
Typical Configuration Examples

Issue 01
Date 2017-12-29

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 01 (2017-12-29) Huawei Proprietary and Confidential i



About This Document

Purpose
This document provides the typical configuration examples supported by the WLAN.

Intended Audience
This document is intended for network engineers responsible for WLAN configuration and
management. You should be familiar with basic Ethernet knowledge and have extensive
experience in network deployment and management.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description

Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

NOTE

The interface types, command outputs, and device models provided in this manual vary according to
device configurations and may differ from the actual information.
To obtain better user experience, you are advised to set the number of columns displayed on the
command line editor to 132 or higher.
The pages displayed on your web platform may be different from those in this example and shall prevail.


Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Security Conventions
• Password setting
When configuring a password, ciphertext is recommended. To ensure device
security, do not disable the password complexity check, and change the password
periodically.
When configuring a plaintext password, do not start and end it with %$%$, %^%#,
%#%#, %@%@, or @%@%, which are considered valid ciphertext characters. The device
can decrypt such a password and display the same plaintext password as that configured
by the user in the configuration file. Ciphertext passwords starting and ending with
%$%$, %^%#, %#%#, %@%@, or @%@% are valid. However, ciphertext passwords for
different features are not interchangeable. For example, the ciphertext password
generated for Authentication, Authorization, Accounting (AAA) cannot be configured
for other features.
• Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA,
SHA1, SHA-2, MD5 and SMS4. The encryption algorithm depends on the applicable
scenario. Use the recommended encryption algorithm; otherwise, security defense
requirements may not be met.
– For the symmetrical encryption algorithm, use AES with the key of 128 bits or
more.
– For the asymmetrical encryption algorithm, use RSA with the key of 2048 bits or
more.
– For the hash algorithm, use SHA2 with the key of 256 bits or more.
– For the HMAC algorithm, use HMAC-SHA2.
– The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital
signature scenarios and password encryption)/SHA1 (in digital signature scenarios)
have low security, which may bring security risks. If the protocol allows, using
more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/
SHA2/HMAC-SHA2, is recommended.
– SHA2 is an irreversible encryption algorithm. The irreversible encryption algorithm
must be used for the administrator password.
• Personal data
Some personal data (such as the MAC or IP addresses of users) may be obtained or used
during operation or fault location of your purchased products, services, or features, so you
have an obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.


Configuration Conventions
Large-scale or batch service configuration using scripts may cause high CPU usage,
preventing the system from processing regular services.

Model Declaration for Carriers


This document is provided to both enterprise and carrier users. Table 1 lists WLAN product
models supported for carriers.

Table 1 WLAN product models for carriers

Software Version    Product Model

V200R009C00         AC6005
                    AC6605
                    ACU2
                    AC6800V
                    AP2030DN
                    AP2050DN
                    AP2050DN-E
                    AP2051DN
                    AP2051DN-E
                    AP4030DN
                    AP4050DN
                    AP4050DN-E
                    AP4051DN
                    AP4130DN
                    AP4151DN
                    AP5030DN
                    AP5130DN
                    AP6050DN
                    AP6150DN
                    AP6510DN-AGN
                    AP7050DE
                    AP7050DN-E
                    AP7052DN
                    AP7152DN
                    AP8030DN
                    AP8050DN
                    AP8082DN
                    AP8130DN
                    AP8150DN
                    AP8182DN
                    AD9430DN-12
                    AD9430DN-24
                    R230D
                    R240D
                    R250D
                    R251D
                    R251D
                    R250D-E
                    R450D


Contents

About This Document

1 Introduction to WLAN

2 Product Overview
2.1 AC Products Overview
2.2 AP Products Overview

3 WLAN Configuration
3.1 WLAN Service Configuration Procedure
3.1.1 Reference Relationships Between WLAN Profiles
3.1.2 WLAN Basic Service Configuration Procedure
3.1.3 AP Group and AP
3.1.4 Regulatory Domain Profile
3.1.5 Radio Profile
3.1.6 Air Scan Profile
3.1.7 RRM Profile
3.1.8 VAP Profile
3.1.9 SSID Profile
3.1.10 Authentication Profile
3.1.11 Security Profile
3.1.12 Traffic Profile
3.1.13 UCC Profile
3.1.14 Attack Defense Profile
3.1.15 User Profile
3.1.16 Soft GRE profile
3.1.17 STA Blacklist Profile
3.1.18 STA Whitelist Profile
3.1.19 SAC Profile
3.1.20 Hotspot2.0 Profile
3.1.21 AP System Profile
3.1.22 AP Wired Port Profile
3.1.23 AP Wired Port Link Profile
3.1.24 WIDS Profile
3.1.25 WIDS Spoof SSID Profile


3.1.26 WIDS Whitelist Profile
3.1.27 Location Profile
3.1.28 BLE Profile
3.1.29 WDS Profile
3.1.30 WDS Whitelist Profile
3.1.31 Mesh Profile
3.1.32 Mesh Handover Profile
3.1.33 Mesh Whitelist Profile
3.1.34 IoT Profile
3.1.35 WMI Profile
3.1.36 AP Provisioning Profile
3.1.37 Common Operations of Profiles
3.2 Data Packet Processing

4 Typical Configuration Examples (CLI)
4.1 WLAN Common Service Configuration Examples
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)
4.1.3 Example for Configuring High-Density WLAN Services
4.1.4 Example for Configuring WLAN Backhaul
4.1.5 Example for Configuring Rail Transportation WLAN Services
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)
4.2 WLAN Basic Networking Configuration Examples (Fat AP)
4.2.1 Example for Configuring Fat AP Layer 2 Networking
4.2.2 Example for Configuring Fat AP Layer 3 Networking
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT
4.3 AP Mode Switching Examples
4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One Command
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP
4.3.3 Example for Switching a Fit AP to the Fat Mode Using FTP
4.3.4 Example for Switching an Online Fit AP to the Fat Mode Through the AC
4.4 WLAN Basic Networking Configuration Examples
4.4.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
4.4.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
4.4.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
4.4.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
4.4.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode
4.4.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
4.4.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
4.4.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
4.4.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services
4.4.10 Example for Configuring NAT Traversal Between the AC and APs


4.4.11 Example for Configuring VPN Traversal Between the AC and APs
4.4.12 Example for Configuring Hand-in-Hand WDS Services
4.4.13 Example for Configuring Back-to-Back WDS
4.4.14 Example for Configuring Common Mesh Services
4.4.15 Example for Configuring Dual-MPP Mesh Services
4.5 AP's Wired Interface Configuration Examples
4.5.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
4.6 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.6.1 Example for Configuring the PPPoE Client
4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem
4.7 Authentication Configuration Examples
4.7.1 Example for Configuring External Portal Authentication
4.7.2 Example for Configuring Built-in Portal Authentication for Local Users
4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication
4.7.4 Example for Configuring 802.1X Authentication
4.7.5 Example for Configuring MAC Address Authentication
4.7.6 Example for Configuring MAC Authentication for Local Users
4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server
4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs
4.8 Reliability Configuration Examples
4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode
4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode
4.8.6 Example for Configuring VRRP HSB
4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)
4.9 Roaming Configuration Examples
4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
4.9.2 Example for Configuring Intra-VLAN Roaming
4.9.3 Example for Configuring Inter-AC Layer 2 Roaming
4.9.4 Example for Configuring Inter-AC Layer 3 Roaming
4.9.5 Example for Configuring Agile Distributed SFN Roaming
4.10 Agile Distributed Networking Configuration Examples
4.10.1 Example for Configuring an Agile Distributed WLAN
4.11 High-Density Configuration Examples
4.11.1 Example for Configuring High-Density WLAN Services
4.12 Example for Configuring Vehicle-Ground Communication
4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover


4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)......650
4.13 Radio Resource Management Configuration Examples...........................................................................................668
4.13.1 Example for Configuring Dynamic Load Balancing.............................................................................................668
4.13.2 Example for Configuring Static Load Balancing.................................................................................................. 672
4.13.3 Example for Configuring Band Steering............................................................................................................... 675
4.13.4 Example for Configuring Smart Roaming.............................................................................................................679
4.14 Spectrum Analysis Configuration Examples............................................................................................................682
4.14.1 Example for Configuring Spectrum Analysis....................................................................................................... 682
4.15 WLAN Security Configuration Examples................................................................................................................689
4.15.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 689
4.15.2 Example for Configuring Attack Detection...........................................................................................................698
4.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 708
4.16 WLAN Location Configuration Examples...............................................................................................................717
4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location.................................................................................... 717
4.16.2 Example for Configuring AeroScout MU Location.............................................................................................. 723
4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location......................................................................................... 728
4.16.4 Example for Configuring Wi-Fi Terminal Location..............................................................................................734
4.16.5 Example for Configuring Bluetooth Terminal Location....................................................................................... 742
4.17 WLAN QoS Configuration Examples...................................................................................................................... 750
4.17.1 Common Misconfigurations.................................................................................................................................. 750
4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 750
4.17.2 Example for Configuring WMM and Priority Mapping....................................................................................... 751
4.17.3 Example for Configuring Traffic Policing.............................................................................................................757
4.17.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 760
4.17.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 763
4.17.6 Example for Configuring Optimization for Voice and Video Services................................................................. 767
4.17.7 Example for Configuring Priorities for Skype4B Packets.....................................................................................771
4.18 WLAN Enhanced Services Configuration Examples...............................................................................................775
4.18.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 775
4.18.2 Example for Configuring WLAN Hotspot 2.0 Services........................................................................................787
4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................798
4.18.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 806
4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address............................................................ 813
4.18.6 Example for Configuring the Soft GRE Service................................................................................................... 817
4.18.7 Example for Configuring Bandwidth-based Multicast CAC................................................................................ 827
4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................... 836
4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC
.......................................................................................................................................................................................... 844
4.19 Comprehensive Case................................................................................................................................................ 852
4.19.1 Example for Configuring Unified Access for Wired and Wireless Users............................................................. 852
4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).......... 870
4.19.2.1 Application Scenario and Service Requirements............................................................................................... 870


4.19.2.2 Solution Design.................................................................................................................................................. 871


4.19.2.3 Configuration Roadmap and Data Plan.............................................................................................................. 873
4.19.2.4 Configuration Notes........................................................................................................................................... 878
4.19.2.5 Configuration Procedure.....................................................................................................................................880
4.19.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A............................................................. 880
4.19.2.5.2 Configuring the Access Switch S5700-A in Office Building A......................................................................881
4.19.2.5.3 Configuring the Core Switch S12700..............................................................................................................882
4.19.2.5.4 Configuring the Egress Firewall USG6650s................................................................................................... 890
4.19.2.5.5 Configuring the Agile Controller.................................................................................................................... 896
4.19.2.5.6 Configuring the Srun....................................................................................................................................... 915
4.19.2.6 Verification......................................................................................................................................................... 920
4.19.2.7 Configuration Script........................................................................................................................................... 924
4.19.3 Higher Education Campus Network Deployment Case (Aggregation Switch Used as the Gateway and Authentication Point).......... 932
4.19.3.1 Application Scenario and Service Requirements............................................................................................... 932
4.19.3.2 Solution Design.................................................................................................................................................. 933
4.19.3.3 Configuration Roadmap and Data Plan.............................................................................................................. 935
4.19.3.4 Configuration Notes........................................................................................................................................... 941
4.19.3.5 Configuration Procedure.....................................................................................................................................944
4.19.3.5.1 Configuring the Access Switch S5700-A in Office Building A......................................................................944
4.19.3.5.2 Configuring Core Switches............................................................................................................................. 944
4.19.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................... 948
4.19.3.5.4 Configuring the USG6650s............................................................................................................................. 954
4.19.3.5.5 Configuring the Agile Controller.................................................................................................................... 959
4.19.3.5.6 Configuring the Srun....................................................................................................................................... 978
4.19.3.6 Verification......................................................................................................................................................... 982
4.19.3.7 Configuration Script........................................................................................................................................... 987

5 Typical Configuration Examples (Web)..............................................................................1001


5.1 WLAN Common Service Configuration Examples................................................................................................. 1001
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1001
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........1011
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1021
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1040
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1053
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1069
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1078
5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1087
5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1087
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1094
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1101
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1110
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1110


5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1113
5.4 PPPoE Configuration Examples (Fat Central AP)....................................................................................................1116
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1116
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1119
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1123
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1123
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode................................................................. 1132
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................ 1141
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1150
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1160
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode................................................................. 1172
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................ 1184
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1194
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1204
5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1214
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1226
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1239
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1251
5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1262
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1273
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1273
5.7 Authentication Configuration Examples.................................................................................................................. 1277
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1277
5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)............................................. 1287
5.7.3 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1296
5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1307
5.7.5 Example for Configuring 802.1X Authentication................................................................................................. 1317
5.7.6 Example for Configuring MAC Address Authentication......................................................................................1328
5.7.7 Example for Configuring MAC Authentication for Local Users.......................................................................... 1338
5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1347
5.7.9 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1359
5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................. 1367
5.8 Reliability Configuration Examples......................................................................................................................... 1379
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1379
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1392
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1403
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs....................................................................... 1411
5.8.5 Example for Configuring VRRP HSB...................................................................................................................1420
5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)....................................... 1432
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment).........................................1444
5.9 Roaming Configuration Examples........................................................................................................................... 1456
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1456


5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1468


5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1478
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1489
5.9.5 Example for Configuring Agile Distributed SFN Roaming.................................................................................. 1502
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1513
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1513
5.11 High-Density Configuration Examples.................................................................................................................. 1522
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1522
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1540
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1540
5.13 Radio Resource Management Configuration Examples.........................................................................................1557
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1557
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1560
5.13.3 Example for Configuring Band Steering............................................................................................................. 1563
5.13.4 Example for Configuring Smart Roaming...........................................................................................................1566
5.14 Spectrum Analysis Configuration Examples..........................................................................................................1569
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1569
5.15 WLAN Security Configuration Examples..............................................................................................................1574
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1574
5.15.2 Example for Configuring Attack Detection.........................................................................................................1584
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1594
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1603
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1603
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1608
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1610
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1612
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1615
5.16.6 Example for Configuring Priorities for Skype4B Packets...................................................................................1619
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1622
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1622
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1637
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1651
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1659
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1667
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1671
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1682
5.17.8 Configuring Ethernet over GRE to Enable Layer 2 Communication Between an AC and a Wireless Gateway.......... 1692
5.17.9 Example of Intelligent Upgrade for AC and Fit APs.......................................................................................... 1700

Contents


About This Document.....................................................................................................................ii


1 Introduction to WLAN..................................................................................................................1
2 Product Overview.......................................................................................................................... 3
2.1 AC Products Overview................................................................................................................................................... 3
2.2 AP Products Overview................................................................................................................................................... 4

3 WLAN Configuration................................................................................................................. 17
3.1 WLAN Service Configuration Procedure.....................................................................................................................17
3.1.1 Reference Relationships Between WLAN Profiles...................................................................................................17
3.1.2 WLAN Basic Service Configuration Procedure........................................................................................................19
3.1.3 AP Group and AP...................................................................................................................................................... 20
3.1.4 Regulatory Domain Profile........................................................................................................................................22
3.1.5 Radio Profile..............................................................................................................................................................22
3.1.6 Air Scan Profile......................................................................................................................................................... 22
3.1.7 RRM Profile.............................................................................................................................................................. 23
3.1.8 VAP Profile................................................................................................................................................................24
3.1.9 SSID Profile...............................................................................................................................................................25
3.1.10 Authentication Profile..............................................................................................................................................25
3.1.11 Security Profile........................................................................................................................................................ 26
3.1.12 Traffic Profile.......................................................................................................................................................... 26
3.1.13 UCC Profile............................................................................................................................................................. 27
3.1.14 Attack Defense Profile.............................................................................................................................................27
3.1.15 User Profile..............................................................................................................................................................28
3.1.16 Soft GRE profile...................................................................................................................................................... 28
3.1.17 STA Blacklist Profile............................................................................................................................................... 28
3.1.18 STA Whitelist Profile.............................................................................................................................................. 29
3.1.19 SAC Profile..............................................................................................................................................................29
3.1.20 Hotspot2.0 Profile....................................................................................................................................................29
3.1.21 AP System Profile................................................................................................................................................... 30
3.1.22 AP Wired Port Profile..............................................................................................................................................33
3.1.23 AP Wired Port Link Profile..................................................................................................................................... 33
3.1.24 WIDS Profile........................................................................................................................................................... 33
3.1.25 WIDS Spoof SSID Profile....................................................................................................................................... 34
3.1.26 WIDS Whitelist Profile........................................................................................................................................... 34
3.1.27 Location Profile....................................................................................................................................................... 34
3.1.28 BLE Profile..............................................................................................................................................................35
3.1.29 WDS Profile............................................................................................................................................................ 35
3.1.30 WDS Whitelist Profile.............................................................................................................................................36
3.1.31 Mesh Profile............................................................................................................................................................ 36
3.1.32 Mesh Handover Profile............................................................................................................................................37
3.1.33 Mesh Whitelist Profile.............................................................................................................................................37
3.1.34 IoT Profile................................................................................................................................................................37


3.1.35 WMI Profile.............................................................................................................................................................38


3.1.36 AP Provisioning Profile...........................................................................................................................................38
3.1.37 Common Operations of Profiles.............................................................................................................................. 38
3.2 Data Packet Processing.................................................................................................................................................39

4 Typical Configuration Examples (CLI)................................................................................... 50


4.1 WLAN Common Service Configuration Examples..................................................................................................... 50
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..................................50
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........... 60
4.1.3 Example for Configuring High-Density WLAN Services........................................................................................ 71
4.1.4 Example for Configuring WLAN Backhaul..............................................................................................................85
4.1.5 Example for Configuring Rail Transportation WLAN Services............................................................................... 98
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................... 114
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)..........................122
4.2 WLAN Basic Networking Configuration Examples (Fat AP)................................................................................... 131
4.2.1 Example for Configuring Fat AP Layer 2 Networking........................................................................................... 131
4.2.2 Example for Configuring Fat AP Layer 3 Networking........................................................................................... 136
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT................................143
4.3 AP Mode Switching Examples...................................................................................................................................149
4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One Command................................. 149
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP...............................................................................153
4.3.3 Example for Switching a Fit AP to the Fat Mode Using FTP................................................................................. 163
4.3.4 Example for Switching an Online Fit AP to the Fat Mode Through the AC.......................................................... 168
4.4 WLAN Basic Networking Configuration Examples.................................................................................................. 172
4.4.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................... 172
4.4.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...................................................................180
4.4.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..................................................................187
4.4.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode.................................................................195
4.4.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode.................................................................204
4.4.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..................................................................214
4.4.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................... 223
4.4.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...................................................................233
4.4.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services......................................................................... 243
4.4.10 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 251
4.4.11 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 260
4.4.12 Example for Configuring Hand-in-Hand WDS Services...................................................................................... 272
4.4.13 Example for Configuring Back-to-Back WDS......................................................................................................285
4.4.14 Example for Configuring Common Mesh Services.............................................................................................. 298
4.4.15 Example for Configuring Dual-MPP Mesh Services............................................................................................ 306
4.5 AP's Wired Interface Configuration Examples...........................................................................................................318
4.5.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.........................................................318
4.6 PPPoE Configuration Examples (Fat AP and Fat Central AP).................................................................................. 321
4.6.1 Example for Configuring the PPPoE Client............................................................................................................ 321

4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem................................................................ 323
4.7 Authentication Configuration Examples.................................................................................................................... 327
4.7.1 Example for Configuring External Portal Authentication....................................................................................... 327
4.7.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 337
4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 347
4.7.4 Example for Configuring 802.1X Authentication................................................................................................... 358
4.7.5 Example for Configuring MAC Address Authentication........................................................................................368
4.7.6 Example for Configuring MAC Authentication for Local Users............................................................................ 378
4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................386
4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server................................................. 397
4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs..................................................... 405
4.8 Reliability Configuration Examples........................................................................................................................... 417
4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios.............................. 417
4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode..................................................................... 435
4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios........................ 448
4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode).................................................. 460
4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode...................................................................... 468
4.8.6 Example for Configuring VRRP HSB.....................................................................................................................479
4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)......................................... 495
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)...........................................513
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)............ 529
4.9 Roaming Configuration Examples............................................................................................................................. 556
4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 556
4.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 569
4.9.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 579
4.9.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 590
4.9.5 Example for Configuring Agile Distributed SFN Roaming.................................................................................... 602
4.10 Agile Distributed Networking Configuration Examples.......................................................................................... 611
4.10.1 Example for Configuring an Agile Distributed WLAN........................................................................................ 611
4.11 High-Density Configuration Examples.................................................................................................................... 619
4.11.1 Example for Configuring High-Density WLAN Services.....................................................................................619
4.12 Example for Configuring Vehicle-Ground Communication.................................................................................... 634
4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover........................................................................... 634
4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)......650
4.13 Radio Resource Management Configuration Examples...........................................................................................668
4.13.1 Example for Configuring Dynamic Load Balancing.............................................................................................668
4.13.2 Example for Configuring Static Load Balancing.................................................................................................. 672
4.13.3 Example for Configuring Band Steering............................................................................................................... 675
4.13.4 Example for Configuring Smart Roaming.............................................................................................................679
4.14 Spectrum Analysis Configuration Examples............................................................................................................682
4.14.1 Example for Configuring Spectrum Analysis....................................................................................................... 682
4.15 WLAN Security Configuration Examples................................................................................................................689

4.15.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 689
4.15.2 Example for Configuring Attack Detection...........................................................................................................698
4.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 708
4.16 WLAN Location Configuration Examples...............................................................................................................717
4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location.................................................................................... 717
4.16.2 Example for Configuring AeroScout MU Location.............................................................................................. 723
4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location......................................................................................... 728
4.16.4 Example for Configuring Wi-Fi Terminal Location..............................................................................................734
4.16.5 Example for Configuring Bluetooth Terminal Location....................................................................................... 742
4.17 WLAN QoS Configuration Examples...................................................................................................................... 750
4.17.1 Common Misconfigurations.................................................................................................................................. 750
4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 750
4.17.2 Example for Configuring WMM and Priority Mapping....................................................................................... 751
4.17.3 Example for Configuring Traffic Policing.............................................................................................................757
4.17.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 760
4.17.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 763
4.17.6 Example for Configuring Optimization for Voice and Video Services................................................................. 767
4.17.7 Example for Configuring Priorities for Skype4B Packets.....................................................................................771
4.18 WLAN Enhanced Services Configuration Examples...............................................................................................775
4.18.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 775
4.18.2 Example for Configuring WLAN Hotspot 2.0 Services........................................................................................787
4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................798
4.18.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 806
4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address............................................................ 813
4.18.6 Example for Configuring the Soft GRE Service................................................................................................... 817
4.18.7 Example for Configuring Bandwidth-based Multicast CAC................................................................................ 827
4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................... 836
4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC.......... 844
4.19 Comprehensive Case................................................................................................................................................ 852
4.19.1 Example for Configuring Unified Access for Wired and Wireless Users............................................................. 852
4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).......... 870
4.19.2.1 Application Scenario and Service Requirements............................................................................................... 870
4.19.2.2 Solution Design.................................................................................................................................................. 871
4.19.2.3 Configuration Roadmap and Data Plan.............................................................................................................. 873
4.19.2.4 Configuration Notes........................................................................................................................................... 878
4.19.2.5 Configuration Procedure.....................................................................................................................................880
4.19.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A............................................................. 880
4.19.2.5.2 Configuring the Access Switch S5700-A in Office Building A......................................................................881
4.19.2.5.3 Configuring the Core Switch S12700..............................................................................................................882
4.19.2.5.4 Configuring the Egress Firewall USG6650s................................................................................................... 890
4.19.2.5.5 Configuring the Agile Controller.................................................................................................................... 896

4.19.2.5.6 Configuring the Srun....................................................................................................................................... 915


4.19.2.6 Verification......................................................................................................................................................... 920
4.19.2.7 Configuration Script........................................................................................................................................... 924
4.19.3 Higher Education Campus Network Deployment Case (Aggregation Switch Used as the Gateway and Authentication Point).......... 932
4.19.3.1 Application Scenario and Service Requirements............................................................................................... 932
4.19.3.2 Solution Design.................................................................................................................................................. 933
4.19.3.3 Configuration Roadmap and Data Plan.............................................................................................................. 935
4.19.3.4 Configuration Notes........................................................................................................................................... 941
4.19.3.5 Configuration Procedure.....................................................................................................................................944
4.19.3.5.1 Configuring the Access Switch S5700-A in Office Building A......................................................................944
4.19.3.5.2 Configuring Core Switches............................................................................................................................. 944
4.19.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................... 948
4.19.3.5.4 Configuring the USG6650s............................................................................................................................. 954
4.19.3.5.5 Configuring the Agile Controller.................................................................................................................... 959
4.19.3.5.6 Configuring the Srun....................................................................................................................................... 978
4.19.3.6 Verification......................................................................................................................................................... 982
4.19.3.7 Configuration Script........................................................................................................................................... 987

5 Typical Configuration Examples (Web)..............................................................................1001


5.1 WLAN Common Service Configuration Examples................................................................................................. 1001
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1001
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........1011
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1021
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1040
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1053
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1069
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1078
5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1087
5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1087
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1094
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1101
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1110
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1110
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1113
5.4 PPPoE Configuration Examples (Fat Central AP)....................................................................................................1116
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1116
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1119
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1123
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1123
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode................................................................. 1132
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................ 1141
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1150

5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1160
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode................................................................. 1172
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................ 1184
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1194
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1204
5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1214
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1226
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1239
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1251
5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1262
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1273
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1273
5.7 Authentication Configuration Examples.................................................................................................................. 1277
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1277
5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)............................................. 1287
5.7.3 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1296
5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1307
5.7.5 Example for Configuring 802.1X Authentication................................................................................................. 1317
5.7.6 Example for Configuring MAC Address Authentication......................................................................................1328
5.7.7 Example for Configuring MAC Authentication for Local Users.......................................................................... 1338
5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1347
5.7.9 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1359
5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................. 1367
5.8 Reliability Configuration Examples......................................................................................................................... 1379
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1379
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1392
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1403
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs....................................................................... 1411
5.8.5 Example for Configuring VRRP HSB...................................................................................................................1420
5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)....................................... 1432
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment).........................................1444
5.9 Roaming Configuration Examples........................................................................................................................... 1456
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1456
5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1468
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1478
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1489
5.9.5 Example for Configuring Agile Distributed SFN Roaming.................................................................................. 1502
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1513
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1513
5.11 High-Density Configuration Examples.................................................................................................................. 1522
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1522
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1540

5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1540


5.13 Radio Resource Management Configuration Examples.........................................................................................1557
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1557
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1560
5.13.3 Example for Configuring Band Steering............................................................................................................. 1563
5.13.4 Example for Configuring Smart Roaming...........................................................................................................1566
5.14 Spectrum Analysis Configuration Examples..........................................................................................................1569
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1569
5.15 WLAN Security Configuration Examples..............................................................................................................1574
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1574
5.15.2 Example for Configuring Attack Detection.........................................................................................................1584
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1594
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1603
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1603
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1608
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1610
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1612
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1615
5.16.6 Example for Configuring Priorities for Skype4B Packets...................................................................................1619
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1622
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1622
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1637
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1651
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1659
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1667
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1671
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1682
5.17.8 Configuring Ethernet over GRE to Enable Layer 2 Communication Between an AC and a Wireless Gateway.......... 1692
5.17.9 Example of Intelligent Upgrade for AC and Fit APs.......................................................................................... 1700

Contents

About This Document.....................................................................................................................ii


1 Introduction to WLAN..................................................................................................................1
2 Product Overview.......................................................................................................................... 3
2.1 AC Products Overview................................................................................................................................................... 3

2.2 AP Products Overview................................................................................................................................................... 4

3 WLAN Configuration................................................................................................................. 17
3.1 WLAN Service Configuration Procedure.....................................................................................................................17
3.1.1 Reference Relationships Between WLAN Profiles...................................................................................................17
3.1.2 WLAN Basic Service Configuration Procedure........................................................................................................19
3.1.3 AP Group and AP...................................................................................................................................................... 20
3.1.4 Regulatory Domain Profile........................................................................................................................................22
3.1.5 Radio Profile..............................................................................................................................................................22
3.1.6 Air Scan Profile......................................................................................................................................................... 22
3.1.7 RRM Profile.............................................................................................................................................................. 23
3.1.8 VAP Profile................................................................................................................................................................24
3.1.9 SSID Profile...............................................................................................................................................................25
3.1.10 Authentication Profile..............................................................................................................................................25
3.1.11 Security Profile........................................................................................................................................................ 26
3.1.12 Traffic Profile.......................................................................................................................................................... 26
3.1.13 UCC Profile............................................................................................................................................................. 27
3.1.14 Attack Defense Profile.............................................................................................................................................27
3.1.15 User Profile..............................................................................................................................................................28
3.1.16 Soft GRE profile...................................................................................................................................................... 28
3.1.17 STA Blacklist Profile............................................................................................................................................... 28
3.1.18 STA Whitelist Profile.............................................................................................................................................. 29
3.1.19 SAC Profile..............................................................................................................................................................29
3.1.20 Hotspot2.0 Profile....................................................................................................................................................29
3.1.21 AP System Profile................................................................................................................................................... 30
3.1.22 AP Wired Port Profile..............................................................................................................................................33
3.1.23 AP Wired Port Link Profile..................................................................................................................................... 33
3.1.24 WIDS Profile........................................................................................................................................................... 33
3.1.25 WIDS Spoof SSID Profile....................................................................................................................................... 34
3.1.26 WIDS Whitelist Profile........................................................................................................................................... 34
3.1.27 Location Profile....................................................................................................................................................... 34
3.1.28 BLE Profile..............................................................................................................................................................35
3.1.29 WDS Profile............................................................................................................................................................ 35
3.1.30 WDS Whitelist Profile.............................................................................................................................................36
3.1.31 Mesh Profile............................................................................................................................................................ 36
3.1.32 Mesh Handover Profile............................................................................................................................................37
3.1.33 Mesh Whitelist Profile.............................................................................................................................................37
3.1.34 IoT Profile................................................................................................................................................................37
3.1.35 WMI Profile.............................................................................................................................................................38
3.1.36 AP Provisioning Profile...........................................................................................................................................38
3.1.37 Common Operations of Profiles.............................................................................................................................. 38
3.2 Data Packet Processing.................................................................................................................................................39

4 Typical Configuration Examples (CLI)................................................................................... 50
4.1 WLAN Common Service Configuration Examples..................................................................................................... 50
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..................................50
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........... 60
4.1.3 Example for Configuring High-Density WLAN Services........................................................................................ 71
4.1.4 Example for Configuring WLAN Backhaul..............................................................................................................85
4.1.5 Example for Configuring Rail Transportation WLAN Services............................................................................... 98
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................... 114
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)..........................122
4.2 WLAN Basic Networking Configuration Examples (Fat AP)................................................................................... 131
4.2.1 Example for Configuring Fat AP Layer 2 Networking........................................................................................... 131
4.2.2 Example for Configuring Fat AP Layer 3 Networking........................................................................................... 136
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT................................143
4.3 AP Mode Switching Examples...................................................................................................................................149
4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One Command................................. 149
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP...............................................................................153
4.3.3 Example for Switching a Fit AP to the Fat Mode Using FTP................................................................................. 163
4.3.4 Example for Switching an Online Fit AP to the Fat Mode Through the AC.......................................................... 168
4.4 WLAN Basic Networking Configuration Examples.................................................................................................. 172
4.4.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................... 172
4.4.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...................................................................180
4.4.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..................................................................187
4.4.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode.................................................................195
4.4.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode.................................................................204
4.4.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..................................................................214
4.4.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................... 223
4.4.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...................................................................233
4.4.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services......................................................................... 243
4.4.10 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 251
4.4.11 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 260
4.4.12 Example for Configuring Hand-in-Hand WDS Services...................................................................................... 272
4.4.13 Example for Configuring Back-to-Back WDS......................................................................................................285
4.4.14 Example for Configuring Common Mesh Services.............................................................................................. 298
4.4.15 Example for Configuring Dual-MPP Mesh Services............................................................................................ 306
4.5 AP's Wired Interface Configuration Examples...........................................................................................................318
4.5.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.........................................................318
4.6 PPPoE Configuration Examples (Fat AP and Fat Central AP).................................................................................. 321
4.6.1 Example for Configuring the PPPoE Client............................................................................................................ 321
4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem................................................................ 323
4.7 Authentication Configuration Examples.................................................................................................................... 327
4.7.1 Example for Configuring External Portal Authentication....................................................................................... 327
4.7.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 337
4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 347
4.7.4 Example for Configuring 802.1X Authentication................................................................................................... 358
4.7.5 Example for Configuring MAC Address Authentication........................................................................................368
4.7.6 Example for Configuring MAC Authentication for Local Users............................................................................ 378
4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................386
4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server................................................. 397
4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs..................................................... 405
4.8 Reliability Configuration Examples........................................................................................................................... 417
4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios.............................. 417
4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode..................................................................... 435
4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios........................ 448
4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode).................................................. 460
4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode...................................................................... 468
4.8.6 Example for Configuring VRRP HSB.....................................................................................................................479
4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)......................................... 495
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)...........................................513
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)............ 529
4.9 Roaming Configuration Examples............................................................................................................................. 556
4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 556
4.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 569
4.9.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 579
4.9.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 590
4.9.5 Example for Configuring Agile Distributed SFN Roaming.................................................................................... 602
4.10 Agile Distributed Networking Configuration Examples.......................................................................................... 611
4.10.1 Example for Configuring an Agile Distributed WLAN........................................................................................ 611
4.11 High-Density Configuration Examples.................................................................................................................... 619
4.11.1 Example for Configuring High-Density WLAN Services.....................................................................................619
4.12 Example for Configuring Vehicle-Ground Communication.................................................................................... 634
4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover........................................................................... 634
4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)......650
4.13 Radio Resource Management Configuration Examples...........................................................................................668
4.13.1 Example for Configuring Dynamic Load Balancing.............................................................................................668
4.13.2 Example for Configuring Static Load Balancing.................................................................................................. 672
4.13.3 Example for Configuring Band Steering............................................................................................................... 675
4.13.4 Example for Configuring Smart Roaming.............................................................................................................679
4.14 Spectrum Analysis Configuration Examples............................................................................................................682
4.14.1 Example for Configuring Spectrum Analysis....................................................................................................... 682
4.15 WLAN Security Configuration Examples................................................................................................................689
4.15.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 689
4.15.2 Example for Configuring Attack Detection...........................................................................................................698
4.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 708
4.16 WLAN Location Configuration Examples...............................................................................................................717
4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location.................................................................................... 717
4.16.2 Example for Configuring AeroScout MU Location.............................................................................................. 723
4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location......................................................................................... 728
4.16.4 Example for Configuring Wi-Fi Terminal Location..............................................................................................734
4.16.5 Example for Configuring Bluetooth Terminal Location....................................................................................... 742
4.17 WLAN QoS Configuration Examples...................................................................................................................... 750
4.17.1 Common Misconfigurations.................................................................................................................................. 750
4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 750
4.17.2 Example for Configuring WMM and Priority Mapping....................................................................................... 751
4.17.3 Example for Configuring Traffic Policing.............................................................................................................757
4.17.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 760
4.17.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 763
4.17.6 Example for Configuring Optimization for Voice and Video Services................................................................. 767
4.17.7 Example for Configuring Priorities for Skype4B Packets.....................................................................................771
4.18 WLAN Enhanced Services Configuration Examples...............................................................................................775
4.18.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 775
4.18.2 Example for Configuring WLAN Hotspot 2.0 Services........................................................................................787
4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................798
4.18.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 806
4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address............................................................ 813
4.18.6 Example for Configuring the Soft GRE Service................................................................................................... 817
4.18.7 Example for Configuring Bandwidth-based Multicast CAC................................................................................ 827
4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................... 836
4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC.......... 844
4.19 Comprehensive Case................................................................................................................................................ 852
4.19.1 Example for Configuring Unified Access for Wired and Wireless Users............................................................. 852
4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).......... 870
4.19.2.1 Application Scenario and Service Requirements............................................................................................... 870
4.19.2.2 Solution Design.................................................................................................................................................. 871
4.19.2.3 Configuration Roadmap and Data Plan.............................................................................................................. 873
4.19.2.4 Configuration Notes........................................................................................................................................... 878
4.19.2.5 Configuration Procedure.....................................................................................................................................880
4.19.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A............................................................. 880
4.19.2.5.2 Configuring the Access Switch S5700-A in Office Building A......................................................................881
4.19.2.5.3 Configuring the Core Switch S12700..............................................................................................................882
4.19.2.5.4 Configuring the Egress Firewall USG6650s................................................................................................... 890
4.19.2.5.5 Configuring the Agile Controller.................................................................................................................... 896
4.19.2.5.6 Configuring the Srun....................................................................................................................................... 915
4.19.2.6 Verification......................................................................................................................................................... 920
4.19.2.7 Configuration Script........................................................................................................................................... 924
4.19.3 Higher Education Campus Network Deployment Case (Aggregation Switch Used as the Gateway and Authentication Point)........................................................................................................................................................932
4.19.3.1 Application Scenario and Service Requirements............................................................................................... 932
4.19.3.2 Solution Design.................................................................................................................................................. 933
4.19.3.3 Configuration Roadmap and Data Plan.............................................................................................................. 935
4.19.3.4 Configuration Notes........................................................................................................................................... 941
4.19.3.5 Configuration Procedure.....................................................................................................................................944
4.19.3.5.1 Configuring the Access Switch S5700-A in Office Building A......................................................................944
4.19.3.5.2 Configuring Core Switches............................................................................................................................. 944
4.19.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................... 948
4.19.3.5.4 Configuring the USG6650s............................................................................................................................. 954
4.19.3.5.5 Configuring the Agile Controller.................................................................................................................... 959
4.19.3.5.6 Configuring the Srun....................................................................................................................................... 978
4.19.3.6 Verification......................................................................................................................................................... 982
4.19.3.7 Configuration Script........................................................................................................................................... 987

5 Typical Configuration Examples (Web)..............................................................................1001
5.1 WLAN Common Service Configuration Examples................................................................................................. 1001
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1001
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........1011
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1021
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1040
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1053
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1069
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1078
5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1087
5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1087
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1094
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1101
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1110
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1110
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1113
5.4 PPPoE Configuration Examples (Fat Central AP)....................................................................................................1116
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1116
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1119
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1123
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1123
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode................................................................. 1132
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................ 1141
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1150
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1160
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode................................................................. 1172
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................ 1184
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1194
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1204

5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1214
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1226
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1239
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1251
5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1262
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1273
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1273
5.7 Authentication Configuration Examples.................................................................................................................. 1277
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1277
5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)............................................. 1287
5.7.3 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1296
5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1307
5.7.5 Example for Configuring 802.1X Authentication................................................................................................. 1317
5.7.6 Example for Configuring MAC Address Authentication......................................................................................1328
5.7.7 Example for Configuring MAC Authentication for Local Users.......................................................................... 1338
5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1347
5.7.9 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1359
5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................. 1367
5.8 Reliability Configuration Examples......................................................................................................................... 1379
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1379
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1392
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1403
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs....................................................................... 1411
5.8.5 Example for Configuring VRRP HSB...................................................................................................................1420
5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)....................................... 1432
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment).........................................1444
5.9 Roaming Configuration Examples........................................................................................................................... 1456
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1456
5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1468
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1478
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1489
5.9.5 Example for Configuring Agile Distributed SFN Roaming.................................................................................. 1502
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1513
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1513
5.11 High-Density Configuration Examples.................................................................................................................. 1522
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1522
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1540
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1540
5.13 Radio Resource Management Configuration Examples.........................................................................................1557
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1557
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1560
5.13.3 Example for Configuring Band Steering............................................................................................................. 1563

5.13.4 Example for Configuring Smart Roaming...........................................................................................................1566


5.14 Spectrum Analysis Configuration Examples..........................................................................................................1569
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1569
5.15 WLAN Security Configuration Examples..............................................................................................................1574
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1574
5.15.2 Example for Configuring Attack Detection.........................................................................................................1584
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1594
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1603
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1603
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1608
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1610
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1612
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1615
5.16.6 Example for Configuring Priorities for Skype4B Packets...................................................................................1619
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1622
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1622
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1637
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1651
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1659
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1667
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1671
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1682
5.17.8 Configuring Ethernet over GRE to Enable Layer 2 Communication Between an AC and a Wireless Gateway........ 1692
5.17.9 Example of Intelligent Upgrade for AC and Fit APs.......................................................................................... 1700

Figures

Figure 1-1 WLAN Networking................................................................................................................................2


Figure 3-1 Reference relationships between WLAN profiles............................................................................... 18
Figure 3-2 WLAN basic service configuration flowchart..................................................................................... 20
Figure 3-3 AP group.............................................................................................................................................. 21
Figure 3-4 AP group and AP................................................................................................................................. 21
Figure 3-5 Management packet forwarding...........................................................................................................40
Figure 3-6 Direct forwarding of service data packets............................................................................................41
Figure 3-7 Forwarding service data packets over a CAPWAP tunnel................................................................... 42
Figure 3-8 Forwarding service data packets over a soft GRE tunnel.................................................................... 43
Figure 3-9 Forwarding service data packets during Layer 2 roaming................................................................... 44
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming................................................. 45
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming...................................................47
Figure 4-1 Networking diagram for configuring 802.1x authentication............................................................... 51
Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication...................................... 61
Figure 4-3 Networking diagram for configuring a high-density WLAN.............................................................. 71
Figure 4-4 Networking diagram for configuring hand-in-hand WDS services..................................................... 86
Figure 4-5 Networking for configuring vehicle-ground fast link handover.......................................................... 99
Figure 4-6 Networking for configuring an agile distributed WLAN...................................................................115
Figure 4-7 Networking for configuring rogue device detection and containment.............................................. 123
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services................................................132
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services................................................138
Figure 4-10 Networking diagram for configuring STAs to access the public network through NAT.................144
Figure 4-11 AP-PC connection diagram..............................................................................................................150
Figure 4-12 AP-PC connection diagram..............................................................................................................154
Figure 4-13 AP-PC connection diagram..............................................................................................................163
Figure 4-14 Networking for configuring Layer 2 direct forwarding in inline mode........................................... 173
Figure 4-15 Networking for configuring Layer 2 tunnel forwarding in inline mode.......................................... 180
Figure 4-16 Networking for configuring Layer 2 direct forwarding in bypass mode......................................... 188
Figure 4-17 Networking for configuring Layer 2 tunnel forwarding in bypass mode........................................ 196
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in bypass mode........................................ 205
Figure 4-19 Networking for configuring Layer 3 direct forwarding in bypass mode......................................... 214
Figure 4-20 Networking for configuring Layer 3 direct forwarding in inline mode........................................... 224
Figure 4-21 Networking for configuring Layer 3 tunnel forwarding in inline mode.......................................... 234

Figure 4-22 Networking for configuring WLAN IPv4/IPv6 dual-stack services................................................243


Figure 4-23 Networking for configuring NAT traversal between the AC and APs............................................ 252
Figure 4-24 Networking for configuring VPN traversal between the AC and APs............................................ 261
Figure 4-25 Networking diagram for configuring hand-in-hand WDS services................................................. 273
Figure 4-26 Networking for configuring back-to-back WDS............................................................................. 286
Figure 4-27 Networking for configuring mesh services...................................................................................... 299
Figure 4-28 Networking for configuring dual-MPP Mesh services.................................................................... 307
Figure 4-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces...............................318
Figure 4-30 Networking diagram of the device functioning as the PPPoE client............................................... 321
Figure 4-31 Networking diagram for connecting a LAN to the Internet using an ADSL modem...................... 324
Figure 4-32 Networking for configuring external Portal authentication............................................................. 328
Figure 4-33 Networking for configuring built-in Portal authentication for local users.......................................338
Figure 4-34 Networking for configuring MAC address-prioritized Portal authentication.................................. 348
Figure 4-35 Networking diagram for configuring 802.1x authentication........................................................... 358
Figure 4-36 Networking diagram for configuring MAC address authentication................................................ 369
Figure 4-37 Networking for configuring MAC authentication for local users....................................................379
Figure 4-38 Networking for configuring user authorization based on user groups.............................................387
Figure 4-39 Networking diagram for configuring WeChat authentication using a built-in Portal server........... 397
Figure 4-40 Networking diagram for configuring different authentication modes for multiple SSIDs.............. 405
Figure 4-41 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)........ 419
Figure 4-42 Networking diagram for configuring dual-Link HSB in load balancing mode for ACs................. 436
Figure 4-43 Networking diagram for configuring dual-link HSB....................................................................... 449
Figure 4-44 Networking for configuring dual-link cold backup......................................................................... 460
Figure 4-45 Networking for configuring dual-link HSB for ACs....................................................................... 469
Figure 4-46 Configuring VRRP HSB (direct forwarding).................................................................................. 480
Figure 4-47 Networking for configuring N+1 backup.........................................................................................496
Figure 4-48 Networking for configuring N+1 backup.........................................................................................514
Figure 4-49 Networking for configuring N+1 backup and VRRP HSB..............................................................530
Figure 4-50 Networking for configuring inter-VLAN Layer 3 roaming.............................................................557
Figure 4-51 Networking for configuring intra-VLAN roaming.......................................................................... 569
Figure 4-52 Networking for configuring inter-AC Layer 2 roaming.................................................................. 579
Figure 4-53 Networking for configuring inter-AC Layer 3 roaming.................................................................. 591
Figure 4-54 Networking for configuring agile distributed SFN roaming............................................................603
Figure 4-55 Networking for configuring an agile distributed WLAN.................................................................612
Figure 4-56 Networking diagram for configuring a high-density WLAN.......................................................... 620
Figure 4-57 Networking for configuring vehicle-ground fast link handover...................................................... 635
Figure 4-58 Networking for configuring vehicle-ground fast link handover...................................................... 651
Figure 4-59 Networking for configuring dynamic load balancing...................................................................... 669
Figure 4-60 Networking for configuring static load balancing........................................................................... 673
Figure 4-61 Networking for configuring Band Steering..................................................................................... 676
Figure 4-62 Networking for configuring smart roaming..................................................................................... 679
Figure 4-63 Networking for configuring spectrum analysis................................................................................683

Figure 4-64 Networking for configuring rogue device detection and containment............................................ 690
Figure 4-65 Networking for configuring attack detection................................................................................... 699
Figure 4-66 Networking for configuring the STA blacklist and whitelist........................................................... 709
Figure 4-67 Networking for configuring AeroScout Wi-Fi tag location............................................................. 718
Figure 4-68 Networking for configuring AeroScout MU location......................................................................723
Figure 4-69 Networking for configuring Ekahau Wi-Fi tag location.................................................................. 729
Figure 4-70 Networking for configuring Wi-Fi terminal location.......................................................................734
Figure 4-71 Networking for configuring Bluetooth terminal location................................................................ 743
Figure 4-72 Networking for configuring WMM and priority mapping...............................................................751
Figure 4-73 Networking for configuring traffic policing.................................................................................... 757
Figure 4-74 Networking for configuring airtime fair scheduling........................................................................ 760
Figure 4-75 Networking for configuring ACL-based packet filtering................................................................ 764
Figure 4-76 Networking for configuring optimization for voice and video services.......................................... 767
Figure 4-77 Networking for configuring priorities for Skype4B packets........................................................... 772
Figure 4-78 Networking for configuring the WLAN-based e-schoolbag service............................................... 776
Figure 4-79 Networking for configuring WLAN Hotspot 2.0 services...............................................................788
Figure 4-80 Networking for configuring service holding upon WLAN CAPWAP link disconnection.............. 799
Figure 4-81 Networking for configuring channel switching without service interruption..................................806
Figure 4-82 Networking for configuring an AP to go online using a static IP address.......................................814
Figure 4-83 Networking for configuring the soft GRE service........................................................................... 818
Figure 4-84 Networking for configuring bandwidth-based multicast CAC........................................................ 828
Figure 4-85 Networking for configuring CAC based on the number of multicast group memberships............. 836
Figure 4-86 Layer 2 communication between the wireless gateway and AC implemented through EoGRE.....844
Figure 4-87 Networking for unified wired and wireless access.......................................................................... 853
Figure 4-88 Network topology............................................................................................................................ 871
Figure 4-89 Networking diagram........................................................................................................................ 933
Figure 5-1 Networking diagram for configuring 802.1x authentication........................................................... 1002
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication.................................. 1012
Figure 5-3 Networking diagram for configuring a high-density WLAN.......................................................... 1022
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services................................................. 1041
Figure 5-5 Networking for configuring vehicle-ground fast link handover...................................................... 1054
Figure 5-6 Networking for configuring an agile distributed WLAN.................................................................1070
Figure 5-7 Networking for configuring rogue device detection and containment............................................ 1078
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services..............................................1088
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services..............................................1095
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT............... 1103
Figure 5-11 Networking diagram of the device functioning as the PPPoE client..............................................1111
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1113
Figure 5-13 Networking diagram of the device functioning as the PPPoE client............................................. 1117
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1120
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode......................................... 1124
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode........................................ 1133

Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode....................................... 1142
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode...................................... 1151
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode......................................... 1161
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode........................................ 1173
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode....................................... 1184
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode...................................... 1195
Figure 5-23 Networking for configuring NAT traversal between the AC and APs.......................................... 1205
Figure 5-24 Networking for configuring VPN traversal between the AC and APs.......................................... 1215
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services............................................... 1227
Figure 5-26 Networking for configuring back-to-back WDS........................................................................... 1240
Figure 5-27 Networking for configuring mesh services.................................................................................... 1251
Figure 5-28 Networking for configuring dual-MPP Mesh services.................................................................. 1262
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces.............................1273
Figure 5-30 Networking for configuring external Portal authentication........................................................... 1278
Figure 5-31 Networking diagram for configuring Layer 2 external Portal authentication................................1288
Figure 5-32 Networking for configuring built-in Portal authentication for local users.....................................1297
Figure 5-33 Networking for configuring MAC address-prioritized Portal authentication................................ 1308
Figure 5-34 Networking diagram for configuring 802.1x authentication......................................................... 1318
Figure 5-35 Networking diagram for configuring MAC address authentication.............................................. 1328
Figure 5-36 Networking for configuring MAC authentication for local users..................................................1338
Figure 5-37 Networking for configuring user authorization based on user groups...........................................1348
Figure 5-38 Networking diagram for configuring WeChat authentication using a built-in Portal server......... 1359
Figure 5-39 Networking diagram for configuring different authentication modes for multiple SSIDs............ 1368
Figure 5-40 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)........ 1380
Figure 5-41 Networking diagram for configuring dual-link HSB..................................................................... 1393
Figure 5-42 Networking for configuring dual-link cold backup....................................................................... 1404
Figure 5-43 Networking for configuring dual-link HSB for ACs..................................................................... 1412
Figure 5-44 Configuring VRRP HSB (direct forwarding)................................................................................ 1421
Figure 5-45 Networking for configuring N+1 backup.......................................................................................1433
Figure 5-46 Networking for configuring N+1 backup.......................................................................................1445
Figure 5-47 Networking for configuring inter-VLAN Layer 3 roaming...........................................................1457
Figure 5-48 Networking for configuring intra-VLAN roaming........................................................................ 1468
Figure 5-49 Networking for configuring inter-AC Layer 2 roaming................................................................ 1479
Figure 5-50 Networking for configuring inter-AC Layer 3 roaming................................................................ 1490
Figure 5-51 Networking for configuring agile distributed SFN roaming..........................................................1502
Figure 5-52 Networking for configuring an agile distributed WLAN...............................................................1514
Figure 5-53 Networking diagram for configuring a high-density WLAN........................................................ 1522
Figure 5-54 Networking for configuring vehicle-ground fast link handover.................................................... 1542
Figure 5-55 Networking for configuring dynamic load balancing.................................................................... 1558
Figure 5-56 Networking for configuring static load balancing......................................................................... 1561
Figure 5-57 Networking for configuring Band Steering................................................................................... 1564
Figure 5-58 Networking for configuring smart roaming................................................................................... 1567

Figure 5-59 Networking for configuring spectrum analysis..............................................................................1570


Figure 5-60 Networking for configuring rogue device detection and containment.......................................... 1575
Figure 5-61 Networking for configuring attack detection................................................................................. 1584
Figure 5-62 Networking for configuring the STA blacklist and whitelist......................................................... 1595
Figure 5-63 Networking for configuring WMM and priority mapping.............................................................1604
Figure 5-64 Networking for configuring traffic policing.................................................................................. 1608
Figure 5-65 Networking for configuring airtime fair scheduling...................................................................... 1610
Figure 5-66 Networking for configuring ACL-based packet filtering.............................................................. 1613
Figure 5-67 Networking for configuring optimization for voice and video services........................................ 1616
Figure 5-68 Networking for configuring priorities for Skype4B packets......................................................... 1620
Figure 5-69 Networking for configuring the WLAN-based e-schoolbag service............................................. 1623
Figure 5-70 Networking for configuring WLAN Hotspot 2.0 services.............................................................1638
Figure 5-71 Networking for configuring service holding upon WLAN CAPWAP link disconnection............ 1652
Figure 5-72 Networking for configuring channel switching without service interruption................................1660
Figure 5-73 Networking for configuring an AP to go online using a static IP address.....................................1667
Figure 5-74 Networking for configuring the soft GRE service......................................................................... 1672
Figure 5-75 Networking for configuring CAC based on the number of multicast group memberships........... 1683
Figure 5-76 Layer 2 communication between the wireless gateway and AC implemented through EoGRE...1693

Figures

Figure 1-1 WLAN Networking................................................................................................................................2


Figure 3-1 Reference relationships between WLAN profiles............................................................................... 18
Figure 3-2 WLAN basic service configuration flowchart..................................................................................... 20
Figure 3-3 AP group.............................................................................................................................................. 21
Figure 3-4 AP group and AP................................................................................................................................. 21
Figure 3-5 Management packet forwarding...........................................................................................................40
Figure 3-6 Direct forwarding of service data packets............................................................................................41
Figure 3-7 Forwarding service data packets over a CAPWAP tunnel................................................................... 42
Figure 3-8 Forwarding service data packets over a soft GRE tunnel.................................................................... 43
Figure 3-9 Forwarding service data packets during Layer 2 roaming................................................................... 44
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming................................................. 45
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming...................................................47
Figure 4-1 Networking diagram for configuring 802.1x authentication............................................................... 51
Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication...................................... 61
Figure 4-3 Networking diagram for configuring a high-density WLAN.............................................................. 71
Figure 4-4 Networking diagram for configuring hand-in-hand WDS services..................................................... 86

Figure 4-5 Networking for configuring vehicle-ground fast link handover.......................................................... 99


Figure 4-6 Networking for configuring an agile distributed WLAN...................................................................115
Figure 4-7 Networking for configuring rogue device detection and containment.............................................. 123
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services................................................132
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services................................................138
Figure 4-10 Networking diagram for configuring STAs to access the public network through NAT.................144
Figure 4-11 AP-PC connection diagram..............................................................................................................150
Figure 4-12 AP-PC connection diagram..............................................................................................................154
Figure 4-13 AP-PC connection diagram..............................................................................................................163
Figure 4-14 Networking for configuring Layer 2 direct forwarding in inline mode........................................... 173
Figure 4-15 Networking for configuring Layer 2 tunnel forwarding in inline mode.......................................... 180
Figure 4-16 Networking for configuring Layer 2 direct forwarding in bypass mode......................................... 188
Figure 4-17 Networking for configuring Layer 2 tunnel forwarding in bypass mode........................................ 196
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in bypass mode........................................ 205
Figure 4-19 Networking for configuring Layer 3 direct forwarding in bypass mode......................................... 214
Figure 4-20 Networking for configuring Layer 3 direct forwarding in inline mode........................................... 224
Figure 4-21 Networking for configuring Layer 3 tunnel forwarding in inline mode.......................................... 234
Figure 4-22 Networking for configuring WLAN IPv4/IPv6 dual-stack services................................................243
Figure 4-23 Networking for configuring NAT traversal between the AC and APs............................................ 252
Figure 4-24 Networking for configuring VPN traversal between the AC and APs............................................ 261
Figure 4-25 Networking diagram for configuring hand-in-hand WDS services................................................. 273
Figure 4-26 Networking for configuring back-to-back WDS............................................................................. 286
Figure 4-27 Networking for configuring mesh services...................................................................................... 299
Figure 4-28 Networking for configuring dual-MPP Mesh services.................................................................... 307
Figure 4-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces...............................318
Figure 4-30 Networking diagram of the device functioning as the PPPoE client............................................... 321
Figure 4-31 Networking diagram for connecting a LAN to the Internet using an ADSL modem...................... 324
Figure 4-32 Networking for configuring external Portal authentication............................................................. 328
Figure 4-33 Networking for configuring built-in Portal authentication for local users.......................................338
Figure 4-34 Networking for configuring MAC address-prioritized Portal authentication.................................. 348
Figure 4-35 Networking diagram for configuring 802.1x authentication........................................................... 358
Figure 4-36 Networking diagram for configuring MAC address authentication................................................ 369
Figure 4-37 Networking for configuring MAC authentication for local users....................................................379
Figure 4-38 Networking for configuring user authorization based on user groups.............................................387
Figure 4-39 Networking diagram for configuring WeChat authentication using a built-in Portal server........... 397
Figure 4-40 Networking diagram for configuring different authentication modes for multiple SSIDs.............. 405
Figure 4-41 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)........................................................................................................................................................... 419
Figure 4-42 Networking diagram for configuring dual-Link HSB in load balancing mode for ACs................. 436
Figure 4-43 Networking diagram for configuring dual-link HSB....................................................................... 449
Figure 4-44 Networking for configuring dual-link cold backup......................................................................... 460
Figure 4-45 Networking for configuring dual-link HSB for ACs....................................................................... 469
Figure 4-46 Configuring VRRP HSB (direct forwarding).................................................................................. 480

Figure 4-47 Networking for configuring N+1 backup.........................................................................................496


Figure 4-48 Networking for configuring N+1 backup.........................................................................................514
Figure 4-49 Networking for configuring N+1 backup and VRRP HSB..............................................................530
Figure 4-50 Networking for configuring inter-VLAN Layer 3 roaming.............................................................557
Figure 4-51 Networking for configuring intra-VLAN roaming.......................................................................... 569
Figure 4-52 Networking for configuring inter-AC Layer 2 roaming.................................................................. 579
Figure 4-53 Networking for configuring inter-AC Layer 3 roaming.................................................................. 591
Figure 4-54 Networking for configuring agile distributed SFN roaming............................................................603
Figure 4-55 Networking for configuring an agile distributed WLAN.................................................................612
Figure 4-56 Networking diagram for configuring a high-density WLAN.......................................................... 620
Figure 4-57 Networking for configuring vehicle-ground fast link handover...................................................... 635
Figure 4-58 Networking for configuring vehicle-ground fast link handover...................................................... 651
Figure 4-59 Networking for configuring dynamic load balancing...................................................................... 669
Figure 4-60 Networking for configuring static load balancing........................................................................... 673
Figure 4-61 Networking for configuring Band Steering..................................................................................... 676
Figure 4-62 Networking for configuring smart roaming..................................................................................... 679
Figure 4-63 Networking for configuring spectrum analysis................................................................................683
Figure 4-64 Networking for configuring rogue device detection and containment............................................ 690
Figure 4-65 Networking for configuring attack detection................................................................................... 699
Figure 4-66 Networking for configuring the STA blacklist and whitelist........................................................... 709
Figure 4-67 Networking for configuring AeroScout Wi-Fi tag location............................................................. 718
Figure 4-68 Networking for configuring AeroScout MU location......................................................................723
Figure 4-69 Networking for configuring Ekahau Wi-Fi tag location.................................................................. 729
Figure 4-70 Networking for configuring Wi-Fi terminal location.......................................................................734
Figure 4-71 Networking for configuring Bluetooth terminal location................................................................ 743
Figure 4-72 Networking for configuring WMM and priority mapping...............................................................751
Figure 4-73 Networking for configuring traffic policing.................................................................................... 757
Figure 4-74 Networking for configuring airtime fair scheduling........................................................................ 760
Figure 4-75 Networking for configuring ACL-based packet filtering................................................................ 764
Figure 4-76 Networking for configuring optimization for voice and video services.......................................... 767
Figure 4-77 Networking for configuring priorities for Skype4B packets........................................................... 772
Figure 4-78 Networking for configuring the WLAN-based e-schoolbag service............................................... 776
Figure 4-79 Networking for configuring WLAN Hotspot 2.0 services...............................................................788
Figure 4-80 Networking for configuring service holding upon WLAN CAPWAP link disconnection.............. 799
Figure 4-81 Networking for configuring channel switching without service interruption..................................806
Figure 4-82 Networking for configuring an AP to go online using a static IP address.......................................814
Figure 4-83 Networking for configuring the soft GRE service........................................................................... 818
Figure 4-84 Networking for configuring bandwidth-based multicast CAC........................................................ 828
Figure 4-85 Networking for configuring CAC based on the number of multicast group memberships............. 836
Figure 4-86 Layer 2 communication between the wireless gateway and AC implemented through EoGRE.....844
Figure 4-87 Networking for unified wired and wireless access.......................................................................... 853
Figure 4-88 Network topology............................................................................................................................ 871

Figure 4-89 Networking diagram........................................................................................................................ 933


Figure 5-1 Networking diagram for configuring 802.1x authentication........................................................... 1002
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication.................................. 1012
Figure 5-3 Networking diagram for configuring a high-density WLAN.......................................................... 1022
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services................................................. 1041
Figure 5-5 Networking for configuring vehicle-ground fast link handover...................................................... 1054
Figure 5-6 Networking for configuring an agile distributed WLAN.................................................................1070
Figure 5-7 Networking for configuring rogue device detection and containment............................................ 1078
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services..............................................1088
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services..............................................1095
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT............... 1103
Figure 5-11 Networking diagram of the device functioning as the PPPoE client..............................................1111
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1113
Figure 5-13 Networking diagram of the device functioning as the PPPoE client............................................. 1117
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1120
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode......................................... 1124
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode........................................ 1133
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode....................................... 1142
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode...................................... 1151
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode......................................... 1161
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode........................................ 1173
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode....................................... 1184
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode...................................... 1195
Figure 5-23 Networking for configuring NAT traversal between the AC and APs.......................................... 1205
Figure 5-24 Networking for configuring VPN traversal between the AC and APs.......................................... 1215
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services............................................... 1227
Figure 5-26 Networking for configuring back-to-back WDS........................................................................... 1240
Figure 5-27 Networking for configuring mesh services.................................................................................... 1251
Figure 5-28 Networking for configuring dual-MPP Mesh services.................................................................. 1262
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces.............................1273
Figure 5-30 Networking for configuring external Portal authentication........................................................... 1278
Figure 5-31 Networking diagram for configuring Layer 2 external Portal authentication................................1288
Figure 5-32 Networking for configuring built-in Portal authentication for local users.....................................1297
Figure 5-33 Networking for configuring MAC address-prioritized Portal authentication................................ 1308
Figure 5-34 Networking diagram for configuring 802.1x authentication......................................................... 1318
Figure 5-35 Networking diagram for configuring MAC address authentication.............................................. 1328
Figure 5-36 Networking for configuring MAC authentication for local users..................................................1338
Figure 5-37 Networking for configuring user authorization based on user groups...........................................1348
Figure 5-38 Networking diagram for configuring WeChat authentication using a built-in Portal server......... 1359
Figure 5-39 Networking diagram for configuring different authentication modes for multiple SSIDs............ 1368
Figure 5-40 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)......................................................................................................................................................... 1380
Figure 5-41 Networking diagram for configuring dual-link HSB..................................................................... 1393

Figure 5-42 Networking for configuring dual-link cold backup....................................................................... 1404


Figure 5-43 Networking for configuring dual-link HSB for ACs..................................................................... 1412
Figure 5-44 Configuring VRRP HSB (direct forwarding)................................................................................ 1421
Figure 5-45 Networking for configuring N+1 backup.......................................................................................1433
Figure 5-46 Networking for configuring N+1 backup.......................................................................................1445
Figure 5-47 Networking for configuring inter-VLAN Layer 3 roaming...........................................................1457
Figure 5-48 Networking for configuring intra-VLAN roaming........................................................................ 1468
Figure 5-49 Networking for configuring inter-AC Layer 2 roaming................................................................ 1479
Figure 5-50 Networking for configuring inter-AC Layer 3 roaming................................................................ 1490
Figure 5-51 Networking for configuring agile distributed SFN roaming..........................................................1502
Figure 5-52 Networking for configuring an agile distributed WLAN...............................................................1514
Figure 5-53 Networking diagram for configuring a high-density WLAN........................................................ 1522
Figure 5-54 Networking for configuring vehicle-ground fast link handover.................................................... 1542
Figure 5-55 Networking for configuring dynamic load balancing.................................................................... 1558
Figure 5-56 Networking for configuring static load balancing......................................................................... 1561
Figure 5-57 Networking for configuring Band Steering................................................................................... 1564
Figure 5-58 Networking for configuring smart roaming................................................................................... 1567
Figure 5-59 Networking for configuring spectrum analysis..............................................................................1570
Figure 5-60 Networking for configuring rogue device detection and containment.......................................... 1575
Figure 5-61 Networking for configuring attack detection................................................................................. 1584
Figure 5-62 Networking for configuring the STA blacklist and whitelist......................................................... 1595
Figure 5-63 Networking for configuring WMM and priority mapping.............................................................1604
Figure 5-64 Networking for configuring traffic policing.................................................................................. 1608
Figure 5-65 Networking for configuring airtime fair scheduling...................................................................... 1610
Figure 5-66 Networking for configuring ACL-based packet filtering.............................................................. 1613
Figure 5-67 Networking for configuring optimization for voice and video services........................................ 1616
Figure 5-68 Networking for configuring priorities for Skype4B packets......................................................... 1620
Figure 5-69 Networking for configuring the WLAN-based e-schoolbag service............................................. 1623
Figure 5-70 Networking for configuring WLAN Hotspot 2.0 services.............................................................1638
Figure 5-71 Networking for configuring service holding upon WLAN CAPWAP link disconnection............ 1652
Figure 5-72 Networking for configuring channel switching without service interruption................................1660
Figure 5-73 Networking for configuring an AP to go online using a static IP address.....................................1667
Figure 5-74 Networking for configuring the soft GRE service......................................................................... 1672
Figure 5-75 Networking for configuring CAC based on the number of multicast group memberships........... 1683
Figure 5-76 Layer 2 communication between the wireless gateway and AC implemented through EoGRE...1693

Tables

Table 1 WLAN product models for carriers............................................................................................................ v


Table 2-1 Indoor settled APs....................................................................................................................................5
Table 2-2 Indoor wall plate APs...............................................................................................................................9
Table 2-3 Indoor distributed APs........................................................................................................................... 10
Table 2-4 Outdoor settled APs............................................................................................................................... 13
Table 2-5 Rail transportation APs.......................................................................................................................... 16
Table 3-1 Description of the parameter profiles.................................................................................................... 30
Table 4-1 Data planning on the AC........................................................................................................................51
Table 4-2 AC data planning................................................................................................................................... 61
Table 4-3 Data planning......................................................................................................................................... 72
Table 4-4 Adjustment recommendations............................................................................................................... 73
Table 4-5 AP data planning....................................................................................................................................86
Table 4-6 AC data planning................................................................................................................................... 86
Table 4-7 AP information.....................................................................................................................................100
Table 4-8 Data planning....................................................................................................................................... 100
Table 4-9 AC data planning................................................................................................................................. 115
Table 4-10 AC data planning............................................................................................................................... 123
Table 4-11 AC data planning................................................................................................................................173
Table 4-12 AC data planning............................................................................................................................... 181
Table 4-13 AC data planning............................................................................................................................... 188
Table 4-14 AC data planning............................................................................................................................... 196
Table 4-15 AC data planning............................................................................................................................... 205
Table 4-16 AC data planning............................................................................................................................... 215
Table 4-17 AC data planning............................................................................................................................... 224
Table 4-18 AC data planning............................................................................................................................... 234
Table 4-19 AC data planning............................................................................................................................... 244
Table 4-20 AC data planning............................................................................................................................... 252
Table 4-21 AC data planning............................................................................................................................... 261
Table 4-22 AP data planning................................................................................................................................273
Table 4-23 AC data planning............................................................................................................................... 273
Table 4-24 AP data planning................................................................................................................................286
Table 4-25 AC data planning............................................................................................................................... 287
Table 4-26 AP data planning................................................................................................................................299

Table 4-27 AC data planning
Table 4-28 AP data planning
Table 4-29 AC data planning
Table 4-30 Radio chips used by APs
Table 4-31 AC data planning
Table 4-32 AC data planning
Table 4-33 AC data planning
Table 4-34 AC data planning
Table 4-35 Data planning on the AC
Table 4-36 Data planning on the AC
Table 4-37 AC data planning
Table 4-38 Data planning on the AC
Table 4-39 AC data planning
Table 4-40 AC data planning
Table 4-41 AC data planning
Table 4-42 AC Data planning
Table 4-43 AC data planning
Table 4-44 AC data planning
Table 4-45 AC Data Planning
Table 4-46 AC data planning
Table 4-47 AC data planning
Table 4-48 AC data planning
Table 4-49 AC data planning
Table 4-50 AC data planning
Table 4-51 AC data planning
Table 4-52 AC data planning
Table 4-53 AC data planning
Table 4-54 AC data planning
Table 4-55 Data planning
Table 4-56 Adjustment recommendations
Table 4-57 AP information
Table 4-58 Data planning
Table 4-59 AP planning
Table 4-60 Data planning
Table 4-61 AC data planning
Table 4-62 AC data planning
Table 4-63 AC data planning
Table 4-64 AC data planning
Table 4-65 AC data planning
Table 4-66 AC data planning
Table 4-67 AC data planning
Table 4-68 AC data planning


Table 4-69 Data planning
Table 4-70 Data planning
Table 4-71 Data planning
Table 4-72 AC data planning
Table 4-73 Data planning
Table 4-74 AC data planning
Table 4-75 AC data planning
Table 4-76 AC data planning
Table 4-77 AC data planning
Table 4-78 AC data planning
Table 4-79 AC data planning
Table 4-80 AC data planning
Table 4-81 Data planning on the AC
Table 4-82 AC data planning
Table 4-83 AC data planning
Table 4-84 AC data planning
Table 4-85 AC data planning
Table 4-86 AC data planning
Table 4-87 AC data planning
Table 4-88 WLAN data planning
Table 4-89 EoGRE data planning
Table 4-90 Network data planning
Table 4-91 Service data planning
Table 4-92 Radio channel data planning
Table 4-93 Basic service data plan of the core switch
Table 4-94 Authentication service data plan of the core switch
Table 4-95 Service data plan of the Agile Controller
Table 4-96 Service data plan of the Srun
Table 4-97 Data plan of the egress solution and USG6600 HRP
Table 4-98 Information about customization conditions
Table 4-99 Information about authorization results
Table 4-100 Information about authorization rules
Table 4-101 Basic service data plan of the core switch
Table 4-102 Basic service data plan of the NGFW module
Table 4-103 Basic service data plan of the aggregation switch S12700
Table 4-104 Basic service data plan of the aggregation switch S7700
Table 4-105 Basic service data plan of the aggregation switch S12700 or S7700
Table 4-106 Service data plan of the Agile Controller
Table 4-107 Service data plan of the Srun
Table 4-108 Data plan of the egress solution and USG6600 HRP
Table 5-1 Data planning on the AC
Table 5-2 AC data planning


Table 5-3 Data planning
Table 5-4 Adjustment recommendations
Table 5-5 AP data planning
Table 5-6 AC data planning
Table 5-7 AP information
Table 5-8 Data planning
Table 5-9 AC data planning
Table 5-10 AC data planning
Table 5-11 AC data planning
Table 5-12 AC data planning
Table 5-13 AC data planning
Table 5-14 AC data planning
Table 5-15 AC data planning
Table 5-16 AC data planning
Table 5-17 AC data planning
Table 5-18 AC data planning
Table 5-19 AC data planning
Table 5-20 AC data planning
Table 5-21 AC data planning
Table 5-22 AC data planning
Table 5-23 AC data planning
Table 5-24 AC data planning
Table 5-25 AP data planning
Table 5-26 AC data planning
Table 5-27 AP data planning
Table 5-28 AC data planning
Table 5-29 AP data planning
Table 5-30 AC data planning
Table 5-31 Radio chips used by APs
Table 5-32 AP data planning
Table 5-33 AC data planning
Table 5-34 Radio chips used by APs
Table 5-35 AC data planning
Table 5-36 AC data planning
Table 5-37 AC data planning
Table 5-38 AC data planning
Table 5-39 Data planning on the AC
Table 5-40 Data planning on the AC
Table 5-41 AC data planning
Table 5-42 Data planning on the AC
Table 5-43 AC data planning
Table 5-44 AC data planning


Table 5-45 AC Data planning
Table 5-46 AC data planning
Table 5-47 AC data planning
Table 5-48 AC Data Planning
Table 5-49 AC data planning
Table 5-50 AC data planning
Table 5-51 AC data planning
Table 5-52 AC data planning
Table 5-53 AC data planning
Table 5-54 AC data planning
Table 5-55 AC data planning
Table 5-56 AC data planning
Table 5-57 Data planning
Table 5-58 Adjustment recommendations
Table 5-59 AP information
Table 5-60 Data planning
Table 5-61 AC data planning
Table 5-62 AC data planning
Table 5-63 AC data planning
Table 5-64 AC data planning
Table 5-65 AC data planning
Table 5-66 AC data planning
Table 5-67 AC data planning
Table 5-68 AC data planning
Table 5-69 AC data planning
Table 5-70 AC data planning
Table 5-71 AC data planning
Table 5-72 AC data planning
Table 5-73 AC data planning
Table 5-74 AC data planning
Table 5-75 AC data planning
Table 5-76 Data planning on the AC
Table 5-77 AC data planning
Table 5-78 AC data planning
Table 5-79 AC data planning
Table 5-80 AC data planning
Table 5-81 AC data planning
Table 5-82 WLAN data planning
Table 5-83 EoGRE data planning

Tables


Table 1 WLAN product models for carriers
Table 2-1 Indoor settled APs
Table 2-2 Indoor wall plate APs
Table 2-3 Indoor distributed APs
Table 2-4 Outdoor settled APs
Table 2-5 Rail transportation APs
Table 3-1 Description of the parameter profiles
Table 4-1 Data planning on the AC
Table 4-2 AC data planning
Table 4-3 Data planning
Table 4-4 Adjustment recommendations
Table 4-5 AP data planning
Table 4-6 AC data planning
Table 4-7 AP information
Table 4-8 Data planning
Table 4-9 AC data planning
Table 4-10 AC data planning
Table 4-11 AC data planning
Table 4-12 AC data planning
Table 4-13 AC data planning
Table 4-14 AC data planning
Table 4-15 AC data planning
Table 4-16 AC data planning
Table 4-17 AC data planning............................................................................................................................... 224
Table 4-18 AC data planning............................................................................................................................... 234
Table 4-19 AC data planning
Table 4-20 AC data planning
Table 4-21 AC data planning
Table 4-22 AP data planning
Table 4-23 AC data planning
Table 4-24 AP data planning
Table 4-25 AC data planning
Table 4-26 AP data planning
Table 4-27 AC data planning
Table 4-28 AP data planning
Table 4-29 AC data planning
Table 4-30 Radio chips used by APs
Table 4-31 AC data planning
Table 4-32 AC data planning
Table 4-33 AC data planning
Table 4-34 AC data planning
Table 4-35 Data planning on the AC


Table 4-36 Data planning on the AC
Table 4-37 AC data planning
Table 4-38 Data planning on the AC
Table 4-39 AC data planning
Table 4-40 AC data planning
Table 4-41 AC data planning
Table 4-42 AC Data planning
Table 4-43 AC data planning
Table 4-44 AC data planning
Table 4-45 AC Data Planning
Table 4-46 AC data planning
Table 4-47 AC data planning
Table 4-48 AC data planning
Table 4-49 AC data planning
Table 4-50 AC data planning
Table 4-51 AC data planning
Table 4-52 AC data planning
Table 4-53 AC data planning
Table 4-54 AC data planning
Table 4-55 Data planning
Table 4-56 Adjustment recommendations
Table 4-57 AP information
Table 4-58 Data planning
Table 4-59 AP planning
Table 4-60 Data planning
Table 4-61 AC data planning
Table 4-62 AC data planning
Table 4-63 AC data planning
Table 4-64 AC data planning
Table 4-65 AC data planning
Table 4-66 AC data planning
Table 4-67 AC data planning
Table 4-68 AC data planning
Table 4-69 Data planning
Table 4-70 Data planning
Table 4-71 Data planning
Table 4-72 AC data planning
Table 4-73 Data planning
Table 4-74 AC data planning
Table 4-75 AC data planning
Table 4-76 AC data planning
Table 4-77 AC data planning


Table 4-78 AC data planning
Table 4-79 AC data planning
Table 4-80 AC data planning
Table 4-81 Data planning on the AC
Table 4-82 AC data planning
Table 4-83 AC data planning
Table 4-84 AC data planning
Table 4-85 AC data planning
Table 4-86 AC data planning
Table 4-87 AC data planning
Table 4-88 WLAN data planning
Table 4-89 EoGRE data planning
Table 4-90 Network data planning
Table 4-91 Service data planning
Table 4-92 Radio channel data planning
Table 4-93 Basic service data plan of the core switch
Table 4-94 Authentication service data plan of the core switch
Table 4-95 Service data plan of the Agile Controller
Table 4-96 Service data plan of the Srun
Table 4-97 Data plan of the egress solution and USG6600 HRP
Table 4-98 Information about customization conditions
Table 4-99 Information about authorization results
Table 4-100 Information about authorization rules
Table 4-101 Basic service data plan of the core switch
Table 4-102 Basic service data plan of the NGFW module
Table 4-103 Basic service data plan of the aggregation switch S12700
Table 4-104 Basic service data plan of the aggregation switch S7700
Table 4-105 Basic service data plan of the aggregation switch S12700 or S7700
Table 4-106 Service data plan of the Agile Controller
Table 4-107 Service data plan of the Srun
Table 4-108 Data plan of the egress solution and USG6600 HRP
Table 5-1 Data planning on the AC
Table 5-2 AC data planning
Table 5-3 Data planning
Table 5-4 Adjustment recommendations
Table 5-5 AP data planning
Table 5-6 AC data planning
Table 5-7 AP information
Table 5-8 Data planning
Table 5-9 AC data planning
Table 5-10 AC data planning
Table 5-11 AC data planning


Table 5-12 AC data planning
Table 5-13 AC data planning
Table 5-14 AC data planning
Table 5-15 AC data planning
Table 5-16 AC data planning
Table 5-17 AC data planning
Table 5-18 AC data planning
Table 5-19 AC data planning
Table 5-20 AC data planning
Table 5-21 AC data planning
Table 5-22 AC data planning
Table 5-23 AC data planning
Table 5-24 AC data planning
Table 5-25 AP data planning
Table 5-26 AC data planning
Table 5-27 AP data planning
Table 5-28 AC data planning
Table 5-29 AP data planning
Table 5-30 AC data planning
Table 5-31 Radio chips used by APs
Table 5-32 AP data planning
Table 5-33 AC data planning
Table 5-34 Radio chips used by APs
Table 5-35 AC data planning
Table 5-36 AC data planning
Table 5-37 AC data planning
Table 5-38 AC data planning
Table 5-39 Data planning on the AC
Table 5-40 Data planning on the AC
Table 5-41 AC data planning
Table 5-42 Data planning on the AC
Table 5-43 AC data planning
Table 5-44 AC data planning
Table 5-45 AC Data planning
Table 5-46 AC data planning
Table 5-47 AC data planning
Table 5-48 AC Data Planning
Table 5-49 AC data planning
Table 5-50 AC data planning
Table 5-51 AC data planning
Table 5-52 AC data planning
Table 5-53 AC data planning


Table 5-54 AC data planning
Table 5-55 AC data planning
Table 5-56 AC data planning
Table 5-57 Data planning
Table 5-58 Adjustment recommendations
Table 5-59 AP information
Table 5-60 Data planning
Table 5-61 AC data planning
Table 5-62 AC data planning
Table 5-63 AC data planning
Table 5-64 AC data planning
Table 5-65 AC data planning
Table 5-66 AC data planning
Table 5-67 AC data planning
Table 5-68 AC data planning
Table 5-69 AC data planning
Table 5-70 AC data planning
Table 5-71 AC data planning
Table 5-72 AC data planning
Table 5-73 AC data planning
Table 5-74 AC data planning
Table 5-75 AC data planning
Table 5-76 Data planning on the AC
Table 5-77 AC data planning
Table 5-78 AC data planning
Table 5-79 AC data planning
Table 5-80 AC data planning
Table 5-81 AC data planning
Table 5-82 WLAN data planning
Table 5-83 EoGRE data planning


1 Introduction to WLAN

WLAN Deployment
WLAN deployment is affected by technical factors and non-technical factors. Technical
factors include signal interference and wired network quality. Non-technical factors include
local laws and property management policies. Before deploying a WLAN, ensure that:
- The 2.4 GHz and 5 GHz frequency bands are allowed by local laws.
- The property management policy permits WLAN deployment.


WLAN Infrastructure

Figure 1-1 WLAN Networking

As shown in Figure 1-1, a WLAN consists of access points (APs), PoE switches, access
controllers (ACs), a Remote Authentication Dial In User Service (RADIUS) server, and a
network management system (NMS).
- AP: WLAN access device. Huawei provides a series of fit APs to meet indoor and
  outdoor networking requirements.
- PoE switch: upstream device for APs. It provides data switching and power for APs. If
  only one AC is required and the AC has PoE ports, the PoE switch is not required.
- AC: manages APs and controls the rights of WLAN users.
- RADIUS server: authenticates WLAN users and assigns rights to them. The RADIUS
  server is installed on the SPES server.
- NMS: manages APs and ACs. It monitors the status of ACs and APs in real time, processes
  alarms, and analyzes data.


2 Product Overview

2.1 AC Products Overview


Introduction to ACU2
An ACU2 is a WLAN service card installed on a chassis switch such as an
S7700, S9700, or S12700 switch.
The ACU2 provides the following functions:
- Centralized configuration and management of APs
- WLAN user access control (authentication and authorization)
- WLAN service configuration and delivery
- Integrated DHCP server to assign addresses to STAs
- Traffic management, congestion control, forwarding and scheduling of data packets

Introduction to AC6005
The Huawei AC6005 series (AC6005 for short) consists of access controllers (ACs) that
provide wireless access on MANs and enterprise networks. The AC6005 has a large capacity
and high performance. It is highly reliable, easy to install and maintain, and offers
flexible networking and energy conservation.
The Huawei AC6005 series has two models: AC6005-8 and AC6005-8-PWR.
The AC6005 has the following features:
- AC6005-8-PWR provides PoE power (15.4 W) for 8 interfaces or PoE+ power (30 W)
  for 4 interfaces so that APs can directly connect to these interfaces.
- Has various user policy management and authority control capabilities.
- Can be managed using the eSight, web system, or command line interface.

Introduction to AC6605
The Huawei AC6605-26-PWR (AC6605 for short) is an access controller (AC) that provides
wireless access on MANs and enterprise networks. The AC6605 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and offers
flexible networking and energy conservation.
The AC6605 has the following features:
- Has the access and aggregation functions.
- Provides PoE power (15.4 W) or PoE+ power (30 W) on 24 interfaces, and can directly
  connect to APs.
- Has various user policy management and authority control capabilities.
- Supports redundancy backup and hot swapping of AC or DC power supplies, ensuring
  long-term operation.
- Can be maintained using the eSight, web system, or command line interface.

Introduction to AC6800V
The Huawei AC6800V is an x86-based access controller (AC). The AC6800V has a large
capacity and high performance. It is highly reliable, easy to install and maintain, and
offers flexible networking and energy conservation.
The AC6800V has the following features:
- Has various user policy management and authority control capabilities.
- Can be managed using the eSight, web system, or command line interface.

Version

NOTICE
Before configuring the WLAN, ensure that the AC and AP versions match. Otherwise, APs
cannot go online. If the AC and AP versions do not match, upgrade the AC or AP. For
details about the upgrade, see the related product upgrade guides.

2.2 AP Products Overview


Huawei offers many WLAN AP products, and you can select AP products according to
project requirements or customer demands. This section describes mainstream AP products.
For details about specifications and features of various AP products, see the documentation of
the specific products.
WLAN APs are classified into the following types depending on their usage scenarios: indoor
settled APs, indoor wall plate APs, indoor distributed APs, outdoor settled APs, and rail
transportation APs.
- Indoor settled APs: applicable to small to medium coverage scenarios, for example,
  multimedia classrooms, open office areas, and meeting rooms.


Table 2-1 Indoor settled APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
|---|---|---|---|---|---|
| AP1050DN-S | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 20; 5G: 20 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP3030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional antenna | 802.3af/at |
| AP3010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 20; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP4030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional antenna | 802.3af/at |
| AP4030TN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional antenna | 802.3at |
| AP4050DN-E | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3at |
| AP4050DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4050DN-S | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4051DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4050DN-HD | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 22; 5G: 22 | Built-in dual-band directional antenna (beamwidth: 30 degrees) | 802.3af/at |
| AP4051TN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G. The AP supports three radios, including one 5 GHz radio and two radios that can switch between the 2.4 GHz and 5 GHz frequency bands. | 2.4G: 23; 5G (Radio 1): 22; 5G (Radio 2): 23 | Built-in omnidirectional antenna | 802.3af/at |
| AP4130DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | External dual-band combined antenna | 802.3af/at |
| AP4151DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | External dual-band combined antenna | 802.3af/at |
| AP5010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 20; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP5010SN-GN | 802.11b/g/n | 2.4G | 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP5030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | Built-in omnidirectional antenna | 802.3af/at |
| AP5130DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | External dual-band combined antenna | 802.3af/at |
| AP6010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional antenna | 802.3af/at |
| AP6010SN-GN | 802.11b/g/n | 2.4G | 23 | Built-in omnidirectional antenna | 802.3af/at |

AP6050DN 802.11a/b/g 2.4G/5G l 2.4G: 26 Built-in 802.3at


/n/ac/ac l 5G: 26 omnidirecti
Wave 2 onal dual-
band
antenna

AP6052DN 802.11a/b/g 2.4G/5G l 2.4G/5G Built-in 802.3at/bt


/n/ac/ac The AP (switcha omnidirecti
Wave 2 supports 2.4 ble): onal dual-
GHz & 5 26/21 band
GHz dual l 5G antenna
band dual (non-
concurrent switchab
(DBDC), le):24
and can
work in
dual-5G
mode.

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 7


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 2 Product Overview

Model IEEE Frequency Transmit Antenna PoE-In


Standards Band Power Type Mode
Complian Supported (Combine
ce d Power in
dBm)

AP6150DN 802.11a/b/g 2.4G/5G l 2.4G: 26 External 802.3at


/n/ac/ac l 5G: 26 omnidirecti
Wave 2 onal dual-
band
antenna

AP7030DE 802.11a/b/g 2.4G/5G l 2.4G: 25 Built-in 802.3at


/n/ac l 5G: 21 dual-band
smart
antenna

AP7050DE 802.11a/b/g 2.4G/5G l 2.4G: 26 Built-in 802.3at


/n/ac/ac l 5G: 27 dual-band
Wave 2 smart
antenna

AP7050DN 802.11a/b/g 2.4G/5G l 2.4G: 23 Built-in UPoE


-E /n/ac/ac l 5G: 27 dual-band
Wave 2 omnidirecti
onal
antenna

AP7052DE 802.11a/b/g 2.4G/5G l 2.4G: 29 Built-in 802.3at/bt


/n/ac/ac l 5G: 28 dual-band
Wave 2 smart
antenna

AP7052DN 802.11a/b/g 2.4G/5G l 2.4G/5G Built-in 802.3at/bt


/n/ac/ac The AP (switcha omnidirecti
Wave 2 supports 2.4 ble): onal dual-
GHz & 5 26/21 band
GHz dual l 5G antenna
band dual (non-
concurrent switchab
(DBDC), le): 24
and can
work in
dual-5G
mode.

AP7110DN 802.11a/b/g 2.4G/5G l 2.4G: 25 Removable 802.3at


-AGN /n l 5G: 25 RP-SMA
antenna

AP7110SN- 802.11b/g/n 2.4G 25 Removable 802.3af/at


GN RP-SMA
antenna

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 8


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 2 Product Overview

Model IEEE Frequency Transmit Antenna PoE-In


Standards Band Power Type Mode
Complian Supported (Combine
ce d Power in
dBm)

AP7152DN 802.11a/b/g 2.4G/5G l 2.4G/5G External 802.3at/bt


/n/ac/ac The AP (switcha omnidirecti
Wave 2 supports 2.4 ble): onal dual-
GHz & 5 26/21 band
GHz dual l 5G antenna
band dual (non-
concurrent switchab
(DBDC), le): 24
and can
work in
dual-5G
mode.

- Indoor wall plate APs: applicable to hotels, apartments, and offices.

Table 2-2 Indoor wall plate APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP2010DN | 802.11a/b/g/n | 2.4G/5G (working only on one frequency band at one time) | 2.4G: 19; 5G: 17 | Built-in omnidirectional antenna | 802.3af/at |
| AP2030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP2050DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP2050DN-E | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AP2051DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in smart antenna | 802.3af/at |
| AP2051DN-E | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in smart antenna | 802.3af/at |

- Indoor distributed APs: applicable to medium-scale coverage scenarios that are subject
  to coverage holes or important public places, such as hotels, airports, and conference
  halls. Indoor distributed APs are not applicable to networks that require high capacities.

Table 2-3 Indoor distributed APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP6310SN-GN | 802.11b/g/n | 2.4G | 27 | External antennas (depending on the antenna type used by the indoor antenna system) | 802.3af/at |
| AP9330DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 21 | External antennas. The AP has a total of twelve antenna ports which use RP-SMA-K connectors (outside thread, central pin), applicable to indoor distribution scenarios. | 802.3at |
| AD9430DN and AD9431DN-24X (used together with the R230D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 20; 5G: 18 | Built-in omnidirectional antenna | 802.3af |
| AD9430DN and AD9431DN-24X (used together with the R240D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AD9430DN and AD9431DN-24X (used together with the R250D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AD9430DN and AD9431DN-24X (used together with the R250D-E) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in omnidirectional antenna | 802.3af/at |
| AD9430DN and AD9431DN-24X (used together with the R251D) | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in smart antenna | 802.3af/at |
| AD9430DN and AD9431DN-24X (used together with the R251D-E) | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in smart antenna | 802.3af/at |
| AD9430DN and AD9431DN-24X (used together with the R450D) | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |

- Outdoor settled APs: applicable to open outdoor areas with high user densities, such as
  squares, residential communities, schools, dormitories, and enterprise campuses, or
  outdoor places that have high demands for wireless access, such as pedestrian malls.

Table 2-4 Outdoor settled APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP6510DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 26; 5G: 20 | Dipole antennas or common outdoor antennas | 802.3at |
| AP6610DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 27; 5G: 24 | Dipole antennas or common outdoor antennas | - |
| AP8030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 28; 5G: 26 | Built-in directional antenna. Horizontal lobe: 60°; vertical lobe: 30° | 802.3at |
| AP8050DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 27; 5G: 26 | Built-in directional antenna. Horizontal lobe: 60°; vertical lobe: 30° | 802.3at |
| AP8050DN-S | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 27; 5G: 26 | Built-in directional antenna. Horizontal lobe: 60°; vertical lobe: 30° | 802.3at |
| AP8050TN-HD | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G. The AP supports three radios that provide services at the same time. | 2.4G: 21; 5G (5150 MHz to 5350 MHz): 20; 5G (5490 MHz to 5850 MHz): 21 | Built-in directional antenna. 2.4G: horizontal lobe 40°, vertical lobe 40°; 5G: horizontal lobe 27°, vertical lobe 27° | 802.3at/af |
| AP8082DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G | 2.4G: 29; 5G: 28 | Built-in directional antenna. Horizontal lobe: 60°; vertical lobe: 30° | 802.3at/bt |
| AP8130DN | 802.11a/b/g/n/ac | 2.4G/5G. The AP supports 2.4G-to-5G switchover and can work in dual-5G mode. | 2.4G: 28; 5G: 26 | Outdoor external antenna | 802.3at |
| AP8130DN-W | 802.11a/b/g/n/ac | 2.4G/5G. The 4.9 GHz frequency band is contained in 5 GHz radios. | 2.4G: 28; 5G: 26 | Outdoor external antenna | 802.3at |
| AP8150DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G. The AP supports 2.4G-to-5G switchover and can work in dual-5G mode. | 2.4G: 26; 5G: 24 | Outdoor external antenna | 802.3at |
| AP8182DN | 802.11a/b/g/n/ac/ac Wave 2 | 2.4G/5G. The AP supports 2.4G-to-5G switchover and can work in dual-5G mode. | 2.4G: 28; 5G: 27 | Outdoor external antenna | 802.3at/bt |
| AT815SN | 802.11a/n | 5G | 5G: 26 | Built-in directional antenna. Horizontal lobe: 45°; vertical lobe: 15° | 802.3af/at |

- Rail transportation APs: applicable to train-ground backhaul and compartment coverage
  scenarios.

Table 2-5 Rail transportation APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP9131DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | External dual-band combined antenna (QMA x 3) | 802.3at |
| AP9132DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 26; 5G: 25 | External antennas. Split mode: 2.4G antenna (QMA x 3), 5G antenna (QMA x 3). Combined mode: dual-band combined antenna (QMA x 3) | 802.3at |

NOTE

The actual transmit power depends on local laws and regulations.

Product Versions

NOTICE
Before performing WLAN configurations, ensure that the versions of the AC and APs match;
otherwise, the APs may fail to go online. If the versions of the AC and APs do not match,
upgrade the AC or APs. For the detailed upgrade procedure, see the upgrade guide of the
related products.

3 WLAN Configuration

3.1 WLAN Service Configuration Procedure


3.1.1 Reference Relationships Between WLAN Profiles
Various profiles are designed based on different functions and features of WLAN networks to
help users configure and maintain functions of WLAN networks. These profiles are called
WLAN profiles. Figure 3-1 shows the referencing relationships between WLAN profiles. By
getting to know the referencing relationships, users can easily grasp the configuration
roadmap of WLAN profiles and complete their configurations.
As shown in Figure 3-1, the following profiles can be bound to the AP group and AP: radio
profile, VAP profile, Location profile, regulatory domain profile, AP system profile, WIDS
profile, AP wired port profile, WDS profile, and Mesh profile. Some of the listed profiles can
further reference other profiles, for example, the radio profile can reference an air scan profile
and an RRM profile.

Figure 3-1 Reference relationships between WLAN profiles

[Diagram not reproduced. Profiles shown in the figure, attached to the AP group and AP:
regulatory domain profile*, radio profile*, air scan profile*, RRM profile*, VAP profile*,
SSID profile*, security profile*, traffic profile*, authentication profile*, 802.1x access
profile*, Portal access profile*, MAC access profile*, authentication-free rule profile*,
attack defense profile, URL-filter profile, antivirus profile, intrusion prevention profile,
user profile, UCC profile, Soft-GRE profile, STA blacklist profile, STA whitelist profile,
SAC profile, Hotspot2.0 profile, cellular network profile, roaming consortium profile,
NAI realm profile, connection capability profile, operator domain profile, operator name
profile, venue name profile, operating class profile, AP system profile*, WMI profile,
AP wired port profile*, AP wired port link profile*, WIDS profile*, WIDS spoof SSID profile,
WIDS whitelist profile, Location profile, BLE profile, WDS profile*, WDS whitelist profile,
Mesh profile*, Mesh handover profile*, Mesh whitelist profile.]

NOTE

- The profiles marked with * can be configured as default profiles.
- AP provisioning profiles cannot be referenced by other profiles and are only used to deliver
  configurations to specified APs or AP groups. Therefore, this figure does not show AP provisioning
  profiles.
- An AP radio can directly reference some profiles, including the radio profile, VAP profile, WDS profile,
  WDS whitelist profile, Mesh profile, and Mesh whitelist profile.
- The IoT profiles are directly referenced in the IoT card interface view and are not displayed.

WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.

NOTE

- If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
  group or AP.
- Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
  Configurations in other WLAN profiles are automatically delivered to APs.

For example, to configure air interface scan parameters, you can configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 3-1. The configurations of air interface scan parameters
are automatically delivered to APs and take effect. If referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are automatically
delivered to APs.

3.1.2 WLAN Basic Service Configuration Procedure


You can follow the procedure in Figure 3-2 to configure WLAN basic services.
The WLAN basic service configuration procedure includes the following steps:
1. Create an AP group.
2. Configure network interconnection.
3. Configure system parameters for the AC.
4. Configure the AC to deliver WLAN services to Fit APs.

Figure 3-2 WLAN basic service configuration flowchart

[Flowchart not reproduced. Boxes shown in the figure:]
- Create an AP group
- Configure network interconnection: Configure the DHCP server; Configure device connectivity
- Configure the AC to manage Fit APs
- Configure system parameters for the AC: Configure a country code (in a regulatory domain
  profile); Configure the AC's source interface; Set the AP authentication mode and configure
  APs to go online
- Configure the AC to deliver WLAN services to Fit APs: Configure basic radio parameters (on
  radios); Create an SSID profile; Create a security profile; Create a radio profile; Bind;
  Create a VAP profile; Bind; AP or AP group

3.1.3 AP Group and AP

To simplify the configuration of a large number of APs, you can add them to an AP group and
perform centralized configuration.

However, some APs may need configurations that differ from those of the other APs. Such
configurations cannot be performed uniformly in the AP group, but they can be performed
directly on each AP.

Each AP must join exactly one AP group when going online. If an AP obtains both AP
group configurations and AP-specific configurations from an AC, the AP-specific
configurations are preferentially used.
- If no configuration is available on the AP itself, the AP uses the configurations in the AP
  group.
- If configurations are available on the AP, the AP uses these configurations preferentially.
  However, if the configurations are incomplete, the AP obtains the configurations that do
  not exist on itself from the AP group.
- Performance of APs in an AP group may vary according to the model. If the unified
  configuration delivered to the AP group is not supported by an AP in the group, the
  configuration does not take effect for this AP.

As shown in Figure 3-3, the AP with ID 1 does not find any configurations on itself;
therefore, the AP uses all WLAN configurations in the AP group a to which it belongs.

Figure 3-3 AP group

[Figure not reproduced. Content shown in the figure:]
- AP group name: a. Regulatory domain profile name: a; country code: CN; VAP profile name: a;
  SSID profile: a; AP system profile: a; other profiles.
- AP ID: 1; name of the AP group to which it belongs: a. AP 1 does not find any
  configurations on itself, so it uses all configurations in the AP group.

As shown in Figure 3-4, the AP with ID 101 finds configurations on itself so the AP
preferentially uses the configurations. Since there is only regulatory domain profile
configuration on the AP, the AP acquires other configurations in AP group a to which it
belongs, for example, VAP profile, AP system profile, and other profiles shown in the
following figure.

Figure 3-4 AP group and AP

[Figure not reproduced. Content shown in the figure:]
- AP ID: 101; name of the AP group to which it belongs: a. Configuration on the AP:
  regulatory domain profile name: b; country code: US.
- AP group name: a. Regulatory domain profile name: a; country code: CN; VAP profile name: a;
  SSID profile: a; AP system profile: a; other profiles.
- Callout 1: The AP finds regulatory domain profile configuration on itself and
  preferentially uses the configuration.
- Callout 2: The configurations on the AP are incomplete. The AP acquires the other
  configurations in the AP group.
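
The binding rule from section 3.1.1 (a profile takes effect only when it is reachable from an AP group or AP) and the precedence rules from section 3.1.3 can be checked offline with a small model. The following Python sketch is an added example, not part of the Huawei document or of any Huawei tool; the profile names (r2g, r5g, scan1, scan2, rrm1, sec1, wids1, wl1), AP 102, and the one-profile-per-type binding model are constructed assumptions, while AP 1, AP 101 and the model bands follow Figures 3-3 and 3-4 and Table 2-1.

```python
from collections import deque

# Constructed sample data (not a device export). A profile is keyed by (type, name).
# REFERENCES maps a profile to the profiles it references.
REFERENCES = {
    ("radio-2g", "r2g"): [("air-scan", "scan1"), ("rrm", "rrm1")],
    ("radio-5g", "r5g"): [("air-scan", "scan1"), ("rrm", "rrm1")],
    ("vap", "a"): [("ssid", "a"), ("security", "sec1")],
    ("wids", "wids1"): [("wids-whitelist", "wl1")],  # configured but never bound
    ("air-scan", "scan2"): [],                       # not referenced by a radio profile
    ("regulatory-domain", "a"): [],
    ("regulatory-domain", "b"): [],
    ("ap-system", "a"): [],
}

# AP group bindings; simplification: one profile per profile type.
GROUPS = {"a": {"regulatory-domain": "a", "radio-2g": "r2g", "radio-5g": "r5g",
                "vap": "a", "ap-system": "a"}}

# AP 1 and AP 101 mirror Figures 3-3 and 3-4; AP 102 is a constructed 2.4G-only AP.
APS = {
    1: {"group": "a", "model": "AP4050DN", "own": {}},
    101: {"group": "a", "model": "AP4050DN", "own": {"regulatory-domain": "b"}},
    102: {"group": "a", "model": "AP5010SN-GN", "own": {}},
}

# Frequency bands per model, taken from Table 2-1.
MODEL_BANDS = {"AP4050DN": {"2g", "5g"}, "AP5010SN-GN": {"2g"}}
SLOT_BAND = {"radio-2g": "2g", "radio-5g": "5g"}


def resolve_bindings(ap_id):
    """Return {profile_type: (name, source)}; source is 'ap', 'group' or 'unsupported'."""
    ap = APS[ap_id]
    merged = {slot: (name, "group") for slot, name in GROUPS[ap["group"]].items()}
    # AP-specific configuration is used preferentially; gaps are filled from the group.
    merged.update({slot: (name, "ap") for slot, name in ap["own"].items()})
    # Configuration the AP model does not support does not take effect on that AP.
    for slot, (name, _source) in list(merged.items()):
        band = SLOT_BAND.get(slot)
        if band and band not in MODEL_BANDS[ap["model"]]:
            merged[slot] = (name, "unsupported")
    return merged


def effective_profiles(ap_id):
    """Profiles in effect on the AP: bound profiles plus everything they reference."""
    queue = deque((slot, name)
                  for slot, (name, source) in resolve_bindings(ap_id).items()
                  if source != "unsupported")
    seen = set()
    while queue:
        profile = queue.popleft()
        if profile in seen:
            continue
        seen.add(profile)
        queue.extend(REFERENCES.get(profile, []))
    return seen


def inactive_profiles():
    """Configured profiles that take effect on no AP (unbound or unreferenced)."""
    configured = set(REFERENCES)
    for refs in REFERENCES.values():
        configured.update(refs)
    active = set()
    for ap_id in APS:
        active |= effective_profiles(ap_id)
    return sorted(configured - active)


if __name__ == "__main__":
    for ap_id in APS:
        print(ap_id, resolve_bindings(ap_id))
    print("configured but not in effect:", inactive_profiles())
```

In an audit, the `inactive_profiles()` result is the part to review first: a WIDS or air scan profile that appears there has been configured but is not protecting any AP.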

3.1.4 Regulatory Domain Profile

A regulatory domain profile provides configurations of country code, calibration channel, and
calibration bandwidth for an AP.
- A country code identifies the country to which AP radios belong. Different countries
  support different AP radio attributes, including the transmit power and supported
  channels. Correct country code configuration ensures that radio attributes of APs comply
  with laws and regulations of countries and regions to which the APs are delivered. For
  details, see Configuring Country Codes in the Configuration-WLAN Service
  Configuration Guide.
- A calibration channel set limits the dynamic AP channel adjustment range when the
  radio calibration function is configured. Radar channels and the channels that are not
  supported by STAs are avoided. For details, see Radio Resource Management
  Configuration Guide in the Configuration.
- The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz
  channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz
  channels. Different calibration bandwidths support different calibration channels. Larger-
  bandwidth channels mean higher transmission rates. However, at least three channels are
  required in radio calibration to achieve the optimal calibration effect. When configuring
  the calibration bandwidth, ensure that enough calibration channels are available for use.
  For details, see Radio Resource Management Configuration Guide in the Configuration.

3.1.5 Radio Profile

Radio profiles are used to optimize radio parameters, and control the in-service channel
switching function. For details, see Configuring a Radio in the Configuration-WLAN Service
Configuration Guide.

Radio profiles are divided into 2G and 5G radio profiles. 2G and 5G radio profiles apply to
2.4 GHz and 5 GHz radios respectively. The differences between configurations of 2G and 5G
radio profiles are as follows:
- 2G radio profiles allow you to configure the 802.11bg basic rate set and supported rate
  set.
- 5G radio profiles allow you to configure the 802.11a basic rate set and supported rate set,
  and perform 802.11ac-related configurations.

Radio profiles can reference air scan profiles and RRM profiles.
- Air scan profiles are designed for radio calibration, spectrum analysis, location, and
  WIDS data analysis. APs periodically scan radio signals in their surrounding
  environment and report the collected information to ACs or servers.
- RRM profiles are designed to maintain optimal radio resource utilization. They enable
  APs to check the surrounding radio environment, dynamically adjust working channels
  and transmit power, and evenly distribute access users. This function helps adjust radio
  coverage, reduce radio signal interference, and enable a wireless network to quickly
  adapt to changes in the radio environment. With the radio resource management
  function, the wireless network can provide high service quality for wireless users. For
  details, see Radio Resource Management Configuration Guide in the Configuration.

3.1.6 Air Scan Profile

The air scan profile is used for radio calibration, spectrum analysis, WLAN device location,
and Wireless Intrusion Detection System (WIDS) data analysis. An AP periodically scans
surrounding radio signals and reports the collected information to an AC or server.
- Radio calibration
  An authorized AP scans surrounding radio signals, collects information about
  surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
  information to an AC.
  For the detailed configuration, see Configuring Radio Calibration in the Configuration-
  Radio Resource Management Configuration Guide.
- Spectrum analysis
  An AP detects different types of interference sources on wireless networks, and
  displays the information to users. Users can then use the information to locate these
  interference sources. This function improves user experience.
  For the detailed configuration, see Configuring Spectrum Analysis in the Configuration-
  Spectrum Analysis Configuration Guide.
- WLAN device location
  An AP collects radio signals, and reports the location information to the positioning
  server. Alternatively, the AP can send the location information to the AC, which filters
  the information and sends the filtered information to the positioning server. An AP can
  collect radio signals in either of the two modes:
  - The AP collects Received Signal Strength Indicator (RSSI) information of WLAN
    terminals and rogue APs and reports the information to the positioning server. The
    information is then used to locate WLAN terminals or rogue APs.
  - An AP scans spectrums and reports fast Fourier transform (FFT) results of radio
    signals to an AC. The information is then used to identify non-Wi-Fi interference
    sources.
  For the detailed configuration, see Configuring Wi-Fi Tag Location in the Configuration.
- WIDS data analysis
  A monitor AP scans channels, collects information about neighboring wireless devices
  by listening to the WLAN packets they send, and periodically reports the collected
  information to an AC. The AC then uses the information to identify rogue devices.
  For the detailed configuration, see Configuring Device Detection in the Configuration-
  WLAN Security Configuration Guide.
The air scan profile takes effect only after it is referenced by the radio profile.

3.1.7 RRM Profile


WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as the
transmission medium. Radio waves attenuate when they are transmitted over the air,
degrading service quality for wireless users. Radio resource management enables a WLAN to
adapt to changes in the radio environment by dynamically adjusting radio resources. This
improves service quality for wireless users.
Radio resource management (RRM) enables APs to check the surrounding radio environment,
dynamically adjust channels and transmit power, and evenly distribute access users. This
function helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the RRM profile, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization. For the detailed configuration, see Radio Resource Management
Configuration Guide in the Configuration.
The RRM profile takes effect only after it is referenced by the radio profile.

3.1.8 VAP Profile


After parameters in a VAP profile are configured, and the VAP profile is bound to an AP
group or AP, virtual access points (VAPs) are created on APs. VAPs provide wireless access
services for STAs. You can configure parameters in the VAP profile to enable APs to provide
different wireless services.
A VAP profile can reference the following profiles:
- SSID profile: used to configure SSIDs of WLANs. In the profile, you can also disable
  access of non-HT STAs and configure the association aging time of STAs and delivery
  traffic indication message (DTIM) interval. For details, see Configuring an SSID Profile
  in the Configuration-User Access and Authentication Configuration Guide.
- Security profile: used to configure security policies of WLANs, including policies for
  authentication and encryption of STAs. Security policies include open system
  authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-
  certificate. For details, see Security Policy Configuration in the Configuration-WLAN
  Security Configuration Guide.
- Traffic profile: used to configure priority mapping and traffic policing functions of
  WLANs. After the WMM function is enabled on the STA and AP, the priority mapping
  function allows you to configure methods for mapping upstream priorities of packets,
  upstream tunnel priorities, and downstream priorities. The traffic policing function limits
  packet sending rates of wireless STAs. For details, see Configuring Priority Mapping and
  Configuring Traffic Policing in the Configuration-QoS Configuration Guide.
- Attack defense profile: used to configure various security functions such as URL
  filtering, antivirus, and intrusion prevention. For details, see Configuring URL Filtering
  Profile, Configuring Intrusion Prevention, and Configuring Antivirus in the
  Configuration-WLAN Security Configuration Guide.
- User profile: used to reference a QoS CAR profile. You can bind the user profile that has
  QoS CAR profile referenced to a VAP profile to limit the rate of a STA using the VAP
  profile. For details, see Configuring Traffic Policing in the Configuration-QoS
  Configuration Guide.
- Authentication profile: used to manage network admission control (NAC)
  configurations. You can bind access profiles (including the 802.1x access profile, MAC
  access profile, and Portal access profile) to authentication profiles to determine
  configurations of the access protocols. After the authentication profile configuration is
  complete, bind it to an interface or VAP profile to authenticate and control access users.
  For details, see Configuring NAC in the Configuration-User Access and Authentication
  Configuration Guide.
- Hotspot2.0 profile: used to configure parameters of Hotspot2.0 networks, such as
  location, operator, and roaming consortium information, so that STAs can identify
  networks and access proper networks. For details, see Hotspot 2.0 Configuration Guide
  in the Configuration.
- SAC profile: used to identify and classify application protocols. The SAC feature can use
  the service awareness technology to detect and identify packets and protocols so that the
  system can classify applications intelligently and identify key services to provide
  sufficient bandwidths for them and limit traffic rates of non-critical services, thereby
  providing refined QoS policy control. For details, see Configuring SAC in the
  Configuration-QoS Configuration Guide.
- UCC profile: used to configure priorities for Microsoft Skype4B voice, video, desktop
  sharing, and file transfer packets. For details, see Configuring Skype4B Traffic
  Optimization in the Configuration-QoS Configuration Guide.

3.1.9 SSID Profile


SSIDs identify different wireless networks. When you search for available wireless networks
on your laptop, the displayed wireless network names are SSIDs.
An SSID profile is used to configure the SSID name and other access parameters of a WLAN.
The following configurations are performed in an SSID profile:
- SSID hiding: When creating a WLAN, configure an AP to hide the SSID of the WLAN
  to ensure security. Only the users who know the SSID can connect to the WLAN.
- Maximum number of STAs: More access users on a VAP indicate fewer network
  resources that each user can occupy. To ensure Internet experience of users, you can
  configure a proper maximum number of access users on a VAP according to actual
  network situations.
- SSID hiding when the number of STAs reaches the maximum: When this function is
  enabled and the number of access users on a WLAN reaches the maximum, the SSID of
  the WLAN is hidden and new users cannot search for the SSID.
- Denying access of non-HT STAs: Non-HT STAs that support only 802.11a, 802.11b, and
  802.11g protocols cannot access a wireless network. These terminals provide a rate far
  lower than that of 802.11n and 802.11ac terminals. If the non-HT STAs access the wireless
  network, data transmission rates of the 802.11n and 802.11ac terminals are decreased. To
  ensure data transmission rates of the 802.11n and 802.11ac terminals, access of non-HT
  STAs is denied.
- STA association timeout period: If an AP receives no data packet from an STA in a
  continuous period of time, the STA goes offline after the association timeout period
  expires.
- DTIM interval: The DTIM interval specifies how many Beacon frames are sent by an AP
  before the Beacon frame that contains the DTIM. The Beacon frame carrying DTIM
  wakes an STA in power-saving mode, and transmits the broadcast and multicast frames
  saved on the AP to the STA.
For details about how to configure an SSID profile, see Configuring an SSID Profile in the
Configuration-WLAN Service Configuration Guide.

3.1.10 Authentication Profile


NAC implements access control on users. To facilitate NAC function configuration, the
device uses authentication profiles to uniformly manage NAC configuration. You can
configure parameters in an authentication profile to provide different access control modes for
users. For example, you can configure the access profile bound to the authentication profile to
determine the authentication mode for the authentication profile. The device then uses the
authentication mode to authenticate users on the VAP profile to which the authentication
profile is applied.
For the configuration, see Configuring an Authentication Profile in the Configuration-User
Access and Authentication Configuration Guide.


3.1.11 Security Profile


You can configure WLAN security policies to authenticate identities of wireless terminals and
encrypt user packets, protecting the security of the WLAN and users. The supported WLAN
security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/
WPA2-802.1x, WAPI-PSK, and WAPI-certificate. You can configure one of them in a
security profile. Open system authentication and WPA/WPA2-802.1x need to be configured
together with NAC to manage user access.
To connect a STA to the WLAN, bind the security profile to a VAP profile. The STA can
connect to the WLAN through an SSID only after it completes identity authentication
according to the security policy configured in the VAP profile. For the detailed configuration,
see Configuring a WLAN Security Policy in the Configuration-User Access and
Authentication Configuration Guide.
For WDS services, bind the security profile to the WDS profile. To ensure WDS security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see Configuring a
Security Profile in the Configuration-WDS and Mesh Configuration Guide.
For Mesh services, bind the security profile to the Mesh profile. To ensure Mesh security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see Configuring a
Security Profile in the Configuration-WDS and Mesh Configuration Guide.

3.1.12 Traffic Profile


In a traffic profile, you can configure priority mapping on the wireless side, air interface
performance optimization, traffic policing, and ACL-based packet filtering. The
configurations in a traffic profile take effect only after it is bound to a VAP profile.
l Priority mapping
Packets of different types have different priorities. For example, 802.11 packets sent by
STAs carry user priorities or DSCP priorities, VLAN packets on wired networks carry
802.1p priorities, and IP packets carry DSCP priorities. Priority mapping must be
configured on network devices to retain the priorities of packets that traverse different
networks.
For details, see Configuring Priority Mapping in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic policing
To protect network resources and prevent network congestion, you can configure traffic
policing to limit the rate of traffic entering a WLAN. In a traffic profile, you can
configure rate limiting for upstream and downstream packets of all STAs or each STA on
a VAP.
For details, see Configuring Traffic Policing in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic optimization
On a WLAN, a large number of wireless packets need to be forwarded, which may easily
cause network congestion and degrade network performance. WLAN traffic optimization
measures, such as traffic limit and multicast optimization, can be taken to adjust network
traffic in real time, significantly reducing impact of burst data on the network and
improving network performance.
For details, see WLAN Traffic Optimization Configuration Guide in the Configuration.


l ACL-based packet filtering
You can configure ACL-based packet filtering to enable a device to permit or deny
packets matching ACL rules to control network traffic.
For details, see Configuring ACL-based Packet Filtering in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
l ACL-based packet priority re-marking
You can configure ACL-based priority re-marking to re-mark the priorities of packets
matching ACL rules and implement differentiated services for wireless packets.
For details, see Configuring ACL-based Priority Remarking in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.

3.1.13 UCC Profile


A Unified Communication and Collaboration (UCC) profile is used to configure priorities for
Microsoft Skype4B voice, video, desktop sharing, and file transfer packets.
After creating a UCC profile, you can configure the DSCP priorities or 802.1p priorities for
Microsoft Skype4B voice, video, desktop sharing, and file transfer packets, so that a WLAN
device can process packets according to the new priorities. The configurations in a UCC
profile take effect only after it is bound to a VAP profile. For details, see Configuring
Skype4B Traffic Optimization in the Configuration-QoS Configuration Guide-SAC
Configuration.

3.1.14 Attack Defense Profile


As the network develops continuously, there are various types of potential risks such as
Trojan horses, worms, and viruses in packets. After an attack defense profile is created,
various security functions are available, such as URL filtering, intrusion prevention, and
antivirus.
The profile of URL filtering defines actions for URLs matching the blacklist and whitelist to
allow or block access to the URLs.
For the detailed configuration, see Configuring URL Filtering Profile in the Configuration-
Security Configuration Guide.
Before you configure intrusion prevention, update the intrusion prevention signature database
or, if necessary, configure user-defined signatures, create intrusion prevention profiles,
reference signatures matching the specified conditions in the intrusion prevention profiles,
and apply the intrusion prevention profiles in the attack defense profiles.
For the detailed configuration, see Configuring Intrusion Prevention in the Configuration-
Security Configuration Guide.
The AV function identifies the files transmitted using the specified protocols and processes
the virus-infected files based on the predefined response actions to prevent virus-infected files
from entering the protected network.
To use the AV function, you must configure an antivirus profile and reference the profile in an
attack defense profile.
For the detailed configuration, see Configuring Antivirus in the Configuration-Security
Configuration Guide.


3.1.15 User Profile


A user profile is used to configure traffic policing and internal priorities for users' service
packets. The configurations in a user profile take effect only after it is bound to a VAP profile.
l Traffic policing
To protect network resources and prevent network congestion, you can configure traffic
policing to limit the rate of traffic entering a WLAN. You can configure QoS CAR
parameters and apply them to a user profile, so that traffic policing can be implemented
on upstream and downstream packets of users on the VAPs to which the user profile is
applied. For details, see Configuring Traffic Policing in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
l Internal priority
When users' service packets reach a WLAN device, the WLAN device maps priorities of
the packets to internal priorities. After creating a user profile, you can modify priorities
of users' service packets in the user profile, so that the device can process users' service
packets according to the new internal priorities.

3.1.16 Soft GRE Profile


Before configuring soft GRE tunnel forwarding, configure a soft GRE profile first so that data
packets can be forwarded according to parameters configured in the profile. For details, see
(Optional) Configuring a Soft GRE Profile in the Configuration-WLAN Service Configuration
Guide.
l In a soft GRE profile, the destination address of the soft GRE tunnel must be configured
to specify the destination to which service data is forwarded.
l A soft GRE tunnel is not capable of detecting tunnel status. If the remote interface is
unreachable, the soft GRE tunnel cannot be torn down immediately. As a result, the
source end continues sending data to the remote end, wasting device resources and
bandwidth of the intermediate network.
The Keepalive detection function can monitor the soft GRE tunnel status to check
whether the remote end is reachable. If the remote end is unreachable, the source end
tears down the tunnel immediately to reduce resource waste and bandwidth occupation.

3.1.17 STA Blacklist Profile


A STA blacklist profile contains MAC addresses of wireless terminals forbidden to connect to
the WLAN. To forbid some STAs to connect to the WLAN, configure a STA blacklist profile
and apply the STA blacklist profile to an AP system profile or a VAP profile.
The effective scope of the STA blacklist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA blacklist profile takes effect based on the AP. APs using the
AP system profile will use the STA blacklist profile. The STA blacklist profile takes
effect on all STAs connected to the APs (all VAPs).
l VAP profile: The STA blacklist profile takes effect based on the VAP. If the STA
blacklist profile is applied to an AP, the STA blacklist profile applies only to STAs
connected to the corresponding VAPs.
For the detailed configuration, see Configuring a STA Blacklist Profile in the Configuration-
User Access and Authentication Configuration Guide.


3.1.18 STA Whitelist Profile


A STA whitelist profile contains MAC addresses of STAs allowed to connect to the WLAN.
To allow only some STAs to connect to the WLAN, configure a STA whitelist profile and
apply the STA whitelist profile to an AP system profile or a VAP profile.
The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
all STAs connected to the APs (all VAPs).
l VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
whitelist profile is applied to an AP, the STA whitelist profile applies only to STAs
connected to the corresponding VAPs.
For the detailed configuration, see Configuring a STA Whitelist Profile in the Configuration-
User Access and Authentication Configuration Guide.

3.1.19 SAC Profile


Smart Application Control (SAC) is a smart engine that can identify and classify application
protocols. It uses service awareness technology to identify packets of dynamic protocols such
as HTTP and RTP by checking Layer 4 to Layer 7 information in the packets. SAC helps
implement fine-granular QoS policy control.
An SAC profile is used to configure policies for re-marking packet priorities, discarding
packets, and limiting packet rates based on applications or application groups, so as to control
different types of applications and ensure stable and highly efficient running of key services.
The configurations in an SAC profile take effect only after it is bound to a VAP profile or a
user group. For details, see Configuring SAC in the Configuration-QoS Configuration Guide-
SAC Configuration.

3.1.20 Hotspot2.0 Profile


Hotspot 2.0 networks are usually provided by network service providers who can set network
parameters in compliance with Hotspot 2.0 standards to identify the networks. Wireless
terminals can obtain network information and automatically select and access the desired
networks based on the preset identity credentials. The administrator needs to configure the
APs through Hotspot 2.0 profiles according to the parameters provided by the network service
providers so that the APs can provide Hotspot 2.0 network information to the wireless
terminals. After the Hotspot 2.0 profiles are applied to VAP profiles, the configuration takes
effect.
If a Hotspot 2.0 network parameter carries multiple data entries, you need to configure the
parameter using a profile. In the profile, you can configure the entries of the parameter and
then bind the profile to a Hotspot 2.0 profile.


Table 3-1 Description of the parameter profiles

Parameter Profile | Description
Cellular network profile | You can configure Hotspot 2.0 services on cellular networks. When connecting to the networks, user terminals can obtain network information from APs, which helps them to select desired networks.
NAI realm profile | A NAI realm profile is used to configure the network access identifier (NAI) realm name, authentication mode, and authentication parameters for networks accessible to users.
Roaming consortium profile | If the user terminals need to roam among Hotspot 2.0 networks of different operators, configure a roaming consortium profile and add the organization identifiers (OIs) of the operators to the roaming consortium profile. In this way, after the user terminals connect to a network of an operator in the profile, they can roam to networks of the other operators while remaining online.
Connection capability profile | You can configure Hotspot 2.0 services for networks. When user terminals connect to the networks, they can obtain network connection capability information from APs, including allowed protocols and ports, which helps them to select desired networks.
Operating class profile | The operating class profile is used to configure the operating class indication of an AP on the Hotspot 2.0 network. When a STA accesses the network, it can obtain channel information used to access a Wi-Fi frequency from the AP so that the STA can set up a connection.
Operator domain profile | A network domain name profile is used to configure the operator domain profile. STAs can obtain the domain name information through ANQP, which is used as a basis for network selection.
Operator name profile | You can specify different friendly names for different languages so that users can select networks.
Venue name profile | When configuring Hotspot 2.0 services, configure network parameters according to operator requirements. When connecting to networks, user terminals can obtain the network parameters to select desired networks. The venue name describes physical locations of a network and is an optional parameter.

For details, see Hotspot 2.0 Configuration Guide.

3.1.21 AP System Profile


An AP system profile is used to configure AP system parameters and can reference STA
blacklist and whitelist profiles as well as spectrum analysis configuration. The following
configurations are performed in an AP system profile:

l Manage AP login modes.


A user can log in to an AP through the console port, STelnet, SFTP, and Telnet in wired
mode, or through Telnet in wireless mode. These login modes can be disabled in an AP
system profile to ensure AP login security. For details, see Managing Wired Login for
APs and Managing Wireless Login for APs in the Configuration - AP Management
Configuration Guide.
l Configure the offline management VAP and antenna alignment VAP for an AP.
When an AP goes offline unexpectedly, the AC cannot manage the AP. In this case, you
can enable the management VAP and log in to the AP using Telnet or STelnet to
troubleshoot the fault. This prevents complex operations.
You can associate a mobile phone on which the antenna alignment APP is installed with
the wireless network with SSID hw_manage_xxxx (xxxx is the last four bits of the AP
MAC address) and use the phone to receive packets sent by the antenna alignment VAP.
For details, see Configuring Antenna Alignment VAPs in the Configuration - AP
Management Configuration Guide.
l Configure a management VLAN for an AP.
In practice, the PVID of an AP wired interface is usually set to the management VLAN
ID. For details, see Configuration Limitations for WLAN in the Configuration -
WLAN Service Configuration Guide. When management packets from the AP or data
packets forwarded in tunnel mode reach the access device through the CAPWAP tunnel,
the access device tags the packets with the PVID.
If the PVID of the access device has been used for other purposes (for example, as the
default VLAN ID of wired users), the PVID cannot be configured as the management
VLAN ID on the access device interface. In this case, configure CAPWAP packets sent
from an AP wired interface to carry the management VLAN tag. The AP then adds the
management VLAN ID to the CAPWAP packets sent to the AC. You only need to
configure the access device to allow the packets carrying the management VLAN ID to
pass.
For details, see Configuring a Management VLAN on an AP in the Configuration - AP
Management Configuration Guide.
l Configure service holding upon CAPWAP link disconnection.
To mitigate impact of link disconnections on users in direct forwarding mode and
improve service reliability, you can configure the function of service holding upon
CAPWAP link disconnection. To allow new users to access APs after CAPWAP link
disconnection, you can configure the function of user access upon CAPWAP link
disconnection. After the disconnected CAPWAP link is restored, the AP forces all the
STAs that went online during CAPWAP link disconnection to go offline. The AP then
reassociates with these STAs and reports STA information through logs. For Portal or
MAC address authentication STAs, after the broken CAPWAP link is restored, the AP
forces all these STAs to go offline and reports STA information through logs.
For details, see Configuring Service Holding upon CAPWAP Link Disconnection in the
Configuration - AP Management Configuration Guide or (Optional) Configuring Service
Holding upon CAPWAP Link Disconnection in the Configuration - WLAN Service
Configuration Guide.
l Configure PoE parameters for an AP.

PoE parameters include PoE power, parameters that are configured to allow high inrush
current during power-on, and PoE standard used by the AP. For details, see Managing
the PoE Function of an AP in the Configuration - AP Management Configuration Guide.
l Configure AP indicators.
Blinking indicators of indoor APs deployed in hospitals and hotels may affect people's
nighttime rest. Therefore, you can turn off AP indicators after APs are installed and run
properly.
l Configure the alarm function on an AP.
– You can configure alarm thresholds on an AP to monitor the AP in real time. When
the configured thresholds are exceeded, the AP generates alarms or logs to notify
the AC of AP status.
– If a STA cannot go online because of a security type mismatch, UAC, or the access
user upper limit being exceeded, the STA automatically tries to reconnect to the AP.
During this period, the AP sends a large number of STA association failure alarms to
the AC, which degrades the system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does not report
alarms repeatedly in the alarm suppression period, preventing alarm storms.
For details, see Configuring the Alarm Function on an AP in the Configuration - AP
Management Configuration Guide.
l Configure the log backup and log suppression functions on an AP.
– Logs record user operations and system running information. After logs are backed
up to a server, network administrators can summarize and analyze AP logs to learn
the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
– If a STA keeps attempting to connect to an AP because of signal interference or
instability, the AP sends a large number of duplicate login and logout logs to the AC
in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a
user to the AC within the log suppression period.
For details, see Configuring the Log Backup and Log Suppression Functions on an AP in
the Configuration - AP Management Configuration Guide.
l Configure LLDP on an AP.
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management
address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors.
For details, see Configuring LLDP on an AP in the Configuration - AP Management
Configuration Guide.
l Configure the effective scope of a STA blacklist or whitelist.
If a STA blacklist or whitelist is applied to an AP system profile, the STA blacklist or
whitelist takes effect on all APs using the AP system profile. For details, see Applying
the Configuration to a VAP Profile or an AP System Profile in the Configuration - User
Access and Authentication Configuration Guide.


l Configure some parameters for spectrum analysis.


The parameters include the IP address and port number of a spectrum server and aging
time of information about non-Wi-Fi devices on an AC during spectrum analysis. For
details, see Configuring Spectrum Analysis on an AC in the Configuration - Spectrum
Analysis Configuration Guide.

3.1.22 AP Wired Port Profile

An AP wired port profile provides configurations of AP wired ports. AP wired port link
profiles can be bound to AP wired port profiles. AP wired port link profiles are used to
configure link-layer parameters of AP wired ports. For details, see Managing an AP's Wired
Interface in the Configuration - AP Management Configuration Guide.

The following configurations are performed in an AP wired port profile:


l Add an AP's wired port to an Eth-Trunk.
l Configure STP, working mode, and DHCP and ND trusted port on an AP's wired port.
l Configure STA address learning, IP source guard, and dynamic ARP probing on an AP's
wired port.
l Specify the maximum broadcast, multicast, and unknown unicast traffic allowed by an
AP's wired port.
l Associate STP with the error-triggered shutdown function on an AP's wired port.
l Configure IGMP Snooping for an AP's wired port.

3.1.23 AP Wired Port Link Profile

An AP wired port link profile provides link layer configurations on an AP's wired port.

The following configurations are performed in an AP wired port link profile:


l Enable or disable an AP's wired port.
Enable an AP's wired port before using the port. Disable the AP's wired port when a user
connected to the AP's wired port attacks the network. For details, see Shutting Down an
AP's Wired Interface in the Configuration - AP Management Configuration Guide.
l Configure LLDP and the types of advertised TLVs on an AP's wired port.
You can obtain the network topology of an AP through LLDP. For details, see
Configuring LLDP on an AP in the Configuration - AP Management Configuration
Guide.
l Configure PoE for an AP's wired port.
Some APs can function as PSE devices to supply PoE power for PDs. Configure PoE for
an AP's wired port, so that the AP can provide PDs with PoE power through this port.
For details, see Managing the PoE Function of an AP in the Configuration - AP
Management Configuration Guide.
l Configure the alarm function for CRC errors on an AP's wired port.
For details, see Configuring the CRC Error Trap Function on an AP's Wired Interface in
the Configuration - AP Management Configuration Guide.

3.1.24 WIDS Profile


WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to
AP groups or APs so that they can take effect. For details, see Configuring Device Detection
and Containment and Configuring Attack Detection and a Dynamic Blacklist in the
Configuration-WLAN Security Configuration Guide.
A WIDS profile supports the following functions:
l WIDS device detection and countering
– APs detect Wi-Fi devices within their coverage range and determine whether they
are authorized.
– You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to
identify spoofing SSIDs and add the trusted devices to the whitelist. After
configuring these profiles, you bind them to the WIDS profile.
– Countermeasures are taken on the detected rogue device so that rogue STAs cannot
access the network or authorized STAs will not access rogue APs.
l WIDS attack detection and dynamic blacklist
– APs detect Wi-Fi devices on a network that launch attacks, including flood attacks,
weak IV attacks, spoofing attacks, and brute force PSK cracking attacks.
– After the dynamic blacklist function is enabled, attacking devices are added to the
dynamic blacklist and packets from these devices are discarded.
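
The attack detection and dynamic blacklist behaviour described above can be modelled as a per-source sliding-window counter with an aging timer. The following is an added example, not Huawei code: the event names, the limits in LIMITS, the aging time and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed limits per event type: (max events, window in seconds).
# These are illustrative values, not Huawei defaults.
LIMITS = {"assoc-request": (20, 1.0), "psk-failure": (5, 10.0)}
AGING = 60.0  # assumed lifetime of a dynamic blacklist entry, in seconds


class DynamicBlacklist:
    """Counts events per (source MAC, event type) and blocks noisy sources."""

    def __init__(self, limits=LIMITS, aging=AGING):
        self.limits = limits
        self.aging = aging
        self._seen = defaultdict(deque)   # (mac, kind) -> recent timestamps
        self._blocked_until = {}          # mac -> time the entry ages out

    def is_blocked(self, mac, now):
        until = self._blocked_until.get(mac)
        if until is not None and now >= until:
            del self._blocked_until[mac]  # entry aged out, source may retry
            until = None
        return until is not None

    def observe(self, mac, kind, now):
        """Process one event (events must arrive in time order).

        Returns 'drop' if the source is blacklisted, 'blacklisted' if this
        event pushed it over the limit, otherwise 'accept'.
        """
        if self.is_blocked(mac, now):
            return "drop"
        limit, window = self.limits[kind]
        times = self._seen[(mac, kind)]
        times.append(now)
        while now - times[0] >= window:   # forget events outside the window
            times.popleft()
        if len(times) > limit:
            self._blocked_until[mac] = now + self.aging
            times.clear()
            return "blacklisted"
        return "accept"


def replay(events, blacklist=None):
    """Run (time, mac, kind) tuples through a blacklist, return the verdicts."""
    if blacklist is None:
        blacklist = DynamicBlacklist()
    return [blacklist.observe(mac, kind, t) for t, mac, kind in events]


# Constructed sample: one STA fails key negotiation six times in five seconds,
# another fails three times over forty seconds (for example a mistyped key).
NOISY, NORMAL = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
EVENTS = [
    (0.0, NOISY, "psk-failure"), (0.0, NORMAL, "psk-failure"),
    (1.0, NOISY, "psk-failure"), (2.0, NOISY, "psk-failure"),
    (3.0, NOISY, "psk-failure"), (4.0, NOISY, "psk-failure"),
    (5.0, NOISY, "psk-failure"),       # sixth failure inside 10 s
    (6.0, NOISY, "assoc-request"),     # any frame from a blocked source
    (20.0, NORMAL, "psk-failure"), (40.0, NORMAL, "psk-failure"),
    (64.9, NOISY, "psk-failure"),      # still inside the aging time
    (65.0, NOISY, "psk-failure"),      # entry has aged out
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, "->", verdict)
```

The aging time is the trade-off to tune: a short value lets a persistent source resume quickly, a long value keeps a misconfigured but legitimate STA offline after it has been corrected.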

3.1.25 WIDS Spoof SSID Profile


WLAN services are available in public places, such as banks and airports. Users can connect
to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and
provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to
the rogue AP, which brings security risks. To address this problem, configure a fuzzy
matching rule to identify spoofing SSIDs. The device compares a detected SSID with the
matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP
using the spoofing SSID is a rogue AP. After rogue AP containment is configured, the device
contains the rogue AP and disconnects users from the spoofing SSID.
For the detailed configuration, see (Optional) Configuring Fuzzy Matching Rules for
Identifying Spoofing SSIDs in the Configuration-WLAN Security Configuration Guide.

3.1.26 WIDS Whitelist Profile


After the rogue device containment function is enabled, rogue APs can be detected and
contained. However, there may be APs of other vendors or on other networks working in the
existing signal coverage areas. If these APs are contained, their services will be affected. To
prevent this situation, you can configure the WIDS whitelist profile to add these APs to a
WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.
For the detailed configuration, see (Optional) Configuring a WIDS Whitelist in the
Configuration-WLAN Security Configuration Guide.
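
How the spoof SSID rule from 3.1.25 and the WIDS whitelist from 3.1.26 interact when a detected AP is classified, as an added example that is not Huawei code. It assumes the fuzzy matching rule is a regular expression and that the spoof check is evaluated before the whitelist; the SSIDs, MAC addresses and the evaluation order are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Normalize a MAC address to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class WidsWhitelist:
    """Hypothetical model of a WIDS whitelist: MAC, OUI and SSID lists."""
    macs: set = field(default_factory=set)   # normalized MAC addresses
    ouis: set = field(default_factory=set)   # first six hex digits of a MAC
    ssids: set = field(default_factory=set)  # exact SSID names

    def covers(self, mac: str, ssid: str) -> bool:
        return mac in self.macs or mac[:6] in self.ouis or ssid in self.ssids


def classify(bssid, ssid, managed, spoof_rules, whitelist):
    """Classify one detected AP.

    Assumed order: APs managed by the AC are authorized; any other AP whose
    SSID matches a spoof rule is a containment candidate even if its OUI is
    whitelisted; remaining whitelisted APs are left alone.
    """
    mac = norm_mac(bssid)
    if mac in managed:
        return "authorized"
    if any(rule.search(ssid) for rule in spoof_rules):
        return "spoof-ssid"
    if whitelist.covers(mac, ssid):
        return "whitelisted"
    return "unclassified"


# Constructed sample data (locally administered MAC addresses).
MANAGED = {norm_mac("02:00:00:00:00:01")}
# Fuzzy rule for the authorized SSID "corp-wlan": any separator, any case.
SPOOF_RULES = [re.compile(r"corp[\W_]*wlan", re.IGNORECASE)]
WHITELIST = WidsWhitelist(
    macs={norm_mac("0a-00-00-00-00-10")},
    ouis={"06abcd"},
    ssids={"cafe-guest"},
)
OBSERVED = [
    ("02:00:00:00:00:01", "corp-wlan"),       # our own AP
    ("02:aa:bb:cc:dd:01", "Corp_WLAN-free"),  # lookalike name
    ("02:aa:bb:cc:dd:02", "corp-wlan"),       # same name, unmanaged BSSID
    ("06:AB:CD:00:00:09", "lobby"),           # neighbour, whitelisted OUI
    ("06:ab:cd:00:00:0a", "corp wlan"),       # whitelisted OUI, spoofed name
    ("02:aa:bb:cc:dd:03", "printer-setup"),   # unknown device
]


def containment_candidates(observed):
    """Return the BSSIDs that rogue AP containment would act on."""
    return [
        norm_mac(bssid)
        for bssid, ssid in observed
        if classify(bssid, ssid, MANAGED, SPOOF_RULES, WHITELIST) == "spoof-ssid"
    ]


if __name__ == "__main__":
    for bssid, ssid in OBSERVED:
        print(bssid, repr(ssid),
              classify(bssid, ssid, MANAGED, SPOOF_RULES, WHITELIST))
```

A broad fuzzy rule also matches neighbouring networks with similar names, so review the candidate list before enabling containment.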

3.1.27 Location Profile


A location profile is used to enable the WLAN location function and configure location server
parameters and the mode used by APs to report location information. For details, see Wi-Fi
Tag Location Configuration in the Configuration, Bluetooth Location Configuration in the
Configuration, and Terminal Location Configuration in the Configuration.


3.1.28 BLE Profile


l Bluetooth terminal location technology uses Bluetooth Low Energy (BLE) devices and a
location system to locate Bluetooth terminals through the iBeacon protocol. An AP with
a built-in Bluetooth module collects information about BLE devices and sends the
information to a server through an AC. The server sends data about maps and BLE
device locations to a Bluetooth terminal through an app server. The Bluetooth terminal
then works with the location app to calculate its own location. Alternatively, the AP
collects information carried in Bluetooth terminal location packets and sends the
information to the AC or location server for server-side location.
l Bluetooth tag location technology uses Bluetooth tags and a location system to locate
Bluetooth tags through the BLE protocol. An AP with a built-in Bluetooth module
collects information about Bluetooth tags and sends the information to a location server
to locate the Bluetooth tags. The AP also monitors battery power of Bluetooth tags and
checks whether Bluetooth tags are disconnected.
l Bluetooth data transparent transmission technology is used to enable an AP with a built-
in Bluetooth module to collect data from Bluetooth clients (such as Bluetooth
thermometers, blood pressure monitors, and heart rate monitors) and upload the data to a
server.
For the detailed configuration, see Configuring Bluetooth Location in the Configuration.

3.1.29 WDS Profile


A WDS profile contains major parameters required for configuring the WDS function. To
enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be
applied to the radios.
When configuring WDS services, use the WDS profile with the following profiles:
l Security profile: After a security profile is bound to a WDS profile, parameters in the
security profile will be used for WDS link setup to ensure security of WDS links. The
WPA2+PSK+AES security policy is recommended for a WDS security profile.
l WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. In the WDS, only APs with radios working in root mode and middle
mode can have a whitelist configured. APs in leaf mode require no whitelist.
NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.

3.1.30 WDS Whitelist Profile


A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS
links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with
MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS,
only APs with radios working in root mode and middle mode can have a whitelist configured.
APs in leaf mode require no whitelist.

NOTE

● A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
● If no WDS whitelist profile is used, all neighboring APs can access the local AP.

3.1.31 Mesh Profile


A Mesh profile contains major parameters required for configuring the Mesh function. To
enable radios of an AP group or a specified AP to set up Mesh links, a Mesh profile must be
applied to the radios.
When configuring Mesh services, use the Mesh profile with the following profiles:
● Security profile: After a security profile is bound to a Mesh profile, parameters in the
security profile will be used for Mesh link setup to ensure security of Mesh links. The
WPA2+PSK+AES security policy is recommended for a Mesh security profile.
  NOTE

  The security policy can be set to open system authentication only for the Mesh network in rail
  transportation scenarios.
● Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
  NOTE

  ● A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
  local AP only after passing security authentication.
  ● On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
  need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
● AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
● Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
● AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.


● Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

3.1.32 Mesh Handover Profile


After a Mesh handover profile is bound to a Mesh profile, the Mesh profile can provide the
fast Mesh link handover function and apply to train-ground communication scenarios. A
Mesh handover profile and the FWA mode of a Mesh profile are mutually exclusive. A Mesh
handover profile cannot be referenced by the Mesh profile in which the FWA mode is
enabled.

3.1.33 Mesh Whitelist Profile


A Mesh whitelist profile contains MAC addresses of neighboring APs
allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to an AP
radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are
denied. On common Mesh networks, a Mesh whitelist must be configured for a Mesh node.

NOTE

● A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
● On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not need to
configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.

3.1.34 IoT Profile

An IoT profile provides the following communication parameters between an AP and a host
computer:

● Domain name, IP address and port number of the host computer:
Before the AP reports data to the host computer, configure the IP address, domain name,
and port number for the host computer. If these parameters are not configured, serial port
data reported by the AP will be discarded.
● Host computer trusted by the AP:
Configure a trusted host computer so that only hosts with specified IP addresses can
communicate with the AP and deliver configurations, protecting the AP against attacks.
If no trusted host computer is configured, other hosts can also deliver IoT card
configurations to the AP.
● Shared key:
To enhance communication security, you can configure a shared key for encrypting
communication data between the AP and host computers. The shared key must be the
same on the AP and host computers.
● Local port number:
The port number identifies an IoT card slot and is used for the AP to communicate with
host computers.

For details, see Configuring Parameters for APs to Communicate with the Host Computer in
the Configuration - Healthcare IoT Solution.

3.1.35 WMI Profile

Wi-Fi networks are open and shared, and work on free wireless frequency bands. Therefore,
co-channel interference may easily occur in wireless environments, causing Wi-Fi network
instability. These always-changing factors make post-event backtracking difficult. To improve
troubleshooting efficiency, configure APs to report key performance indicators (KPIs) to a
WLAN Maintaining Insight (WMI) server for possible fault cause analysis. In addition, data
statistics are centrally collected for observing device and network trends and identifying
potential device and network faults.

The server to which APs report information is called WMI server. You can set parameters for
APs to report KPI information to the WMI server in the WMI profile.

For details, see Configuring APs to Report KPIs in the AP Management Configuration Guide.

3.1.36 AP Provisioning Profile

To facilitate maintenance and management, an AP provisioning profile is designed so that you
can run commands on a Fit AP after logging in to the Fit AP. You can also configure
parameters in an AP provisioning profile and manually deliver configurations to specified
APs or AP groups. For details, see Configuring AP Online Parameters (AP Provisioning
View) or Switching the Working Mode of an AP in the Configuration-AP Management
Configuration Guide.

Parameters in an AP provisioning profile include the following:
● Parameters for an AP to go online: the AP name, group to which an AP belongs, mode of
obtaining an IP address, static IP address, gateway address, and AC IP address list.
● Running mode of the AP: Set the running mode of the AP to switch between the Fat AP
and cloud AP modes.

3.1.37 Common Operations of Profiles

Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.

For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] vap-profile name a
[AC6605-wlan-vap-prof-a] copy-from b


NOTE

● You can perform this operation only between profiles of the same type. For example, you can copy the
configurations in a VAP profile to another VAP profile, but not to a radio profile.
● If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.

Viewing Reference Information About a Profile


After configuring a profile, you can run the display references profile-type name profile-name
command to view the profiles to which it is bound. profile-type indicates the name of a
profile type. You can run the display references ? command in any view to list all available
profile-type values and their descriptions. For example, you can run the display references
radio-2g-profile name default command to view the profiles to which 2G radio profile
default is bound.

3.2 Data Packet Processing


Packets transmitted on a WLAN include management packets and service data packets.
Management packets must be transmitted over Control and Provisioning of Wireless Access
Points (CAPWAP) tunnels, and service data packets can be transmitted over CAPWAP
tunnels, soft GRE tunnels, or directly.

Management packets carry management data between an AC and an AP. Data packets
carry data between STAs and the upper-layer network when WLAN users access the Internet.

On a WLAN, packets transmitted between STAs and APs are 802.11 packets. APs are bridges
between STAs and the upper layer wired network. They convert 802.11 packets into 802.3
packets and forward 802.3 packets to the wired network.

Management packets and service data packets are marked with different VLAN tags on a
WLAN. The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and
VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.

WLAN roaming is categorized as Layer 2 and Layer 3 roaming depending on whether a STA
roams within the same subnet. In roaming scenarios, management packets are forwarded
through the CAPWAP tunnel, while service data packets can be forwarded through the
CAPWAP tunnel or using direct forwarding mode.

Management Packet Forwarding Process


As shown in Figure 3-5:
● In the uplink direction (from the AP to the AC): When receiving management packets,
the AP encapsulates the packets in CAPWAP packets. The switch tags the packets with
VLAN m. The AC decapsulates the CAPWAP packets and removes the tag VLAN m'.
● In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and tags
them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
The devices between an AC and AP must be configured to allow VLAN m and transparently
transmit packets of VLAN m.

Figure 3-5 Management packet forwarding

Direct Forwarding of Service Data Packets


Figure 3-6 shows the direct forwarding process of service data packets. In direct forwarding
mode, service data packets are not encapsulated with CAPWAP.
● In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and forwards the packets to the
destination.
● In the downlink direction (from the Internet to the STA): When downstream service data
packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by upstream
devices), the AP converts the 802.3 packets into 802.11 packets and forwards them to the
STA.
The devices between an AC and AP must be configured to allow service VLAN s and
transparently transmit packets of VLAN s.
In direct forwarding mode, an AC is connected to a core or aggregation switch in bypass
mode. The AC does not forward service data and only manages APs. If an AC is connected to
an upstream switch in inline mode, the AC forwards data packets. In this networking, the AC
acts as an aggregation switch.


Figure 3-6 Direct forwarding of service data packets

Forwarding Service Data Packets over a CAPWAP Tunnel


In tunnel forwarding mode, APs set up control tunnels and data tunnels with an AC. Data
packets of WLAN users and management packets are encapsulated in CAPWAP data packets
and control packets, and forwarded over the CAPWAP tunnels. As shown in Figure 3-7:
● In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and encapsulates them in CAPWAP
packets. The upstream switch tags the packets with VLAN m. The AC decapsulates the
CAPWAP packets and removes the tag VLAN m' from the packets.
● In the downlink direction (from the Internet to the STA): When downstream service data
packets reach the AC, the AC encapsulates the packets in CAPWAP packets, allows the
packets carrying VLAN s to pass through, and tags the packets with VLAN m'. The
switch removes VLAN m from the packets. The AP decapsulates the CAPWAP packets,
removes VLAN s, converts the 802.3 packets into 802.11 packets, and forwards them to
the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets. The
intermediate devices between the AC and AP can only transparently transmit packets carrying
VLAN m and cannot be configured with VLAN s encapsulated in the CAPWAP packets.
All encapsulated data packets are processed and forwarded by the AC, regardless of whether
the AC is connected to the upstream switch in inline or bypass mode.


Figure 3-7 Forwarding service data packets over a CAPWAP tunnel

Forwarding Service Data Packets over a Soft GRE Tunnel


As shown in Figure 3-8, service data packets can be transmitted over a soft GRE tunnel.
● When receiving upstream service data packets in 802.11 format from the STA, the AP
converts the packets into 802.3 packets, encapsulates the packets into a soft GRE tunnel,
and forwards the packets to the BRAS. The BRAS decapsulates the packets and
implements unified accounting and authentication.
● The BRAS encapsulates downlink service data packets into a soft GRE tunnel and
forwards the packets to the AP. The AP then decapsulates the packets, converts the
packets into 802.11 packets, and sends them to the STA.
The route between the AP and BRAS must be reachable so that service data packets can be
transmitted properly over the soft GRE tunnel.


Figure 3-8 Forwarding service data packets over a soft GRE tunnel

Forwarding Service Data Packets During Layer 2 Roaming


As shown in Figure 3-9, during Layer 2 roaming, the STA stays within the same subnet. The
FAP/FAC processes packets of a Layer 2 roaming STA in the same way as it processes
packets of a newly online STA. The FAP/FAC forwards the packets on the local network and
does not send the packets back to the HAP/HAC over the inter-AC tunnel.
● Before roaming: When receiving upstream service data packets from a STA, the HAP
forwards the packets to the HAC. The HAC then directly forwards the packets to the
destination. When receiving downstream service data packets from the HAC, the HAP
forwards the packets to the STA.
● After roaming: When receiving upstream service data packets from a STA, the FAP
forwards the packets to the FAC. The FAC then directly forwards the packets to the
destination. When receiving downstream service data packets from the FAC, the FAP
forwards the packets to the STA.


Figure 3-9 Forwarding service data packets during Layer 2 roaming

Forwarding Service Data Packets During Layer 3 Roaming


The STA stays in different subnets before and after Layer 3 roaming. To ensure that the STA
can still access the original network after roaming, user traffic is forwarded to the original
subnet over tunnels.
● As shown in Figure 3-10, in tunnel forwarding mode, service packets exchanged
between the HAP and HAC are encapsulated through a CAPWAP tunnel, and the HAP
and HAC can be considered in the same subnet. Instead of forwarding the packets back
to the HAP, the HAC directly forwards the packets to the upper-layer network.


Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming

Service Data Packet Type: Upstream service data

Before Roaming:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP sends it to the HAC.
3. The HAC forwards the service packet to the upper-layer network.

After Roaming:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.

Service Data Packet Type: Downstream service data

Before Roaming:
1. The HAC encapsulates downstream service data in a CAPWAP packet, and sends it to the HAP.
2. The HAP receives the CAPWAP packet and decapsulates it.
3. The HAP sends the service packet to the STA.

After Roaming:
1. The HAC encapsulates downstream service data in a CAPWAP packet.
2. The HAC forwards the service packet to the FAC through a tunnel between them.
3. The FAP receives the CAPWAP packet and decapsulates it.
4. The FAP sends the service packet to the STA.

● As shown in Figure 3-11, in direct forwarding mode, service packets exchanged between
the HAP and HAC are not encapsulated through the CAPWAP tunnel; therefore, whether
the HAP and HAC reside in the same subnet is unknown. Packets are forwarded back to
the HAP by default. If the HAP and HAC are located in the same subnet, configure the
HAC with higher performance as the home agent. This reduces the load on the HAP and
improves the forwarding efficiency.


Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming


Service Data Packet Type: Upstream service data

Before Roaming:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP forwards the service packet to the upper-layer network directly.

After Roaming:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC sends the service packet to the HAP over the CAPWAP tunnel.
5. The HAP forwards the service packet to the upper-layer network.

Configuring the AC as the Home Agent:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.

Service Data Packet Type: Downstream service data

Before Roaming:
1. The upper-layer network sends a service packet to the HAC.
2. The HAC sends the service packet to the HAP.
3. After receiving the service packet, the HAP sends it to the STA.

After Roaming:
1. The upper-layer network sends a service packet to the HAP.
2. The HAP sends the service packet to the HAC over the CAPWAP tunnel.
3. The HAC forwards the service packet to the FAC through a tunnel between them.
4. After receiving the service packet, the FAC sends it to the FAP over the CAPWAP tunnel.
5. The FAP sends the service packet to the STA.

Configuring the AC as the Home Agent:
1. The upper-layer network sends a service packet to the HAC.
2. The HAC forwards the service packet to the FAC through a tunnel between them.
3. After receiving the service packet, the FAC sends it to the FAP over the CAPWAP tunnel.
4. The FAP sends the service packet to the STA.


4 Typical Configuration Examples (CLI)

4.1 WLAN Common Service Configuration Examples


4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
● Service data forwarding mode: direct forwarding
● WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-1 Networking diagram for configuring 802.1x authentication

Data Planning

Table 4-1 Data planning on the AC

| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| 802.1x access profile | Name: wlan-net; Authentication mode: EAP |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.


NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
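
The port-level points in these notes (management VLAN allowed towards the APs, service VLAN handling that depends on the forwarding mode, port isolation on AP-facing interfaces) can be checked mechanically before rollout. The following Python script is an added example, not part of the Huawei guide: it parses a CLI session written in the prompt style used in this document and reports the gaps. The function names, the constructed sample session (including the incomplete GE0/0/3) and the list of AP-facing ports are assumptions made for illustration.

```python
import re

# Constructed sample: a CLI session in this guide's prompt style. GE0/0/1 and
# GE0/0/3 face APs, GE0/0/2 is the uplink; GE0/0/3 is deliberately incomplete.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Matches "<Host> cmd" and "[Host-view] cmd"; device output such as warnings
# carries no prompt and is skipped.
PROMPT = re.compile(r"^[<\[][^\]>]*[\]>]\s*(.*)$")


def parse_vlans(tokens):
    """Expand a VLAN list such as ['100', '101'] or ['100', 'to', '104']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if not tokens[i].isdigit():
            i += 1
        elif (i + 2 < len(tokens) and tokens[i + 1] == "to"
              and tokens[i + 2].isdigit()):
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return {interface: {'allowed': set of VLAN ids, 'isolated': bool}}."""
    ports, current = {}, None
    for raw in text.splitlines():
        match = PROMPT.match(raw.strip())
        words = match.group(1).lower().split() if match else []
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            current = "".join(words[1:])          # "gigabitethernet0/0/1"
            ports.setdefault(current, {"allowed": set(), "isolated": False})
        elif words[0] in ("quit", "return"):
            current = None
        elif current is None:
            continue
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current]["allowed"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            ports[current]["isolated"] = True
    return ports


def audit(session, ap_ports, mgmt_vlan, service_vlan, forwarding="direct"):
    """Check AP-facing ports against the configuration notes; return findings."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append(("*", "management and service VLAN must differ "
                              "in tunnel forwarding mode"))
    ports = parse_session(session)
    for name in ap_ports:
        cfg = ports.get(name.lower().replace(" ", ""))
        if cfg is None:
            findings.append((name, "no configuration found in this session"))
            continue
        if mgmt_vlan not in cfg["allowed"]:
            findings.append((name, f"management VLAN {mgmt_vlan} not allowed"))
        if forwarding == "direct" and service_vlan not in cfg["allowed"]:
            findings.append((name, f"service VLAN {service_vlan} not allowed "
                                   "(required for direct forwarding)"))
        if forwarding == "tunnel" and service_vlan in cfg["allowed"]:
            findings.append((name, f"service VLAN {service_vlan} allowed "
                                   "although tunnel forwarding carries it "
                                   "inside CAPWAP"))
        if not cfg["isolated"]:
            findings.append((name, "port isolation not enabled"))
    return findings


if __name__ == "__main__":
    aps = ["GigabitEthernet 0/0/1", "GigabitEthernet 0/0/3"]
    for port, issue in audit(SAMPLE_SESSION, aps, 100, 101, "direct"):
        print(f"{port}: {issue}")
```
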

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 54


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

[SwitchB-Vlanif101] ip address 10.23.101.1 24


[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.

NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication (CLI)" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication (CLI)" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Huawei Agile
Controller-Campus Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 7 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
• After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return

4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open

Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 4-2 AC data planning

Item                               Data

Management VLAN for APs            VLAN100

Service VLAN for STAs              VLAN101

DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.

IP address pool for APs            10.23.100.2–10.23.100.254/24

IP address pool for STAs           10.23.101.3–10.23.101.254/24

AC's source interface address      VLANIF100: 10.23.100.1/24

AP group                           • Name: ap-group1
                                   • Referenced profile: VAP profile wlan-net and regulatory domain
                                     profile default

Regulatory domain profile          • Name: default
                                   • Country code: China

SSID profile                       • Name: wlan-net
                                   • SSID name: wlan-net

Security profile                   • Name: wlan-net
                                   • Security policy: open

RADIUS authentication parameters   Name of the RADIUS authentication scheme: wlan-net
                                   Name of the RADIUS accounting scheme: wlan-net
                                   Name of the RADIUS server template: wlan-net
                                   • IP address: 10.23.102.1
                                   • Authentication port number: 1812
                                   • Shared key: Huawei123

Portal server template             • Name: wlan-net
                                   • IP address: 10.23.103.1
                                   • Destination port number in the packets that the AC sends to the
                                     Portal server: 50200
                                   • Portal shared key: Huawei123

Portal access profile              • Name: wlan-net
                                   • Referenced profile: Portal server template wlan-net

MAC access profile                 Name: wlan-net

Authentication-free rule profile   • Name: default_free_rule
                                   • Authentication-free resource: IP address of the DNS server (8.8.8.8)

Authentication profile             • Name: wlan-net
                                   • Referenced profile: Portal access profile wlan-net, MAC access
                                     profile wlan-net, RADIUS server template wlan-net,
                                     authentication-free rule profile default_free_rule and
                                     authentication scheme wlan-net

VAP profile                        • Name: wlan-net
                                   • Forwarding mode: tunnel forwarding
                                   • Service VLAN: VLAN 101
                                   • Referenced profile: SSID profile wlan-net, security profile
                                     wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC with the next hop set to the IP address of VLANIF 101 on Router.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

• In this example, the device is connected to the Agile Controller-Campus. Accounting is enabled not
for accounting purposes but to maintain terminal online information through accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 13 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 14 Configure third-party server interconnection parameters.


• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 15 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
• Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End


Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
#
return

4.1.3 Example for Configuring High-Density WLAN Services

Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-3 Networking diagram for configuring a high-density WLAN


Data Planning

Table 4-3 Data planning

| Item | Data |
|------|------|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool. Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile default, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and traffic profile wlan-traffic |
| RRM profile | Name: wlan-rrm; Airtime fair scheduling: enable; Smart roaming: enable |
| 2G radio profile | Name: wlan-radio2g; Referenced profile: RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profile: RRM profile wlan-rrm |
| Traffic profile | Name: wlan-traffic |

Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-4.

Table 4-4 Adjustment recommendations

| Adjustment Item | Purpose | Recommendation |
|-----------------|---------|----------------|
| Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled. |
| Remove the limit on the number of access users | To make an AP offer wireless services to more users. | Increase the maximum number of access users to 128 for an SSID profile. |
| Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute. |
| User isolation | To prevent mobile terminals from exchanging a large number of ARP packets. | Enable user isolation on the AC. |
| Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s. |
| Adjust AP channel and power | To reduce interference between APs. | Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment. Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area. |
| Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB. |
| Enable airtime fair scheduling | To ensure that wireless channel resources can be equally allocated to users. | Enable airtime fair scheduling. |
| Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes. |
| Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms. |
| Adjust the transmit rate of 2.4 GHz Beacon frames | To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency. | Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s. |
| Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI. |
| Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set. |
| Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio. |
| Configure the short preamble for a radio | To improve the network synchronization performance. | Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function. |
| Adjust EDCA parameters | To improve user experience. | Set the EDCA parameters of AC_BE packets as follows. AP: ecwmin 5, ecwmax 6, aifsn 3. Client: ecwmin 7, ecwmax 10, aifsn 3. |

5. Deliver WLAN services to the APs and verify the configuration.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
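
Two of the Configuration Notes above (port isolation on AP-facing switch interfaces, and distinct management and service VLANs in tunnel forwarding mode) can be checked against saved configuration files. The following audit script is an added example, not part of the Huawei document. Its sample text is constructed from this example's SwitchA and AC files, and the function names, the profiles wlan-mgmt and wlan-direct, the pool bad-pool, and the rule that a port is AP-facing when its PVID is an AP management VLAN are assumptions.

```python
import re

# Constructed samples modelled on this example's SwitchA and AC files. Planted defects:
# GigabitEthernet0/0/3 lacks port isolation; wlan-mgmt tunnels a pool containing VLAN 100.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
#
"""
AC_CFG = """\
#
vlan pool sta-pool
 vlan 101 to 102
#
vlan pool bad-pool
 vlan 100 to 101
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
 vap-profile name wlan-mgmt
  forward-mode tunnel
  service-vlan vlan-pool bad-pool
 vap-profile name wlan-direct
  service-vlan vlan-id 100
#
"""
MGMT_VLANS = {10, 100}  # "Management VLAN for APs" in Table 4-3


def stanzas(cfg):
    """Split a configuration file into '#'-delimited stanzas of stripped lines."""
    out = [[]]
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line == "#":
            out.append([])
        elif line:
            out[-1].append(line)
    return [st for st in out if st]


def expand_vlans(text):
    """Expand a VLAN list such as '10 101 to 102' into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def unisolated_ap_ports(cfg, mgmt_vlans):
    """AP-facing interfaces (assumed: PVID is a management VLAN) without port isolation."""
    findings = []
    for st in stanzas(cfg):
        if not st[0].startswith("interface "):
            continue
        pvids = {int(m.group(1)) for line in st
                 if (m := re.fullmatch(r"port (?:trunk pvid|default) vlan (\d+)", line))}
        isolated = any(line.startswith("port-isolate enable") for line in st)
        if pvids & mgmt_vlans and not isolated:
            findings.append(st[0].split(None, 1)[1])
    return findings


def tunnel_vlan_conflicts(cfg, mgmt_vlans):
    """(VAP profile, VLAN) pairs where a tunnel-mode service VLAN is a management VLAN."""
    pools, vaps = {}, {}
    for st in stanzas(cfg):
        if st[0].startswith("vlan pool "):
            members = " ".join(l[5:] for l in st[1:] if l.startswith("vlan "))
            pools[st[0].split()[2]] = expand_vlans(members)
        elif st[0] == "wlan":
            cur = None
            for line in st[1:]:
                head = re.fullmatch(r"(\S+) name (\S+)", line)
                if head or line.startswith("ap-id "):  # next profile, AP group or AP
                    is_vap = bool(head) and head.group(1) == "vap-profile"
                    cur = vaps.setdefault(head.group(2), []) if is_vap else None
                elif cur is not None:
                    cur.append(line)
    findings = []
    for name, body in vaps.items():
        if "forward-mode tunnel" not in body:
            continue  # the Configuration Notes rule covers tunnel forwarding only
        for line in body:
            m = re.fullmatch(r"service-vlan (vlan-id|vlan-pool) (\S+)", line)
            if m:
                vlans = {int(m.group(2))} if m.group(1) == "vlan-id" else pools.get(m.group(2), set())
                findings += [(name, v) for v in sorted(vlans & mgmt_vlans)]
    return findings


if __name__ == "__main__":
    print("AP ports without isolation:", unisolated_ap_ports(SWITCH_CFG, MGMT_VLANS))
    print("Tunnel-mode VLAN conflicts:", tunnel_vlan_conflicts(AC_CFG, MGMT_VLANS))
```

The parser ignores indentation, so it also accepts configuration text whose leading spaces were lost when copied out of a document.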

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.

# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.

# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-net-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-net-prof-wlan-net] quit

2. Adjust SSID profile parameters.

# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, EDCA parameters for AC_BE packets of STAs, and the transmit rate
of 2.4 GHz Beacon frames to 11 Mbit/s.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] beacon-2g-rate 11
[AC-wlan-ssid-prof-wlan-net] quit

3. Create a traffic profile and adjust traffic profile parameters.

# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-net-prof-wlan-net] quit

4. Create an RRM profile, enable airtime fair scheduling and smart roaming, and set the
SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

5. Create a 2G radio profile and adjust 2G radio profile parameters.

Create 2G radio profile wlan-radio2g and set the parameters as follows:


– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function. By default, the short preamble function is
supported by a radio profile.
– Set the GI mode to short GI.
– Set the 802.11bg basic rate to 6 Mbit/s, 9 Mbit/s, 12 Mbit/s, 18 Mbit/s, 24 Mbit/s,
36 Mbit/s, 48 Mbit/s, or 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.


Create 5G radio profile wlan-radio5g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short GI.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

7. Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


WLAN service configuration is automatically delivered to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output displays as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When a large number of users connect to the network in the stadium, the users still have good
Internet experience.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
● Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$
(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
beacon-2g-rate 11
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.1.4 Example for Configuring WLAN Backhaul


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to STAs.
● Wireless backhaul mode: hand-in-hand WDS
● Backhaul radio: 5 GHz
● Service data forwarding mode: direct forwarding


Figure 4-4 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 4-5 AP data planning

AP      Type        MAC Address
AP_1    AP8130DN    60de-4474-9640
AP_2    AP8130DN    dcd2-fc04-b500
AP_3    AP8130DN    dcd2-fc96-e4c0

Table 4-6 AC data planning

Item                                 Data
Management VLAN for APs              VLAN 100
Service VLAN for STAs                VLAN 101
DHCP server                          The AC functions as a DHCP server to assign IP addresses to APs.
                                     Switch_A functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs              10.23.100.2-10.23.100.254/24
IP address pool for STAs             10.23.101.3-10.23.101.254/24
AC's source interface address        VLANIF 100
WDS mode                             ● Radio 1 on AP_1: root
                                     ● Radio 1 on AP_2: leaf
                                     ● Radio 0 on AP_2: root
                                     ● Radio 1 on AP_3: leaf
Regulatory domain profile            ● Name: default
                                     ● Country code: CN
SSID profile                         ● Name: wlan-net
                                     ● SSID name: wlan-net
Wireless service security profile    ● Name: wlan-net
                                     ● Security policy: WPA-WPA2+PSK+AES
                                     ● Password: a1234567
VAP profile                          ● Name: wlan-net
                                     ● Forwarding mode: direct forwarding
                                     ● Service VLAN: VLAN 101
                                     ● Referenced profiles: SSID profile wlan-net and security profile wlan-net
WDS link security profile            ● Name: wds-security
                                     ● Security policy: WPA2+PSK+AES
                                     ● Password type: PASS-PHRASE
                                     ● Password: a1234567
WDS whitelist profile                ● Name: wds-list1
                                     ● AP MAC address: MAC address of AP_2 (leaf)

                                     ● Name: wds-list2
                                     ● AP MAC address: MAC address of AP_3 (leaf)
WDS profile                          ● Name: wds-root
                                     ● WDS name: wlan-wds
                                     ● WDS working mode: root
                                     ● Tagged VLAN: VLAN 101
                                     ● Referenced profile: security profile wds-security

                                     ● Name: wds-leaf
                                     ● WDS name: wlan-wds
                                     ● WDS working mode: leaf
                                     ● Tagged VLAN: VLAN 101
                                     ● Referenced profile: security profile wds-security
AP group                             ● Name: ap-group1
                                     ● Root APs, such as AP_1, are added to the group.
                                     ● Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and
                                       regulatory domain profile default

                                     ● Name: ap-group2
                                     ● Root and leaf APs, such as AP_2, are added to the group.
                                     ● Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile
                                       wlan-net, and regulatory domain profile default

                                     ● Name: ap-group3
                                     ● Leaf APs, such as AP_3, are added to the group.
                                     ● Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and
                                       regulatory domain profile default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
● Select proper antennas by following the WDS network planning and design, and use the
  antenna calibration tool for calibration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.

# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure an AP to go online.

# Create AP groups ap-group1, ap-group2, and ap-group3.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Set WDS service parameters.


# Set key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1,
and AP_2 uses radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz
frequency band. To reduce channel interference, configure radio 0 and radio 1 of AP_2 to
work on different channels. Radio 1 and radio 0 are used to establish WDS links with AP_1
and AP_3 respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on actual situations.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenn
a gain configurations of the current radio on the AP and reboot the AP. Continue
?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit

# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit

# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit

# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1. Bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind WDS profiles wds-root and wds-leaf to AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] wds-profile wds-root radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Bind WDS profile wds-leaf to AP group ap-group3.


[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group3] quit

Step 7 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit

Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] calibrate auto-channel-select disable
[AC-wlan-radio-2/1] calibrate auto-txpower-select disable
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 0
[AC-wlan-radio-3/0] calibrate auto-channel-select disable
[AC-wlan-radio-3/0] calibrate auto-txpower-select disable
[AC-wlan-radio-3/0] quit
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] calibrate auto-channel-select disable
[AC-wlan-radio-3/1] calibrate auto-txpower-select disable
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit

Step 9 Verify the configuration.

# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type      State  STA  Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
1    60de-4474-9640  AP_1  ap-group1  10.23.100.254  AP8130DN  nor    0    20M:16S  -
2    dcd2-fc04-b500  AP_2  ap-group2  10.23.100.253  AP8130DN  nor    0    17S      -
3    dcd2-fc96-e4c0  AP_3  ap-group3  10.23.100.252  AP8130DN  nor    0    3M:55S   -
--------------------------------------------------------------------------------------------------
Total: 3

Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -39   -30   0    5   55    42/57/-/-
AP_2    AP_3      0   4    149  root  normal    -56   -40   0    9   59    45/40/60/-
AP_2    AP_1      1   4    157  leaf  normal    -32   -30   0    15  58    41/36/60/-
AP_3    AP_2      1   4    149  leaf  normal    -33   -32   0    7   59    51/59/-/-
-------------------------------------------------------------------------------------------------
Total: 4

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2


Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   1      AP_1     0/1      2.4G  11n   3/34   -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

● Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
security-profile name wds-security
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^
%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 149
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
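
One way to check the WDS whitelist bindings from Step 5 against the resulting AC configuration file, as an added example (not Huawei's code and not part of the original document). The names `parse` and `audit` are hypothetical; the sample is a trimmed, constructed copy of the WDS lines of the AC file above with cipher strings replaced by `<cipher>`, and a WDS profile without a `wds-mode` line is assumed to be a leaf, as the wds-leaf profile in that file implies.

```python
# Added example (not Huawei code): audit a flattened AC "wlan" view for WDS whitelists.
# Constructed sample: WDS lines of the 4.1.4 AC file, trimmed, ciphers shown as <cipher>.
AC_CONFIG = """\
security-profile name wds-security
security wpa2 psk pass-phrase <cipher> aes
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
wds-profile name wds-root
security-profile wds-security
wds-mode root
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0
"""


def parse(config):
    """Collect WDS profiles, whitelists, per-radio bindings and managed AP MACs."""
    modes, whitelists, wds_sec, policies = {}, {}, {}, {}
    radios, ap_macs = {}, set()
    kind = name = radio = None
    for raw in config.splitlines():
        w = raw.split()
        if len(w) < 2:                          # blank, "#", "wlan", "return"
            continue
        if len(w) == 3 and w[1] == "name":      # "<kind> name <x>" opens a view
            kind, name, radio = w[0], w[2], None
            if kind == "wds-profile":
                modes[name] = "leaf"            # assumption: leaf unless "wds-mode root"
            elif kind == "wds-whitelist-profile":
                whitelists[name] = set()
        elif w[0] == "ap-id":                   # per-AP view: remember the managed MAC
            kind, name, radio = "ap-id", None, None
            if "ap-mac" in w[:-1]:
                ap_macs.add(w[w.index("ap-mac") + 1].lower())
        elif w[0] == "radio" and len(w) == 2:
            radio = w[1]
            if kind == "ap-group":
                radios.setdefault((name, radio), {})
        elif kind == "wds-profile" and w[0] == "wds-mode":
            modes[name] = w[1]
        elif kind == "wds-profile" and w[0] == "security-profile":
            wds_sec[name] = w[1]
        elif kind == "wds-whitelist-profile" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            whitelists[name].add(w[2].lower())
        elif kind == "security-profile" and w[0] == "security":
            policies[name] = w[1:]
        elif kind == "ap-group" and radio is not None and len(w) == 2:
            if w[0] in ("wds-profile", "wds-whitelist-profile"):
                radios[(name, radio)][w[0]] = w[1]
    return modes, whitelists, wds_sec, policies, radios, ap_macs


def audit(config):
    """Return findings for WDS radios that deviate from the 4.1.4 data plan."""
    modes, whitelists, wds_sec, policies, radios, ap_macs = parse(config)
    findings = []
    for (group, radio), bound in sorted(radios.items()):
        prof = bound.get("wds-profile")
        if prof is None:                        # radio carries no WDS link
            continue
        where = f"{group} radio {radio}"
        policy = policies.get(wds_sec.get(prof), [])
        if policy[:2] != ["wpa2", "psk"] or policy[-1] != "aes":
            findings.append(f"{where}: WDS profile {prof} is not WPA2+PSK+AES")
        if modes.get(prof) != "root":           # whitelists are checked on root radios
            continue
        wl = bound.get("wds-whitelist-profile")
        if wl is None:
            findings.append(f"{where}: root radio has no WDS whitelist bound")
        elif not whitelists.get(wl):
            findings.append(f"{where}: whitelist {wl} is empty or undefined")
        else:
            for mac in sorted(whitelists[wl] - ap_macs):
                findings.append(f"{where}: whitelist {wl} allows {mac}, not a managed AP")
    return findings


if __name__ == "__main__":
    print(audit(AC_CONFIG) or "no findings")
```

The parser reads the configuration-file form, where the WDS profile and whitelist are bound under a radio of the AP group, not the interactive command form used in the procedure.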

4.1.5 Example for Configuring Rail Transportation WLAN Services

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 4-5 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 4-7 AP information

AP                                 Type      MAC Address
Trackside AP (L1_001)              AP9132DN  0046-4b59-1d10
Trackside AP (L1_003)              AP9132DN  0046-4b59-1d20
Trackside AP (L1_010)              AP9132DN  0046-4b59-1d30
Trackside AP (L1_150)              AP9132DN  0046-4b59-1d40
Trackside AP (L1_160)              AP9132DN  0046-4b59-1d50
Trackside AP (L1_170)              AP9132DN  0046-4b59-1d60
......
Vehicle-mounted AP (in the front)  AP9132DN  0046-4b59-2e10
Vehicle-mounted AP (in the rear)   AP9132DN  0046-4b59-2e20
.......

Table 4-8 Data planning

Item                                               Data
Management VLAN                                    VLAN 100
Multicast service VLAN                             VLAN 101
Service VLAN for STAs                              VLAN 200
DHCP server                                        • Configure the AC as a DHCP server to assign IP
                                                     addresses to trackside APs.
                                                   • Configure Switch_A as a DHCP server to assign IP
                                                     addresses to vehicle-mounted terminals.
AC's source interface address                      VLANIF 100: 10.23.100.1/24
Gateway address                                    IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                  10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals      10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong             Name: mesh-mpp
IDs of trackside APs                               • Trackside AP (L1_001): 1
                                                   • Trackside AP (L1_003): 2
                                                   • Trackside AP (L1_010): 3
                                                   • Trackside AP (L1_150): 101
                                                   • Trackside AP (L1_160): 102
                                                   • Trackside AP (L1_170): 103
AP wired port profile                              • Name: wired-port
Security profile                                   • Name: sp01
                                                   • Security policy: WPA2+PSK+AES
                                                   • Password type: PASS-PHRASE
                                                   • Authentication key: a1234567
AP system profile                                  • Name: mesh-sys
                                                   • Mesh role: Mesh-portal
Mesh profile                                       Trackside APs:
                                                   • Name: mesh-net
                                                   • Identifier: mesh-net
                                                   Vehicle-mounted APs:
                                                   • Name: mesh-net
                                                   • Identifier: mesh-net
Mesh handover profile                              Trackside APs:
                                                   • Name: hand-over
                                                   Vehicle-mounted APs:
                                                   • Name: hand-over
Mesh whitelist on trackside APs                    Name: whitelist01
                                                   Add MAC addresses of all vehicle-mounted APs on trains
                                                   running on the rail to the whitelist according to actual
                                                   situations.
MAC address of the proxied ground device           • Gateway: 707b-e8e9-d328
                                                   • Network management device: 286e-d488-12cd
                                                   • Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device  • Vehicle-mounted terminal_1: 286e-d488-d359
                                                   • Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                    225.1.1.1-225.1.1.3

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
  Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
• Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

f. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.
[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

g. Configure the AC to enable it to communicate with trackside APs at Layer 2.


# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

h. Configure the AP group, country code, and AC's source interface.


# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit

i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.

[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

j. Configure Mesh parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The profile uses the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit

k. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit
[AC] quit

• Configure vehicle-mounted network devices.


NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of
the train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
a. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/1
[AP-GigabitEthernet0/0/1] port link-type trunk
[AP-GigabitEthernet0/0/1] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/1] quit

b. Configure system parameters for the vehicle-mounted APs.


# Configure the AP country code.
[AP] wlan
[AP-wlan-view] country-code cn

c. Configure vehicle-ground fast link handover parameters.


# Configure the security profile sp01 used by Mesh links. The profile uses the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit

NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit

d. Apply the Mesh parameters to radios of vehicle-mounted APs.


# Configure the radio and channel used by vehicle-mounted APs and apply the
Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] mesh-profile mesh-net
[AP-Wlan-Radio0/0/1] quit

# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
[AP-wlan-view] quit

f. Enable IGMP snooping on the vehicle-mounted APs.


[AP] igmp-snooping enable
[AP] vlan 101
[AP-vlan101] igmp-snooping enable
[AP-vlan101] quit
[AP] quit

• Verify the configuration.

# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
Mesh : Mesh mode       Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
L1_001  AP        0046-4b59-2e10  1   3    157  portal  -         -51   -38   0    0   47    39/47/-/-
L1_003  AP        0046-4b59-2e10  1   3    157  portal  -         -59   -7    0    0   50    19/14/37/-
L1_010  AP        0046-4b59-2e10  1   3    157  portal  -         -45   -33   0    0   37    20/17/17/-
L1_150  AP        0046-4b59-2e10  1   3    157  portal  -         -54   -39   0    0   46    34/43/-/-
L1_160  AP        0046-4b59-2e10  1   3    157  portal  -         -52   -7    0    0   32    21/18/35/-
L1_170  AP        0046-4b59-2e10  1   3    157  portal  -         -42   -33   0    0   29    26/14/19/-
----------------------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID    Neighbor AP/MAC/Location-ID    RSSI    Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1        -/0046-4b59-2e10/-             -44     18:08:21
L1_003/0046-4b59-1d20/1/3        -/0046-4b59-2e10/-             -50     18:08:20
L1_010/0046-4b59-1d30/1/10       -/0046-4b59-2e10/-             -28     18:08:21
L1_150/0046-4b59-1d40/1/150      -/0046-4b59-2e10/-             -43     18:08:20
L1_160/0046-4b59-1d50/1/160      -/0046-4b59-2e10/-             -47     18:08:21
L1_170/0046-4b59-1d60/1/170      -/0046-4b59-2e10/-             -38     18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index  Timestamp  From AP MAC/RSSI/Location-ID  To AP MAC/RSSI/Location-ID
------------------------------------------------------------------------------
1      18:52:27   0046-4b59-1d50/-95/160        0046-4b59-1d60/-15/170
2      18:50:46   0046-4b59-1d40/-95/150        0046-4b59-1d50/-34/160
3      18:49:25   0046-4b59-1d30/-95/10         0046-4b59-1d40/-11/150
4      18:48:56   0046-4b59-1d20/-95/3          0046-4b59-1d30/-40/10
5      18:47:39   0046-4b59-1d10/-47/1          0046-4b59-1d20/-36/3
------------------------------------------------------------------------------

----End
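
The comparison an operator makes by eye between the last two outputs can be scripted. The following Python sketch is an added example, not part of the Huawei document: it builds a MAC-to-Location-ID inventory from the display mesh-neighbor-rssi output and flags handover-trace hops that involve an AP MAC the AC does not report, a Location-ID that disagrees with the AC, or a hop that does not start where the previous one ended. The function names and the MAC 0200-0000-00aa are constructed for illustration, and the parsing assumes the column layout shown on this page.

```python
import re

MAC = r"[0-9a-f]{4}(?:-[0-9a-f]{4}){2}"
# Row of "display mesh-neighbor-rssi": <AP name>/<MAC>/<radio>/<Location-ID> ...
RSSI_ROW = re.compile(rf"^[ \t]*([^/\s]+)/({MAC})/\d+/(\d+)[ \t]", re.I | re.M)
# Row of "display mesh-handover-trace": index, time, then from/to as MAC/RSSI/Location-ID
TRACE_ROW = re.compile(
    rf"^[ \t]*(\d+)[ \t]+(\d\d:\d\d:\d\d)[ \t]+({MAC})/-?\d+/(\d+)[ \t]+({MAC})/-?\d+/(\d+)[ \t]*$",
    re.I | re.M,
)

# Outputs copied from this page, one row per line.
RSSI_FROM_PAGE = """\
AP name/MAC/Radio/Location-ID    Neighbor AP/MAC/Location-ID    RSSI    Update Time
L1_001/0046-4b59-1d10/1/1        -/0046-4b59-2e10/-             -44     18:08:21
L1_003/0046-4b59-1d20/1/3        -/0046-4b59-2e10/-             -50     18:08:20
L1_010/0046-4b59-1d30/1/10       -/0046-4b59-2e10/-             -28     18:08:21
L1_150/0046-4b59-1d40/1/150      -/0046-4b59-2e10/-             -43     18:08:20
L1_160/0046-4b59-1d50/1/160      -/0046-4b59-2e10/-             -47     18:08:21
L1_170/0046-4b59-1d60/1/170      -/0046-4b59-2e10/-             -38     18:08:21
Total: 6
"""
TRACE_FROM_PAGE = """\
Index  Timestamp  From AP MAC/RSSI/Location-ID  To AP MAC/RSSI/Location-ID
1      18:52:27   0046-4b59-1d50/-95/160        0046-4b59-1d60/-15/170
2      18:50:46   0046-4b59-1d40/-95/150        0046-4b59-1d50/-34/160
3      18:49:25   0046-4b59-1d30/-95/10         0046-4b59-1d40/-11/150
4      18:48:56   0046-4b59-1d20/-95/3          0046-4b59-1d30/-40/10
5      18:47:39   0046-4b59-1d10/-47/1          0046-4b59-1d20/-36/3
"""
# Constructed variant: hop 3 lands on a MAC that the AC does not manage.
TRACE_CONSTRUCTED = TRACE_FROM_PAGE.replace("0046-4b59-1d40/-11/150", "0200-0000-00aa/-11/150")


def parse_inventory(rssi_output):
    """Map trackside AP MAC -> (AP name, Location-ID) as reported by the AC."""
    return {mac.lower(): (name, int(loc)) for name, mac, loc in RSSI_ROW.findall(rssi_output)}


def parse_trace(trace_output):
    """Return hops oldest first; in the output on this page index 1 is the newest hop."""
    hops = [
        {"idx": int(i), "time": ts, "from": (fmac.lower(), int(floc)), "to": (tmac.lower(), int(tloc))}
        for i, ts, fmac, floc, tmac, tloc in TRACE_ROW.findall(trace_output)
    ]
    return sorted(hops, key=lambda h: h["idx"], reverse=True)


def audit_trace(inventory, hops):
    """Return (index, kind, detail) findings for hops that disagree with the AC's view."""
    findings = []
    prev_to = None
    for hop in hops:
        for side in ("from", "to"):
            mac, loc = hop[side]
            if mac not in inventory:
                findings.append((hop["idx"], "unknown-ap", f"{side} AP {mac} is not reported by the AC"))
            elif inventory[mac][1] != loc:
                findings.append((hop["idx"], "location-mismatch",
                                 f"{mac} traced at Location-ID {loc}, AC reports {inventory[mac][1]}"))
        if prev_to is not None and hop["from"][0] != prev_to:
            findings.append((hop["idx"], "chain-break",
                             f"hop starts at {hop['from'][0]} but the previous hop ended at {prev_to}"))
        prev_to = hop["to"][0]
    return findings


if __name__ == "__main__":
    inventory = parse_inventory(RSSI_FROM_PAGE)
    for label, text in (("page", TRACE_FROM_PAGE), ("constructed", TRACE_CONSTRUCTED)):
        for finding in audit_trace(inventory, parse_trace(text)) or [("-", "ok", "no findings")]:
            print(label, *finding)
```

The trace copied from this page produces no findings; the constructed variant is reported at hop 3 (unknown AP) and hop 2 (broken chain).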

Configuration Files
• Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return

– Switch_A configuration file


#
sysname Switch_A
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
• Vehicle-mounted network devices
– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
channel 40mhz-plus 157
#
return

4.1.6 Example for Configuring Agile Distributed Wi-Fi Services


Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.


Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-6 Networking for configuring an agile distributed WLAN

Data Planning

Table 4-9 AC data planning

Item                          Data
----------------------------  --------------------------------------------------
DHCP server                   The AC functions as a DHCP server to assign IP
                              addresses to central APs, RUs, and STAs.
IP address pool for central   10.23.100.2-10.23.100.254/24
APs and RUs
IP address pool for STAs      10.23.101.2-10.23.101.254/24
AC's source interface         VLANIF 100: 10.23.100.1/24
address
AP group                      • Name: ap-group1
                              • Referenced profiles: VAP profile wlan-net and
                                regulatory domain profile default
Regulatory domain profile     • Name: default
                              • Country code: China
SSID profile                  • Name: wlan-net
                              • SSID name: wlan-net
Security profile              • Name: wlan-net
                              • Security policy: WPA-WPA2+PSK+AES
                              • Password: a1234567
VAP profile                   • Name: wlan-net
                              • Forwarding mode: direct forwarding
                              • Service VLAN: VLAN 101
                              • Referenced profiles: SSID profile wlan-net and
                                security profile wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.


# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add them to AP group ap-group1. In
this example, the central AP's MAC address is 68a8-2845-62fd and it is named central_AP;
the RUs' MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40, and they are named ru_1 and
ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID  MAC             Name        Group      IP             Type         State  STA  Uptime  ExtraInfo
------------------------------------------------------------------------------------------------------
0   68a8-2845-62fd  central_AP  ap-group1  10.23.100.254  AD9430DN-24  nor    0    2M:25S  -
1   fcb6-9897-c520  ru_1        ap-group1  10.23.100.253  R240D        nor    0    3M:5S   -
2   fcb6-9897-ca40  ru_2        ap-group1  10.23.100.252  R240D        nor    0    3M:14S  -
------------------------------------------------------------------------------------------------------
Total: 3

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the RU radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the RUs. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 FCB6-9897-C520 ON WPA/WPA2-PSK 0 wlan-net
1 ru_1 1 1 FCB6-9897-C530 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 FCB6-9897-CA40 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 1 1 FCB6-9897-CA50 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      ru_1     1/1      5G    11n   46/59  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
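
The Configuration Notes for this example state two constraints that can be checked mechanically against an AC configuration file: AP-facing ports need port isolation, and in tunnel forwarding mode the service VLAN must differ from the management VLAN. The following audit script is an added example, not part of the Huawei document; the sample configurations are constructed from the file above, the function names are hypothetical, and treating a port whose default VLAN is the management VLAN as AP-facing is an assumption taken from the NOTE in Step 2.

```python
import re

# Constructed sample modelled on the AC configuration file above (not a device export).
GOOD_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

# Constructed misconfiguration: port isolation removed, service VLAN moved onto VLAN 100.
BAD_CONFIG = (GOOD_CONFIG.replace(" port-isolate enable\n", "")
              .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100"))


def sections(text):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    out = [[]]
    for line in map(str.strip, text.splitlines()):
        if line in ("#", "return"):
            out.append([])
        elif line:
            out[-1].append(line)
    return [s for s in out if s]


def management_vlan(secs):
    """Management VLAN = the VLANIF named by 'capwap source interface vlanifN'."""
    for sec in secs:
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", sec[0], re.I)
        if m:
            return int(m.group(1))
    return None


def vap_profiles(secs):
    """Return {profile: {'mode': str, 'vlan': int or None}} from the wlan section."""
    profiles = {}
    for sec in secs:
        if sec[0] != "wlan":
            continue
        current = None
        for line in sec[1:]:
            m = re.fullmatch(r"vap-profile name (\S+)", line)
            if m:
                # Assumption: a profile with no forward-mode line forwards directly.
                current = profiles.setdefault(m.group(1), {"mode": "direct", "vlan": None})
            elif re.match(r"(\S+-profile name |ap-group name |ap-id )", line):
                current = None  # a different object starts here
            elif current is not None:
                if (m := re.fullmatch(r"forward-mode (\S+)", line)):
                    current["mode"] = m.group(1)
                elif (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
                    current["vlan"] = int(m.group(1))
    return profiles


def audit(text):
    """Return a list of findings for the two Configuration Notes checks."""
    secs = sections(text)
    mgmt = management_vlan(secs)
    if mgmt is None:
        return ["no 'capwap source interface vlanifN' line: management VLAN unknown"]
    findings = []
    for sec in secs:
        m = re.fullmatch(r"interface (\S+)", sec[0])
        if not m or m.group(1).lower().startswith("vlanif"):
            continue
        # Assumption: a port whose default VLAN is the management VLAN faces APs.
        ap_facing = (f"port trunk pvid vlan {mgmt}" in sec
                     or f"port default vlan {mgmt}" in sec)
        if ap_facing and "port-isolate enable" not in sec:
            findings.append(f"{m.group(1)}: AP-facing port without port-isolate enable")
    for name, prof in vap_profiles(secs).items():
        if prof["mode"] == "tunnel" and prof["vlan"] == mgmt:
            findings.append(f"vap-profile {name}: tunnel forwarding with service VLAN "
                            f"{mgmt} equal to the management VLAN")
    return findings


if __name__ == "__main__":
    print(audit(GOOD_CONFIG), audit(BAD_CONFIG), sep="\n")
```

The parser strips leading whitespace, so it accepts both an indented device export and a flattened listing like the one printed above.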

4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker may deploy a rogue AP (area_2) that advertises the SSID wlan-net so
that STAs associate with it and enterprise information can be intercepted, posing a great
threat to the enterprise network. To prevent such attacks, the detection and containment
function can be configured for authorized APs. The AC can then detect rogue AP area_2
(which is neither managed by the AC nor in the authorized AP list) and prevent STAs from
associating with it.
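
The decision described above can be modelled in a few lines. This is an added example, not Huawei code and not the AC's actual algorithm: a detected BSSID is rogue when it is neither managed nor on the authorized list, a rogue that advertises a protected SSID is the containment target of the spoof-SSID mode used in this example, and a radio in normal mode can only contain on its service channels. All names, the scan records and the second managed BSSID are constructed for illustration.

```python
import re
from dataclasses import dataclass


def norm_mac(mac):
    """Normalise 60de-4476-e360 or 60:DE:44:76:E3:60 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int


def classify(beacon, managed, authorized, protected_ssids):
    """managed / authorized / rogue-spoof-ssid / rogue, per the definition in the text."""
    bssid = norm_mac(beacon.bssid)
    if bssid in managed:
        return "managed"
    if bssid in authorized:
        return "authorized"
    if beacon.ssid in protected_ssids:
        return "rogue-spoof-ssid"
    return "rogue"


def plan(beacons, managed, authorized, protected_ssids, service_channels,
         monitor_mode=False):
    """Return (bssid, ssid, verdict, action) for every detected beacon."""
    managed = {norm_mac(m) for m in managed}
    authorized = {norm_mac(m) for m in authorized}
    rows = []
    for b in beacons:
        verdict = classify(b, managed, authorized, protected_ssids)
        if verdict == "rogue-spoof-ssid":
            # Normal-mode radios contain only on the channels that carry service.
            reachable = monitor_mode or b.channel in service_channels
            action = "contain" if reachable else "report (off service channel)"
        elif verdict == "rogue":
            action = "report"  # not a target of the spoof-SSID containment mode
        else:
            action = "none"
        rows.append((b.bssid, b.ssid, verdict, action))
    return rows


# Constructed inputs. 60de-4476-e360 is the AP MAC used in this example; the
# second BSSID and every scan record below are made up for the demonstration.
MANAGED = ["60de-4476-e360", "60de-4476-e370"]
AUTHORIZED = ["00e0-fc12-3456"]
PROTECTED_SSIDS = {"wlan-net"}
SERVICE_CHANNELS = {6, 149}
SCAN = [
    Beacon("60:DE:44:76:E3:60", "wlan-net", 6),     # our own AP, colon notation
    Beacon("0a1b-2c3d-4e5f", "wlan-net", 6),        # spoofed SSID on a service channel
    Beacon("0a1b-2c3d-4e60", "wlan-net", 11),       # spoofed SSID on another channel
    Beacon("1234-5678-9abc", "cafe-guest", 149),    # unknown AP, different SSID
    Beacon("00e0-fc12-3456", "partner-net", 1),     # on the authorized list
]

if __name__ == "__main__":
    for row in plan(SCAN, MANAGED, AUTHORIZED, PROTECTED_SSIDS, SERVICE_CHANNELS):
        print(*row, sep="  ")
```

The SSID comparison is an exact string match, so a look-alike name that differs by case or trailing whitespace is reported as a plain rogue rather than as a spoofing one.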

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-7 Networking for configuring rogue device detection and containment

Data Planning

Table 4-10 AC data planning

Item                          Data
----------------------------  --------------------------------------------------
Management VLAN for APs       VLAN 100
Service VLAN for STAs         VLAN 101
DHCP server                   The AC functions as a DHCP server to assign IP
                              addresses to APs.
                              SwitchB functions as a DHCP server to assign IP
                              addresses to STAs. The default gateway address of
                              STAs is 10.23.101.2.
IP address pool for APs       10.23.100.2-10.23.100.254/24
IP address pool for STAs      10.23.101.3-10.23.101.254/24
AC's source interface         VLANIF 100: 10.23.100.1/24
address
AP group                      • Name: ap-group1
                              • Referenced profiles: VAP profile wlan-net,
                                regulatory domain profile default, and WIDS
                                profile wlan-wids
                              • Working mode of the AP radio: normal
                              • Rogue device detection and containment: enabled
Regulatory domain profile     • Name: default
                              • Country code: China
SSID profile                  • Name: wlan-net
                              • SSID name: wlan-net
Security profile              • Name: wlan-net
                              • Security policy: WPA-WPA2+PSK+AES
                              • Password: a1234567
VAP profile                   • Name: wlan-net
                              • Forwarding mode: tunnel forwarding
                              • Service VLAN: VLAN 101
                              • Referenced profiles: SSID profile wlan-net and
                                security profile wlan-net
WIDS profile                  • Name: wlan-wids
                              • Rogue device containment mode: containment
                                against rogue APs using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure rogue device detection and containment.


# Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] work-mode normal
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable
[AC-wlan-group-radio-ap-group1/0] quit

# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable


[AC-wlan-group-radio-ap-group1/1] wids contain enable


[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit

# Bind WIDS profile wlan-wids to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


Run the display wlan ids contain ap command. The command output shows information
about the contained AP2.
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 wpa-wpa2 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1

STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22

Pinging 10.23.101.22 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
Reply from 10.23.101.22: bytes=32 time=46ms TTL=255

----End
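
The following is an added example, not part of the Huawei document: a parser for the display wlan ids contain ap output shown in Step 8 that reports contained APs advertising one of your own SSIDs, which is the condition the spoof-ssid-ap containment mode targets. The function names, the second data row and the totals line are constructed for illustration.

```python
import re
from datetime import datetime

# The first data row is the one shown in the command output above; the second
# row and the totals line are constructed to exercise an SSID with a space.
SAMPLE_OUTPUT = """\
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication  Last detected time   #Rf  SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a  11  wpa-wpa2        2014-11-20/16:16:57  1    wlan-net
0011-2233-4455  6   open            2014-11-20/16:20:03  2    guest wifi
-------------------------------------------------------------------------------
Total: 2, printed: 2
"""

# One data row: MAC, channel, authentication, timestamp, #Rf, then the SSID,
# which takes the rest of the line because an SSID may contain spaces.
ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ch>\d+)\s+(?P<auth>\S+)\s+"
    r"(?P<seen>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(?P<rf>\d+)\s+(?P<ssid>.+?)\s*$",
    re.IGNORECASE,
)
TOTALS = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)")


def parse_contained_aps(text):
    """Return (rows, truncated) parsed from the command output."""
    rows, total, printed = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            rows.append({
                "mac": m["mac"].lower(),
                "channel": int(m["ch"]),
                "auth": m["auth"],
                "last_seen": datetime.strptime(m["seen"], "%Y-%m-%d/%H:%M:%S"),
                "monitor_radios": int(m["rf"]),
                "ssid": m["ssid"],
            })
            continue
        t = TOTALS.match(line)
        if t:
            total, printed = int(t[1]), int(t[2])
    # A mismatch means the row pattern missed a line; fail rather than under-report.
    if printed is not None and printed != len(rows):
        raise ValueError(f"parsed {len(rows)} rows but the device printed {printed}")
    # The device can print fewer entries than it holds; the caller should know.
    truncated = total is not None and printed is not None and printed < total
    return rows, truncated


def spoofing_aps(text, own_ssids):
    """Return (contained APs advertising one of own_ssids, truncated flag)."""
    rows, truncated = parse_contained_aps(text)
    return [r for r in rows if r["ssid"] in own_ssids], truncated


if __name__ == "__main__":
    hits, truncated = spoofing_aps(SAMPLE_OUTPUT, {"wlan-net"})
    for ap in hits:
        print(ap["mac"], "channel", ap["channel"], "last seen", ap["last_seen"])
    print("output truncated:", truncated)
```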

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return


- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

- Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101


ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.2 WLAN Basic Networking Configuration Examples (Fat AP)

4.2.1 Example for Configuring Fat AP Layer 2 Networking

Networking Requirements
As shown in Figure 4-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
- A WLAN named wlan-net is available.
- Router functions as a DHCP server to assign IP addresses to STAs.


Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services

[Figure 4-8 labels: Fat AP, GE0/0/0, Router; Service VLAN: 101; VLAN 101: 10.23.101.2/24]

Data planning

Item                      Data
Service VLAN for STAs     VLAN 101
DHCP server               Router functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs  10.23.101.3 to 10.23.101.254/24
SSID profile              - Name: wlan-net
                          - SSID name: wlan-net
Security profile          - Name: wlan-net
                          - Security policy: WPA-WPA2+PSK+AES
                          - Password: a1234567
VAP profile               - Name: wlan-net
                          - Service VLAN: VLAN 101
                          - Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the AP and upper-layer devices to communicate at Layer 2.
2. Configure Router as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.

Procedure
Step 1 Configure the AP to communicate with the network devices.


NOTE

Configure the AP's uplink interfaces to transparently transmit packets of service VLANs as required.

# Add GE0/0/0 on the AP to VLAN 101.


<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/0] quit

# Create VLANIF 101 and configure its IP address for communication with Router.
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.2 24
[AP-Vlanif101] quit

Step 2 Configure Router as a DHCP server to assign IP addresses to STAs.


# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit

Step 3 Configure the AP's system parameters.


# Configure the country code for the AP.
[AP] wlan
[AP-wlan-view] country-code cn

Step 4 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.


[AP-wlan-view] vap-profile name wlan-net


[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 5 Configure radio parameters for the VAP and AP.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 6 Verify the configuration.

The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 2 00BC-DA3F-E901 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E911 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
- Router configuration file
#
sysname Router
#
dhcp enable
#
interface GigabitEthernet1/0/0
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
return
- AP configuration file
#
sysname AP
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
channel 20mhz 6
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
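
The following is an added example, not part of the Huawei document: an audit of a Fat AP configuration in the layout of the AP configuration file above. It resolves each radio to its VAP profile, SSID and security profile, and reports mixed WPA/WPA2 mode and short pass-phrases. The function names, finding labels and the 12-character threshold are assumptions; the sample input is constructed from the file above with the pass-phrase in the plaintext form typed in Step 4.

```python
import re

# Constructed input: the wlan and radio sections of the AP configuration file
# above, with the pass-phrase in the plaintext form typed in Step 4.
SAMPLE_CONFIG = """\
sysname AP
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase a1234567 aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
#
return
"""

MIN_PSK_LEN = 12  # assumed local policy; WPA/WPA2 itself accepts 8 to 63 characters


def parse_wlan_config(text):
    """Return (security, ssid, vap, radios) tables; indentation is not required."""
    sec, ssid, vap, radios = {}, {}, {}, {}
    tables = {"security": sec, "ssid": ssid, "vap": vap}
    ctx = None  # (kind, name) of the profile or radio currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "return") or line.startswith("interface "):
            ctx = None
            m = re.match(r"interface (Wlan-Radio\S+)$", line)
            if m:
                ctx = ("radio", m.group(1))
                radios[m.group(1)] = []
            continue
        m = re.match(r"(security|ssid|vap)-profile name (\S+)$", line)
        if m:  # a "... name X" line opens a profile definition
            ctx = (m.group(1), m.group(2))
            tables[m.group(1)].setdefault(m.group(2), {})
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "security":
            m = re.match(r"security (\S+) psk pass-phrase (.+) (\S+)$", line)
            if m:
                sec[name].update(policy=m.group(1), psk=m.group(2), cipher=m.group(3))
        elif kind == "ssid":
            m = re.match(r"ssid (.+)$", line)
            if m:
                ssid[name]["ssid"] = m.group(1)
        elif kind == "vap":  # references to other profiles carry no "name" keyword
            m = re.match(r"(security-profile|ssid-profile) (\S+)$", line)
            if m:
                vap[name][m.group(1)] = m.group(2)
        elif kind == "radio":
            m = re.match(r"vap-profile (\S+) wlan (\d+)$", line)
            if m:
                radios[name].append(m.group(1))
    return sec, ssid, vap, radios


def audit(text, min_len=MIN_PSK_LEN):
    """Resolve radio -> VAP profile -> security profile; return (radio, ssid, finding)."""
    sec, ssid, vap, radios = parse_wlan_config(text)
    findings = []
    for radio, vap_names in sorted(radios.items()):
        for vap_name in vap_names:
            refs = vap.get(vap_name, {})
            name = ssid.get(refs.get("ssid-profile"), {}).get("ssid", "?")
            profile = sec.get(refs.get("security-profile"))
            if not profile or "policy" not in profile:
                findings.append((radio, name, "SECURITY_POLICY_NOT_PARSED"))
                continue
            if profile["policy"] == "wpa-wpa2":  # mixed mode still admits WPA clients
                findings.append((radio, name, "MIXED_WPA_WPA2"))
            if "tkip" in profile["cipher"]:
                findings.append((radio, name, "TKIP_ALLOWED"))
            psk = profile["psk"]
            if psk.startswith("%^%#") and psk.endswith("%^%#"):
                # Saved files hold the encrypted form; its strength cannot be judged.
                findings.append((radio, name, "PSK_ENCRYPTED_NOT_CHECKED"))
            elif len(psk) < min_len:
                findings.append((radio, name, "SHORT_PSK"))
    return findings


if __name__ == "__main__":
    for radio, name, finding in audit(SAMPLE_CONFIG):
        print(f"{radio} SSID {name}: {finding}")
```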

4.2.2 Example for Configuring Fat AP Layer 3 Networking

Networking Requirements
As shown in Figure 4-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
- A WLAN named wlan-net is available.
- Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.


Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services

[Figure 4-9 labels: Fat AP, GE0/0/0, Router; Service VLAN: 101; VLAN 200: 10.23.200.1/24]

Data planning

Item                      Data
Service VLAN for STAs     VLAN 101
DHCP server               The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs  10.23.101.2 to 10.23.101.254/24
SSID profile              - Name: wlan-net
                          - SSID name: wlan-net
Security profile          - Name: wlan-net
                          - Security policy: WPA-WPA2+PSK+AES
                          - Password: a1234567
VAP profile               - Name: wlan-net
                          - Service VLAN: VLAN 101
                          - Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate with each other.
2. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit

Step 2 Configure the AP to communicate with the network devices.


# Add the AP's uplink interface GE0/0/0 to VLAN 200. Create VLANIF 200 and set its IP
address to 10.23.200.1/24.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 200
[AP-Vlanif200] ip address 10.23.200.1 24
[AP-Vlanif200] quit

# Configure a default route with the next hop IP address 10.23.200.2/24 on the AP.
[AP] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2

Step 3 Configure the DHCP server to assign IP addresses to STAs.


# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit

Step 4 Configure the AP's system parameters.


# Configure the country code for the AP.
[AP] wlan
[AP-wlan-view] country-code cn

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit


# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 6 Configure radio parameters for the VAP and AP.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 7 Verify the configuration.


The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 2 00BC-DA3F-E901 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E911 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
- Router configuration file
#
sysname Router
#
vlan batch 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
return

- AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
channel 20mhz 6
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#


interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT

Networking Requirements
As shown in Figure 4-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.
The requirements are as follows:
- A WLAN named wlan-net is available.
- Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
are translated to the IP address of the Fat AP outbound interface using Easy-IP for
employees to access the public network.


Figure 4-10 Networking diagram for configuring STAs to access the public network through
NAT

[Figure 4-10 labels: Service VLAN: 101; GE0/0/0; VLAN 200]

Data planning

Item                      Data
Service VLAN for STAs     VLAN 101
DHCP server               The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs  10.23.101.2 to 10.23.101.254/24
SSID profile              - Name: wlan-net
                          - SSID name: wlan-net
Security profile          - Name: wlan-net
                          - Security policy: WPA-WPA2+PSK+AES
                          - Password: a1234567
VAP profile               - Name: wlan-net
                          - Service VLAN: VLAN 101
                          - Referenced profiles: SSID profile wlan-net and security profile wlan-net
NAT Outbound              The private IP address segment 10.23.101.0/24 is mapped to the public IP
                          address 202.169.10.1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
2. Configure the AP's system parameters, including the country code.
3. Configure a VAP so that STAs can access the WLAN.
4. Configure NAT so that users can access the public network using public IP addresses.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.


Procedure
Step 1 Configure the AP to communicate with the network devices.

# On the AP, create VLANIF 200, set its IP address to 202.169.10.1/24, and add GE0/0/0 to
VLAN 200.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface vlanif 200
[AP-Vlanif200] ip address 202.169.10.1 24
[AP-Vlanif200] quit
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit

# Configure a default route. The following assumes that the public IP address of the peer end
is 202.169.10.2/24.
[AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit

Step 3 Configure the AP's system parameters.

# Configure the country code for the AP.


[AP] wlan
[AP-wlan-view] country-code cn

Step 4 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 5 Configure radio parameters for the VAP and AP.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 6 Configure the NAT function.

# Configure NAT outbound on the AP.


[AP] acl 2000
[AP-acl-basic-2000] rule 5 permit source 10.23.101.0 0.0.0.255
[AP-acl-basic-2000] quit
[AP] interface vlanif 200
[AP-Vlanif200] nat outbound 2000
[AP-Vlanif200] quit
[AP] quit

Step 7 Verify the configuration.

# The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
<AP> display vap ssid wlan-net
WID : WLAN ID
-----------------------------------------------------------------------------------------
AP MAC          RfID  WID  BSSID           Status  Auth type     STA  SSID
-----------------------------------------------------------------------------------------
00bc-da3f-e900  0     2    00BC-DA3F-E901  ON      WPA/WPA2-PSK  0    wlan-net
00bc-da3f-e900  1     2    00BC-DA3F-E911  ON      WPA/WPA2-PSK  0    wlan-net
-----------------------------------------------------------------------------------------
Total: 2

# Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
<AP> display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
-----------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
-----------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# Run the display nat outbound command on the AP to check the IP address translation
result.
<AP> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------------
Vlanif200 2000 1 no-pat
--------------------------------------------------------------------------------
Total : 1
# Run the ping command on the AP to verify that users on the private network can access the
public network.
<AP> ping -a 10.23.101.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

----End

Configuration Files
● AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000
#

interface GigabitEthernet0/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
#
interface Wlan-Radio0/0/0
 vap-profile wlan-net wlan 2
 channel 20mhz 6
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
 vap-profile wlan-net wlan 2
 channel 20mhz 149
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
return
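
An added example (not part of the Huawei document): a small Python audit of the AP configuration file above. It flags a security profile whose policy still admits WPA clients (the wpa-wpa2 mixed mode used here) and checks that the ACL bound to nat outbound permits only subnets of the VAP service VLANs. The function names and finding codes are this example's own, and the pass-phrase ciphertext is replaced by a placeholder.

```python
import ipaddress
import re

# Constructed from the AP configuration file above; ciphertext replaced by a placeholder.
SAMPLE_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
#
interface Vlanif200
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 vap-profile name wlan-net
  service-vlan vlan-id 101
  security-profile wlan-net
"""


def blocks(text):
    """Yield the '#'-delimited blocks of a configuration file as lists of lines."""
    current = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            if current:
                yield current
            current = []
        elif line:
            current.append(line)
    if current:
        yield current


def wildcard_network(addr, wildcard):
    """Convert an ACL address/wildcard pair to a network (ValueError if non-contiguous)."""
    bits = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    mask = ipaddress.IPv4Address(bits ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Collect ACL permit sources, Vlanif subnets, NAT bindings and WLAN profiles."""
    cfg = {"acl": {}, "vlanif": {}, "security": {}, "service_vlans": set()}
    for head, *body in blocks(text):
        if m := re.fullmatch(r"acl number (\d+)", head):
            nets = cfg["acl"].setdefault(m[1], [])
            for line in body:
                r = re.fullmatch(r"rule \d+ permit(?: source (\S+)(?: (\S+))?)?", line)
                if r and r[1] in (None, "any"):
                    nets.append(ipaddress.ip_network("0.0.0.0/0"))
                elif r:
                    nets.append(wildcard_network(r[1], r[2] or "0"))
        elif m := re.fullmatch(r"interface Vlanif(\d+)", head):
            intf = cfg["vlanif"].setdefault(m[1], {"net": None, "nat_acl": None})
            for line in body:
                if a := re.match(r"ip address (\S+) (\S+)", line):
                    intf["net"] = ipaddress.ip_interface(f"{a[1]}/{a[2]}").network
                elif n := re.match(r"nat outbound (\d+)\b", line):
                    intf["nat_acl"] = n[1]
        elif head == "wlan":
            kind = name = None
            for line in body:
                if p := re.fullmatch(r"(\S+)-profile name (\S+)", line):
                    kind, name = p[1], p[2]  # a profile definition, not a reference
                elif kind == "security" and (s := re.match(r"security (\S+) psk\b", line)):
                    cfg["security"][name] = s[1]
                elif kind == "vap" and (v := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
                    cfg["service_vlans"].add(v[1])
    return cfg


def audit(text):
    """Return (code, detail) findings for the WLAN security policy and NAT scope."""
    cfg, findings = parse(text), []
    for name, policy in cfg["security"].items():
        if policy in ("wpa", "wpa-wpa2"):
            findings.append(("WPA1-ALLOWED", f"profile {name}: '{policy}' admits WPA clients"))
    user_nets = [i["net"] for v, i in cfg["vlanif"].items() if v in cfg["service_vlans"] and i["net"]]
    for vlan, intf in cfg["vlanif"].items():
        acl = intf["nat_acl"]
        if acl is not None and acl not in cfg["acl"]:
            findings.append(("NAT-ACL-MISSING", f"Vlanif{vlan}: acl {acl} is not defined"))
        for net in cfg["acl"].get(acl, []):
            if not any(net.subnet_of(u) for u in user_nets):
                findings.append(("NAT-ACL-BROAD", f"acl {acl}: {net} is outside the WLAN subnets"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(code, detail)
```

Run against the configuration in this example, the audit reports only the mixed WPA/WPA2 policy; the NAT ACL matches the service VLAN subnet exactly.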

4.3 AP Mode Switching Examples

4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One Command
Applicable Scope
This example is applicable to APs with factory defaults. APs work in Fit mode by default.

NOTE

With factory defaults, the local configuration of an AP is not modified, and the AP has not obtained the
new configuration from an AC.

Applicable version: V200R007, V200R008, and V200R009

Applicable models: AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, AP1050DN-S,
AD9431DN-24X, AP2050DN, AP2050DN-S, AP2050DN-E, AP4050DN-HD, AP4050DN-E,
AP7050DN-E, AP7050DE, AD9430DN-12, AD9430DN-24, AP6150DN, AP6050DN,
AP8130DN, AP8030DN, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP8050DN,
AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE,
AP8050TN-HD, AP8082DN, and AP8182DN

Networking Scenario
To use a new AP to independently provide Wi-Fi coverage, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.
Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-11.

When the AP supports DC power supply and works with a power adapter, connect the AP to
the PC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.

Figure 4-11 AP-PC connection diagram


[Figure: two panels, "AP powered by a DC power adapter" and "AP powered by a PoE device" (PoE
switch or PoE power adapter), each showing the PC connected to the AP by Ethernet cable.]

Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.

Procedure  Task
1          Prepare the environment: Configure the IP address of the PC and STelnet, check
           network connectivity between the AP and PC, and observe indicator states.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
3          Start the switching: Run the ap-mode-switch fat command in the system view to
           switch the working mode of the AP. The AP then restarts.
4          Verify the switching: Log in to the AP again and check the working mode of the AP.

Configuration Procedure
Step 1 Prepare the environment.

The following is used as an example. Prepare your environment based on site requirements.

Device  Description
PC      Operating system: Windows 7
        STelnet client: PuTTY (third-party software)
AP      Model: AP4050DN
        Version: V200R007C20
        Default information:
        ● IP address: 169.254.1.1
        ● User name: admin
        ● Password: admin@huawei.com
        ● STelnet login port number: 22

# Power on the AP. The indicator is green for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.
# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
Step 2 Check AP information.
# Open PuTTY on the PC, enter the IP address and port number of the AP, select the SSH
mode, and click Open. If a key pair information prompt is displayed, click Yes.

# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.

Info: Current mode: Fit (managed by the AC). //The current mode is Fit.
Info: You are advised to change the password to ensure security.
<Huawei>

# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...

Step 3 Start the switching.


# Switch the AP mode to Fat. Wait until the AP restart is complete.
<Huawei> system-view
[Huawei] ap-mode-switch fat
Warning: The system will reboot and start in fat mode of V200R007C20SPCa00.
Continue? (y/n)[n]:y
Info: system is rebooting ,please wait.................

Step 4 Verify the switching.


# Log in to the AP to view AP information. The AP is working in Fat mode.

login as: admin


Further authentication required
admin@169.254.1.1's password:admin@huawei.com

Info: Current mode: Fat (working independently).


Warning: The default country code is CN. Ensure that AP radio attributes comply
with laws and regulations in different countries. Do you want to change the
country code? [Y/N]:n
Info: You are advised to change the password to ensure security.
<Huawei> system-view
[Huawei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FAT V200R007C20SPCa00)
...

----End

FAQ
An error message is displayed when you run a mode switching command.
[Huawei] ap-mode-switch fat
Error: The fat mode does not exist. To switch to the fat AP mode, run the ap-mode-switch fat tftp/ftp/sftp command.

The AP is not in factory defaults and therefore cannot be switched to the Fat mode by one
click. In this case, switch the working mode of the AP using SFTP. For details, see the related
sources.

Related Sources
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP

WLAN Quick Configuration Guide (Video)

4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP

Applicable Scope
Applicable version: V200R007, V200R008, and V200R009

Applicable models: AP5050DN-S, AP2051DN, AP2051DN-S, AP2051DN-E, AP1050DN-S,
AD9431DN-24X, AP2050DN, AP2050DN-S, AP2050DN-E, AP4050DN-HD, AP4050DN-E,
AP7050DN-E, AP7050DE, AD9430DN-12, AD9430DN-24, AP6150DN, AP6050DN,
AP8130DN, AP8030DN, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP8050DN,
AP8150DN, AP8050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE,
AP8050TN-HD, AP8082DN, and AP8182DN

For APs in factory defaults, it is recommended that you switch the working mode of an AP by
referring to 4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode
by One Command.

This example is also applicable to switching a Fit AP to the Fat mode using FTP or TFTP.
Note the following differences:

● Configure the FTP or TFTP client software on the PC, which is not mentioned here.
● Different parameters are used in the command for switching the AP mode and are
  described in the procedure.

Networking Scenario
To use a new AP to independently provide Wi-Fi coverage, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.

Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-12.

When the AP supports DC power supply and works with a power adapter, connect the AP to
the PC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.

When the PC serves as an SFTP server, prepare the Fat AP software package for the AP to
obtain through SFTP.

Figure 4-12 AP-PC connection diagram


[Figure: two panels, "AP powered by a DC power adapter" and "AP powered by a PoE device" (PoE
switch or PoE power adapter), each showing the PC connected to the AP by Ethernet cable.]

Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.

Procedure  Task
1          Prepare the environment: Configure the IP address, STelnet client, and SFTP server
           software on the PC. Download the Fat AP software package of the target version to
           the SFTP server. Check network connectivity and the indicator states of the AP.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
3          Start the switching: Run the ap-mode-switch fat sftp filename server-ip-address
           user-name password [ port ] command in the system view. The AP restarts.
           If FTP or TFTP is used, run the following command:
           ● FTP mode: ap-mode-switch fat ftp filename server-ip-address user-name
             password [ port ]
           ● TFTP mode: ap-mode-switch fat tftp filename server-ip-address
4          Verify the switching: Log in to the AP again and check the working mode of the AP.

Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.

Device  Description
PC      Operating system: Windows 7
        STelnet client: PuTTY (third-party software)
        SFTP server: FreeSSHd (third-party software)
AP      Model: AP4050DN
        Version: V200R007C20
        Default information:
        ● IP address: 169.254.1.1
        ● User name: admin
        ● Password: admin@huawei.com
        ● STelnet login port number: 22

# Power on the AP. The indicator is on for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.
# Log in to Huawei enterprise technical support website (support.huawei.com/e), download
the Fat AP software package, and store the package on the PC.
# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
# Open FreeSSHd on the PC, and set SFTP server parameters:
● Set the IP address and port number for the client to access the server. Retain the default
  settings here.

● Set the authentication mode so that the password is required for the client to access the
  server.

● Select a local directory to provide file services for the client. Store the downloaded
  software package in this directory.

● Add a user to verify identity information entered by the client to ensure access security.

● Enable the SFTP service.

Step 2 Check AP information.


# Open PuTTY on the PC, enter the IP address and port number of the AP, select the SSH
mode, and click Open. If a key pair information prompt is displayed, click Yes.

# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.

Info: Current mode: Fit (managed by the AC). //The current mode is Fit.
Info: You are advised to change the password to ensure security.
<Huawei>

# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...

Step 3 Start the switching.


# Enable the first-time authentication function on the AP working as an SSH client.
<Huawei> system-view
[Huawei] ssh client first-time enable

# Switch the AP mode to Fat. Set the file name (including the extension) of the target
software package, IP address, user name, and password of the SFTP server. Wait until the AP
restart is complete.
[Huawei] ap-mode-switch fat sftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123

Warning: The system will reboot and start in fat mode of V200R007C20SPCa00.
Continue? (y/n)[n]:y
Warning: Do Not Power-off!
..................................................................................
........................
End of file......

Info: system is rebooting ,please wait...

NOTE

If FTP or TFTP is used, specify the following parameters in the switching command (as an example):
● FTP mode: ap-mode-switch fat ftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
● TFTP mode: ap-mode-switch fat tftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100

Step 4 Verify the switching.


# Log in to the AP to view AP information. The AP is working in Fat mode.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com

Info: Current mode: Fat (working independently).


Warning: The default country code is CN. Ensure that AP radio attributes comply
with laws and regulations in different countries. Do you want to change the
country code? [Y/N]:n
Info: You are advised to change the password to ensure security.
<Huawei> system-view
[Huawei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FAT V200R007C20SPCa00)
...

----End
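
The Step 4 verification in 4.3.1 and 4.3.2 can be scripted. The following Python is an added example, not part of the Huawei document: it compares the login transcripts captured before and after the switch, checks the running version against the package file name, and reports the password-change advisory that the AP still prints after the switch. The function names, finding codes and transcripts (constructed from the output shown above, with the // annotations removed) are this example's own.

```python
import re

# Constructed transcripts modelled on the sessions shown in 4.3.1 and 4.3.2.
BEFORE = """\
Info: Current mode: Fit (managed by the AC).
Info: You are advised to change the password to ensure security.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FIT V200R007C20SPCa00)
"""
AFTER = """\
Info: Current mode: Fat (working independently).
Info: You are advised to change the password to ensure security.
<Huawei> system-view
[Huawei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FAT V200R007C20SPCa00)
"""
PACKAGE = "Fat&CloudAP4050DN_V200R007C20SPCa00.bin"

VERSION_LINE = re.compile(r"VRP \(R\) software, Version \S+ \((\S+) (FIT|FAT) (\S+)\)")
BANNER_MODE = re.compile(r"Info: Current mode: (Fit|Fat)\b")
PACKAGE_VERSION = re.compile(r"_(V\d+R\d+C\d+\w*)\.bin$")
PASSWORD_ADVISORY = "You are advised to change the password"


def parse_session(text):
    """Extract model, working mode and version from one login transcript."""
    version = VERSION_LINE.search(text)
    if version is None:
        raise ValueError("transcript contains no 'display version' software line")
    banner = BANNER_MODE.search(text)
    return {
        "model": version[1],
        "mode": version[2],
        "version": version[3],
        "banner_mode": banner[1].upper() if banner else None,
        "password_advisory": PASSWORD_ADVISORY in text,
    }


def verify_switch(before, after, package=None):
    """Return (code, detail) problems; an empty list means a clean switch."""
    old, new = parse_session(before), parse_session(after)
    problems = []
    if new["mode"] != "FAT":
        problems.append(("MODE", f"AP still reports {new['mode']} mode"))
    if new["banner_mode"] not in (None, new["mode"]):
        problems.append(("BANNER", "login banner and display version disagree on the mode"))
    if new["model"] != old["model"]:
        problems.append(("MODEL", f"model changed from {old['model']} to {new['model']}"))
    if package is not None:  # 4.3.1 uses no package, so this check is optional
        wanted = PACKAGE_VERSION.search(package)
        if wanted is None:
            problems.append(("PACKAGE", f"no version found in file name {package!r}"))
        elif wanted[1] != new["version"]:
            problems.append(("VERSION", f"running {new['version']}, package is {wanted[1]}"))
    if new["password_advisory"]:
        problems.append(("PASSWORD", "AP still advises a password change after the switch"))
    return problems


if __name__ == "__main__":
    for code, detail in verify_switch(BEFORE, AFTER, PACKAGE):
        print(code, detail)
```

For the transcripts in this example, the only finding is the password advisory: the AP is still logged in to with the default admin account after the switch.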

FAQ
An error message is displayed when you run a mode switching command.
[Huawei] ap-mode-switch fat sftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei@123
Warning: The system will reboot and start in fat mode of V200R007C20SPCa00.
Continue? (y/n)[n]:y
Warning: Do Not Power-off!
.
Error: Upgrade failed due to a failure in downloading the version file.

The public key of the SSH server is not configured on the AP, so authentication fails when
the AP accesses the SSH server for the first time.
Run the ssh client first-time enable command in the system view to allow the AP to access
the server without a preconfigured key. The server's public key is saved on the first
connection and used to authenticate the server afterwards.
[Huawei] ssh client first-time enable

Related Sources
4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One
Command
WLAN Quick Configuration Guide (Video)

4.3.3 Example for Switching a Fit AP to the Fat Mode Using FTP
Applicable Scope
Applicable version: V200R007, V200R008, and V200R009
Applicable models: AP5030DN, AP5130DN, AP5030DN-S, AP3030DN, AP3010DN-V2,
AP4030DN, AP4130DN, AP4030DN-E, AP9131DN, AP9132DN
This example is also applicable to switching a Fit AP to the Fat mode using TFTP. Note the
following differences:
● Configure the TFTP client software on the PC, which is not mentioned here.
● Different parameters are used in the command for switching the AP mode and are
  described in the procedure.

Networking Scenario
To use a new AP to independently provide Wi-Fi coverage, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.
Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-13.
When the AP supports DC power supply and works with a power adapter, connect the AP to
the PC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.
When the PC serves as an FTP server, prepare the Fat AP software package for the AP to
obtain through FTP.

Figure 4-13 AP-PC connection diagram


[Figure: two panels, "AP powered by a DC power adapter" and "AP powered by a PoE device" (PoE
switch or PoE power adapter), each showing the PC connected to the AP by Ethernet cable.]

Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.

Procedure  Task
1          Prepare the environment: Configure the IP address, STelnet client, and FTP server
           software on the PC. Download the Fat AP software package of the target version to
           the FTP server. Check network connectivity and the indicator states of the AP.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
3          Start the switching: Execute commands sequentially in system view.
           ap-mode-switch prepare //The AP may need to be restarted depending on the AP status.
           ap-mode-switch check
           ap-mode-switch ftp filename server-ip-address user-name password [ port ] //The AP will restart.
           If TFTP is used, run ap-mode-switch tftp filename server-ip-address
4          Verify the switching: Log in to the AP again and check the working mode of the AP.

Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.

Device  Description
PC      Operating system: Windows 7
        STelnet client: PuTTY (third-party software)
        FTP server: WFTPD (third-party software)
        IP address: 169.254.1.100
AP      Model: AP5030DN
        Version: V200R007C20
        Default information:
        ● IP address: 169.254.1.1
        ● User name: admin
        ● Password: admin@huawei.com
        ● STelnet login port number: 22

# Power on the AP. The indicator is on for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.

# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
# Set FTP server parameters.
● Open WFTPD on the PC and set the Users and rights.
● Add a user to verify identity information entered by the client to ensure access security.
● Set the user's password.
● Select a local directory to provide file services for the client.

# Log in to Huawei enterprise technical support website (support.huawei.com/e), download
the Fat AP software package, and store the package in the FTP directory.
Step 2 Check AP information.
# Open PuTTY on the PC, enter the IP address and port number of the AP, select the SSH
mode, and click Open. If a key pair information prompt is displayed, click Yes.

# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.

Info: Current mode: Fit (managed by the AC). //The current mode is Fit.

Info: You are advised to change the password to ensure security.


<Huawei>

# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP5030DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...

Step 3 Start the switching.


# Enable the first-time authentication function on the AP working as an SSH client.
<Huawei> system-view
[Huawei] ssh client first-time enable

# Prepare the switching.


[Huawei] ap-mode-switch prepare
Info: Prepare is ok, Use ap-mode-switch command to switch to fat ap.

# Verify before the switching.


[Huawei] ap-mode-switch check
Info: Ap-mode-switch check ok.

# Switch the AP mode to Fat. Set the file name (including the extension) of the target
software package, IP address, user name, and password of the FTP server. Wait until the AP
restart is complete.
[Huawei] ap-mode-switch ftp FatAP5X30XN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
Warning: Do Not Power-off.........
Info: Upgrade upgrade-assistant-package successfully!
Warning: System will reboot, if you want to switch to upgrade-assistant-package.
Are you sure to execute these operations ? [Y/N]: y

NOTE

If TFTP is used, specify the following parameters in the switching command (as an example).
ap-mode-switch tftp FatAP5X30XN_V200R007C20SPCa00.bin 169.254.1.100

Step 4 Verify the switching.


# Log in to the AP to view AP information. The AP is working in Fat mode.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com

Info: Current mode: Fat (working independently).


Warning: The default country code is CN. Ensure that AP radio attributes comply
with laws and regulations in different countries. Do you want to change the
country code? [Y/N]:n
Info: You are advised to change the password to ensure security.
<Huawei> system-view
[Huawei] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP5030DN FAT V200R007C20SPCa00)
...

----End

Related Sources
WLAN Quick Configuration Guide (Video)

4.3.4 Example for Switching an Online Fit AP to the Fat Mode Through the AC

Applicable Scope
All APs that properly go online on an AC

Applicable version: V200R007, V200R008, and V200R009

Applicable models: APs supporting both the Fit and Fat modes

In centralized management mode, you can manage the upgrade and mode switching for a
single AP or APs of the same model or in the same group on the AC. This example describes
how to switch the working mode of a single AP.

Networking Scenario
Log in to the AC through the web platform, without the need to adjust the networking or cable
connection.

Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.

Procedure  Task
1          Prepare the environment: Download the Fat AP software package of the target
           version to the PC where you log in to the AC.
2          Check AP information: Log in to the web platform of the AC, choose Monitoring >
           AP, and view information about the AP, including the IP address, model, and version.
3          Load the software package to the AP: Choose Maintenance > AP Maintenance >
           AP Upgrade, select the upgrade mode, upload the software package, and
           upgrade the AP. You can check the upgrade progress on the Upgrade Status page.
           The upgrade state is displayed as success after around 2 minutes (requiring mode
           switching).
           NOTE
           To switch the working mode for APs in a batch, select an AP model or group on this
           page to determine the upgrade scope and select the immediate or scheduled upgrade mode.
4          Start the switching: Choose Configuration > AP Config > AP Config and set AP
           mode to fat. The AP restarts. The restart takes around 2 minutes.
5          Verify the switching: Log in to the AC using the CLI console on the web platform,
           STelnet to the AP, and check the working mode of the AP.

Configuration Procedure
Step 1 Prepare the environment.

The following is used as an example. Prepare your environment based on site requirements.

Device  Description
PC      Operating system: Windows 7
        Browser: Google Chrome
        IP address: 169.254.1.100
AC      Model: AC6605
        Version: V200R007C20
        Management IP address: 169.254.1.1
        Administrator account: Telnet and web platform
        ● User name: admin
        ● Password: huawei@123
AP      Model: AP4050DN
        Version: V200R007C20
        Information for the radio used by the AP to go online:
        ● IP address: 192.168.10.227
        ● User name: admin (default)
        ● Password: admin@huawei.com (default)
        ● STelnet login port number: 22 (default)

# Log in to Huawei enterprise technical support website (support.huawei.com/e), download
the Fat AP software package, and store the package on the PC.

Step 2 Check AP information.

# Enter the IP address of the AC in the browser on the PC. Enter the user name and password
to log in to the web platform. If a security connection prompt is displayed, continue with the
operation.

# Choose Monitoring > AP. Search for the target AP in AP List, check AP information, and
record the IP address of the AP. Continue with the following operations only when the AP
status is normal or ver-mismatch.

Step 3 Load the software package to the AP.


# Choose Maintenance > AP Maintenance > AP Upgrade, select the software package
stored on the PC, and upload the upgrade file to the AC.

# Under AP Upgrade, select the target AP.

# Select the target software package and click Upgrade.

# Click the Upgrade Status tab to view the AP upgrade progress. The upgrade takes
around 2 minutes.

Step 4 Start the switching.


# Go to the AP Config page.


# Select the AP, click Modify, set AP mode to fat, and click OK. The AP will restart and the
restart takes around 2 minutes.

Step 5 Verify the switching.


# Click the CLI button, download and run the script as prompted, and enable Telnet through
the URL.

# In the Telnet window, enter the user name and password to log in to the AC, and STelnet to
the AP to view AP information. The AP is working in Fat mode.


Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.


Login authentication

Username:admin
Password:huawei@123 //For information security, characters you entered are invisible.
<AC6605> system-view
Enter system view, return user view with Ctrl+Z.
[AC6605] stelnet 192.168.10.227 //Log in to the target AP from the AC.
Please input the username:admin
Trying 192.168.10.227 ...
Press CTRL+K to abort
Connected to 192.168.10.227 ...
Enter password:admin@huawei.com //For information security, characters you entered are invisible.
Info: Current mode: Fat (working independently).
Warning: The default country code is CN. Ensure that AP radio attributes comply
with laws and regulations in different countries. Do you want to change the
country code? [Y/N]:n
Info: You are advised to change the password to ensure security.
<ap1> system-view
[ap1] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FAT V200R007C20SPCa00)
...

----End

Related Sources
WLAN Quick Configuration Guide (Video)

4.4 WLAN Basic Networking Configuration Examples


4.4.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 4-14 Networking for configuring Layer 2 direct forwarding in inline mode

Data Planning

Table 4-11 AC data planning

Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24


AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile      • Name: default
                               • Country code: China

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.


For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit


Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will


clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1


#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1


  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

4.4.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-15 Networking for configuring Layer 2 tunnel forwarding in inline mode


Data Planning

Table 4-12 AC data planning


Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile      • Name: default
                               • Country code: China

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile wlan-net


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
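
The port isolation and VLAN separation notes given for 4.4.1 and 4.4.2 can be checked mechanically against exported configuration files. The following Python script is an added example, not part of the Huawei document; its function names and sample configurations are constructed for illustration. It assumes configuration text in the format shown under Configuration Files, treats trunks whose PVID is the management VLAN as AP-facing, and treats a VAP profile without a forward-mode line as direct forwarding.

```python
import re

def stanzas(cfg):
    """Split a VRP configuration file into stanzas; '#' lines separate them."""
    blocks = re.split(r"(?m)^[ \t]*#[ \t]*$", cfg)
    parsed = ([l.strip() for l in b.splitlines() if l.strip()] for b in blocks)
    return [s for s in parsed if s]

def vlan_set(spec):
    """Expand allow-pass arguments such as '100 to 101', '100 101' or 'all'."""
    if "all" in spec.split():
        return set(range(1, 4095))
    return {v for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec)
            for v in range(int(lo), int(hi or lo) + 1)}

def switch_ports(cfg):
    """Map interface name -> PVID, allowed VLANs and port-isolation state."""
    ports = {}
    for st in stanzas(cfg):
        if not st[0].startswith("interface "):
            continue
        p = {"pvid": None, "allowed": set(), "isolated": False}
        for cmd in st[1:]:
            if m := re.fullmatch(r"port trunk pvid vlan (\d+)", cmd):
                p["pvid"] = int(m.group(1))
            elif cmd.startswith("port trunk allow-pass vlan "):
                p["allowed"] |= vlan_set(cmd.split("vlan ", 1)[1])
            elif cmd.startswith("port-isolate enable"):
                p["isolated"] = True
        ports[st[0].split(None, 1)[1]] = p
    return ports

def ac_wlan(cfg):
    """Return (management VLAN, {VAP profile: forwarding mode and service VLAN})."""
    mgmt, vaps, cur = None, {}, None
    for st in stanzas(cfg):
        if m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", st[0]):
            mgmt = int(m.group(1))
        if st[0] != "wlan":
            continue
        for cmd in st[1:]:
            if m := re.fullmatch(r"vap-profile name (\S+)", cmd):
                # Assumption: no forward-mode line means direct forwarding (as in 4.4.1).
                cur = vaps.setdefault(m.group(1), {"mode": "direct-forward", "svc": None})
            elif re.match(r"(\S+-profile|ap-group) name |ap-id ", cmd):
                cur = None  # another profile, AP group or AP starts here
            elif cur and (m := re.fullmatch(r"forward-mode (\S+)", cmd)):
                cur["mode"] = m.group(1)
            elif cur and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", cmd)):
                cur["svc"] = int(m.group(1))
    return mgmt, vaps

def audit(switch_cfg, ac_cfg):
    """Check the Configuration Notes; return a list of findings (empty if clean)."""
    mgmt, vaps = ac_wlan(ac_cfg)
    if mgmt is None:
        return ["AC: no 'capwap source interface vlanif' line found"]
    # Assumption: AP-facing switch ports are the trunks whose PVID is the management VLAN.
    ap_ports = [(n, p) for n, p in switch_ports(switch_cfg).items() if p["pvid"] == mgmt]
    findings = [f"{n}: AP-facing port without port isolation"
                for n, p in ap_ports if not p["isolated"]]
    for name, v in vaps.items():
        tunnel, svc = v["mode"] == "tunnel", v["svc"]
        if svc is None:
            continue
        if tunnel and svc == mgmt:
            findings.append(f"vap-profile {name}: tunnel mode, service VLAN equals management VLAN {mgmt}")
        for n, p in ap_ports:
            if tunnel and svc != mgmt and svc in p["allowed"]:
                findings.append(f"{n}: service VLAN {svc} allowed towards the AP, {name} is tunnel-forwarded")
            elif not tunnel and svc not in p["allowed"]:
                findings.append(f"{n}: service VLAN {svc} not allowed, direct-forwarded traffic cannot pass")
    return findings

# Constructed sample input modelled on the 4.4.2 (tunnel forwarding) configuration files.
SWITCH_OK = """#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
"""
AC_TUNNEL = """#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
"""
# Constructed misconfiguration: service VLAN trunked to the AP port, no port isolation.
SWITCH_BAD = SWITCH_OK.replace("vlan 100\n port-isolate enable group 1", "vlan 100 to 101")

if __name__ == "__main__":
    print("\n".join(audit(SWITCH_BAD, AC_TUNNEL)))
```

An empty result means the files satisfy these checks; the multicast suppression note is not covered because the suppression commands are described in 4.17.1.1, not here.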

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.


[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2


Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.4.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-16 Networking for configuring Layer 2 direct forwarding in bypass mode

Data Planning

Table 4-13 AC data planning

Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs.
                               The default gateway address of STAs is 10.23.101.2.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory
                                 domain profile default

Regulatory domain profile      • Name: default
                               • Country code: China

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
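
The Configuration Notes of 4.4.3 (port isolation on AP-facing interfaces, and which VLANs may pass between the APs and the AC in each forwarding mode) can be checked against saved configuration files. The following Python audit is an added example, not part of the Huawei document; it parses files in the format shown above. Treating a port whose PVID equals the management VLAN as AP-facing, and a VAP profile without a forward-mode line as direct forwarding, are assumptions taken from this example's files, and the sample inputs are constructed.

```python
import re

# Constructed samples, modelled on the SwitchA and AC files of section 4.4.3.
SWITCH_A = """
#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100 to 101
#
return
"""
AC = """
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

def parse_sections(text):
    """Split a configuration file into its '#'-delimited sections."""
    chunks = re.split(r"(?m)^[ \t]*(?:#|return)[ \t]*$", text)
    return [[l.strip() for l in c.splitlines() if l.strip()] for c in chunks if c.strip()]

def expand_vlans(tokens):
    """Turn ['100', 'to', '101'] or ['100', '101'] into a set of VLAN IDs."""
    vlans = set()
    for part in " ".join(tokens).replace(" to ", "-").split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(text):
    """Map interface name -> PVID, allowed VLANs and port-isolation state."""
    ifaces = {}
    for sec in parse_sections(text):
        if not sec[0].startswith("interface "):
            continue
        info = {"pvid": None, "allowed": set(), "isolated": False}
        for line in sec[1:]:
            if line.startswith("port trunk pvid vlan "):
                info["pvid"] = int(line.split()[-1])
            elif line.startswith("port trunk allow-pass vlan "):
                info["allowed"] |= expand_vlans(line.split()[4:])
            elif line.startswith("port-isolate enable"):
                info["isolated"] = True
        ifaces[sec[0].split(None, 1)[1]] = info
    return ifaces

def parse_ac(text):
    """Return (management VLAN, {VAP profile: forward mode and service VLAN})."""
    mgmt, vaps, cur = None, {}, None
    for line in (l for sec in parse_sections(text) for l in sec):
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
        if m:
            mgmt = int(m.group(1))
        elif line.startswith("vap-profile name "):
            # Assumption: no forward-mode line means direct forwarding (as in 4.4.3).
            cur = vaps.setdefault(line.split()[-1], {"mode": "direct-forward", "vlan": None})
        elif re.match(r"[\w-]+-profile name |ap-group name |ap-id ", line):
            cur = None  # another profile, AP group or AP block starts here
        elif cur is not None and line.startswith("forward-mode "):
            cur["mode"] = line.split()[1]
        elif cur is not None and line.startswith("service-vlan vlan-id "):
            cur["vlan"] = int(line.split()[-1])
    return mgmt, vaps

def audit(switch_cfg, ac_cfg):
    """Check the access switch and AC files against the Configuration Notes."""
    mgmt, vaps = parse_ac(ac_cfg)
    # Assumption: an AP-facing port is one whose PVID is the management VLAN.
    ap_ports = {n: i for n, i in parse_interfaces(switch_cfg).items()
                if mgmt is not None and i["pvid"] == mgmt}
    findings = [f"{p}: AP-facing port without port isolation"
                for p, i in ap_ports.items() if not i["isolated"]]
    for prof, v in vaps.items():
        if v["vlan"] is None:
            continue
        if v["mode"] == "tunnel" and v["vlan"] == mgmt:
            findings.append(f"{prof}: tunnel forwarding with service VLAN equal to management VLAN {mgmt}")
            continue
        for port, i in ap_ports.items():
            carried = v["vlan"] in i["allowed"]
            if v["mode"] == "direct-forward" and not carried:
                findings.append(f"{port}: service VLAN {v['vlan']} not allowed, but {prof} uses direct forwarding")
            elif v["mode"] == "tunnel" and carried:
                findings.append(f"{port}: service VLAN {v['vlan']} allowed, but {prof} uses tunnel forwarding")
    return findings
```

Calling audit(SWITCH_A, AC) on the samples returns an empty list; removing the port-isolate line or switching the VAP profile to tunnel forwarding without pruning VLAN 101 from the AP-facing trunk each produces one finding.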

4.4.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-17 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Data Planning

Table 4-14 AC data planning

Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs.
                               The default gateway address of STAs is 10.23.101.2.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain
                                 profile default, 2G radio profile wlan-radio2g, and 5G radio
                                 profile wlan-radio5g

Regulatory domain profile      • Name: default
                               • Country code: CN
                               • Calibration channel set: calibration bandwidth and channels
                                 for 2.4 GHz and 5 GHz radios

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net

Air scan profile               • Name: wlan-airscan
                               • Probe channel set: calibration channels
                               • Air scan interval: 60000 ms
                               • Air scan period: 60 ms

2G radio profile               • Name: wlan-radio2g
                               • Referenced profiles: air scan profile wlan-airscan

5G radio profile               • Name: wlan-radio5g
                               • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the AP radios.

# Enable automatic channel and power calibration functions of the radio.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit


# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after it is manually triggered. Then set the radio
calibration mode to scheduled and configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.4.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.


Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Data Planning

Table 4-15 AC data planning


Item | Data
Management VLAN for APs | VLAN 10 and VLAN 100
Service VLAN for STAs | VLAN pool
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.
IP address pool for APs | 10.23.10.2-10.23.10.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24
VLAN pool | Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.

# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the hash VLAN assignment algorithm, which is the default. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return


• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

4.4.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-19 Networking for configuring Layer 3 direct forwarding in bypass mode


Data Planning

Table 4-16 AC data planning


Item | Data
Management VLANs for APs | VLAN 10 and VLAN 100
Service VLAN for STAs | VLAN pool. Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch functions as a DHCP server for STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.
IP address pool for APs | 10.23.10.2-10.23.10.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------
0     area_1   0    1    60DE-4476-E360 ON      WPA/WPA2-PSK  0     wlan-net
0     area_1   1    1    60DE-4476-E370 ON      WPA/WPA2-PSK  0     wlan-net
--------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.

[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End
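Step 3 hands the AC address to APs through DHCP option 43 sub-option 3, so the bytes in the offer decide which controller an AP joins. The following is an added example, not part of the Huawei document: it builds the option value for this page's AC address and checks a captured value against the planned AC list. The function names and the sample capture are constructed, and the comma-separated form for several AC addresses is an assumption.

```python
import ipaddress

# Sub-option number taken from the page: "option 43 sub-option 3 ascii 10.23.100.1".
AC_LIST_SUBOPTION = 3

# Constructed sample: option 43 value as it would appear in a DHCP offer to an AP.
CAPTURED_OPTION43 = bytes.fromhex("030b31302e32332e3130302e31")


def encode_option43(ac_addresses, sub_option=AC_LIST_SUBOPTION):
    """Build the option 43 value: one TLV (code, length, ASCII address list)."""
    # Assumption: several AC addresses are written as one comma-separated string.
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses)
    value = text.encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([sub_option, len(value)]) + value


def parse_option43(payload):
    """Split an option 43 value into {code: value}, rejecting malformed TLVs."""
    subopts, offset = {}, 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at offset {offset}")
        code, length = payload[offset], payload[offset + 1]
        end = offset + 2 + length
        if end > len(payload):
            raise ValueError(f"sub-option {code} claims {length} bytes, "
                             f"only {len(payload) - offset - 2} present")
        if code in subopts:
            raise ValueError(f"sub-option {code} appears twice")
        subopts[code] = payload[offset + 2:end]
        offset = end
    return subopts


def check_offer(payload, expected_acs):
    """Return a list of findings for a captured option 43 value (empty list = OK)."""
    try:
        subopts = parse_option43(payload)
    except ValueError as exc:
        return [f"malformed option 43: {exc}"]
    raw = subopts.get(AC_LIST_SUBOPTION)
    if raw is None:
        return ["sub-option 3 missing: the AP cannot learn the AC address from DHCP"]
    try:
        offered = [ipaddress.IPv4Address(part.strip())
                   for part in raw.decode("ascii").split(",")]
    except ValueError:  # covers UnicodeDecodeError and AddressValueError
        return [f"sub-option 3 is not an ASCII IPv4 list: {raw!r}"]
    allowed = {ipaddress.IPv4Address(a) for a in expected_acs}
    findings = [f"unexpected AC address {addr}" for addr in offered
                if addr not in allowed]
    findings += [f"planned AC address {addr} not offered"
                 for addr in sorted(allowed - set(offered))]
    return findings


if __name__ == "__main__":
    print(encode_option43(["10.23.100.1"]).hex())
    print(check_offer(CAPTURED_OPTION43, ["10.23.100.1"]) or "offer matches the plan")
```
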

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
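
The Configuration Notes require port isolation on the interfaces that connect directly to APs, and the SwitchA configuration file shows what a compliant access switch looks like. The following is an added example, not Huawei tooling or part of the original document: it parses a configuration file in the format shown above and reports AP-facing trunk ports that lack port isolation or pass VLANs outside the data plan. The function names are hypothetical, SWITCHA_DRIFTED is a constructed sample, and treating a port whose PVID is the AP management VLAN as AP-facing is an assumption taken from Step 1.

```python
MAX_VLAN = 4094

# SwitchA configuration file from this page.
SWITCHA_FROM_PAGE = """#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
return
"""

# Constructed sample: the same switch after two unreviewed changes.
SWITCHA_DRIFTED = (SWITCHA_FROM_PAGE
                   .replace(" port-isolate enable group 1\n", "")
                   .replace("pvid vlan 10\n port trunk allow-pass vlan 10 101 to 102",
                            "pvid vlan 10\n port trunk allow-pass vlan 10 100 to 102"))


def expand_vlans(tokens):
    """Expand VLAN list syntax such as ['10', '101', 'to', '102'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, MAX_VLAN + 1))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_sections(config_text):
    """Split a configuration file on '#' separator lines into lists of lines."""
    sections, current = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def _fmt(vlans):
    vlans = sorted(vlans)
    return str(vlans) if len(vlans) <= 8 else f"{len(vlans)} VLANs"


def audit_access_switch(config_text, mgmt_vlan, service_vlans):
    """Return findings for the AP-facing ports of an access switch (empty = OK)."""
    created, ports = set(), {}
    for section in parse_sections(config_text):
        head = section[0].split()
        if head[:2] == ["vlan", "batch"]:
            created |= expand_vlans(head[2:])
        elif head[0] == "interface" and head[1].startswith("GigabitEthernet"):
            port = {"pvid": None, "allowed": set(), "isolated": False}
            for line in section[1:]:
                words = line.split()
                if words[:4] == ["port", "trunk", "pvid", "vlan"]:
                    port["pvid"] = int(words[4])
                elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                    port["allowed"] |= expand_vlans(words[4:])
                elif words[:2] == ["port-isolate", "enable"]:
                    port["isolated"] = True
            ports[head[1]] = port
    planned = {mgmt_vlan} | set(service_vlans)
    findings = []
    for name, port in sorted(ports.items()):
        if port["pvid"] != mgmt_vlan:   # assumption: only AP-facing ports use this PVID
            continue
        if not port["isolated"]:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        if port["allowed"] - planned:
            findings.append(f"{name}: trunk passes VLANs outside the plan: "
                            f"{_fmt(port['allowed'] - planned)}")
        if port["allowed"] - created:
            findings.append(f"{name}: trunk passes VLANs not created on this switch: "
                            f"{_fmt(port['allowed'] - created)}")
    return findings


if __name__ == "__main__":
    for label, text in (("page", SWITCHA_FROM_PAGE), ("drifted", SWITCHA_DRIFTED)):
        print(label, audit_access_switch(text, 10, {101, 102}) or "OK")
```
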

4.4.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of a
mobile office. In addition, users' services are not affected when they roam within the coverage
area. A VLAN pool is configured as the service VLANs to prevent IP address insufficiency or
waste. This measure also reduces the number of users in each VLAN and the size of the
broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 4-20 Networking for configuring Layer 3 direct forwarding in inline mode

Data Planning

Table 4-17 AC data planning

Item                             Data

Management VLAN for APs          VLAN 10 and VLAN 100

Service VLAN for STAs            VLAN pool
                                 • Name: sta-pool
                                 • VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                      The AC functions as a DHCP server to assign IP addresses
                                 to APs.
                                 SwitchB functions as a DHCP server to assign IP addresses
                                 to STAs. The default gateway IP addresses of STAs are
                                 10.23.101.2 and 10.23.102.2.

IP address pool for APs          10.23.10.2-10.23.10.254/24

IP address pool for STAs         10.23.101.3-10.23.101.254/24
                                 10.23.102.3-10.23.102.254/24

AC's source interface address    VLANIF 100: 10.23.100.1/24

AP group                         • Name: ap-group1
                                 • Referenced profiles: VAP profile wlan-net, 2G radio
                                   profile wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile        • Name: default
                                 • Country code: China
                                 • Calibration channel set: calibration bandwidth and
                                   channels for 2.4 GHz and 5 GHz radios

SSID profile                     • Name: wlan-net
                                 • SSID name: wlan-net

Security profile                 • Name: wlan-net
                                 • Security policy: WPA-WPA2+PSK+AES
                                 • Password: a1234567

VAP profile                      • Name: wlan-net
                                 • Forwarding mode: direct forwarding
                                 • Service VLAN: VLANs in the VLAN pool
                                 • Referenced profiles: SSID profile wlan-net and
                                   security profile wlan-net

Air scan profile                 • Name: wlan-airscan
                                 • Probe channel set: calibration channels
                                 • Air scan interval: 60000 ms
                                 • Air scan period: 60 ms

2G radio profile                 • Name: wlan-radio2g
                                 • Referenced profiles: air scan profile wlan-airscan

5G radio profile                 • Name: wlan-radio5g
                                 • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# On the AC, add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 101 and VLAN 102. Create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit


# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.

# Enable automatic channel and power calibration functions of the radio.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit


# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after it is manually triggered. Set the radio calibration
mode to scheduled and configure the APs to perform radio calibration in off-peak hours, for
example, between 00:00 and 06:00.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.4.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users need to access the network through WLANs, which is the basic requirement of
mobile office, and their services must not be affected while they roam within the coverage
area. A VLAN pool is configured as the service VLAN to prevent IP address insufficiency or
waste. This measure also reduces the number of users in each VLAN and the size of the
broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-21 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 4-18 AC data planning

Item | Data
Management VLANs for APs | VLAN 10 and VLAN 100
Service VLAN for STAs | VLAN pool. Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.23.10.2-10.23.10.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
Regulatory domain profile | Name: default; Country code: China; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net
Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms
2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan
5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.


NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces, and
  wireless links are unstable. To ensure stable transmission, multicast packets are usually
  sent at low rates. If a large number of such multicast packets are sent from the network
  side, the air interfaces may become congested. You are advised to configure multicast
  packet suppression to reduce the impact of a large number of low-rate multicast packets
  on the wireless network. Exercise caution when configuring the rate limit; otherwise,
  multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100, and GE0/0/2 to VLAN 101 and VLAN 102.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[AC] dhcp enable
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# On the AC, create a global IP address pool to allocate IP addresses to APs.


[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
real deployments, configure the security policy according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


# Enable automatic channel and power calibration functions of the radio.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after it is manually triggered. Set the radio calibration
mode to scheduled and configure the APs to perform radio calibration in off-peak hours, for
example, between 00:00 and 06:00.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
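
The Configuration Notes of this example require that, in tunnel forwarding mode, the management VLAN and the service VLAN differ. The Python below is an added example, not Huawei code, that checks this rule against a saved AC configuration file, resolving VLAN pools and "to" ranges. The function names are hypothetical, the sample input is trimmed from the AC configuration file above plus one constructed misconfiguration, and it assumes that a VAP profile without a forward-mode line uses direct forwarding.

```python
import re

def expand_vlans(spec):
    """Expand a VLAN list such as '10 101 to 102' into {10, 101, 102}."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def sections(config):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    out, cur = [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("#", "return"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + ([cur] if cur else [])

def parse_ac(config):
    """Extract the CAPWAP source VLAN, the VLAN pools and the VAP profiles."""
    pools, vaps, mgmt = {}, {}, None
    for sec in sections(config):
        pool = re.fullmatch(r"vlan pool (\S+)", sec[0])
        src = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", sec[0], re.I)
        if pool:
            members = [expand_vlans(l[5:]) for l in sec[1:] if l.startswith("vlan ")]
            pools[pool.group(1)] = set().union(*members)
        elif src:
            mgmt = int(src.group(1))
        elif sec[0] == "wlan":
            cur = None
            for line in sec[1:]:
                start = re.fullmatch(r"(\S+-profile|ap-group) name (\S+)", line)
                if start or line.startswith("ap-id "):
                    cur = None  # a new named block begins; only VAP profiles are tracked
                    if start and start.group(1) == "vap-profile":
                        # Assumption: no forward-mode line means direct forwarding,
                        # as in the direct-forwarding configuration file on this page.
                        cur = vaps[start.group(2)] = {"mode": "direct-forward", "svc": []}
                elif cur is not None and line.startswith("forward-mode "):
                    cur["mode"] = line.split()[1]
                elif cur is not None and line.startswith("service-vlan "):
                    cur["svc"] = line.split()[1:]
    for vap in vaps.values():  # resolved after the loop, so section order is irrelevant
        kind, value = (vap["svc"] + [None, None])[:2]
        if kind == "vlan-pool":
            vap["service_vlans"] = pools.get(value, set())
        elif kind == "vlan-id":  # a single service VLAN instead of a pool
            vap["service_vlans"] = {int(value)}
        else:
            vap["service_vlans"] = set()
    return {"mgmt_vlan": mgmt, "pools": pools, "vaps": vaps}

def audit_ac(config, extra_mgmt_vlans=()):
    """Flag tunnel-mode VAP profiles whose service VLAN is also a management VLAN."""
    ac = parse_ac(config)
    mgmt = set(extra_mgmt_vlans) | ({ac["mgmt_vlan"]} if ac["mgmt_vlan"] else set())
    findings = []
    for name, vap in sorted(ac["vaps"].items()):
        clash = sorted(mgmt & vap["service_vlans"])
        if vap["mode"] == "tunnel" and clash:
            findings.append(f"vap-profile {name}: tunnel forwarding, but VLAN "
                            f"{', '.join(map(str, clash))} is also a management VLAN")
    return findings

# Trimmed from the AC configuration file of this example (tunnel forwarding).
AC_TUNNEL = """\
#
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
# Constructed misconfiguration: the service VLAN is the CAPWAP source VLAN.
AC_BAD = AC_TUNNEL.replace("service-vlan vlan-pool sta-pool", "service-vlan vlan-id 100")

if __name__ == "__main__":
    print(audit_ac(AC_TUNNEL, extra_mgmt_vlans=(10,)))  # management VLANs 10 and 100
    print(audit_ac(AC_BAD))
```

The AC file only reveals the CAPWAP source VLAN (VLAN 100 here), so the AP-side management VLAN from the data plan (VLAN 10) is passed in through extra_mgmt_vlans.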

4.4.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services

Service Requirements
Enterprise users need to access the network through WLANs, which is the basic requirement of
mobile office, and their services must not be affected while they roam within the coverage
area. IPv4/IPv6 dual-stack needs to be configured on the AC so that users can access the
network using different protocol stacks.

Networking Requirements
• AC networking mode: Layer 2 inline mode
• DHCP deployment mode: The AC functions as a DHCP server to allocate IP addresses
  to APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-22 Networking for configuring WLAN IPv4/IPv6 dual-stack services


Data Planning

Table 4-19 AC data planning

Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | FC01::/64
IP address pool for STAs | IPv4 address pool: 10.23.101.2-10.23.101.254/24; IPv6 address pool: FC02::/64
AC's source interface address | VLANIF 100: FC01::1/64
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. On the AC, configure a DHCPv6 server to assign IP addresses to APs, and a DHCPv4
   and DHCPv6 server to assign IP addresses to STAs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IPv4 address to
10.23.101.2/24 and IPv6 address to FC02::2/64.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] ipv6 enable
[Router-Vlanif101] ipv6 address fc02::2/64
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] ipv6
[AC] dhcp enable
[AC] dhcpv6 pool ap_pool
[AC-dhcpv6-pool-ap_pool] address prefix fc01::/64
[AC-dhcpv6-pool-ap_pool] quit
[AC] interface vlanif 100
[AC-Vlanif100] ipv6 enable
[AC-Vlanif100] ipv6 address fc01::1/64
[AC-Vlanif100] undo ipv6 nd ra halt
[AC-Vlanif100] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif100] ipv6 nd autoconfig other-flag
[AC-Vlanif100] dhcpv6 server ap_pool
[AC-Vlanif100] quit

# Configure the DHCPv4 and DHCPv6 servers on VLANIF 101 to assign IP addresses to
STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• For IPv4:
  – In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in
    the VLANIF interface view.
  – In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address
    pool view.
• For IPv6:
  Run the dns-server ipv6-address command in the IPv6 address pool view.
[AC] dhcpv6 pool sta_pool
[AC-dhcpv6-pool-sta_pool] address prefix fc02::/64
[AC-dhcpv6-pool-sta_pool] quit
[AC] interface vlanif 101
[AC-Vlanif101] ipv6 enable
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] ipv6 address fc02::1/64
[AC-Vlanif101] undo ipv6 nd ra halt
[AC-Vlanif101] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif101] ipv6 nd autoconfig other-flag
[AC-Vlanif101] dhcpv6 server sta_pool
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap ipv6 enable
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 FC01::3 AP5030DN nor 0 27S
------------------------------------------------------------------------------
Total: 1


Step 5 Configure WLAN service parameters.

# Enable the function of processing STA IPv6 services.


[AC-wlan-view] sta-ipv6-service enable

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit


Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address IPv6 address
---------------------------------------------------------------------------------------------------------------------
14cf-9202-13dc 0 area_1 0/1 2.4G 11n 5/1 -62 101 10.23.101.254 FC02::546E:C25C:F4C7:B2AD
---------------------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
ipv6
#
vlan batch 101
#
interface Vlanif101
ipv6 enable
ip address 10.23.101.2 255.255.255.0
ipv6 address FC02::2/64
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
ipv6
#
vlan batch 100 to 101
#
dhcp enable
#
dhcpv6 pool ap_pool
address prefix FC01::/64
#
dhcpv6 pool sta_pool
address prefix FC02::/64
#
interface Vlanif100
ipv6 enable
ipv6 address FC01::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server ap_pool
#
interface Vlanif101
ipv6 enable
ip address 10.23.101.1 255.255.255.0
ipv6 address FC02::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcp select interface
dhcpv6 server sta_pool
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap ipv6 enable
capwap source interface vlanif100
#
wlan
sta-ipv6-service enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
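
The two structural rules from the Configuration Notes (in tunnel forwarding mode the service VLAN must differ from the management VLAN, and AP-facing switch ports need port isolation) can be checked mechanically against saved configuration files. The following Python audit is an added example, not part of the Huawei document; the embedded configurations are constructed, abridged copies of the files above, and it assumes that an AP-facing port is one whose PVID is the management VLAN and that a VAP profile without a forward-mode line uses direct forwarding.

```python
import re

# Constructed, abridged copies of the SwitchA and AC configuration files above.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
"""

AC_CFG = """\
#
capwap ipv6 enable
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
#
return
"""


def management_vlan(ac_cfg):
    """Management VLAN = VLANIF used as the CAPWAP source interface."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Return {profile name: {"mode": ..., "vlan": ...}} for each VAP profile."""
    profiles, current = {}, None
    for raw in ac_cfg.splitlines():
        line = raw.strip()
        start = re.match(r"vap-profile name (\S+)$", line)
        if start:
            # Assumption: no forward-mode line means direct forwarding.
            current = profiles.setdefault(
                start.group(1), {"mode": "direct-forward", "vlan": None})
        elif line == "#" or re.match(r"(\S+ name \S+|ap-id \d+)", line):
            current = None  # another profile, AP group or AP entry begins
        elif current is not None:
            mode = re.match(r"forward-mode (\S+)$", line)
            vlan = re.match(r"service-vlan vlan-id (\d+)$", line)
            if mode:
                current["mode"] = mode.group(1)
            elif vlan:
                current["vlan"] = int(vlan.group(1))
    return profiles


def interface_blocks(cfg):
    """Return {interface name: [commands]}; a '#' line ends each block."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("#", "return", ""):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(switch_cfg, ac_cfg):
    """Return a list of findings; an empty list means both rules hold."""
    mgmt = management_vlan(ac_cfg)
    if mgmt is None:
        return ["AC: no 'capwap source interface vlanifN' line, management VLAN unknown"]
    findings = []
    for name, prof in sorted(vap_profiles(ac_cfg).items()):
        if prof["mode"] == "tunnel" and prof["vlan"] == mgmt:
            findings.append(f"AC: VAP profile {name} tunnels service VLAN {mgmt}, "
                            "which is also the management VLAN")
    for ifname, cmds in interface_blocks(switch_cfg).items():
        ap_facing = f"port trunk pvid vlan {mgmt}" in cmds
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if ap_facing and not isolated:
            findings.append(f"switch: {ifname} faces an AP (PVID {mgmt}) "
                            "but has no port-isolate enable")
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH_CFG, AC_CFG) or ["no findings"]:
        print(finding)
```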

4.4.10 Example for Configuring NAT Traversal Between the AC and APs
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.

Networking Requirements
• AC networking mode: NAT traversal between the AC at the headquarters and APs in the
  branch
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 4-23 Networking for configuring NAT traversal between the AC and APs

Data Planning

Table 4-20 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 200 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Router_1 functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 200: 10.23.200.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| NAT Outbound | Router_1: translates the private IP addresses in the network segment 10.23.100.0/24 to the public IP addresses in the network segment 2.2.2.1. |
| Static NAT | Router_2: translates the private IP addresses in the network segment 10.23.200.1 to the public IP addresses in the network segment 3.3.3.3. |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.

<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 101 200
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.1 24
[AC-Vlanif200] quit

# Configure a default route with the next hop address 10.23.200.2 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2

Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

Step 4 Configure NAT.


# Configure outbound NAT on Router_1.
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit

# Configure static NAT on Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands, respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
1 60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor 0 11S
-------------------------------------------------------------------------------------
Total: 2

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.

[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk

port trunk allow-pass vlan 100 to 101
#
return

• Router_1 configuration file


#
sysname Router_1
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 2000
rule 5 permit source 10.23.100.0 0.0.0.255
rule 10 permit source 10.23.101.0 0.0.0.255
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 3.3.3.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
port-isolate enable
#
interface GigabitEthernet0/0/1
ip address 2.2.2.1 255.255.255.0
nat outbound 2000
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
#
return

• Router_2 configuration file


#
sysname Router_2
#
vlan batch 200
#
interface Vlanif200
ip address 10.23.200.2 24
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/1
ip address 3.3.3.1 255.255.255.0
nat static global 3.3.3.3 inside 10.23.200.1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200

ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB002312
ap-name area_2
ap-group ap-group1
#
return

4.4.11 Example for Configuring VPN Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

The APs are located in an enterprise branch, and the AC is located at the headquarters.
Administrators require the AC to manage all APs in a unified manner and require protection
of the traffic exchanged between the branch and the headquarters. An IPSec tunnel is
therefore established between the branch and the headquarters to protect this traffic.

Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
  branch.
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-24 Networking for configuring VPN traversal between the AC and APs

Data Planning

Table 4-21 AC data planning

Item                           Data
-----------------------------  ---------------------------------------------------
WLAN service data planning on the AC
Management VLAN for APs        VLAN 200
Service VLAN for STAs          VLAN 101
DHCP server                    Router_1 functions as a DHCP server to assign IP
                               addresses to APs and STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface address  VLANIF 200: 10.23.200.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and
                                 security profile wlan-net
IPSec data planning on Router_2
IKE parameters                 • IKE version: IKEv1
                               • Negotiation mode: main
                               • Peer IP address: 202.138.162.1
                               • Authentication mode: pre-shared key authentication
                               • Pre-shared key: huawei@1234
                               • Authentication algorithm: SHA2-256
                               • Encryption algorithm: AES-128
                               • DH group number: group14
IPSec parameters               • Security protocol: ESP
                               • ESP negotiation mode: main
                               • ESP authentication algorithm: SHA2-256
                               • ESP encryption algorithm: AES-128
                               • Encapsulation mode: tunnel
IPSec policy                   • Connection name: map1
                               • Interface name: gigabitethernet 0/0/1
                               • Networking mode: branch site
                               • Connection number: 10
                               • ACL number: 3101

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.

[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

Step 2 Configure the AC to communicate with the network devices.

# On the AC, add GE0/0/1 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.1/24.
<AC> system-view
[AC] sysname AC
[AC] vlan batch 101 200
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.1 24
[AC-Vlanif200] quit

# Configure a static route from the AC to APs with the next hop address 10.23.200.2 on the
AC.
[AC] ip route-static 10.23.100.0 255.255.255.0 10.23.200.2

Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.


[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

Step 4 Configure ACLs and define the data flows to be protected by the IPSec tunnel.

# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 5 Configure IPSec.


1. Create an IPSec proposal on Router_2 and Router_1.


# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

# Create an IPSec proposal on Router_1.


[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.


# Create an IKE proposal on Router_2.
[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.


[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.


# Configure an IPSec policy in IKE negotiation mode on Router_2.
[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy in IKE negotiation mode on Router_1.


[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit

4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.

[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.


[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit

Step 6 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 7 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] forward-mode direct-forward
[AC-wlan-net-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-net-prof-wlan-net] security-profile wlan-net
[AC-wlan-net-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-net-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127


[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# After the configurations are complete, the AC can ping the APs successfully and the data
transmitted between them is encrypted. You can run the display ipsec statistics esp command
to view packet statistics.
Run the display ike sa command on Router_2, and the following information is displayed:
<Router_2> display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 202.138.162.1 0 RD|ST v1:2
14 202.138.162.1 0 RD|ST v1:1

Number of SA entries : 2

Number of SA entries of all cpu : 2

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

----End

Configuration Files
• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200

ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 3101
rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spua
undo version 2
pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
ike-proposal 5

remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer spua
proposal tran1
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.200.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
ip address 202.138.162.1 255.255.255.0
ipsec policy use1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 200
#
acl number 3101
rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spub v1
undo version 2
pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
ike-proposal 5
remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer spub
proposal tran1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.138.163.1 255.255.255.0

ipsec policy map1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
#
return

• Switch configuration file


#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
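
For the tunnel in this example to come up and protect the intended traffic, the Router_1 and Router_2 files must agree: mirrored ACL 3101 flows, identical IKE and IPSec proposals, and each remote-address pointing at the other router's tunnel interface. The Python check below is an added example, not part of the original document or Huawei tooling; the function names and the templated sample (pre-shared key elided) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the files above: '#' between sections, wrapped
# lines rejoined, pre-shared key elided. Only fields that differ per router are templated.
TEMPLATE = """\
#
acl number 3101
rule 5 permit ip source {lan} 0.0.0.255 destination {rlan} 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer {peer}
undo version 2
pre-shared-key cipher <elided>
ike-proposal 5
remote-address {rwan}
#
ipsec policy {pol} 10 isakmp
security acl 3101
ike-peer {peer}
proposal tran1
#
interface GigabitEthernet0/0/1
ip address {wan} 255.255.255.0
ipsec policy {pol}
#
return
"""
ROUTER_1 = TEMPLATE.format(lan="10.23.100.0", rlan="10.23.200.0", peer="spua",
                           pol="use1", wan="202.138.162.1", rwan="202.138.163.1")
ROUTER_2 = TEMPLATE.format(lan="10.23.200.0", rlan="10.23.100.0", peer="spub",
                           pol="map1", wan="202.138.163.1", rwan="202.138.162.1")
RULE = re.compile(r"rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)$")

def sections(text):
    """Split a configuration file on '#' lines into {header: [body lines]}."""
    out = {}
    for chunk in re.split(r"(?m)^#[ \t]*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines and lines[0] != "return":
            out[lines[0]] = lines[1:]
    return out

def value(lines, key):
    """Return the argument string of the first line starting with `key`."""
    for ln in lines:
        if ln.startswith(key + " "):
            return ln[len(key):].strip()
    raise ValueError(f"missing '{key}' line")

def tunnel_view(text):
    """Follow interface -> IPSec policy -> IKE peer, proposals and ACL for one router."""
    sec = sections(text)
    def body(prefix):
        for header, lines in sec.items():
            if header == prefix or header.startswith(prefix + " "):
                return lines
        raise ValueError(f"referenced section not found: {prefix}")
    iface = next((ls for h, ls in sec.items() if h.startswith("interface ")
                  and any(ln.startswith("ipsec policy ") for ln in ls)), None)
    if iface is None:
        raise ValueError("no interface has an IPSec policy applied")
    policy = body("ipsec policy " + value(iface, "ipsec policy"))
    peer = body("ike peer " + value(policy, "ike-peer"))
    acl = body("acl number " + value(policy, "security acl"))
    # ip_network() accepts a contiguous wildcard (host mask) after the slash.
    flows = {(ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}"))
             for m in map(RULE.match, acl) if m}
    return {
        "local": value(iface, "ip address").split()[0],
        "remote": value(peer, "remote-address"),
        "ikev1_only": "undo version 2" in peer,
        "ike": sorted(body("ike proposal " + value(peer, "ike-proposal"))),
        "esp": sorted(body("ipsec proposal " + value(policy, "proposal"))),
        "flows": flows,
    }

def compare(a, b):
    """Return the mismatches between the two tunnel ends (empty list = consistent)."""
    findings = []
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        findings.append("remote-address does not match the peer's tunnel interface")
    if not a["flows"] or a["flows"] != {(dst, src) for src, dst in b["flows"]}:
        findings.append("protected flows (ACLs) are not mirror images")
    if a["ike"] != b["ike"] or a["ikev1_only"] != b["ikev1_only"]:
        findings.append("IKE proposal or version differs")
    if a["esp"] != b["esp"]:
        findings.append("IPSec (ESP) proposal differs")
    return findings

if __name__ == "__main__":
    print(compare(tunnel_view(ROUTER_1), tunnel_view(ROUTER_2)) or "tunnel ends agree")
```

A dangling reference, such as a policy naming an IKE peer that is not defined, raises ValueError instead of producing a finding, because the tunnel parameters cannot be resolved at all in that case.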

4.4.12 Example for Configuring Hand-in-Hand WDS Services


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding


Figure 4-25 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 4-22 AP data planning

AP     Type       MAC Address
-----  ---------  --------------
AP_1   AP8130DN   60de-4474-9640
AP_2   AP8130DN   dcd2-fc04-b500
AP_3   AP8130DN   dcd2-fc96-e4c0

Table 4-23 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to


assign IP addresses to APs. Switch_A
functions as a DHCP server to assign IP
addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 273


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

Item Data

IP address pool for STAs            10.23.101.3-10.23.101.254/24
AC's source interface address       VLANIF 100
WDS mode                            • Radio 1 on AP_1: root
                                    • Radio 1 on AP_2: leaf
                                    • Radio 0 on AP_2: root
                                    • Radio 1 on AP_3: leaf
Regulatory domain profile           • Name: default
                                    • Country code: CN
SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net
Wireless service security profile   • Name: wlan-net
                                    • Security policy: WPA-WPA2+PSK+AES
                                    • Password: a1234567
VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Referenced profiles: SSID profile wlan-net and security profile wlan-net
WDS link security profile           • Name: wds-security
                                    • Security policy: WPA2+PSK+AES
                                    • Password type: PASS-PHRASE
                                    • Password: a1234567
WDS whitelist profile               • Name: wds-list1
                                    • AP MAC address: MAC address of AP_2 (leaf)

                                    • Name: wds-list2
                                    • AP MAC address: MAC address of AP_3 (leaf)
WDS profile                         • Name: wds-root
                                    • WDS name: wlan-wds
                                    • WDS working mode: root
                                    • Tagged VLAN: VLAN 101
                                    • Referenced profile: security profile wds-security


                                    • Name: wds-leaf
                                    • WDS name: wlan-wds
                                    • WDS working mode: leaf
                                    • Tagged VLAN: VLAN 101
                                    • Referenced profile: security profile wds-security
AP group                            • Name: ap-group1
                                    • Root APs, such as AP_1, are added to the group.
                                    • Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and
                                      regulatory domain profile default

                                    • Name: ap-group2
                                    • Root and leaf APs, such as AP_2, are added to the group.
                                    • Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile
                                      wlan-net, and regulatory domain profile default

                                    • Name: ap-group3
                                    • Leaf APs, such as AP_3, are added to the group.
                                    • Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and
                                      regulatory domain profile default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,


they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.

# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure an AP to go online.

# Create AP groups ap-group1, ap-group2, and ap-group3.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Set WDS service parameters.


# Set key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1,
and AP_2 uses radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz
frequency band. To reduce channel interference, configure radio 0 and radio 1 of AP_2 to
work on different channels. Radio 1 and radio 0 of AP_2 are used to establish WDS links with
AP_1 and AP_3, respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on actual situations.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit

# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit

# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit

# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1, and bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind WDS profiles wds-root and wds-leaf to AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] wds-profile wds-root radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Bind WDS profile wds-leaf to AP group ap-group3.


[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group3] quit

Step 7 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 is used for wireless service coverage. Apply VAP profile
wlan-net to radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit

Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] calibrate auto-channel-select disable
[AC-wlan-radio-2/1] calibrate auto-txpower-select disable
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 0
[AC-wlan-radio-3/0] calibrate auto-channel-select disable
[AC-wlan-radio-3/0] calibrate auto-txpower-select disable
[AC-wlan-radio-3/0] quit
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] calibrate auto-channel-select disable
[AC-wlan-radio-3/1] calibrate auto-txpower-select disable
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit

Step 9 Verify the configuration.

# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [3]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name Group     IP            Type     State STA Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1 ap-group1 10.23.100.254 AP8130DN nor   0   20M:16S -
2    dcd2-fc04-b500 AP_2 ap-group2 10.23.100.253 AP8130DN nor   0   17S     -
3    dcd2-fc96-e4c0 AP_3 ap-group3 10.23.100.252 AP8130DN nor   0   3M:55S  -
--------------------------------------------------------------------------------------------------
Total: 3

Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
WDS  : WDS mode          Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 root normal   -39  -30  0   5  55   42/57/-/-
AP_2   AP_3     0  4   149 root normal   -56  -40  0   9  59   45/40/60/-
AP_2   AP_1     1  4   157 leaf normal   -32  -30  0   15 58   41/36/60/-
AP_3   AP_2     1  4   149 leaf normal   -33  -32  0   7  59   51/59/-/-
-------------------------------------------------------------------------------------------------
Total: 4

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2


Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
--------------------------------------------------------------------------------------------
e019-1dc7-1e08 1     AP_1    0/1     2.4G 11n  3/34  -68  101  10.23.101.254
--------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 security-profile name wds-security
  security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
 wds-profile name wds-root
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
  wds-mode root
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 3
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
  ap-name AP_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 40mhz-plus 157
   coverage distance 4
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
  ap-name AP_2
  ap-group ap-group2
  radio 0
   frequency 5g
   channel 40mhz-plus 149
   eirp 127
   coverage distance 4
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 40mhz-plus 157
   eirp 127
   coverage distance 4
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
  ap-name AP_3
  ap-group ap-group3
  radio 0
   channel 20mhz 11
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 40mhz-plus 149
   coverage distance 4
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
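
The example above binds a WDS whitelist to each root radio and WPA2+PSK+AES to the WDS links. The following added example (not part of the Huawei document) audits a saved wlan view for those two properties. The function names, the constructed sample, and the rule that a WDS profile without a wds-mode line is a leaf (the wds-leaf profile in the AC configuration file above carries none) are assumptions.

```python
# Constructed sample: the wlan view of an AC configuration, modelled on the AC
# configuration file above (one-space nesting, ciphertext replaced by a
# placeholder, ap-sn fields omitted).
SAMPLE_CONFIG = """\
wlan
 security-profile name wds-security
  security wpa2 psk pass-phrase %^%#<cipher>%^%# aes
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
 wds-profile name wds-root
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
  wds-mode root
 ap-group name ap-group1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0
"""


def parse_wlan(text):
    """Collect WDS-related objects from a wlan view dump (hypothetical helper)."""
    cfg = {"sec": {}, "wl": {}, "wds": {}, "bind": {}, "macs": set()}
    kind = name = radio = None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if len(tok) >= 3 and tok[1] == "name":      # "<object> name <x>" opens a definition
            kind, name, radio = tok[0], tok[2], None
            if kind == "wds-profile":               # assumption: no wds-mode line means leaf
                cfg["wds"][name] = {"mode": "leaf", "sec": None}
            elif kind == "wds-whitelist-profile":
                cfg["wl"][name] = set()
        elif tok[0] == "ap-id":                     # registered AP and its MAC address
            kind, radio = "ap-id", None
            if "ap-mac" in tok[:-1]:
                cfg["macs"].add(tok[tok.index("ap-mac") + 1].lower())
        elif tok[0] == "radio" and kind == "ap-group" and len(tok) > 1:
            radio = (name, tok[1])
            cfg["bind"][radio] = {"wds": None, "wl": None}
        elif kind == "security-profile" and tok[0] == "security":
            cfg["sec"][name] = tok[1:]
        elif kind == "wds-whitelist-profile" and tok[:2] == ["peer-ap", "mac"] and len(tok) > 2:
            cfg["wl"][name].add(tok[2].lower())
        elif kind == "wds-profile" and tok[0] in ("wds-mode", "security-profile") and len(tok) > 1:
            cfg["wds"][name]["mode" if tok[0] == "wds-mode" else "sec"] = tok[1]
        elif kind == "ap-group" and radio and tok[0] in ("wds-profile", "wds-whitelist-profile") and len(tok) > 1:
            cfg["bind"][radio]["wds" if tok[0] == "wds-profile" else "wl"] = tok[1]
    return cfg


def audit(text):
    """Return sorted findings about WDS link hardening in the given config."""
    cfg, out = parse_wlan(text), []
    for (group, radio), b in cfg["bind"].items():
        prof = cfg["wds"].get(b["wds"])
        if not prof or prof["mode"] != "root":
            continue                                # only root radios carry a whitelist here
        peers = cfg["wl"].get(b["wl"], set())
        if not peers:
            out.append(f"{group} radio {radio}: root WDS radio has no peer whitelist")
        for mac in sorted(peers - cfg["macs"]):
            out.append(f"{group} radio {radio}: whitelisted peer {mac} is not a registered AP")
    for name, prof in cfg["wds"].items():
        policy = cfg["sec"].get(prof["sec"], [])
        if policy[:2] != ["wpa2", "psk"] or policy[-1:] != ["aes"]:
            out.append(f"wds-profile {name}: link security is not WPA2+PSK+AES")
    return sorted(out)


if __name__ == "__main__":
    # Constructed weak variant: AP_2's root radio loses its whitelist binding.
    weak = SAMPLE_CONFIG.replace("   wds-whitelist-profile wds-list2\n", "")
    for finding in audit(weak):
        print(finding)
```

The parser keys on keywords rather than indentation, so it also works on a dump whose leading spaces were lost in copy and paste.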

4.4.13 Example for Configuring Back-to-Back WDS

Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to PCs.
• Wireless backhaul mode: WDS back-to-back
• Backhaul radio: 5 GHz radio

Figure 4-26 Networking for configuring back-to-back WDS

Data Planning

Table 4-24 AP data planning

AP Name   Type       MAC Address
AP_1      AP8130DN   dcd2-fcf6-76a0
AP_2      AP8130DN   60de-4474-9640
AP_3      AP8130DN   dcd2-fc04-b500
AP_4      AP8130DN   60de-4476-e360

Table 4-25 AC data planning


Item                                      Data
Management VLAN for APs                   VLAN 100
Service VLAN for PCs                      VLAN 101
DHCP server                               The AC functions as a DHCP server to assign IP addresses to
                                          APs, and Switch_A functions as a DHCP server to assign IP
                                          addresses to PCs.
IP address pool for APs                   10.23.100.2-10.23.100.254/24
IP address pool for PCs                   10.23.101.3-10.23.101.254/24
IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24
WDS profile                               • wds-net1 (WDS profile used by AP_1): WDS mode root,
                                            referenced WDS whitelist wds-list1, permitting access only
                                            from AP_2
                                          • wds-net2 (WDS profile used by AP_3): WDS mode root,
                                            referenced WDS whitelist wds-list2, permitting access only
                                            from AP_4
                                          • wds-net3 (WDS profile used by AP_2 and AP_4):
                                            referencing no WDS whitelist
WDS role                                  • AP_1: root
                                          • AP_2: leaf
                                          • AP_3: root
                                          • AP_4: leaf
WDS name                                  wds-net
WDS whitelist                             • wds-list1: contains MAC address of AP_2 and is bound to AP_1
                                          • wds-list2: contains MAC address of AP_4 and is bound to AP_3


Radio used by WDS                         Radio 1 (AP_1 and AP_2):
                                          • Bandwidth: 40 MHz-plus
                                          • Channel: 157
                                          • Radio coverage distance parameter: 4 (unit: 100 m)
                                          Radio 1 (AP_3 and AP_4):
                                          • Bandwidth: 40 MHz-plus
                                          • Channel: 149
                                          • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile                          • Name: wds-sec
                                          • Security policy: WPA2+PSK+AES
                                          • Password type: PASS-PHRASE
                                          • Password: a1234567
AP group                                  • wds-root1: AP_1
                                          • wds-root2: AP_3
                                          • wds-leaf1: AP_2
                                          • wds-leaf2: AP_4. The wired interface of AP_4 is connected
                                            to a PC, so a wired port profile needs to be configured for
                                            AP_4. Therefore, AP_2 and AP_4 are added to two separate
                                            AP groups.

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.


  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and PCs.
# Configure Switch_A as a DHCP server to assign IP addresses to PCs from an interface
address pool.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.

[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit

# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-leaf1,
and AP_4 to AP group wds-leaf2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc04-b500
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 5 Configure WDS service parameters.


# Configure radio parameters for WDS nodes. This example uses radio 1 of the AP8130DN.
The coverage distance parameter indicates the radio coverage distance, which is 3 (unit: 100
meters) by default. This example sets the radio coverage distance parameter to 4. You can
configure the parameter according to actual situations.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root1/1] coverage distance 4
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec used by WDS links. The profile wds-sec supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit

# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4474-9640
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit

Step 6 Configure the wired port profile used by the wired interfaces on AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in untagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan untagged 101
[AC-wlan-wired-port-wired-port] quit

Step 7 Bind required profiles to the AP groups to make WDS services take effect.

# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit

# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit

# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit

# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.

NOTE

After the AP wired port profile in endpoint mode is referenced, let the AP go online on the AC and
obtain the configuration. Then restart the AP for the configuration to take effect.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
[AC] quit

Step 8 Check that the AP goes online and restart AP_4.


# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type      State  STA  Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
1   60de-4474-9640  AP_1  wds-root1  10.23.100.250  AP8130DN  nor    0    20M:16S  -
4   60de-4476-e360  AP_4  wds-leaf2  10.23.100.251  AP8130DN  nor    0    17S      -
2   dcd2-fc04-b500  AP_2  wds-leaf1  10.23.100.253  AP8130DN  nor    0    3M:55S   -
3   dcd2-fcf6-76a0  AP_3  wds-root2  10.23.100.252  AP8130DN  nor    0    2M:55S   -
--------------------------------------------------------------------------------------------------
Total: 4

Run the display wlan wds link all command to check information about the WDS links.
<AC> display wlan wds link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
WDS  : WDS mode        Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
--------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
--------------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -44   -40   0    3   50    45/49/-/-
AP_2    AP_1      1   4    157  leaf  normal    -38   -36   0    49  57    36/31/57/-
AP_3    AP_4      1   4    149  root  normal    -11   -7    0    1   83    81/80/-/-
AP_4    AP_3      1   4    149  leaf  normal    -4    -4    0    0   91    90/85/-/-
--------------------------------------------------------------------------------------------------
Total: 4

Verify that the AP is online, then restart AP_4 so that the working mode of the AP wired
port takes effect.
<AC> system-view
[AC] wlan
[AC-wlan-view] ap-reset ap-group wds-leaf2
Warning: Reset AP(s), continue?[Y/N]:y

Step 9 Verify the configuration.


After AP_4 goes online again, verify that wired users connected to AP_4 can access the
network.
----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wds-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
wds-whitelist-profile name wds-list1
peer-ap mac 60de-4474-9640
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 101
wds-name wds-net
regulatory-domain-profile name domain1
wired-port-profile name wired-port
mode endpoint
vlan pvid 101
vlan untagged 101
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group wds-root1
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group wds-leaf1
ap-id 3 type-id 39 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group wds-root2
ap-id 4 type-id 39 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_4
ap-group wds-leaf2
#
return
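
The WDS procedure above depends on several settings agreeing with each other: each root radio has a whitelist bound, every whitelisted MAC belongs to a leaf AP, both ends of a link use the same channel, WDS name and security profile, and the security policy is WPA2+PSK+AES. The following Python script is an added example, not part of the Huawei document; it checks those points in a saved AC configuration. The names parse, audit and SAMPLE_OK, the sample text, and the rule that a profile without wds-mode is treated as a leaf are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample in saved-configuration form, modelled on the names used in
# this example. It is not output captured from a device.
SAMPLE_OK = """\
wlan
 security-profile name wds-sec
  security wpa2 psk pass-phrase <ciphertext> aes
 wds-whitelist-profile name wds-list1
  peer-ap mac 60de-4474-9640
 wds-profile name wds-net1
  security-profile wds-sec
  wds-name wds-net
  wds-mode root
 wds-profile name wds-net3
  security-profile wds-sec
  wds-name wds-net
 ap-group name wds-leaf1
  radio 1
   wds-profile wds-net3
   channel 40mhz-plus 157
 ap-group name wds-root1
  radio 1
   wds-profile wds-net1
   wds-whitelist-profile wds-list1
   channel 40mhz-plus 157
 ap-id 1 type-id 39 ap-mac dcd2-fcf6-76a0
  ap-group wds-root1
 ap-id 2 type-id 39 ap-mac 60de-4474-9640
  ap-group wds-leaf1
"""


def parse(text):
    """Collect the WDS-related objects of the wlan view from a saved config."""
    cfg = {"sec": {}, "wl": defaultdict(list), "wds": defaultdict(dict),
           "radio": {}, "ap": {}}
    ctx, radio = ("", ""), None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "#":
            continue
        if len(t) >= 3 and t[1] == "name":      # "<object> name <x>" opens a view
            ctx, radio = (t[0], t[2]), None
        elif t[0] == "ap-id" and "ap-mac" in t[:-1]:
            ctx, radio = ("ap-id", t[t.index("ap-mac") + 1]), None
            cfg["ap"][ctx[1]] = {}
        elif ctx[0] == "security-profile" and t[0] == "security":
            cfg["sec"][ctx[1]] = t[1:]
        elif ctx[0] == "wds-whitelist-profile" and t[:2] == ["peer-ap", "mac"]:
            cfg["wl"][ctx[1]].append(t[-1])
        elif ctx[0] == "wds-profile":
            cfg["wds"][ctx[1]][t[0]] = t[-1]
        elif ctx[0] == "ap-group" and t[0] == "radio":
            radio = cfg["radio"].setdefault((ctx[1], t[-1]), {})
        elif ctx[0] == "ap-group" and radio is not None:
            radio[t[0]] = t[-1]
        elif ctx[0] == "ap-id":
            cfg["ap"][ctx[1]][t[0]] = t[-1]
    return cfg


def audit(text):
    """Return findings for the WDS links; an empty list means all checks passed."""
    cfg, findings = parse(text), []

    def view(radio):
        # Assumption: a profile saved without "wds-mode" is a leaf, as wds-net3
        # appears in this example's configuration file.
        prof = cfg["wds"].get(radio.get("wds-profile"), {})
        return {"wds-mode": "leaf", **prof, "channel": radio.get("channel")}

    def wds_radio_of(mac):
        group = cfg["ap"].get(mac, {}).get("ap-group")
        return next((r for (g, _), r in cfg["radio"].items()
                     if g == group and "wds-profile" in r), None)

    for (group, rid), r in sorted(cfg["radio"].items()):
        if "wds-profile" not in r:
            continue
        where, mine = f"{group} radio {rid}", view(r)
        sec = cfg["sec"].get(mine.get("security-profile"), [])
        if sec[:2] != ["wpa2", "psk"] or sec[-1:] != ["aes"]:
            findings.append(f"{where}: WDS security policy is not WPA2+PSK+AES")
        if mine["wds-mode"] != "root":
            continue
        peers = cfg["wl"].get(r.get("wds-whitelist-profile"), [])
        if not peers:
            findings.append(f"{where}: root radio has no WDS whitelist bound")
        for mac in peers:
            peer = wds_radio_of(mac)
            if peer is None:
                findings.append(f"{where}: whitelisted {mac} is not a known WDS AP")
            elif view(peer)["wds-mode"] == "root":
                findings.append(f"{where}: whitelisted {mac} belongs to a root AP")
            else:
                for key in ("channel", "wds-name", "security-profile"):
                    if mine.get(key) != view(peer).get(key):
                        findings.append(f"{where}: {key} differs from peer {mac} "
                                        f"({mine.get(key)} vs {view(peer).get(key)})")
    return findings
```

Pass the text of a saved configuration to audit(); the parser keys on the view-opening keywords rather than on indentation, so it accepts both indented and flattened text.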

4.4.14 Example for Configuring Common Mesh Services


Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 4-27 Networking for configuring mesh services

Data Planning

Table 4-26 AP data planning

AP      Type      MAC Address
area_1  AP8130DN  60de-4476-e360
area_2  AP8130DN  dcd2-fc04-b500
area_3  AP8130DN  60de-4474-9640

Table 4-27 AC data planning

Item                          Data
Management VLAN for APs       VLAN 100
DHCP server                   The AC functions as a DHCP server to assign IP addresses to
                              APs, and Switch_A functions as a DHCP server to assign IP
                              addresses to STAs.
IP address pool for APs       10.23.100.2-10.23.100.254/24
AC's source interface         VLANIF 100: 10.23.100.1/24
Mesh profile name             Name: mesh-net
Mesh role                     • area_1: Mesh-portal (MPP)
                              • area_2: Mesh-node (MP)
                              • area_3: Mesh-node (MP)
Mesh ID                       Name: mesh-net
Mesh whitelist                Name: mesh-list
AP system profile             Name: mesh-sys
Radio used by Mesh services   Radio 1:
                              • Bandwidth: 40 MHz-plus
                              • Channel: 157
                              • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile              • Name: mesh-sec
                              • Security policy: WPA2+PSK+AES
                              • Password type: PASS-PHRASE
                              • Password: a1234567
AP group                      • mesh-mpp: area_1
                              • mesh-mp: area_2 and area_3

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP server to assign IP addresses to APs.

# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.

# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add area_1 to the AP group mesh-mpp and area_2 and area_3 to the AP group mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC-wlan-ap-1] ap-name area_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9640
[AC-wlan-ap-3] ap-name area_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Configure Mesh parameters.


# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. The coverage distance parameter indicates the radio coverage distance, which is 3
(unit: 100 m) by default. This example sets the radio coverage distance parameter to 4. You
can configure the parameter according to your service needs.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4476-e360
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc04-b500
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set the Mesh role of area_1 to Mesh-portal. area_2 and area_3 use
the default Mesh role Mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to AP radios.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Bind required profiles to the AP groups to make Mesh services take effect.

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on area_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
[AC] quit

Step 7 Verify the Mesh service configuration.


# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------
ID MAC            Name   Group    IP            Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1  60de-4476-e360 area_1 mesh-mpp 10.23.100.254 AP8130DN nor   0   13M:45S -
2  dcd2-fc04-b500 area_2 mesh-mp  10.23.100.251 AP8130DN nor   0   5M:22S  -
3  60de-4474-9640 area_3 mesh-mp  10.23.100.253 AP8130DN nor   0   4M:14S  -
----------------------------------------------------------------------------------------
Total: 3

# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
<AC> display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
area_1  area_2    dcd2-fc04-b500  1   4    157  portal  normal    -30   -27   0    12  67    62/65/-/-
area_1  area_3    60de-4474-9640  1   4    157  portal  normal    -26   -24   0    12  71    67/68/-/-
area_3  area_2    dcd2-fc04-b500  1   4    157  node    normal    -19   -3    0    5   77    66/76/-/-
area_3  area_1    60de-4476-e360  1   4    157  node    normal    -32   -4    0    26  64    55/63/-/-
area_2  area_1    60de-4476-e360  1   4    157  node    normal    -32   -4    0    12  64    62/61/-/-
area_2  area_3    60de-4474-9640  1   4    157  node    normal    -14   -12   0    4   82    71/82/-/-
----------------------------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
• Configuration file of the Switch_A
#
sysname Switch_A
#
vlan batch 100
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the Switch_B
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the AC
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4476-e360
peer-ap mac dcd2-fc04-b500
peer-ap mac 60de-4474-9640
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 39 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group mesh-mpp
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235557610DB000046
ap-name area_2
ap-group mesh-mp
ap-id 3 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_3
ap-group mesh-mp
#
return

4.4.15 Example for Configuring Dual-MPP Mesh Services


Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 4-28 Networking for configuring dual-MPP Mesh services

Data Planning

Table 4-28 AP data planning

AP Name  Type      MAC Address
AP_1     AP8130DN  60de-4474-9640
AP_2     AP8130DN  dcd2-fc04-b500
AP_3     AP8130DN  dcd2-fc96-e4c0
AP_4     AP8130DN  1047-80ac-cc60

Table 4-29 AC data planning

Item                         Data
Management VLAN for APs      VLAN 100
DHCP server                  The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs      10.23.100.2-10.23.100.254/24
AC's source interface        VLANIF 100: 10.23.100.1/24
Mesh profile                 • Name: mesh-net
                             • Aging time of Mesh links: 30 (unit: s)
Mesh role                    • AP_1: Mesh-portal (MPP)
                             • AP_2: Mesh-portal (MPP)
                             • AP_3: Mesh-node (MP)
                             • AP_4: Mesh-node (MP)
Mesh ID                      Name: mesh-net
Mesh whitelist               Name: mesh-list
Regulatory domain profile    • Name: default
                             • Country code: CN
AP system profile            Name: mesh-sys
Radio used by Mesh services  Radio 1:
                             • Bandwidth: 40 MHz-plus
                             • Channel: 157
                             • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile             • Name: mesh-sec
                             • Security policy: WPA2+PSK+AES
                             • Password type: PASS-PHRASE
                             • Password: a1234567
AP group                     • mesh-mpp: AP_1 and AP_2
                             • mesh-mp: AP_3 and AP_4

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
  up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
  same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
  of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
  only with radios of neighbors with 802.11n chips. Table 4-30 lists types of chips used by
  AP models.

Table 4-30 Radio chips used by APs

AP Model      Radio 0             Radio 1             Radio 2
R450D         Mesh not supported  Mesh not supported  N/A
R250D-E       Mesh not supported  Mesh not supported  N/A
R250D         Mesh not supported  Mesh not supported  N/A
R251D-E       Mesh not supported  Mesh not supported  N/A
R251D         Mesh not supported  Mesh not supported  N/A
R240D         Mesh not supported  Mesh not supported  N/A
R230D         Mesh not supported  Mesh not supported  N/A
AP9330DN      Mesh not supported  Mesh not supported  N/A
AP9132DN      802.11n             802.11ac            N/A
AP9131DN      802.11n             802.11ac            N/A
AP9130DN      802.11ac            802.11ac            N/A
AP8150DN      802.11ac            802.11ac            N/A
AP8130DN-W    802.11ac            802.11ac            N/A
AP8130DN      802.11ac            802.11ac            N/A
AP8050DN-S    802.11ac            802.11ac            N/A
AP8050DN      802.11ac            802.11ac            N/A
AP8050TN-HD   802.11ac            802.11ac            Mesh not supported
AP8082DN      802.11ac            802.11ac            NA
AP8182DN      802.11ac            802.11ac            NA
AP8030DN      802.11ac            802.11ac            N/A
AP7110SN-GN   802.11n             N/A                 N/A
AP7110DN-AGN  802.11n             802.11n             N/A
AP7050DN-E    802.11ac            802.11ac            N/A
AP7050DE      802.11ac            802.11ac            N/A
AP7052DE      802.11ac            802.11ac            NA
AP7052DN      802.11ac            802.11ac            NA
AP7152DN      802.11ac            802.11ac            NA
AP7030DE      Mesh not supported  Mesh not supported  N/A
AP6610DN-AGN  802.11n             802.11n             N/A
AP6510DN-AGN  802.11n             802.11n             N/A
AP6310SN-GN   Mesh not supported  N/A                 N/A
AP6150DN      802.11ac            802.11ac            N/A
AP6050DN      802.11ac            802.11ac            N/A
AP6052DN      802.11ac            802.11ac            N/A
AP6010SN-GN   802.11n             N/A                 N/A
AP6010DN-AGN  802.11n             802.11n             N/A
AP5130DN      802.11n             802.11ac            N/A
AP5030DN      802.11n             802.11ac            N/A
AP5010SN-GN   802.11n             N/A                 N/A
AP5010DN-AGN  802.11n             802.11n             N/A
AP4151DN      802.11ac            802.11ac            N/A
AP4130DN      802.11n             802.11ac            N/A
AP4051DN      802.11ac            802.11ac            N/A
AP4050DN-HD   802.11ac            802.11ac            N/A
AP4050DN-E    802.11ac            802.11ac            N/A
AP4050DN-S    802.11ac            802.11ac            N/A
AP4050DN      802.11ac            802.11ac            N/A
AP4051TN      802.11n             802.11ac            Mesh not supported
AP4030TN      802.11n             802.11ac            Mesh not supported
AP4030DN      802.11n             802.11ac            N/A
AP2050DN-E    Mesh not supported  Mesh not supported  N/A
AP2050DN      Mesh not supported  Mesh not supported  N/A
AP2051DN-E    Mesh not supported  Mesh not supported  N/A
AP2051DN      Mesh not supported  Mesh not supported  N/A
AP2030DN      Mesh not supported  Mesh not supported  N/A
AP2010DN      Mesh not supported  Mesh not supported  N/A
AP1050DN-S    802.11ac            802.11ac            N/A
AD9430DN-24   Mesh not supported  Mesh not supported  N/A
AD9431DN-24X  Mesh not supported  Mesh not supported  N/A
AD9430DN-12   Mesh not supported  Mesh not supported  N/A

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP server to assign IP addresses to APs.


# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively. You can add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 1047-80ac-cc60
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 5 Configure Mesh parameters.


# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. The radio coverage distance parameter is 3 (unit: 100 m) by default. This example
sets the radio coverage distance parameter to 4. You can configure the parameter according to
your service needs.
NOTE

During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with
multiple MPPs simultaneously, configure the MPPs to work on the same channel.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Configure the security profile mesh-sec used by Mesh links. The profile mesh-sec supports
the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc04-b500
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 1047-80ac-cc60
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to Mesh-portal. AP_3 and AP_4
use the default Mesh role Mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to AP radios.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 7 Verify the configuration.

# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------
ID MAC            Name   Group    IP            Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1  60de-4474-9640 AP_1   mesh-mpp 10.23.100.254 AP8130DN nor   0   5M:44S  -
2  dcd2-fc04-b500 AP_2   mesh-mpp 10.23.100.253 AP8130DN nor   0   6M:15S  -
3  dcd2-fc96-e4c0 AP_3   mesh-mp  10.23.100.252 AP8130DN nor   0   1M:35S  -
4  1047-80ac-cc60 AP_4   mesh-mp  10.23.100.251 AP8130DN nor   0   3M:56S  -
----------------------------------------------------------------------------------------
Total: 4

# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
AP_1    AP_4      1047-80ac-cc60  1   4    157  portal  normal    -28   -27   0    25  70    62/69/-/-
AP_1    AP_3      dcd2-fc96-e4c0  1   4    157  portal  normal    -18   -2    0    0   78    73/77/-/-
AP_2    AP_4      1047-80ac-cc60  1   4    157  portal  normal    -17   -16   0    52  80    57/49/80/-
AP_2    AP_3      dcd2-fc96-e4c0  1   4    157  portal  normal    -24   -21   0    0   72    58/54/72/-
AP_4    AP_1      60de-4474-9640  1   4    157  node    normal    -29   -29   0    0   65    64/58/-/-
AP_4    AP_2      dcd2-fc04-b500  1   4    157  node    normal    -21   -19   0    10  76    76/64/-/-
AP_4    AP_3      dcd2-fc96-e4c0  1   4    157  node    normal    -7    -1    0    0   89    88/82/-/-
AP_3    AP_2      dcd2-fc04-b500  1   4    157  node    normal    -35   -32   0    35  61    51/60/-/-
AP_3    AP_1      60de-4474-9640  1   4    157  node    normal    -27   -23   0    0   70    68/66/-/-
AP_3    AP_4      1047-80ac-cc60  1   4    157  node    normal    -13   -11   0    23  83    80/81/-/-
----------------------------------------------------------------------------------------------------------
Total: 10

# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_4 /1047-80ac-cc60/MP /1
--------------------------------------------------------------------------
Total: 2

# When the link between AP_2 and AC is faulty, AP_2 automatically changes to an MP and
goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 go online on AP_1.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac dcd2-fc04-b500
peer-ap mac dcd2-fc96-e4c0
peer-ap mac 1047-80ac-cc60
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group mesh-mpp
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group mesh-mpp
ap-id 3 ap-mac dcd2-fc96-e4c0
ap-name AP_3
ap-group mesh-mp
ap-id 4 ap-mac 1047-80ac-cc60
ap-name AP_4
ap-group mesh-mp
#
return
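
The following check is an added example, not part of the original document or of any Huawei tool. It reads the wlan section of an AC configuration file like the one above and cross-checks the Mesh whitelist against the registered AP MAC addresses and the radio bindings, assuming the whitelist lists the peer APs allowed to set up Mesh links. The embedded configuration is constructed from this example's values with three deliberate defects; the MAC address 0000-5e00-5301 and the names parse_wlan and audit are assumptions made for the illustration.

```python
"""Audit the wlan section of an AC configuration file for Mesh whitelist gaps."""

# Constructed sample based on the dual-MPP AC configuration file, with three
# deliberate defects: a whitelist entry for an unregistered MAC (0000-5e00-5301,
# constructed), AP_4 missing from the whitelist, and no whitelist bound to the
# mesh-mpp radio. The pass-phrase cipher text is a placeholder.
SAMPLE_CONFIG = """\
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#<cipher-text>%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac dcd2-fc04-b500
  peer-ap mac dcd2-fc96-e4c0
  peer-ap mac 0000-5e00-5301
 mesh-profile name mesh-net
  security-profile mesh-sec
  mesh-id mesh-net
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  radio 1
   mesh-profile mesh-net
 ap-id 1 ap-mac 60de-4474-9640
  ap-group mesh-mpp
 ap-id 2 ap-mac dcd2-fc04-b500
  ap-group mesh-mpp
 ap-id 3 ap-mac dcd2-fc96-e4c0
  ap-group mesh-mp
 ap-id 4 ap-mac 1047-80ac-cc60
  ap-group mesh-mp
"""

# "<keyword> name <x>" lines that open a view this audit cares about.
PROFILE_KINDS = {"mesh-whitelist-profile": "whitelist", "mesh-profile": "mesh", "ap-group": "group"}


def parse_wlan(text):
    """Parse by keyword only, so flattened (unindented) files parse the same way."""
    cfg = {"whitelists": {}, "mesh_profiles": {}, "radios": {}, "aps": {}}
    ctx = name = radio = None
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 2:
            continue  # "wlan", "#", "return" and blank lines carry nothing to audit
        if tok[1] == "name" and len(tok) >= 3:
            # Any other "<kind> name <x>" view (security profile, ...) resets the context.
            ctx, name, radio = PROFILE_KINDS.get(tok[0]), tok[2], None
            if ctx == "whitelist":
                cfg["whitelists"].setdefault(name, set())
            elif ctx == "mesh":
                cfg["mesh_profiles"].setdefault(name, None)
        elif tok[0] == "ap-id" and "ap-mac" in tok[:-1]:
            ctx, name = "ap", tok[1]
            cfg["aps"][name] = {"mac": tok[tok.index("ap-mac") + 1].lower(), "group": None}
        elif ctx == "whitelist" and tok[:2] == ["peer-ap", "mac"] and len(tok) >= 3:
            cfg["whitelists"][name].add(tok[2].lower())
        elif ctx == "mesh" and tok[0] == "security-profile":
            cfg["mesh_profiles"][name] = tok[1]
        elif ctx == "group" and tok[0] == "radio":
            radio = (name, tok[1])
            cfg["radios"][radio] = {"mesh": None, "whitelist": None}
        elif ctx == "group" and radio and tok[0] == "mesh-profile":
            cfg["radios"][radio]["mesh"] = tok[1]
        elif ctx == "group" and radio and tok[0] == "mesh-whitelist-profile":
            cfg["radios"][radio]["whitelist"] = tok[1]
        elif ctx == "ap" and tok[0] == "ap-group":
            cfg["aps"][name]["group"] = tok[1]
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the whitelist is consistent."""
    findings = []
    for prof, sec in sorted(cfg["mesh_profiles"].items()):
        if sec is None:
            findings.append(f"mesh-profile {prof}: no security-profile bound")
    mesh_groups, used_whitelists = set(), set()
    for (group, radio), bound in sorted(cfg["radios"].items()):
        if bound["mesh"] is None:
            continue
        mesh_groups.add(group)
        if bound["whitelist"] is None:
            findings.append(f"ap-group {group} radio {radio}: Mesh enabled without a whitelist")
        else:
            used_whitelists.add(bound["whitelist"])
    # Every AP registered in a Mesh-enabled group is an expected Mesh peer.
    mesh_macs = {ap["mac"] for ap in cfg["aps"].values() if ap["group"] in mesh_groups}
    for wl in sorted(used_whitelists):
        allowed = cfg["whitelists"].get(wl)
        if allowed is None:
            findings.append(f"whitelist {wl}: referenced but not defined")
            continue
        findings += [f"whitelist {wl}: {m} is not a registered Mesh AP" for m in sorted(allowed - mesh_macs)]
        findings += [f"whitelist {wl}: registered Mesh AP {m} is missing" for m in sorted(mesh_macs - allowed)]
    return findings


if __name__ == "__main__":
    for finding in audit(parse_wlan(SAMPLE_CONFIG)):
        print(finding)
```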

4.5 AP's Wired Interface Configuration Examples


4.5.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces

Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.

Networking Requirements
• AC networking mode: Layer 2 inline mode
• Service data forwarding mode: tunnel forwarding

Figure 4-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces

Data Planning

Table 4-31 AC data planning

Item                     Data
Management VLAN for APs  VLAN 100
AP wired port profile    • Name: wired-port1
                         • Eth-Trunk: Eth-Trunk0
AP group                 • Name: ap-group1
                         • Referenced profile: AP wired port profile wired-port1

Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.

Configuration Notes
• This example is applicable to an AP with two or more wired uplink interfaces.
• This example assumes that the AP has gone online and describes how to configure an
  Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
  configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
  go offline.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check AP information.
Check Item                                    Command           Data
Check the AP group to which an AP belongs.    display ap all    AP group: ap-group1
                                                                AP name: AP1

Step 2 Configure an Eth-Trunk on the switch.


# Create Eth-Trunk1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] description Connect to AP1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk pvid vlan 100
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk1] port-isolate enable
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] eth-trunk 1
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure an Eth-Trunk for the AP on the AC.


# Configure Eth-Trunk0.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 0
[AC-Eth-Trunk0] description Connect to switch
[AC-Eth-Trunk0] port link-type trunk
[AC-Eth-Trunk0] port trunk allow-pass vlan 100
[AC-Eth-Trunk0] undo port trunk allow-pass vlan 1
[AC-Eth-Trunk0] quit

# Create the AP wired port profile wired-port1. Add GE0 and GE1 on the AP to Eth-Trunk0.
[AC] wlan
[AC-wlan-view] wired-port-profile name wired-port1
[AC-wlan-wired-port-wired-port1] eth-trunk 0
[AC-wlan-wired-port-wired-port1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 0
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 1
[AC-wlan-ap-group-ap-group1] quit

Step 4 Verify the configuration.

# Run the display wired-port-profile name wired-port1 command to check the
configuration of the AP wired port profile.
[AC-wlan-view] display wired-port-profile name wired-port1
----------------------------------------------------------------------------
Port link profile : default
Description :
Ethernet trunk ID : 0
----------------------------------------------------------------------------

Step 5 Restart the AP.


NOTE

The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
[AC-wlan-view] ap-reset ap-name AP1
Warning: Reset AP(s), continue?[Y/N]:y

Step 6 Connect the switch and AP physically.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
description Connect to AP1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return

• AC configuration file


#
sysname AC
#
vlan batch 100
#
interface Eth-Trunk0
description Connect to switch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
wlan
wired-port-profile name wired-port1
eth-trunk 0
ap-group name ap-group1
wired-port-profile wired-port1 gigabitethernet 0
wired-port-profile wired-port1 gigabitethernet 1
#
return
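
The settings this example applies to the AP-facing Eth-Trunk (two or more member ports, PVID set to the management VLAN, VLAN 1 removed, port isolation enabled) can be checked against a saved switch configuration. The script below is an added example, not part of the original guide; the function names and the weak variant are constructed for illustration, and the rule that only the management VLAN should pass assumes tunnel forwarding as in this example.

```python
import re

# Switch configuration file from section 4.5.1. The one-space stanza indentation
# is restored here; the commands themselves are the page's.
SWITCH_CFG = """\
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
 description Connect to AP1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
return
"""

# Constructed weak variant: VLAN 1 still passes and port isolation is missing.
WEAK_CFG = (SWITCH_CFG.replace(" undo port trunk allow-pass vlan 1\n", "")
            .replace(" port-isolate enable group 1\n", ""))


def parse_interfaces(cfg):
    """Return {interface name: [commands]} for each 'interface ...' stanza."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("#", "return", ""):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def expand_vlans(tokens):
    """Expand a VRP VLAN list, e.g. ['100', 'to', '101'] or ['all'], to a set."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_trunk(cfg, trunk_id, mgmt_vlan):
    """Return a list of findings for the AP-facing Eth-Trunk (empty list = pass)."""
    stanzas = parse_interfaces(cfg)
    name = f"Eth-Trunk{trunk_id}"
    if name not in stanzas:
        return [f"{name} is not configured"]
    cmds, findings = stanzas[name], []
    members = [n for n, c in stanzas.items() if f"eth-trunk {trunk_id}" in c]
    if len(members) < 2:
        findings.append(f"{name} has {len(members)} member port(s), expected 2 or more")
    pvid, allowed = 1, {1}  # VRP trunk defaults: PVID 1, VLAN 1 allowed
    for c in cmds:
        m = re.fullmatch(r"port trunk pvid vlan (\d+)", c)
        if m:
            pvid = int(m.group(1))
        m = re.fullmatch(r"(undo )?port trunk allow-pass vlan (.+)", c)
        if m:
            vlans = expand_vlans(m.group(2).split())
            allowed = allowed - vlans if m.group(1) else allowed | vlans
    if pvid != mgmt_vlan:
        findings.append(f"{name} PVID is {pvid}, expected management VLAN {mgmt_vlan}")
    if mgmt_vlan not in allowed:
        findings.append(f"{name} does not pass management VLAN {mgmt_vlan}")
    extra = sorted(allowed - {mgmt_vlan})
    if extra:
        findings.append(f"{name} also passes VLAN(s) {extra}; only VLAN {mgmt_vlan} is needed")
    if not any(c.startswith("port-isolate enable") for c in cmds):
        findings.append(f"{name} has no port isolation")
    return findings
```
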

4.6 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.6.1 Example for Configuring the PPPoE Client
Networking Requirements
As shown in Figure 4-30, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.

Figure 4-30 Networking diagram of the device functioning as the PPPoE client

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure Challenge Handshake Authentication Protocol (CHAP) authentication on the
dialer interface so that the device can establish a PPPoE session with the PPPoE server
using PPP authentication.
2. Configure the dial-up mode to automatic dial-up so that the device will automatically
attempt to create a dial-up connection again at intervals after the disconnection.

Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server.
Step 2 Configure a dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1@system
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit

Step 3 Create a PPPoE session.


[AP] vlan batch 100
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 100
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 100
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 100
[AP-Vlanif100] pppoe-client dial-bundle-number 1
[AP-Vlanif100] quit

Step 4 Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit

Step 5 Configure a static route from the local host to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit

Step 6 Verify the configurations.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The following command output shows that the PPPoE session status
is Up and the session configuration is consistent with the data plan and networking.
<AP> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 vlanif00 00e0fc030201 0819a6cd0680 UP

----End

Configuration Files
Configuration file of the PPPoE client


#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ip address ppp-negotiate
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return

4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem
Networking Requirements
As shown in Figure 4-31, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.
The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.


Figure 4-31 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AP as the PPPoE client so that hosts in the LAN can access the Internet
without installing PPPoE client software.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
3. Configure NAT so that LAN users can access the external network.

Procedure
Step 1 Configure the PPPoE client.
# Configure the dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] dialer timer idle 300
[AP-Dialer1] dialer queue-length 8
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit

# Create a PPPoE session.


[AP] vlan batch 100
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 100
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 100
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 100
[AP-Vlanif100] pppoe-client dial-bundle-number 1
[AP-Vlanif100] quit

# Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit

# Configure a static route from the PPPoE client to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit

Step 2 Configure the PPPoE server.


# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1
[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a VT.


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit

# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 3 Verify the configuration.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The following command output shows that the PPPoE session status
is Up and the session configuration is consistent with the data plan and networking.
<AP> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 vlanif100 54899874dbc7 000000000000 PADI

# AP can successfully ping server Router.

----End
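
The verification step in 4.6.1 and 4.6.2 relies on reading the State column of display pppoe-client session summary. The script below is an added example, not part of the original guide: it parses that table and reports whether the session for a dial bundle is established. Run over the two outputs printed on this page, it passes the 4.6.1 output and flags the 4.6.2 output, which lists state PADI with an all-zero Server-MAC. The function names and the hint texts are assumptions made for illustration.

```python
# Output of 'display pppoe-client session summary' as printed in sections 4.6.1
# and 4.6.2 of this page (column spacing as extracted).
OUTPUT_4_6_1 = """\
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 vlanif00 00e0fc030201 0819a6cd0680 UP
"""

OUTPUT_4_6_2 = """\
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 vlanif100 54899874dbc7 000000000000 PADI
"""

# Meaning of a non-UP state, following the RFC 2516 discovery stages. Treating
# these as the discovery states the device prints is an assumption.
STAGE_HINTS = {
    "PADI": "client is still sending PADI; no server offer (PADO) received yet",
    "PADR": "client has sent PADR; server has not confirmed the session (PADS)",
}


def parse_sessions(text):
    """Parse the summary table into a list of dicts keyed by column title."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header = next((r for r in rows if r[:2] == ["ID", "Bundle"]), None)
    if header is None:
        raise ValueError("session table header not found")
    body = rows[rows.index(header) + 1:]
    # Rows with a different column count are not session entries; skip them.
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def check_bundle(text, bundle):
    """Return (ok, problems) for the session bound to the given dial bundle."""
    sessions = [s for s in parse_sessions(text) if s["Bundle"] == str(bundle)]
    if not sessions:
        return False, [f"no PPPoE session for dial bundle {bundle}"]
    problems = []
    for s in sessions:
        state = s["State"].upper()
        if state != "UP":
            hint = STAGE_HINTS.get(state, "session is not established")
            problems.append(f"{s['Intf']}: state {state} ({hint})")
        if set(s["Server-MAC"]) == {"0"}:
            problems.append(f"{s['Intf']}: Server-MAC is all zeros, no server learned")
    return not problems, problems


if __name__ == "__main__":
    for label, out in (("4.6.1", OUTPUT_4_6_1), ("4.6.2", OUTPUT_4_6_2)):
        ok, problems = check_bundle(out, 1)
        print(label, "OK" if ok else "NOT ESTABLISHED", *problems, sep="\n  ")
```
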

Configuration Files
• Configuration file of AP
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1
ppp chap password cipher %^%#D]<B>${2C"o|jLLQwm<#=FP[~\b3P!w0Vr6BLp4A%^%#
ip address ppp-negotiate
dialer queue-length 8
dialer timer idle 300
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return

• Configuration file of Router


#
sysname Router
#
radius-server template shiva
radius-server shared-key cipher %^%#s2BY1Z1+yAE}!(X0JTHB64T#,K$SFIfN5D!RjIGI
%^%#
radius-server authentication 129.6.6.66 1812 weight 80
radius-server accounting 129.6.6.66 1813 weight 80
#
ip pool pool1
gateway-list 100.100.10.1
network 100.100.10.0 mask 255.255.255.0
#
aaa
authentication-scheme 1
authentication-mode radius
accounting-scheme 1
accounting-mode radius
domain system
authentication-scheme 1
accounting-scheme 1
radius-server shiva
local-user user1 password cipher %^%#9T`|L}K(4#J3k=+I8SiJrsM:RO[iy@Uuc:LTQJ,
1%^%#
local-user user1 privilege level 0
local-user user1 service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool pool1
ppp keepalive retry-times 2
timer hold 30
ip address 100.100.10.1 255.255.255.0
#
interface Atm1/0/0
pvc 0/32
map bridge Virtual-Ethernet0/0/1
#
interface Virtual-Ethernet0/0/1
pppoe-server bind Virtual-Template 1
#
return

4.7 Authentication Configuration Examples


4.7.1 Example for Configuring External Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: External Portal authentication
• Security policy: open

Figure 4-32 Networking for configuring external Portal authentication

Data Planning

Table 4-32 AC data planning

Item                                Data
Management VLAN for APs             VLAN100
Service VLAN for STAs               VLAN101
DHCP server                         The AC functions as a DHCP server to assign IP addresses to APs.
                                    SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                    default gateway address of STAs is 10.23.101.2.
IP address pool for APs             10.23.100.2-10.23.100.254/24
IP address pool for STAs            10.23.101.3-10.23.101.254/24
AC's source interface address       VLANIF100: 10.23.100.1/24
AP group                            • Name: ap-group1
                                    • Referenced profile: VAP profile wlan-net and regulatory domain profile
                                      default
Regulatory domain profile           • Name: default
                                    • Country code: China
SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net
Security profile                    • Name: wlan-net
                                    • Security policy: open
RADIUS authentication parameters    Name of the RADIUS authentication scheme: wlan-net
                                    Name of the RADIUS accounting scheme: wlan-net
                                    Name of the RADIUS server template: wlan-net
                                    • IP address: 10.23.102.1
                                    • Authentication port number: 1812
                                    • Shared key: Huawei123
Portal server template              • Name: wlan-net
                                    • IP address: 10.23.103.1
                                    • Destination port number in the packets that the AC sends to the Portal
                                      server: 50200
                                    • Portal shared key: Huawei123
Portal access profile               • Name: wlan-net
                                    • Referenced profile: Portal server template wlan-net
Authentication-free rule profile    • Name: default_free_rule
                                    • Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication profile              • Name: wlan-net
                                    • Referenced profile: Portal access profile wlan-net, RADIUS Server
                                      profile wlan-net, authentication-free rule profile default_free_rule and
                                      authentication scheme wlan-net
VAP profile                         • Name: wlan-net
                                    • Forwarding mode: tunnel forwarding
                                    • Service VLAN: VLAN 101
                                    • Referenced profile: SSID profile wlan-net, security profile wlan-net and
                                      Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure external Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage external Portal authentication
configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC with the next hop set to the IP address of the Router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

• In this example, the device is connected to the Agile Controller-Campus. The accounting function is
used not for accounting purposes but to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the website to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 11 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 12 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit


# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 13 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring External Portal
Authentication (CLI)" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 14 Verify the configuration.
l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
● Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.7.2 Example for Configuring Built-in Portal Authentication for Local Users

Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.


Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: built-in Portal authentication
● Security policy: open

Figure 4-33 Networking for configuring built-in Portal authentication for local users

Data Planning

Table 4-33 AC data planning


Item                               Data
Management VLAN for APs            VLAN 100
Service VLAN for STAs              VLAN 101
DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.
IP address pool for APs            10.23.100.2-10.23.100.254/24
IP address pool for STAs           10.23.101.3-10.23.101.254/24
AC's source interface              VLANIF100: 10.23.100.1/24
AP group                           ● Name: ap-group1
                                   ● Referenced profile: VAP profile wlan-net and regulatory domain
                                     profile default
Regulatory domain profile          ● Name: default
                                   ● Country code: CN
SSID profile                       ● Name: wlan-net
                                   ● SSID name: wlan-net
Security profile                   ● Name: wlan-net
                                   ● Security policy: open
Local user                         ● User name: guest
                                   ● Password: guest@123
Authentication scheme              ● Name: wlan-net
                                   ● Authentication scheme: local
Portal access profile              ● Name: wlan-net
                                   ● The built-in Portal server is used.
                                     – Server IP: 10.1.1.1/24
                                     – SSL policy: default_policy
                                     – Port number: 20000
Authentication-free rule profile   ● Name: default_free_rule
                                   ● Authentication-free resource: IP address of the DNS server
                                     (8.8.8.8)
Authentication Profile             ● Name: wlan-net
                                   ● Referenced profile: Portal access profile wlan-net,
                                     Authentication-free rule profile default_free_rule,
                                     authentication scheme wlan-net
VAP profile                        ● Name: wlan-net
                                   ● Forwarding mode: tunnel forwarding
                                   ● Service VLAN: VLAN 101
                                   ● Referenced profile: SSID profile wlan-net, security profile
                                     wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure built-in Portal authentication for local users.
a. Configure local authentication parameters.
b. Configure a Portal access profile for the built-in Portal server to manage Portal
access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage built-in Portal authentication
configuration.
4. Configure WLAN service parameters to control access from STAs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit


Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure a route from the AC to the DNS server.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure local authentication.

# Configure the local authentication scheme wlan-net.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode local
[AC-aaa-authen-wlan-net] quit

# Configure the user name, password, and service type of the local user.
[AC-aaa] local-user guest password cipher guest@123
[AC-aaa] local-user guest service-type web
[AC-aaa] quit

Step 7 Configure SSL policy default_policy and load a digital certificate.

# Load certificates and the RSA key pair.

NOTE
The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair privatekey.pem have
been requested, obtained, and uploaded to the storage medium of the device. If multiple CA certificates are
requested, perform the same operation to load the certificates to the memory of the device. When
privatekey.pem is generated, the key is Huawei@123.
[AC] pki realm abc
[AC-pki-realm-abc] quit
[AC] pki import-certificate local realm abc pem filename abc_local.pem
[AC] pki import-certificate ca realm abc pem filename abc_ca.pem
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123

# Configure the SSL policy default_policy and load the digital certificate.
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable


# Check the configuration of the SSL policy. The status of the CA and local certificates must
be loaded.
[AC] display ssl policy default_policy
------------------------------------------------------------------------------
Policy name : default_policy
Policy ID : 2
Policy type : Server
Cipher suite : rsa_aes_128_sha256
rsa_aes_256_sha256
PKI realm : abc
Version : tls1.0 tls1.1 tls1.2
Cache number : 32
Time out(second) : 3600
Server certificate load status : loaded
CA certificate chain load status : loaded
SSL renegotiation status : enable
Bind number : 1
SSL connection number : 0
------------------------------------------------------------------------------

Step 8 Configure the Portal access profile wlan-net.

# Enable the built-in Portal server function.


[AC] interface loopback 1
[AC-LoopBack1] ip address 10.1.1.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.1.1.1
[AC] portal local-server https ssl-policy default_policy port 20000

# Create the Portal access profile wlan-net and configure it to use the built-in Portal server.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] portal local-server enable
[AC-portal-access-profile-wlan-net] quit

Step 9 Configure an authentication-free rule profile to allow users to access the DNS server before
authentication.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 10 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] quit

Step 11 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 12 Verify the configuration.


● The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
● The STAs obtain IP addresses when they successfully associate with the WLAN.
● When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
● Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
● AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.1.1
portal local-server https ssl-policy default_policy port 20000
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
#
dhcp enable
#
pki realm abc
pki import-certificate local realm abc pem filename abc_local.pem
pki import-certificate ca realm abc pem filename abc_ca.pem
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
ssl policy default_policy type server
pki-realm abc
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
portal-access-profile name wlan-net
portal local-server enable
#
aaa
authentication-scheme wlan-net
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
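
An added example, not part of the Huawei document: a Python check that reads an AC configuration file in the form printed above and reports four settings from the two Portal examples that a security review would examine: the private-key password readable in the file, TLS 1.0/1.1 enabled in the SSL policy, a Portal URL served over plain HTTP, and a security profile left on the default open-system policy. The sample input is constructed from lines on this page; the check names, and the rule that a non-open policy appears as a `security ...` line inside the profile, are assumptions.

```python
import re

# Constructed sample: lines copied from the two AC configuration files above and
# abridged. A line holding only "#" separates sections, as in the device output.
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
pki realm abc
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
ssl policy default_policy type server
pki-realm abc
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
#
url-template name wlan-net
url http://portal.com:8080/portal
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
security-profile wlan-net
#
return
"""

LEGACY_TLS = {"tls1.0", "tls1.1"}
CIPHERTEXT_MARK = "%^%#"  # wrapper around stored secrets in the files above
# Lines that open a new object inside the wlan section.
BLOCK_START = re.compile(r"^(?:\S+-profile|ap-group) name \S+$|^ap-id \d+")


def split_sections(text):
    """Return the file as a list of sections, each a list of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()  # works for flat and for indented files
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def open_security_profiles(wlan_lines):
    """Find security profiles left on the default open-system policy.

    Assumption: a non-open policy shows up as a line starting with
    "security " inside the profile; the page only shows the empty default.
    """
    protected = {}
    current = None
    for line in wlan_lines:
        if BLOCK_START.match(line):
            m = re.match(r"security-profile name (\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                protected.setdefault(current, False)
        elif (current is not None and line.startswith("security ")
              and line != "security open"):
            protected[current] = True
    return [("open-security-profile", name, "no link-layer encryption")
            for name, ok in protected.items() if not ok]


def audit(text):
    """Return (check, object, detail) tuples for the settings found."""
    findings = []
    for section in split_sections(text):
        head = section[0]
        for line in section:
            m = re.match(r"pki import rsa-key-pair (\S+) .*\bpassword (\S+)$", line)
            if m and not m.group(2).startswith(CIPHERTEXT_MARK):
                findings.append(("cleartext-key-password", m.group(1),
                                 "private-key password readable in the file"))
            if head.startswith("ssl policy ") and line.startswith("version "):
                legacy = sorted(LEGACY_TLS & set(line.split()[1:]))
                if legacy:
                    findings.append(("legacy-tls", head.split()[2], " ".join(legacy)))
            m = re.match(r"url (http://\S+)$", line)
            if m and head.startswith("url-template name "):
                findings.append(("cleartext-portal-url", head.split()[2], m.group(1)))
        if head == "wlan":
            findings.extend(open_security_profiles(section[1:]))
    return findings


if __name__ == "__main__":
    for check, obj, detail in audit(SAMPLE_AC_CONFIG):
        print(f"{check:24} {obj:16} {detail}")
```
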

4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: MAC address-prioritized Portal authentication
● Security policy: open


Figure 4-34 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 4-34 AC data planning


Item                               Data
Management VLAN for APs            VLAN100
Service VLAN for STAs              VLAN101
DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.
IP address pool for APs            10.23.100.2–10.23.100.254/24
IP address pool for STAs           10.23.101.3–10.23.101.254/24
AC's source interface address      VLANIF100: 10.23.100.1/24
AP group                           ● Name: ap-group1
                                   ● Referenced profile: VAP profile wlan-net and regulatory domain
                                     profile default
Regulatory domain profile          ● Name: default
                                   ● Country code: China
SSID profile                       ● Name: wlan-net
                                   ● SSID name: wlan-net
Security profile                   ● Name: wlan-net
                                   ● Security policy: open
RADIUS authentication parameters   Name of the RADIUS authentication scheme: wlan-net
                                   Name of the RADIUS accounting scheme: wlan-net
                                   Name of the RADIUS server template: wlan-net
                                   ● IP address: 10.23.102.1
                                   ● Authentication port number: 1812
                                   ● Shared key: Huawei123
Portal server template             ● Name: wlan-net
                                   ● IP address: 10.23.103.1
                                   ● Destination port number in the packets that the AC sends to the
                                     Portal server: 50200
                                   ● Portal shared key: Huawei123
Portal access profile              ● Name: wlan-net
                                   ● Referenced profile: Portal server template wlan-net
MAC access profile                 Name: wlan-net
Authentication-free rule profile   ● Name: default_free_rule
                                   ● Authentication-free resource: IP address of the DNS server
                                     (8.8.8.8)
Authentication Profile             ● Name: wlan-net
                                   ● Referenced profile: Portal access profile wlan-net, MAC access
                                     profile wlan-net, RADIUS server template wlan-net,
                                     authentication-free rule profile default_free_rule and
                                     authentication scheme wlan-net
VAP profile                        ● Name: wlan-net
                                   ● Forwarding mode: tunnel forwarding
                                   ● Service VLAN: VLAN 101
                                   ● Referenced profile: SSID profile wlan-net, security profile
                                     wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC with the next hop set to the IP address of the Router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
----------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

• In this example, the device is connected to the Agile Controller-Campus. Accounting is not used
  for billing here; accounting packets are used to maintain terminal online information.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time
  accounting interval requires higher performance of the device and RADIUS server. Set the
  real-time accounting interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 13 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 14 Configure third-party server interconnection parameters.


• For interconnection with the Agile Controller-Campus, see "Example for Configuring
  Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
  Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
  Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
  Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 15 Verify the configuration.

• The WLAN with the SSID wlan-net is available for STAs after the configuration is
  complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
  automatically redirected to the authentication page provided by the Portal server. After
  entering the correct user name and password on the page, the user can access the
  network.
• Assume that the MAC address validity period configured on the server is 60 minutes. If a
  user is disconnected from the wireless network for 5 minutes and reconnects to the
  network, the user can directly access the network. If a user is disconnected from the
  wireless network for 65 minutes and reconnects to the network, the user will be
  redirected to the Portal authentication page.

----End


Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
#
return
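
A review aid for the AC configuration file above, as an added example that is not part of the Huawei guide: it follows each VAP profile through its security, authentication, Portal and RADIUS references and reports what the SSID actually enforces. The function names, the REFS map and the finding texts are this example's own, and the input is an abridged copy of the file with a placeholder cipher string.

```python
import re

# Constructed input: the AC configuration file printed above, abridged and un-indented as on
# this page; the cipher string is a placeholder and the AAA scheme lines are left out.
AC_CONFIG = """\
#
authentication-profile name wlan-net
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
radius-server wlan-net
#
radius-server template wlan-net
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#PLACEHOLDER%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
#
mac-access-profile name wlan-net
"""

DEF = re.compile(r'^(\S+?)(?: template| name)? (\S+)$')   # "<kind> [template|name] <name>"
# Object kinds that each kind of object refers to by name in its body.
REFS = {
    'vap-profile': ('ssid-profile', 'security-profile', 'authentication-profile'),
    'authentication-profile': ('mac-access-profile', 'portal-access-profile', 'dot1x-access-profile',
                               'free-rule-template', 'radius-server'),
    'portal-access-profile': ('web-auth-server',),
    'web-auth-server': ('url-template',),
}

def parse(config):
    """Map (kind, name) -> body lines for each object in a '#'-delimited configuration file."""
    objs = {}
    for section in re.split(r'(?m)^#[ \t]*$', config):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        body = None
        for line in lines:
            # The wlan view holds many objects, each opened by "<kind> name <x>";
            # every other section is one object opened by its first line.
            opens = re.fullmatch(r'\S+ name \S+', line) if lines[0] == 'wlan' else body is None
            m = DEF.match(line) if opens else None
            if m:
                body = objs.setdefault((m.group(1), m.group(2)), [])
            elif body is not None:
                body.append(line)
    return objs

def resolve(objs, kind, name, seen, dangling):
    """Depth-first walk of the references reachable from one object."""
    if (kind, name) not in objs:
        dangling.append(f'{kind} {name}')
        return
    seen.setdefault(kind, []).extend(objs[(kind, name)])
    for tok in (line.split() for line in objs[(kind, name)]):
        if len(tok) >= 2 and tok[0] in REFS.get(kind, ()):
            resolve(objs, tok[0], tok[1], seen, dangling)

def audit(config):
    """One report per VAP profile: what the SSID enforces, plus points for a reviewer."""
    objs, reports = parse(config), []
    for kind, name in [k for k in objs if k[0] == 'vap-profile']:
        seen, dangling = {}, []
        resolve(objs, kind, name, seen, dangling)
        def first(k, word):   # text after "<word> " on the first matching line of kind k
            return next((l[len(word) + 1:] for l in seen.get(k, []) if l.startswith(word + ' ')), None)
        policy = first('security-profile', 'security') or 'open system (default)'
        url = first('url-template', 'url')
        findings = [f'dangling reference: {d}' for d in dangling]
        if policy.startswith('open'):
            findings.append('no over-the-air encryption on this SSID')
        if url and url.startswith('http://'):
            findings.append('Portal login page is served over plain HTTP')
        reports.append({
            'ssid': first('ssid-profile', 'ssid'), 'policy': policy, 'portal_url': url,
            'methods': sorted(k.split('-')[0] for k in seen if k.endswith('-access-profile')),
            'radius': first('radius-server', 'radius-server authentication'), 'findings': findings,
            'free_rules': [l for l in seen.get('free-rule-template', []) if l.startswith('free-rule ')],
        })
    return reports
```

Calling `audit()` on text saved from `display current-configuration` works the same way, because the parser strips indentation before matching.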

4.7.4 Example for Configuring 802.1X Authentication


Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES

Figure 4-35 Networking diagram for configuring 802.1x authentication


Data Planning

Table 4-35 Data planning on the AC

Configuration Item              Data

Management VLAN                 VLAN 100

Service VLAN                    VLAN 101

AC's source interface           VLANIF 100: 10.23.100.1/24

DHCP server                     The AC functions as the DHCP server to assign IP
                                addresses to APs, and SwitchB functions as the DHCP
                                server to assign IP addresses to STAs.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for the STAs    10.23.101.2-10.23.101.254/24

RADIUS authentication           • RADIUS server template name: wlan-net
parameters                      • IP address: 10.23.103.1
                                • Authentication port number: 1812
                                • Shared key: huawei@123
                                • Authentication scheme: wlan-net

802.1x access profile           • Name: wlan-net
                                • Authentication mode: EAP

Authentication profile          • Name: wlan-net
                                • Bound profile and authentication scheme: 802.1x
                                  access profile wlan-net, RADIUS server template
                                  wlan-net, and RADIUS authentication scheme
                                  wlan-net

AP group                        • Name: ap-group1
                                • Bound profile: VAP profile wlan-net and
                                  regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+802.1x+AES

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Bound profiles: SSID profile wlan-net, security
                                  profile wlan-net, and authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.
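
Why the two keys must match, as an added example that is not part of the Huawei guide: the shared key never crosses the wire, it only keys the Message-Authenticator on an EAP Access-Request (RFC 3579) and the Response Authenticator on the reply (RFC 2865), which the other side recomputes with its own copy. The packet contents are constructed, the key value is the one from Table 4-35, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 24, 79, 80

def attr(atype, value):
    """One RADIUS attribute: type, length (2-byte header included), value."""
    return struct.pack('!BB', atype, len(value) + 2) + value

def packet(code, ident, authenticator, attrs):
    """RADIUS packet: code, identifier, total length, 16-byte authenticator, attributes."""
    return struct.pack('!BBH', code, ident, 20 + len(attrs)) + authenticator + attrs

def sign_request(secret, ident, request_auth, attrs):
    """AC side: append Message-Authenticator = HMAC-MD5(key, packet with that value zeroed)."""
    zeroed = packet(ACCESS_REQUEST, ident, request_auth,
                    attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return zeroed[:-16] + hmac.new(secret, zeroed, hashlib.md5).digest()

def verify_request(secret, pkt):
    """Server side: recompute the HMAC with the server's key; a mismatch means discard."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False                      # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False                              # no Message-Authenticator present

def sign_response(secret, code, ident, request_auth, attrs):
    """Server side: Response Authenticator = MD5(code, id, length, request auth, attrs, key)."""
    digest = hashlib.md5(packet(code, ident, request_auth, attrs) + secret).digest()
    return packet(code, ident, digest, attrs)

def verify_response(secret, pkt, request_auth):
    """AC side: accept the reply only if its authenticator matches what the AC's key yields."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def exchange(ac_key, server_key):
    """One request and one reply; returns (server accepts request, AC accepts reply).

    The reply is built even when the request check fails, so that both checks are shown;
    a real server silently discards a request whose Message-Authenticator is wrong.
    """
    request_auth = bytes(range(16))                 # constructed; a real AC uses random bytes
    eap_identity = b'\x02\x01\x00\x0b\x01huawei'    # constructed EAP-Response/Identity, user "huawei"
    request = sign_request(ac_key, 1, request_auth,
                           attr(USER_NAME, b'huawei') + attr(EAP_MESSAGE, eap_identity))
    # Reply attributes are abbreviated to a State attribute; a real EAP reply also carries
    # EAP-Message and its own Message-Authenticator.
    reply = sign_response(server_key, ACCESS_CHALLENGE, 1, request_auth, attr(STATE, b'state-0'))
    return verify_request(server_key, request), verify_response(ac_key, reply, request_auth)

if __name__ == '__main__':
    print('matching keys  :', exchange(b'huawei@123', b'huawei@123'))
    print('mismatched keys:', exchange(b'huawei@123', b'Huawei@123'))
```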

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the Router's address.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
  Authentication (CLI)" in the WLAN Product Interoperation Configuration Guide-Typical
  Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
  802.1X Authentication (CLI)" in the WLAN Product Interoperation Configuration
  Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
  Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
  Wireless 802.1X Authentication" in the WLAN Product Interoperation Configuration
  Guide-Typical Configuration for Interconnection Between AC and Huawei Agile
  Controller-Campus Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 7 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID wlan-net, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
       In the Protected EAP Properties dialog box, deselect Validate server
       certificate and click Configure. In the displayed dialog box, deselect
       Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID wlan-net. Set the authentication mode to
       WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
       page that is displayed, select the Security tab page and click Settings. In the
       Protected EAP Properties dialog box, deselect Validate server certificate
       and click Configure. In the displayed dialog box, deselect Automatically use
       my Windows logon name and password and click OK.
    iii. Click OK. On the Wireless Network Properties page, click Advanced
       settings. On the Advanced settings page that is displayed, select Specify
       authentication mode, set the identity authentication mode to User
       authentication, and click OK.
• After wireless users connect to the network, run the display access-user access-type
  dot1x command on the AC to view users in 802.1x authentication mode. The user
  huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username   IP address      MAC             Status
------------------------------------------------------------------------------
460    huawei     10.23.101.254   8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End


Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

● Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return

4.7.5 Example for Configuring MAC Address Authentication


Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
● Service data forwarding mode: direct forwarding
● Authentication mode: open system authentication

Figure 4-36 Networking diagram for configuring MAC address authentication

Data Planning

Table 4-36 Data planning on the AC


Configuration Item              Data

Management VLAN                 VLAN 100

Service VLAN                    VLAN 101

AC's source interface           VLANIF 100: 10.23.100.1/24

DHCP server                     The AC functions as the DHCP server to assign IP
                                addresses to APs, and SwitchB functions as the DHCP
                                server to assign IP addresses to STAs.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for the STAs    10.23.101.2-10.23.101.254/24

RADIUS authentication           ● RADIUS server template name: wlan-net
parameters                      ● IP address: 10.23.103.1
                                ● Authentication port number: 1812
                                ● Shared key: huawei@123
                                ● Authentication scheme: wlan-net

MAC access profile              Name: wlan-net

Authentication profile          ● Name: wlan-net
                                ● Bound profile and authentication scheme: MAC
                                  access profile wlan-net, RADIUS server template
                                  wlan-net, and authentication scheme wlan-net

AP group                        ● Name: ap-group1
                                ● Bound profile: VAP profile wlan-net and
                                  regulatory domain profile default

Regulatory domain profile       ● Name: default
                                ● Country code: CN

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: open system authentication

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 101
                                ● Bound profiles: SSID profile wlan-net, security
                                  profile wlan-net, and authentication profile
                                  wlan-net

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.


Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit


Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit


4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


● For interconnection with the Cisco ISE, see "Example for Configuring MAC Address
  Authentication (CLI)" in the WLAN Product Interoperation Configuration Guide-Typical
  Configuration for Interconnection Between AC and Cisco ISE Server.
● For interconnection with the Aruba ClearPass, see "Example for Configuring MAC
  Address Authentication (CLI)" in the WLAN Product Interoperation Configuration
  Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
  Server.
● For interconnection with the Agile Controller-Campus, see "Example for Configuring
  Wireless MAC Address Authentication" in the WLAN Product Interoperation
  Configuration Guide-Typical Configuration for Interconnection Between AC and
  Huawei Agile Controller-Campus Server.
● For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
● After dumb terminals associate with the WLAN, authentication is performed
  automatically. After the terminals pass authentication, they can access the network.
● After dumb terminals associate with the WLAN, run the display access-user access-type
  mac-authen command on the AC. The command output shows that user huawei
  using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username                IP address       MAC            Status
------------------------------------------------------------------------------
460    huawei                  10.23.101.254    8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End
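
The check below is an added example, not part of the original guide. It parses output in the format of display access-user access-type mac-authen from Step 7 and reports online MAC-authenticated terminals that are missing from an approved inventory, which is worth running because the MAC address is the only credential in this setup. The inventory, the second output row, the function names and the lower-case form of the hyphen-less user name are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Step 7 output format. Row 460 is the row shown in
# the guide; row 461 is invented here to exercise the "not in inventory" path.
SAMPLE_OUTPUT = """\
[AC] display access-user access-type mac-authen
 ------------------------------------------------------------------------------
 UserID Username                IP address       MAC            Status
 ------------------------------------------------------------------------------
 460    huawei                  10.23.101.254    8000-6e74-e78a Success
 461    0011aabbccdd            10.23.101.253    0011-aabb-ccdd Success
 ------------------------------------------------------------------------------
 Total: 2, printed: 2
"""

# Constructed inventory of approved dumb terminals, in mixed notations.
APPROVED_TERMINALS = ["80:00:6E:74:E7:8A", "0011.2233.4455"]

ROW = re.compile(
    r"^\s*(?P<user_id>\d+)\s+(?P<username>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|-)\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<status>\S.*?)\s*$"
)
TOTAL = re.compile(r"Total:\s*(\d+),\s*printed:\s*(\d+)")


def mac_username(mac):
    """Return the MAC without separators, the form the MAC access profile
    sends as user name and password (lower case is assumed here)."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_access_users(text):
    """Return (rows, complete). complete is False when the Total line is
    missing or disagrees with the rows, i.e. the capture was truncated."""
    rows, total, printed = [], None, None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            rows.append(row.groupdict())
            continue
        counts = TOTAL.search(line)
        if counts:
            total, printed = int(counts.group(1)), int(counts.group(2))
    complete = total is not None and total == printed == len(rows)
    return rows, complete


def reconcile(rows, approved):
    """Compare online MAC-authenticated sessions with the inventory."""
    allowed = {mac_username(mac) for mac in approved}
    sessions = defaultdict(list)
    for row in rows:
        sessions[mac_username(row["mac"])].append(row)
    return {
        # Online with a MAC nobody registered.
        "unknown": sorted(mac for mac in sessions if mac not in allowed),
        # The same MAC in more than one session row.
        "duplicated": sorted(m for m, r in sessions.items() if len(r) > 1),
    }


if __name__ == "__main__":
    parsed, complete = parse_access_users(SAMPLE_OUTPUT)
    print("capture complete:", complete)
    print(reconcile(parsed, APPROVED_TERMINALS))
```

A capture reported as incomplete should be taken again before the result is trusted, since unlisted sessions cannot be reconciled.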

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

● Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
mac-access-profile name wlan-net
#
return
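
An added example, not taken from the guide: a short audit that walks the vap-profile, security-profile and authentication-profile stanzas of an AC configuration file and reports which SSIDs combine the default open system policy with MAC-only access. The two inputs are constructed from the AC configuration files of the 802.1X example and of section 4.7.5, with one-space VRP indentation assumed; the function names and verdict labels are hypothetical.

```python
import re

# Constructed input: authentication-related stanzas of the AC configuration
# file from the 802.1X example (one-space VRP indentation is assumed).
DOT1X_AC = """\
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
dot1x-access-profile name wlan-net
#
return
"""

# Constructed input for section 4.7.5: the same stanzas, except that the
# access profile is a MAC access profile and the security profile is empty.
MAC_AC = DOT1X_AC.replace("dot1x-access-profile", "mac-access-profile").replace(
    "  security wpa-wpa2 dot1x aes\n", "")

DEFINITION = re.compile(r"^\s*(\S+) name (\S+)\s*$")
ACCESS_KINDS = ("dot1x-access-profile", "mac-access-profile",
                "portal-access-profile")


def parse_profiles(config):
    """Map (kind, name) to the body lines of each '<kind> name <x>' stanza."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = DEFINITION.match(raw)
        if match:
            current = profiles.setdefault(match.groups(), [])
        elif line in ("", "#", "return"):
            current = None          # '#' closes a top-level view
        elif current is not None:
            current.append(line)
    return profiles


def ref(body, keyword):
    """Return the first argument of the body line that starts with keyword."""
    for line in body:
        parts = line.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None


def audit_vaps(config):
    """Classify every VAP profile by air encryption and access method."""
    profiles = parse_profiles(config)
    results = []
    for (kind, name), body in sorted(profiles.items()):
        if kind != "vap-profile":
            continue
        lookup = lambda k: profiles.get((k, ref(body, k)), [])
        # A security profile without a 'security' line keeps the default,
        # which the guide states is open system authentication.
        policy = next((l for l in lookup("security-profile")
                       if l.startswith("security ")), None)
        methods = [k for k in ACCESS_KINDS
                   if ref(lookup("authentication-profile"), k)]
        if policy is None and methods == ["mac-access-profile"]:
            verdict = "open-mac-only"   # cleartext air, MAC is the credential
        elif policy is None:
            verdict = "open"
        else:
            verdict = "encrypted"
        results.append({"vap": name, "ssid": ref(lookup("ssid-profile"), "ssid"),
                        "policy": policy, "methods": methods,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for label, cfg in (("802.1X example", DOT1X_AC), ("4.7.5", MAC_AC)):
        for item in audit_vaps(cfg):
            print(label, item)
```

An SSID reported as open-mac-only is a candidate for a dedicated service VLAN with restrictive ACLs, since any station that presents an approved MAC address is admitted.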

4.7.6 Example for Configuring MAC Authentication for Local Users

Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: MAC authentication
● Security policy: open

Figure 4-37 Networking for configuring MAC authentication for local users

Data Planning

Table 4-37 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to
                                assign IP addresses to APs.
                                SwitchB functions as a DHCP server to
                                assign IP addresses to STAs. The default
                                gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface           VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net
                                  and regulatory domain profile default

Regulatory domain profile       ● Name: default
                                ● Country code: CN

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: open

Local authentication            ● Name of the local authentication
parameters                        scheme: wlan-net
                                ● User name and password of the local
                                  user: 0011-2233-4455 and guest@123,
                                  respectively, which must be consistent
                                  with those in the MAC access profile
                                ● Access type of the local user: MAC

MAC access profile              ● Name: wlan-net
                                ● User name and password for MAC
                                  address authentication: A MAC address
                                  is used as the user name and the
                                  password is guest@123, which must be
                                  consistent with those in the local
                                  authentication parameters

Authentication profile          ● Name: wlan-net
                                ● Referenced profiles: MAC access profile
                                  wlan-net and authentication scheme
                                  wlan-net

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net,
                                  security profile wlan-net and
                                  authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC authentication for local users.
a. Configure AAA local authentication.
b. Configure a MAC access profile to manage MAC access control parameters.
c. Configure an authentication profile to manage MAC configuration.
4. Configure WLAN service parameters to control access from STAs.


Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure local authentication.

# Configure the local authentication scheme wlan-net.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode local
[AC-aaa-authen-wlan-net] quit

# Configure the user name, password, and service type of the local user. (When AAA local
authentication is used for MAC address authentication users, the service type of the local user
is not matched and checked.)

[AC-aaa] local-user 0011-2233-4455 password cipher guest@123
[AC-aaa] local-user 0011-2233-4455 service-type 8021x
[AC-aaa] quit

Step 6 Configure the MAC access profile wlan-net.


NOTE
When AAA local authentication and authorization are used, the user name and password for MAC address
authentication must be the same as those of the AAA local user. In this example, the user name of the local
user is the terminal's MAC address with hyphens (-) and the password is guest@123.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] mac-authen username macaddress format with-hyphen password cipher guest@123
[AC-mac-access-profile-wlan-net] quit

Step 7 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] quit

Step 8 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 9 Verify the configuration.

After dumb terminals associate with the WLAN, authentication is performed automatically.
Users can directly access the network after the authentication succeeds.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
local-user 0011-2233-4455 password cipher %^%#UOqb<rt$CW%80lUOh;xKLN;s~^Icp!s7MZ.8(Y|5%^%#
local-user 0011-2233-4455 privilege level 0
local-user 0011-2233-4455 service-type 8021x
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format with-hyphen password cipher %^%#PW~_5m;sAFFI.cEB"%^@6@4$96ds_5+O'28+d3:A%^%#
#
return
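
The rules this example relies on (tunnel forwarding needs a service VLAN different from the management VLAN, AP-facing switch ports need port isolation, and a security profile with no policy line stays at the default open system) can be checked against saved configuration files. The Python script below is an added example, not Huawei tooling and not part of the original document; the function names, finding codes, the indentation of the sample files, and the rule that an AP-facing port is a trunk whose PVID is the management VLAN are assumptions.

```python
# Constructed samples: the AC and SwitchA configuration files from the example
# above, cut down to the lines the checks read. The one-space-per-level
# indentation is an assumption about how the device prints nested views.
AC_CONFIG = """\
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
return
"""

SWITCHA_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def parse_tree(text):
    """Build a tree of config lines from their leading-space indentation."""
    root = {"text": "", "children": []}
    stack = [(-1, root)]                       # (indent depth, node)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):        # separators carry no settings
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = {"text": line, "children": []}
        while stack[-1][0] >= depth:           # climb back to this line's parent
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((depth, node))
    return root


def child_value(node, prefix):
    """Return the text after `prefix` on the first matching child, else None."""
    for child in node["children"]:
        if child["text"].startswith(prefix):
            return child["text"][len(prefix):].strip()
    return None


def audit_ac(text):
    """Return (code, vap_profile) findings for an AC configuration."""
    root = parse_tree(text)
    mgmt = child_value(root, "capwap source interface vlanif")
    findings = []
    for wlan in (n for n in root["children"] if n["text"] == "wlan"):
        # A security profile with no "security ..." line keeps the default
        # policy, which the page states is open system.
        policy = {n["text"].split()[-1]: child_value(n, "security ")
                  for n in wlan["children"]
                  if n["text"].startswith("security-profile name ")}
        for vap in wlan["children"]:
            if not vap["text"].startswith("vap-profile name "):
                continue
            name = vap["text"].split()[-1]
            tunnel = child_value(vap, "forward-mode ") == "tunnel"
            svc = child_value(vap, "service-vlan vlan-id ")
            if tunnel and mgmt is not None and svc == mgmt:
                findings.append(("TUNNEL_VLAN_CLASH", name))
            sec = child_value(vap, "security-profile ")
            if sec in policy and policy[sec] is None:
                findings.append(("OPEN_SYSTEM", name))
    return findings


def audit_switch(text, mgmt_vlan):
    """Flag AP-facing ports (assumed: trunk PVID == management VLAN) that lack
    port isolation."""
    findings = []
    for node in parse_tree(text)["children"]:
        if not node["text"].startswith("interface "):
            continue
        pvid = child_value(node, "port trunk pvid vlan ")
        isolated = child_value(node, "port-isolate enable") is not None
        if pvid == str(mgmt_vlan) and not isolated:
            findings.append(("NO_PORT_ISOLATE", node["text"].split()[1]))
    return findings
```

Run against the files as shown, the only finding is the open system security policy on VAP profile wlan-net, which is what Step 8 configures for MAC address authentication.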

4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES

Figure 4-38 Networking for configuring user authorization based on user groups

Data Planning

Table 4-38 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
802.1x access profile | Name: wlan-net; Authentication mode: EAP
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1X+AES
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net
User group | Name: group1; Bound ACL number: 3001; User group right: Only members in the user group can access network resources on 10.23.200.0/24.

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure a user group.

# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit

Step 7 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring User
Authorization Based on User Groups (CLI)" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and Cisco
ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring User
Authorization Based on User Groups (CLI)" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and Aruba
ClearPass Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 8 Verify the configuration.
• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#

dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return


4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server

Networking Requirements
As shown in Figure 4-39, the AC of a shop directly connects to an AP. The shop deploys a
WLAN wlan-net to provide wireless network access for consumers. The AC functions as a
DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.
To improve its brand popularity and image, the shop allows consumers to connect to the open
Wi-Fi network using WeChat. Users can obtain access to the Internet by WeChat
authentication, without the need to enter a user name or password.

Figure 4-39 Networking diagram for configuring WeChat authentication using a built-in
Portal server

[Figure 4-39 labels: STAs; AP area_1; AC with built-in Portal server (10.1.1.1/24), GE0/0/1 (VLAN100) and GE0/0/2 (VLAN101); intranet; WeChat server; DNS server (10.23.200.2). Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices, and the AP can go online.
2. Set the AAA authentication mode to none.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure the social media authentication server.
5. Configure WeChat authentication for WeChat users.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters, and bind a security policy profile and the
authentication profile to a VAP profile to control access of STAs.


Data Plan
Item                                      Data

Portal access profile                     ● Name: portal1
                                          ● The built-in Portal server is used.
                                            – IP address of the built-in portal server: 10.1.1.1/24
                                            – HTTP port number: 1025

WeChat authentication profile             ● WeChat public account ID: wxappid123
                                          ● WeChat public account key: huawei@123
                                          ● The AC automatically obtains shop information from the WeChat
                                            server. Parameter settings of the WeChat server are:
                                            – PKI domain: pki-wechat
                                            – Default domain name: api.weixin.qq.com
                                            – SSL policy name and type: ssl-wechat and client
                                            – Default port number: 443

DNS server                                IP address: 10.23.200.2

Authentication-free rule profile          ● Name: default_free_rule
                                          ● Authentication-free resource: IP address of the DNS server
                                            (10.23.200.2)

Authentication profile                    ● Name: p1
                                          ● Bound profile and authentication scheme: Portal access profile
                                            portal1 and authentication scheme wechat

DHCP server                               The AC functions as a DHCP server to assign IP addresses to the
                                          AP and STAs.

IP address pool for the AP                10.23.100.2 to 10.23.100.254/24

IP address pool for STAs                  10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24

AP group                                  ● Name: ap-group1
                                          ● Bound profiles: VAP profile wlan-vap and regulatory domain
                                            profile domain1

Regulatory domain profile                 ● Name: domain1
                                          ● Country code: CN

SSID profile                              ● Name: wlan-ssid
                                          ● SSID name: wlan-net

Security profile                          ● Name: wlan-security
                                          ● Security policy: open system authentication

VAP profile                               ● Name: wlan-vap
                                          ● Forwarding mode: tunnel forwarding
                                          ● Service VLAN: VLAN 101
                                          ● Bound profiles: SSID profile wlan-ssid, security profile
                                            wlan-security, and authentication profile p1

Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

NOTE

In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.


# Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as a DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the server area (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure an AAA scheme.


[AC] aaa
[AC-aaa] authentication-scheme wechat
[AC-aaa-authen-wechat] authentication-mode none
Warning: The configured authentication modes include none authentication, and so
security risks exist. Continue?[Y/N]y
[AC-aaa-authen-wechat] quit
[AC-aaa] quit

Step 7 Configure the Portal access profile portal1.


# Enable the built-in Portal server function.
[AC] interface loopback 1
[AC-LoopBack1] ip address 10.1.1.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.1.1.1
[AC] portal local-server http port 1025

# Create the Portal access profile portal1 and configure it to use the built-in Portal server and
WeChat authentication function.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] portal local-server wechat
[AC-portal-access-profile-portal1] quit

Step 8 Configure the social media authentication server. For details, see Agile Controller-Campus
Product Documentation - Example for Configuring Guest Access Using Social Media
Accounts (GooglePlus, Facebook, or Twitter Accounts).
Step 9 Configure WeChat authentication.
# Configure the WeChat account.
[AC] portal local-server wechat-authen
[AC-wechat-authen] public-account appid wxappid123 appsecret huawei@123
[AC-wechat-authen] quit

# Enable dynamic domain name resolution.


[AC] dns resolve
[AC] dns server 10.23.200.2

# Disable certificate authentication for the SSL server.


[AC] pki realm pki-wechat
[AC-pki-realm-pki-wechat] quit
[AC] ssl policy ssl-wechat type client
[AC-ssl-policy-ssl-wechat] pki-realm pki-wechat
[AC-ssl-policy-ssl-wechat] undo server-verify enable
[AC-ssl-policy-ssl-wechat] quit

# Configure the AC to automatically obtain shop information from the WeChat server.
[AC] portal local-server wechat-authen
[AC-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
[AC-wechat-authen] polling-time 4800
[AC-wechat-authen] quit


Step 10 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
[AC-free-rule-default_free_rule] quit

Step 11 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authentication-profile-p1] portal-access-profile portal1
[AC-authentication-profile-p1] free-rule-template default_free_rule
[AC-authentication-profile-p1] authentication-scheme wechat
[AC-authentication-profile-p1] quit

Step 12 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 13 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.

[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 14 Verify the configuration.


● After the configuration is complete, STAs can discover the wireless network with the
SSID wlan-net.
● STAs can be assigned IP addresses after they associate with the wireless network.
● When a user opens WeChat, the Portal authentication page is displayed automatically on
the STA. After the user is authenticated, the user can connect to the Internet.

----End

Configuration Files
AC configuration file
#
sysname AC
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#
dhcp enable
#
pki realm pki-wechat
#
ssl policy ssl-wechat type client
pki-realm pki-wechat
undo server-verify enable
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
portal-access-profile name portal1
portal local-server enable
portal local-server wechat
#
aaa
authentication-scheme wechat
authentication-mode none
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
portal local-server wechat-authen
public-account appid wxappid123 appsecret %^%#/]:uVmjLj%zfx+%f5$*-6uV>6e8W`$ZT"iEq)zNY%^%#
polling-time 4800
wechat-server-ip ssl-policy ssl-wechat
#
return
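
The relaxed settings this example depends on can be checked for in a saved configuration. The following Python script is an added example, not part of the Huawei documentation or any Huawei tool: it parses a configuration in the format shown above and reports authentication-mode none, undo server-verify enable, a free rule whose mask covers more than one host, and a security profile left at the default open system policy. The check names, function names and the re-indented sample are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the AC configuration file from this example,
# re-indented by hand. Section boundaries are the lines that hold only "#".
SAMPLE_CONFIG = """\
#
sysname AC
#
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  security-profile wlan-security
#
return
"""

FREE_RULE = re.compile(r"free-rule (\d+) destination ip (\S+) mask (\S+)")


def split_sections(text):
    """Return the config as a list of sections, each a list of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(text):
    """Return (check_id, detail) tuples for the relaxed settings found."""
    findings = []
    for section in split_sections(text):
        head, body = section[0], section[1:]
        if head.startswith("ssl policy ") and "undo server-verify enable" in body:
            # The TLS client accepts any certificate the server presents.
            findings.append(("tls-server-unverified", head.split()[2]))
        elif head.startswith("free-rule-template name "):
            template = head.split()[2]
            for line in body:
                m = FREE_RULE.match(line)
                if not m:
                    continue
                # Accepts both a mask length (24) and a dotted mask (255.255.255.0).
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                if net.num_addresses > 1:
                    # Pre-authentication access reaches the whole prefix, not one host.
                    findings.append(("free-rule-wider-than-host",
                                     f"{template} rule {m.group(1)}: {net}"))
        elif head == "aaa":
            scheme = None
            for line in body:
                words = line.split()
                if words[0] == "authentication-scheme":
                    scheme = words[1]
                elif words[0] == "authentication-mode" and "none" in words[1:]:
                    findings.append(("aaa-mode-none", scheme))
        elif head == "wlan":
            for i, line in enumerate(body):
                if not line.startswith("security-profile name "):
                    continue
                nxt = body[i + 1] if i + 1 < len(body) else ""
                if not nxt.startswith("security "):
                    # No policy line under the profile: the default (open system) applies.
                    findings.append(("open-security-profile", line.split()[2]))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```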


4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs

Service Requirements
Enterprise users can access the Internet through the WLAN to meet basic mobile office
requirements. When roaming occurs in the coverage area, user services will not be
interrupted.
Administrators want to deploy different SSIDs for WLAN access of guests and employees,
and different authentication modes for them to ensure WLAN security.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 4-40 Networking diagram for configuring different authentication modes for multiple
SSIDs


Data Planning

Table 4-39 AC data planning


Item                                      Data

Management VLAN for APs                   VLAN 100

Service VLAN for STAs                     ● Employees: VLAN 101
                                          ● Guests: VLAN 102

DHCP server                               The AC functions as a DHCP server to assign IP addresses to APs.
                                          SwitchB functions as a DHCP server to assign IP addresses to
                                          STAs. The default gateways for STAs are 10.23.101.2 and
                                          10.23.102.2.

IP address pool for APs                   10.23.100.2-10.23.100.254/24

IP address pool for STAs                  10.23.101.3-10.23.101.254/24
                                          10.23.102.3-10.23.102.254/24

IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24

RADIUS authentication parameters          ● RADIUS server template name: wlan-net
                                          ● IP address: 10.23.102.1
                                          ● Authentication port number: 1812
                                          ● Shared key: Huawei123
                                          ● Authentication scheme: wlan-net
                                          ● Accounting scheme: wlan-net

Portal server template                    ● Name: wlan-net
                                          ● IP address: 10.23.103.1
                                          ● Port number: 50200
                                          ● Shared key: Huawei123
                                          ● Referenced template: URL template wlan-net

Portal access profile                     ● Name: wlan-net
                                          ● Referenced template: Portal server template wlan-net

MAC access profile                        Name: wlan-net

Authentication-free rule profile          ● Name: default_free_rule
                                          ● Authentication-free resource: DNS server with IP address
                                            8.8.8.8

802.1x access profile                     ● Name: wlan-net
                                          ● Authentication mode: EAP

Authentication profile                    ● Name: employee
                                          ● Referenced profiles and authentication schemes: 802.1x access
                                            profile wlan-net, RADIUS server template wlan-net, and
                                            authentication scheme wlan-net
                                          ● Name: guest
                                          ● Referenced profiles and authentication schemes: Portal access
                                            profile wlan-net, MAC access profile wlan-net, RADIUS server
                                            template wlan-net, authentication scheme wlan-net, accounting
                                            scheme wlan-net, and authentication-free rule template
                                            default_free_rule

AP group                                  ● Name: ap-group1
                                          ● Referenced profiles: VAP profiles employee and guest, and
                                            regulatory domain profile default

Regulatory domain profile                 ● Name: default
                                          ● Country code: China

SSID profile                              ● Name: employee
                                          ● SSID name: employee
                                          ● Name: guest
                                          ● SSID name: guest

Security profile                          ● Name: employee
                                          ● Security policy: WPA-WPA2+802.1x+AES
                                          ● Name: guest
                                          ● Security policy: open

VAP profile                               ● Name: employee
                                          ● Forwarding mode: tunnel forwarding
                                          ● Service VLAN: VLAN 101
                                          ● Referenced profiles: SSID profile employee, security profile
                                            employee, and authentication profile employee
                                          ● Name: guest
                                          ● Forwarding mode: tunnel forwarding
                                          ● Service VLAN: VLAN 102
                                          ● Referenced profiles: SSID profile guest, security profile
                                            guest, and authentication profile guest


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure APs to go online.
3. Configure 802.1x authentication and MAC address-prioritized Portal authentication.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and add both GE0/0/2 and GE0/0/3 to
VLAN 101 and VLAN 102.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to provide IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit

Step 4 Configure the AC's default routes with VLANIF 101 and VLANIF 102 on the router as the
next hops.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.2

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

● In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for actual accounting here; it maintains terminal online information through accounting packets.
● The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.


User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure an 802.1x access profile to manage 802.1x access control parameters.
# Create 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit


Step 13 Configure authentication profiles employee and guest.


[AC] authentication-profile name employee
[AC-authentication-profile-employee] dot1x-access-profile wlan-net
[AC-authentication-profile-employee] authentication-scheme wlan-net
[AC-authentication-profile-employee] radius-server wlan-net
[AC-authentication-profile-employee] quit
[AC] authentication-profile name guest
[AC-authentication-profile-guest] portal-access-profile wlan-net
[AC-authentication-profile-guest] mac-access-profile wlan-net
[AC-authentication-profile-guest] free-rule-template default_free_rule
[AC-authentication-profile-guest] authentication-scheme wlan-net
[AC-authentication-profile-guest] accounting-scheme wlan-net
[AC-authentication-profile-guest] radius-server wlan-net
[AC-authentication-profile-guest] quit

Step 14 Configure WLAN service parameters.

# Create security profiles employee and guest, and set the security policies to
WPA-WPA2+802.1X+AES and open, respectively.
[AC] wlan
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] quit

# Create SSID profiles employee and guest, and set the SSID names to employee and guest,
respectively.
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit

# Create VAP profiles employee and guest, set the data forwarding mode and service
VLANs, and bind the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-id 101
[AC-wlan-vap-prof-employee] security-profile employee
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile employee
[AC-wlan-vap-prof-employee] quit
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 102
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile guest
[AC-wlan-vap-prof-guest] quit

# Bind the VAP profiles to the AP groups, and apply configurations of VAP profiles employee
and guest to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 15 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 16 Verify the configuration.


• An employee can use a STA to find the WLAN with SSID employee. After being
  associated with the WLAN, the STA is assigned an IP address. After the employee uses
  an 802.1x client on the STA for authentication and enters the correct user name and
  password, the STA is authenticated and can access the WLAN. The configuration
  method on the 802.1x client is as follows:
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID employee, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
        In the Protected EAP Properties dialog box, deselect Validate server
        certificate and click Configure. In the displayed dialog box, deselect
        Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID employee. Set the authentication mode
       to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
        page that is displayed, select the Security tab page and click Settings. In the
        Protected EAP Properties dialog box, deselect Validate server certificate
        and click Configure. In the displayed dialog box, deselect Automatically use
        my Windows logon name and password and click OK.
    iii. On the Wireless Network Properties page, click Advanced settings. On the
         Advanced settings page that is displayed, select Specify authentication
         mode, set the identity authentication mode to User authentication, and click
         OK.


• A guest can use a STA to find the WLAN with SSID guest. After being associated with
  the WLAN, the STA is assigned an IP address. When the STA accesses the Internet
  through a browser, the authentication page provided by the Portal server is automatically
  displayed. After the correct user name and password are entered on the page, the STA is
  authenticated and can access the WLAN. Assume that the MAC address configured on
  the Portal server is valid for 60 minutes. When the STA is disconnected from the WLAN
  for 5 minutes, the STA can access the Internet directly when reconnecting to the WLAN.
  When the STA is disconnected from the WLAN for 65 minutes, it will be redirected to
  the Portal authentication page when reconnecting to the WLAN.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return


• Router configuration file


#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name employee
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
authentication-profile name guest
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
accounting-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
url-parameter ssid ssid redirect-url url
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
ip route-static 0.0.0.0 0.0.0.0 10.23.102.2
#
capwap source interface vlanif100
#
wlan
security-profile name guest
security-profile name employee
security wpa-wpa2 dot1x aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile guest
security-profile guest
authentication-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile employee
security-profile employee
authentication-profile employee
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile employee wlan 1
vap-profile guest wlan 2
radio 1
vap-profile employee wlan 1
vap-profile guest wlan 2
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
mac-access-profile name wlan-net
#
return
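
Added example (not part of the Huawei document): a Python audit that follows the profile bindings configured in Steps 7 to 14, from each VAP profile to its SSID, security and authentication profiles and on to the Portal URL template, and reports what each SSID enforces. The embedded configuration is a trimmed, constructed copy of the AC configuration file above with the key ciphertext replaced by a placeholder; the function names are assumptions of this example.

```python
import re

# Constructed sample: the AC configuration file above, trimmed to the lines the
# audit reads. <ciphertext> is a placeholder for the stored key.
SAMPLE_AC_CONFIG = """\
authentication-profile name employee
 dot1x-access-profile wlan-net
authentication-profile name guest
 mac-access-profile wlan-net
 portal-access-profile wlan-net
#
url-template name wlan-net
 url http://portal.com:8080/portal
#
web-auth-server wlan-net
 url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher <ciphertext>
#
portal-access-profile name wlan-net
 web-auth-server wlan-net direct
#
wlan
 security-profile name guest
 security-profile name employee
  security wpa-wpa2 dot1x aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  service-vlan vlan-id 102
  ssid-profile guest
  security-profile guest
  authentication-profile guest
 vap-profile name employee
  service-vlan vlan-id 101
  ssid-profile employee
  security-profile employee
  authentication-profile employee
"""

# A block starts at "<kind> name <name>" or at a bare "web-auth-server <name>".
HEADER = re.compile(r"^(\S+) name (\S+)$|^(web-auth-server) (\S+)$")


def parse_blocks(text):
    """Return {(kind, name): [lines]}. Lines are stripped, so lost indentation is fine."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if line in ("", "#"):
            current = None  # '#' closes the current view
        elif m:
            kind, name = m.group(1, 2) if m.group(1) else m.group(3, 4)
            current = blocks.setdefault((kind, name), [])
        elif current is not None:
            current.append(line)
    return blocks


def value(lines, key, default=None):
    """Text after 'key ' on the first line that starts with it."""
    return next((ln[len(key) + 1:] for ln in lines if ln.startswith(key + " ")), default)


def deref(blocks, lines, kind):
    """Lines of the <kind> block that `lines` references by name ([] if none)."""
    name = (value(lines, kind) or "").split()[:1]
    return blocks.get((kind, *name), [])


def portal_url(blocks, auth):
    """Follow portal-access-profile -> web-auth-server -> url-template -> url."""
    server = deref(blocks, deref(blocks, auth, "portal-access-profile"), "web-auth-server")
    return value(deref(blocks, server, "url-template"), "url")


def audit_ssids(text):
    """Resolve each VAP profile to what its SSID enforces."""
    blocks, report = parse_blocks(text), {}
    for name, vap in [(n, b) for (k, n), b in blocks.items() if k == "vap-profile"]:
        auth = deref(blocks, vap, "authentication-profile")
        # No 'security' line means the open policy (the guest profile in Step 14).
        policy = value(deref(blocks, vap, "security-profile"), "security", "open")
        url = portal_url(blocks, auth)
        report[value(deref(blocks, vap, "ssid-profile"), "ssid", name)] = {
            "policy": policy,
            "methods": [m for m in ("dot1x", "mac", "portal") if value(auth, m + "-access-profile")],
            "vlan": value(vap, "service-vlan vlan-id"),
            "portal_url": url,
            # Open SSID plus an http:// Portal page: the login crosses the air unencrypted.
            "cleartext_portal_login": policy == "open" and (url or "").startswith("http://"),
        }
    return report


if __name__ == "__main__":
    for ssid, info in audit_ssids(SAMPLE_AC_CONFIG).items():
        print(ssid, info)
```

Because lines are stripped before matching, the same functions accept the configuration files as printed in this document, where the indentation of sub-commands is not preserved.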

4.8 Reliability Configuration Examples


4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios


Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
  the core layer. SwitchB is the active switch and SwitchC is the standby switch.


Figure 4-41 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)

[Figure not reproduced. Devices shown, top to bottom: Internet; Router; AC1 and AC2, interconnected
through GE0/0/2 (VLAN 102) and each connected through GE0/0/1 (VLAN 100-101) to the CSS; SwitchB
(GE1/1/0/1, GE1/1/0/2) and SwitchC (GE2/1/0/1, GE2/1/0/2) forming the CSS; Eth-Trunk10 (VLAN 100-101)
to SwitchA (GE0/0/2, GE0/0/3); SwitchA GE0/0/1 (VLAN 100-101) to the AP; STA.
Management VLAN: VLAN 100]

Data Planning

Table 4-40 AC data planning

Item                                        Data
------------------------------------------  ------------------------------------------------
AC1's source interface                      Virtual IP address: 10.23.100.3/24
AC2's source interface                      Virtual IP address: 10.23.100.3/24
Virtual IP address of the management        10.23.100.3/24
VRRP group
Virtual IP address of the service           10.23.101.3/24
VRRP group
VAP profile                                 • Name: wlan-net
                                            • Forwarding mode: direct forwarding
                                            • Service VLAN: VLAN 101
                                            • Referenced profiles: SSID profile wlan-net and
                                              security profile wlan-net
AP group                                    • Name: ap-group1
                                            • Referenced profiles: VAP profile wlan-net and
                                              regulatory domain profile default
Regulatory domain profile                   • Name: default
                                            • Country code: China
SSID profile                                • Name: wlan-net
                                            • SSID name: wlan-net
Security profile                            • Name: wlan-net
                                            • Security policy: WPA-WPA2+PSK+AES
                                            • Password: a1234567
DHCP server                                 The AC functions as a DHCP server to assign IP
                                            addresses to APs and STAs.
APs' gateway                                VLANIF 100: 10.23.100.3/24
IP address pool for APs                     10.23.100.4 to 10.23.100.254/24
STAs' gateway                               VLANIF 101: 10.23.101.3/24
IP address pool for STAs                    10.23.101.4 to 10.23.101.254/24
IP addresses and port numbers for the       IP address of VLANIF 102: 10.23.102.1/24
active and standby channels of AC1          Port number: 10241
IP addresses and port numbers for the       IP address of VLANIF 102: 10.23.102.2/24
active and standby channels of AC2          Port number: 10241


Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
4. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
6. Configure the wireless configuration synchronization function in VRRP HSB scenarios.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Check whether loops occur on the wired network. If loops occur, configure MSTP on
  corresponding NEs.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power    Register     Status   Role
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
5     -   ET1D2G48SEC0 Present   PowerOn  Registered   Normal   NA
7     -   ET1D2X16SSC0 Present   PowerOn  Registered   Normal   NA
9     -   ET1D2MPUA000 Present   PowerOn  Registered   Normal   Slave
10    -   ET1D2MPUA000 Present   PowerOn  Registered   Normal   Master
12    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
13    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
14    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
PWR1  -   -            Present   PowerOn  Registered   Normal   NA
PWR2  -   -            Present   PowerOn  Registered   Normal   NA
CMU2  -   EH1D200CMU00 Present   PowerOn  Registered   Normal   Master
FAN1  -   -            Present   PowerOn  Registered   Normal   NA
FAN2  -   -            Present   PowerOn  Registered   Normal   NA
FAN3  -   -            Present   PowerOn  Registered   Normal   NA
FAN4  -   -            Present   PowerOn  Registered   Normal   NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power    Register     Status   Role
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
3     -   ET1D2G48SEC0 Present   PowerOn  Registered   Normal   NA
4     -   ET1D2X16SSC0 Present   PowerOn  Registered   Normal   NA
9     -   ET1D2MPUA000 Present   PowerOn  Registered   Normal   Slave
10    -   ET1D2MPUA000 Present   PowerOn  Registered   Normal   Master
12    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
13    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
14    -   ET1D2SFUD000 Present   PowerOn  Registered   Normal   NA
      1   EH1D2VS08000 Present   PowerOn  Registered   Normal   NA
PWR1  -   -            Present   PowerOn  Registered   Normal   NA
PWR2  -   -            Present   PowerOn  Registered   Normal   NA
CMU1  -   EH1D200CMU00 Present   PowerOn  Registered   Normal   Master
FAN1  -   -            Present   PowerOn  Registered   Normal   NA
FAN2  -   -            Present   PowerOn  Registered   Normal   NA
FAN3  -   -            Present   PowerOn  Registered   Normal   NA
FAN4  -   -            Present   PowerOn  Registered   Normal   NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id   CSS Enable   CSS Status   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            On           Master       CSS card   100        Off
2            On           Standby      CSS card   10         Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.

# Check whether the cluster links are normal.


<SwitchB> display css channel
              Chassis 1              ||              Chassis 2
--------------------------------------------------------------------------------
Num  [Port]      [Speed]             ||  [Speed]     [Port]
1    1/1/0/1     10G                     10G         2/1/0/1
2    1/1/0/2     10G                     10G         2/1/0/2
3    1/1/0/3     10G                     10G         2/1/0/3
4    1/1/0/4     10G                     10G         2/1/0/4
5    1/1/0/5     10G                     10G         2/1/0/5
6    1/1/0/6     10G                     10G         2/1/0/6
7    1/1/0/7     10G                     10G         2/1/0/7
8    1/1/0/8     10G                     10G         2/1/0/8
9    1/12/0/1    10G                     10G         2/12/0/1
10   1/12/0/2    10G                     10G         2/12/0/2
11   1/12/0/3    10G                     10G         2/12/0/3
12   1/12/0/4    10G                     10G         2/12/0/4
13   1/12/0/5    10G                     10G         2/12/0/5
14   1/12/0/6    10G                     10G         2/12/0/6
15   1/12/0/7    10G                     10G         2/12/0/7
16   1/12/0/8    10G                     10G         2/12/0/8
17   1/13/0/1    10G                     10G         2/13/0/1
18   1/13/0/2    10G                     10G         2/13/0/2
19   1/13/0/3    10G                     10G         2/13/0/3
20   1/13/0/4    10G                     10G         2/13/0/4
21   1/13/0/5    10G                     10G         2/13/0/5
22   1/13/0/6    10G                     10G         2/13/0/6
23   1/13/0/7    10G                     10G         2/13/0/7
24   1/13/0/8    10G                     10G         2/13/0/8
25   1/14/0/1    10G                     10G         2/14/0/1
26   1/14/0/2    10G                     10G         2/14/0/2
27   1/14/0/3    10G                     10G         2/14/0/3
28   1/14/0/4    10G                     10G         2/14/0/4
29   1/14/0/5    10G                     10G         2/14/0/5
30   1/14/0/6    10G                     10G         2/14/0/6
31   1/14/0/7    10G                     10G         2/14/0/7
32   1/14/0/8    10G                     10G         2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN
users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, and add Eth-Trunk 10 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.


[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.


[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not repeated here.

Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.


[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.


[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1.


1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.


[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Configure private WLAN services on AC2.

# Configure the source address of AC2.


[AC2] capwap source ip-address 10.23.100.3

Step 9 Configure the wireless configuration synchronization function in VRRP HSB scenarios.

# Configure the wireless configuration synchronization function on AC1.


[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit

# Configure the wireless configuration synchronization function on AC2.


[AC2] wlan
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit

Step 10 Trigger wireless configuration synchronization manually.

# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The command output displays cfg-mismatch. Wireless configuration
synchronization must be manually triggered from the master AC to the backup master AC.
Wait until the backup master AC completes automatic restart.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status                           Last synced
----------------------------------------------------------------------------------------------------
10.23.102.2    Backup  AC6605       V200R009C00  cfg-mismatch(config check fail)  -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

Step 11 Verify the configuration.


1. Verify VRRP.
# After the configurations are complete, run the display vrrp command on AC1 and
AC2. In the command output, the State field of AC1 is Master and that of AC2 is
Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:22
Last change time : 2016-11-17 16:58:25

Vlanif101 | Virtual Router 2
State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:35
Last change time : 2016-11-17 16:58:38
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00

Vlanif101 | Virtual Router 2
State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service
status. In the command output, the Service State field is Connected, indicating that the
HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group
status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
AP
DHCP
---------------------------------------------------------

2. Verify wireless configuration synchronization.


# Run the display sync-configuration status command on the master AC and backup
master AC to view the wireless configuration synchronization status. If the status is up,
the wireless configuration synchronization function is properly working.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status  Last synced
-----------------------------------------------------------------------------------------
10.23.102.2    Backup  AC6605       V200R009C00  up      2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status  Last synced
-----------------------------------------------------------------------------------------
10.23.102.1    Master  AC6605       V200R009C00  up      2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

3. The WLAN with SSID wlan-net is available to STAs connected to the AP, and these STAs
can connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.

----End
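The VRRP checks in Step 11 can be scripted. The following Python code is an added example, not part of the Huawei document: it parses display vrrp output captured from both ACs, confirms that each VRID has exactly one Master with the same virtual IP address on both peers, checks that the member group follows the admin-vrrp group on each device, and reports groups whose Auth type is NONE. The sample text is constructed from the output shown in Step 11, and the function names are assumptions.

```python
import re

# Constructed samples modelled on the `display vrrp` output in Step 11
# (only the fields the checks use are kept).
AC1_VRRP = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
Preempt : YES Delay Time : 1800 s
Auth type : NONE
Config type : admin-vrrp

Vlanif101 | Virtual Router 2
State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
Auth type : NONE
Config type : member-vrrp
"""

AC2_VRRP = """\
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
Auth type : NONE
Config type : admin-vrrp

Vlanif101 | Virtual Router 2
State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
Auth type : NONE
Config type : member-vrrp
"""

HEADER = re.compile(r"^\s*(\S+)\s*\|\s*Virtual Router\s+(\d+)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.+?)\s*$")


def parse_display_vrrp(text):
    """Return {vrid: {field: value}} for every group in `display vrrp` output."""
    groups, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"Interface": header.group(1)}
            groups[int(header.group(2))] = current
            continue
        field = FIELD.match(line)
        if field and current is not None:
            # The key ends at the first colon, so timestamps stay intact.
            current.setdefault(field.group(1), field.group(2))
    return groups


def check_vrrp_pair(out_a, out_b, names=("AC1", "AC2")):
    """Compare both peers' output and return a list of finding strings."""
    a, b = parse_display_vrrp(out_a), parse_display_vrrp(out_b)
    findings = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"ERROR vrid {vrid}: configured on one peer only")
            continue
        states = [a[vrid].get("State"), b[vrid].get("State")]
        if states.count("Master") != 1:
            findings.append(f"ERROR vrid {vrid}: expected exactly one Master, got {states}")
        if a[vrid].get("Virtual IP") != b[vrid].get("Virtual IP"):
            findings.append(f"ERROR vrid {vrid}: virtual IP differs between peers")
        for name, grp in zip(names, (a[vrid], b[vrid])):
            if grp.get("Auth type", "").upper() == "NONE":
                findings.append(f"WARN vrid {vrid} on {name}: VRRP advertisements are unauthenticated")
    # A member group tracks the admin group, so on each device they must agree.
    for name, groups in zip(names, (a, b)):
        admin = [g.get("State") for g in groups.values()
                 if g.get("Config type") == "admin-vrrp"]
        for vrid, grp in groups.items():
            if (grp.get("Config type") == "member-vrrp" and admin
                    and grp.get("State") != admin[0]):
                findings.append(f"ERROR vrid {vrid} on {name}: member state differs from admin-vrrp state")
    return findings


if __name__ == "__main__":
    for finding in check_vrrp_pair(AC1_VRRP, AC2_VRRP):
        print(finding)
```

An ERROR line means the pair is not in the state Step 11 expects; a WARN line marks a setting to review against the site's hardening baseline.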

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

• CSS configuration file
#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return

• AC1 configuration file
#
sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 preempt-mode timer delay 1800
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!
=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address
10.23.102.1 psk %^%#`P0}*pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return
• AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!
=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address
10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z|./NQ@)WDlUT'`K33Mef47%^%#
#
return
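The AC1 and AC2 configuration files above must mirror each other for HSB to work: the HSB local and peer addresses are swapped, the data ports and VRRP virtual IP addresses match, the same services are bound to the HSB group, and the CAPWAP source address is the admin VRRP virtual IP address. The following Python code is an added example, not part of the Huawei document, that checks those properties on two saved configurations and also lists trunk interfaces that lack undo port trunk allow-pass vlan 1. The configuration excerpts are constructed from the files above, and the function names are assumptions.

```python
import re

# Constructed excerpt modelled on the AC1 configuration file above.
AC1_CFG = """\
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
return
"""
# AC2 mirrors AC1: its own Vlanif100 address, HSB local/peer addresses swapped.
AC2_CFG = (AC1_CFG
           .replace("ip address 10.23.100.1 ", "ip address 10.23.100.2 ")
           .replace("local-ip 10.23.102.1 peer-ip 10.23.102.2",
                    "local-ip 10.23.102.2 peer-ip 10.23.102.1"))

PATTERNS = {
    "vrrp": re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)$"),
    "admin": re.compile(r"^admin-vrrp vrid (\d+)$"),
    "capwap": re.compile(r"^capwap source ip-address (\S+)$"),
    "hsb": re.compile(r"^service-ip-port local-ip (\S+) peer-ip (\S+) "
                      r"local-data-port (\d+) peer-data-port (\d+)$"),
    "bind": re.compile(r"^hsb-service-type (\S+) hsb-group (\d+)$"),
}


def extract(cfg):
    """Collect the HSB-relevant settings from one saved configuration."""
    hits = {key: [] for key in PATTERNS}
    vlan1_trunks, iface, stanza = [], None, []
    for line in [raw.strip() for raw in cfg.splitlines()] + ["#"]:
        if line in ("#", "return"):  # '#' closes the current stanza
            if (iface and "port link-type trunk" in stanza
                    and "undo port trunk allow-pass vlan 1" not in stanza):
                vlan1_trunks.append(iface)
            iface, stanza = None, []
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        stanza.append(line)
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                hits[key].append(m.groups())
    return {
        "vrrp": dict(hits["vrrp"]),  # vrid -> virtual IP
        "admin": hits["admin"][0][0] if hits["admin"] else None,
        "capwap": hits["capwap"][0][0] if hits["capwap"] else None,
        "hsb": hits["hsb"][0] if hits["hsb"] else None,
        "bind": set(hits["bind"]),
        "vlan1_trunks": vlan1_trunks,
    }


def check_hsb_pair(cfg_a, cfg_b, names=("AC1", "AC2")):
    """Return findings where the two AC configurations fail to mirror each other."""
    a, b = extract(cfg_a), extract(cfg_b)
    findings = []
    if not a["hsb"] or not b["hsb"]:
        findings.append("hsb-service channel missing on at least one AC")
    else:
        a_loc, a_peer, a_lport, a_pport = a["hsb"]
        b_loc, b_peer, b_lport, b_pport = b["hsb"]
        if (a_loc, a_peer) != (b_peer, b_loc):
            findings.append("HSB local-ip/peer-ip are not mirrored between the ACs")
        if (a_lport, a_pport) != (b_pport, b_lport):
            findings.append("HSB data ports do not match between the ACs")
    if a["vrrp"] != b["vrrp"]:
        findings.append("VRRP virtual IP addresses differ between the ACs")
    if a["bind"] != b["bind"]:
        diff = sorted(service for service, _ in a["bind"] ^ b["bind"])
        findings.append(f"hsb-service-type bound on one AC only: {', '.join(diff)}")
    for name, facts in zip(names, (a, b)):
        if facts["capwap"] != facts["vrrp"].get(facts["admin"]):
            findings.append(f"{name}: CAPWAP source is not the admin VRRP virtual IP")
        for port in facts["vlan1_trunks"]:
            findings.append(f"{name}: trunk {port} lacks 'undo port trunk allow-pass vlan 1'")
    return findings
```

An empty list from check_hsb_pair means the two files agree on every checked property.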

4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability, and load balancing on the active and
standby ACs.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-42 Networking diagram for configuring dual-link HSB in load balancing mode for ACs

Data Planning

Table 4-41 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| AC's backup VLAN | VLAN 102 |
| DHCP server | The router functions as a DHCP server to assign IP addresses to APs and STAs. STAs' gateway: 10.23.101.1/24. APs' gateway: 10.23.100.1/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface | VLANIF 100 |
| AC1's management IP address | VLANIF 100: 10.23.100.2/24 |
| AC2's management IP address | VLANIF 100: 10.23.100.3/24 |
| Active and standby ACs | AC1 serves as the active AC for AP1 and the standby AC for AP2. AC2 serves as the active AC for AP2 and the standby AC for AP1. |
| IP addresses and port numbers for the active and standby channels of AC1 | IP address: VLANIF 102, 10.23.102.1/24; Port number: 10241 |
| IP addresses and port numbers for the active and standby channels of AC2 | IP address: VLANIF 102, 10.23.102.2/24; Port number: 10241 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and AP system profile ap-system1 |
| | Name: ap-group2; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and AP system profile ap-system2 |
| AP system profile | Name: ap-system1; Active AC: AC1; Standby AC: AC2 |
| | Name: ap-system2; Active AC: AC2; Standby AC: AC1 |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure the APs to go online and configure basic WLAN services.
3. Configure dual-link HSB in load balancing mode.
4. Configure HSB on the ACs so that the WLAN and NAC services on the active AC are
backed up to the standby AC in real time and in batches. If the active AC is faulty, the
standby AC takes over services of the active AC, ensuring user service continuity.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that Router function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Configure the switches and Router.

# Set the PVID of GE0/0/1 and GE0/0/2 on SwitchA to management VLAN 100, and add the
interfaces to VLAN 100 and VLAN 101. Add GE0/0/3 on SwitchA connected to SwitchB to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB connected to SwitchA to VLAN 100 and VLAN 101. Add
GE0/0/2 (connected to AC1) and GE0/0/3 (connected to AC2) on SwitchB to VLAN 100 and
VLAN 102. Add GE0/0/4 on SwitchB connected to Router to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

# Add GE0/0/1 on Router connected to SwitchB to VLAN 100 and VLAN 101.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.


# Add GE0/0/1 on AC1 to the service VLAN 101 and backup VLAN 102.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 to 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 on AC2 to VLAN 101 and VLAN 102.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 to 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC2-GigabitEthernet0/0/1] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit

Step 4 Configure the APs to go online.


NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1.

# Create AP groups ap-group1 and ap-group2.


[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the country code for AC1 in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group2] quit
[AC1-wlan-view] quit

# Configure the source interface for AC1.


[AC1] capwap source interface vlanif 100

# Import AP1 and AP2 offline on AC1, and add AP1 to the AP group ap-group1 and AP2 to
the AP group ap-group2.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.

[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC              Name     Group       IP              Type       State   STA   Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360   area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     31S      -
1    60de-4476-e380   area_2   ap-group2   10.23.100.253   AP5030DN   nor     0     10S      -
--------------------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group2] quit

Step 6 Configure dual-link HSB in load balancing mode on AC1 and AC2.
# On AC1, configure AC1 as the active AC for AP1 and the standby AC for AP2, and AC2 as
the active AC for AP2 and the standby AC for AP1.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC1-wlan-view] ap-system-profile name ap-system1
[AC1-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-ap-system1] quit
[AC1-wlan-view] ap-system-profile name ap-system2
[AC1-wlan-ap-system-prof-ap-system2] primary-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-ap-system2] backup-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-ap-system2] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] ap-system-profile ap-system2
[AC1-wlan-ap-group-ap-group2] quit

# On AC2, configure AC1 as the active AC for AP1 and the standby AC for AP2, and AC2 as
the active AC for AP2 and the standby AC for AP1. The configuration method on AC2 is the
same as that on AC1.
# Restart the APs on AC1 and AC2, and deliver the dual-link HSB configuration to the APs.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC2-wlan-view] quit

Step 7 Configure the HSB function.


# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for the
active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.


[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.


[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 8 Verify the configuration.


# Run the display ac protect command on AC1 and AC2 to view dual-link HSB information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ap-system-profile name ap-system1 command on AC1 and the display
ap-system-profile name ap-system2 command on AC2 to view information about the active
and standby ACs.
[AC1] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC1] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------

The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.

When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return


• Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#A>0:F8{q)0PWFAON0*rK\{&<S>}oK#%{]c~egp*.%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
ap-system-profile name ap-system2
primary-access ip-address 10.23.100.3
backup-access ip-address 10.23.100.2
ap-group name ap-group1
ap-system-profile ap-system1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system2
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235554710CB000043
ap-name area_2
ap-group ap-group2
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#A>0:F8{q)0PWFAON0*rK\{&<S>}oK#%{]c~egp*.%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
ap-system-profile name ap-system2
primary-access ip-address 10.23.100.3
backup-access ip-address 10.23.100.2
ap-group name ap-group1
ap-system-profile ap-system1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system2
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235554710CB000043
ap-name area_2
ap-group ap-group2
#
return
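The AC1 and AC2 configuration files above provide dual-link HSB only while they agree with each other: the HSB channel addresses and ports mirror, both ACs carry ac protect enable and both service bindings, and the AP system profiles match and name the two CAPWAP source addresses. The Python check below is an added example, not part of the Huawei document or of any Huawei tool; parse, audit, sample_ac and the abridged sample configurations are constructed here and assume the configuration-file syntax shown above.

```python
import re


def parse(cfg):
    """Pull the dual-link HSB facts out of one AC configuration file."""
    facts = {"vlanif": {}, "profiles": {}, "hsb_types": set(), "protect": False}
    iface = profile = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                       # '#' closes the current stanza
            iface = profile = None
        elif m := re.match(r"interface Vlanif(\d+)$", line, re.I):
            iface = int(m.group(1))
        elif iface is not None and (m := re.match(r"ip address (\S+) \S+$", line)):
            facts["vlanif"][iface] = m.group(1)
        elif m := re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I):
            facts["source_vlanif"] = int(m.group(1))
        elif m := re.match(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                           r"local-data-port (\d+) peer-data-port (\d+)$", line):
            facts["hsb"] = m.groups()
        elif m := re.match(r"hsb-service-type (\S+) hsb-service \d+$", line):
            facts["hsb_types"].add(m.group(1))
        elif line == "ac protect enable":
            facts["protect"] = True
        elif m := re.match(r"ap-system-profile name (\S+)$", line):
            profile = facts["profiles"].setdefault(m.group(1), {})
        elif profile is not None and (
                m := re.match(r"(primary|backup)-access ip-address (\S+)$", line)):
            profile[m.group(1)] = m.group(2)
    return facts


def audit(ac1_cfg, ac2_cfg):
    """Return a list of findings; an empty list means the two files agree."""
    a, b = parse(ac1_cfg), parse(ac2_cfg)
    findings = []
    for name, f in (("AC1", a), ("AC2", b)):
        if not f["protect"]:
            findings.append(f"{name}: 'ac protect enable' is missing")
        if f["hsb_types"] != {"ap", "access-user"}:
            findings.append(f"{name}: ap and access-user are not both bound to the HSB service")
        if "hsb" not in f:
            findings.append(f"{name}: no service-ip-port line under hsb-service")
        elif f["hsb"][0] not in f["vlanif"].values():
            findings.append(f"{name}: HSB local-ip {f['hsb'][0]} is not a VLANIF address")
    if "hsb" in a and "hsb" in b:
        (la, pa, lpa, ppa), (lb, pb, lpb, ppb) = a["hsb"], b["hsb"]
        if (la, pa) != (pb, lb):
            findings.append("HSB channel addresses are not mirrored between AC1 and AC2")
        if (lpa, ppa) != (ppb, lpb):
            findings.append("HSB data ports are not mirrored between AC1 and AC2")
    if a["profiles"] != b["profiles"]:
        findings.append("ap-system-profile definitions differ between AC1 and AC2")
    # Addresses the APs can reach: the CAPWAP source VLANIF address of each AC.
    sources = {f["vlanif"].get(f.get("source_vlanif")) for f in (a, b)}
    for pname, prof in a["profiles"].items():
        if {prof.get("primary"), prof.get("backup")} != sources:
            findings.append(f"ap-system-profile {pname}: primary/backup are not "
                            "the two CAPWAP source addresses")
    return findings


def sample_ac(mgmt_ip, hsb_local, hsb_peer):
    """Constructed sample: HSB-related lines abridged from the AC files above."""
    return f"""#
interface Vlanif100
 ip address {mgmt_ip} 255.255.255.0
#
interface Vlanif102
 ip address {hsb_local} 255.255.255.0
#
capwap source interface vlanif100
#
hsb-service 0
 service-ip-port local-ip {hsb_local} peer-ip {hsb_peer} local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable
 ap-system-profile name ap-system1
  primary-access ip-address 10.23.100.2
  backup-access ip-address 10.23.100.3
 ap-system-profile name ap-system2
  primary-access ip-address 10.23.100.3
  backup-access ip-address 10.23.100.2
#
return
"""


AC1_CFG = sample_ac("10.23.100.2", "10.23.102.1", "10.23.102.2")
AC2_CFG = sample_ac("10.23.100.3", "10.23.102.2", "10.23.102.1")

if __name__ == "__main__":
    for finding in audit(AC1_CFG, AC2_CFG) or ["no findings"]:
        print(finding)
```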

4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-43 Networking diagram for configuring dual-link HSB

Data Planning

Table 4-42 AC Data planning

Item                          Data
----------------------------  ----------------------------------------------------------------
Management VLAN for APs       VLAN 100
Service VLAN for STAs         VLAN 101
AC's backup VLAN              VLAN 102
DHCP server                   The Router functions as the DHCP server for the APs and STAs.
                              STAs' gateway: 10.23.101.1/24
                              APs' gateway: 10.23.100.1/24
IP address pool for APs       10.23.100.4-10.23.100.254/24
IP address pool for STAs      10.23.101.2-10.23.101.254/24
AC's source interface         VLANIF 100
AC1's management IP address   VLANIF 100: 10.23.100.2/24
AC2's management IP address   VLANIF 100: 10.23.100.3/24
Active AC                     AC1
Standby AC                    AC2
Master AC                     AC1
Local AC                      AC2
AP group                      • Name: ap-group1
                              • Referenced profile: VAP profile wlan-net and regulatory domain
                                profile default
Regulatory domain profile     • Name: default
                              • Country code: China
SSID profile                  • Name: wlan-net
                              • SSID name: wlan-net
Security profile              • Name: wlan-net
                              • Security policy: WPA-WPA2+PSK+AES
                              • Password: a1234567
VAP profile                   • Name: wlan-net
                              • Forwarding mode: tunnel forwarding
                              • Service VLAN: VLAN 101
                              • Referenced profiles: SSID profile wlan-net and security profile
                                wlan-net
AP system profile             • Name: wlan-net
                              • Primary AC's IP address: 10.23.100.2
                              • Backup AC's IP address: 10.23.100.3


Configuration Roadmap
1. Configure network interworking among AC1, AC2, and the other network devices. Configure
the Router as a DHCP server to assign IP addresses to APs and STAs.
2. Configure basic WLAN services on AC1 and only private WLAN service parameters on
AC2.
3. Configure AC1 as the active AC and AC2 as the standby AC. Configure dual-link HSB
on the active AC first and then on the standby AC. When dual-link HSB is enabled, all
APs are restarted.
4. Configure wireless configuration synchronization in the dual-link HSB scenarios.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
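One way to check saved configurations against the port isolation and VLAN notes above, as an added Python example that is not part of the Huawei document. Assumptions: check_notes and its helpers are hypothetical names, the sample configurations are constructed from commands shown on this page, the management VLAN is taken from the capwap source interface, the AP-facing switch ports are supplied by the caller, and a VAP profile without a forward-mode line is treated as direct forwarding.

```python
import re


def interface_stanzas(cfg):
    """Map interface name -> list of its sub-commands ('#' separates stanzas)."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.lower().startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line:
            current.append(line)
    return stanzas


def vap_profiles(ac_cfg):
    """Map VAP profile name -> {'mode': forwarding mode, 'vlan': service VLAN}."""
    profiles, current = {}, None
    for raw in ac_cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"vap-profile name (\S+)$", line):
            # Assumption: no forward-mode line means direct forwarding.
            current = profiles.setdefault(m.group(1), {"mode": "direct-forward", "vlan": None})
        elif line == "#" or re.match(r"\S+ name \S+$", line):
            current = None                    # another profile or stanza begins
        elif current is not None:
            if m := re.match(r"forward-mode (\S+)$", line):
                current["mode"] = m.group(1)
            elif m := re.match(r"service-vlan vlan-id (\d+)$", line):
                current["vlan"] = int(m.group(1))
    return profiles


def check_notes(ac_cfg, switch_cfg, ap_ports):
    """Return findings for the tunnel-VLAN and port-isolation notes."""
    findings = []
    m = re.search(r"^capwap source interface vlanif\s*(\d+)", ac_cfg, re.I | re.M)
    mgmt_vlan = int(m.group(1)) if m else None
    profiles = vap_profiles(ac_cfg)
    for name, prof in profiles.items():
        if prof["mode"] == "tunnel" and prof["vlan"] is not None and prof["vlan"] == mgmt_vlan:
            findings.append(f"vap-profile {name}: tunnel forwarding with service VLAN "
                            f"equal to management VLAN {mgmt_vlan}")
    if any(prof["mode"] == "direct-forward" for prof in profiles.values()):
        stanzas = interface_stanzas(switch_cfg)
        for port in ap_ports:
            if not any(cmd.startswith("port-isolate enable") for cmd in stanzas.get(port, [])):
                findings.append(f"{port}: direct forwarding in use but port isolation "
                                "is not enabled")
    return findings


# Constructed samples, built from commands shown on this page.
AC_TUNNEL = """\
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
#
"""
AC_SAME_VLAN = AC_TUNNEL.replace("vlan-id 101", "vlan-id 100")
AC_DIRECT = AC_TUNNEL.replace("  forward-mode tunnel\n", "")

SWITCH_ISOLATED = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
"""
SWITCH_OPEN = SWITCH_ISOLATED.replace(" port-isolate enable group 1\n", "")
AP_PORTS = ["GigabitEthernet0/0/1"]

if __name__ == "__main__":
    for ac, sw in ((AC_TUNNEL, SWITCH_OPEN), (AC_SAME_VLAN, SWITCH_OPEN), (AC_DIRECT, SWITCH_OPEN)):
        print(check_notes(ac, sw, AP_PORTS) or "no findings")
```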

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of
SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.


# Add GE0/0/1 of AC1 to service VLAN 101 and backup VLAN 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 101 and VLAN 102.


[AC2] vlan batch 101 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure basic WLAN services on AC1.


1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.


[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC              Name     Group       IP              Type       State   STA   Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360   area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S      -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit


Step 5 Configure private WLAN service parameters on AC2.


# Configure the source interface of AC2.
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 6 Configure dual-link backup for AC1 and AC2.


# On AC1, configure the IP address of the primary AC as the source IP address of AC1, and
the IP address of the backup AC as the source IP address of AC2.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ap-system-profile name wlan-net
[AC1-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-wlan-net] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# On AC2, configure the IP address of the primary AC as the source IP address of AC1, and
the IP address of the backup AC as the source IP address of AC2.
[AC2-wlan-view] ap-system-profile name wlan-net
[AC2-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC2-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC2-wlan-ap-system-prof-wlan-net] quit
[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC2-wlan-ap-group-ap-group1] quit
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 7 Configure the hot standby function.


# Create HSB service 0 on AC1 and configure the IP addresses and port numbers for the
active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.


[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2-wlan-view] quit
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.


[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 8 Configure the master AC and local AC.


# Configure AC1 as the master AC and specify the IP address of a local AC.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] local-controller ip-address 10.23.100.3 psk H@123456
[AC1-master-controller] quit

# Configure AC2 as a local AC and specify the IP address of the master AC.
[AC2] wlan
[AC2-wlan-view] master-controller ip-address 10.23.100.2 psk H@123456

Step 9 Trigger wireless configuration synchronization manually.


# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The command output displays cfg-mismatch. Wireless configuration
synchronization must be manually triggered from the master AC to the local AC. Wait until
the local AC completes automatic restart.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP   Role    Device Type   Version       Status                            Last synced
----------------------------------------------------------------------------------------------------
10.23.100.3     Local   AC6605        V200R009C00   cfg-mismatch(config check fail)   -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1-wlan-view] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to
it, and save all its configurations. Whether to continue? [Y/N]:y

Step 10 Verify the configuration.


# Run the display sync-configuration status command on the master AC and local AC to
view the wireless configuration synchronization status. If the status is up, the wireless
configuration synchronization function is working properly.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP   Role    Device Type   Version       Status   Last synced
-----------------------------------------------------------------------------------------
10.23.100.3     Local   AC6605        V200R009C00   up       2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP   Role     Device Type   Version       Status   Last synced
-----------------------------------------------------------------------------------------
10.23.100.2     Master   AC6605        V200R009C00   up       2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

# When public configurations are modified on the master AC, the public configurations are
automatically synchronized to the local AC. When the AP detects a fault on the link
connected to AC1, it instructs AC2 to take the active role. This ensures service stability.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable

#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1

radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
master controller
local-controller ip-address 10.23.100.3 psk %^%#/
q6ITBsonPkeDGXiV;!'^htAMm[n"(Z{^ES|5[^.%^%#
#
return

• AC2 configuration file


#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
master-controller ip-address 10.23.100.2 psk %^%#mh|sYMl/}'U|"W/rBd
\9HICmNy{,BIi0c^F:z;V#%^%#
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-44 Networking for configuring dual-link cold backup

Data Planning

Table 4-43 AC data planning

Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The switch functions as a DHCP server to assign IP addresses
                               to APs and STAs.
                               STAs' gateway: 10.23.101.1/24
                               APs' gateway: 10.23.100.1/24
IP address pool for APs        10.23.100.4-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface          VLANIF 100
AC1's management IP address    VLANIF 100: 10.23.100.2/24
AC2's management IP address    VLANIF 100: 10.23.100.3/24
Active AC                      AC1
                               Local priority: 0
Standby AC                     AC2
                               Local priority: 1
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory
                                 domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net

Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.

3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that the switch function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Configure the switch and ACs to enable the ACs to communicate with the APs.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable

[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects AC1 to the switch to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 that connects AC2 to the switch to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure basic WLAN services on AC1.


1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be added.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1.
Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Name each AP after its deployment location so that the name shows where the AP is
deployed. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name it area_1; if the AP with MAC address 60de-4474-9640 is deployed in area 2, name it
area_2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC              Name     Group       IP              Type       State   STA   Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360   area_1   ap-group1   10.23.100.253   AP5030DN   nor     0     10S      -
1    60de-4474-9640   area_2   ap-group1   10.23.100.254   AP5030DN   nor     0     10S      -
--------------------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC2.

# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.

# Configure the source interface of AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 5 Configure dual-link backup on AC1 and AC2.

# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup and
revertive switchover globally, and restart all APs to make the dual-link backup function take
effect.

NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Configure the AC2 priority and AC1 IP address on AC2.


[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 6 Verify the configuration.


Run the display ac protect command on the active and standby ACs to check the dual-link
information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------

# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100

port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.3
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1

port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.2 priority 1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
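
The roadmap above requires identical service configurations on AC1 and AC2, and in global configuration mode each AC's protect-ac address is the other AC's CAPWAP source address. The following Python check is an added example, not part of the Huawei document: it parses two AC configuration files in the layout shown above and reports mismatches, including the mirrored HSB channel used in the dual-link HSB examples. The sample configurations are constructed, and treating an omitted priority as 0 and masking %^%# ciphertext before comparison are assumptions.

```python
import difflib
import re

CIPHER = re.compile(r"%\^%#.*?%\^%#")   # encrypted strings in saved configurations
# wlan-view lines that legitimately differ between the two ACs
PER_AC = ("master controller", "master-controller", "local-controller")
HSB_KEYS = r"(local-ip|peer-ip|local-data-port|peer-data-port) (\S+)"

def parse_ac(cfg):
    """Extract the fields the pair checks need from one AC configuration file."""
    ac = {"name": "?", "ip": {}, "source_if": None, "protect": False,
          "protect_ac": None, "priority": 0,   # assumption: omitted priority means 0
          "hsb": None, "wlan": []}
    view = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":                        # '#' ends the current view
            view = None
        elif line.startswith("sysname "):
            ac["name"] = line.split()[1]
        elif line.startswith("capwap source interface "):
            ac["source_if"] = line.split()[-1].lower()
        elif line.startswith("interface "):
            view = line.split()[1].lower()
        elif line.startswith("hsb-service "):
            view = "hsb"
        elif line == "wlan":
            view = "wlan"
        elif view == "hsb" and line.startswith("service-ip-port "):
            ac["hsb"] = dict(re.findall(HSB_KEYS, line))
        elif view == "wlan" and line.startswith("ac protect"):
            ac["protect"] = ac["protect"] or " enable" in line
            if m := re.search(r"protect-ac (\S+)", line):
                ac["protect_ac"] = m.group(1)
            if m := re.search(r"priority (\d+)", line):
                ac["priority"] = int(m.group(1))
        elif view == "wlan" and not line.startswith(PER_AC):
            # Assumption: ciphertext is not comparable across devices, so mask it
            ac["wlan"].append(CIPHER.sub("<cipher>", line))
        elif view and line.startswith("ip address "):
            ac["ip"][view] = line.split()[2]
    return ac

def check_pair(a, b):
    """Return findings for an active/standby AC pair; an empty list means consistent."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        peer_ip = peer["ip"].get(peer["source_if"])
        if not me["protect"]:
            findings.append(f"{me['name']}: ac protect is not enabled")
        if me["protect_ac"] != peer_ip:
            findings.append(f"{me['name']}: protect-ac is {me['protect_ac']}, but "
                            f"{peer['name']}'s CAPWAP source address is {peer_ip}")
    if a["priority"] == b["priority"]:
        findings.append(f"both ACs use priority {a['priority']}")
    # Ordered diff, so a line that moved to another profile is also reported
    for d in difflib.unified_diff(a["wlan"], b["wlan"], a["name"], b["name"],
                                  n=0, lineterm=""):
        if not d.startswith(("---", "+++", "@@")):
            findings.append(f"WLAN service configuration differs: {d}")
    ha, hb = a["hsb"], b["hsb"]
    if ha or hb:
        ha, hb = ha or {}, hb or {}
        mirrored = all(ha.get(f"local-{k}") == hb.get(f"peer-{k}") and
                       hb.get(f"local-{k}") == ha.get(f"peer-{k}")
                       for k in ("ip", "data-port"))
        if not mirrored:
            findings.append("HSB channel endpoints are not mirrored between the ACs")
    return findings

def sample(name, mgmt_ip, protect_ac, prio, hsb_local, hsb_peer, svc_vlan=101):
    """Constructed AC configuration in the layout of the configuration files above."""
    return f"""#
sysname {name}
#
interface Vlanif100
 ip address {mgmt_ip} 255.255.255.0
#
capwap source interface vlanif100
#
hsb-service 0
 service-ip-port local-ip {hsb_local} peer-ip {hsb_peer} local-data-port 10241 peer-data-port 10241
#
wlan
 ac protect enable protect-ac {protect_ac}{prio}
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#placeholder-{name}%^%# aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id {svc_vlan}
#
return
"""

AC1 = parse_ac(sample("AC1", "10.23.100.2", "10.23.100.3", "",
                      "10.23.102.1", "10.23.102.2"))
AC2_GOOD = parse_ac(sample("AC2", "10.23.100.3", "10.23.100.2", " priority 1",
                           "10.23.102.2", "10.23.102.1"))
# Deliberate mistakes: protect-ac is AC2's own address, wrong HSB peer, drifted VLAN
AC2_BAD = parse_ac(sample("AC2", "10.23.100.3", "10.23.100.3", " priority 1",
                          "10.23.102.2", "10.23.102.3", svc_vlan=102))

if __name__ == "__main__":
    for finding in check_pair(AC1, AC2_BAD):
        print(finding)
```

Because ciphertext is masked, the check does not confirm that both ACs carry the same PSK; verify that separately when the passphrase is changed.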

4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-45 Networking for configuring dual-link HSB for ACs

Data Planning

Table 4-44 AC data planning

Item                                       Data
Management VLAN for APs                    VLAN 100
Service VLAN for STAs                      VLAN 101
AC's backup VLAN                           VLAN 102
DHCP server                                The router functions as a DHCP server to assign IP
                                           addresses to APs and STAs.
                                           STAs' gateway: 10.23.101.1/24
                                           APs' gateway: 10.23.100.1/24
IP address pool for APs                    10.23.100.4-10.23.100.254/24
IP address pool for STAs                   10.23.101.2-10.23.101.254/24
AC's source interface                      VLANIF 100
AC1's management IP address                VLANIF 100: 10.23.100.2/24
AC2's management IP address                VLANIF 100: 10.23.100.3/24
Active AC                                  AC1
                                           Local priority: 0
Standby AC                                 AC2
                                           Local priority: 1
IP addresses and port numbers for the      IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1         Port number: 10241
IP addresses and port numbers for the      IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2         Port number: 10241
AP group                                   • Name: ap-group1
                                           • Referenced profiles: VAP profile wlan-net and
                                             regulatory domain profile default
Regulatory domain profile                  • Name: default
                                           • Country code: China
SSID profile                               • Name: wlan-net
                                           • SSID name: wlan-net
Security profile                           • Name: wlan-net
                                           • Security policy: WPA-WPA2+PSK+AES
                                           • Password: a1234567
VAP profile                                • Name: wlan-net
                                           • Forwarding mode: tunnel forwarding
                                           • Service VLAN: VLAN 101
                                           • Referenced profiles: SSID profile wlan-net and
                                             security profile wlan-net

Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise network.
3. Configure global dual-link backup on the ACs.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that Router function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of
SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.


# Add GE0/0/1 of AC1 to service VLAN 101 and backup VLAN 102, and configure IP
addresses for VLANIF 100 and VLANIF 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 101 and VLAN 102, and configure IP addresses for
VLANIF 100 and VLANIF 102.


[AC2] vlan batch 101 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure WLAN service parameters on AC1 and AC2.


NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1.
1. Configure system parameters for AC1.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.


[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure dual-link backup on AC1 and AC2.


# Configure the AC1 priority and AC2 IP address on AC1 to implement dual-link backup.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0

# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link backup.
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] quit

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 6 Configure the hot standby function.


# Create HSB service 0 on AC1 and configure the IP addresses and port numbers for the
active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to HSB service 0 on AC1.


[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to HSB service 0 on AC2.


[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 7 Verify the configuration.


# Run the display ac protect command on AC1 and AC2 to view dual-link backup
information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------

The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.
When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.

----End
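
The Step 7 check on the HSB channel can be scripted. The following added example (not part of the Huawei document) parses the display hsb-service 0 output captured from both ACs and reports any deviation from the expected result: a Service State other than Connected, local/peer addresses or ports that do not mirror each other, or a missing AP or Access-user batch module. The sample outputs are re-typed from Step 7; the function names and the reading of Source Port and Destination Port as the local and peer data ports are assumptions.

```python
"""Cross-check the `display hsb-service 0` outputs of two hot-standby ACs."""

# Sample input re-typed from Step 7 of this example (whitespace as extracted).
AC1_OUTPUT = """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
"""

AC2_OUTPUT = """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
"""


def parse_hsb(text):
    """Return {field: [values]}; a line without ':' continues the previous field."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, separator rules and the title line.
        if not line or set(line) == {"-"} or line.endswith("Information:"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip()
            fields[last] = [value.strip()]
        elif last is not None:
            # e.g. "Access-user" under "Service Batch Modules"
            fields[last].append(line)
    return fields


def _one(fields, key):
    """Return the first value of a field, or None if the field is absent."""
    values = fields.get(key)
    return values[0] if values else None


def check_hsb_pair(out_a, out_b, names=("AC1", "AC2"),
                   required_modules=("AP", "Access-user")):
    """Return a list of problems; an empty list means the channel looks healthy."""
    a, b = parse_hsb(out_a), parse_hsb(out_b)
    problems = []

    for name, side in zip(names, (a, b)):
        state = _one(side, "Service State")
        if state != "Connected":
            problems.append(f"{name}: Service State is {state!r}, expected 'Connected'")
        modules = side.get("Service Batch Modules", [])
        missing = [m for m in required_modules if m not in modules]
        if missing:
            problems.append(f"{name}: batch modules not bound: {', '.join(missing)}")

    # Each side's local values must equal the other side's peer values.
    # Assumption: Source Port = local-data-port, Destination Port = peer-data-port.
    mirrored = (("Local IP Address", "Peer IP Address"),
                ("Peer IP Address", "Local IP Address"),
                ("Source Port", "Destination Port"),
                ("Destination Port", "Source Port"))
    for key_a, key_b in mirrored:
        va, vb = _one(a, key_a), _one(b, key_b)
        if va is None or vb is None or va != vb:
            problems.append(
                f"{names[0]} {key_a} ({va}) does not match {names[1]} {key_b} ({vb})")
    return problems


if __name__ == "__main__":
    issues = check_hsb_pair(AC1_OUTPUT, AC2_OUTPUT)
    print("HSB channel OK" if not issues else "\n".join(issues))
```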

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable protect-ac 10.23.100.3 priority 0
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable protect-ac 10.23.100.2 priority 1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.8.6 Example for Configuring VRRP HSB

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
  the core layer. SwitchB is the active switch and SwitchC is the standby switch.

Figure 4-46 Configuring VRRP HSB (direct forwarding)

[Figure: network topology. The STA associates with the AP, which connects to GE0/0/1 of
SwitchA (VLAN 100-101). GE0/0/2 and GE0/0/3 of SwitchA (VLAN 100-101) form Eth-Trunk10
towards GE1/1/0/2 of SwitchB and GE2/1/0/2 of SwitchC, which are joined in a CSS.
GE1/1/0/1 and GE2/1/0/1 of the CSS (VLAN 100-101) connect to GE0/0/1 of AC1 and AC2.
AC1 and AC2 are interconnected through GE0/0/2 (VLAN 102). The Router and the Internet
are upstream. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 4-45 AC Data Planning

Item                                      Configuration
----------------------------------------  ------------------------------------------------
AC1's source interface                    VLANIF 100: 10.23.100.3/24

AC2's source interface                    VLANIF 100: 10.23.100.3/24

Virtual IP address of the management      10.23.100.3/24
VRRP group

Virtual IP address of the service         10.23.101.3/24
VRRP group

VAP profile                               • Name: wlan-net
                                          • Forwarding mode: direct forwarding
                                          • Service VLAN: VLAN 101
                                          • Referenced profiles: SSID profile wlan-net and
                                            security profile wlan-net

AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-net and
                                            regulatory domain profile default

Regulatory domain profile                 • Name: default
                                          • Country code: China

SSID profile                              • Name: wlan-net
                                          • SSID name: wlan-net

Security profile                          • Name: wlan-net
                                          • Security policy: WPA-WPA2+PSK+AES
                                          • Password: a1234567

DHCP server                               AC functions as the DHCP server to assign IP
                                          addresses to the AP and STA

AP's gateway                              VLANIF 100: 10.23.100.3/24

IP address pool for the AP                10.23.100.4 to 10.23.100.254/24

STA's gateway                             VLANIF 101: 10.23.101.3/24

IP address pool for STA                   10.23.101.4 to 10.23.101.254/24

IP addresses and port numbers for         IP address: VLANIF 102, 10.23.102.1/24
the active and standby channels           Port number: 10241
of AC1

IP addresses and port numbers for         IP address: VLANIF 102, 10.23.102.2/24
the active and standby channels           Port number: 10241
of AC2

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN
users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA (connected to the AP) to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, and add Eth-Trunk 10 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.


[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.


[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.


[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.


[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1.
An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.


[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-net


[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The command output displays that the State field of AC1 is Master and that of AC2 is
Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

Vlanif101 | Virtual Router 2


State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-30 23:45:50 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100


MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

Vlanif101 | Virtual Router 2


State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-31 00:32:33 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The command output displays that the Service State field is Connected, indicating that the
HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100


Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can
connect to the WLAN.

When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.

----End
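The Step 8 checks can be automated by parsing the display vrrp and display hsb-service output from both ACs. The following Python script is an added example, not part of the original document or of Huawei's tooling; the sample strings are constructed by abridging the output shown above. It assumes that "Shared-key : -" means no key is configured for the HSB channel, and it reports that and "Auth type : NONE" as warnings.

```python
import re

HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)$")
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

# Constructed samples, abridged from the Step 8 output for AC1 and AC2.
AC1_VRRP = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Auth type : NONE
Config type : admin-vrrp
Vlanif101 | Virtual Router 2
State : Master
Virtual IP : 10.23.101.3
Auth type : NONE
Config type : member-vrrp
"""
AC2_VRRP = AC1_VRRP.replace("State : Master", "State : Backup")
AC1_HSB = """\
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Service State : Connected
Shared-key : -
"""
AC2_HSB = """\
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Service State : Connected
Shared-key : -
"""


def parse_fields(text):
    """Collect 'Key : value' lines (display hsb-service) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_vrrp(text):
    """Split display vrrp output into {vrid: fields}, one dict per virtual router."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            current = {"Interface": header.group(1)}
            groups[int(header.group(2))] = current
        elif current is not None and FIELD.match(line):
            key, value = FIELD.match(line).groups()
            current[key] = value.strip()
    return groups


def check_hot_standby(vrrp_a, vrrp_b, hsb_a, hsb_b, names=("AC1", "AC2")):
    """Return (severity, message) findings; no FAIL entry means Step 8 passes."""
    findings = []
    a, b = parse_vrrp(vrrp_a), parse_vrrp(vrrp_b)
    for vrid in sorted(set(a) | set(b)):
        ga, gb = a.get(vrid), b.get(vrid)
        if ga is None or gb is None:
            findings.append(("FAIL", f"VRID {vrid}: configured on only one AC"))
            continue
        if ga.get("Virtual IP") != gb.get("Virtual IP"):
            findings.append(("FAIL", f"VRID {vrid}: virtual IP differs between the ACs"))
        states = sorted((ga.get("State", "?"), gb.get("State", "?")))
        if states != ["Backup", "Master"]:  # dual Master or no Master at all
            findings.append(("FAIL", f"VRID {vrid}: want one Master and one Backup, got {states}"))
        for name, group in zip(names, (ga, gb)):
            if group.get("Auth type", "NONE").upper() == "NONE":
                findings.append(("WARN", f"{name} VRID {vrid}: Auth type is NONE"))
    # The service group tracks the admin group, so both must show the same state per AC.
    for name, groups in zip(names, (a, b)):
        admin = [g for g in groups.values() if g.get("Config type") == "admin-vrrp"]
        for g in groups.values():
            if g.get("Config type") == "member-vrrp" and admin and g.get("State") != admin[0].get("State"):
                findings.append(("FAIL", f"{name}: member group on {g['Interface']} does not follow the admin group"))
    ha, hb = parse_fields(hsb_a), parse_fields(hsb_b)
    for name, hsb in zip(names, (ha, hb)):
        if hsb.get("Service State") != "Connected":
            findings.append(("FAIL", f"{name}: HSB channel state is {hsb.get('Service State')}"))
        if hsb.get("Shared-key", "-") == "-":  # assumption: "-" means no key is set
            findings.append(("WARN", f"{name}: HSB channel shows no shared key"))
    if (ha.get("Local IP Address"), ha.get("Peer IP Address")) != (
            hb.get("Peer IP Address"), hb.get("Local IP Address")):
        findings.append(("FAIL", "HSB local and peer addresses are not mirrored"))
    return findings


if __name__ == "__main__":
    for severity, message in check_hot_standby(AC1_VRRP, AC2_VRRP, AC1_HSB, AC2_HSB):
        print(severity, message)
```
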

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

- CSS configuration file


#
sysname CSS
#


vlan batch 100 to 101


#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return
- AC1 configuration file
#
sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 preempt-mode timer delay 1800
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#


hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
- AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101


#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
requirements for network reliability and tolerate temporary service interruption. To save
costs, a single AC is required to back up all the active ACs. In this scenario, the enterprise
can deploy a high-performance AC at the headquarters as a standby AC to provide backup
services for the active ACs in the branches.

Networking Requirements
- AC networking mode: Layer 3 bypass mode
- DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
  APs and STAs.


- Service data forwarding mode: direct forwarding

Figure 4-47 Networking for configuring N+1 backup

Data Planning

Table 4-46 AC data planning

Item
    Data

Management VLAN for APs
    AC_1 (active AC): VLAN 99
    AC_2 (active AC): VLAN 100

Service VLAN for STAs
    AC_1: VLAN 101
    AC_2: VLAN 102

DHCP server
    Router_3 functions as a DHCP server to assign IP addresses to APs and STAs.
    STAs' gateway:
    - STA_1: 10.23.101.1/24
    - STA_2: 10.23.102.1/24
    APs' gateway:
    - AP_1: 10.23.99.1/24
    - AP_2: 10.23.100.1/24

IP address pool for APs
    AP_1: 10.23.99.2-10.23.99.254/24
    AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs
    STA1: 10.23.101.2-10.23.101.254/24
    STA2: 10.23.102.2-10.23.102.254/24

AC's source interface
    AC_1: VLANIF 201
    AC_2: VLANIF 202
    AC_3: VLANIF 203

AC_1's management IP address
    VLANIF 201: 10.23.201.1/24

AC_2's management IP address
    VLANIF 202: 10.23.202.1/24

AC_3's management IP address
    VLANIF 203: 10.23.203.1/24

AP group
    AC_1 (active AC):
    - Name: ap-group1
    - Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and
      regulatory domain profile default
    AC_2 (active AC):
    - Name: ap-group2
    - Referenced profiles: AP system profile ap-system, VAP profile wlan-net1, and
      regulatory domain profile default
    AC_3 (standby AC):
    - Name: ap-group1
      – Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and
        regulatory domain profile default
    - Name: ap-group2
      – Referenced profiles: AP system profile ap-system, VAP profile wlan-net1, and
        regulatory domain profile default

Regulatory domain profile
    - Name: default
    - Country code: China

SSID profile
    AC_1:
    - Name: wlan-net
    - SSID name: wlan-net
    AC_2:
    - Name: wlan-net1
    - SSID name: wlan-net1
    AC_3:
    - Name: wlan-net
    - SSID name: wlan-net
    - Name: wlan-net1
    - SSID name: wlan-net1

Security profile
    AC_1, AC_3:
    - Name: wlan-net
    - Security policy: WPA-WPA2+PSK+AES
    - Password: a1234567
    AC_2, AC_3:
    - Name: wlan-net1
    - Security policy: WPA-WPA2+PSK+AES
    - Password: a1234567

AP system profile
    AC_3 (standby AC): ap-system and ap-system1

VAP profile
    AC_1:
    - Name: wlan-net
    - Forwarding mode: direct forwarding
    - Service VLAN: VLAN 101
    - Referenced profiles: SSID profile wlan-net and security profile wlan-net
    AC_2:
    - Name: wlan-net1
    - Forwarding mode: direct forwarding
    - Service VLAN: VLAN 102
    - Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
    AC_3:
    - Name: wlan-net
      – Forwarding mode: direct forwarding
      – Service VLAN: VLAN 101
      – Referenced profiles: SSID profile wlan-net and security profile wlan-net
    - Name: wlan-net1
      – Forwarding mode: direct forwarding
      – Service VLAN: VLAN 102
      – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

Global priority
    AC_1: 0
    AC_2: 0
    AC_3: 5

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.


Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.


# On Router_3, create VLAN 200 and VLAN 203. Add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200 and 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and set the PVID of GE0/0/1 to
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit

# On AC_2, create VLAN 102 and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure reachable routes between AP_1 and AC_3, and between AP_2 and AC_3.
Perform the configurations according to networking requirements. The configuration
procedure is not provided here.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99


[Router_1-Vlanif99] dhcp select relay


[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
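The pool separation required by the NOTE above can be checked before the APs are restarted. The following Python script is an added example, not part of the original document: it parses the Router_3 pool commands (constructed input, abridged from this step), verifies that each AP pool advertises exactly one active AC plus the standby AC and that no active AC appears in two pools, and builds the Option 43 payload. The payload layout (type 0x02, length, packed IPv4 addresses) is an assumption about how sub-option 2 is carried on the wire.

```python
import ipaddress
import re

# Constructed input: Router_3 pool commands from this step, prompts included.
ROUTER_3 = """\
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] quit
"""


def parse_pools(transcript):
    """Return {pool name: {"network": IPv4Network or None, "acs": [IPv4Address]}}."""
    pools, current = {}, None
    for raw in transcript.splitlines():
        words = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip()).split()  # drop the CLI prompt
        if words[:2] == ["ip", "pool"] and len(words) == 3:
            current = pools.setdefault(words[2], {"network": None, "acs": []})
        elif current is None:
            continue
        elif words[:1] == ["network"] and "mask" in words:
            mask = words[words.index("mask") + 1]
            current["network"] = ipaddress.ip_network(f"{words[1]}/{mask}")
        elif words[:5] == ["option", "43", "sub-option", "2", "ip-address"]:
            current["acs"] = [ipaddress.ip_address(w) for w in words[5:]]
    return pools


def encode_option43(acs):
    """Build the sub-option payload. Assumed layout: 0x02, length, packed addresses."""
    body = b"".join(ac.packed for ac in acs)
    return bytes([2, len(body)]) + body


def check_pools(pools, active_acs, standby_ac):
    """Return a list of findings; an empty list means the pools keep the APs apart."""
    findings = []
    active = {ipaddress.ip_address(a) for a in active_acs}
    standby = ipaddress.ip_address(standby_ac)
    owner = {}  # active AC -> first pool that advertises it
    for name, pool in pools.items():
        if not pool["acs"]:
            continue  # STA pools carry no Option 43
        listed = [ac for ac in pool["acs"] if ac in active]
        if len(listed) != 1:
            findings.append(f"{name}: advertises {len(listed)} active ACs, expected 1")
        if standby not in pool["acs"]:
            findings.append(f"{name}: standby AC {standby} is not advertised")
        for ac in pool["acs"]:
            if ac not in active and ac != standby:
                findings.append(f"{name}: advertises unknown AC {ac}")
        for ac in listed:
            if ac in owner:
                findings.append(f"{name} and {owner[ac]} both advertise active AC {ac}")
            owner.setdefault(ac, name)
    names = sorted(pools)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            n1, n2 = pools[first]["network"], pools[second]["network"]
            if n1 and n2 and n1.overlaps(n2):
                findings.append(f"{first} and {second}: address ranges overlap")
    return findings


if __name__ == "__main__":
    parsed = parse_pools(ROUTER_3)
    for pool_name, pool in parsed.items():
        if pool["acs"]:
            print(pool_name, encode_option43(pool["acs"]).hex())
    print(check_pools(parsed, ["10.23.201.1", "10.23.202.1"], "10.23.203.1") or "pools OK")
```
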

Step 3 Configure basic WLAN services on AC_1.


1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source interface of AC_1.


[AC_1] capwap source interface vlanif 201

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC_2.


# Configure basic parameters for AC_2 according to the configurations of AC_1.
# Configure the source interface of AC_2.
[AC_2] capwap source interface vlanif 202

# Create AP group ap-group2.


[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.
[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit

# Set other parameters in the same way as on AC_1.


Step 5 Configure basic WLAN services on AC_3.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the source interface of AC_3.


[AC_3] capwap source interface Vlanif 203

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status. The
command output shows that the state of both area_1 and area_2 is fault.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 -  -    fault 0   -      -
1    60de-4474-9640 area_2 ap-group2 -  -    fault 0   -      -
----------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.


# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.


# On AC_1, configure the AC's global priority and IP address of AC_3.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# On AC_2, configure the AC's global priority and IP address of AC_3.


[AC_2-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# Configure the global priority of AC_3.


[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.


# Run the display ac protect command on AC_1 to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return

• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return

• AC_1 configuration file
#
sysname AC_1
#
vlan batch 101 201
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source interface vlanif201
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source interface vlanif202
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-group name ap-group2
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 101 to 102 203
#
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
capwap source interface vlanif203
#
wlan
ac protect priority 5
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
protect-ac ip-address 10.23.201.1
ap-system-profile name ap-system1
protect-ac ip-address 10.23.202.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
return
• Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
return
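
In N+1 backup, AC_3 has to carry the same profiles, AP groups and AP entries as the active AC it protects, as the AC_1 and AC_3 files above show. The following check is an added example, not part of the Huawei document: it compares the wlan section of an active AC's configuration file with the standby's and reports drift that would change service after a switchover. The excerpts are constructed from the files above; the one-space indentation, the <cipher> placeholder and the function names are assumptions.

```python
import re

# Constructed excerpts of the wlan sections of the AC_1 and AC_3 files above.
# Assumptions: one space of indentation per nested view, as VRP saves its
# configuration, and <cipher> standing in for the pass-phrase ciphertext.
ACTIVE = """\
wlan
 ac protect protect-ac 10.23.203.1
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <cipher> aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-group ap-group1
"""
STANDBY = """\
wlan
 ac protect priority 5
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <cipher> aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-system-profile name ap-system
  protect-ac ip-address 10.23.201.1
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-group ap-group1
"""
# Constructed drift: an open security policy and a wrong protect-ac address.
DRIFTED = (STANDBY
           .replace("security wpa-wpa2 psk pass-phrase <cipher> aes", "security open")
           .replace("ip-address 10.23.201.1", "ip-address 10.23.202.1"))

CIPHER = re.compile(r"pass-phrase \S+")
AP_MAC = re.compile(r"\bap-mac (\S+)")


def parse_wlan(text):
    """Map each view under 'wlan' to its child lines, nested ones as 'a / b'."""
    views, key, stack, in_wlan = {}, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        depth = len(raw) - len(raw.lstrip(" "))
        if not line:
            continue
        if depth == 0:                      # top-level command or '#' separator
            in_wlan, key = (line == "wlan"), None
        elif in_wlan and depth == 1:        # a profile, AP group or AP entry
            mac = AP_MAC.search(line)       # AP IDs may differ per AC: key by MAC
            key = "ap-mac " + mac.group(1) if mac else line
            views[key], stack = [], []
        elif in_wlan and key is not None:
            # Ciphertext is device-specific, so only the policy is compared.
            stack = stack[:depth - 2] + [CIPHER.sub("pass-phrase <cipher>", line)]
            views[key].append(" / ".join(stack))
    return views


def standby_drift(active_cfg, standby_cfg, active_ip):
    """List differences that would change service when APs fail over."""
    active, standby = parse_wlan(active_cfg), parse_wlan(standby_cfg)
    findings = []
    for key, lines in active.items():
        if key.startswith("ac protect"):    # backup role settings differ by design
            continue
        if key not in standby:
            findings.append(f"{key}: missing on standby")
            continue
        for line in lines:
            if line not in standby[key]:
                findings.append(f"{key}: standby lacks '{line}'")
        for line in standby[key]:
            if line not in lines and not line.startswith("ap-system-profile "):
                findings.append(f"{key}: standby adds '{line}'")
        if key.startswith("ap-group name "):
            # The standby's AP system profile must name the active AC (protect-ac).
            ref = [l.split()[1] for l in standby[key] if l.startswith("ap-system-profile ")]
            profile = standby.get("ap-system-profile name " + ref[0], []) if ref else []
            if f"protect-ac ip-address {active_ip}" not in profile:
                findings.append(f"{key}: AP system profile does not name {active_ip}")
    return findings


if __name__ == "__main__":
    print("\n".join(standby_drift(ACTIVE, DRIFTED, "10.23.201.1")))
```

The pass-phrase ciphertext is ignored by the comparison, so whether the keys themselves match has to be confirmed separately.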

4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)

Service Requirements
In public places where a large number of users are spread over a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access services. These
services are value-added services that have low network reliability requirements and tolerate
temporary service interruption. To save costs, one AC is required to act as the backup of all ACs.
To meet this requirement, build an N+1 backup wireless LAN to provide reliable services and reduce
device purchase costs. ACs of different models can work in N+1 backup mode, but versions
of the ACs must be the same.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-48 Networking for configuring N+1 backup

Data Planning

Table 4-47 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101
                                VLAN 102

DHCP server                     Switch_1 functions as a DHCP server to assign IP addresses to APs and STAs.
                                STAs' gateway:
                                • 10.23.101.1/24
                                • 10.23.102.1/24
                                APs' gateway: 10.23.100.1/24

IP address pool for APs         10.23.100.5-10.23.100.254/24

IP address pool for STAs        STA1: 10.23.101.3-10.23.101.254/24
                                STA2: 10.23.102.3-10.23.102.254/24

AC's source interface           VLANIF 100

AC_1's management IP address    VLANIF 100: 10.23.100.2/24

AC_2's management IP address    VLANIF 100: 10.23.100.3/24

AC_3's management IP address    VLANIF 100: 10.23.100.4/24

AP group                        AC_1 (active AC):
                                • Name: ap-group1
                                • Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and
                                  regulatory domain profile default
                                AC_2 (active AC):
                                • Name: ap-group2
                                • Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1, and
                                  regulatory domain profile default
                                AC_3 (standby AC):
                                • Name: ap-group1
                                  – Referenced profiles: AP system profile ap-system, VAP profile wlan-net,
                                    and regulatory domain profile default
                                • Name: ap-group2
                                  – Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1,
                                    and regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    AC_1:
                                • Name: wlan-net
                                • SSID name: wlan-net
                                AC_2:
                                • Name: wlan-net1
                                • SSID name: wlan-net1
                                AC_3:
                                • Names: wlan-net and wlan-net1
                                • SSID names: wlan-net and wlan-net1

Security profile                AC_1:
                                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
                                AC_2:
                                • Name: wlan-net1
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
                                AC_3:
                                • Name: wlan-net
                                  – Security policy: WPA-WPA2+PSK+AES
                                  – Password: a1234567
                                • Name: wlan-net1
                                  – Security policy: WPA-WPA2+PSK+AES
                                  – Password: a1234567

VAP profile                     AC_1:
                                • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
                                AC_1:
                                • Name: wlan-net1
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 102
                                • Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

                                AC_3:
                                • Name: wlan-net
                                  – Forwarding mode: direct forwarding
                                  – Service VLAN: VLAN 101
                                  – Referenced profiles: SSID profile wlan-net and security profile wlan-net
                                • Name: wlan-net1
                                  – Forwarding mode: direct forwarding
                                  – Service VLAN: VLAN 102
                                  – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

AP system profile               • AC_1: ap-system
                                • AC_2: ap-system1
                                • AC_3: ap-system and ap-system1

Global priority                 AC_1: 6
                                AC_2: 6
                                AC_3: 5

Individual priority             AP1: 3
                                AP2: 3

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the switches and ACs to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN and VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 (connected
to AC_1) to VLAN 100 and VLAN 101, GE0/0/2 (connected to AC_2) to VLAN 100 and
VLAN 102, and GE0/0/3 and GE0/0/4 (connected to AC_3 and Switch_2 respectively) to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit

# On AC_1, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_1-Vlanif100] quit

# On AC_2, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC_2-Vlanif100] quit

# On AC_3, add GE0/0/1 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-Vlanif100] ip address 10.23.100.4 255.255.255.0
[AC_3-Vlanif100] quit

Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit

Step 3 Configure basic WLAN services on AC_1.


1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create AP system profile ap-system and configure the AP's individual priority.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] priority 3
Warning: This action will take effect after resetting AP.
[AC_1-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services and AP priority for AC_2.

# Configure basic parameters for AC_2 according to the configurations of AC_1.

# Configure the source interface of AC_2.


[AC_2] capwap source interface vlanif 100
[AC_2] wlan

# Create AP group ap-group2.


[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.


[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system1 and configure the AP priority.


[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] priority 3
Warning: This action will take effect after resetting AP.
[AC_2-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit

# Set the other parameters in the same way as on AC_1.


Step 5 Configure basic WLAN services on AC_3.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the AC's source interface.


[AC_3] capwap source interface vlanif 100

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state.
The command output shows that both APs are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 -  AP5030DN fault 0   -      -
1    60de-4474-9640 area_2 ap-group2 -  AP5030DN fault 0   -      -
--------------------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.


# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.100.2
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profiles and AP system profiles to the AP groups: apply VAP profile
wlan-net to radio 0 and radio 1 of the APs in ap-group1, and VAP profile wlan-net1 to
radio 0 and radio 1 of the APs in ap-group2.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.

# On AC_1, configure the AC's global priority and IP address of AC_3.

NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# On AC_2, configure the AC's global priority and IP address of AC_3.


[AC_2-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# Configure the global priority of AC_3.


[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.

# Run the display ac protect and display ap-system-profile commands on AC_1 to check
N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_2 to check
N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.2
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.3
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 ac protect protect-ac 10.23.100.4 priority 6
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-system-profile name ap-system
  priority 3
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 102
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
wlan
 ac protect protect-ac 10.23.100.4 priority 6
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-system-profile name ap-system1
  priority 3
 ap-group name ap-group2
  ap-system-profile ap-system1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 100 to 102
#
interface Vlanif100
 ip address 10.23.100.4 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
 ac protect priority 5
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-system-profile name ap-system
  protect-ac ip-address 10.23.100.2
 ap-system-profile name ap-system1
  protect-ac ip-address 10.23.100.3
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-group name ap-group2
  ap-system-profile ap-system1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
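
AC_3 repeats the VAP, SSID and security profiles of AC_1 and AC_2 by hand, so a wrong binding on the standby only shows up after a switchover. The following check is an added example (not part of the original document and not Huawei tooling): it parses the wlan view of saved configuration files and reports where the standby AC differs from an active AC. The sample configurations are constructed from the profile names and VLANs used above, the cipher strings are placeholders, and treating an omitted forward-mode as direct-forward is an assumption based on the configuration files on this page.

```python
import re

KINDS = ("security-profile|ssid-profile|vap-profile|ap-system-profile|"
         "regulatory-domain-profile|ap-group")
HEADER = re.compile(rf"^(?:({KINDS}) name|(ap-id)) (\S+)")

def parse_wlan(cfg):
    """Map (kind, name) -> attribute lines for every block in the wlan view."""
    blocks, current, in_wlan = {}, None, False
    for raw in cfg.splitlines():
        line = raw.strip()              # works with or without indentation
        if line in ("#", "return"):     # end of a top-level view
            in_wlan, current = False, None
        elif line == "wlan":
            in_wlan = True
        elif in_wlan and line:
            m = HEADER.match(line)
            if m:
                key = (m.group(1) or m.group(2), m.group(3))
                current = blocks.setdefault(key, [])
            elif current is not None:   # lines before the first block are ignored
                current.append(line)
    return blocks

def value(lines, prefix, default=None):
    """Return the argument of the first line that starts with `prefix`."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return default

def vap_view(blocks, vap):
    """Resolve one VAP profile into the settings a station actually gets."""
    attrs = blocks[("vap-profile", vap)]
    ssid_ref = value(attrs, "ssid-profile")
    sec_ref = value(attrs, "security-profile")
    policy = value(blocks.get(("security-profile", sec_ref), []), "security")
    if policy:
        # Cipher text differs per device, so compare the policy keywords only.
        policy = re.sub(r"pass-phrase \S+", "pass-phrase *", policy)
    return {
        "service-vlan": value(attrs, "service-vlan vlan-id"),
        # Assumption: forward-mode is omitted from the saved file when it is direct-forward.
        "forward-mode": value(attrs, "forward-mode", "direct-forward"),
        "ssid-profile": ssid_ref,
        "ssid": value(blocks.get(("ssid-profile", ssid_ref), []), "ssid"),
        "security-profile": sec_ref,
        "security": policy,
    }

def audit_standby(active_cfgs, standby_cfg):
    """Return findings; an empty list means the standby mirrors every active AC."""
    standby, findings = parse_wlan(standby_cfg), []
    for (kind, name), attrs in standby.items():
        if kind != "vap-profile":
            continue
        for ref_kind in ("ssid-profile", "security-profile"):
            ref = value(attrs, ref_kind)
            if ref is not None and (ref_kind, ref) not in standby:
                findings.append(
                    f"standby: vap-profile {name} references missing {ref_kind} {ref}")
    for ac, cfg in active_cfgs.items():
        active = parse_wlan(cfg)
        for kind, vap in active:
            if kind != "vap-profile":
                continue
            if ("vap-profile", vap) not in standby:
                findings.append(f"{ac}: vap-profile {vap} missing on standby")
                continue
            want, got = vap_view(active, vap), vap_view(standby, vap)
            findings += [f"{ac}: vap-profile {vap} {k}: active={want[k]} standby={got[k]}"
                         for k in want if want[k] != got[k]]
    return findings

def profile(name, vlan, cipher):
    """Constructed sample: one security/SSID/VAP profile set in config-file syntax."""
    return (f" security-profile name {name}\n"
            f"  security wpa-wpa2 psk pass-phrase {cipher} aes\n"
            f" ssid-profile name {name}\n"
            f"  ssid {name}\n"
            f" vap-profile name {name}\n"
            f"  service-vlan vlan-id {vlan}\n"
            f"  ssid-profile {name}\n"
            f"  security-profile {name}\n")

# Constructed sample input (placeholder cipher strings, not real key material).
ACTIVE = {
    "AC_1": "wlan\n ac protect protect-ac 10.23.100.4 priority 6\n"
            + profile("wlan-net", 101, "%^%#placeholder-1%^%#") + "#\nreturn\n",
    "AC_2": "wlan\n ac protect protect-ac 10.23.100.4 priority 6\n"
            + profile("wlan-net1", 102, "%^%#placeholder-2%^%#") + "#\nreturn\n",
}
STANDBY_OK = ("wlan\n ac protect priority 5\n"
              + profile("wlan-net", 101, "%^%#placeholder-3%^%#")
              + profile("wlan-net1", 102, "%^%#placeholder-4%^%#") + "#\nreturn\n")
# Same standby, but VAP profile wlan-net1 is bound to the wrong security profile.
STANDBY_BAD = STANDBY_OK.replace("  security-profile wlan-net1\n",
                                 "  security-profile wlan-net\n")

if __name__ == "__main__":
    for finding in audit_standby(ACTIVE, STANDBY_BAD):
        print(finding)
```

In the constructed mismatch both security profiles resolve to the same policy, so stations would still associate after a switchover; the wrong binding only breaks authentication once the two profiles' pass-phrases differ, which is why it is worth catching from the configuration files.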

4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
network reliability requirements and tolerate temporary service interruption. To save costs,
one AC is required to serve as the backup of all ACs. In this scenario, the enterprise can
deploy a high-performance AC at the headquarters as a standby AC to provide backup
services for active ACs at the branches. To further improve reliability of ACs, VRRP HSB
can be configured for each AC.

Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-49 Networking for configuring N+1 backup and VRRP HSB

[Figure: network diagram. Enterprise headquarters: AC_3 and AC_3b (VRRP) and Router_3
(VLANIF200: 10.23.200.1/24), connected to the Internet. Enterprise branch 1: AC_1 and
AC_1b (VRRP), Router_1, Switch_1, AP_1 and STA_1; management VLAN 99, service VLAN 101.
Enterprise branch 2: AC_2 and AC_2b (VRRP), Router_2, Switch_2, AP_2 and STA_2;
management VLAN 100, service VLAN 102.]

Data Planning

Table 4-48 AC data planning


Item: Data

Active and standby ACs in N+1 backup mode:
  • The VRRP group consisting of AC_1 and AC_1b functions as an active AC in N+1 backup mode.
  • The VRRP group consisting of AC_2 and AC_2b functions as an active AC in N+1 backup mode.
  • The VRRP group consisting of AC_3 and AC_3b functions as the standby AC in N+1 backup mode.

Management VLAN for APs:
  AC_1 and AC_1b: VLAN 99
  AC_2 and AC_2b: VLAN 100

Service VLAN for STAs:
  AC_1 and AC_1b: VLAN 101
  AC_2 and AC_2b: VLAN 102

DHCP server:
  Router_3 functions as a DHCP server to assign IP addresses to APs and STAs.
  STAs' gateway:
  • STA_1: 10.23.101.1/24
  • STA_2: 10.23.102.1/24
  APs' gateway:
  • AP_1: 10.23.99.1/24
  • AP_2: 10.23.100.1/24

IP address pool for APs:
  AP_1: 10.23.99.2-10.23.99.254/24
  AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs:
  STA1: 10.23.101.2-10.23.101.254/24
  STA2: 10.23.102.2-10.23.102.254/24

AC_1's source IP address: 10.23.201.1/24

AC_2's source IP address: 10.23.202.1/24

AC_3's source IP address: 10.23.203.1/24

AP group:
  AC_1 and AC_1b:
  • Name: ap-group1
  • Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and regulatory domain profile default
  AC_2 and AC_2b:
  • Name: ap-group2
  • Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1, and regulatory domain profile default
  AC_3 and AC_3b:
  • Name: ap-group1
    – Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and regulatory domain profile default
  • Name: ap-group2
    – Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1, and regulatory domain profile default

Regulatory domain profile:
  • Name: default
  • Country code: China

SSID profile:
  AC_1 and AC_1b:
  • Name: wlan-net
  • SSID name: wlan-net
  AC_2 and AC_2b:
  • Name: wlan-net1
  • SSID name: wlan-net1
  AC_3 and AC_3b:
  • Name: wlan-net
  • SSID name: wlan-net
  • Name: wlan-net1
  • SSID name: wlan-net1

Security profile:
  AC_1, AC_1b, AC_3, and AC_3b:
  • Name: wlan-net
  • Security policy: WPA-WPA2+PSK+AES
  • Password: a1234567
  AC_2, AC_2b, AC_3, and AC_3b:
  • Name: wlan-net1
  • Security policy: WPA-WPA2+PSK+AES
  • Password: a1234567

AP system profile:
  ap-system:
  • Primary AC: 10.23.201.1
  • Secondary AC: 10.23.203.1
  ap-system1:
  • Primary AC: 10.23.202.1
  • Secondary AC: 10.23.203.1

VAP profile:
  AC_1 and AC_1b:
  • Name: wlan-net
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 101
  • Referenced profiles: SSID profile wlan-net and security profile wlan-net
  AC_2 and AC_2b:
  • Name: wlan-net1
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 102
  • Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
  AC_3 and AC_3b:
  • Name: wlan-net
    – Forwarding mode: direct forwarding
    – Service VLAN: VLAN 101
    – Referenced profiles: SSID profile wlan-net and security profile wlan-net
  • Name: wlan-net1
    – Forwarding mode: direct forwarding
    – Service VLAN: VLAN 102
    – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

Global priority:
  AC_1 and AC_1b: 0
  AC_2 and AC_2b: 0
  AC_3 and AC_3b: 5

IP address and port number of the HSB channel between AC_1 and AC_1b:
  • IP address of VLANIF 111: 10.23.111.1/24 (AC_1) and 10.23.111.2/24 (AC_1b)
  • Port number: 10241

IP address and port number of the HSB channel between AC_2 and AC_2b:
  • IP address of VLANIF 111: 10.23.111.3/24 (AC_2) and 10.23.111.4/24 (AC_2b)
  • Port number: 10241

IP address and port number of the HSB channel between AC_3 and AC_3b:
  • IP address of VLANIF 111: 10.23.111.5/24 (AC_3) and 10.23.111.6/24 (AC_3b)
  • Port number: 10241

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure a VRRP group on AC_1 and AC_1b, on AC_2 and AC_2b, as well as on
AC_3 and AC_3b, respectively.
3. Configure the VRRP group consisting of AC_1 and AC_1b as the active AC of AP_1
and the VRRP group consisting of AC_2 and AC_2b as the active AC of AP_2, and
configure basic WLAN services on the active ACs.
4. Configure AC_3 and AC_3b as the standby ACs of AP_1 and AP_2, and configure basic
WLAN services on the standby ACs. Ensure that service configurations on the standby ACs
are the same as those on the active ACs.
5. Configure N+1 backup on the active ACs first and then on the standby ACs. When N+1
backup is enabled, all APs are restarted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and add Eth2/0/1 and Eth2/0/2 connected to AC_1
and AC_1b respectively to VLAN 201. Configure the IP address 10.23.99.1/24 for VLANIF
99, 10.23.101.1/24 for VLANIF 101 and 10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface ethernet 2/0/2
[Router_1-Ethernet2/0/2] port link-type trunk
[Router_1-Ethernet2/0/2] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/2] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and add Eth2/0/1 and Eth2/0/2 connected to AC_2
and AC_2b respectively to VLAN 202. Configure the IP address 10.23.100.1/24 for VLANIF
100, 10.23.102.1/24 for VLANIF 102 and 10.23.202.2/24 for VLANIF 202. See Router_1 for
the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and add Eth2/0/1 and Eth2/0/2 connected to AC_3 and AC_3b respectively to
VLAN 203. Configure the IP address 10.23.200.1/24 for VLANIF 200. Configure the IP
address 10.23.203.2/24 for VLANIF 203. See Router_1 for the detailed configuration
procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the PVID of GE0/0/1 is VLAN
99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit


# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the PVID of GE0/0/1 is
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.3/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.3 255.255.255.0
[AC_1-Vlanif201] quit

# Configure AC_1b in the same way as AC_1. The difference is that IP address
10.23.201.4/24 needs to be configured for VLANIF 201 on AC_1b.
# On AC_2, create VLAN 102 and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.3/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# Configure AC_2b in the same way as AC_2. The difference is that IP address
10.23.202.4/24 needs to be configured for VLANIF 202 on AC_2b.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.3/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure AC_3b in the same way as AC_3. The difference is that IP address
10.23.203.4/24 needs to be configured for VLANIF 203 on AC_3b.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# Configure AC_1b in the same way.


# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

# Configure AC_2b in the same way.


Step 2 Configure network interworking between ACs in each VRRP group.
# Create VLAN 111 on AC_1, add GE0/0/2 on AC_1 connected to AC_1b to VLAN 111, and
set the IP address of VLANIF 111 to 10.23.111.1/24.
[AC_1] vlan batch 111
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 111
[AC_1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 111
[AC_1-Vlanif111] ip address 10.23.111.1 255.255.255.0
[AC_1-Vlanif111] quit

# Configure AC_1b, AC_2, AC_2b, AC_3, and AC_3b in the same way. The only difference is
the IP address of VLANIF 111.
• VLANIF 111 on AC_1b: 10.23.111.2/24
• VLANIF 111 on AC_2: 10.23.111.3/24
• VLANIF 111 on AC_2b: 10.23.111.4/24
• VLANIF 111 on AC_3: 10.23.111.5/24
• VLANIF 111 on AC_3b: 10.23.111.6/24
Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.
# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which will cause APs to connect to an incorrect AC based on the AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit

Step 4 Configure VRRP HSB.


# Configure VRRP HSB on AC_1.
[AC_1] vrrp recover-delay 60
[AC_1] interface vlanif 201
[AC_1-Vlanif201] vrrp vrid 1 virtual-ip 10.23.201.1
[AC_1-Vlanif201] vrrp vrid 1 priority 120
[AC_1-Vlanif201] vrrp vrid 1 preempt-mode timer delay 1800
[AC_1-Vlanif201] admin-vrrp vrid 1
[AC_1-Vlanif201] quit
[AC_1] hsb-service 0
[AC_1-hsb-service-0] service-ip-port local-ip 10.23.111.1 peer-ip 10.23.111.2 local-data-port 10241 peer-data-port 10241
[AC_1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_1-hsb-service-0] quit
[AC_1] hsb-group 0
[AC_1-hsb-group-0] bind-service 0
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 201
[AC_1-hsb-group-0] quit
[AC_1] hsb-service-type access-user hsb-group 0
[AC_1] hsb-service-type ap hsb-group 0
[AC_1] hsb-service-type dhcp hsb-group 0
[AC_1] hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1-hsb-group-0] quit

# Configure VRRP HSB on AC_1b.


[AC_1b] vrrp recover-delay 60
[AC_1b] interface vlanif 201
[AC_1b-Vlanif201] vrrp vrid 1 virtual-ip 10.23.201.1
[AC_1b-Vlanif201] admin-vrrp vrid 1
[AC_1b-Vlanif201] quit
[AC_1b] hsb-service 0
[AC_1b-hsb-service-0] service-ip-port local-ip 10.23.111.2 peer-ip 10.23.111.1 local-data-port 10241 peer-data-port 10241
[AC_1b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_1b-hsb-service-0] quit
[AC_1b] hsb-group 0
[AC_1b-hsb-group-0] bind-service 0
[AC_1b-hsb-group-0] track vrrp vrid 1 interface vlanif 201
[AC_1b-hsb-group-0] quit
[AC_1b] hsb-service-type access-user hsb-group 0
[AC_1b] hsb-service-type ap hsb-group 0
[AC_1b] hsb-service-type dhcp hsb-group 0
[AC_1b] hsb-group 0
[AC_1b-hsb-group-0] hsb enable
[AC_1b-hsb-group-0] quit

# Configure VRRP HSB on AC_2.


[AC_2] vrrp recover-delay 60
[AC_2] interface vlanif 202
[AC_2-Vlanif202] vrrp vrid 1 virtual-ip 10.23.202.1
[AC_2-Vlanif202] vrrp vrid 1 priority 120
[AC_2-Vlanif202] vrrp vrid 1 preempt-mode timer delay 1800
[AC_2-Vlanif202] admin-vrrp vrid 1
[AC_2-Vlanif202] quit
[AC_2] hsb-service 0
[AC_2-hsb-service-0] service-ip-port local-ip 10.23.111.3 peer-ip 10.23.111.4 local-data-port 10241 peer-data-port 10241
[AC_2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_2-hsb-service-0] quit
[AC_2] hsb-group 0
[AC_2-hsb-group-0] bind-service 0
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 202
[AC_2-hsb-group-0] quit
[AC_2] hsb-service-type access-user hsb-group 0
[AC_2] hsb-service-type ap hsb-group 0
[AC_2] hsb-service-type dhcp hsb-group 0
[AC_2] hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2-hsb-group-0] quit

# Configure VRRP HSB on AC_2b.


[AC_2b] vrrp recover-delay 60
[AC_2b] interface vlanif 202
[AC_2b-Vlanif202] vrrp vrid 1 virtual-ip 10.23.202.1
[AC_2b-Vlanif202] admin-vrrp vrid 1
[AC_2b-Vlanif202] quit
[AC_2b] hsb-service 0
[AC_2b-hsb-service-0] service-ip-port local-ip 10.23.111.4 peer-ip 10.23.111.3 local-data-port 10241 peer-data-port 10241
[AC_2b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_2b-hsb-service-0] quit
[AC_2b] hsb-group 0
[AC_2b-hsb-group-0] bind-service 0
[AC_2b-hsb-group-0] track vrrp vrid 1 interface vlanif 202
[AC_2b-hsb-group-0] quit
[AC_2b] hsb-service-type access-user hsb-group 0
[AC_2b] hsb-service-type ap hsb-group 0
[AC_2b] hsb-service-type dhcp hsb-group 0
[AC_2b] hsb-group 0
[AC_2b-hsb-group-0] hsb enable
[AC_2b-hsb-group-0] quit

# Configure VRRP HSB on AC_3.


[AC_3] vrrp recover-delay 60
[AC_3] interface vlanif 203
[AC_3-Vlanif203] vrrp vrid 1 virtual-ip 10.23.203.1
[AC_3-Vlanif203] vrrp vrid 1 priority 120
[AC_3-Vlanif203] vrrp vrid 1 preempt-mode timer delay 1800
[AC_3-Vlanif203] admin-vrrp vrid 1
[AC_3-Vlanif203] quit
[AC_3] hsb-service 0
[AC_3-hsb-service-0] service-ip-port local-ip 10.23.111.5 peer-ip 10.23.111.6 local-data-port 10241 peer-data-port 10241
[AC_3-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_3-hsb-service-0] quit
[AC_3] hsb-group 0
[AC_3-hsb-group-0] bind-service 0
[AC_3-hsb-group-0] track vrrp vrid 1 interface vlanif 203
[AC_3-hsb-group-0] quit
[AC_3] hsb-service-type access-user hsb-group 0
[AC_3] hsb-service-type ap hsb-group 0
[AC_3] hsb-service-type dhcp hsb-group 0
[AC_3] hsb-group 0
[AC_3-hsb-group-0] hsb enable
[AC_3-hsb-group-0] quit

# Configure VRRP HSB on AC_3b.


[AC_3b] vrrp recover-delay 60
[AC_3b] interface vlanif 203
[AC_3b-Vlanif203] vrrp vrid 1 virtual-ip 10.23.203.1
[AC_3b-Vlanif203] admin-vrrp vrid 1
[AC_3b-Vlanif203] quit
[AC_3b] hsb-service 0
[AC_3b-hsb-service-0] service-ip-port local-ip 10.23.111.6 peer-ip 10.23.111.5 local-data-port 10241 peer-data-port 10241
[AC_3b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_3b-hsb-service-0] quit
[AC_3b] hsb-group 0
[AC_3b-hsb-group-0] bind-service 0
[AC_3b-hsb-group-0] track vrrp vrid 1 interface vlanif 203
[AC_3b-hsb-group-0] quit
[AC_3b] hsb-service-type access-user hsb-group 0
[AC_3b] hsb-service-type ap hsb-group 0
[AC_3b] hsb-service-type dhcp hsb-group 0
[AC_3b] hsb-group 0
[AC_3b-hsb-group-0] hsb enable
[AC_3b-hsb-group-0] quit

# Use virtual IP addresses of VRRP groups to configure static routes based on actual network
conditions. The configuration procedure is not provided here.
• Enable AP_1 to communicate with the VRRP group consisting of AC_3 and AC_3b.
• Enable AP_2 to communicate with the VRRP group consisting of AC_3 and AC_3b.
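
A consistency check for the Step 4 settings, as an added example that is not part of the original document: it parses prompt-prefixed CLI lines and verifies that the two members of a VRRP HSB pair mirror each other and that no HSB address is claimed twice across the ACs. The function names and the member() transcript builder are hypothetical; the addresses, port and timers are the values used in this example.

```python
import re

PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # view prompt, e.g. [AC_1-hsb-group-0]

def member(name, vlanif, vip, local, peer, priority=None):
    """Build a constructed transcript that follows the Step 4 command order."""
    lines = [f"[{name}-Vlanif{vlanif}] vrrp vrid 1 virtual-ip {vip}"]
    if priority is not None:
        lines.append(f"[{name}-Vlanif{vlanif}] vrrp vrid 1 priority {priority}")
    lines += [
        f"[{name}-hsb-service-0] service-ip-port local-ip {local} peer-ip {peer} "
        "local-data-port 10241 peer-data-port 10241",
        f"[{name}-hsb-service-0] service-keep-alive detect retransmit 3 interval 6",
        f"[{name}-hsb-group-0] bind-service 0",
        f"[{name}-hsb-group-0] track vrrp vrid 1 interface vlanif {vlanif}",
        f"[{name}] hsb-service-type access-user hsb-group 0",
        f"[{name}] hsb-service-type ap hsb-group 0",
        f"[{name}] hsb-service-type dhcp hsb-group 0",
        f"[{name}-hsb-group-0] hsb enable",
    ]
    return "\n".join(lines)

def parse_ac(transcript):
    """Extract the VRRP and HSB settings of one AC from its CLI lines."""
    cfg = {"vrrp": {}, "hsb": None, "keepalive": None, "track": None,
           "types": set(), "enabled": False}
    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+)", cmd):
            cfg["vrrp"][int(m[1])] = m[2]
        elif m := re.fullmatch(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                               r"local-data-port (\d+) peer-data-port (\d+)", cmd):
            cfg["hsb"] = (m[1], m[2], int(m[3]), int(m[4]))
        elif m := re.fullmatch(r"service-keep-alive detect retransmit (\d+) interval (\d+)", cmd):
            cfg["keepalive"] = (int(m[1]), int(m[2]))
        elif m := re.fullmatch(r"track vrrp vrid (\d+) interface (.+)", cmd):
            cfg["track"] = (int(m[1]), m[2].lower())
        elif m := re.fullmatch(r"hsb-service-type (\S+) hsb-group \d+", cmd):
            cfg["types"].add(m[1])
        elif cmd == "hsb enable":
            cfg["enabled"] = True
    return cfg

def check_pair(a, b):
    """Return a list of findings for two ACs that should form one VRRP HSB pair."""
    findings = []
    if not a["vrrp"] or a["vrrp"] != b["vrrp"]:
        findings.append("VRRP vrid/virtual-ip differ or are missing")
    if not (a["hsb"] and b["hsb"]):
        findings.append("service-ip-port is missing on one member")
    else:
        a_local, a_peer, a_lport, a_pport = a["hsb"]
        b_local, b_peer, b_lport, b_pport = b["hsb"]
        if (a_local, a_peer) != (b_peer, b_local):
            findings.append("HSB local-ip/peer-ip are not mirrored")
        if (a_lport, a_pport) != (b_pport, b_lport):
            findings.append("HSB data ports are not mirrored")
    if a["keepalive"] != b["keepalive"]:
        findings.append("service-keep-alive timers differ")
    for label, cfg in (("first", a), ("second", b)):
        if cfg["track"] is None or cfg["track"][0] not in cfg["vrrp"]:
            findings.append(f"{label} member: hsb-group tracks no configured VRRP group")
        if not cfg["enabled"]:
            findings.append(f"{label} member: hsb enable is missing")
    if a["track"] != b["track"]:
        findings.append("tracked VRRP group or interface differs")
    if a["types"] != b["types"]:
        findings.append("hsb-service-type sets differ")
    return findings

def duplicate_endpoints(fleet):
    """Return HSB local IPs claimed by more than one AC (fleet: name -> parsed cfg)."""
    seen = {}
    for name, cfg in fleet.items():
        if cfg["hsb"]:
            seen.setdefault(cfg["hsb"][0], []).append(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    # The three pairs of this example: (active, backup, VLANIF, virtual IP, HSB IPs).
    plan = [("AC_1", "AC_1b", 201, "10.23.201.1", "10.23.111.1", "10.23.111.2"),
            ("AC_2", "AC_2b", 202, "10.23.202.1", "10.23.111.3", "10.23.111.4"),
            ("AC_3", "AC_3b", 203, "10.23.203.1", "10.23.111.5", "10.23.111.6")]
    fleet = {}
    for active, backup, vlanif, vip, ip_a, ip_b in plan:
        fleet[active] = parse_ac(member(active, vlanif, vip, ip_a, ip_b, 120))
        fleet[backup] = parse_ac(member(backup, vlanif, vip, ip_b, ip_a))
        print(active, backup, check_pair(fleet[active], fleet[backup]) or "consistent")
    print("duplicate HSB endpoints:", duplicate_endpoints(fleet) or "none")
```

Feeding the function the commands actually typed on each AC, rather than the constructed transcripts, catches a swapped peer-ip before a failover test does.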

Step 5 Configure basic WLAN services on AC_1. Configure basic WLAN services on AC_2 in a
similar way. The difference is that when an AP is in normal state on AC_1, it is in standby
state on AC_2.
1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source IP address of AC_1.


[AC_1] capwap source ip-address 10.23.201.1

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime ExtraInfo
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor   0   10S    -
------------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create AP system profile ap-system and specify the IP address of the backup AC.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_1-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_1-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit

Step 6 Configure basic WLAN services on AC_2. Configure basic WLAN services on AC_2b in the
same way.


# Configure basic parameters for AC_2 according to the configurations of AC_1.


# Configure the source IP address of AC_2.
[AC_2] capwap source ip-address 10.23.202.1

# Create AP group ap-group2.


[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with the MAC address of 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.


[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system1 and specify the IP address of the backup AC.
[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_2-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_2-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit

# Set the other parameters in the same way as on AC_1.

Step 7 Configure basic WLAN services on AC_3. Configure basic WLAN services on AC_3b in the
same way.
1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the source IP address of AC_3.


[AC_3] capwap source ip-address 10.23.203.1

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.

[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status. The
command output shows that the state of both area_1 and area_2 is fault.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extra information:
P : insufficient power supply
-----------------------------------------------------------------------
ID   MAC            Name   Group     IP Type State STA Uptime ExtraInfo
-----------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 -  -    fault 0   -      -
1    60de-4474-9640 area_2 ap-group2 -  -    fault 0   -      -
-----------------------------------------------------------------------
Total: 2
2. Configure WLAN service parameters.
# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_3-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_3-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 8 Enable N+1 backup on AC_1, AC_2, and AC_3. Enable N+1 backup on AC_1b, AC_2b, and
AC_3b in the same way.
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 9 Verify the configuration.


# Run the display ac protect and display ap-system-profile commands on AC_1 to check
N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_2 to check
N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role, which
accelerates service recovery.

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vrrp recover-delay 60
#
vlan batch 101 111 201
#
interface Vlanif111
ip address 10.23.111.1 255.255.255.0
#
interface Vlanif201
ip address 10.23.201.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.201.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source ip-address 10.23.201.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.1 peer-ip 10.23.111.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_1b configuration file
#
sysname AC_1b
#
vrrp recover-delay 60
#
vlan batch 101 111 201
#
interface Vlanif111
ip address 10.23.111.2 255.255.255.0
#
interface Vlanif201
ip address 10.23.201.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.201.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source ip-address 10.23.201.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.2 peer-ip 10.23.111.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vrrp recover-delay 60
#
vlan batch 102 111 202
#
interface Vlanif111
ip address 10.23.111.3 255.255.255.0
#
interface Vlanif202
ip address 10.23.202.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.202.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source ip-address 10.23.202.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.3 peer-ip 10.23.111.4 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif202
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_2b configuration file
#
sysname AC_2b
#
vrrp recover-delay 60
#
vlan batch 102 111 202
#
interface Vlanif111
ip address 10.23.111.4 255.255.255.0
#
interface Vlanif202
ip address 10.23.202.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.202.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source ip-address 10.23.202.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.4 peer-ip 10.23.111.3 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif202
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vrrp recover-delay 60
#
vlan batch 101 to 102 111 203
#
interface Vlanif111
ip address 10.23.111.5 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.203.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
capwap source ip-address 10.23.203.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.5 peer-ip 10.23.111.6 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif203
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^
\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/
mLXEK%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3b configuration file
#
sysname AC_3b
#
vrrp recover-delay 60
#
vlan batch 101 to 102 111 203
#
interface Vlanif111
ip address 10.23.111.6 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.203.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
capwap source ip-address 10.23.203.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.6 peer-ip 10.23.111.5 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif203
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^
\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/
mLXEK%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 202
#
return

• Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 203
#
return
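
The Router_3 address pools above deliver the AC addresses to APs in DHCP Option 43 (sub-option 2, a list of IPv4 addresses). The following Python is an added example, not part of the Huawei document: it decodes an Option 43 payload taken from a captured DHCP offer and reports any advertised AC that is not on the expected list. It assumes the RFC 2132 type-length-value layout for sub-options, 4-byte addresses in sub-option 2 and a comma-separated ASCII string in sub-option 3; the function names are hypothetical and the payloads are constructed from the addresses used on this page.

```python
import ipaddress


def encode_ip_list(addresses):
    """Build sub-option 2: code 2, length, then 4 bytes per IPv4 address."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return bytes([2, len(body)]) + body


def encode_ascii(text):
    """Build sub-option 3: code 3, length, then the ASCII string."""
    body = text.encode("ascii")
    return bytes([3, len(body)]) + body


def parse_suboptions(payload):
    """Decode an Option 43 payload into (code, value) pairs, rejecting truncation."""
    pairs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} is truncated")
        pairs.append((code, value))
        i += 2 + length
    return pairs


def advertised_acs(payload):
    """Return every AC address carried in sub-options 2 and 3, in order."""
    acs = []
    for code, value in parse_suboptions(payload):
        if code == 2:
            if len(value) % 4:
                raise ValueError("sub-option 2 length is not a multiple of 4")
            acs.extend(ipaddress.IPv4Address(value[j:j + 4])
                       for j in range(0, len(value), 4))
        elif code == 3:
            # Assumption: several addresses are separated by commas.
            acs.extend(ipaddress.IPv4Address(part.strip())
                       for part in value.decode("ascii").split(","))
    return acs


def unexpected_acs(payload, allowed):
    """Return advertised AC addresses that are not in the allowed set."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed}
    return [ac for ac in advertised_acs(payload) if ac not in allowed]


if __name__ == "__main__":
    # Constructed payload matching pool ap_1_pool on Router_3.
    offer = encode_ip_list(["10.23.201.1", "10.23.203.1"])
    print(offer.hex(), [str(a) for a in advertised_acs(offer)])
    # Constructed payload with an address that is not one of the planned ACs.
    odd = encode_ip_list(["10.23.201.1", "10.23.99.50"])
    print([str(a) for a in unexpected_acs(odd, ["10.23.201.1", "10.23.203.1"])])
```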


4.9 Roaming Configuration Examples


4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
Service Requirements
Enterprise users can access the network through WLANs, which is a basic requirement of
mobile office. To manage departments separately, employees are assigned to different
subnets by department. Furthermore, users' services are not affected during roaming in the
coverage area.

Networking Requirement
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-50 Networking for configuring inter-VLAN Layer 3 roaming

Data Planning

Table 4-49 AC data planning

Item: Management VLANs for APs
Data: VLAN 10 and VLAN 100

Item: Service VLAN for STAs
Data:
• area_1: VLAN 101
• area_2: VLAN 102

Item: DHCP server
Data: The AC functions as a DHCP server to assign IP addresses to APs.
The aggregation switch functions as a DHCP server for STAs. The default
gateway IP addresses of STAs are 10.23.101.2/24 and 10.23.102.2/24.

Item: IP address pool for APs
Data: 10.23.10.2-10.23.10.254/24

Item: IP address pool for STAs
Data:
• area_1: 10.23.101.3-10.23.101.254/24
• area_2: 10.23.102.3-10.23.102.254/24

Item: AC's source interface address
Data: VLANIF 100: 10.23.100.1/24

Item: AP group
Data:
• Name: ap-group1
• Referenced profiles: VAP profile wlan-net1, regulatory domain profile default,
  2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

• Name: ap-group2
• Referenced profiles: VAP profile wlan-net2, regulatory domain profile default,
  2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

Item: Regulatory domain profile
Data:
• Name: default
• Country code: China
• Calibration channel set: calibration bandwidth and channels for 2.4 GHz and
  5 GHz radios

Item: SSID profile
Data:
• Name: wlan-net
• SSID name: wlan-net

Item: Security profile
Data:
• Name: wlan-net
• Security policy: WPA-WPA2+PSK+AES
• Password: a1234567

Item: VAP profile
Data:
• Name: wlan-net1
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 101
• Referenced profiles: SSID profile wlan-net and security profile wlan-net

• Name: wlan-net2
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net and security profile wlan-net

Item: Air scan profile
Data:
• Name: wlan-airscan
• Probe channel set: calibration channels
• Air scan interval: 60000 ms
• Air scan period: 60 ms

Item: 2G radio profile
Data:
• Name: wlan-radio2g
• Referenced profiles: air scan profile wlan-airscan

Item: 5G radio profile
Data:
• Name: wlan-radio5g
• Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to the network
plan, or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may become congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
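
Two of the notes above (port isolation on AP-facing switch interfaces, and distinct management and service VLANs in tunnel forwarding mode) can be checked against saved configuration files. The following Python script is an added example, not Huawei tooling. It assumes that AP-facing ports are the trunk ports whose PVID is the AP management VLAN, as in the switch configurations in this document; the sample configurations and the profile name wlan-tunnel are constructed.

```python
import re

# Inside the "wlan" section, a profile, AP group or AP entry starts with a
# "<type> name <name>" line or an "ap-id <n> ..." line.
_SECTION_START = re.compile(r"^(\S+ name \S+|ap-id \d+\b.*)$")


def parse_blocks(config_text):
    """Split a configuration file into blocks delimited by '#' lines."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def ap_ports_without_isolation(switch_config, mgmt_vlan):
    """Names of interfaces with PVID mgmt_vlan that lack port-isolate enable."""
    pvid_line = f"port trunk pvid vlan {mgmt_vlan}"
    findings = []
    for block in parse_blocks(switch_config):
        if not block[0].startswith("interface "):
            continue
        faces_ap = pvid_line in block[1:]
        isolated = any(l.startswith("port-isolate enable") for l in block[1:])
        if faces_ap and not isolated:
            findings.append(block[0].split(None, 1)[1])
    return findings


def tunnel_vaps_on_mgmt_vlan(ac_config, mgmt_vlan):
    """Names of tunnel-mode VAP profiles whose service VLAN is mgmt_vlan."""
    findings = []
    for block in parse_blocks(ac_config):
        if block[0] != "wlan":
            continue
        sections, current = {}, None
        for line in block[1:]:
            if _SECTION_START.match(line):
                current = sections.setdefault(line, [])
            elif current is not None:
                current.append(line)
        for header, body in sections.items():
            if (header.startswith("vap-profile name ")
                    and "forward-mode tunnel" in body
                    and f"service-vlan vlan-id {mgmt_vlan}" in body):
                findings.append(header.split()[-1])
    return findings


# Constructed sample: GE0/0/3 faces an AP (PVID 10) but is not isolated.
SAMPLE_SWITCH = """#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 102
#
return
"""

# Constructed sample: wlan-tunnel (hypothetical) reuses management VLAN 100.
SAMPLE_AC = """#
sysname AC
#
wlan
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  ssid-profile wlan-net
 vap-profile name wlan-tunnel
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-net
#
return
"""

if __name__ == "__main__":
    print(ap_ports_without_isolation(SAMPLE_SWITCH, 10))
    print(tunnel_vaps_on_mgmt_vlan(SAMPLE_AC, 100))
```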

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN 102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add area_1 and area_2 to AP groups ap-group1 and
ap-group2, respectively. Assume that the MAC address of area_1 is 60de-4476-e360.
Configure a name for the AP based on the AP's deployment location, so that you can know
where the AP is deployed from its name. For example, name the AP area_1 if it is deployed
in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
----------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
----------------
0 60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0
15S -
1 dcd2-fc04-b500 area_2 ap-group2 10.23.10.253 AP5030DN nor 0
10S -
----------------------------------------------------------------------------------
----------------
Total: 2

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.

NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profiles wlan-net1 and wlan-net2, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] quit
[AC-wlan-view] vap-profile name wlan-net2
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] quit

# Bind the VAP profiles to the AP groups. Apply VAP profile wlan-net1 to radio 0 and radio
1 of area_1, and VAP profile wlan-net2 to radio 0 and radio 1 of area_2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 7 Set channels and power for the AP radios.

# Enable automatic channel and power calibration functions of the radio.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to AP groups
ap-group1 and ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------
------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
----------------------------------------------------------------------------------
------
e019-1dc7-1e08 1 area_2 1/1 5G 11n 46/59 -58 101
10.23.101.254
----------------------------------------------------------------------------------
------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60DE-4476-E370 2016/01/12 16:52:58 -51/-48 46/13
L3 10.23.100.1 area_2 1
60DE-4474-9650 2016/01/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 102
 port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net2
  service-vlan vlan-id 102
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net1 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net1 wlan 1
 ap-group name ap-group2
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net2 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net2 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
  ap-name area_2
  ap-group ap-group2
#
return
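
The security-profile lines in the procedure and in the AC configuration file above can be reviewed mechanically. The following Python sketch is an added example, not part of the Huawei document: it flags policies other than wpa2, TKIP ciphers, and PSK pass-phrases that appear in plain text. The 12-character threshold, the finding names, the profile name legacy-handhelds and the sample text are assumptions constructed for illustration.

```python
import re

# '<prompt> security-profile name <name>' opens a profile; the following
# 'security <policy> psk <pass-phrase|hex> <key> <cipher>' line belongs to it.
# Both patterns work on CLI transcripts and on saved configuration text.
PROFILE_RE = re.compile(r"\bsecurity-profile name (?P<name>\S+)\s*$")
SECURITY_RE = re.compile(
    r"\bsecurity\s+(?P<policy>\S+)\s+psk\s+(?P<keytype>pass-phrase|hex)\s+"
    r"(?P<key>.+?)\s+(?P<cipher>\S+)\s*$"
)

MIN_PASSPHRASE_LEN = 12  # assumed local policy; WPA itself only requires 8 characters


def is_ciphertext(key):
    """Saved configurations store the key wrapped in %^%# ... %^%#."""
    return len(key) > 8 and key.startswith("%^%#") and key.endswith("%^%#")


def audit_security_profiles(text, min_len=MIN_PASSPHRASE_LEN):
    """Return (profile, finding) tuples for every PSK security line in text."""
    findings, profile = [], None
    for line in text.splitlines():
        opened = PROFILE_RE.search(line)
        if opened:
            profile = opened.group("name")
            continue
        sec = SECURITY_RE.search(line)
        if not sec:
            continue
        if sec.group("policy") != "wpa2":
            # 'wpa' and 'wpa-wpa2' both let WPA (version 1) clients associate
            findings.append((profile, "LEGACY_WPA_ALLOWED"))
        if "tkip" in sec.group("cipher"):
            findings.append((profile, "TKIP_ENABLED"))
        if sec.group("keytype") == "pass-phrase" and not is_ciphertext(sec.group("key")):
            # key is readable in a transcript, ticket or script
            findings.append((profile, "PLAINTEXT_KEY"))
            if len(sec.group("key")) < min_len:
                findings.append((profile, "SHORT_PASSPHRASE"))
    return findings


# Constructed sample: CLI transcript in the style of the procedure above.
TRANSCRIPT = """
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net
"""

# Constructed sample: saved configuration with placeholder ciphertext.
# The aes-tkip cipher keyword does not appear on this page; it is used here
# only to exercise the TKIP check.
SAVED = """
wlan
 security-profile name wlan-net
  security wpa2 psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes
 security-profile name legacy-handhelds
  security wpa psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes-tkip
"""

if __name__ == "__main__":
    for source in (TRANSCRIPT, SAVED):
        for name, finding in audit_security_profiles(source):
            print(f"{name}: {finding}")
```

Run it over exported configurations and over any change scripts or tickets that carry CLI transcripts, since the pass-phrase is only stored in cipher text once the device has saved it.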

4.9.2 Example for Configuring Intra-VLAN Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirement
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-51 Networking for configuring intra-VLAN roaming

Data Planning

Table 4-50 AC data planning

Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                               default gateway address of STAs is 10.23.101.2.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                 default, 2G radio profile wlan-radio2g, and 5G radio profile
                                 wlan-radio5g

Regulatory domain profile      • Name: default
                               • Country code: CN
                               • Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                                 and 5 GHz radios

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile
                                 wlan-net

Air scan profile               • Name: wlan-airscan
                               • Probe channel set: calibration channels
                               • Air scan interval: 60000 ms
                               • Air scan period: 60 ms

2G radio profile               • Name: wlan-radio2g
                               • Referenced profiles: air scan profile wlan-airscan

5G radio profile               • Name: wlan-radio5g
                               • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
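
Two of the notes above (port isolation on AP-facing interfaces, and a management VLAN distinct from the service VLAN in tunnel forwarding) can be checked against exported configuration files. The following Python sketch is an added example, not part of the Huawei document. It assumes Layer 2 networking, where the CAPWAP source VLANIF is the AP management VLAN, and treats a port as AP-facing when its PVID is that VLAN; the sample configurations and the profile name guest are constructed.

```python
import re

def stanzas(config_text):
    """Split a saved configuration into stanzas; a line holding only '#' separates them."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks

def ap_ports_without_isolation(switch_config, mgmt_vlan):
    """Return AP-facing interfaces (assumed: PVID == mgmt_vlan) lacking port isolation."""
    missing = []
    for block in stanzas(switch_config):
        head, body = block[0], block[1:]
        if not head.startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        if ap_facing and "port-isolate enable" not in body:
            missing.append(head.split(None, 1)[1])
    return missing

def tunnel_vlan_conflicts(ac_config):
    """Return tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    source = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$",
                       ac_config, re.M | re.I)
    if source is None:
        raise ValueError("no 'capwap source interface vlanif' line found")
    mgmt_vlan = int(source.group(1))
    profiles, current = {}, None
    for block in stanzas(ac_config):
        if block[0] != "wlan":
            continue
        for line in block[1:]:
            header = re.match(r"(\S+) name (\S+)$", line)
            if header:  # any '<type> name <x>' line opens a new sub-view
                current = None
                if header.group(1) == "vap-profile":
                    current = profiles.setdefault(
                        header.group(2), {"tunnel": False, "vlan": None})
            elif current is not None:
                if line == "forward-mode tunnel":
                    current["tunnel"] = True
                vlan = re.match(r"service-vlan vlan-id (\d+)$", line)
                if vlan:
                    current["vlan"] = int(vlan.group(1))
    return sorted(name for name, p in profiles.items()
                  if p["tunnel"] and p["vlan"] == mgmt_vlan)

# Constructed samples in the layout of the configuration files in this document.
SWITCH_SAMPLE = """
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
"""

AC_SAMPLE = """
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
#
"""

if __name__ == "__main__":
    print("AP-facing ports without port isolation:",
          ap_ports_without_isolation(SWITCH_SAMPLE, 100))
    print("Tunnel VAP profiles on the management VLAN:",
          tunnel_vlan_conflicts(AC_SAMPLE))
```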

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
----------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
----------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0
15S -
1 dcd2-fc04-b500 area_2 ap-group1 10.23.100.253 AP5030DN nor 0
10S -
----------------------------------------------------------------------------------
----------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the AP radios.

# Enable automatic channel and power calibration functions of the radio.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC to check the
STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60DE-4476-E370 2016/01/12 16:52:58 -51/-48 46/13
L2 10.23.100.1 area_2 1
60DE-4474-9650 2016/01/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return

4.9.3 Example for Configuring Inter-AC Layer 2 Roaming


Service Requirements
Enterprise users access the network through WLANs, which is the basic requirement of
mobile office. In addition, users' services must not be affected while they roam within the
coverage area.

Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-52 Networking for configuring inter-AC Layer 2 roaming

Data Planning

Table 4-51 AC data planning

Item                             Data

DHCP server                      AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.

IP address pool for APs          10.23.100.3-10.23.100.254/24

IP address pool for STAs         10.23.101.3-10.23.101.254/24

AC's source interface address    VLANIF 100: 10.23.100.1/24
                                 • AC_1: 10.23.100.1/24
                                 • AC_2: 10.23.100.2/24

AP group                         • Name: ap-group1
                                 • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                   default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile        • Name: default
                                 • Country code: CN
                                 • Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                                   and 5 GHz radios

SSID profile                     • Name: wlan-net
                                 • SSID name: wlan-net

Security profile                 • Name: wlan-net
                                 • Security policy: WPA-WPA2+PSK+AES
                                 • Password: a1234567

VAP profile                      • Name: wlan-net
                                 • Forwarding mode: tunnel forwarding
                                 • Service VLAN: VLAN 101
                                 • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile                 • Name: wlan-airscan
                                 • Probe channel set: calibration channels
                                 • Air scan interval: 60000 ms
                                 • Air scan period: 60 ms

2G radio profile                 • Name: wlan-radio2g
                                 • Referenced profiles: air scan profile wlan-airscan

5G radio profile                 • Name: wlan-radio5g
                                 • Referenced profiles: air scan profile wlan-airscan

Mobility group                   • Name: mobility
                                 • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to the network
plan, or configure the radio calibration function so that the APs automatically select the optimal
channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


# On AC_1, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] quit

# On AC_2, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_2-Vlanif100] quit
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.2 255.255.255.0
[AC_2-Vlanif101] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_1-Vlanif101] quit

Step 4 Configure the AP to go online on AC_1.


# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 6 Configure AP_2 to go online and basic WLAN services on AC_2.


On AC_2, configure AP_2 to go online and configure basic WLAN services in the same way as on
AC_1. For details, see the configuration file of AC_2. The configuration differences between
AC_1 and AC_2 are as follows:
• The type of AP added on AC_2 is AP5030DN with MAC address dcd2-fc04-b500. The
  AP name is set to area_2.

Step 7 Set channels and power for the AP radios.


# Enable automatic channel and power calibration functions of the radio.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio 0
[AC_1-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC_1-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-ap-group1/0] quit
[AC_1-wlan-ap-group-ap-group1] radio 1
[AC_1-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC_1-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-ap-group1/1] quit
[AC_1-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC_1-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC_1-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Configure WLAN roaming on AC_1.


# Create a mobility group on AC_1, and add AC_1 and AC_2 to the mobility group.

[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.100.2
[AC_1-mc-mg-mobility] quit

Step 9 Configure WLAN roaming on AC_2.

# Create a mobility group on AC_2, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.100.2
[AC_2-mc-mg-mobility] quit

Step 10 Verify the configuration.

# The ACs automatically deliver WLAN service configuration to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command on AC_1 and AC_2
to check VAP information. If Status in the command output is displayed as ON, the VAPs
have been successfully created on AP radios.
[AC_1-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------------
Total: 2
[AC_2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------------
1      area_2   0     1    DCD2-FC04-B500  ON      WPA/WPA2-PSK  0    wlan-net
1      area_2   1     1    DCD2-FC04-B510  ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------------
Total: 2

# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.100.2 -
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.

[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L2 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
air-scan-profile name wlan-airscan
scan-period 60
scan-interval 60000
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return

4.9.4 Example for Configuring Inter-AC Layer 3 Roaming


Service Requirements
Enterprise users access the network through WLANs, which is the basic requirement of
mobile office. To manage departments separately, employees are assigned to different
subnets by department. In addition, users' services must not be affected when they roam
within the coverage area.

Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode:
  – AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
  – AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
• Service data forwarding mode: direct forwarding


Figure 4-53 Networking for configuring inter-AC Layer 3 roaming

Data Planning

Table 4-52 AC data planning

Item                       Data

DHCP server                AC_1 functions as a DHCP server to allocate IP addresses to STAs and APs
                           connected to it.
                           AC_2 functions as a DHCP server to allocate IP addresses to STAs and APs
                           connected to it.

IP address pool for the    10.23.100.2-10.23.100.254/24
APs                        10.23.200.2-10.23.200.254/24

IP address pool for the    10.23.101.2-10.23.101.254/24
STAs                       10.23.102.2-10.23.102.254/24

AC_1's source interface    VLANIF 100: 10.23.100.1/24
address

AC_2's source interface    VLANIF 200: 10.23.200.1/24
address

AP group                   • Name: ap-group1
                           • Referenced profile: VAP profile wlan-net1 and regulatory domain
                             profile default, 2G radio profile wlan-radio2g, and 5G radio profile
                             wlan-radio5g

                           • Name: ap-group2
                           • Referenced profile: VAP profile wlan-net2 and regulatory domain
                             profile default, 2G radio profile wlan-radio2g, and 5G radio profile
                             wlan-radio5g

Regulatory domain          • Name: default
profile                    • Country code: CN
                           • Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                             and 5 GHz radios

SSID profile               • Name: wlan-net
                           • SSID name: wlan-net

Security profile           • Name: wlan-net
                           • Security policy: WPA-WPA2+PSK+AES
                           • Password: a1234567

VAP profile                • Name: wlan-net1
                           • Forwarding mode: direct forwarding
                           • Service VLAN: VLAN 101
                           • Referenced profiles: SSID profile wlan-net and security profile wlan-net

                           • Name: wlan-net2
                           • Forwarding mode: direct forwarding
                           • Service VLAN: VLAN 102
                           • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile           • Name: wlan-airscan
                           • Probe channel set: calibration channels
                           • Air scan interval: 60000 ms
                           • Air scan period: 60 ms

2G radio profile           • Name: wlan-radio2g
                           • Referenced profiles: air scan profile wlan-airscan

5G radio profile           • Name: wlan-radio5g
                           • Referenced profiles: air scan profile wlan-airscan

Mobility group             • Name: mobility
                           • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.


• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit

# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


# On AC_1, add GE0/0/1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] dhcp enable
[AC_1] vlan batch 100 101 102
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC_1-GigabitEthernet0/0/1] quit

# On AC_2, add GE0/0/1 to VLAN 200 and VLAN 102.


<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] dhcp enable
[AC_2] vlan batch 200 101 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[AC_2-GigabitEthernet0/0/1] quit

Step 3 Configure network interworking of ACs.


# Add GE0/0/2 on AC_1 to VLAN 100.
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/2] quit

# On AC_1, configure a route to AC_2 with the next hop as 10.23.100.2.


[AC_1] ip route-static 10.23.200.0 24 10.23.100.2

# Add GE0/0/2 on AC_2 to VLAN 200.


[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC_2-GigabitEthernet0/0/2] quit

# On AC_2, configure a route to AC_1 with the next hop as 10.23.200.2.


[AC_2] ip route-static 10.23.100.0 24 10.23.200.2

Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] quit

# On AC_2, configure VLANIF 200 and VLANIF 102 to assign IP addresses to APs and
STAs, respectively.
[AC_2] dhcp enable
[AC_2] interface vlanif 200
[AC_2-Vlanif200] ip address 10.23.200.1 255.255.255.0
[AC_2-Vlanif200] dhcp select interface
[AC_2-Vlanif200] quit
[AC_2] interface vlanif 102
[AC_2-Vlanif102] ip address 10.23.102.1 255.255.255.0
[AC_2-Vlanif102] dhcp select interface
[AC_2-Vlanif102] quit

Step 5 Configure the AP to go online on AC_1.


# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net1
[AC_1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] quit

# Bind VAP profile wlan-net1 to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 7 Configure AP_2 to go online and basic WLAN services on AC_2.


Configure AP_2 to go online and basic WLAN services on AC_2 according to the
configuration of AC_1. For details, see the configuration file of AC_2. The following lists
configuration differences between AC_1 and AC_2.
• The source interface of AC_2 is VLANIF 200.
• The type of AP added on AC_2 is AP5030DN with MAC address dcd2-fc04-b500. The
  AP name is set to ap2.
• The service VLAN is set to VLAN 102 in the VAP profile on AC_2.

Step 8 Set channels and power for the AP radios.

# Enable automatic channel and power calibration functions of the radio.


[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio 0
[AC_1-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC_1-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-ap-group1/0] quit
[AC_1-wlan-ap-group-ap-group1] radio 1
[AC_1-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC_1-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-ap-group1/1] quit
[AC_1-wlan-ap-group-ap-group1] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC_1-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC_1-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00

Step 9 Configure radio calibration on AC_2.


Configure radio calibration on AC_2 according to the configuration of AC_1. For details, see
the configuration file of AC_2.
Step 10 Configure WLAN roaming on AC_1.
# Create a mobility group on AC_1, and add AC_1 and AC_2 to the mobility group.
[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.200.1
[AC_1-mc-mg-mobility] quit

Step 11 Configure WLAN roaming on AC_2.


# Create a mobility group on AC_2, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.200.1
[AC_2-mc-mg-mobility] quit

Step 12 Verify the configuration.


# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.200.1 -
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -57  101  10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L3 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 102 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102 200
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.23.200.2 255.255.255.0
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.200.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net1
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net1 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name ap1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 101 to 102 200
#
dhcp enable
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 102 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net2
service-vlan vlan-id 102
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group2
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net2 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net2 wlan 1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name ap2
ap-group ap-group2
#
return
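
Added example (not part of the Huawei document): a Python check for two mistakes this configuration is prone to, namely a mobility-group member address that is not an AC's CAPWAP source address (Table 4-52 and the display mobility-group output use 10.23.100.1 and 10.23.200.1) and, per the Configuration Notes, a tunnel-forwarding VAP whose service VLAN equals the management VLAN. parse_ac and audit are hypothetical helper names; the configuration text is excerpted from the AC_1 and AC_2 configuration files above, the two faulty variants are constructed, and a VAP profile without a forward-mode line is assumed to use direct forwarding.

```python
import re

# Excerpts from the AC_1 and AC_2 configuration files of this example.
AC_1 = """\
sysname AC_1
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
capwap source interface vlanif100
wlan
 vap-profile name wlan-net1
  forward-mode direct-forward
  service-vlan vlan-id 101
 mobility-group name mobility
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
"""
AC_2 = """\
sysname AC_2
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
capwap source interface vlanif200
wlan
 vap-profile name wlan-net2
  service-vlan vlan-id 102
 mobility-group name mobility
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
"""
# Constructed faulty variants: the Router's address listed as a member, and a
# tunnel-forwarding VAP that reuses management VLAN 100 as its service VLAN.
AC_1_BAD_MEMBER = AC_1.replace("member ip-address 10.23.200.1",
                               "member ip-address 10.23.100.2")
AC_1_BAD_TUNNEL = (AC_1.replace("forward-mode direct-forward", "forward-mode tunnel")
                       .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100"))


def parse_ac(text):
    """Extract the statements the audit needs from one AC configuration file."""
    ac = {"name": "?", "vlanif": {}, "source_vlan": None, "vaps": {}, "groups": {}}
    vlanif = vap = group = None  # section the parser is currently inside
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"sysname (\S+)", line):
            ac["name"] = m[1]
        elif m := re.fullmatch(r"interface (\S+)", line):
            v = re.fullmatch(r"vlanif(\d+)", m[1], re.I)
            vlanif = int(v[1]) if v else None
        elif (m := re.fullmatch(r"ip address (\S+) \S+", line)) and vlanif is not None:
            ac["vlanif"][vlanif] = m[1]
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            ac["source_vlan"] = int(m[1])
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            # No forward-mode line is treated as direct forwarding (assumption).
            vap = ac["vaps"].setdefault(m[1], {"mode": "direct-forward", "vlan": None})
            group = None
        elif (m := re.fullmatch(r"forward-mode (\S+)", line)) and vap is not None:
            vap["mode"] = m[1]
        elif (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)) and vap is not None:
            vap["vlan"] = int(m[1])
        elif m := re.fullmatch(r"mobility-group name (\S+)", line):
            group, vap = ac["groups"].setdefault(m[1], set()), None
        elif (m := re.fullmatch(r"member ip-address (\S+)", line)) and group is not None:
            group.add(m[1])
    return ac


def audit(config_texts):
    """Return findings for ACs that are all meant to share one mobility group."""
    acs = [parse_ac(text) for text in config_texts]
    sources = {ac["name"]: ac["vlanif"].get(ac["source_vlan"]) for ac in acs}
    findings = []
    for ac in acs:
        name = ac["name"]
        if sources[name] is None:
            findings.append(f"{name}: CAPWAP source interface has no IP address")
        for gname, members in sorted(ac["groups"].items()):
            for ip in sorted(members - set(sources.values())):
                findings.append(f"{name}: {gname} member {ip} is not an AC's CAPWAP source address")
            for peer, addr in sorted(sources.items()):
                if addr is not None and addr not in members:
                    findings.append(f"{name}: {gname} is missing {peer} ({addr})")
        for pname, vap in sorted(ac["vaps"].items()):
            if vap["mode"] == "tunnel" and vap["vlan"] == ac["source_vlan"]:
                findings.append(f"{name}: VAP {pname} tunnels service VLAN {vap['vlan']}, "
                                "which is also the management VLAN")
    return findings


if __name__ == "__main__":
    for label, configs in [("as documented", [AC_1, AC_2]),
                           ("bad member", [AC_1_BAD_MEMBER, AC_2]),
                           ("bad tunnel VLAN", [AC_1_BAD_TUNNEL, AC_2])]:
        print(label, audit(configs) or "no findings")
```

Run it against the saved configuration files of every AC in the group before enabling roaming; an empty result means the member lists and the CAPWAP source addresses agree.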

4.9.5 Example for Configuring Agile Distributed SFN Roaming


Service Requirements
A hospital wants to deploy an agile distributed WLAN to provide WLAN access to doctors
and nurses, meeting their basic office requirements. The administrator requires that STA
roaming within the coverage area be imperceptible to STAs and not interrupt services.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to the central AP and
    RUs.
  – SwitchA functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 4-54 Networking for configuring agile distributed SFN roaming

Data Planning

Table 4-53 AC data planning

Item                       Data

DHCP server                • The AC functions as a DHCP server to assign IP addresses to the central
                             AP and RUs.
                           • SwitchA functions as a DHCP server to assign IP addresses to STAs.

IP address pool for the    10.23.100.2-10.23.100.254/24
central AP and RUs

IP address pool for        10.23.101.3-10.23.101.254/24
STAs

AC's source interface      VLANIF 100: 10.23.100.1/24
address

AP group                   • Name: ap-group1
                           • Referenced profiles: VAP profile wlan-net and regulatory domain profile
                             default

Regulatory domain          • Name: default
profile                    • Country: China

SSID profile               • Name: wlan-net
                           • SSID name: wlan-net

Security profile           • Name: wlan-net
                           • Security policy: WPA-WPA2+PSK+AES
                           • Password: a1234567

VAP Profile                • Name: wlan-net
                           • Forwarding mode: direct forwarding
                           • Service VLAN: VLAN 101
                           • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Working channel of RUs     • ru_1: channel 6
                           • ru_2: channel 6

Agile distributed SFN      Enabled
roaming

Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
3. Configure the central AP and RUs to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure agile distributed SFN roaming.

Configuration Notes
• Network planning precautions:
  – Agile distributed SFN roaming is supported only by the AD9430DN-12 (including
    matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile
    distributed SFN roaming in the following combination modes:
    ▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D
      and R240D supports agile distributed SFN roaming; the 5 GHz radio does
      not support it.)
    ▪ Among the R250D, R250D-E, R251D, R251D-E and R450D
  – For the central AP, after agile distributed SFN roaming is enabled, the total number
    of agile distributed SFN roaming STAs on a single frequency band (2.4 GHz or 5
    GHz) of all RUs does not exceed 128, and that of STAs associated with other VAPs
    on the same band does not exceed 128.
  – After agile distributed SFN roaming is enabled, configure all RUs to work on the
    same channel. When agile distributed SFN roaming is enabled on the 5 GHz
    frequency band, configure non-radar channels.
  – RUs involved in roaming must be associated with the same central AP. Agile
    distributed SFN roaming between central APs is not supported.
  – Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed SFN
    roaming is not performed on Layer 3.
• Configuration precautions:
  – When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5 GHz
    radios, it is recommended that different SSIDs be used. Otherwise, the radio
    switchover may occur, affecting user experience.
  – Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
    multiple VAPs are configured on a radio, it is recommended that the total VAP rate
    limit on all VAPs with agile distributed SFN roaming disabled be set to 5 Mbit/s.
  – Radios enabled with agile distributed SFN roaming do not support channel
    scanning, channel calibration, or smart roaming.
  – Agile distributed SFN roaming can be configured based only on AP groups but not
    based on APs.
  – RUs involved in agile distributed SFN roaming need to have the following items
    configured the same:
    ▪ SSID
    ▪ VAP profile and VAP ID
    ▪ Security policy. Agile distributed SFN roaming supports these encryption
      modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X (EAP
      authentication), WPA2+802.1X (EAP authentication), WPA-WPA2+802.1X
      (EAP authentication), and Portal+PSK.

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to VLAN 100, and
add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/4] quit

# Configure an IP address for GE1/0/0 on Router.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.2 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to the central AP and RUs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchA, configure VLANIF 101 to assign IP addresses to STAs, and configure a
default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 4 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
--------------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
--------------------
0 68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor 0
2M:25S -
1 fcb6-9897-c520 ru_1 ap-group1 10.23.100.253 R240D nor 0
3M:5S -
2 fcb6-9897-ca40 ru_2 ap-group1 10.23.100.252 R240D nor 0
3M:14S -
----------------------------------------------------------------------------------
--------------------
Total: 3


Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the RU channel and power.


NOTE

The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.

# Disable the automatic channel and power calibration function for radio 0 of RUs, and
configure the channel and power for radio 0 of RUs.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] eirp 127
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit

Step 7 Enable agile distributed SFN roaming.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sfn-roam enable
Warning: This feature requires that radios work on the same channel. Enabling th
is feature will disable the channel calibration, channel scanning, and smart roa
ming functions on the AP and disconnect STAs connected to the VAP. Open, WEP, an
d WAPI encryption modes are not supported. The PSK + WPA2 mode is recommended. A
radio allows SFN to be enabled only for one VAP. Continue?[Y/N]:y
[AC-wlan-vap-prof-wlan-net] quit

Step 8 Configure parameters related to agile distributed SFN roaming.


# Retain the default settings for roaming decision parameters.
# Set radio parameters related to roaming based on the network planning result. The
configuration is not mentioned here.
Step 9 Verify the configuration.
# Run the display vap ssid wlan-net command. If Status in the command output is displayed
as ON, the VAPs have been successfully created on the RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 68A8-2845-62E0 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 68A8-2845-62E0 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of ru_1, connect a STA to the WLAN with the SSID wlan-net and
enter the password a1234567 to associate with the WLAN. Run the display station ssid
wlan-net command on the AC. The command output shows that the STA has associated with
ru_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1 ru_1 0/1 2.4G 11n 38/64 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# When the STA moves from the coverage area of ru_1 to that of ru_2, run the display
station ssid wlan-net command on the AC. The command output shows that the STA has
associated with ru_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------
------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
----------------------------------------------------------------------------------
------
e019-1dc7-1e08 2 ru_2 0/1 2.4G 11n 38/64 -68 101
10.23.101.254
----------------------------------------------------------------------------------
------
Total: 1 2.4G: 1 5G: 0

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to
check the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 ru_1 0
68a8-2845-62e0 2017/10/12 16:52:58 -51/-48 46/13
L2(s) 10.23.100.1 ru_2 1
68a8-2845-62e0 2016/10/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
return

- Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.101.2 255.255.255.0
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
sfn-roam enable
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 55 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 55 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
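
The constraints from the Configuration Notes and the sfn-roam warning (one SFN VAP per radio, no Open/WEP/WAPI policy, all RUs fixed on the same channel) can be checked against the AC configuration file before deployment. The Python check below is an added example, not Huawei code; the function names, the ru_names argument and the trimmed sample are assumptions made here, and a VAP with no security line is assumed to be open.

```python
# Constructed sample (added example): wlan view of the AC configuration file above, trimmed.
AC_WLAN_CONFIG = """\
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <ciphertext> aes
 vap-profile name wlan-net
  sfn-roam enable
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 52 ap-mac 68a8-2845-62fd
  ap-name central_AP
  ap-group ap-group1
 ap-id 1 type-id 55 ap-mac fcb6-9897-c520
  ap-name ru_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   calibrate auto-channel-select disable
 ap-id 2 type-id 55 ap-mac fcb6-9897-ca40
  ap-name ru_2
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   calibrate auto-channel-select disable
"""

UNSUPPORTED = {"open", "wep", "wapi"}  # modes the sfn-roam warning rules out

def parse_wlan(text):
    """Keyword-driven parse of the wlan view; works even if indentation was lost."""
    cfg = {"security": {}, "vaps": {}, "groups": {}, "aps": {}}
    ctx, radio = ("", None), None  # current object as (kind, key), and current radio ID
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("#", "wlan", "return"):
            continue
        if len(t) >= 3 and t[1] == "name":  # "<kind> name <x>" opens a profile or group
            ctx, radio = (t[0], t[2]), None
            if t[0] == "vap-profile":
                cfg["vaps"][t[2]] = {"sfn": False, "security": None}
            elif t[0] == "ap-group":
                cfg["groups"][t[2]] = {}
        elif t[0] == "ap-id":  # opens an AP entry (central AP or RU)
            ctx, radio = ("ap", int(t[1])), None
            cfg["aps"][ctx[1]] = {"name": None, "group": None, "radios": {}}
        elif t[0] == "radio" and ctx[0] in ("ap", "ap-group"):
            radio = int(t[1])
            if ctx[0] == "ap":
                cfg["aps"][ctx[1]]["radios"][radio] = {"channel": None, "auto": True}
            else:
                cfg["groups"][ctx[1]].setdefault(radio, [])
        elif ctx[0] == "security-profile" and t[0] == "security":
            cfg["security"][ctx[1]] = t[1]  # e.g. wpa2, wpa-wpa2, open
        elif ctx[0] == "vap-profile" and t == ["sfn-roam", "enable"]:
            cfg["vaps"][ctx[1]]["sfn"] = True
        elif ctx[0] == "vap-profile" and t[0] == "security-profile":
            cfg["vaps"][ctx[1]]["security"] = t[1]
        elif ctx[0] == "ap-group" and t[0] == "vap-profile" and radio is not None:
            cfg["groups"][ctx[1]][radio].append(t[1])
        elif ctx[0] == "ap" and t[0] in ("ap-name", "ap-group"):
            cfg["aps"][ctx[1]]["name" if t[0] == "ap-name" else "group"] = t[1]
        elif ctx[0] == "ap" and radio is not None and t[0] == "channel":
            cfg["aps"][ctx[1]]["radios"][radio]["channel"] = int(t[2])
        elif ctx[0] == "ap" and radio is not None and t[:3] == ["calibrate", "auto-channel-select", "disable"]:
            cfg["aps"][ctx[1]]["radios"][radio]["auto"] = False
    return cfg

def check_sfn(cfg, ru_names):
    """Return findings for each AP-group radio that carries an SFN-enabled VAP."""
    findings = []
    for group, radios in cfg["groups"].items():
        for rid, vaps in radios.items():
            sfn_vaps = [v for v in vaps if cfg["vaps"].get(v, {}).get("sfn")]
            if not sfn_vaps:
                continue
            if len(sfn_vaps) > 1:
                findings.append(f"{group} radio {rid}: SFN roaming on {len(sfn_vaps)} VAPs")
            for v in sfn_vaps:
                # Assumption: a VAP whose profile has no 'security' line is open.
                policy = cfg["security"].get(cfg["vaps"][v]["security"], "open")
                if policy in UNSUPPORTED:
                    findings.append(f"VAP {v}: policy '{policy}' unsupported with SFN roaming")
            channels = {}
            for ap in cfg["aps"].values():
                if ap["group"] != group or ap["name"] not in ru_names:
                    continue
                r = ap["radios"].get(rid)
                if r is None or r["auto"] or r["channel"] is None:
                    findings.append(f"{ap['name']} radio {rid}: channel not fixed manually")
                else:
                    channels[ap["name"]] = r["channel"]
            if len(set(channels.values())) > 1:
                findings.append(f"{group} radio {rid}: RUs on different channels {channels}")
    return findings

if __name__ == "__main__":
    print(check_sfn(parse_wlan(AC_WLAN_CONFIG), {"ru_1", "ru_2"}) or "no findings")
```

The central AP is left out of ru_names because it has no radio section of its own in the configuration file.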

4.10 Agile Distributed Networking Configuration Examples
4.10.1 Example for Configuring an Agile Distributed WLAN
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.


Networking Requirements
- AC networking mode: Layer 2 networking in inline mode
- DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  central APs, RUs, and STAs.
- Service data forwarding mode: tunnel forwarding

Figure 4-55 Networking for configuring an agile distributed WLAN

Data Planning

Table 4-54 AC data planning

Item: Data

DHCP server: The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs.

IP address pool for central APs and RUs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.2-10.23.101.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
- Name: ap-group1
- Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile:
- Name: default
- Country code: China

SSID profile:
- Name: wlan-net
- SSID name: wlan-net

Security profile:
- Name: wlan-net
- Security policy: WPA-WPA2+PSK+AES
- Password: a1234567

VAP profile:
- Name: wlan-net
- Forwarding mode: direct forwarding
- Service VLAN: VLAN 101
- Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.


# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
--------------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
--------------------
0 68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor 0
2M:25S -
1 fcb6-9897-c520 ru_1 ap-group1 10.23.100.253 R240D nor 0
3M:5S -
2 fcb6-9897-ca40 ru_2 ap-group1 10.23.100.252 R240D nor 0
3M:14S -
----------------------------------------------------------------------------------
--------------------
Total: 3

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the RU radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the RUs. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 FCB6-9897-C520 ON WPA/WPA2-PSK 0 wlan-net
1 ru_1 1 1 FCB6-9897-C530 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 FCB6-9897-CA40 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 1 1 FCB6-9897-CA50 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------
-------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
----------------------------------------------------------------------------------
-------
e019-1dc7-1e08 1 ru_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
----------------------------------------------------------------------------------
-------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
- Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return

4.11 High-Density Configuration Examples


4.11.1 Example for Configuring High-Density WLAN Services
Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
● Service data forwarding mode: direct forwarding


Figure 4-56 Networking diagram for configuring a high-density WLAN

Data Planning

Table 4-55 Data planning


Item                            Data

Management VLAN for APs         VLAN 10 and VLAN 100

Service VLAN for STAs           VLAN pool
                                ● Name: sta-pool
                                ● VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                The aggregation switch (SwitchB) functions as a DHCP server to
                                assign IP addresses to STAs.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, 2G radio profile default, and 5G radio
                                  profile wlan-radio5g

Regulatory domain profile       ● Name: default
                                ● Country code: China

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: a1234567

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLANs in the VLAN pool
                                ● Referenced profiles: SSID profile wlan-net, security profile
                                  wlan-net, and traffic profile wlan-traffic

RRM profile                     ● Name: wlan-rrm
                                ● Airtime fair scheduling: enable
                                ● Smart roaming: enable

2G radio profile                ● Name: wlan-radio2g
                                ● Referenced profile: RRM profile wlan-rrm

5G radio profile                ● Name: wlan-radio5g
                                ● Referenced profile: RRM profile wlan-rrm

Traffic profile                 ● Name: wlan-traffic

Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
   You are advised to adjust WLAN high-density parameters according to Table 4-56.

Table 4-56 Adjustment recommendations


Adjustment item: Configure 5G-prior access
Purpose: To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable
STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network.
Recommendation: Enable band steering. By default, band steering is enabled.

Adjustment item: Remove the limit on the number of access users
Purpose: To make an AP offer wireless services to more users.
Recommendation: Increase the maximum number of access users to 128 for an SSID profile.

Adjustment item: Reduce the user association aging time
Purpose: To prevent users who frequently disconnect from the wireless network.
Recommendation: Set the association aging time to 1 minute.

Adjustment item: User isolation
Purpose: To prevent mobile terminals from exchanging a large number of ARP packets.
Recommendation: Enable user isolation on the AC.

Adjustment item: Limit user rates
Purpose: To prevent advantaged STAs from occupying too many rate sources and deteriorating
service experience of disadvantaged STAs.
Recommendation: Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the
upstream rate according to actual situations. In this example, the upstream rate is set to
1000 kbit/s.

Adjustment item: Adjust AP channel and power
Purpose: To reduce interference between APs.
Recommendation:
● Channel: Prevent adjacent APs from working on overlapping channels. It is recommended
  that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment.
● Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the
  edge of the AP's coverage area.

Adjustment item: Configure smart roaming
Purpose: To prevent weak-signal STAs from degrading user experience.
Recommendation: Enable smart roaming and set the SNR threshold to 15 dB.

Adjustment item: Enable airtime fair scheduling
Purpose: To ensure that wireless channel resources can be equally allocated to users.
Recommendation: Enable airtime fair scheduling.

Adjustment item: Set the RTS-CTS threshold
Purpose: To prevent hidden STAs.
Recommendation: Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.

Adjustment item: Adjust the interval at which Beacon frames are sent
Purpose: To improve the overall data traffic of APs.
Recommendation: Set the interval for sending Beacon frames to 160 ms.

Adjustment item: Adjust the transmit rate of 2.4 GHz Beacon frames
Purpose: To reduce wireless resource occupation of Beacon frames and improve channel usage
efficiency.
Recommendation: Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s.

Adjustment item: Set the guard interval (GI) mode to short GI
Purpose: To reduce extra overhead and improve AP transmission efficiency.
Recommendation: Set the GI mode to short GI.

Adjustment item: Configure the basic rate set
Purpose: To improve the overall AP throughput.
Recommendation: Delete low rates from the basic rate set.

Adjustment item: Configure the multicast rate
Purpose: To improve air interface efficiency.
Recommendation: Use the default values. By default, the multicast transmit rate of wireless
packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.

Adjustment item: Configure the short preamble for a radio
Purpose: To improve the network synchronization performance.
Recommendation: Configure the short preamble. If some legacy NICs exist on the network,
disable the short preamble function.

Adjustment item: Adjust EDCA parameters
Purpose: To improve user experience.
Recommendation: Set the EDCA parameters of AC_BE packets as follows:
● AP:
  – ecwmin: 5
  – ecwmax: 6
  – aifsn: 3
● Client:
  – ecwmin: 7
  – ecwmax: 10
  – aifsn: 3

5. Deliver WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.


NOTE

This example uses the VLAN assignment algorithm hash (the default). If the default setting has not
been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit

2. Adjust SSID profile parameters.


# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, EDCA parameters for AC_BE packets of STAs, and the transmit rate
of 2.4 GHz Beacon frames to 11 Mbit/s.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] beacon-2g-rate 11
[AC-wlan-ssid-prof-wlan-net] quit

3. Create a traffic profile and adjust traffic profile parameters.

# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

4. Create an RRM profile, enable airtime fair scheduling and smart roaming, and set the
SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

5. Create a 2G radio profile and adjust 2G radio profile parameters.

Create 2G radio profile wlan-radio2g and set the parameters as follows:


– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function. By default, the short preamble function is
supported by a radio profile.
– Set the GI mode to short GI.
– Set the 802.11bg basic rate to 6 Mbit/s, 9 Mbit/s, 12 Mbit/s, 18 Mbit/s, 24 Mbit/s,
36 Mbit/s, 48 Mbit/s, and 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.

Create 5G radio profile wlan-radio5g and set the parameters as follows:


– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short GI.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

7. Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


WLAN service configuration is automatically delivered to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output displays as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When a large number of users connect to the network in the stadium, the users still have good
Internet experience.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
● Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
beacon-2g-rate 11
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.12 Example for Configuring Vehicle-Ground Communication

4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover
Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
● Backhaul radio: 5 GHz radio

Figure 4-57 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 4-57 AP information

AP                                  Type       MAC Address
Trackside AP (L1_001)               AP9132DN   0046-4b59-1d10
Trackside AP (L1_003)               AP9132DN   0046-4b59-1d20
Trackside AP (L1_010)               AP9132DN   0046-4b59-1d30
Trackside AP (L1_150)               AP9132DN   0046-4b59-1d40
Trackside AP (L1_160)               AP9132DN   0046-4b59-1d50
Trackside AP (L1_170)               AP9132DN   0046-4b59-1d60
......
Vehicle-mounted AP (in the front)   AP9132DN   0046-4b59-2e10
Vehicle-mounted AP (in the rear)    AP9132DN   0046-4b59-2e20
.......

Table 4-58 Data planning

Item                                                Data
Management VLAN                                     VLAN 100
Multicast service VLAN                              VLAN 101
Service VLAN for STAs                               VLAN 200
DHCP server                                         ● Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                    ● Configure Switch_A as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address                       VLANIF 100: 10.23.100.1/24
Gateway address                                     IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                   10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals       10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong              Name: mesh-mpp
IDs of trackside APs                                ● Trackside AP (L1_001): 1
                                                    ● Trackside AP (L1_003): 2
                                                    ● Trackside AP (L1_010): 3
                                                    ● Trackside AP (L1_150): 101
                                                    ● Trackside AP (L1_160): 102
                                                    ● Trackside AP (L1_170): 103
AP wired port profile                               ● Name: wired-port
Security profile                                    ● Name: sp01
                                                    ● Security policy: WPA2+PSK+AES
                                                    ● Password type: PASS-PHRASE
                                                    ● Authentication key: a1234567
AP system profile                                   ● Name: mesh-sys
                                                    ● Mesh role: Mesh-portal
Mesh profile                                        Trackside APs:
                                                    ● Name: mesh-net
                                                    ● Identifier: mesh-net
                                                    Vehicle-mounted APs:
                                                    ● Name: mesh-net
                                                    ● Identifier: mesh-net
Mesh handover profile                               Trackside APs:
                                                    ● Name: hand-over
                                                    Vehicle-mounted APs:
                                                    ● Name: hand-over
Mesh whitelist on trackside APs                     Name: whitelist01
                                                    Add MAC addresses of all vehicle-mounted APs on trains running on the rail
                                                    to the whitelist according to actual situations.
MAC address of the proxied ground device            ● Gateway: 707b-e8e9-d328
                                                    ● Network management device: 286e-d488-12cd
                                                    ● Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device   ● Vehicle-mounted terminal_1: 286e-d488-d359
                                                    ● Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                     225.1.1.1-225.1.1.3

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

● This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
● Switches and routers used in this example are all Huawei products.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
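
The port isolation note above can be checked against saved switch configurations. The following Python script is an added example, not part of the Huawei document: it parses interface stanzas, treats trunk ports whose PVID is the management VLAN (VLAN 100) as AP-facing, and reports those without port-isolate enable or with VLANs outside the planned set. The AP-facing heuristic, the planned VLAN set {100, 101}, and interfaces GE0/0/5 and GE0/0/6 in the sample are assumptions made for this example.

```python
import re

# Constructed input: GE0/0/1 and GE0/0/2 follow the Switch_B configuration
# file of this example; GE0/0/5 and GE0/0/6 are constructed for contrast.
SAMPLE_CONFIG = """\
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101 200
 port-isolate enable group 1
#
return
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '100 to 101 200' into a set of ints."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(config):
    """Return {interface name: [commands]} from '#'-separated stanzas."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def lint_ap_ports(config, mgmt_vlan=100, planned_vlans=frozenset({100, 101})):
    """Report AP-facing ports that lack port isolation or pass extra VLANs.

    Assumption: a trunk port whose PVID is the management VLAN faces an AP,
    as in step e of the procedure.
    """
    findings = []
    for name, cmds in parse_interfaces(config).items():
        pvid, allowed = None, set()
        for cmd in cmds:
            m = re.fullmatch(r"port trunk pvid vlan (\d+)", cmd)
            if m:
                pvid = int(m.group(1))
            m = re.fullmatch(r"port trunk allow-pass vlan (.+)", cmd)
            if m:
                allowed |= expand_vlans(m.group(1))
        if pvid != mgmt_vlan:
            continue  # uplink or non-AP port under the assumption above
        if not any(c.startswith("port-isolate enable") for c in cmds):
            findings.append((name, "no-port-isolation"))
        extra = sorted(allowed - planned_vlans)
        if extra:
            findings.append((name, "unplanned-vlans:" + ",".join(map(str, extra))))
    return findings


if __name__ == "__main__":
    for interface, issue in lint_ap_ports(SAMPLE_CONFIG):
        print(f"{interface}: {issue}")
```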

Procedure
● Configure ground network devices.

a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

f. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.
[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101


[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

g. Configure the AC to enable it to communicate with trackside APs at Layer 2.


# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

h. Configure the AP group, country code, and AC's source interface.


# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit

[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit

i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.

[AC-wlan-view] wired-port-profile name wired-port


[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

j. Configure Mesh parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit

k. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit
[AC] quit

● Configure vehicle-mounted network devices.


NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of
the train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
a. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/1
[AP-GigabitEthernet0/0/1] port link-type trunk
[AP-GigabitEthernet0/0/1] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/1] quit

b. Configure system parameters for the vehicle-mounted APs.


# Configure the AP country code.
[AP] wlan
[AP-wlan-view] country-code cn

c. Configure vehicle-ground fast link handover parameters.


# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit

NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit

d. Apply the Mesh parameters to radios of vehicle-mounted APs.


# Configure the radio and channel used by vehicle-mounted APs and apply the
Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y

[AP-Wlan-Radio0/0/1] mesh-profile mesh-net


[AP-Wlan-Radio0/0/1] quit

# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
[AP-wlan-view] quit

f. Enable IGMP snooping on the vehicle-mounted APs.


[AP] igmp-snooping enable
[AP] vlan 101
[AP-vlan101] igmp-snooping enable
[AP-vlan101] quit
[AP] quit

● Verify the configuration.


# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID         Dis  : coverage distance(100m)
Ch   : channel          Per  : drop percent(%)
TSNR : total SNR(dB)    P-   : peer
Mesh : Mesh mode        Re   : retry ratio(%)
RSSI : RSSI(dBm)        MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------------------------------
APName   P-APName   P-APMAC          Rf   Dis   Ch    Mesh     P-Status   RSSI   MaxR   Per   Re   TSNR   SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------------------------------
L1_001   AP         0046-4b59-2e10   1    3     157   portal   -          -51    -38    0     0    47     39/47/-/-
L1_003   AP         0046-4b59-2e10   1    3     157   portal   -          -59    -7     0     0    50     19/14/37/-
L1_010   AP         0046-4b59-2e10   1    3     157   portal   -          -45    -33    0     0    37     20/17/17/-
L1_150   AP         0046-4b59-2e10   1    3     157   portal   -          -54    -39    0     0    46     34/43/-/-
L1_160   AP         0046-4b59-2e10   1    3     157   portal   -          -52    -7     0     0    32     21/18/35/-
L1_170   AP         0046-4b59-2e10   1    3     157   portal   -          -42    -33    0     0    29     26/14/19/-
----------------------------------------------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID   Neighbor AP/MAC/Location-ID   RSSI   Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1       -/0046-4b59-2e10/-            -44    18:08:21
L1_003/0046-4b59-1d20/1/3       -/0046-4b59-2e10/-            -50    18:08:20
L1_010/0046-4b59-1d30/1/10      -/0046-4b59-2e10/-            -28    18:08:21
L1_150/0046-4b59-1d40/1/150     -/0046-4b59-2e10/-            -43    18:08:20
L1_160/0046-4b59-1d50/1/160     -/0046-4b59-2e10/-            -47    18:08:21
L1_170/0046-4b59-1d60/1/170     -/0046-4b59-2e10/-            -38    18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID

------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3

------------------------------------------------------------------------------

----End
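
The handover trace shown in the verification step can be checked mechanically against the planned inventory. The following Python script is an added example, not part of the Huawei document: it parses display mesh-handover-trace output and flags handovers that involve an AP MAC address absent from Table 4-57, a location ID that differs from the planned one, or a handover against the configured moving direction. Rows 6 to 8 of the sample are constructed, and the rule that forward movement means increasing location IDs is an assumption taken from the sample trace.

```python
import re

# Trackside inventory: MAC addresses from Table 4-57, location IDs from the
# display mesh-neighbor-rssi output of this example.
TRACKSIDE = {
    "0046-4b59-1d10": 1, "0046-4b59-1d20": 3, "0046-4b59-1d30": 10,
    "0046-4b59-1d40": 150, "0046-4b59-1d50": 160, "0046-4b59-1d60": 170,
}

# Rows 1-5 are the trace shown in this example; rows 6-8 are constructed.
SAMPLE_TRACE = """\
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
6 18:46:10 0046-4b59-1d20/-52/3 0046-4b59-1d10/-40/1
7 18:45:02 0046-4b59-1d10/-60/1 00aa-bbcc-ddee/-20/3
8 18:44:30 0046-4b59-1d10/-55/1 0046-4b59-1d20/-30/10
------------------------------------------------------------------------------
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
ROW = re.compile(
    rf"^\s*(\d+)\s+(\d{{2}}:\d{{2}}:\d{{2}})\s+"
    rf"({MAC})/(-?\d+)/(\d+)\s+({MAC})/(-?\d+)/(\d+)\s*$",
    re.IGNORECASE,
)


def parse_trace(text):
    """Return one dict per handover row; banner and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, ts, f_mac, f_rssi, f_loc, t_mac, t_rssi, t_loc = m.groups()
        rows.append({
            "index": int(idx),
            "time": ts,
            "from": (f_mac.lower(), int(f_rssi), int(f_loc)),
            "to": (t_mac.lower(), int(t_rssi), int(t_loc)),
        })
    return rows


def audit_trace(rows, inventory=TRACKSIDE, direction="forward"):
    """Return (index, kind, detail) findings for rows that break the plan."""
    findings = []
    for row in rows:
        for side in ("from", "to"):
            mac, _rssi, loc = row[side]
            if mac not in inventory:
                findings.append((row["index"], "unknown-ap", f"{side} {mac}"))
            elif inventory[mac] != loc:
                detail = f"{side} {mac} reports {loc}, planned {inventory[mac]}"
                findings.append((row["index"], "location-mismatch", detail))
        f_loc, t_loc = row["from"][2], row["to"][2]
        # Assumption: "forward" means location IDs increase along the track.
        ok = t_loc > f_loc if direction == "forward" else t_loc < f_loc
        if not ok:
            findings.append((row["index"], "wrong-direction", f"{f_loc} -> {t_loc}"))
    return findings


if __name__ == "__main__":
    for index, kind, detail in audit_trace(parse_trace(SAMPLE_TRACE)):
        print(f"row {index}: {kind} ({detail})")
```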

Configuration Files
● Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return

– Switch_A configuration file


#
sysname Switch_A
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable

#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100

port trunk allow-pass vlan 100 to 101


#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1

port link-type trunk


port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
• Vehicle-mounted network devices
– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
channel 40mhz-plus 157
#
return

4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications. If a
vehicle-mounted AP fails, the network fails and vehicle-ground communication is
affected. To prevent this problem, the customer requires two vehicle-mounted APs that
provide redundancy for each other. The VRRP function is recommended.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 4-58 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 4-59 AP planning

AP                                 Model      MAC Address
Trackside AP (L1_001)              AP8030DN   0046-4b59-1d10
Trackside AP (L1_003)              AP8030DN   0046-4b59-1d20
Trackside AP (L1_010)              AP8030DN   0046-4b59-1d30
Trackside AP (L1_150)              AP8030DN   0046-4b59-1d40
Trackside AP (L1_160)              AP8030DN   0046-4b59-1d50
Trackside AP (L1_170)              AP8030DN   0046-4b59-1d60
......
Vehicle-mounted AP (in the front)  AP9132DN   0046-4b59-2e10
Vehicle-mounted AP (in the rear)   AP9132DN   0046-4b59-2e20
......

Table 4-60 Data planning

Item                                                Data
Management VLAN                                     VLAN 100
VLAN for vehicle-mounted APs                        VLAN 200
DHCP server                                         • Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                    • Configure a vehicle-mounted AP as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address                       VLANIF 100: 10.23.100.1/24
Gateway address                                     VRRP IP address for vehicle-mounted APs: 10.23.161.1/24
IP address pool for trackside APs                   10.23.100.2 to 10.23.100.254/24
IP address pool for vehicle-mounted terminals       10.23.161.4 to 10.23.161.254/24
AP group to which trackside APs belong              Name: mesh-mpp
IDs of trackside APs                                • Trackside AP (L1_001): 1
                                                    • Trackside AP (L1_003): 2
                                                    • Trackside AP (L1_010): 3
                                                    • Trackside AP (L1_150): 101
                                                    • Trackside AP (L1_160): 102
                                                    • Trackside AP (L1_170): 103
AP wired port profile                               • Name: wired-port
Security profile                                    • Name: sp01
                                                    • Security policy: WPA2+PSK+AES
                                                    • Password type: PASS-PHRASE
                                                    • Authentication key: a1234567
AP system profile                                   • Name: mesh-sys
                                                    • Mesh role: Mesh-portal
Mesh profile                                        Radio 0 of trackside APs:
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
                                                    Radio 1 of trackside APs:
                                                    • Name: mesh-net2
                                                    • Identifier: mesh-net2
                                                    Vehicle-mounted AP (in the front):
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
                                                    Vehicle-mounted AP (in the rear):
                                                    • Name: mesh-net2
                                                    • Identifier: mesh-net2
Mesh handover profile                               Trackside APs:
                                                    • Name: hand-over
                                                    Vehicle-mounted APs:
                                                    • Name: hand-over
Mesh whitelist on trackside APs                     Name: whitelist01
                                                    Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the whitelist according to actual situations.
MAC address of the proxied ground device            • Gateway: 707b-e8e9-d328
MAC address of the proxied vehicle-mounted device   • Vehicle-mounted terminal_1: 286e-d488-d359
                                                    • Vehicle-mounted terminal_2: 286e-d488-d270
Virtual IP address of the management VRRP group     10.23.161.1
Virtual IP address of the service VRRP group        10.23.200.1

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure the vehicle-ground fast link handover function on trackside and vehicle-
mounted APs so that the vehicle-mounted APs can set up Mesh links with the trackside
APs.
3. Configure the vehicle-mounted network to enable intra-network data communication,
and configure VRRP and BFD between the vehicle-mounted APs.

NOTE

• This example uses Huawei AP8030DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• The switches and router used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.

• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
• Configure ground network devices.
a. Create VLAN 100 and VLAN 200 on Switch_A, and add GE0/0/1 and GE0/0/2 to
VLAN 100 and VLAN 200, and GE0/0/3 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

b. Configure an IP address for VLANIF 200 on Switch_A.


NOTE

Configure a route to Router based on the actual networking so that packets destined for the public
network are forwarded from the ground network to Router.

[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit

c. Configure the IP address 10.23.200.1 as the next-hop address of the route for
packets from Switch_A to be forwarded to vehicle-mounted terminals.
[Switch_A] ip route-static 10.23.161.0 24 10.23.200.1

d. Configure Switch_B and Switch_C to enable Layer 2 communication between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 200, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 200 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces on Switch_B connected to trackside APs according to
the configuration for GE0/0/1. Configure these interfaces to allow packets from
VLAN 100 and VLAN 200 to pass through, and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 200
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 200, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 200 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces on Switch_C connected to trackside APs according to
the configuration for GE0/0/1. Configure these interfaces to allow packets from
VLAN 100 and VLAN 200 to pass through, and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 200
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch_C-GigabitEthernet0/0/1] quit

e. Configure the AC to enable it to communicate with trackside APs at Layer 2.


# Create VLAN 100 and VLAN 200 on the AC and configure GE0/0/1 to allow
packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 200
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

f. Configure the AP group, country code, and AC's source interface.


# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and
antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit

g. Configure uplink wired interfaces on trackside APs to allow packets from VLAN
200 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 200 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 200
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

h. Configure Mesh parameters.

# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist-profile name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. Set the security policy to
WPA2+PSK+AES in the security profile.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal in
the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure Mesh profiles. Set the IDs of the Mesh networks to mesh-net and
mesh-net2, and bind the security profile and Mesh handover profile to the Mesh
profiles.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] mesh-profile name mesh-net2
[AC-wlan-mesh-prof-mesh-net2] mesh-id mesh-net2
[AC-wlan-mesh-prof-mesh-net2] security-profile sp01
[AC-wlan-mesh-prof-mesh-net2] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net2] quit

i. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs, and apply the Mesh
whitelist, Mesh profiles, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] radio 0
[AC-wlan-group-radio-mesh-mpp/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power,
and antenna gain configurations of the current radio in the AP
group and reboot the AP. Continue?[Y/N]:y
[AC-wlan-group-radio-mesh-mpp/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/0] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/0] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/0] quit
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net2
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit

j. Configure Switch_D.
# Configure Switch_D to communicate with other devices.
<HUAWEI> system-view
[HUAWEI] sysname Switch_D
[Switch_D] vlan batch 161
[Switch_D] interface gigabitethernet 0/0/1
[Switch_D-GigabitEthernet0/0/1] port link-type trunk
[Switch_D-GigabitEthernet0/0/1] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/1] quit
[Switch_D] interface gigabitethernet 0/0/2
[Switch_D-GigabitEthernet0/0/2] port link-type trunk
[Switch_D-GigabitEthernet0/0/2] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/2] quit
[Switch_D] interface gigabitethernet 0/0/3
[Switch_D-GigabitEthernet0/0/3] port link-type trunk
[Switch_D-GigabitEthernet0/0/3] port trunk pvid vlan 161
[Switch_D-GigabitEthernet0/0/3] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/3] quit
[Switch_D] interface gigabitethernet 0/0/4
[Switch_D-GigabitEthernet0/0/4] port link-type trunk
[Switch_D-GigabitEthernet0/0/4] port trunk pvid vlan 161
[Switch_D-GigabitEthernet0/0/4] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/4] quit

• Configure vehicle-mounted network devices.


NOTE
This example provides the detailed procedure for configuring the vehicle-mounted AP in the front of
the train. The procedure for configuring the vehicle-mounted AP in the rear is similar. The
configuration differences are described in the subsequent steps.
a. Configure system parameters for the vehicle-mounted AP.
# Configure the AP's country code.
<Huawei> system-view
[Huawei] sysname AP
[AP] wlan
[AP-wlan-view] country-code cn

b. Configure vehicle-ground fast link handover parameters.


# Configure the security profile sp01 used by Mesh links. Set the security policy to
WPA2+PSK+AES in the profile.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

NOTE

The preceding configurations are the same for the two vehicle-mounted APs except for the AP name.
Name the vehicle-mounted AP in the rear AP2. From this step on, the configurations of the two
vehicle-mounted APs differ.

# On the vehicle-mounted AP (in the front), configure the Mesh handover profile
hand-over, enable the location-based fast link handover algorithm, and set the
moving direction of the vehicle-mounted AP to forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit

# On the vehicle-mounted AP (in the rear), configure the Mesh handover profile
hand-over, enable the location-based fast link handover algorithm, and set the
moving direction of the vehicle-mounted AP to backward.
[AP2-wlan-view] mesh-handover-profile name hand-over
[AP2-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction backward
[AP2-wlan-mesh-handover-hand-over] quit

# On the vehicle-mounted AP (in the front), configure the Mesh profile. Set the ID
of the Mesh network to mesh-net, and bind the security profile and Mesh handover
profile to the Mesh profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit

# On the vehicle-mounted AP (in the rear), configure the Mesh profile. Set the ID of
the Mesh network to mesh-net2, and bind the security profile and Mesh handover
profile to the Mesh profile.
[AP2-wlan-view] mesh-profile name mesh-net2
[AP2-wlan-mesh-prof-mesh-net2] mesh-id mesh-net2
[AP2-wlan-mesh-prof-mesh-net2] security-profile sp01
[AP2-wlan-mesh-prof-mesh-net2] mesh-handover-profile hand-over
[AP2-wlan-mesh-prof-mesh-net2] quit
[AP2-wlan-view] quit

c. Apply the Mesh parameters to radios of the vehicle-mounted APs.


# Configure the radio and channel used by the vehicle-mounted AP (in the front),
and bind the Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] mesh-profile mesh-net
[AP-Wlan-Radio0/0/1] quit

# Configure the radio and channel used by the vehicle-mounted AP (in the rear) and
bind the Mesh profile.
[AP2] interface wlan-radio 0/0/1
[AP2-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP2-Wlan-Radio0/0/1] mesh-profile mesh-net2
[AP2-Wlan-Radio0/0/1] quit

d. Add proxied devices on the vehicle-mounted APs.


# Add proxied ground devices. Add MAC addresses of Switch_A on the vehicle-
mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 200

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 161
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 161
[AP-wlan-view] quit

# Configure the vehicle-mounted AP (in the rear) in the same way.


e. Configure VRRP and BFD on the vehicle-mounted AP in the front.

# Create VLANs and configure IP addresses for the VLANIF interfaces.


[AP] vlan batch 161 200
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 161 200
[AP-GigabitEthernet0/0/0] quit
[AP] dhcp enable
[AP] interface vlanif 161
[AP-Vlanif161] ip address 10.23.161.2 24
[AP-Vlanif161] dhcp select interface
[AP-Vlanif161] dhcp server excluded-ip-address 10.23.161.1 10.23.161.3
[AP-Vlanif161] quit
[AP] interface vlanif 200
[AP-Vlanif200] ip address 10.23.200.3 24
[AP-Vlanif200] quit

# Configure VRRP.
[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.1
[AP-Vlanif161] admin-vrrp vrid 1
[AP-Vlanif161] vrrp vrid 1 priority 120
[AP-Vlanif161] quit
[AP] interface Vlanif 200
[AP-Vlanif200] vrrp vrid 2 virtual-ip 10.23.200.1
[AP-Vlanif200] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP-Vlanif200] vrrp vrid 2 priority 120
[AP-Vlanif200] quit

# Configure BFD.
[AP] bfd
[AP-bfd] quit
[AP] bfd atob bind peer-ip 10.23.161.3 interface vlanif161
[AP-bfd-session-atob] discriminator local 1
[AP-bfd-session-atob] discriminator remote 2
[AP-bfd-session-atob] min-rx-interval 50
[AP-bfd-session-atob] min-tx-interval 50
[AP-bfd-session-atob] commit
[AP-bfd-session-atob] quit
[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 track bfd-session 1 reduced 50
[AP-Vlanif161] quit

# Configure an uplink route.


[AP] ip route-static 0.0.0.0 0 10.23.200.2

f. Configure VRRP and BFD on the vehicle-mounted AP in the rear.

# Create VLANs and configure IP addresses for the VLANIF interfaces.


[AP2] vlan batch 161 200
[AP2] interface gigabitethernet 0/0/0
[AP2-GigabitEthernet0/0/0] port link-type trunk
[AP2-GigabitEthernet0/0/0] port trunk allow-pass vlan 161 200
[AP2-GigabitEthernet0/0/0] quit
[AP2] interface vlanif 161
[AP2-Vlanif161] ip address 10.23.161.3 24
[AP2-Vlanif161] dhcp select interface
[AP2-Vlanif161] dhcp server excluded-ip-address 10.23.161.1 10.23.161.3
[AP2-Vlanif161] quit
[AP2] interface vlanif 200
[AP2-Vlanif200] ip address 10.23.200.4 24
[AP2-Vlanif200] quit

# Configure VRRP.
[AP2] interface Vlanif 161
[AP2-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.1
[AP2-Vlanif161] admin-vrrp vrid 1
[AP2-Vlanif161] vrrp vrid 1 priority 110
[AP2-Vlanif161] quit
[AP2] interface Vlanif 200
[AP2-Vlanif200] vrrp vrid 2 virtual-ip 10.23.200.1
[AP2-Vlanif200] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP2-Vlanif200] vrrp vrid 2 priority 110
[AP2-Vlanif200] quit

# Configure BFD.
[AP2] bfd
[AP2-bfd] quit
[AP2] bfd btoa bind peer-ip 10.23.161.2 interface vlanif161
[AP2-bfd-session-btoa] discriminator local 2
[AP2-bfd-session-btoa] discriminator remote 1
[AP2-bfd-session-btoa] min-rx-interval 50
[AP2-bfd-session-btoa] min-tx-interval 50
[AP2-bfd-session-btoa] commit
[AP2-bfd-session-btoa] quit

# Configure an uplink route.
[AP2] ip route-static 0.0.0.0 0 10.23.200.2

• Verify the configuration.


# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh links between trackside and
vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
Mesh : Mesh mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
--------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
--------------------------------------------------------------------------------------------------------
L1_001  AP        0046-4b59-2e10  0   3    149  portal  -         -51   -38   0    0   47    39/47/-/-
L1_001  AP2       0046-4b59-2e20  1   3    157  portal  -         -51   -38   0    0   47    39/47/-/-
L1_003  AP        0046-4b59-2e10  0   3    149  portal  -         -59   -7    0    0   50    19/14/37/-
L1_003  AP2       0046-4b59-2e20  1   3    157  portal  -         -59   -7    0    0   50    19/14/37/-
L1_010  AP        0046-4b59-2e10  0   3    149  portal  -         -45   -33   0    0   37    20/17/17/-
L1_010  AP2       0046-4b59-2e20  1   3    157  portal  -         -45   -33   0    0   37    20/17/17/-
L1_150  AP        0046-4b59-2e10  0   3    149  portal  -         -54   -39   0    0   46    34/43/-/-
L1_150  AP2       0046-4b59-2e20  1   3    157  portal  -         -54   -39   0    0   46    34/43/-/-
L1_160  AP        0046-4b59-2e10  0   3    149  portal  -         -52   -7    0    0   32    21/18/35/-
L1_160  AP2       0046-4b59-2e20  1   3    157  portal  -         -52   -7    0    0   32    21/18/35/-
L1_170  AP        0046-4b59-2e10  0   3    149  portal  -         -42   -33   0    0   29    26/14/19/-
L1_170  AP2       0046-4b59-2e20  1   3    157  portal  -         -42   -33   0    0   29    26/14/19/-
--------------------------------------------------------------------------------------------------------
Total: 12

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
about trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID    Neighbor AP/MAC/Location-ID    RSSI    Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/0/1        -/0046-4b59-2e10/-             -44     18:08:21
L1_001/0046-4b59-1d10/1/1        -/0046-4b59-2e20/-             -44     18:08:21
L1_003/0046-4b59-1d20/0/3        -/0046-4b59-2e10/-             -50     18:08:20
L1_003/0046-4b59-1d20/1/3        -/0046-4b59-2e20/-             -50     18:08:20
L1_010/0046-4b59-1d30/0/10       -/0046-4b59-2e10/-             -28     18:08:21
L1_010/0046-4b59-1d30/1/10       -/0046-4b59-2e20/-             -28     18:08:21
L1_150/0046-4b59-1d40/0/150      -/0046-4b59-2e10/-             -43     18:08:20
L1_150/0046-4b59-1d40/1/150      -/0046-4b59-2e20/-             -43     18:08:20
L1_160/0046-4b59-1d50/0/160      -/0046-4b59-2e10/-             -47     18:08:21
L1_160/0046-4b59-1d50/1/160      -/0046-4b59-2e20/-             -47     18:08:21
L1_170/0046-4b59-1d60/0/170      -/0046-4b59-2e10/-             -38     18:08:21
L1_170/0046-4b59-1d60/1/170      -/0046-4b59-2e20/-             -38     18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID

------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3

------------------------------------------------------------------------------

# Check information about BFD sessions.
<AP> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr      State  Type      InterfaceName
--------------------------------------------------------------------------------
1      2       10.23.161.3     Up     S_IP_IF   Vlanif161
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

----End

Configuration Files
• Ground network devices
– Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.161.0 255.255.255.0 10.23.200.1
#
return

– Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
return

– Switch_C configuration file


#
sysname Switch_C
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#
return
– Switch_D configuration file
#
sysname Switch_D
#
vlan batch 161
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 161
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 161
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 161
port trunk allow-pass vlan 161
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 161
port trunk allow-pass vlan 161
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
mesh-profile name mesh-net2
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net2
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 200
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 0
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
frequency 5g
channel 40mhz-plus 149
radio 1
mesh-profile mesh-net2
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return

• Vehicle-mounted network devices


– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
vlan batch 161 200
#
dhcp enable
#
interface Vlanif161
ip address 10.23.161.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.161.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 track bfd-session 1 reduced 50
dhcp select interface
dhcp server excluded-ip-address 10.23.161.1 10.23.161.3
#
interface Vlanif200
ip address 10.23.200.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.200.1
vrrp vrid 2 priority 120
vrrp vrid 2 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 161 200
#
bfd atob bind peer-ip 10.23.161.3 interface Vlanif161
discriminator local 1
discriminator remote 2
min-tx-interval 50
min-rx-interval 50
commit
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 200
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 161
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 161
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
channel 40mhz-plus 149
#
return
– Vehicle-mounted AP (in the rear) configuration file
#
sysname AP2
#
vlan batch 161 200
#
dhcp enable
#
interface Vlanif161
ip address 10.23.161.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.161.1
admin-vrrp vrid 1
vrrp vrid 1 priority 110
dhcp select interface
dhcp server excluded-ip-address 10.23.161.1 10.23.161.3
#
interface Vlanif200
ip address 10.23.200.4 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.200.1
vrrp vrid 2 priority 110
vrrp vrid 2 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 161 200
#
bfd btoa bind peer-ip 10.23.161.2 interface Vlanif161
discriminator local 2
discriminator remote 1
min-tx-interval 50
min-rx-interval 50
commit
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2


#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction backward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 200
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 161
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 161
mesh-profile name mesh-net2
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net2
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net2
channel 40mhz-plus 157
#
return
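
Cross-checking the handover trace against the AP inventory on the AC shows whether the vehicle-mounted AP ever attached to a mesh portal that the AC did not provision. The Python below is an added example, not part of the Huawei guide: the inventory and the first trace are copied from this example, the second trace and the MAC 00aa-bbcc-dd01 are constructed, and the rules it applies (index 1 is the newest row, Location-IDs change in one direction during a run) are assumptions drawn from the sample output.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

# ap-id lines copied from the AC configuration file of this example.
AC_INVENTORY = """\
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
"""

# Rows copied from the display mesh-handover-trace output of this example.
TRACE_FROM_GUIDE = """\
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
"""

# Constructed trace: 00aa-bbcc-dd01 is a made-up MAC that is not in the inventory.
TRACE_CONSTRUCTED = """\
1 18:53:40 00aa-bbcc-dd01/-95/165 0046-4b59-1d60/-20/170
2 18:52:27 0046-4b59-1d50/-60/160 00aa-bbcc-dd01/-12/165
3 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
"""

INVENTORY_RE = re.compile(r"^\s*ap-id \d+ .*?ap-mac (" + MAC + r")\b", re.M | re.I)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d\d:\d\d:\d\d)\s+"
    r"(" + MAC + r")/(-?\d+)/(\d+)\s+"
    r"(" + MAC + r")/(-?\d+)/(\d+)\s*$",
    re.I,
)


def parse_inventory(config_text):
    """Return the set of trackside AP MACs provisioned on the AC."""
    return {m.group(1).lower() for m in INVENTORY_RE.finditer(config_text)}


def parse_trace(output):
    """Return the trace rows oldest first; headers and separators are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, ts, f_mac, f_rssi, f_loc, t_mac, t_rssi, t_loc = m.groups()
        rows.append({
            "index": int(idx), "time": ts,
            "from_mac": f_mac.lower(), "from_rssi": int(f_rssi), "from_loc": int(f_loc),
            "to_mac": t_mac.lower(), "to_rssi": int(t_rssi), "to_loc": int(t_loc),
        })
    # Assumption from the sample output: index 1 is the most recent handover.
    rows.sort(key=lambda r: r["index"], reverse=True)
    return rows


def audit(rows, inventory):
    """Return (index, finding, mac) tuples for rows that need a closer look."""
    findings = []
    prev = None
    direction = 0  # +1 rising Location-ID, -1 falling, 0 not yet known
    for r in rows:
        for side in ("from", "to"):
            if r[side + "_mac"] not in inventory:
                findings.append((r["index"], "unknown-ap", r[side + "_mac"]))
        if r["to_rssi"] <= r["from_rssi"]:
            findings.append((r["index"], "weaker-target", r["to_mac"]))
        if prev is not None and r["from_mac"] != prev["to_mac"]:
            findings.append((r["index"], "chain-break", r["from_mac"]))
        step = (r["to_loc"] > r["from_loc"]) - (r["to_loc"] < r["from_loc"])
        if direction == 0:
            direction = step
        elif step != direction:
            findings.append((r["index"], "direction-change", r["to_mac"]))
        prev = r
    return findings


if __name__ == "__main__":
    inventory = parse_inventory(AC_INVENTORY)
    for name, trace in (("guide", TRACE_FROM_GUIDE), ("constructed", TRACE_CONSTRUCTED)):
        print(name, audit(parse_trace(trace), inventory))
```

An "unknown-ap" finding means the trace names a trackside MAC with no matching ap-id entry on the AC, which warrants checking for a misprovisioned or unauthorized mesh portal.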

4.13 Radio Resource Management Configuration Examples
4.13.1 Example for Configuring Dynamic Load Balancing
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 4-59, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 4-59 Networking for configuring dynamic load balancing

Data Planning

Table 4-61 AC data planning


Item               Data
RRM profile        • Name: wlan-net
                   • Start threshold for dynamic load balancing: 15
                   • Load difference threshold for dynamic load balancing: 25%
2G radio profile   • Name: wlan-radio2g
                   • Referenced profile: RRM profile wlan-net
5G radio profile   • Name: wlan-radio5g
                   • Referenced profile: RRM profile wlan-net

Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.


Configuration Notes
• Currently, the load balancing function is implemented in the STA access phase. In
scenarios with complex user service types and unstable traffic, the expected load
balancing effect cannot be achieved. In this case, you are not advised to enable load
balancing based on the channel usage.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
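
The management/service VLAN rule for tunnel forwarding can be checked offline against a saved AC configuration. The Python below is an added example, not Huawei's code: the sample configuration is constructed, and the forward-mode and service-vlan lines in VAP profiles, together with direct forwarding as the default when forward-mode is absent, are assumptions that this section's configuration files do not show.

```python
import re

# Constructed AC configuration fragment (not taken from the guide). It keeps
# the indentation of a saved configuration file, which the parser relies on.
SAMPLE_CONFIG = """\
#
sysname AC
#
vlan batch 100 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name wlan-guest
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-direct
  service-vlan vlan-id 100
#
return
"""


def management_vlan(config_text):
    """Management VLAN = the VLANIF used as the CAPWAP source interface."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)",
                  config_text, re.I | re.M)
    return int(m.group(1)) if m else None


def parse_vap_profiles(config_text):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles = {}
    current = None
    current_indent = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = re.match(r"vap-profile name (\S+)$", line)
        if m:
            # Assumption: forwarding is direct unless the profile says otherwise.
            current = profiles.setdefault(
                m.group(1), {"forward_mode": "direct", "service_vlan": None})
            current_indent = indent
            continue
        if current is not None and indent <= current_indent:
            current = None  # a line at the same or outer level ends the profile
        if current is None:
            continue
        if line.startswith("forward-mode "):
            current["forward_mode"] = line.split()[1]
        else:
            m = re.match(r"service-vlan vlan-id (\d+)$", line)
            if m:
                current["service_vlan"] = int(m.group(1))
    return profiles


def check_tunnel_vlans(config_text):
    """Return (profile, vlan) for tunnel-mode profiles that reuse the management VLAN."""
    mgmt = management_vlan(config_text)
    if mgmt is None:
        return []
    return [
        (name, p["service_vlan"])
        for name, p in parse_vap_profiles(config_text).items()
        if p["forward_mode"] == "tunnel" and p["service_vlan"] == mgmt
    ]


if __name__ == "__main__":
    print("management VLAN:", management_vlan(SAMPLE_CONFIG))
    for name, vlan in check_tunnel_vlans(SAMPLE_CONFIG):
        print(f"{name}: tunnel forwarding with service VLAN {vlan} equal to the management VLAN")
```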

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data
Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1
Check all profiles referenced by the AP group.      display ap-group name ap-group1     VAP profile: wlan-net
Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net   SSID profile: wlan-net

Step 2 Configure dynamic load balancing.

# Create the RRM profile wlan-net, enable dynamic load balancing in it, and set the start
threshold for dynamic load balancing to 15 and the load difference threshold to 25%.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic sta-number gap-threshold percentage 25
[AC-wlan-rrm-prof-wlan-net] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-net to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-net to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 3 Verify the configuration.

# Run the display rrm-profile name wlan-net command on the AC to check the dynamic
load balancing configuration.
[AC-wlan-view] display rrm-profile name wlan-net
----------------------------------------------------------------------------
...
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(percentage) : 25
...
----------------------------------------------------------------------------

# Run the display station load-balance sta-mac e019-1dc7-1e08 command on the AC to
check AP radios participating in dynamic load balancing.
[AC-wlan-view] display station load-balance sta-mac e019-1dc7-1e08
Station load balance status: balance
------------------------------------------------------------------------------
AP name Radio ID
------------------------------------------------------------------------------
area_1 1
area_1 0
area_2 1
area_2 0
------------------------------------------------------------------------------
Total: 2

# When a new STA requests to connect to AP area_1, the AC uses a dynamic load balancing
algorithm to redirect the STA to the AP area_2 with a light load according to the information
reported by APs.

----End


Configuration Files
• AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-net
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold percentage 25
radio-2g-profile name wlan-radio2g
rrm-profile wlan-net
radio-5g-profile name wlan-radio5g
rrm-profile wlan-net
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return

4.13.2 Example for Configuring Static Load Balancing


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 4-60, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 4-60 Networking for configuring static load balancing

Data Planning

Table 4-62 AC data planning


Item                          Data
Static load balancing group   • Name: wlan-static
                              • Start threshold for load balancing based on the number of users: 10
                              • Load difference threshold for load balancing based on the number of users: 5%

Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.

Configuration Notes
• Load balancing takes effect during the STA association stage. In scenarios with complex
user service types and unstable traffic, loads cannot be balanced as expected. In this case,
load balancing based on the channel utilization is not recommended.


• If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
• Each load balancing group supports a maximum of 16 AP radios.
• Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure static load balancing.
1. Create a static load balancing group, and add AP area_1 and AP area_2 to it.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2

2. Configure the static load balancing mode and related parameters.


# Configure static load balancing based on the number of users.
[AC-wlan-sta-lb-static-wlan-static] mode sta-number

# Set the start threshold for static load balancing based on the number of users to 10 and
load difference threshold to 5%.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 10
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold percentage 5
[AC-wlan-sta-lb-static-wlan-static] quit

Step 2 Verify the configuration.


• Run the display sta-load-balance static-group name wlan-static command on the AC
to check the static load balancing configuration.
[AC-wlan-view] display sta-load-balance static-group name wlan-static
------------------------------------------------------------
Group name : wlan-static
Load-balance status : balance
Load-balance mode : sta-number
Deny threshold : 3
Sta-number start threshold : 10
Sta-number gap threshold(percentage) : 5
Sta-number gap threshold(number) : -
Channel-utilization start threshold(%) : 50
Channel-utilization gap threshold(%) : 20
------------------------------------------------------------------------
RfID: Radio ID
CurEIRP: Current EIRP (dBm)
Act CH: Actual channel, Cfg CH: Config channel, CU: Channel utilization
-----------------------------------------------------------------------
AP ID AP Name RfID Act CH/Cfg CH CurEIRP/MaxEIRP Client CU
-----------------------------------------------------------------------
0 area_1 0 6/- 20/28 10 37%
0 area_1 1 153/- 29/29 20 45%
1 area_2 0 1/- 20/28 5 15%
1 area_2 1 149/- 29/29 5 5%
-----------------------------------------------------------------------
Total: 4

• When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP area_2 with a light load based on the configured
load balancing group.

----End

Configuration Files
• AC configuration file
#
sysname AC
#
wlan
sta-load-balance static-group name wlan-static
sta-number gap-threshold percentage 5
member ap-id 0 radio 0
member ap-id 0 radio 1
member ap-id 1 radio 0
member ap-id 1 radio 1
sta-number start-threshold 10
#
return

4.13.3 Example for Configuring Band Steering


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. To relieve pressure on the 2.4 GHz frequency band, enable STAs to connect to the 5
GHz frequency band.

Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.


Figure 4-61 Networking for configuring Band Steering

Data Planning

Table 4-63 AC data planning

Item               Data
VAP profile        • Name: wlan-net
                   • Band steering function: enabled
                   • Referenced profiles: SSID profile wlan-net and security profile wlan-net
RRM profile        • Name: wlan-rrm
                   • Start threshold for load balancing between radios: 15
                   • Load difference threshold for load balancing between radios: 25
2G radio profile   • Name: wlan-radio2g
                   • Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.


Configuration Notes
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.
• To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data
Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1
Check all profiles referenced by the AP group.      display ap-group name ap-group1     VAP profile: wlan-net
Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net   SSID profile: wlan-net

Step 2 Configure the band steering function.


# Enable the band steering function in the VAP profile wlan-net. By default, the band steering
function is enabled.
NOTE

When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.


<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
[AC-wlan-vap-prof-wlan-net] quit

# Create the RRM profile wlan-rrm and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile radio2g and bind the RRM profile wlan-rrm to the 2G radio
profile.
NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-radio2g] quit

# Bind the 2G radio profile radio2g to the AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 3 Verify the configuration.


# Run the display vap-profile name wlan-net command on the AC. The command output
shows that the band steering function is enabled in the VAP profile.
[AC-wlan-view] display vap-profile name wlan-net
--------------------------------------------------------------------------------
...
Band steer : enable
...
--------------------------------------------------------------------------------

# Run the display rrm-profile name wlan-rrm command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Band balance start threshold : 15
Band balance gap threshold(%) : 25
...
------------------------------------------------------------

# In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.

----End

Configuration Files
• AC configuration file
#
sysname AC


#
wlan
vap-profile name wlan-net
rrm-profile name wlan-rrm
band-steer balance gap-threshold 25
band-steer balance start-threshold 15
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return

4.13.4 Example for Configuring Smart Roaming


Networking Requirements
To ensure optimal user experience, a stadium requires that users associate with the nearest
APs when moving on the stadium stand. Furthermore, users' services are not affected during
roaming in the coverage area.

Figure 4-62 Networking for configuring smart roaming


Data Planning

Table 4-64 AC data planning

Item               Data
RRM profile        • Name: wlan-rrm
                   • Smart roaming threshold type: SNR-based
                   • SNR threshold for smart roaming: 15
2G radio profile   • Name: wlan-radio2g
                   • Referenced profile: RRM profile wlan-rrm
5G radio profile   • Name: wlan-radio5g
                   • Referenced profile: RRM profile wlan-rrm

Configuration Roadmap
Configure smart roaming and adjust smart roaming parameters to steer STAs (especially
sticky STAs) to reconnect or roam to APs with strong signals.

NOTE

Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
STAs fail to roam to neighbor APs with better signals. They are called sticky STAs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                              Data
Check the AP group to which an AP belongs.          display ap all                       AP group: ap-group1
Check all profiles referenced by the AP group.      display ap-group name ap-group1      VAP profile: wlan-net
Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net    SSID profile: wlan-net

Step 2 Configure smart roaming.


# Create the RRM profile wlan-rrm, enable smart roaming in the profile, set the roaming
trigger mode to SNR-based, and set the roaming threshold to 15 dB.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 3 Verify the configuration.


# Run the display rrm-profile name wlan-rrm command on the AC to check the smart
roaming configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Smart-roam : enable
Smart-roam quick kickoff : enable
Smart-roam check SNR : enable
Smart-roam quick kickoff check SNR : enable
Smart-roam check rate : disable
Smart-roam quick kickoff check rate : disable
Smart-roam standing SNR threshold(dB) : 15
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(min) : 120
Smart-roam quick-kickoff SNR check interval(ms) : 500
Smart-roam quick-kickoff SNR P-N observe time : 6
Smart-roam quick-kickoff SNR P-N qualify time : 4
Smart-roam advanced scan : enable
Smart-roam quick-kickoff back off time : 60
...
------------------------------------------------------------

# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.

----End

Configuration Files
• AC configuration file
#
 sysname AC
#
wlan
 rrm-profile name wlan-rrm
  smart-roam roam-threshold check-snr
  smart-roam roam-threshold snr 15
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
#
return

4.14 Spectrum Analysis Configuration Examples


4.14.1 Example for Configuring Spectrum Analysis

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.

Networking Requirements

Figure 4-63 Networking for configuring spectrum analysis

Data Planning

Table 4-65 AC data planning


Item                Data
AP group            • Name: ap-group1
                    • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                      default, 2G radio profile wlan-radio2g, 5G radio profile wlan-radio5g,
                      and AP system profile wlan-spectrum
Air scan profile    • Name: wlan-airscan
                    • Air scan interval: 8000 ms
                    • Air scan duration: 100 ms
2G radio profile    • Name: wlan-radio2g
                    • Referenced profiles: air scan profile wlan-airscan
5G radio profile    • Name: wlan-radio5g
                    • Referenced profiles: air scan profile wlan-airscan
AP system profile   • Name: wlan-spectrum
                    • IP address of the spectrum server: 10.137.43.4
                    • Port number of the spectrum server: 55555
                    • Port number used by the AC to receive spectrum information
                      (encapsulated in UDP packets) from APs when the AC is used to send
                      data to the spectrum server: 5001
                    • Aging time of non-Wi-Fi devices on an AC during spectrum analysis: 5
                      minutes

Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.

Configuration Notes
• If air scan related functions, such as WIDS, spectrum analysis, and terminal location, are
enabled for a radio in normal mode, the radio both transmits common WLAN service
data and performs monitoring, which may affect transmission of common WLAN
service data.
• In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
the scanning interval be set to no more than 10 seconds and the scanning duration to 100
ms.
• The channels to be scanned for spectrum analysis are fixed as all channels supported by
the corresponding country code of an AP and are irrelevant to the configuration in an air
scan profile.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                              Data
Check the AP group to which an AP belongs.          display ap all                       AP group: ap-group1
Check all profiles referenced by the AP group.      display ap-group name ap-group1      VAP profile: wlan-net
Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net    SSID profile: wlan-net

Step 2 Configure spectrum analysis.


# Create AP system profile wlan-spectrum, and configure the spectrum server information
and aging time of non-Wi-Fi device information on the AC during spectrum analysis.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] ap-system-profile name wlan-spectrum
[AC-wlan-ap-system-prof-wlan-spectrum] spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
[AC-wlan-ap-system-prof-wlan-spectrum] spectrum-analysis non-wifi-device aging-time 5
[AC-wlan-ap-system-prof-wlan-spectrum] quit

# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 100
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 8000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind the AP system profile wlan-spectrum to the AP group ap-group1 and enable
spectrum analysis in the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-spectrum
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Enable the function of reporting spectrum analysis data on AP radios. The spectrum server
performs spectrum analysis and draws spectrum graphs based on the data reported by the APs.
The spectrum-report command becomes invalid after a restart, and needs to be configured
again.
[AC-wlan-view] spectrum-report ap-name area_1 radio 0
[AC-wlan-view] spectrum-report ap-name area_1 radio 1

Step 3 Verify the configuration.

# Run the display ap-system-profile name wlan-spectrum command on the AC to check the
spectrum analysis configuration.
[AC-wlan-view] display ap-system-profile name wlan-spectrum
------------------------------------------------------------------------------
...
AP report to : AC
Server IP : 10.137.43.4
Server port : 55555
AC port : 5001
Device aging-time(minute) : 5
...
------------------------------------------------------------------------------

# Run the display spectrum-analysis server-reporter command on the AC to check the APs
that report spectrum packets to the spectrum server.
[AC-wlan-view] display spectrum-analysis server-reporter
------------------------------------------------------------
ID AP name Radio ID
------------------------------------------------------------
1 area_1 0
1 area_1 1
------------------------------------------------------------
Total: 2

# Run the display wlan non-wifi-device all command on the AC to check the detected non-
Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : area_1
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2017-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Total: 1

# View the AP spectrum on the web platform to learn about AP channel interference at
deployment sites.
1. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.

2. Select an AP and click Start.


3. In the AP radio list, click View Drawing in the Operation column. The related spectrum
charts are displayed. A maximum of four spectrum charts can be displayed.

4. Select your desired spectrum chart from the drop-down list box in the upper left corner.
You can select Lower or Upper on the spectrum charts of a 5G radio to view spectrum
charts of different frequencies.
5. The Real-Time FFT chart shows that the signal strength of interference is mostly within
the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click Modify, set
the signal strength scope at both ends of the color bar, and click Apply. The Swept
Spectrogram chart shows that channel 149 has the most severe interference.

6. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.

----End
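
The following Python script is an added example, not part of the original Huawei document. It parses the display wlan non-wifi-device all output shown in Step 3 and maps the reported center frequency and bandwidth to the 20 MHz Wi-Fi channels that the device overlaps, which matches the Swept Spectrogram result for channel 149. The channel plan, the function names, and the handling of dashed lines as record separators are assumptions made for this example.

```python
"""Map non-Wi-Fi devices reported by the AC to the Wi-Fi channels they overlap."""

# Record copied from the "display wlan non-wifi-device all" output in Step 3.
SAMPLE_OUTPUT = """\
----------------------------------------------------------------
Detect AP name                          : area_1
Detect AP radio ID                      : 1
Detect AP channel                       : 36
Non-Wi-Fi device type                   : 9
Non-Wi-Fi device name                   : Unknown fix freq device
Non-Wi-Fi device frequency type         : Narrow bandwidth
Non-Wi-Fi device channel                : 149,150
Non-Wi-Fi device RSSI                   : -62,-66
Non-Wi-Fi device detect time last       : 2017-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz)  : 5749
Non-Wi-Fi device bandwidth(KHz)         : 70
Non-Wi-Fi device duty(%)                : 100
Non-Wi-Fi device interfere level        : 3
----------------------------------------------------------------
Total: 1
"""

# Assumed 20 MHz channel plan for the site (not taken from the document).
CHANNEL_PLAN = (1, 6, 11, 36, 40, 44, 48, 149, 153, 157, 161, 165)


def channel_center_mhz(channel):
    """Center frequency of a 2.4 GHz or 5 GHz Wi-Fi channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel: {channel}")


def parse_non_wifi_devices(text):
    """Return (records, total); each record is a dict of the 'key : value' lines."""
    records, current, total = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines do not end a record
        if set(line) == {"-"}:            # dashed line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # values may contain ':' (time)
        if not sep:
            continue                      # prompt or other non-field line
        key, value = key.strip(), value.strip()
        if key == "Total":
            total = int(value)
        elif key == "Detect AP name" and current:
            records.append(current)       # new record without a separator line
            current = {key: value}
        else:
            current[key] = value
    if current:
        records.append(current)
    return records, total


def overlapped_channels(center_mhz, bandwidth_mhz, plan=CHANNEL_PLAN, width_mhz=20.0):
    """Channels in `plan` whose 20 MHz span intersects the interferer's span."""
    low, high = center_mhz - bandwidth_mhz / 2, center_mhz + bandwidth_mhz / 2
    hit = []
    for channel in plan:
        center = channel_center_mhz(channel)
        if low < center + width_mhz / 2 and high > center - width_mhz / 2:
            hit.append(channel)
    return hit


def describe(record, plan=CHANNEL_PLAN):
    """Summarize one record: who saw it, per-channel RSSI, overlapped channels."""
    channels = [int(c) for c in record["Non-Wi-Fi device channel"].split(",")]
    rssi = [int(r) for r in record["Non-Wi-Fi device RSSI"].split(",")]
    if len(channels) != len(rssi):
        raise ValueError("channel and RSSI lists differ in length")
    center = float(record["Non-Wi-Fi device center frequency(MHz)"])
    bandwidth = float(record["Non-Wi-Fi device bandwidth(KHz)"]) / 1000.0
    return {
        "name": record["Non-Wi-Fi device name"],
        "detected_by": (record["Detect AP name"], int(record["Detect AP radio ID"])),
        "reported": dict(zip(channels, rssi)),
        "strongest_rssi": max(rssi),
        "overlapped": overlapped_channels(center, bandwidth, plan),
    }


if __name__ == "__main__":
    devices, reported_total = parse_non_wifi_devices(SAMPLE_OUTPUT)
    for device in devices:
        print(describe(device))
    print("records parsed:", len(devices), "AC total:", reported_total)
```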

Configuration Files
• AC configuration file
#
 sysname AC
#
wlan
 air-scan-profile name wlan-airscan
  scan-period 100
  scan-interval 8000
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-system-profile name wlan-spectrum
  spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
  spectrum-analysis non-wifi-device aging-time 5
 ap-group name ap-group1
  ap-system-profile wlan-spectrum
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
   spectrum-analysis enable
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
   spectrum-analysis enable
#
return

4.15 WLAN Security Configuration Examples


4.15.1 Example for Configuring Rogue Device Detection and Containment
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with the SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing a serious threat
to the enterprise network. To prevent such attacks, configure the detection and containment
function for authorized APs. The AC can then detect rogue AP area_2 (which is neither
managed by the AC nor in the authorized AP list) and prevent STAs from associating with
it.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-64 Networking for configuring rogue device detection and containment

Data Planning

Table 4-66 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, and WIDS profile wlan-wids
                                • Working mode of the AP radio: normal
                                • Rogue device detection and containment: enabled
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile
                                  wlan-net
WIDS profile                    • Name: wlan-wids
                                • Rogue device containment mode: containment against rogue APs using
                                  spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure rogue device detection and containment.


# Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] work-mode normal
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable
[AC-wlan-group-radio-ap-group1/0] quit

# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
[AC-wlan-group-radio-ap-group1/1] wids contain enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit

# Bind WIDS profile wlan-wids to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


Run the display wlan ids contain ap command. The command output shows information
about the contained AP2.
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 wpa-wpa2 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1

STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22

Pinging 10.23.101.22 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
Reply from 10.23.101.22: bytes=32 time=46ms TTL=255

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return


• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

4.15.2 Example for Configuring Attack Detection


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To ensure network stability and security, network administrators can configure attack
detection and a dynamic blacklist to prevent flood attacks and brute force PSK cracking.
Detected attack devices are added to the dynamic blacklist, and packets from them are
discarded, preventing attacks.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-65 Networking for configuring attack detection

Data Planning

Table 4-67 AC data planning


Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, WIDS profile wlan-wids, and AP system profile wlan-system
                                • Attack detection type of the AP radio: brute force PSK cracking attack
                                  detection for WPA2-PSK authentication and flood attack detection
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
WIDS profile                    • Name: wlan-wids
                                • Interval for brute force PSK cracking attack detection: 70s
                                • Quiet time for brute force PSK cracking attack detection: 700s
                                • Maximum number of key negotiation failures allowed within a brute
                                  force PSK cracking attack detection period: 25
                                • Flood attack detection interval: 70s
                                • Quiet time for flood attack detection: 700s
                                • Flood attack detection threshold: 350
                                • Dynamic blacklist: enabled
AP system profile               • Name: wlan-system
                                • Aging time of a dynamic blacklist: 200s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.


3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure attack detection.

# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and flood
attack detection.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create the WIDS profile wlan-wids.


[AC-wlan-view] wids-profile name wlan-wids

# For brute force PSK cracking attack detection in WPA2-PSK authentication, set the detection
interval to 70 seconds, the maximum number of key negotiation failures allowed within the
detection period to 25, and the quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700

# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to
350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700

Step 8 Configure the dynamic blacklist function.

# Enable the dynamic blacklist function.


[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC-wlan-wids-prof-wlan-wids] quit

# Create AP system profile wlan-system, and set the aging time of the dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit

Step 9 Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.

After the configurations are complete, run the display wlan ids attack-detected all command
to view detected attack devices.
[AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detcted attack type
CH: Channel number
act: Action frame                    asr: Association request
aur: Authentication request          daf: Deauthentication frame
dar: Disassociation request          wiv: Weak IV detected
pbr: Probe request                   rar: Reassociation request
eaps: EAPOL start frame              eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT   CH   RSSI(dBm)  Last detected time   #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr  165  -87        2014-11-20/15:51:13  1
0024-2376-03e9  pbr  165  -84        2014-11-20/15:51:13  1
0046-4b74-691f  act  165  -67        2014-11-20/15:51:13  1
-------------------------------------------------------------------------------
Total: 3, printed: 3

The display wlan dynamic-blacklist command displays information about attack devices in
the dynamic blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame                    asr: Association request
aur: Authentication request          daf: Deauthentication frame
dar: Disassociation request          eapl: EAPOL logoff frame
pbr: Probe request                   rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address     Last detected time   Reason  #AP  LAT
-------------------------------------------------------------------------------
000b-c002-9c81  2014-11-20/16:15:53  pbr     1    100
0024-2376-03e9  2014-11-20/16:15:53  pbr     1    100
0046-4b74-691f  2014-11-20/16:15:53  act     1    100
-------------------------------------------------------------------------------
Total: 3, printed: 3

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
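
The check below is an added example, not part of the Huawei document or any Huawei tool. It compares the wlan section of a saved AC configuration with the WIDS data plan in Table 4-67 and reports every planned line that is missing: a profile that was created but never bound to the AP group, a detection type not enabled on a radio, or a dynamic blacklist that was never enabled. The PLAN layout, the function names and both sample configurations are constructed for illustration, and one space of indentation per nesting level is assumed for the saved file.

```python
# Added example (not Huawei code): audit the wlan section of a saved AC
# configuration against the WIDS data plan of Table 4-67.
# Values come from the page's data plan; the dictionary layout is hypothetical.
PLAN = {
    "ap_group": "ap-group1",
    "wids_profile": "wlan-wids",
    "ap_system_profile": "wlan-system",
    "radios": ("0", "1"),
    "radio_detection": ("flood", "wpa2-psk"),
    "wids_lines": (
        "brute-force-detect interval 70",
        "brute-force-detect threshold 25",
        "brute-force-detect quiet-time 700",
        "flood-detect interval 70",
        "flood-detect threshold 350",
        "flood-detect quiet-time 700",
        "dynamic-blacklist enable",
    ),
    "system_lines": ("dynamic-blacklist aging-time 200",),
}

# Constructed input: wlan section with one space of indentation per nesting
# level (assumed layout of the saved file).
GOOD_CONFIG = """\
wlan
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
#
return
"""

# Constructed input with three planted gaps: dynamic blacklist not enabled,
# WIDS profile not bound to the AP group, radio 1 without PSK detection.
BAD_CONFIG = GOOD_CONFIG.replace("  dynamic-blacklist enable\n", "")
BAD_CONFIG = BAD_CONFIG.replace("  wids-profile wlan-wids\n", "")
# rsplit(..., 1) cuts at the last occurrence only, the one under radio 1.
BAD_CONFIG = "".join(BAD_CONFIG.rsplit("   wids attack detect enable wpa2-psk\n", 1))


def parse_tree(text):
    """Parse an indented configuration into nested dicts: line -> children."""
    root = {}
    stack = [(-1, root)]          # (indent of the node, its children dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:     # climb back to this line's parent
            stack.pop()
        children = stack[-1][1].setdefault(line, {})
        stack.append((indent, children))
    return root


def audit(text, plan=PLAN):
    """Return the planned lines missing from the config; [] means it matches."""
    wlan = parse_tree(text).get("wlan")
    if wlan is None:
        return ["no wlan section found"]
    findings = []

    def require(view, name, lines):
        if view is None:
            findings.append(f"{name}: not defined")
            return
        findings.extend(f"{name}: missing '{ln}'" for ln in lines if ln not in view)

    wids, system = plan["wids_profile"], plan["ap_system_profile"]
    require(wlan.get(f"wids-profile name {wids}"),
            f"wids-profile {wids}", plan["wids_lines"])
    require(wlan.get(f"ap-system-profile name {system}"),
            f"ap-system-profile {system}", plan["system_lines"])
    group_name = f"ap-group {plan['ap_group']}"
    group = wlan.get(f"ap-group name {plan['ap_group']}")
    require(group, group_name,
            (f"wids-profile {wids}", f"ap-system-profile {system}"))
    for radio in plan["radios"] if group is not None else ():
        require(group.get(f"radio {radio}"), f"{group_name} radio {radio}",
                [f"wids attack detect enable {t}" for t in plan["radio_detection"]])
    return findings
```

Calling audit(BAD_CONFIG) returns one finding per planted gap. A configuration file whose indentation was lost (for example when copied out of a PDF) is reported as having none of the profiles defined, so feed it the file as saved on the device.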

4.15.3 Example for Configuring the STA Blacklist and Whitelist


Service Requirements
An enterprise needs to provide WLAN services for management personnel so that they can
connect to the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
Because the enterprise has only a small number of management personnel, the MAC addresses of
their STAs can be added to a STA whitelist. In this manner, STAs of other employees cannot
connect to the WLAN.
In addition, network administrators have detected unauthorized access by some STAs and
need to deny these STAs access. The administrators can add the MAC addresses of these STAs to
the blacklist, while other authorized STAs can still connect to the WLAN.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-66 Networking for configuring the STA blacklist and whitelist

Data Planning

Table 4-68 AC data planning


Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, and AP system profile wlan-system
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net, security profile wlan-net,
                                  and STA whitelist profile sta-whitelist
STA whitelist profile           • Name: sta-whitelist
                                • STAs added to the STA whitelist: STA1 (0011-2233-4455) and STA2
                                  (0011-2233-4466)
STA blacklist profile           • Name: sta-blacklist
                                • STAs added to the STA blacklist: STA3 (0011-2233-4477) and STA4
                                  (0011-2233-4488)
AP system profile               • Name: wlan-system
                                • Referenced profile: STA blacklist profile sta-blacklist

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default

Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure a STA whitelist in a VAP profile.


# Create STA whitelist profile sta-whitelist and add MAC addresses of STA1 and STA2 to
the whitelist.
[AC-wlan-view] sta-whitelist-profile name sta-whitelist
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4455
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4466
[AC-wlan-whitelist-prof-sta-whitelist] quit

# Create the VAP profile wlan-net and bind the STA whitelist profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-net] quit

Step 8 Configure a global STA blacklist.


# Create STA blacklist profile sta-blacklist and add MAC addresses of STA3 and STA4 to the
blacklist.

[AC-wlan-view] sta-blacklist-profile name sta-blacklist
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4477
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4488
[AC-wlan-blacklist-prof-sta-blacklist] quit

# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit

# Bind AP system profile wlan-system to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 9 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3

port link-type trunk
port trunk allow-pass vlan 101
#
return
- Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
sta-blacklist-profile name sta-blacklist
sta-mac 0011-2233-4477
sta-mac 0011-2233-4488
sta-whitelist-profile name sta-whitelist
sta-mac 0011-2233-4455
sta-mac 0011-2233-4466
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
sta-access-mode whitelist sta-whitelist
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-system
sta-access-mode blacklist sta-blacklist
ap-group name ap-group1
ap-system-profile wlan-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6

eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
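
The following is an added example, not part of the Huawei document: a Python consistency check for the STA whitelist and blacklist configuration from Steps 7 and 8, run over saved AC configuration text. It reports MAC addresses present in both lists, sta-access-mode lines that name an undefined list profile, list-carrying profiles never bound to an AP group, and list profiles that nothing references. The function names, finding labels, and sample configuration are constructed for this example.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")
LIST_RE = re.compile(r"sta-(whitelist|blacklist)-profile")
HOLDERS = ("vap-profile", "ap-system-profile")  # profiles that carry sta-access-mode

# Constructed sample (not from the document) with four deliberate defects.
SAMPLE_CONFIG = """\
wlan
 sta-blacklist-profile name sta-blacklist
  sta-mac 0011-2233-4477
  sta-mac 0011-2233-4455
 sta-whitelist-profile name sta-whitelist
  sta-mac 0011-2233-4455
  sta-mac 0011-2233-4466
 vap-profile name wlan-net
  service-vlan vlan-id 101
  sta-access-mode whitelist sta-whitelis
 ap-system-profile name wlan-system
  sta-access-mode blacklist sta-blacklist
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
"""


def parse_wlan(text):
    """Return (lists, refs, bound) extracted from configuration text."""
    lists = {"whitelist": {}, "blacklist": {}}  # kind -> profile name -> MACs
    refs = []                                   # (holder kind, holder, list kind, list name)
    bound = {kind: set() for kind in HOLDERS}   # holders applied to an AP group or AP
    ctx = (None, None)                          # view the current line belongs to
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("#", "wlan", "return"):
            ctx = (None, None)
        elif len(tok) >= 3 and tok[1] == "name":  # "<type> name <name>" opens a view
            ctx = (tok[0], tok[2])
            m = LIST_RE.fullmatch(tok[0])
            if m:
                lists[m.group(1)].setdefault(tok[2], set())
        elif tok[0] == "ap-id" and len(tok) >= 2:
            ctx = ("ap-id", tok[1])
        elif tok[0] == "sta-mac" and len(tok) == 2 and LIST_RE.fullmatch(ctx[0] or ""):
            kind = LIST_RE.fullmatch(ctx[0]).group(1)
            lists[kind][ctx[1]].add(tok[1].lower())
        elif (tok[0] == "sta-access-mode" and len(tok) == 3
              and tok[1] in lists and ctx[0] in HOLDERS):
            refs.append((ctx[0], ctx[1], tok[1], tok[2]))
        elif tok[0] in HOLDERS and len(tok) >= 2 and ctx[0] in ("ap-group", "ap-id"):
            bound[tok[0]].add(tok[1])
    return lists, refs, bound


def audit(text):
    """Return a list of (finding kind, detail) tuples; empty means consistent."""
    lists, refs, bound = parse_wlan(text)
    findings = []
    for kind, profiles in lists.items():
        for name, macs in profiles.items():
            for mac in sorted(macs):
                if not MAC_RE.fullmatch(mac):
                    findings.append(("bad-mac", f"{kind} {name}: {mac}"))
    white = set().union(*lists["whitelist"].values())
    black = set().union(*lists["blacklist"].values())
    for mac in sorted(white & black):  # permitted and denied at the same time
        findings.append(("overlap", mac))
    used = set()
    for holder_kind, holder, kind, name in refs:
        if name in lists[kind]:
            used.add((kind, name))
        else:  # mistyped or deleted list profile
            findings.append(("undefined-ref", f"{holder_kind} {holder} -> {kind} {name}"))
        if holder not in bound[holder_kind]:  # list configured but never applied
            findings.append(("unbound-holder", f"{holder_kind} {holder}"))
    for kind, profiles in lists.items():
        for name in sorted(profiles):
            if (kind, name) not in used:
                findings.append(("unused-list", f"{kind} {name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:15} {detail}")
```

The parser keys on command keywords rather than indentation, so it also accepts configuration text whose leading spaces were lost in copying.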

4.16 WLAN Location Configuration Examples


4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location
Service Requirements
The administrator needs to trace locations of materials in the coverage area of a WLAN. With
the Wi-Fi tag location solution of AeroScout, the administrator does not need to deploy
additional information collection points. Tags can periodically send 802.11 protocol-
compliant signals. When scanning the signals from the tags, APs report the information to the
location server. The location server then calculates the locations of the tags. In this manner,
the administrator can view locations and historical tracks of the materials on the map.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.

Networking Requirements
An AeroScout location server is deployed on the network and can communicate with the AC.
AeroScout Wi-Fi tags that have been activated are installed on materials to be traced within
the coverage area of the WLAN.

Figure 4-67 Networking for configuring AeroScout Wi-Fi tag location

[Figure: network diagram. Elements shown: AeroScout location server (10.23.103.1/24), IP network, Router (GE1/0/0; STA gateway: VLANIF 101; VLANIF 102), AC (GE0/0/1, GE0/0/2; VLANIF 102; AP gateway: VLANIF 100), Switch (GE0/0/2), AP1, AP2, AP3, AeroScout Wi-Fi tag (RFID), STA.]

Data Planning

Table 4-69 Data planning

Item                                       Data
AC                                         -
Interface connecting the AC to the server  GE0/0/2: VLAN 102
                                           VLANIF 102: 10.23.102.2
Route connecting the AC to the server      Destination address: 10.23.103.1
                                           Next-hop address: 10.23.102.1 (address of VLANIF 102 on Router)
AP group                                   Name: ap-group1
Air scan profile                           - Name: wlan-air-scan
                                           - Probe channel set: country code channels
2G radio profile                           - Name: wlan-radio-2g
                                           - Referenced profile: air scan profile wlan-air-scan
Location profile                           - Name: wlan-location
                                           - AeroScout tag location: enabled
                                           - Source IP address of outgoing packets: 10.23.102.2
                                           - Mode in which an AP reports tag information: AC
                                           - Port through which an AP reports tag information: 1144
                                           - Port number through which the AC reports location information: 10001
AeroScout product                          -
Tag                                        Sends signals through channels 1, 6, and 11
Location server                            IP address: 10.23.103.1
                                           Port number: 1144

Configuration Roadmap
1. Activate the AeroScout tag and configure the AeroScout location server.
2. Configure the AC to communicate with the AeroScout location server. Plan an IP
address for the AC to send received tag information to the location server.
3. Configure the air scan function on the AC. Tags work on the 2.4 GHz band. Enable air
scan on the 2.4 GHz radios of APs. If automatic radio calibration is enabled, set the
channel set to within the range supported by the country code to cover available channels
used by the tags. If only the tag location service is required, configure radios to work on
fixed channels and set the air scan channel set to the working channels.
4. Configure the AeroScout tag location function on the AC.

Configuration Notes
When activating a tag, ensure that the channel through which the tag sends signals can be
scanned by APs.

Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -50 dBm.

When APs are not heavily loaded, it is recommended that the AC report tag information. In
this case, set APs' IP addresses on the AeroScout location server to the AC's IP address. To
configure APs to directly report tag information, specify the APs' IP addresses on the
AeroScout location server based on the actual situation.

Procedure
Step 1 Configure AeroScout products.

# On the PC, install the Tag Manager software and connect a tag activator to the PC. Deploy
the tag within the coverage of the activator. After configuring the tag, fix it to the materials.

# Install the AeroScout Engine software on the AeroScout server to configure it as the
location server. After the software is installed, open the management system on the server and
add information about the map and APs. If the AC has been configured, you can check
information about properly running APs (marked in green) on the AC. You can click the
location startup button on the page.

For details about how to install and configure AeroScout products, see the configuration guide
of the corresponding products.

Step 2 Configure the AC to communicate with the AeroScout location server.

# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24

# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1

# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Step 3 Check the basic WLAN configuration on the AC.

Check Item                          Command                             Data
Check the AP group to which an AP   display ap all                      AP group: ap-group1
belongs.                                                                AP name: AP1, AP2, AP3...
Check profiles referenced by the    display ap-group name xxx           Radio 0:
AP group.                                                               - 2G radio profile: wlan-radio-2g
                                                                        - Location profile: null
Check profiles referenced by the    display radio-2g-profile name xxx   Air scan profile: wlan-air-scan
2G radio profile.

NOTE

- If the configuration of an AP is different from that in the AP group, the configuration of the AP
  takes precedence.
- A new profile takes effect only after being bound to an AP or an AP group.

Step 4 Configure the air scan function on the AC.


# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Enter the AP group ap-group1 and bind it to the 2G radio profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 5 Configure the AeroScout tag location function on the AC.


# Create the location profile wlan-location, enable the AeroScout tag location function, and
configure the mode in which location information is reported.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] aeroscout tag-enable
[AC-wlan-location-prof-wlan-location] aeroscout server port 1144 via-ac ac-port 10001
Warning: Port number 1145 is recommended for communication with an AC. Otherwise, the AP may fail to communicate with the AC. Continue?(y/n):y
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.102.2
[AC-wlan-location-prof-wlan-location] quit

# Enter the AP group ap-group1 and bind it to the location profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.


# Run the display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name }
command to check the configuration delivered by the AeroScout location server to an AP. The
value start indicates that the AP is working properly.

[AC-wlan-view] display wlan location config-info aeroscout ap-name AP1
----------------------------------------------------------------
......
Response port : 1144
AP tag mode : start
......

# Move the tag to the coverage area of an AP, and run the display wlan location device-info
tag { ap-id ap-id | ap-name ap-name } command to check tag information scanned by the
AP.
[AC-wlan-view] display wlan location device-info tag ap-name AP1
AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 AP1 AeroScout 1040-8002-6f80 6 -30
------------------------------------------------------------------------------
Total: 1

# On the management page of the AeroScout location server, the location of the tag is
displayed on the map.

----End

Configuration Files
- Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
aeroscout tag-enable
aeroscout server port 1144 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio 0
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
#
return

4.16.2 Example for Configuring AeroScout MU Location


Service Requirements
The administrator needs to trace locations of mobile units (MUs) in the coverage area of a
WLAN. With the MU location solution of AeroScout, the administrator does not need to
deploy additional information collection points. APs periodically scan signals of MUs and
report location information to the location server. The location server then calculates the
locations of the MUs. In this manner, the administrator can view locations and historical
tracks of the MUs on the map.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.

Networking Requirements
An AeroScout location server is deployed on the network and can communicate with the AC.

Figure 4-68 Networking for configuring AeroScout MU location

[Figure: network diagram. Elements shown: AeroScout location server (10.23.103.1/24), IP network, Router (GE1/0/0; STA gateway: VLANIF 101; VLANIF 102), AC (GE0/0/1, GE0/0/2; VLANIF 102; AP gateway: VLANIF 100), Switch (GE0/0/2), AP1, AP2, AP3, MU.]

Data Planning

Table 4-70 Data planning


Item                                       Data
AC                                         -
Interface connecting the AC to the server  GE0/0/2: VLAN 102
                                           VLANIF 102: 10.23.102.2
Route connecting the AC to the server      Destination address: 10.23.103.1
                                           Next-hop address: 10.23.102.1 (address of VLANIF 102 on Router)
AP group                                   Name: ap-group1
Air scan profile                           - Name: wlan-air-scan
                                           - Probe channel set: channels supported by the country code
2G radio profile                           - Name: wlan-radio-2g
                                           - Referenced profile: air scan profile wlan-air-scan
5G radio profile                           - Name: wlan-radio-5g
                                           - Referenced profile: air scan profile wlan-air-scan
Location profile                           - Name: wlan-location
                                           - AeroScout MU location: enabled
                                           - Source IP address of outgoing packets: 10.23.102.2
                                           - Mode in which MU information is reported: through the AC
                                           - Destination port number for the AC to report MU information to the server: 1144
                                           - Destination port number for APs to report MU information to the AC: 10001
AeroScout product                          -
Location server                            IP address: 10.23.103.1
                                           Port number: 1144

Configuration Roadmap
1. Configure the AeroScout location server.
2. Configure the AC to communicate with the AeroScout location server. Plan an IP
address for the AC to send received MU information to the location server.

3. Configure the air scan function on the AC.
4. Configure the AeroScout MU location function on the AC.

Configuration Notes
Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -65 dBm.

When APs are not heavily loaded, it is recommended that the AC report MU information. In
this case, set APs' IP addresses on the AeroScout location server to the AC's IP address. To
configure APs to directly report MU information, specify the APs' IP addresses on the
AeroScout location server based on the actual situation.

Procedure
Step 1 Configure AeroScout products.

# Install the AeroScout Engine software on the AeroScout server to configure it as the
location server. After the software is installed, open the management system on the server and
add information about the map and APs. If the AC has been configured, you can check
information about properly running APs (marked in green) on the AC. You can click the
location startup button on the page.

For details about how to install and configure AeroScout products, see the configuration guide
of the corresponding products.

Step 2 Configure the AC to communicate with the AeroScout location server.

# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24

# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1

# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Step 3 Check the basic WLAN configuration on the AC.

Check Item                          Command                             Data
Check the AP group to which an AP   display ap all                      AP group: ap-group1
belongs.                                                                AP name: AP1, AP2, AP3...
Check profiles referenced by the    display ap-group name xxx           Radio 0:
AP group.                                                               - 2G radio profile: wlan-radio-2g
                                                                        - Location profile: null
                                                                        Radio 1:
                                                                        - 5G radio profile: wlan-radio-5g
                                                                        - Location profile: null
Check profiles referenced by the    display radio-2g-profile name xxx   Air scan profile: wlan-air-scan
2G radio profile.
Check profiles referenced by the    display radio-5g-profile name xxx   Air scan profile: wlan-air-scan
5G radio profile.

NOTE

- If the configuration of an AP is different from that in the AP group, the configuration of the AP
  takes precedence.
- A new profile takes effect only after being bound to an AP or an AP group.

Step 4 Configure the air scan function on the AC.


# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0

Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 5 Configure the AeroScout MU location function on the AC.


# Create the location profile wlan-location, enable the AeroScout MU location function, and
configure the mode in which location information is reported.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] aeroscout mu-enable
[AC-wlan-location-prof-wlan-location] aeroscout server port 1144 via-ac ac-port 10001
Warning: Port number 1145 is recommended for communication with an AC. Otherwise, the AP may fail to communicate with the AC. Continue?(y/n):y
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.102.2
[AC-wlan-location-prof-wlan-location] quit

# Enter the AP group ap-group1 and bind it to the location profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.


# Run the display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name }
command to check the configuration delivered by the AeroScout location server to an AP. The
value start indicates that the AP is working properly.
[AC-wlan-view] display wlan location config-info aeroscout ap-name AP1
----------------------------------------------------------------
......
Response port : 1144
AP tag mode : stop
AP MU mode : start
......

# On the management page of the AeroScout location server, the location of the MU is
displayed on the map.

----End

Configuration Files
- Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102


#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
aeroscout mu-enable
aeroscout server port 1144 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-net wlan 1
#
return

4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location


Service Requirements
The administrator needs to trace locations of materials in the coverage area of a WLAN. With
the Wi-Fi tag location solution of Ekahau, the administrator does not need to deploy
additional information collection points. Tags can periodically send 802.11 protocol-
compliant signals. When scanning the signals from the tags, APs report the information to the
location server. The location server then calculates the locations of the tags. In this manner,
the administrator can view locations and historical tracks of the materials on the map.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.

Networking Requirements
An Ekahau location server is deployed on the network and can communicate with the AC.
Ekahau Wi-Fi tags that have been activated are installed on materials to be traced within the
coverage area of the WLAN.


Figure 4-69 Networking for configuring Ekahau Wi-Fi tag location

[Figure: network diagram. Labels: Ekahau location server 10.23.103.1/24; IP network; Router GE1/0/0 (VLANIF 102); AC GE0/0/2 (VLANIF 102) and GE0/0/1; STA gateway: VLANIF 101; AP gateway: VLANIF 100; Switch GE0/0/2; AP1, AP2, AP3; RFID; Ekahau Wi-Fi tag; STA.]

Data Planning

Table 4-71 Data planning

Item | Data
AC | -
Interface connecting the AC to the server | GE0/0/2: VLAN 102; VLANIF 102: 10.23.102.2
Route connecting the AC to the server | Destination address: 10.23.103.1; Next-hop address: 10.23.102.1 (address of VLANIF 102 on Router)
AP group | Name: ap-group1
Air scan profile | Name: wlan-air-scan; Probe channel set: channels supported by the country code
2G radio profile | Name: wlan-radio-2g; Referenced profile: air scan profile wlan-air-scan
Location profile | Name: wlan-location; Ekahau tag location: enabled; Source IP address of outgoing packets: 10.23.102.2; Mode in which tag information is reported: through the AC; Destination IP address and port number for the AC to report tag information to the server: 10.23.103.1/8569; Destination port number for APs to report tag information to the AC: 10001
Ekahau product | -
Tag | Sends signals through channels 1, 6, and 11
Location server | IP address: 10.23.103.1; Port number: 8569

Configuration Roadmap
1. Activate tags. Conduct the onsite survey to establish a signal distribution model. On the
server, install Ekahau RTLS Controller and import the signal distribution model file.
2. Configure the AC to communicate with the Ekahau location server. Plan an IP address
for the AC to send received tag information to the location server.
3. Configure the air scan function on the AC. Tags work on the 2.4 GHz band. Enable air
scan on the 2.4 GHz radios of APs. If automatic radio calibration is enabled, set the
channel set to within the range supported by the country code to cover available channels
used by the tags. If only the tag location service is required, configure radios to work on
fixed channels and set the air scan channel set to the working channels.
4. Configure the Ekahau tag location function on the AC.

Configuration Notes
When activating a tag, ensure that the channel through which the tag sends signals can be
scanned by APs.
Three-point location technology is used. To ensure location accuracy, ensure that the distance
between APs is no more than 15 m. The location accuracy is good when the RSSI is higher
than -50 dBm.


When APs are not heavily loaded, it is recommended that the AC report tag information. To
configure APs to directly report tag information, ensure that the APs have reachable routes to
the location server.

Procedure
Step 1 Configure Ekahau products.

# Ensure that the PC has a wireless network adapter installed or uses the Ekahau Wi-Fi
adapter. Install Ekahau Tag Activator on the PC. Deploy the tag within the wireless signal
coverage of the PC. After configuring the tag, fix it to the materials.

# Install Ekahau Site Survey on the PC. Import the onsite map, select APs for locating tags
from the scanned AP list, and export the signal distribution model file.

# Install the Ekahau RTLS Controller software on the Ekahau server to configure it as the
location server. Open the management system and import the signal distribution model file. If
the configuration on the AC is completed, you can view the location of the tag on the page.

For details about how to install and configure Ekahau products, see the configuration guide of
the corresponding products.

Step 2 Configure the AC to communicate with the Ekahau location server.

# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24

# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1

# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Step 3 Check the basic WLAN configuration on the AC.

Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1; AP name: AP1, AP2, AP3...
Check profiles referenced by the AP group. | display ap-group name xxx | Radio 0: 2G radio profile: wlan-radio-2g; Location profile: null
Check profiles referenced by the 2G radio profile. | display radio-2g-profile name xxx | Air scan profile: wlan-air-scan

NOTE

- If the configuration of an AP is different from that in the AP group, the configuration of the AP
  takes precedence.
- A new profile takes effect only after being bound to an AP or an AP group.

Step 4 Configure the air scan function on the AC.

# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Enter the AP group ap-group1 and bind it to the 2G radio profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 5 Configure the Ekahau tag location function on the AC.

# Create the location profile wlan-location, enable Ekahau tag location, configure the
destination IP address and port number for reporting location information, and configure the
source IP address for the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] ekahau tag-enable
[AC-wlan-location-prof-wlan-location] ekahau server ip-address 10.23.103.1 port 8569 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.102.2
[AC-wlan-location-prof-wlan-location] quit

# Enter the AP group ap-group1 and bind it to the location profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit


Step 6 Verify the configuration.


# Move the tag to the coverage area of an AP, and run the display wlan location device-info
tag { ap-id ap-id | ap-name ap-name } command to check tag information scanned by the
AP.
[AC-wlan-view] display wlan location device-info tag ap-name AP1
AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 AP1 Ekahau 1040-8002-6420 6 -50
------------------------------------------------------------------------------
Total: 1

# On the management page of the Ekahau location server, the location of the tag is displayed
on the map.

----End
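The verification step above can be checked across several APs at once. The following is an added example, not part of the original manual: it parses captured outputs of display wlan location device-info tag and checks each tag against the data planning (channels 1, 6, and 11) and the configuration notes (RSSI higher than -50 dBm, three-point location). The column layout, the rule that three APs must hear a tag, and every sample row except the page's AP1 row are assumptions.

```python
import re
from collections import defaultdict

PLANNED_CHANNELS = {1, 6, 11}  # channels the tags send on (data planning table)
GOOD_RSSI_DBM = -50            # accuracy is good when RSSI is higher than this
MIN_APS = 3                    # assumption: three-point location needs three APs

# One data row: AP ID, AP name, tag type, tag MAC (xxxx-xxxx-xxxx), channel, RSSI.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})"
    r"\s+(\d+)\s+(-?\d+)\s*$"
)

# Constructed outputs, one per AP. Only the AP1 row for 1040-8002-6420 is the
# page's own; every other row and the second tag are invented test data.
SAMPLE_OUTPUTS = [
    """AP ID  AP name  Tag type  Tag MAC         Channel  RSSI
------------------------------------------------------------
0      AP1      Ekahau    1040-8002-6420  6        -50
------------------------------------------------------------
Total: 1""",
    """AP ID  AP name  Tag type  Tag MAC         Channel  RSSI
------------------------------------------------------------
1      AP2      Ekahau    1040-8002-6420  6        -47
1      AP2      Ekahau    1040-8002-64ff  3        -70
------------------------------------------------------------
Total: 2""",
    """AP ID  AP name  Tag type  Tag MAC         Channel  RSSI
------------------------------------------------------------
2      AP3      Ekahau    1040-8002-6420  6        -62
------------------------------------------------------------
Total: 1""",
]


def parse_tag_table(output):
    """Parse one command output into row dicts; reject truncated captures."""
    rows, total = [], None
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            _, ap, kind, mac, channel, rssi = m.groups()
            rows.append({"ap": ap, "type": kind, "mac": mac.lower(),
                         "channel": int(channel), "rssi": int(rssi)})
        elif line.strip().startswith("Total:"):
            total = int(line.split(":", 1)[1])
    if total is not None and total != len(rows):
        raise ValueError("Total says %d rows, parsed %d" % (total, len(rows)))
    return rows


def assess_tags(outputs):
    """Map each tag MAC to the list of problems found across all APs."""
    seen = defaultdict(dict)                  # mac -> {AP name: row}
    for output in outputs:
        for row in parse_tag_table(output):
            seen[row["mac"]][row["ap"]] = row
    report = {}
    for mac, by_ap in seen.items():
        issues = []
        if len(by_ap) < MIN_APS:
            issues.append("heard by %d AP(s), need %d" % (len(by_ap), MIN_APS))
        stray = sorted({r["channel"] for r in by_ap.values()} - PLANNED_CHANNELS)
        if stray:
            issues.append("unplanned channel(s) %s" % stray)
        weak = sorted(ap for ap, r in by_ap.items() if r["rssi"] <= GOOD_RSSI_DBM)
        if weak:
            issues.append("RSSI not above %d dBm on %s"
                          % (GOOD_RSSI_DBM, ", ".join(weak)))
        report[mac] = issues
    return report


if __name__ == "__main__":
    for mac, issues in assess_tags(SAMPLE_OUTPUTS).items():
        print(mac, "OK" if not issues else "; ".join(issues))
```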

Configuration Files
- Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
ekahau tag-enable
ekahau server ip-address 10.23.103.1 port 8569 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio 0
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
#
return


4.16.4 Example for Configuring Wi-Fi Terminal Location


Service Requirements
The administrator needs to trace locations of terminals in the coverage area of a WLAN. With
the Wi-Fi terminal location solution, the administrator does not need to deploy additional
information collection points. APs periodically scan signals of terminals and report location
information to the location server. The location server then calculates the locations of the
terminals. In this manner, the administrator can view locations and historical tracks of the
terminals on the map.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.

Networking Requirements
The network management system (NMS) eSight is deployed on the network as a location
server and can communicate with the AC.

Figure 4-70 Networking for configuring Wi-Fi terminal location

[Figure: network diagram. Labels: eSight location server 10.23.103.1/24; IP network; Router GE1/0/0 (VLANIF 102); AC GE0/0/2 (VLANIF 102) and GE0/0/1; STA gateway: VLANIF 101; AP gateway: VLANIF 100; Switch GE0/0/2; AP1, AP2, AP3; Terminal.]


Data Planning

Table 4-72 AC data planning


Item | Data
AC | -
Interface connecting the AC to the server | GE0/0/2: VLAN 102; VLANIF 102: 10.23.102.2
Route connecting the AC to the server | Destination address: 10.23.103.1; Next-hop address: 10.23.102.1 (address of VLANIF 102 on Router)
SNMP parameters | SNMP version: SNMPv2c; Read community name: public123; Write community name: private123
AP group | Name: ap-group1
Air scan profile | Name: wlan-air-scan; Probe channel set: channels supported by the country code
2G radio profile | Name: wlan-radio-2g; Referenced profile: air scan profile wlan-air-scan
5G radio profile | Name: wlan-radio-5g; Referenced profile: air scan profile wlan-air-scan
Location profile | Name: wlan-location; Wi-Fi terminal location: enabled; Mode in which terminal information is reported: through the AC; Destination IP address and port number for the AC to report terminal information to the server: 10.23.103.1/32180; Destination port number for APs to report terminal information to the AC: 10001
Location server | -
eSight | IP address: 10.23.103.1; Port number: 32180


Configuration Roadmap
1. Install eSight.
2. Configure the AC to communicate with eSight. Plan an IP address for the AC to send
received terminal information to the location server.
3. Configure SNMP parameters for the AC to connect to eSight.
4. Configure the air scan function on the AC.
5. Configure the Wi-Fi terminal location function on the AC.
6. Configure the WLAN location function on eSight.

Configuration Notes
Three-point location technology is used. To ensure location accuracy, ensure that the distance
between APs is no more than 15 m. The location accuracy is good when the RSSI is higher
than -65 dBm.
When eSight serves as a location server, purchase licenses based on the number of APs used
for the location service.
When adding an AC to eSight, specify the same SNMP version, read community name, and
write community name as those of the AC. In this way, the AC can properly communicate
with eSight.
When APs are not heavily loaded, it is recommended that the AC report terminal information.
To configure APs to directly report terminal information, ensure that the APs have reachable
routes to the location server.

Procedure
Step 1 Install eSight.
# Log in to the Huawei enterprise technical support website (http://support.huawei.com/e),
search for eSight Network, and obtain eSight product documentation. Under the guidance of
the documentation, obtain the eSight installation package and install eSight.
Step 2 Configure the AC to communicate with the eSight location server.
# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24

# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit


# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1

# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Step 3 Configure the AC to communicate with eSight.

# Configure the SNMP version on the AC.


[AC] snmp-agent sys-info version v2c

# Set the read community name to public123 and write community name to private123.
[AC] snmp-agent community read public123
[AC] snmp-agent community write private123

Step 4 Check the basic WLAN configuration on the AC.

Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1; AP name: AP1, AP2, AP3...
Check profiles referenced by the AP group. | display ap-group name xxx | Radio 0: 2G radio profile: wlan-radio-2g; Location profile: null. Radio 1: 5G radio profile: wlan-radio-5g; Location profile: null
Check profiles referenced by the 2G radio profile. | display radio-2g-profile name xxx | Air scan profile: wlan-air-scan
Check profiles referenced by the 5G radio profile. | display radio-5g-profile name xxx | Air scan profile: wlan-air-scan

NOTE

- If the configuration of an AP is different from that in the AP group, the configuration of the AP
  takes precedence.
- A new profile takes effect only after being bound to an AP or an AP group.

Step 5 Configure the air scan function on the AC.


# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the Wi-Fi terminal location function.


# Create the location profile wlan-location, enable the Wi-Fi terminal location function, and
configure the destination IP address and port number for reporting location information.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] private mu-enable
[AC-wlan-location-prof-wlan-location] private server ip-address 10.23.103.1 port 32180 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] quit

# Enter the AP group ap-group1 and bind it to the location profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure eSight.


1. Add an AC to eSight.
# Choose Resource > Add Resource > Add Resource from the main menu. The Add
Resource page is displayed.

# Click Apply.
2. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.


# Choose Business > WLAN Management > Region Monitor from the main menu.

# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.
# Right-click Add Region in the region topology view.

# Click OK.
3. Add APs in ap_region_1.
# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1
in the view on the right. The location view of ap_region_1 is displayed.

# Right-click ap_region_1 and choose Add AP from the shortcut menu. Select the APs
that need to perform the location and click Confirm.


NOTE
At least three APs must perform the location. Otherwise, Wi-Fi terminals cannot be
accurately located.
4. Set the background and scale for ap_region_1.
# Right-click ap_region_1 and choose Set Background for Subnet from the shortcut
menu.
# Select the background based on actual conditions. Click Apply Background.


NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.

# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points. eSight automatically selects
the background and scale.
# In the ap_region_1 view, properly place each AP on the background.

# In the ap_region_1 view, click .


5. Enable the location function of eSight.
# Choose Region Topology > ap_region_1 in Resource, or right-click ap_region_1 in
the view on the right and choose Enable WIFI Location from the shortcut menu. In the
dialog box that is displayed, click OK.
Step 8 Verify the configuration.

# In the right view of ap_region_1 on eSight, click to return to the monitoring
mode, and click in the region topology toolbar to select information to be displayed on
the topology.
# Select the Wi-Fi terminals or heat maps to be displayed in the topology on the Terminal
Location tab.

----End

Configuration Files
- Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file


#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
snmp-agent local-engineid 800007DB030200000000E0
snmp-agent community read %^%#sP6,%Hno.$v[Lf#fiyP(eKm4)vNP*Q"mA~'$XjP4r}XXU4f
%'&y>D`/1.5\Clr]I5mUJ46!a7'9p#*o2%^%#
snmp-agent community write %^%#/.U;L9&iwS.dF15y]J"N\XU='K:YkWj/O.)=6W
$3q{M1J4.<X"\h{a:p)c\;TBL\=qn=u+7YR~L/#`V>%^%#
snmp-agent sys-info version v2c
snmp-agent
#
wlan
location-profile name wlan-location
private mu-enable
private server ip-address 10.23.103.1 port 32180 via-ac ac-port 10001
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-net wlan 1
#
return
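A saved AC configuration file like the one above can be checked offline before it is relied on. The following is an added example, not Huawei's code: it parses the file into a tree, extracts where each location profile reports to, checks that every radio bound to a location profile has a radio profile that references an air scan profile, and flags SNMPv1/v2c because community names travel unencrypted. The one-space indentation, the function names, and the finding texts are assumptions.

```python
import re

# Constructed sample: the AC configuration file above with one space of
# indentation per nesting level restored (assumed; the page text lost it) and
# the encrypted community strings replaced by a placeholder.
AC_CONFIG = """\
#
snmp-agent community read <ciphertext>
snmp-agent community write <ciphertext>
snmp-agent sys-info version v2c
#
wlan
 location-profile name wlan-location
  private mu-enable
  private server ip-address 10.23.103.1 port 32180 via-ac ac-port 10001
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-net wlan 1
#
return
"""

SERVER = re.compile(
    r"server (?:ip-address (\S+) )?port (\d+)(?: via-ac ac-port (\d+))?")


def parse_tree(text):
    """Turn indented config text into nested (line, children) nodes."""
    root = ("", [])
    stack = [(-1, root)]                     # (indent, node) of open ancestors
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = (line, [])
        stack[-1][1][1].append(node)
        stack.append((indent, node))
    return root


def audit(text):
    """Return (location_profiles, findings) for one AC configuration."""
    top = parse_tree(text)[1]
    findings = []
    for line, _ in top:
        m = re.fullmatch(r"snmp-agent sys-info version (.+)", line)
        if m and re.search(r"\b(v1|v2c)\b", m.group(1)):
            findings.append("snmp: %s enabled, community names are sent "
                            "unencrypted" % m.group(1))
    wlan = next((kids for line, kids in top if line == "wlan"), [])
    profiles, scan_ref, groups = {}, {}, {}
    for line, kids in wlan:
        words = line.split()
        if len(words) != 3 or words[1] != "name":
            continue
        kind, name = words[0], words[2]
        if kind == "location-profile":
            info = {"enabled": [], "server": None}
            for sub, _ in kids:
                if sub.endswith("-enable"):
                    info["enabled"].append(sub)
                m = SERVER.search(sub)
                if m:
                    info["server"] = {"ip": m.group(1), "port": int(m.group(2)),
                                      "ac_port": m.group(3) and int(m.group(3))}
            profiles[name] = info
        elif kind in ("radio-2g-profile", "radio-5g-profile"):
            scan_ref[name] = [s.split()[1] for s, _ in kids
                              if s.startswith("air-scan-profile ")]
        elif kind == "ap-group":
            groups[name] = kids
    for group, kids in groups.items():
        radios = {}                          # radio id -> bound radio profile
        for line, sub in kids:
            m = re.fullmatch(r"radio (\d+)", line)
            if m:
                bound = [s.split()[1] for s, _ in sub
                         if re.match(r"radio-[25]g-profile ", s)]
                radios[m.group(1)] = bound[0] if bound else None
        for line, _ in kids:
            m = re.fullmatch(r"location-profile (\S+) radio (\S+)", line)
            if not m:
                continue
            prof, target = m.groups()
            info = profiles.get(prof)
            if info is None or not info["enabled"] or info["server"] is None:
                findings.append("%s: location profile %s is undefined or "
                                "incomplete" % (group, prof))
            for rid in (sorted(radios) if target == "all" else [target]):
                if not scan_ref.get(radios.get(rid)):
                    findings.append("%s radio %s: no air scan profile behind "
                                    "location profile %s" % (group, rid, prof))
    return profiles, findings
```

The same function accepts the AeroScout and Ekahau configuration files in this chapter, because the server line is matched with or without an ip-address part.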

4.16.5 Example for Configuring Bluetooth Terminal Location

Service Requirements
The network administrator of a shopping mall needs to leverage Bluetooth location
technology to provide the shopping mall navigation service and push shopping guide
information based on customers' locations. In the Bluetooth terminal location solution, APs
with Bluetooth modules scan surrounding BLE base stations. Together with the location
server, app server, and apps on terminals, the APs provide the shopping mall navigation and
shopping guide information pushing services.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.

Networking Requirements
eSight is deployed on the network as a location server. A third-party app server is deployed to
provide services for customers. BLE base stations broadcast information about themselves.
The AC needs to report BLE base station data to the location server.
The location server provides information about the map and BLE base stations to the app
server. The location server is configured to communicate with the app server.


Bluetooth terminals need to have apps installed and communicate with the app server.
Therefore, Wi-Fi or mobile data needs to be enabled on the Bluetooth terminals.

Figure 4-71 Networking for configuring Bluetooth terminal location

[Figure: network diagram. Labels: eSight location server 10.23.103.1/24; App server 10.23.103.2/24; IP network; Router GE1/0/0 (VLANIF 102); AC GE0/0/2 (VLANIF 102) and GE0/0/1; STA gateway: VLANIF 101; AP gateway: VLANIF 100; Switch GE0/0/2; AP1; BLE base station; Bluetooth terminal.]

Data Planning

Table 4-73 Data planning


Item | Data
AC | -
Interface connecting the AC to the server | GE0/0/2: VLAN 102; VLANIF 102: 10.23.102.2
Route connecting the AC to the server | Destination address: 10.23.103.1; Next-hop address: 10.23.102.1 (address of VLANIF 102 on Router)
SNMP parameters | SNMP version: SNMPv2c; Read community name: public123; Write community name: private123
AP group | Name: ap-group1
BLE profile | Name: wlan-ble; Bluetooth monitoring: enabled
Location server | -
eSight | IP address: 10.23.103.1

Configuration Roadmap
1. Install eSight.
2. Install a third-party app server.
3. Install third-party BLE base stations.
4. Configure the AC to communicate with eSight. Plan an IP address for the AC to send
received BLE base station information to the location server.
5. Configure SNMP parameters for the AC to connect to eSight.
6. Configure the Bluetooth terminal location function on the AC.
7. Configure the BLE base station management function on eSight.

Configuration Notes
The Bluetooth terminal location function requires that Bluetooth devices support BLE 4.0 or
later.
When adding an AC to eSight, specify the same SNMP version, read community name, and
write community name as those of the AC. In this way, the AC can properly communicate
with eSight.
APs obtain battery power information about surrounding BLE base stations at the system time
of 02:00. Accurately set the system time of the AC so that services are not affected when the
AC obtains battery power information about BLE base stations.
After the Bluetooth terminal location function is enabled, it is recommended that channels 1,
6, and 11 be planned on the 2.4 GHz band to avoid interference.
Currently, only BLE base stations of Lanke Xuntong are supported.

Procedure
Step 1 Install eSight.
# Log in to the Huawei enterprise technical support website (http://support.huawei.com/e),
search for eSight Network, and obtain eSight product documentation. Under the guidance of
the documentation, obtain the eSight installation package and install eSight.


Step 2 Configure the AC to communicate with the eSight location server.


# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24

# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1

# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Step 3 Configure the AC to communicate with eSight.


# Configure the SNMP version on the AC.
[AC] snmp-agent sys-info version v2c

# Set the read community name to public123 and write community name to private123.
[AC] snmp-agent community read public123
[AC] snmp-agent community write private123

Step 4 Check the basic WLAN configuration on the AC.

Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1; AP name: AP1, AP2, AP3...

NOTE

- If the configuration of an AP is different from that in the AP group, the configuration of the AP
  takes precedence.
- A new profile takes effect only after being bound to an AP or an AP group.

Step 5 Configure the Bluetooth terminal location function.


# Create the BLE profile wlan-ble and enable Bluetooth monitoring to receive information
about surrounding BLE base stations.


[AC] wlan
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable ibeacon-mode
[AC-wlan-ble-prof-wlan-ble] quit

# Add BLE base stations within the coverage area of the AP to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002

# Bind the BLE profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ble-profile wlan-ble
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure eSight.


1. Add an AC to eSight.
# Choose Resource > Add Resource > Add Resource from the main menu. The Add
Resource page is displayed.

# Click Apply.
2. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.
# Choose Business > WLAN Management > Region Monitor from the main menu.

# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.
# Right-click Add Region in the region topology view.

# Click OK.
3. Add a Beacon frame in ap_region_1.

# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1
in the view on the right. The location view of ap_region_1 is displayed.

# Right-click ap_region_1 and choose Add Beacon from the shortcut menu. Add
Beacon information and click Confirm.

4. Set the background and scale for ap_region_1.


# Right-click ap_region_1 and choose Set Background for Subnet from the shortcut
menu.
# Select the background based on actual conditions. Click Apply Background.

NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.

# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points. eSight automatically selects
the background and scale.
# In the ap_region_1 view, properly place each AP on the background.

# In the ap_region_1 view, click .


5. Enable Bluetooth terminal location on eSight.
# Choose Region Topology > ap_region_1 in Resource. Alternatively, right-click
ap_region_1 in the view on the right and choose Enable Bluetooth Location from the
shortcut menu. In the dialog box that is displayed, click Yes.
Step 7 Verify the configuration.
# After the AP obtains information about BLE base stations, run the display wlan ble site-info
{ all | mac-address mac-address } command to check BLE base station information
scanned by the AP.
[AC-wlan-view] display wlan ble site-info all
---------------------------------------------------------------------------------------------------------------------------------------------------
Index  MAC             Host AP ID  Host AP name  RSSI  Power  Type     DetachedFlag  Aging-Timeout(m)  Broadcast count  Advertisement data
---------------------------------------------------------------------------------------------------------------------------------------------------
0      0000-0101-0202  0           area_1        -30   50%    ibeacon  N             57                10               02-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
1      0000-0101-0303  0           area_1        -31   51%    ibeacon  N             57                12               01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2      0000-0101-0505  0           area_1        -33   55%    ibeacon  N             57                22               03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
---------------------------------------------------------------------------------------------------------------------------------------------------
Total: 3

# After Bluetooth terminals access the WLAN and have the Bluetooth function enabled, a
third-party app can be installed on the terminals to display the terminal locations and receive
shopping guide information.

----End

Configuration Files
● Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

● AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
snmp-agent local-engineid 800007DB030200000000E0
snmp-agent community read %^%#sP6,%Hno.$v[Lf#fiyP(eKm4)vNP*Q"mA~'$XjP4r}XXU4f
%'&y>D`/1.5\Clr]I5mUJ46!a7'9p#*o2%^%#
snmp-agent community write %^%#/.U;L9&iwS.dF15y]J"N\XU='K:YkWj/O.)=6W
$3q{M1J4.<X"\h{a:p)c\;TBL\=qn=u+7YR~L/#`V>%^%#
snmp-agent sys-info version v2c
snmp-agent
#
wlan
 ble-profile name wlan-ble
  sniffer enable ibeacon-mode
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
#
return

4.17 WLAN QoS Configuration Examples


4.17.1 Common Misconfigurations

4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network
access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.

Procedure
● Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit
● Configure multicast packet suppression in tunnel forwarding mode.
a. Create the traffic profile test and set the maximum traffic volume of multicast
packets in the profile.
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] traffic-profile name test
[AC6605-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC6605-wlan-traffic-prof-test] quit
b. Bind the traffic profile to the VAP profile.
[AC6605-wlan-view] vap-profile name test
[AC6605-wlan-vap-prof-test] traffic-profile test
[AC6605-wlan-vap-prof-test] quit

----End
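
The if-match rule in traffic classifier test selects frames by a 24-bit destination MAC prefix, so it is worth checking which group addresses the 100 kbit/s CAR actually covers. The following Python sketch is an added example, not part of the Huawei document; the sample destinations are constructed, and the address classes come from the standard IPv4/IPv6 multicast MAC mappings rather than from this page.

```python
"""Which destination MACs does the classifier in 4.17.1.1 police? (added example)"""


def parse_mac(text):
    """Parse xxxx-xxxx-xxxx (or colon/dash octet notation) into a 48-bit int."""
    digits = "".join(ch for ch in text if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Format a 48-bit int in the xxxx-xxxx-xxxx notation used on the page."""
    text = f"{value:012x}"
    return "-".join(text[i:i + 4] for i in (0, 4, 8))


# Value and mask copied from the if-match rule of traffic classifier "test".
RULE_VALUE = parse_mac("0100-5e00-0000")
RULE_MASK = parse_mac("ffff-ff00-0000")


def rule_matches(dst_mac):
    """True when the masked destination equals the masked rule value."""
    return (parse_mac(dst_mac) & RULE_MASK) == (RULE_VALUE & RULE_MASK)


def ipv4_group_to_mac(group):
    """Map an IPv4 multicast group to its MAC: 01-00-5e + low 23 address bits."""
    octets = [int(part) for part in group.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {group!r}")
    if not 224 <= octets[0] <= 239:
        raise ValueError(f"not a multicast group: {group!r}")
    low23 = ((octets[1] & 0x7F) << 16) | (octets[2] << 8) | octets[3]
    return format_mac(0x01005E000000 | low23)


def address_kind(dst_mac):
    """Classify a destination MAC by the standard group-address ranges."""
    value = parse_mac(dst_mac)
    if value == 0xFFFFFFFFFFFF:
        return "broadcast"
    if value >> 23 == 0x01005E << 1:      # 25-bit prefix: 01-00-5e + a zero bit
        return "ipv4-multicast"
    if value >> 32 == 0x3333:
        return "ipv6-multicast"
    if (value >> 40) & 1:                 # I/G bit set: some other group address
        return "other-group"
    return "unicast"


# Constructed sample destinations (labels and addresses are illustrative).
SAMPLE_DESTINATIONS = [
    ("mDNS 224.0.0.251", ipv4_group_to_mac("224.0.0.251")),
    ("SSDP 239.255.255.250", ipv4_group_to_mac("239.255.255.250")),
    ("IPv6 mDNS ff02::fb", "3333-0000-00fb"),
    ("ARP request", "ffff-ffff-ffff"),
    ("STP BPDU", "0180-c200-0000"),
    ("unicast host", "60de-4476-e360"),
]


def coverage(destinations):
    """Return {label: (kind, policed)}; policed means the CAR applies."""
    return {label: (address_kind(mac), rule_matches(mac))
            for label, mac in destinations}


def unpoliced_group_traffic(destinations):
    """Labels of broadcast/multicast destinations the rule does not match."""
    return [label for label, (kind, policed) in coverage(destinations).items()
            if kind != "unicast" and not policed]


if __name__ == "__main__":
    for label, (kind, policed) in coverage(SAMPLE_DESTINATIONS).items():
        print(f"{label:22} {kind:15} {'policed' if policed else 'not matched'}")
    print("group traffic outside the rule:",
          unpoliced_group_traffic(SAMPLE_DESTINATIONS))
```

On the constructed sample only the two IPv4 multicast destinations are matched; IPv6 multicast, broadcast and STP frames fall outside the classifier, and the 24-bit mask also matches 0100-5e80-0000 and above, which lie outside the IPv4 multicast mapping.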

4.17.2 Example for Configuring WMM and Priority Mapping


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
After accessing the network, users encounter poor experience in voice and video services. The
administrator wants to preferentially ensure forwarding of voice and video service traffic to
improve user experience.

Figure 4-72 Networking for configuring WMM and priority mapping

Data Planning

Table 4-74 AC data planning


Item               Data

AP group           ● Name: ap-group1
                   ● Referenced profiles: VAP profile wlan-net, regulatory domain profile
                     default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

SSID profile       ● Name: wlan-net
                   ● EDCA parameters: specified to provide higher priorities for voice and
                     video services

VAP profile        ● Name: wlan-net
                   ● Referenced profiles: SSID profile wlan-net and traffic profile wlan-traffic

2G radio profile   ● Name: wlan-radio2g
                   ● EDCA parameters: specified to provide higher priorities for voice and
                     video services

5G radio profile   ● Name: wlan-radio5g
                   ● EDCA parameters: specified to provide higher priorities for voice and
                     video services

Traffic profile    ● Name: wlan-traffic
                   ● Downstream mapping on the air interface: DSCP
                   ● Upstream tunnel mapping on the air interface: 802.11e
                   ● Priority mapping: specified to provide higher priorities for voice and
                     video services

Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data

Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1

Check all profiles referenced by the AP group.      display ap-group name ap-group1     ● VAP profile: wlan-net
                                                                                        ● 2G radio profile: wlan-radio2g
                                                                                        ● 5G radio profile: wlan-radio5g

Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net   SSID profile: wlan-net

NOTE

● If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
● A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure the WMM function.


# Enter 2G radio profile wlan-radio2g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Enter 5G radio profile wlan-radio5g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth. The configuration is similar to that in
the 2G radio profile and is not mentioned here.

# Enter SSID profile wlan-net and set EDCA parameters on STAs to enable voice and video
services to preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] quit
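
Why these values favour voice and video can be read off the EDCA arithmetic: the contention window is 2^ECW − 1 slots and AIFS is SIFS + AIFSN × slot time. The following Python example is added here and is not part of the Huawei document; it parses the wmm edca-ap commands above and assumes 802.11 OFDM timing (9 µs slot, 10 µs SIFS at 2.4 GHz, 16 µs at 5 GHz), which the page does not state.

```python
"""EDCA arithmetic for the wmm edca-ap settings on this page (added example)."""
import re

# Commands copied from radio profile wlan-radio2g on the page.
PAGE_EDCA_AP = """
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
"""

# Constructed misconfiguration: best effort gets a smaller window than video.
MISCONFIGURED = PAGE_EDCA_AP.replace(
    "ac-be aifsn 12 ecw ecwmin 6", "ac-be aifsn 12 ecw ecwmin 2")

EDCA_RE = re.compile(
    r"wmm edca-(?:ap|client) (ac-\w+) aifsn (\d+) "
    r"ecw ecwmin (\d+) ecwmax (\d+) txoplimit (\d+)")

# Assumed PHY timing in microseconds (not given on the page).
SIFS_US = {"2.4GHz": 10, "5GHz": 16}
SLOT_US = 9

EXPECTED_ORDER = ("ac-vo", "ac-vi", "ac-be", "ac-bk")


def parse_edca(config):
    """Return {access category: parameters} with ECW exponents expanded to CW."""
    params = {}
    for raw in config.splitlines():
        match = EDCA_RE.match(raw.strip())
        if not match:
            continue
        aifsn, ecwmin, ecwmax, txop = (int(v) for v in match.groups()[1:])
        if ecwmin > ecwmax:
            raise ValueError(f"ecwmin exceeds ecwmax: {raw.strip()}")
        params[match.group(1)] = {
            "aifsn": aifsn,
            "cwmin": 2 ** ecwmin - 1,     # contention window in slots
            "cwmax": 2 ** ecwmax - 1,
            "txop_us": txop * 32,         # the display output counts in 32 us
        }
    return params


def aifs_us(aifsn, band="2.4GHz"):
    """Fixed idle time an access category waits before its backoff starts."""
    return SIFS_US[band] + aifsn * SLOT_US


def mean_first_access_us(entry, band="2.4GHz"):
    """Expected wait before a first attempt on an idle channel.

    The backoff is drawn uniformly from 0..CWmin slots, so its mean is CWmin/2.
    """
    return aifs_us(entry["aifsn"], band) + entry["cwmin"] / 2 * SLOT_US


def priority_order(params, band="2.4GHz"):
    """Access categories sorted from shortest to longest expected wait."""
    return sorted(params, key=lambda ac: mean_first_access_us(params[ac], band))


def ordering_violations(params):
    """(higher, lower, field) wherever a higher category has the larger value."""
    problems = []
    for high, low in zip(EXPECTED_ORDER, EXPECTED_ORDER[1:]):
        for field in ("aifsn", "cwmin", "cwmax"):
            if params[high][field] > params[low][field]:
                problems.append((high, low, field))
    return problems


if __name__ == "__main__":
    parsed = parse_edca(PAGE_EDCA_AP)
    for ac in priority_order(parsed):
        entry = parsed[ac]
        print(f"{ac}: CW {entry['cwmin']}..{entry['cwmax']} slots, "
              f"AIFS {aifs_us(entry['aifsn'])} us, "
              f"mean first access {mean_first_access_us(entry)} us")
    print("violations on page config:", ordering_violations(parsed))
    print("violations on constructed misconfiguration:",
          ordering_violations(parse_edca(MISCONFIGURED)))
```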

Step 3 Configure priority mapping.


NOTE

This example requires that voice and video packets have the highest priority so that these packets are
preferentially transmitted. By default, the uplink and downlink mapping modes on the air interface are
802.11e and DSCP, respectively. The uplink and downlink priority mapping on the air interface can ensure
that voice and video packets have the highest tunnel DSCP priority. Therefore, you do not need to modify
default priority mapping.
To change the default priority mapping, for example, to give video packets a higher priority than voice
packets, you can refer to this step.
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5. In
this example, the tunnel DSCP priority of video packets is set to 48 and 56, and that of voice packets is set to
32 and 40. Video packets with a higher priority are preferentially transmitted.

# Create traffic profile wlan-traffic and configure priority mapping in the profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
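
The following Python example is added here and is not part of the Huawei document. It rebuilds both mapping tables from the priority-map commands above and checks that the upstream and downstream halves agree; unlisted values are assumed to keep the defaults DSCP // 8 and 802.11e × 8, which matches the unmodified rows in the display traffic-profile output on this page.

```python
"""Rebuild and cross-check the priority maps of traffic profile wlan-traffic."""
import re

# priority-map commands copied from the traffic profile on the page.
PAGE_CONFIG = """
priority-map downstream trust dscp
priority-map downstream dscp 48 to 55 dot11e 4
priority-map downstream dscp 56 to 63 dot11e 5
priority-map downstream dscp 32 to 39 dot11e 6
priority-map downstream dscp 40 to 47 dot11e 7
priority-map tunnel-upstream trust dot11e
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
"""

# Constructed variant: only the upstream half was changed.
UPSTREAM_ONLY_CONFIG = """
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
"""

# 802.11e user priority -> WMM access category (IEEE 802.11 mapping).
WMM_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
          4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

DOWN_RE = re.compile(r"priority-map downstream dscp (\d+) to (\d+) dot11e (\d+)$")
UP_RE = re.compile(r"priority-map tunnel-upstream dot11e (\d+) dscp (\d+)$")


def build_maps(config):
    """Return (downstream DSCP -> 802.11e, upstream 802.11e -> tunnel DSCP)."""
    down = {dscp: dscp // 8 for dscp in range(64)}   # assumed default
    up = {prio: prio * 8 for prio in range(8)}       # assumed default
    for raw in config.splitlines():
        line = raw.strip()
        match = DOWN_RE.match(line)
        if match:
            first, last, prio = (int(v) for v in match.groups())
            if not (first <= last <= 63 and prio <= 7):
                raise ValueError(f"out-of-range mapping: {line}")
            for dscp in range(first, last + 1):
                down[dscp] = prio
            continue
        match = UP_RE.match(line)
        if match:
            prio, dscp = (int(v) for v in match.groups())
            if prio > 7 or dscp > 63:
                raise ValueError(f"out-of-range mapping: {line}")
            up[prio] = dscp
    return down, up


def downstream_ranges(down):
    """Collapse the per-DSCP table into (first, last, user priority) rows."""
    rows = []
    for dscp in range(64):
        if rows and rows[-1][2] == down[dscp] and rows[-1][1] == dscp - 1:
            rows[-1] = (rows[-1][0], dscp, down[dscp])
        else:
            rows.append((dscp, dscp, down[dscp]))
    return rows


def round_trip_mismatches(down, up):
    """User priorities whose tunnel DSCP maps back to a different priority."""
    return [prio for prio in range(8) if down[up[prio]] != prio]


def tunnel_dscp_by_ac(up):
    """Group the upstream tunnel DSCP values by WMM access category."""
    grouped = {}
    for prio in range(8):
        grouped.setdefault(WMM_AC[prio], []).append(up[prio])
    return {ac: sorted(values) for ac, values in grouped.items()}


def highest_priority_ac(up):
    """Access category that receives the largest tunnel DSCP value."""
    grouped = tunnel_dscp_by_ac(up)
    return max(grouped, key=lambda ac: max(grouped[ac]))


if __name__ == "__main__":
    down_map, up_map = build_maps(PAGE_CONFIG)
    for first, last, prio in downstream_ranges(down_map):
        print(f"{first}-{last} map {prio} ({WMM_AC[prio]})")
    print("tunnel DSCP by AC:", tunnel_dscp_by_ac(up_map))
    print("highest:", highest_priority_ac(up_map))
    print("asymmetric priorities:", round_trip_mismatches(down_map, up_map))
    print("upstream-only variant:",
          round_trip_mismatches(*build_maps(UPSTREAM_ONLY_CONFIG)))
```

With the page's commands the two directions agree and AC_VI carries the highest tunnel DSCP; the constructed upstream-only variant leaves priorities 4 to 7 mapped asymmetrically.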

Step 4 Verify the configuration.


Run the display radio-2g-profile name wlan-radio2g command on the AC to check the
EDCA settings on APs in the 2G radio profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels. The configuration in the 5G
radio profile is similar to that in the 2G radio profile and is not mentioned here.
[AC-wlan-view] display radio-2g-profile name wlan-radio2g
------------------------------------------------------------
...
------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
         ECWmax  ECWmin  AIFSN  TXOPLimit(32us)  Ack-Policy
AC_VO    4       2       2      0                normal
AC_VI    5       3       5      0                normal
AC_BE    10      6       12     0                normal
AC_BK    10      8       12     0                normal
------------------------------------------------------------

Run the display ssid-profile name wlan-net command on the AC to check the EDCA
settings on STAs in the SSID profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels.
[AC-wlan-view] display ssid-profile name wlan-net
-------------------------------------------------------------------
...
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
         ECWmax  ECWmin  AIFSN  TXOPLimit(32us)
AC_VO    4       2       2      0
AC_VI    5       3       5      0
AC_BE    10      6       12     0
AC_BK    10      8       12     0
-------------------------------------------------------------------

Run the display traffic-profile name wlan-traffic command on the AC to check the priority
mapping configuration in the traffic profile. The DSCP priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services will be preferentially transmitted.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
......

----End

Configuration Files
● AC configuration file
#
sysname AC
#
wlan
 traffic-profile name wlan-traffic
  priority-map downstream dscp 48 to 55 dot11e 4
  priority-map downstream dscp 56 to 63 dot11e 5
  priority-map downstream dscp 32 to 39 dot11e 6
  priority-map downstream dscp 40 to 47 dot11e 7
  priority-map tunnel-upstream dot11e 6 dscp 32
  priority-map tunnel-upstream dot11e 7 dscp 40
  priority-map tunnel-upstream dot11e 4 dscp 48
  priority-map tunnel-upstream dot11e 5 dscp 56
 ssid-profile name wlan-net
  wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
  wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
  wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
  wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
 vap-profile name wlan-net
  ssid-profile wlan-net
  traffic-profile wlan-traffic
 radio-2g-profile name wlan-radio2g
  wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
 radio-5g-profile name wlan-radio5g
  wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.17.3 Example for Configuring Traffic Policing

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.

Figure 4-73 Networking for configuring traffic policing

Data Planning

Table 4-75 AC data planning


Item              Data

AP group          ● Name: ap-group1
                  ● Referenced profiles: VAP profile wlan-net

VAP profile       ● Name: wlan-net
                  ● Referenced profiles: traffic profile wlan-traffic

Traffic profile   ● Name: wlan-traffic
                  ● Uplink rate limit of a single STA: 2 Mbit/s
                  ● Uplink rate limit of all STAs on a VAP: 30 Mbit/s

Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                       Command                           Data

Check the AP group to which an AP belongs.       display ap all                    AP group: ap-group1

Check all profiles referenced by the AP group.   display ap-group name ap-group1   ● VAP profile: wlan-net

NOTE

● If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
● A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure traffic policing.


# Create traffic profile wlan-traffic. Set the uplink rate limit of each STA to 2 Mbit/s and the
total uplink rate limit of all STAs on the VAP to 30 Mbit/s.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 2048
[AC-wlan-traffic-prof-wlan-traffic] rate-limit vap up 30720
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 3 Verify the configuration.


Run the display traffic-profile name wlan-traffic command on the AC to check the rate
limit configuration in the traffic profile. The command output shows that the uplink rate limit
of a single STA is 2048 kbit/s (2 Mbit/s) and the total uplink rate limit of all STAs on a VAP is
30720 kbit/s (30 Mbit/s).
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 2048
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 30720
Rate limit VAP down(Kbps) : 4294967295
...

----End

Configuration Files
● AC configuration file
#
sysname AC
#
wlan
 traffic-profile name wlan-traffic
  rate-limit client up 2048
  rate-limit vap up 30720
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.17.4 Example for Configuring Airtime Fair Scheduling


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that multiple users on the network be able to fairly use network
bandwidth to improve overall user experience.

Figure 4-74 Networking for configuring airtime fair scheduling

Data Planning

Table 4-76 AC data planning


Item               Data

AP group           ● Name: ap-group1
                   ● Referenced profiles: 2G radio profile wlan-radio2g, and 5G radio
                     profile wlan-radio5g

RRM profile        ● Name: wlan-rrm
                   ● Airtime fair scheduling: enabled

2G radio profile   ● Name: wlan-radio2g
                   ● Referenced profiles: RRM profile wlan-rrm

5G radio profile   ● Name: wlan-radio5g
                   ● Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                       Command                           Data

Check the AP group to which an AP belongs.       display ap all                    AP group: ap-group1

Check all profiles referenced by the AP group.   display ap-group name ap-group1   ● 2G radio profile: wlan-radio2g
                                                                                   ● 5G radio profile: wlan-radio5g

NOTE

● If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
● A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure airtime fair scheduling.

# Create the RRM profile wlan-rrm and enable airtime fair scheduling.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Bind the RRM profile wlan-rrm to the 2G radio profile wlan-radio2g.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Bind the RRM profile wlan-rrm to the 5G radio profile wlan-radio5g.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

Step 3 Verify the configuration.

Run the display rrm-profile name wlan-rrm command on the AC to check the configuration
of the RRM profile. The command output shows that airtime fair scheduling has been
enabled. Therefore, users on the network can fairly use network bandwidth.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : enable
Dynamic adjust EDCA parameter : disable
...

----End

Configuration Files
● AC configuration file
#
sysname AC
#
wlan
 rrm-profile name wlan-rrm
  airtime-fair-schedule enable
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
  radio 1
   radio-5g-profile wlan-radio5g
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.17.5 Example for Configuring ACL-based Packet Filtering


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To control network traffic, the administrator requires that packets with source IP address
10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.

Figure 4-75 Networking for configuring ACL-based packet filtering

Data Planning

Table 4-77 AC data planning


Item                    Data
AP group                • Name: ap-group1
                        • Referenced profiles: VAP profile wlan-net
VAP profile             • Name: wlan-net
                        • Referenced profiles: traffic profile wlan-traffic
Traffic profile         • Name: wlan-traffic
                        • Configuration of ACL-based IPv4 packet filtering

Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                           Data
Check the AP group to which an AP belongs.      display ap all                    AP group: ap-group1
Check all profiles referenced by the AP group.  display ap-group name ap-group1   VAP profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure ACL-based packet filtering.


# Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and destination IP
address 10.23.101.11 to pass.
<AC6605> system-view
[AC6605] sysname AC
[AC] acl 3001
[AC-acl-adv-3001] rule deny ip source 10.23.101.10 0 destination 10.23.101.11 0
[AC-acl-adv-3001] quit

# Create traffic profile wlan-traffic and apply the ACL to it.

[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 3 Verify the configuration.


Run the display traffic-profile name wlan-traffic command on the AC to check the
configuration of the traffic profile. The command output shows that ACL 3001 has been
configured to filter out packets with source IP address 10.23.101.10 and destination IP
address 10.23.101.11.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
----------------------------------------------------------------------------------
-----------
Traffic Type Direction AppliedRecord
----------------------------------------------------------------------------------
-----------
traffic-filter inbound IPv4 ACL 3001
----------------------------------------------------------------------------------
-----------
----------------------------------------------------

----End

Configuration Files
• AC configuration file
#
sysname AC
#
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
 traffic-profile name wlan-traffic
  traffic-filter inbound ipv4 acl 3001
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
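
The ACL in this example filters traffic only once the whole chain ACL 3001 → traffic profile wlan-traffic → VAP profile wlan-net → AP group ap-group1 is bound, so a saved configuration file can be audited offline for broken links. The Python script below is an added example, not part of the Huawei document: it handles only the rule form used here, ignores indentation, and assumes that a packet matching no rule is permitted.

```python
import ipaddress
import re

# Constructed sample: the AC configuration file of this example, AP entry omitted.
AC_CONFIG = """\
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
wlan
 traffic-profile name wlan-traffic
  traffic-filter inbound ipv4 acl 3001
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
"""
# Constructed variant: the VAP profile was never bound to the traffic profile.
UNBOUND_CONFIG = AC_CONFIG.replace("  traffic-profile wlan-traffic\n", "")

RULE = re.compile(
    r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)$")


def _net(addr, wildcard):
    """Return (address, wildcard) as ints; a wildcard of 0 means one exact host."""
    wc = "0.0.0.0" if wildcard == "0" else wildcard
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wc))


def parse(text):
    """Collect ACL rules and profile bindings from a configuration file."""
    cfg = {"acl": {}, "filters": {}, "vap_traffic": {}, "group_vaps": []}
    ctx = radio = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"acl (?:number )?(\d+)$", line):
            ctx = ("acl", m[1])
            cfg["acl"].setdefault(m[1], [])
        elif m := re.match(r"(traffic-profile|vap-profile|ap-group) name (\S+)$", line):
            ctx, radio = (m[1], m[2]), None
        elif ctx and ctx[0] == "acl" and line.startswith("rule "):
            m = RULE.match(line)
            if not m:  # never skip a rule silently in an audit
                raise ValueError(f"unsupported rule syntax: {line}")
            cfg["acl"][ctx[1]].append({"id": int(m[1]), "action": m[2],
                                       "src": _net(m[3], m[4]),
                                       "dst": _net(m[5], m[6])})
        elif ctx and ctx[0] == "traffic-profile" and (
                m := re.match(r"traffic-filter (\S+) ipv4 acl (\d+)$", line)):
            cfg["filters"].setdefault(ctx[1], []).append((m[1], m[2]))
        elif ctx and ctx[0] == "vap-profile" and (
                m := re.match(r"traffic-profile (\S+)$", line)):
            cfg["vap_traffic"][ctx[1]] = m[1]
        elif ctx and ctx[0] == "ap-group" and (m := re.match(r"radio (\d+)$", line)):
            radio = m[1]
        elif ctx and ctx[0] == "ap-group" and (
                m := re.match(r"vap-profile (\S+) wlan \d+$", line)):
            cfg["group_vaps"].append((ctx[1], radio, m[1]))
    return cfg


def enforcement_points(cfg):
    """List (ap_group, radio, vap, direction, acl) wherever an ACL really applies."""
    points = []
    for group, radio, vap in cfg["group_vaps"]:
        profile = cfg["vap_traffic"].get(vap)
        for direction, acl in cfg["filters"].get(profile, []):
            points.append((group, radio, vap, direction, acl))
    return points


def _hit(net, addr):
    """Wildcard match: bits set in the wildcard are ignored, all others must agree."""
    base, wild = net
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def filter_action(cfg, acl, src, dst):
    """Return the action of the first matching rule, evaluated in rule-ID order."""
    for rule in sorted(cfg["acl"][acl], key=lambda r: r["id"]):
        if _hit(rule["src"], src) and _hit(rule["dst"], dst):
            return rule["action"]
    return "permit"  # assumption: packets matching no rule are forwarded


if __name__ == "__main__":
    for name, text in (("bound", AC_CONFIG), ("unbound", UNBOUND_CONFIG)):
        cfg = parse(text)
        print(name, enforcement_points(cfg) or "ACL defined but not enforced anywhere")
    cfg = parse(AC_CONFIG)
    print(filter_action(cfg, "3001", "10.23.101.10", "10.23.101.11"))
    print(filter_action(cfg, "3001", "10.23.101.11", "10.23.101.10"))
```

The second packet check shows that the rule is one-way: traffic from 10.23.101.11 to 10.23.101.10 does not match it.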

4.17.6 Example for Configuring Optimization for Voice and Video Services

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.

Figure 4-76 Networking for configuring optimization for voice and video services

Data Planning

Table 4-78 AC data planning


Item                    Data
AP group                • Name: ap-group1
                        • Referenced profiles: VAP profile wlan-net, 2G radio profile
                          wlan-radio2g, and 5G radio profile wlan-radio5g
VAP profile             • Name: wlan-net
                        • Referenced profile: SAC profile wlan-sac
2G radio profile        • Name: wlan-radio2g
                        • Referenced profile: RRM profile wlan-net
5G radio profile        • Name: wlan-radio5g
                        • Referenced profile: RRM profile wlan-net
RRM profile             • Name: wlan-rrm
                        • Multimedia air interface optimization: enabled
SAC profile             • Name: wlan-sac
Voice and video         • Applied protocols: QQ and WeChat
optimization

Configuration Roadmap
1. Enable the SAC function.
2. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.

Configuration Notes
• The configuration of optimization for voice and video services supports only tunnel
forwarding.
• The multimedia air interface optimization and dynamic EDCA parameter adjustment
functions are mutually exclusive.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                           Data
Check the AP group to which an AP belongs.      display ap all                    AP group: ap-group1
Check all profiles referenced by the AP group.  display ap-group name ap-group1   VAP profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Enable the SAC function.

# Enable the security engine.


<AC6605> system-view
[AC6605] sysname AC
[AC] defence engine enable

NOTE
After the security engine is enabled, the system automatically loads the default signature database.

# Create an SAC profile and bind it to the VAP profile mapping the AP group ap-group1.
[AC] wlan
[AC-wlan-view] sac-profile name wlan-sac
[AC-wlan-sac-prof-wlan-sac] quit
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sac-profile wlan-sac
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] quit

Step 3 Configure optimization for voice and video services.

# Configure optimization for voice and video services on QQ and WeChat.


NOTE

By default, the voice and video traffic awareness and optimization function is enabled.
[AC] undo voice-aware app-protocol qq disable
[AC] undo voice-aware app-protocol weixin disable
[AC] undo video-aware app-protocol qq disable
[AC] undo video-aware app-protocol weixin disable

# Enable multimedia air interface optimization.


[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo dynamic-edca enable
[AC-wlan-rrm-prof-wlan-rrm] multimedia-air-optimize enable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-net to it.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-net to it.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 4 Verify the configuration.

# If a user makes video calls after optimization is configured for video services and the
configuration is successfully delivered, you can run the display video-aware-list command to
check video session information.
[AC] display video-aware-list ap-name area_1 radio 0
----------------------------------------------------------------------------------
-------------
Protocol Source IP/Port Destination IP/Port
----------------------------------------------------------------------------------
-------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
----------------------------------------------------------------------------------
-------------
Total: 2

# If a user makes voice calls after optimization is configured for voice services and the
configuration is successfully delivered, you can run the display video-aware-list command to
check voice session information.
[AC] display voice-aware-list ap-name area_1 radio 0
-------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-------------------------------------------------------------------------------
Total : 2

# Run the display rrm-profile name wlan-rrm command to check parameters related to
multimedia air interface optimization.
[AC] display rrm-profile name wlan-rrm
--------------------------------------------------------------------
......
Multimedia air optimize : enable
Multimedia air optimize threshold
Voice : 30
Video : 100
--------------------------------------------------------------------

----End

Configuration Files
• AC configuration file
#
defence engine enable
sysname AC
#
wlan
 sac-profile name wlan-sac
 vap-profile name wlan-net
  sac-profile wlan-sac
 rrm-profile name wlan-rrm
  multimedia-air-optimize enable
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
#
return

4.17.7 Example for Configuring Priorities for Skype4B Packets


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that voice and video packets of the Skype4B software have a
higher priority than desktop sharing and file transfer packets to ensure good user experience
in voice and video services.

Figure 4-77 Networking for configuring priorities for Skype4B packets

Data Planning

Table 4-79 AC data planning


Item                        Data
AP group                    • Name: ap-group1
                            • Referenced profiles: VAP profile wlan-net
VAP profile                 • Name: wlan-net
                            • Referenced profiles: UCC profile wlan-ucc
UCC profile                 • Name: wlan-ucc
                            • 802.1p priority of Skype4B voice packets: 6
                            • 802.1p priority of Skype4B video packets: 5
                            • 802.1p priority of Skype4B desktop sharing packets: 4
                            • 802.1p priority of Skype4B file transfer packets: 3
Skype4B server port number  9000

Configuration Roadmap
1. Configure priorities for Skype4B packets to set higher priorities for voice and video
packets than those of desktop sharing and file transfer packets.
2. Configure the AC to interact with the Skype4B server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                           Data
Check the AP group to which an AP belongs.      display ap all                    AP group: ap-group1
Check all profiles referenced by the AP group.  display ap-group name ap-group1   VAP profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure priorities for Skype4B packets.

# Create UCC profile wlan-ucc and configure priorities for Skype4B packets.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] ucc-profile name wlan-ucc
[AC-wlan-ucc-prof-wlan-ucc] skype4b-voice remark dot1p 6
[AC-wlan-ucc-prof-wlan-ucc] skype4b-video remark dot1p 5
[AC-wlan-ucc-prof-wlan-ucc] skype4b-app-share remark dot1p 4
[AC-wlan-ucc-prof-wlan-ucc] skype4b-file-transfer remark dot1p 3
[AC-wlan-ucc-prof-wlan-ucc] quit

# Bind UCC profile wlan-ucc to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] ucc-profile wlan-ucc
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] quit

Step 3 Configure the AC to interact with the Skype4B server.

# Set the port number of the HTTP service to 9000.


[AC] skype4b listener http-port 9000
[AC] wlan

NOTE

• The port number of the HTTP service specified on the AC must be consistent with the port number on the
Skype4B server.
• You need to specify the IP address of the AC for the Skype4B server and the port number of the Skype4B
server.

Step 4 Verify the configuration.

Run the display ucc-profile name wlan-ucc command on the AC to check the priority
mapping configuration for Skype4B packets. The command output shows that the priorities of
Skype4B voice and video packets are higher than those of Skype4B desktop sharing and file
transfer packets. Therefore, Skype4B voice and video packets will be preferentially
transmitted.
[AC-wlan-view] display ucc-profile name wlan-ucc
--------------------------------------------------------------------------------
Skype4B voice 802.1p precedence : 6
Skype4B voice DSCP precedence : 46
Skype4B video 802.1p precedence : 5
Skype4B video DSCP precedence : 34
Skype4B app share 802.1p precedence : 4
Skype4B app share DSCP precedence : -
Skype4B file transfer 802.1p precedence : 3
Skype4B file transfer DSCP precedence : -
--------------------------------------------------------------------------------

----End

Configuration Files
• AC configuration file
#
sysname AC
#
skype4b listener http-port 9000
#
wlan
 ucc-profile name wlan-ucc
  skype4b-video remark dot1p 5
  skype4b-app-share remark dot1p 4
  skype4b-file-transfer remark dot1p 3
 vap-profile name wlan-net
  ucc-profile wlan-ucc
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.18 WLAN Enhanced Services Configuration Examples


4.18.1 Example for Configuring WLAN-based E-schoolbag

Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use smart terminals
such as PCs, tablets, and mobile phones to participate in teaching and learning activities
online.

A teacher can teach students in multiple classrooms without space limitation.

To ensure successful teaching activities, AP4030TNs are used to deploy basic WLAN
services to support access of many students and provide sufficient bandwidth.

The AP4030TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch between
2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default, radio 0 works on
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
  addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-78 Networking for configuring the WLAN-based e-schoolbag service

Data Planning

Table 4-80 AC data planning


Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
                                • Maximum number of users: 128
                                • EDCA parameters for AC_BE packets on STAs
                                  – AIFSN: 3
                                  – ECWmin: 7
                                  – ECWmax: 10
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Band steering: enabled
                                • Broadcast flood detection: enabled
                                • Rate threshold for broadcast flood detection: 50 pps
                                • Referenced profiles: SSID profile wlan-net, security profile wlan-net,
                                  and traffic profile wlan-traffic
RRM profile                     • Name: wlan-rrm
                                • Airtime fair scheduling: enabled
2G radio profile                • Name: wlan-radio2g
                                • RTS-CTS operation mode: rts-cts
                                • RTS-CTS threshold: 1400 bytes
                                • Beacon interval: 160 TUs
                                • Short preamble: enabled
                                • GI mode: short
                                • 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
                                • Multicast rate: 11 Mbit/s
                                • EDCA parameters for AC_BE packets on APs:
                                  – AIFSN: 3
                                  – ECWmin: 5
                                  – ECWmax: 6
                                • Referenced profile: RRM profile wlan-rrm
5G radio profile                • Name: wlan-radio5g
                                • RTS-CTS operation mode: rts-cts
                                • RTS-CTS threshold: 1400 bytes
                                • Beacon interval: 160 TUs
                                • GI mode: short
                                • Multicast rate: 6 Mbit/s
                                • EDCA parameters for AC_BE packets on APs:
                                  – AIFSN: 3
                                  – ECWmin: 5
                                  – ECWmax: 6
                                • Referenced profile: RRM profile wlan-rrm
Traffic profile                 • Name: wlan-traffic
                                • Uplink rate limit for a STA: 4000 kbit/s
                                • Downlink rate limit for a STA: 4000 kbit/s

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust network parameters for e-schoolbag.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4030TN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to all radios of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 6 Adjust network parameters for e-schoolbag.


1. Adjust parameters in VAP profile wlan-net.

# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and configure the rate threshold for
broadcast flood detection. By default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit

2. Adjust parameters in SSID profile wlan-net.

# Set the maximum number of STAs that can be associated with a VAP to 128 and set
EDCA parameters for AC_BE packets on STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit

3. Create a traffic profile and adjust traffic profile parameters.

# Create traffic profile wlan-traffic and set the uplink and downlink rate limits for a STA
to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

4. Create an RRM profile and enable airtime fair scheduling.


[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] quit

5. Create a 2G radio profile and adjust 2G radio profile parameters.

# Create 2G radio profile wlan-radio2g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS-CTS threshold to 1400
bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function. By default, the short preamble function is
enabled in radio profiles.
– Set the GI mode to short.
– Set the 802.11bg basic rates to 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.


# Create 5G radio profile wlan-radio5g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS-CTS threshold to 1400
bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

7. Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit

# Configure the channel and power for radio 2.


[AC-wlan-ap-0] radio 2
[AC-wlan-radio-0/2] calibrate auto-channel-select disable
[AC-wlan-radio-0/2] calibrate auto-txpower-select disable
[AC-wlan-radio-0/2] channel 20mhz 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/2] eirp 127
[AC-wlan-radio-0/2] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  2    1   60DE-4476-E380 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 3

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

● Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  rate-limit client up 4000
  rate-limit client down 4000
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
  max-sta-number 128
  wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  traffic-profile wlan-traffic
  anti-attack broadcast-flood sta-rate-threshold 50
 regulatory-domain-profile name default
 rrm-profile name wlan-rrm
  airtime-fair-schedule enable
 radio-2g-profile name wlan-radio2g
  dot11bg basic-rate 6 9 12 18 24 36 48 54
  beacon-interval 160
  guard-interval-mode short
  multicast-rate 11
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  rrm-profile wlan-rrm
  rts-cts-threshold 1400
  rts-cts-mode rts-cts
 radio-5g-profile name wlan-radio5g
  beacon-interval 160
  guard-interval-mode short
  wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
  multicast-rate 6
  rrm-profile wlan-rrm
  rts-cts-threshold 1400
  rts-cts-mode rts-cts
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
  radio 2
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 2
   channel 20mhz 157
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
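
The security profile in the AC configuration file above uses a pre-shared key, and the note in Step 5 says the policy must be chosen according to service requirements. The following Python script is an added example, not part of the Huawei document: it reads configuration text in that layout and reports, per VAP profile, whether the referenced security profile relies on a shared pass-phrase or allows more than WPA2. The profiles wlan-dot1x, wlan-corp and wlan-lab, the ciphertext placeholder, and the function names are assumptions made for the demonstration.

```python
import re

# Constructed sample in the layout of the "AC configuration file" above.
# wlan-dot1x, wlan-corp, wlan-lab and the ciphertext placeholder are
# assumptions added for contrast; the remaining lines come from this page.
AC_CONFIG = """\
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <ciphertext-placeholder> aes
 security-profile name wlan-dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-corp
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-dot1x
 vap-profile name wlan-lab
  service-vlan vlan-id 101
  ssid-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

PROFILE_HEADER = re.compile(r"^([a-z0-9-]+)-profile name (\S+)$")
SECURITY_LINE = re.compile(r"^security (\S+) (psk|dot1x)\b")
SECURITY_REF = re.compile(r"^security-profile (\S+)$")


def parse_wlan_profiles(config):
    """Collect security profiles and VAP profiles from AC configuration text.

    Matching is done on keywords, not indentation, so the function also
    accepts text whose leading spaces were lost in copy and paste.
    """
    security, vap = {}, {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or line.startswith(("ap-group name ", "ap-id ")):
            kind = name = None          # left the profile definitions
            continue
        header = PROFILE_HEADER.match(line)
        if header:
            kind, name = header.groups()
            if kind == "security":
                security[name] = {"policy": None, "auth": None}
            elif kind == "vap":
                vap[name] = {"security": None}
            continue
        if kind == "security":
            m = SECURITY_LINE.match(line)
            if m:
                security[name] = {"policy": m.group(1), "auth": m.group(2)}
        elif kind == "vap":
            m = SECURITY_REF.match(line)
            if m:
                vap[name]["security"] = m.group(1)
    return security, vap


def audit(config):
    """Return (vap_profile, issue, detail) tuples, sorted by VAP profile name."""
    security, vap = parse_wlan_profiles(config)
    findings = []
    for vname in sorted(vap):
        ref = vap[vname]["security"]
        prof = security.get(ref)
        if prof is None or prof["auth"] is None:
            findings.append((vname, "no-explicit-policy",
                             "no security profile with a WPA policy is referenced"))
            continue
        if prof["auth"] == "psk":
            findings.append((vname, "shared-psk",
                             f"profile {ref}: one pass-phrase is shared by every STA"))
        if prof["policy"] != "wpa2":
            findings.append((vname, "not-wpa2-only",
                             f"profile {ref}: policy {prof['policy']} is not WPA2-only"))
    return findings


if __name__ == "__main__":
    for vap_name, issue, detail in audit(AC_CONFIG):
        print(f"{vap_name}: {issue}: {detail}")
```
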

4.18.2 Example for Configuring WLAN Hotspot 2.0 Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot 2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_B) functions as a DHCP server to assign IP
    addresses to STAs.
● Service data forwarding mode: direct forwarding


Figure 4-79 Networking for configuring WLAN Hotspot 2.0 services

Data Planning

Table 4-81 Data planning on the AC

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs and STAs.
                                The aggregation switch (Switch_B) functions as a
                                DHCP server to assign IP addresses to STAs. The
                                default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.101.1/24

AP group                        ● Name: ap-group1
                                ● Country code: China
                                ● Referenced profile: VAP profile wlan-net

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA2-802.1X-AES

Authentication profile          ● Name: wlan-net
                                ● Access authentication mode: 802.1X

Hotspot 2.0 profile             Hotspot 2.0 profile
                                ● Name: wlan-net
                                ● Network type: free public network
                                ● Internet access: supported
                                ● Venue type: coffee shop (venue group code 1
                                  and venue type code 13)
                                ● HESSID: 60de-4476-e360
                                ● IP address availability: available
                                ● Network authentication type: acceptance
                                ● P2P cross connection: disabled
                                ● Cellular network profile: wlan-net
                                  – 46000
                                ● Roaming consortium profile: wlan-net
                                  – 50-6f-9a
                                ● NAI realm profile: wlan-net
                                  – www.mobileA.com
                                ● Network connection capability profile: wlan-net
                                  – HTTP service: enabled
                                ● Operator domain profile: wlan-net
                                  – www.mobileA.com
                                ● Operator name profile: wlan-net
                                  – eng, mobileA
                                ● Venue name profile: wlan-net
                                  – eng, Coffee
                                ● Operating class profile: wlan-net
                                  – 81

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net,
                                  security profile wlan-net, authentication
                                  profile wlan-net, and Hotspot 2.0 profile
                                  wlan-net

RADIUS server                   ● IP address: 10.23.102.1
                                ● Port number: 1812
                                ● Shared key: Huawei@123

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1X authentication based on the operator's AAA server information.
5. Configure Hotspot 2.0 services based on the operator's network information.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.


# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure WPA2-802.1X.


# Configure a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-radius
[AC-radius-wlan-radius] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-radius] radius-server shared-key cipher Huawei@123
[AC-radius-wlan-radius] radius-server retransmit 2
[AC-radius-wlan-radius] undo radius-server user-name domain-included
[AC-radius-wlan-radius] quit

# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit

# Configure an 802.1X access profile and configure EAP relay authentication for 802.1X
users.
[AC] dot1x-access-profile name wlan-net
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

# Configure an authentication profile and bind the AAA authentication scheme, RADIUS
server template, and 802.1X access profile to the authentication profile.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-authen
[AC-authentication-profile-wlan-net] radius-server wlan-radius
[AC-authentication-profile-wlan-net] quit
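
What the shared key configured in the RADIUS server template protects, as an added Python example that is not part of the Huawei document: the two integrity checks that RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator on EAP packets) define for replies from the RADIUS server. The function names, the request authenticator and the EAP payload are constructed for the demonstration; only the key Huawei@123 comes from this page.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11           # RADIUS packet code (RFC 2865)
EAP_MESSAGE = 79                # attribute types (RFC 3579)
MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type, value):
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: sign a reply to the request that carried request_auth."""
    body = attrs + attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = attrs + attribute(MESSAGE_AUTHENTICATOR, mac)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(packet, request_auth, secret):
    """RADIUS client side: accept a reply only if both checks pass."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]                    # octets past Length are padding
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        return False                            # Response Authenticator mismatch
    zeroed, mac, has_eap, pos = bytearray(body), None, False, 0
    while pos < len(body):
        if pos + 2 > len(body):
            return False                        # truncated attribute header
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return False                        # malformed attribute
        if attr_type == EAP_MESSAGE:
            has_eap = True
        elif attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac is not None:
                return False
            mac = body[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if mac is None:
        return not has_eap                      # EAP replies must carry the MAC
    expected = hmac.new(secret, header + request_auth + bytes(zeroed),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    """Run the checks on constructed replies and return the verdicts."""
    secret = b"Huawei@123"                      # shared key from this page
    request_auth = bytes(range(16))             # constructed; normally random
    # Constructed EAP-Request/Identity: code 1, id 1, length 5, type 1.
    eap = attribute(EAP_MESSAGE, bytes.fromhex("0101000501"))
    good = build_reply(ACCESS_CHALLENGE, 7, request_auth, eap, secret)
    wrong_key = build_reply(ACCESS_CHALLENGE, 7, request_auth, eap, b"not-the-key")
    tampered = bytearray(good)
    tampered[22] ^= 0xFF                        # alter one byte of the EAP payload
    header = struct.pack("!BBH", ACCESS_CHALLENGE, 7, 20 + len(eap))
    no_mac = (header
              + hashlib.md5(header + request_auth + eap + secret).digest()
              + eap)                            # valid authenticator, MAC omitted
    return {
        "good": verify_reply(good, request_auth, secret),
        "wrong_key": verify_reply(wrong_key, request_auth, secret),
        "tampered": verify_reply(bytes(tampered), request_auth, secret),
        "no_mac": verify_reply(no_mac, request_auth, secret),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```
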

Step 8 Configure Hotspot 2.0 services.


# Configure Hotspot 2.0 profile wlan-net based on the operator's network parameters. Ensure
that the WPA2-802.1X authentication profile has been bound to the VAP profile.
[AC] wlan
[AC-wlan-view] cellular-network-profile name wlan-net
[AC-wlan-cellular-network-prof-wlan-net] plmn-id 46000
[AC-wlan-cellular-network-prof-wlan-net] quit
[AC-wlan-view] connection-capability-profile name wlan-net
[AC-wlan-co-cap-prof-wlan-net] connection-capability tcp-http on
[AC-wlan-co-cap-prof-wlan-net] quit
[AC-wlan-view] operator-name-profile name wlan-net
[AC-wlan-wlan-op-name-prof-wlan-net] operator-friendly-name language-code eng name mobileA
[AC-wlan-wlan-op-name-prof-wlan-net] quit
[AC-wlan-view] operating-class-profile name wlan-net
[AC-wlan-op-class-prof-wlan-net] operating-class-indication 81
[AC-wlan-op-class-prof-wlan-net] quit
[AC-wlan-view] operator-domain-profile name wlan-net
[AC-wlan-op-domain-prof-wlan-net] domain-name www.mobileA.com
[AC-wlan-op-domain-prof-wlan-net] quit
[AC-wlan-view] nai-realm-profile name wlan-net
[AC-wlan-nai-realm-prof-wlan-net] nai-realm realm-name www.mobileA.com
[AC-wlan-nai-realm-prof-wlan-net] quit
[AC-wlan-view] venue-name-profile name wlan-net
[AC-wlan-ve-na-prof-wlan-net] venue-name language-code eng name Coffee
[AC-wlan-ve-na-prof-wlan-net] quit
[AC-wlan-view] roaming-consortium-profile name wlan-net
[AC-wlan-ro-co-prof-wlan-net] roaming-consortium-oi 50-6f-9a in-beacon
[AC-wlan-ro-co-prof-wlan-net] quit
[AC-wlan-view] hotspot2-profile name wlan-net
[AC-wlan-hotspot2-prof-wlan-net] network-type public-free internet-access
[AC-wlan-hotspot2-prof-wlan-net] undo p2p-cross-connect disable
[AC-wlan-hotspot2-prof-wlan-net] venue-type group-code 1 type-code 13
[AC-wlan-hotspot2-prof-wlan-net] hessid 60de-4476-e360
[AC-wlan-hotspot2-prof-wlan-net] ipv4-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] ipv6-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] network-authen-type acceptance
[AC-wlan-hotspot2-prof-wlan-net] cellular-network-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] connection-capability-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operating-class-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-domain-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] nai-realm-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] venue-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] roaming-consortium-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] quit

Step 9 Apply the authentication profile and Hotspot 2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-authen
radius-server wlan-radius
#
dhcp enable
#
radius-server template wlan-radius
radius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#
radius-server authentication 10.23.102.1 1812 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme wlan-authen
authentication-mode radius local
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
roaming-consortium-profile name wlan-net
roaming-consortium-oi 50-6f-9a in-beacon
operating-class-profile name wlan-net
operating-class-indication 81
cellular-network-profile name wlan-net
plmn-id 46000
connection-capability-profile name wlan-net
connection-capability tcp-http on
operator-domain-profile name wlan-net
domain-name www.mobileA.com
operator-name-profile name wlan-net
operator-friendly-name language-code eng name mobileA
venue-name-profile name wlan-net
venue-name language-code eng name Coffee
nai-realm-profile name wlan-net
nai-realm realm-name www.mobileA.com
hotspot2-profile name wlan-net
hessid 60de-4476-e360
network-type public-free internet-access
venue-type group-code 1 type-code 13
ipv4-address-avail available
ipv6-address-avail available
network-authen-type acceptance
cellular-network-profile wlan-net
connection-capability-profile wlan-net
operator-name-profile wlan-net
operator-domain-profile wlan-net
venue-name-profile wlan-net
nai-realm-profile wlan-net
operating-class-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return
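
The binding chain built in Steps 7 to 9 (VAP profile to authentication profile to 802.1X access profile, AAA scheme and RADIUS template) can be checked offline against a saved configuration file. The following Python audit is an added example, not part of the Huawei document: the sample is a constructed excerpt of the AC configuration file above with a placeholder key, and the function names are hypothetical.

```python
import re

# Constructed sample: the 802.1X-related stanzas of the AC configuration file above.
# The key is a placeholder; indentation is assumed and ignored by the parser.
SAMPLE_AC_CONFIG = """\
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-authen
 radius-server wlan-radius
#
radius-server template wlan-radius
 radius-server shared-key cipher %^%#<ciphertext>%^%#
 radius-server authentication 10.23.102.1 1812 weight 80
#
aaa
 authentication-scheme wlan-authen
  authentication-mode radius local
#
wlan
 security-profile name wlan-net
  security wpa2 dot1x aes
 vap-profile name wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
dot1x-access-profile name wlan-net
#
return
"""
# Constructed variants: a PSK-only VAP, and a reference to an undefined RADIUS template.
PSK_VARIANT = (SAMPLE_AC_CONFIG
               .replace("wpa2 dot1x aes", "wpa-wpa2 psk pass-phrase %^%#<ciphertext>%^%# aes")
               .replace("  authentication-profile wlan-net\n", ""))
DANGLING_VARIANT = SAMPLE_AC_CONFIG.replace(
    " radius-server wlan-radius\n", " radius-server wlan-radius2\n")

HEADER = re.compile(r"(\S+) name (\S+)")  # e.g. "vap-profile name wlan-net"

def parse_definitions(config_text):
    """Return {(kind, name): [sub-commands]} for every named object in the file."""
    defs, current, in_aaa = {}, None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        match = HEADER.fullmatch(line)
        if line in ("", "#"):  # '#' closes a top-level stanza
            current, in_aaa = None, False
        elif line == "aaa":
            in_aaa = True
        elif match:
            current = (match.group(1), match.group(2))
        elif line.startswith("radius-server template "):
            current = ("radius-server", line.split()[2])
        elif in_aaa and line.startswith("authentication-scheme "):
            current = ("authentication-scheme", line.split()[1])
        elif current is not None:
            defs[current].append(line)  # sub-command of the open definition
        if current is not None:
            defs.setdefault(current, [])
    return defs

def args(body, keyword):
    """Return the arguments of the first 'keyword ...' sub-command, or []."""
    return next((l.split()[1:] for l in body if l.split()[0] == keyword), [])

def audit_dot1x(config_text):
    """Return findings; an empty list means every VAP profile enforces 802.1X via RADIUS."""
    defs, findings = parse_definitions(config_text), []
    for (kind, name), body in defs.items():
        if kind != "vap-profile":
            continue
        sec = " ".join(args(body, "security-profile"))
        if "dot1x" not in args(defs.get(("security-profile", sec), []), "security"):
            findings.append(f"vap-profile {name}: security profile '{sec}' is not an 802.1X policy")
        auth = " ".join(args(body, "authentication-profile"))
        if ("authentication-profile", auth) not in defs:
            findings.append(f"vap-profile {name}: no authentication profile bound")
            continue
        abody, bound = defs[("authentication-profile", auth)], {}
        for ref in ("dot1x-access-profile", "authentication-scheme", "radius-server"):
            bound[ref] = defs.get((ref, " ".join(args(abody, ref))))
            if bound[ref] is None:
                findings.append(f"authentication-profile {auth}: {ref} missing or undefined")
        radius = bound["radius-server"]
        for needed in ("authentication", "shared-key"):
            if radius is not None and not any(l.split()[1:2] == [needed] for l in radius):
                findings.append(f"radius-server template: no {needed} configured")
        scheme = bound["authentication-scheme"] or []
        if args(scheme, "authentication-mode")[:1] != ["radius"]:
            findings.append(f"authentication-profile {auth}: RADIUS is not the first mode")
    return findings

if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_AC_CONFIG), ("PSK variant", PSK_VARIANT),
                       ("dangling variant", DANGLING_VARIANT)):
        print(label, "->", audit_dot1x(cfg) or "OK")
```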

4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The enterprise requires that data forwarding not be affected even when the AC is faulty, to
improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 4-80 Networking for configuring service holding upon WLAN CAPWAP link
disconnection

Data Planning

Table 4-82 AC data planning

Item                         Data
Management VLAN for APs      VLAN 100
Service VLAN for STAs        VLAN 101
DHCP server                  Switch functions as a DHCP server to assign IP
                             addresses to APs and STAs.
IP address pool for APs      10.1.1.3-10.1.1.254/24
IP address pool for STAs     10.1.2.3-10.1.2.254/24
Gateway address for APs      10.1.1.1/24
Gateway address for STAs     10.1.2.1/24
AC source interface          VLANIF 100: 10.1.1.2/24
AP group                     • Name: ap-group1
                             • Referenced profiles: AP system profile ap-system,
                               VAP profile wlan-net, and regulatory domain
                               profile default
Regulatory domain profile    • Name: default
                             • Country code: China
SSID profile                 • Name: wlan-net
                             • SSID name: wlan-net
Security profile             • Name: wlan-net
                             • Security policy: WPA-WPA2+PSK+AES
                             • Password: a1234567
VAP profile                  • Name: wlan-net
                             • Forwarding mode: direct forwarding
                             • Service VLAN: VLAN 101
                             • Referenced profiles: SSID profile wlan-net and
                               security profile wlan-net
AP system profile            • Name: ap-system
                             • Service holding upon CAPWAP link
                               disconnection: enabled

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.

# Add GE0/0/1 that connects the AC to the switch to VLAN 100. Create VLANIF 100 and set
its IP address to 10.1.1.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.1.2.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the AP system profile ap-system and configure the service holding function.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] keep-service enable allow new-access
[AC-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.

The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs
can connect to the WLAN without authentication. If the AC is powered off, service data
forwarding for wireless users in area A is not affected.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
keep-service enable allow new-access
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

4.18.4 Example for Configuring Channel Switching Without Service Interruption

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-81 Networking for configuring channel switching without service interruption


Data Planning

Table 4-83 AC data planning

Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    Switch functions as a DHCP server to assign IP
                               addresses to APs and STAs.
IP address pool for APs        10.1.1.3-10.1.1.254/24
IP address pool for STAs       10.1.2.3-10.1.2.254/24
Gateway address for APs        10.1.1.1/24
Gateway address for STAs       10.1.2.1/24
AC's source interface address  VLANIF 100: 10.1.1.2/24
AP group                       • Name: ap-group1
                               • Referenced profiles: 2G radio profile wlan-radio2g,
                                 5G radio profile wlan-radio5g, VAP profile wlan-net,
                                 and regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and
                                 security profile wlan-net
2G radio profile               • Name: wlan-radio2g
                               • Channel switch announcement: enabled
                               • Channel switch announcement mode: continue-transmitting
5G radio profile               • Name: wlan-radio5g
                               • Channel switch announcement: enabled
                               • Channel switch announcement mode: continue-transmitting

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
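
The port isolation note above (it appears in the Configuration Notes of both 4.18.3 and 4.18.4) can be checked against a saved switch configuration. This Python check is an added example, not part of the Huawei document: the sample configuration is constructed, the function names are hypothetical, and treating a trunk port whose PVID is the management VLAN as AP-facing is an assumption taken from the procedures in these sections.

```python
# Constructed sample in the layout of the switch configuration files in this document.
# GE0/0/1 and GE0/0/2 face APs (PVID = management VLAN 100); GE0/0/3 is the uplink to the AC.
# GE0/0/2 deliberately lacks port isolation.
SAMPLE_SWITCH_CONFIG = """\
#
sysname Switch
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['100', 'to', '101', '200'] into {100, 101, 200}."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]}; '#' closes each stanza."""
    ports, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line in ("", "#"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif current is not None:
            ports[current].append(line)
    return ports


def audit_ap_ports(config_text, mgmt_vlan, service_vlan):
    """Return (interface, finding) pairs for AP-facing trunks in direct forwarding mode."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        pvid = next((int(c.split()[-1]) for c in cmds
                     if c.startswith("port trunk pvid vlan ")), None)
        # Assumption: AP-facing = trunk port whose PVID is the management VLAN.
        if "port link-type trunk" not in cmds or pvid != mgmt_vlan:
            continue
        allowed = set()
        for c in cmds:
            if c.startswith("port trunk allow-pass vlan "):
                allowed |= expand_vlans(c.split()[4:])
        if service_vlan not in allowed:
            findings.append((name, "service VLAN is not permitted on the trunk"))
        if not any(c.startswith("port-isolate enable") for c in cmds):
            findings.append((name, "port isolation is not enabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ap_ports(SAMPLE_SWITCH_CONFIG, mgmt_vlan=100, service_vlan=101):
        print(f"{port}: {finding}")
```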


Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.101.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 24
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On Switch, configure VLANIF 100 to assign IP addresses to APs.


[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# On Switch, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500, respectively.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name AP1 area_1 if it is
deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP         Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.1.1.253 AP5030DN nor   0   10S    -
1    dcd2-fc04-b500 area_2 ap-group1 10.1.1.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create 2G radio profile wlan-radio2g and 5G radio profile wlan-radio5g. Configure
channel switching without service interruption.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] undo channel-switch announcement disable
[AC-wlan-radio-2g-prof-wlan-radio2g] channel-switch mode continue-transmitting
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] undo channel-switch announcement disable
[AC-wlan-radio-5g-prof-wlan-radio5g] channel-switch mode continue-transmitting
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the 2G radio profile, 5G radio profile, and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.

The WLAN with SSID huawei is available for STAs connected to AP1 and AP2, and these
STAs can connect to the WLAN. When radio calibration for AP1 or AP2 is implemented to
change the channel of AP1 or AP2, service data forwarding for wireless users in Area A is not
affected. Run the display radio all command to view the working channels of all APs.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
WM:Working Mode (normal/monitor/monitor dual-band-scan)
------------------------------------------------------------------------------------
AP ID Name   RfID Band Type   ST CH/BW   CE/ME STA CU  WM
------------------------------------------------------------------------------------
0     area_1 0    2.4G bgn    on 11/20M  23/23 0   8%  normal
0     area_1 1    5G   an11ac on 149/20M 23/23 0   7%  normal
1     area_2 0    2.4G an11ac on 1/20M   23/23 0   30% normal
1     area_2 1    5G   an     on 149/20M 23/23 0   21% normal
------------------------------------------------------------------------------------
Total:4

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 radio-2g-profile name wlan-radio2g
 radio-5g-profile name wlan-radio5g
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
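
An added example, not part of the Huawei document: a Python audit that reads the wlan view of a saved AC configuration file and reports which security policy each SSID actually gets through its VAP profile, without echoing the key. The sample configuration, the guest profiles and the finding texts are constructed; the keywords not shown on this page (wpa, wpa2, dot1x, tkip, wep, open) and the treatment of a security profile with no security line as the default open policy are assumptions.

```python
import re

# Constructed sample: the wlan view of an AC configuration file, one more leading
# space per nesting level. The pass-phrase cipher text is a placeholder.
SAMPLE_AC_CONFIG = """\
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 security-profile name guest-sec
 ssid-profile name wlan-net
  ssid wlan-net
 ssid-profile name guest
  ssid guest
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest
  service-vlan vlan-id 102
  ssid-profile guest
  security-profile guest-sec
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

PROFILE_RE = re.compile(r"^ (security|ssid|vap)-profile name (\S+)\s*$")


def parse_wlan_profiles(config_text):
    """Return {kind: {profile name: [attribute lines]}} for the wlan view."""
    profiles = {"security": {}, "ssid": {}, "vap": {}}
    in_wlan, current = False, None
    for line in config_text.splitlines():
        if not in_wlan:
            in_wlan = line.rstrip() == "wlan"
            continue
        if line.startswith("#"):          # end of the wlan view
            break
        match = PROFILE_RE.match(line)
        if match:
            current = profiles[match.group(1)].setdefault(match.group(2), [])
        elif line.startswith("  ") and current is not None:
            current.append(line.strip())  # attribute of the profile being read
        else:
            current = None                # another object (ap-group, ap-id, ...)
    return profiles


def classify_security(attrs):
    """Return (policy, findings) for one security profile; the key is never echoed."""
    line = next((a for a in attrs if a.startswith("security ")), None)
    if line is None or line.split()[1] == "open":   # assumption: no line = default open
        return "open", ["open policy: no over-the-air authentication or encryption"]
    tokens = line.split()[1:]
    if "psk" in tokens:                   # drop 'pass-phrase|hex' and the key itself
        i = tokens.index("psk")
        tokens = tokens[:i + 1] + tokens[i + 3:]
    findings = []
    if tokens[0] == "wep":
        findings.append("WEP is enabled")
    if tokens[0] in ("wpa", "wpa-wpa2"):
        findings.append("WPA (version 1) STAs are accepted")
    if "psk" in tokens:
        findings.append("pre-shared key: every STA uses the same pass-phrase")
    if "tkip" in tokens[-1]:
        findings.append("TKIP cipher is allowed")
    return " ".join(tokens), findings


def audit_ssids(config_text):
    """Return one record per VAP profile with the policy its SSID ends up with."""
    profiles = parse_wlan_profiles(config_text)
    report = []
    for vap, attrs in profiles["vap"].items():
        refs = dict(a.split(None, 1) for a in attrs if " " in a)
        ssid_attrs = profiles["ssid"].get(refs.get("ssid-profile"), [])
        ssid = next((a.split(None, 1)[1] for a in ssid_attrs if a.startswith("ssid ")), None)
        sec_name = refs.get("security-profile")
        if sec_name in profiles["security"]:
            policy, findings = classify_security(profiles["security"][sec_name])
        else:
            policy, findings = "unknown", ["security profile not defined in this file"]
        report.append({"vap": vap, "ssid": ssid, "security_profile": sec_name,
                       "policy": policy, "findings": findings})
    return report


if __name__ == "__main__":
    for rec in audit_ssids(SAMPLE_AC_CONFIG):
        print(rec["ssid"], "->", rec["policy"], rec["findings"])
```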

4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address

Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.

Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)


Figure 4-82 Networking for configuring an AP to go online using a static IP address

Data Planning

Table 4-84 AC data planning


| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN 100 |
| AC's source interface address | 10.23.100.1/24 |
| AP's static IP address | 10.23.100.100/24 |
| AP group | Name: ap-group1 |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
d. Configure static IP addresses for the APs and enable the APs to go online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1

[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure an AP to go online.

# Set the AP's static IP address to 10.23.100.100/24.


[AC] wlan
[AC-wlan-view] provision-ap
[AC-wlan-provision-ap] address-mode static
[AC-wlan-provision-ap] ip-address 10.23.100.100 24
[AC-wlan-provision-ap] quit

# Create an AP group to which the APs with the same configuration can be added.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.100 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 regulatory-domain-profile name default
 ap-group name ap-group1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 provision-ap
  address-mode static
  ip-address 10.23.100.100 255.255.255.0
#
return

4.18.6 Example for Configuring the Soft GRE Service

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A wired network has been deployed in an area. To provide more convenient network
access services, administrators need to deploy a wireless network in this area. To facilitate the
unified management of wired and wireless users, administrators also need to use the existing
wired access gateway ME60 for authentication and accounting of wireless users.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
  – The ME60 functions as a DHCP server to assign IP addresses to STAs.
  – Switch functions as a DHCP server to assign IP addresses to APs.
● Service data forwarding mode: soft GRE forwarding


Figure 4-83 Networking for configuring the soft GRE service

Data Planning

Table 4-85 AC data planning


| Item | Data |
| --- | --- |
| Switch data planning | |
| DHCP server | Switch functions as a DHCP server to assign IP addresses to APs. |
| IP address pool for APs | 10.23.100.3-10.23.100.254/24 |
| AC data planning | |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| Soft GRE profile | Name: wlan-soft; Destination address of the soft GRE tunnel: 10.23.200.1 |
| VAP profile | Name: wlan-net; Forwarding mode: soft GRE forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and soft GRE profile wlan-soft |
| ME60 data planning | |
| DHCP server | The ME60 functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| VE interface for soft GRE | Virtual-Ethernet2/0/0 |
| Soft GRE group | Name: group1; Virtual-Ethernet2/0/0 is referenced. |
| Destination address of the soft GRE tunnel | Name: Loopback 1; IP address: 10.23.200.1/24; The soft GRE group group1 is referenced. |
| RADIUS server parameters | Server group: radius1; Server IP address: 172.168.20.1; Authentication port number: 1812; Accounting port number: 1813; Shared key: 123456; RADIUS accounting scheme: radius; RADIUS authentication scheme: radius; Domain: aaadomain1 |

Configuration Roadmap
1. Configure network interworking of the APs, AC, Switch, and ME60.
2. Configure Switch and ME60 to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
3. Configure the ME60, soft GRE tunnel, and authentication and accounting functions.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
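
One way to check the port isolation note above against a saved Switch configuration file, as an added Python example that is not part of the Huawei document. It assumes that AP-facing ports are the trunk ports whose PVID is the management VLAN, as in the Switch configurations on this page; the sample text and GigabitEthernet0/0/4 are constructed.

```python
# Constructed sample in the layout of the Switch configuration files on this page.
# GigabitEthernet0/0/4 is an invented AP-facing port that lacks port isolation.
SAMPLE_SWITCH_CONFIG = """\
#
sysname Switch
#
vlan batch 100 to 101 199
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""


def parse_interfaces(config_text):
    """Return {interface name: [its configuration lines]}; '#' closes each block."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith("#"):
            current = None
        elif current is not None:
            current.append(line.strip())
    return interfaces


def expand_vlans(spec):
    """Expand a VLAN list such as '100 to 101 199' into {100, 101, 199}."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_ports(config_text, mgmt_vlan, service_vlan=None):
    """Check every AP-facing port; return a sorted list of (interface, finding).

    Pass service_vlan when the AP-facing ports must also carry the service VLAN.
    """
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        pvid = next((int(l.split()[-1]) for l in lines
                     if l.startswith("port trunk pvid vlan ")), None)
        if pvid != mgmt_vlan:             # assumption: AP-facing ports use the
            continue                      # management VLAN as PVID, as on this page
        allowed = set()
        for l in lines:
            if l.startswith("port trunk allow-pass vlan "):
                allowed |= expand_vlans(l.split("vlan", 1)[1])
        if not any(l.startswith("port-isolate enable") for l in lines):
            findings.append((name, "port isolation is not enabled"))
        if mgmt_vlan not in allowed:
            findings.append((name, f"management VLAN {mgmt_vlan} is not allowed"))
        if service_vlan is not None and service_vlan not in allowed:
            findings.append((name, f"service VLAN {service_vlan} is not allowed"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit_ap_ports(SAMPLE_SWITCH_CONFIG, 100, 101):
        print(f"{port}: {finding}")
```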

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and VLAN
199, respectively. Create VLANIF 199 and set its IP address to 10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit

# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a route to
10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 100 (management VLAN). Create VLANIF 100 and set
its IP address to 10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch as a DHCP server to assign IP addresses to APs, and configure a route to
10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.2 24
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.1
[Switch-Vlanif100] quit
[Switch] ip route-static 10.23.200.0 24 10.23.199.1

# Configure the ME60 as a DHCP server to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit

Step 4 Configure the soft GRE tunnel on the ME60.


# Create a VE interface to support soft GRE.
[ME60] interface virtual-ethernet 2/0/0
[ME60-Virtual-Ethernet2/0/0] soft-gre enable
[ME60-Virtual-Ethernet2/0/0] quit

# Create a soft GRE group.


[ME60] soft-gre group group1
[ME60-softgre-group-group1] master virtual-ethernet 2/0/0
[ME60-softgre-group-group1] quit

# Configure an IP address for the loopback interface and bind the soft GRE group to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit

Step 5 Configure RADIUS authentication and accounting on the ME60.


# Configure a RADIUS server profile, an AAA authentication and accounting scheme, and
domain information.
[ME60] radius-server group radius1
[ME60-radius-radius1] radius-server authentication 172.168.20.1 1812
[ME60-radius-radius1] radius-server accounting 172.168.20.1 1813
[ME60-radius-radius1] radius-server shared-key 123456
[ME60-radius-radius1] quit
[ME60] aaa
[ME60-aaa] authentication-scheme radius
[ME60-aaa-authen-radius] authentication-mode radius
[ME60-aaa-authen-radius] quit
[ME60-aaa] accounting-scheme radius
[ME60-aaa-accounting-radius] accounting-mode radius
[ME60-aaa-accounting-radius] quit
[ME60-aaa] domain aaadomain1
[ME60-aaa-domain-aaadomain1] ip-pool sta-pool
[ME60-aaa-domain-aaadomain1] authentication-scheme radius
[ME60-aaa-domain-aaadomain1] accounting-scheme radius
[ME60-aaa-domain-aaadomain1] radius-server group radius1
[ME60-aaa-domain-aaadomain1] quit
[ME60-aaa] quit


Step 6 Configure the BAS interface on the ME60.


# Create a BAS interface and configure the BAS interface type and authentication mode.
Configure the user VLAN and service VLAN as the same VLAN.
[ME60] interface virtual-ethernet 2/0/0.1
[ME60-Virtual-Ethernet2/0/0.1] user-vlan 101
[ME60-Virtual-Ethernet2/0/0.1-vlan-101-101] bas
[ME60-Virtual-Ethernet2/0/0.1-bas] access-type layer2-subscriber default-domain authentication aaadomain1
[ME60-Virtual-Ethernet2/0/0.1-bas] authentication-method bind

Step 7 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 8 Configure WLAN service parameters.

# Create security profile wlan-net and use the default security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create soft GRE profile wlan-soft and set the soft GRE profile parameters.
[AC-wlan-view] softgre-profile name wlan-soft
[AC-wlan-softgre-prof-wlan-soft] destination ip-address 10.23.200.1
[AC-wlan-softgre-prof-wlan-soft] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode softgre wlan-soft
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON open 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON open 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net. Run the display station ssid wlan-net
command on the AC. The command output shows that the STAs are connected to the WLAN
wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101 199
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1
#
interface Vlanif199
 ip address 10.23.199.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 199
 port trunk allow-pass vlan 199
#
ip route-static 10.23.200.0 255.255.255.0 10.23.199.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 softgre-profile name wlan-soft
  destination ip-address 10.23.200.1
 vap-profile name wlan-net
  forward-mode softgre wlan-soft
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
• ME60 configuration file
#
sysname ME60
#
vlan batch 101
#
radius-server group radius1
 radius-server authentication 172.168.20.1 1812 weight 0
 radius-server accounting 172.168.20.1 1813 weight 0
 radius-server shared-key 123456
#
ip pool sta-pool bas local
 gateway 10.23.101.1 255.255.255.0
 section 1 10.23.101.3 10.23.101.254
 option 43 ip 10.23.101.1
#
aaa
 authentication-scheme radius
 #
 accounting-scheme radius
 #
 domain aaadomain1
  authentication-scheme radius
  accounting-scheme radius
  ip-pool sta-pool
  radius-server group radius1
 #
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 10.23.199.1 255.255.255.0
#
interface Virtual-Ethernet2/0/0
 soft-gre enable
#
interface Virtual-Ethernet2/0/0.1
 user-vlan 101
 bas
 #
  access-type layer2-subscriber default-domain authentication aaadomain1
  authentication-method bind
 #
#
interface LoopBack1
 ip address 10.23.200.1 255.255.255.0
 binding soft-gre group group1
#
soft-gre group group1
 master Virtual-Ethernet2/0/0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.199.2
#
return

4.18.7 Example for Configuring Bandwidth-based Multicast CAC


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the multicast bandwidth reaches the
maximum, administrators need to configure bandwidth-based multicast CAC, ensuring the
conference access quality.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-84 Networking for configuring bandwidth-based multicast CAC

Data Planning

Table 4-86 AC data planning


Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, and traffic profile wlan-traffic
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
Traffic profile                 • Name: wlan-traffic
                                • Maximum multicast bandwidth for a VAP: 40 Mbit/s
AP system profile               • Name: wlan-system
                                • Multicast group address: 225.1.1.1-225.1.1.5
                                • Bandwidth of the multicast program: 2 Mbit/s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure bandwidth-based multicast CAC to control the access of multicast users.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure multicast-to-unicast conversion.


# Create traffic profile wlan-traffic. Configure IGMP snooping and multicast-to-unicast
conversion in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 8 Configure bandwidth-based multicast CAC.


# Configure 40960 kbit/s as the maximum multicast bandwidth for a VAP.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-bandwidth 40960
[AC-wlan-traffic-prof-wlan-traffic] quit

# Create AP system profile wlan-system. Configure the multicast group address to range
from 225.1.1.1 to 225.1.1.5, and set the multicast group bandwidth to 2048 kbit/s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-wlan-system] quit

# Apply traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

# Apply AP system profile wlan-system to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 9 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
difference between the CurBw and MaxBw values is smaller than the configured bandwidth
of a multicast group, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2

----End
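
The admission rule checked in the last verification step, worked through as an added example (not part of the Huawei document): it parses the vap-cac table and a group-bandwidth line and reports, per VAP, whether a new join to a group would still be admitted. The non-zero CurBw rows are constructed, and treating MaxBw 0 as "no bandwidth limit configured" is an assumption.

```python
import ipaddress
import re

# Constructed sample in the layout of the command output on this page; the
# CurBw and CurUser figures are invented to exercise the admission boundary.
VAP_CAC_OUTPUT = """\
--------------------------------------------------------------------------------
Rf   WID  CurBw/MaxBw      BwUtilization  CurUser/MaxUser  UserUtilization
--------------------------------------------------------------------------------
0    1    38912/40960      95%            19/0             0%
1    1    39936/40960      97%            20/0             0%
--------------------------------------------------------------------------------
Total: 2
"""

# Group-bandwidth rule as it appears in the AC configuration on this page.
GROUP_BW_RULES = [
    "igmp-snooping group-bandwidth start-group-address 225.1.1.1 "
    "end-group-address 225.1.1.5 bandwidth 2048",
]

RULE_RE = re.compile(
    r"igmp-snooping group-bandwidth start-group-address (\S+) "
    r"end-group-address (\S+) bandwidth (\d+)"
)
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)/(\d+)\s")


def parse_rules(lines):
    """Return [(first_group, last_group, kbps)] from group-bandwidth lines."""
    rules = []
    for line in lines:
        m = RULE_RE.search(" ".join(line.split()))  # tolerate extra whitespace
        if m:
            rules.append((ipaddress.IPv4Address(m.group(1)),
                          ipaddress.IPv4Address(m.group(2)),
                          int(m.group(3))))
    return rules


def group_bandwidth(rules, group):
    """Configured bandwidth (kbit/s) of a group, or None if no rule covers it."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    for first, last, kbps in rules:
        if first <= addr <= last:
            return kbps
    return None


def parse_vap_cac(output):
    """Return one dict per VAP row: radio, WLAN ID, current and maximum bandwidth."""
    vaps = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rf, wid, cur, mx = map(int, m.groups())
            vaps.append({"rf": rf, "wid": wid, "cur": cur, "max": mx})
    return vaps


def admission_report(output, rule_lines, group):
    """Return [(rf, wid, headroom_kbps, admitted)] for a new join to `group`."""
    need = group_bandwidth(parse_rules(rule_lines), group)
    if need is None:
        raise ValueError(f"no group-bandwidth rule covers {group}")
    report = []
    for vap in parse_vap_cac(output):
        if vap["max"] == 0:
            # Assumption: MaxBw 0 means no bandwidth limit is configured.
            report.append((vap["rf"], vap["wid"], None, True))
            continue
        headroom = vap["max"] - vap["cur"]
        # A join is refused only when the headroom is smaller than the group bandwidth.
        report.append((vap["rf"], vap["wid"], headroom, headroom >= need))
    return report


if __name__ == "__main__":
    for rf, wid, free, ok in admission_report(VAP_CAC_OUTPUT, GROUP_BW_RULES, "225.1.1.3"):
        print(f"radio {rf} wlan {wid}: {free} kbit/s free -> {'admit' if ok else 'refuse'}")
```
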

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-bandwidth 40960
  traffic-optimize multicast-unicast enable
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  traffic-profile wlan-traffic
 regulatory-domain-profile name default
 ap-system-profile name wlan-system
  igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
 ap-group name ap-group1
  ap-system-profile wlan-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
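
Two rules from the Configuration Notes of this example (port isolation on AP-facing switch ports, and distinct management and service VLANs in tunnel forwarding mode) can be checked offline against saved configuration files. This added example is not part of the Huawei document; it assumes that a port whose PVID is the management VLAN faces an AP and that a VAP profile without a forward-mode line uses direct forwarding, and the failing variants are constructed.

```python
import re

# Condensed from the Switch and AC configuration files of this example.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""

AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

# Constructed variants, each breaking one rule.
SWITCH_BAD = SWITCH_CFG.replace(" port-isolate enable group 1\n", "")
AC_BAD = AC_CFG.replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")


def sections(cfg):
    """Split a configuration file into '#'-delimited blocks of stripped lines."""
    block, out = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                out.append(block)
            block = []
        elif line:
            block.append(line)
    if block:
        out.append(block)
    return out


def management_vlan(ac_cfg):
    """VLAN ID of the CAPWAP source interface, or None if it is not a VLANIF."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Map VAP profile name -> {'mode': str, 'vlan': int or None}."""
    profiles, current = {}, None
    for block in sections(ac_cfg):
        if block[0] != "wlan":
            continue
        for line in block[1:]:
            start = re.match(r"vap-profile name (\S+)$", line)
            if start:
                # Assumption: no forward-mode line means direct forwarding.
                current = profiles.setdefault(
                    start.group(1), {"mode": "direct-forward", "vlan": None})
            elif re.match(r"(\S+-profile name |ap-group name |ap-id )", line):
                current = None  # another object begins, the VAP profile has ended
            elif current is not None:
                if line.startswith("forward-mode "):
                    current["mode"] = line.split()[1]
                elif line.startswith("service-vlan vlan-id "):
                    current["vlan"] = int(line.split()[2])
    return profiles


def lint(switch_cfg, ac_cfg):
    """Return a list of findings for the two Configuration Notes rules."""
    findings = []
    mgmt = management_vlan(ac_cfg)
    for name, prof in sorted(vap_profiles(ac_cfg).items()):
        if prof["mode"] == "tunnel" and mgmt is not None and prof["vlan"] == mgmt:
            findings.append(f"vap-profile {name}: service VLAN {mgmt} equals management VLAN")
    for block in sections(switch_cfg):
        m = re.match(r"interface (\S+)$", block[0])
        if not m:
            continue
        # Assumption: a port whose PVID is the management VLAN faces an AP.
        faces_ap = f"port trunk pvid vlan {mgmt}" in block
        isolated = any(line.startswith("port-isolate enable") for line in block)
        if faces_ap and not isolated:
            findings.append(f"{m.group(1)}: AP-facing port without port-isolate enable")
    return findings
```
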

4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the number of multicast group
memberships reaches the maximum, administrators need to configure CAC based on the
number of multicast group memberships, ensuring the conference access quality.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-85 Networking for configuring CAC based on the number of multicast group
memberships

Data Planning

Table 4-87 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, and traffic profile wlan-traffic
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
Traffic profile                 • Name: wlan-traffic
                                • Maximum number of multicast group memberships for a VAP: 20

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to control the
access of multicast users.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure multicast-to-unicast conversion.

# Create traffic profile wlan-traffic. Configure IGMP snooping and multicast-to-unicast
conversion in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 8 Configure CAC based on the number of multicast group memberships.

# Set the maximum number of multicast group memberships for a VAP to 20.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-user 20
[AC-wlan-traffic-prof-wlan-traffic] quit

# Apply traffic profile wlan-traffic to VAP profile wlan-net.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 9 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
CurUser value is equal to the MaxUser value, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/0 0% 0/20 0%
1 1 0/0 0% 0/20 0%
--------------------------------------------------------------------------------
Total: 2

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
  traffic-optimize multicast-unicast enable
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  traffic-profile wlan-traffic
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC

Networking Requirements
As shown in Figure 4-86, an enterprise provides the Internet access service for users through
a WLAN. On the network, APs provide access to user traffic, AC_1 provides AP access and
user authentication, and AC_2 serves as the user gateway and assigns IP addresses to users.
AC_1 and AC_2 are connected by an IP/MPLS backbone network. A large number of APs
are involved in this scenario. To prevent severe resource consumption caused by frequent
setup and deletion of a large number of GRE tunnels on AC_2, an administrator configures
Ethernet over GRE (EoGRE) between AC_1 and AC_2 to implement Layer 2
communication.

Figure 4-86 Layer 2 communication between the wireless gateway and AC implemented
through EoGRE

Data Planning

Table 4-88 WLAN data planning

Item                            Data
------------------------------  --------------------------------------------------
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
AC's source interface address   VLANIF 100: 10.23.100.1/24
DHCP server                     AC_1 serves as a DHCP server to assign IP
                                addresses to APs, and AC_2 serves as a DHCP
                                server to assign IP addresses to STAs.
IP address pool for APs         10.23.100.2 to 10.23.100.254/24
IP address pool for STAs        10.23.101.3 to 10.23.101.254/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and
                                  regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net

Table 4-89 EoGRE data planning

Item                            Data
------------------------------  --------------------------------------------------
Tunnel interface on AC_1        • Interface: Tunnel0/0/1
                                • Tunnel protocol type: GRE
                                • IP address: 40.1.1.1/24
                                • Source address: 20.1.1.1
                                • Destination address: 30.1.1.1
                                • Bound VE interface: VE0/0/1
Tunnel interface on AC_2        • Interface: Tunnel0/0/1
                                • Tunnel protocol type: GRE
                                • IP address: 40.1.1.2/24
                                • Source address: 30.1.1.1
                                • Destination address: 20.1.1.1
                                • Bound VE interface: VE0/0/1
VE interface on AC_1            • Interface type: Trunk
                                • Allowed VLAN: 101
VE interface on AC_2            • Interface type: Trunk
                                • Allowed VLAN: 101

Configuration Roadmap
To meet the preceding requirements, deploy the EoGRE function on AC_1 and AC_2 so that
Ethernet packets can be forwarded by VE interfaces through a GRE tunnel, achieving Layer 2
communication between AC_1 and AC_2.

The configuration roadmap is as follows:

1. Run the Interior Gateway Protocol (IGP) between all devices for communication on the
public network.
2. Create tunnel interfaces on AC_1 and AC_2, and deploy a GRE tunnel. The source
address of a tunnel interface is the IP address of the physical interface sending packets,
and the destination address is the IP address of the physical interface receiving packets.
3. Create VE interfaces on AC_1 and AC_2, and add them to the corresponding VLAN.
4. Bind the VE interfaces on AC_1 and AC_2 to the GRE tunnel so that Ethernet packets
can be forwarded over the GRE tunnel.
5. Configure WLAN services on AC_1. In this example, the WLAN security policy is
WPA-WPA2+PSK+AES. Configure the security policy based on site requirements.
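
The encapsulation that steps 2 to 4 of this roadmap set up, as an added example that is not part of the Huawei document: it builds and parses one Ethernet-over-GRE packet between the tunnel endpoints 20.1.1.1 and 30.1.1.1 and checks it against the tunnel plan. The wire format (GRE protocol type 0x6558, inner frame tagged with VLAN 101), the gateway MAC and all function names are assumptions, because the page does not show the packet layout.

```python
import ipaddress
import struct

GRE_PROTO_TEB = 0x6558  # GRE protocol type for a bridged Ethernet frame (assumed wire format)
TPID_8021Q = 0x8100     # matches "TPID : 8100(Hex)" in the VE interface output
IPPROTO_GRE = 47

def mac(text):
    """Convert a Huawei-style MAC such as 'e019-1dc7-1e08' to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))

def ip_checksum(header):
    """One's-complement checksum over an IPv4 header (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tagged_frame(dst, src, vlan, ethertype, payload):
    """Ethernet II frame with one 802.1Q tag, as a trunk port sends it."""
    tag = struct.pack("!HHH", TPID_8021Q, vlan & 0x0FFF, ethertype)
    return mac(dst) + mac(src) + tag + payload

def encapsulate(frame, tunnel_src, tunnel_dst):
    """Outer IPv4 header + 4-byte GRE header (no checksum/key/sequence) + frame."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(frame), 0, 0,
                         64, IPPROTO_GRE, 0,
                         ipaddress.IPv4Address(tunnel_src).packed,
                         ipaddress.IPv4Address(tunnel_dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + gre + frame

def decapsulate(packet):
    """Parse an EoGRE packet and return the fields a tunnel monitor would check."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("not a complete IPv4 packet")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007 or proto != GRE_PROTO_TEB:
        raise ValueError("not GRE version 0 carrying Ethernet")
    offset = ihl + 4
    for optional in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & optional:
            offset += 4
    frame = packet[offset:]
    if len(frame) < 14:
        raise ValueError("truncated inner frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, start = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, start = tci & 0x0FFF, 18
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src_mac": frame[6:12].hex(),
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": frame[start:],
        "overhead": len(packet) - len(frame[start:]),
    }

def tunnel_violation(packet, src="20.1.1.1", dst="30.1.1.1", allowed_vlans=(101,)):
    """Return a reason string if the packet does not match this page's tunnel plan, else None."""
    try:
        info = decapsulate(packet)
    except ValueError as exc:
        return str(exc)
    if {info["outer_src"], info["outer_dst"]} != {src, dst}:
        return "unexpected tunnel endpoints"
    if info["vlan"] not in allowed_vlans:
        return "inner VLAN %s is not allowed on the VE trunk" % info["vlan"]
    return None

# Constructed sample: a 1500-byte payload from the station shown in the example output
# (e019-1dc7-1e08) to a made-up gateway MAC, tagged with VLAN 101, sent from AC_1 to AC_2.
SAMPLE = encapsulate(
    tagged_frame("0200-0000-0001", "e019-1dc7-1e08", 101, 0x0800, b"\x00" * 1500),
    "20.1.1.1", "30.1.1.1")
```

A full 1500-byte inner payload becomes a 1542-byte outer IP packet, so the backbone MTU has to allow for the 42 bytes of tunnel overhead. GRE itself adds no encryption or authentication to the inner frame.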

Procedure
Step 1 Configure an IP address for each physical interface.

# Configure AC_1.

<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 10 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 10
[AC_1-Vlanif10] ip address 20.1.1.1 24
[AC_1-Vlanif10] quit

# Configure AC_2.
<Huawei> system-view
[Huawei] sysname AC_2
[AC_2] vlan batch 10 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type access
[AC_2-GigabitEthernet0/0/2] port default vlan 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 10
[AC_2-Vlanif10] ip address 30.1.1.1 24
[AC_2-Vlanif10] quit

Step 2 Configure tunnel interfaces and deploy a GRE tunnel.

# This example assumes that IGP runs between all devices for communication on the public
network. The source and destination interface addresses of the GRE tunnel on AC_1 are
20.1.1.1 and 30.1.1.1, respectively.

# Configure AC_1.
[AC_1] interface tunnel 0/0/1
[AC_1-Tunnel0/0/1] tunnel-protocol gre
[AC_1-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[AC_1-Tunnel0/0/1] source 20.1.1.1
[AC_1-Tunnel0/0/1] destination 30.1.1.1
[AC_1-Tunnel0/0/1] quit
# Configure AC_2.
[AC_2] interface tunnel 0/0/1
[AC_2-Tunnel0/0/1] tunnel-protocol gre
[AC_2-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[AC_2-Tunnel0/0/1] source 30.1.1.1
[AC_2-Tunnel0/0/1] destination 20.1.1.1
[AC_2-Tunnel0/0/1] quit

Step 3 Create VE interfaces and add them to the corresponding VLAN. Ensure that the VE interfaces
and the inbound interface of user packets are added to the same VLAN.
# Configure AC_1.
[AC_1] interface virtual-ethernet 0/0/1
[AC_1-Virtual-Ethernet0/0/1] port link-type trunk
[AC_1-Virtual-Ethernet0/0/1] undo port trunk allow-pass vlan 1
[AC_1-Virtual-Ethernet0/0/1] port trunk allow-pass vlan 101
[AC_1-Virtual-Ethernet0/0/1] quit
# Configure AC_2.
[AC_2] interface virtual-ethernet 0/0/1
[AC_2-Virtual-Ethernet0/0/1] port link-type trunk
[AC_2-Virtual-Ethernet0/0/1] undo port trunk allow-pass vlan 1
[AC_2-Virtual-Ethernet0/0/1] port trunk allow-pass vlan 101
[AC_2-Virtual-Ethernet0/0/1] quit

Step 4 Bind the VE interfaces to the GRE tunnel so that Ethernet packets can be forwarded over the
GRE tunnel.
# Configure AC_1.
[AC_1] interface tunnel 0/0/1
[AC_1-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
[AC_1-Tunnel0/0/1] quit
# Configure AC_2.
[AC_2] interface tunnel 0/0/1
[AC_2-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
[AC_2-Tunnel0/0/1] quit
# Check the states of VE interfaces on AC_1 and AC_2.
[AC_1] display interface virtual-ethernet
Virtual-Ethernet0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AC_1 Series, Virtual-Ethernet0/0/1 Interface
Switch Port, PVID : 1, TPID : 8100(Hex), The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0200-0000-00e0
Current system time: 2018-01-23 20:16:05

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
[AC_2] display interface virtual-ethernet
Virtual-Ethernet0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AC_2 Series, Virtual-Ethernet0/0/1 Interface
Switch Port, PVID : 1, TPID : 8100(Hex), The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is dcd2-fcf9-b5ca
Current system time: 2018-01-23 20:16:05

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%

Step 5 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 to assign IP addresses to APs.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 24
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
# On AC_2, configure VLANIF 101 to assign IP addresses to STAs.
[AC_2] dhcp enable
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.1 24
[AC_2-Vlanif101] dhcp select interface
[AC_2-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_2-Vlanif101] quit

Step 6 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 7 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC_1-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 10 100 to 101
#
dhcp enable
#
interface Vlanif10
 ip address 20.1.1.1 255.255.255.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface Virtual-Ethernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.1
 map interface Virtual-Ethernet0/0/1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#t2*V0VTj#9iEQkEnC)59YCFlO\*RyW5];yUs&K4W%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 21500826412SG4900740
  ap-name area_1
  ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 10 101
#
dhcp enable
#
interface Vlanif10
 ip address 30.1.1.1 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 101
#
interface Virtual-Ethernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.1
 destination 20.1.1.1
 map interface Virtual-Ethernet0/0/1
#
return
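
A consistency check for the AC_1 and AC_2 configuration files, added here as an example and not taken from the Huawei document: it confirms that the tunnel endpoints mirror each other, that VLAN 1 is removed from both VE trunks, and that each VAP service VLAN is carried by both VE trunks, and it reports WPA/WPA2 mixed mode. The function names and the embedded configurations are constructed for the example; the AC_1 sample deliberately sets service VLAN 100 so that the check has something to report.

```python
import re

# Constructed, trimmed copies of the AC_1 and AC_2 files; the passphrase is a placeholder
# and the AC_1 sample deliberately uses service VLAN 100 so that the audit has a finding.
AC_1_CFG = """\
#
interface Virtual-Ethernet0/0/1
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.1
 map interface Virtual-Ethernet0/0/1
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <CIPHERTEXT> aes
 vap-profile name wlan-net
  service-vlan vlan-id 100
 ap-group name ap-group1
#
"""
AC_2_CFG = """\
#
interface Virtual-Ethernet0/0/1
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source 30.1.1.1
 destination 20.1.1.1
 map interface Virtual-Ethernet0/0/1
#
"""

def blocks(cfg):
    """Split a configuration file into '#'-delimited blocks: {first line: [other lines]}."""
    out = {}
    for chunk in re.split(r"(?m)^#\s*$", cfg):
        lines = [line.strip() for line in chunk.splitlines() if line.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def trunk_vlans(body):
    """VLANs a trunk carries after its allow-pass / undo allow-pass lines (VLAN 1 by default)."""
    vlans = {1}
    for line in body:
        m = re.match(r"(undo )?port trunk allow-pass vlan (.+)", line)
        if m:
            ids = set()
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(2)):
                ids |= set(range(int(lo), int(hi or lo) + 1))
            vlans = vlans - ids if m.group(1) else vlans | ids
    return vlans

def gre_tunnel(cfg):
    """Return (source, destination, VLANs on the mapped VE trunk), or None without a GRE tunnel."""
    found = blocks(cfg)
    for header, body in found.items():
        if header.startswith("interface Tunnel") and "tunnel-protocol gre" in body:
            get = lambda key: next((l.split()[-1] for l in body if l.startswith(key)), None)
            ve = "interface %s" % get("map interface ")
            vlans = trunk_vlans(found[ve]) if ve in found else set()
            return get("source "), get("destination "), vlans

def service_vlans(cfg):
    """Service VLAN of each VAP profile in the wlan block."""
    out, vap = {}, None
    for line in blocks(cfg).get("wlan", []):
        m = re.match(r"(\S+) name (\S+)$", line)
        if m:
            vap = m.group(2) if m.group(1) == "vap-profile" else None
        elif vap and line.startswith("service-vlan vlan-id "):
            out[vap] = int(line.split()[-1])
    return out

def audit(ac1_cfg, ac2_cfg):
    """Cross-check both ACs; return a list of findings (empty when everything is consistent)."""
    t1, t2 = gre_tunnel(ac1_cfg), gre_tunnel(ac2_cfg)
    if not t1 or not t2:
        return ["GRE tunnel interface missing on one AC"]
    findings = []
    if (t1[0], t1[1]) != (t2[1], t2[0]):
        findings.append("tunnel source/destination are not mirrored")
    for name, tunnel in (("AC_1", t1), ("AC_2", t2)):
        if 1 in tunnel[2]:
            findings.append("%s: VLAN 1 is still allowed on the VE trunk" % name)
    for vap, vlan in service_vlans(ac1_cfg).items():
        if vlan not in t1[2] & t2[2]:
            findings.append("VAP %s: service VLAN %d is not carried by both VE trunks" % (vap, vlan))
    if any(l.startswith("security wpa-wpa2 ") for l in blocks(ac1_cfg).get("wlan", [])):
        findings.append("security profile accepts legacy WPA as well as WPA2")
    return findings
```

Calling `audit(AC_1_CFG, AC_2_CFG)` on the constructed samples returns the service VLAN finding and the mixed-mode finding; with the service VLAN set to 101 only the mixed-mode finding remains.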

4.19 Comprehensive Case


4.19.1 Example for Configuring Unified Access for Wired and Wireless Users

Service Requirements
In practice, both wired and wireless users need to access one network. For example, the PCs
and printers of a company connect to the network in wired mode, and laptops and mobile
phones connect wirelessly. After unified access for wired and wireless users is configured on
a network, users of both types can access the network and be managed in a unified manner.
A hospital needs to deploy both a wired and a wireless network. To simplify management and
maintenance, the administrator requires that wired and wireless users be centrally managed on
the AC, non-authentication and Portal authentication be configured for the wired and wireless
users respectively, and wireless users roam under the same AC.

Networking Requirements
As shown in Figure 4-87, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed on the first and second
floors, respectively. An AP2030DN is deployed in each room to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected
APs.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.

Figure 4-87 Networking for unified wired and wireless access

[Figure: Internet, Router, Agile Controller, AC, S5700-1, S5700-2, AP101 to AP103 and AP201 to AP203, connected through the interfaces listed in Table 4-90]

Data Planning

Table 4-90 Network data planning

Item             Interface  VLAN      Description
---------------  ---------  --------  ------------------------------------------
AC               GE1/0/1    100, 201  Connected to the S5700-1
                 GE1/0/2    100, 202  Connected to the S5700-2
                 GE1/0/3    200       Connected to the Agile Controller
                 GE1/0/4    300       Connected to the egress gateway
S5700-1          GE0/0/1    100, 201  Connected to the AC
                 GE0/0/2    100, 201  Connected to AP101
                 GE0/0/3    100, 201  Connected to AP102
                 GE0/0/4    100, 201  Connected to AP103
S5700-2          GE0/0/1    100, 202  Connected to the AC
                 GE0/0/2    100, 202  Connected to AP201
                 GE0/0/3    100, 202  Connected to AP202
                 GE0/0/4    100, 202  Connected to AP203
AP101 and AP102  Eth0/0/0   201       GE0/0/0 connects to the S5700-1. Eth0/0/0
                 Eth0/0/1             and Eth0/0/1 connect to wired users. AP101
                 GE0/0/0              and AP102 are AP2030DNs and are deployed in
                                      rooms on the first floor to provide wired
                                      and wireless access.
AP103            -          -         AP103 is an AP5030DN and is deployed in the
                                      corridor on the first floor to provide
                                      wireless access.
AP201 and AP202  Eth0/0/0   202       GE0/0/0 connects to the S5700-2. Eth0/0/0
                 Eth0/0/1             and Eth0/0/1 connect to wired users. AP201
                 GE0/0/0              and AP202 are AP2030DNs and are deployed in
                                      rooms on the second floor to provide wired
                                      and wireless access.
AP203            -          -         AP203 is an AP5030DN and is deployed in the
                                      corridor on the second floor to provide
                                      wireless access.

Table 4-91 Service data planning

Item                           Data                                        Description
-----------------------------  ------------------------------------------  ------------------------------
AC's source interface address  10.23.100.1/24                              -
AP group                       • Name: ap-group1                           -
                               • Referenced profiles: VAP profile
                                 wlan-vap1, regulatory domain profile
                                 domain1
                               • Name: ap-group2
                               • Referenced profiles: VAP profile
                                 wlan-vap2, regulatory domain profile
                                 domain1
Portal access profile          • Name: portal1                             -
                               • Referenced profile: Portal server
                                 profile portal1
Authentication profile         • Name: portal1                             -
                               • Referenced profile: Portal access
                                 profile portal1
Regulatory domain profile      • Name: domain1                             -
                               • Country code: CN
AP wired port profile          Name: wired1, wired2, wired3, or wired4     -
Security profile               • Name: wlan-security                       -
                               • Security and authentication policy: OPEN
SSID profile                   • Name: wlan-ssid                           -
                               • SSID: hospital-wlan
Traffic profile                Name: traffic1                              -
VAP profile                    • Name: wlan-vap1                           Provides WLAN network coverage
                               • SSID: hospital-wlan                       for the first floor of the
                               • Data forwarding mode: tunnel forwarding   building.
                               • Service VLAN: VLAN 101
                               • Referenced profiles: security profile
                                 wlan-security, SSID profile wlan-ssid,
                                 authentication profile portal1, and
                                 traffic profile traffic1
                               • Name: wlan-vap2                           Provides WLAN network coverage
                               • SSID: hospital-wlan                       for the second floor of the
                               • Data forwarding mode: tunnel forwarding   building.
                               • Service VLAN: VLAN 102
                               • Referenced profiles: security profile
                                 wlan-security, SSID profile wlan-ssid,
                                 authentication profile portal1, and
                                 traffic profile traffic1
DHCP server                    The AC functions as a DHCP server to        -
                               assign IP addresses to APs, STAs, and PCs.
AP gateway and IP address      VLANIF 100: 10.23.100.1/24                  -
pool range                     10.23.100.2-10.23.100.254/24
Gateway and IP address pool    VLANIF 101: 10.23.101.1/24                  -
range of the wireless users    10.23.101.2-10.23.101.254/24
                               VLANIF 102: 10.23.102.1/24                  -
                               10.23.102.2-10.23.102.254/24
Gateway and IP address pool    VLANIF 201: 10.23.201.1/24                  -
range of the wired users       10.23.201.2-10.23.201.254/24
                               VLANIF 202: 10.23.202.1/24                  -
                               10.23.202.2-10.23.202.254/24

Server parameters Authentication server: l The Service Controller


l IP address: 10.23.200.1 (SC) of the Agile
Controller provides
l Port number: 1812 RADIUS server and
l RADIUS shared key: Portal server functions;
Admin@123 therefore, the IP address
of the SC is used for the
Accounting server: authentication server,
l IP address: 10.23.200.1 accounting server,
l Port number: 1813 authorization server, and
Portal server.
l RADIUS shared key:
Admin@123 l Configure a RADIUS
accounting server to
Authorization server: collect user login and
l IP address: 10.23.200.1 logout information. The
port numbers of the
l RADIUS shared key: authentication server and
Admin@123 accounting server must
Portal server: be the same as those of
the RADIUS server.
l IP address: 10.23.200.1
l Configure an
l Port number that the AC authorization server to
uses to listen on Portal enable the RADIUS
protocol packets: 2000 server to deliver
l Destination port number authorization rules to the
in the packets that the AC. The shared key of
AC sends to the Portal the authorization server
server: 50100 must be the same as that
of the authentication
l Portal shared key:
server and accounting
Admin@123
server.
l Encryption key for the
URL parameters that the
AC sends to the Portal
server: Admin@123

Table 4-92 Radio channel data planning

Item | Data | Description
AP101 | Radio 0: channel 1 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.
AP102 | Radio 0: channel 6 and power level 10 |
AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10 |
AP201 | Radio 0: channel 1 and power level 10 |
AP202 | Radio 0: channel 6 and power level 10 |
AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10 |

Configuration Roadmap
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network
devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
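
The port-isolation and VLAN-separation notes above can be checked mechanically against saved configuration files. The following Python script is an added example, not part of the Huawei document; the sample configurations are constructed in the style of this example's configuration files. It assumes that AP-facing switch ports are the trunks whose PVID is the management VLAN and that the management VLAN is the VLAN of the CAPWAP source interface, as in this example.

```python
import re

# Constructed samples in the style of this example's configuration files.
# GigabitEthernet0/0/3 lacks port isolation and wlan-vap2 reuses VLAN 100
# on purpose, so that both checks have something to report.
SWITCH_CFG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
#
"""

AC_CFG = """\
capwap source interface vlanif100
#
wlan
 traffic-profile name traffic1
  user-isolate l2
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 100
#
"""

def interfaces(cfg):
    """Map each interface name to its configuration lines."""
    result, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = result.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "#", "return"):
            current = None
        elif current is not None:
            current.append(line)
    return result

def ap_ports_without_isolation(switch_cfg, mgmt_vlan):
    """AP-facing ports (assumed: PVID == management VLAN) lacking port isolation."""
    pvid_line = f"port trunk pvid vlan {mgmt_vlan}"
    return [name for name, lines in interfaces(switch_cfg).items()
            if pvid_line in lines
            and not any(l.startswith("port-isolate enable") for l in lines)]

def management_vlan(ac_cfg):
    """VLAN of the CAPWAP source interface (assumed to be the management VLAN)."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", ac_cfg, re.M | re.I)
    return int(m.group(1)) if m else None

def vap_profiles(ac_cfg):
    """Map each VAP profile to its forwarding mode and service VLAN."""
    profiles, current = {}, None
    for raw in ac_cfg.splitlines():
        line = raw.strip()
        start = re.match(r"([\w-]+) name (\S+)$", line)
        if start or line in ("#", "return"):
            # Any "<type> name <x>" line or "#" ends the previous block.
            current = None
            if start and start.group(1) == "vap-profile":
                # Defaults: service VLAN 1 (stated on this page); direct
                # forwarding is assumed when forward-mode is absent.
                current = profiles.setdefault(
                    start.group(2), {"forward": "direct-forward", "vlan": 1})
        elif current is not None:
            if line.startswith("forward-mode "):
                current["forward"] = line.split()[1]
            else:
                m = re.match(r"service-vlan vlan-id (\d+)$", line)
                if m:
                    current["vlan"] = int(m.group(1))
    return profiles

def tunnel_vaps_on_mgmt_vlan(ac_cfg):
    """Tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    mgmt = management_vlan(ac_cfg)
    return sorted(name for name, p in vap_profiles(ac_cfg).items()
                  if p["forward"] == "tunnel" and p["vlan"] == mgmt)

if __name__ == "__main__":
    mgmt = management_vlan(AC_CFG)
    print("management VLAN:", mgmt)
    print("AP ports without port isolation:", ap_ports_without_isolation(SWITCH_CFG, mgmt))
    print("tunnel VAPs on management VLAN:", tunnel_vaps_on_mgmt_vlan(AC_CFG))
```

The parser strips leading whitespace, so it also accepts configuration text whose indentation has been lost.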

Procedure
Step 1 Configure network devices to communicate with each other.

# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN
201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN
100 and VLAN 202 (VLAN for wired service packets). Set PVIDs for interfaces directly
connected to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic. The S5700-1 is used as an example here. The configuration on
the S5700-2 is similar. For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit

# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to
the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to
VLAN 200.
[AC6605] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template, configure authentication, accounting, and authorization
in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure an IP address for the RADIUS authorization server, set the shared key to Admin@123, same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL for a Portal server.
[AC-web-auth-server-portal1] quit

# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] quit

Step 4 Configure APs to go online.


# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit

# Power on the APs and run the display ap all command to check the AP state. If the State
field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
-------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------------------
101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor   0   10S
102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor   0   15S
103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor   0   23S
201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP2030DN nor   0   45S
202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP2030DN nor   0   49S
203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP5030DN nor   0   55S
-------------------------------------------------------------------------------------------------
Total: 6

# Configure an AP2030DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2030DN is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2030DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit

Step 5 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.
[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
[AC-wlan-traffic-prof-traffic1] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, authentication profile, and
traffic profile to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure the AP channel and power.


# Disable the automatic channel and power calibration functions.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group2/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

# Configure the AP channel and power.


[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit

Step 7 Verify the configuration.


# After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 60DE-4476-E320 ON OPEN 0 hospital-wlan
102 ap-102 0 1 60DE-4476-E340 ON OPEN 0 hospital-wlan
103 ap-103 0 1 DCD2-FC04-B520 ON OPEN 0 hospital-wlan
103 ap-103 1 1 DCD2-FC04-B530 ON OPEN 0 hospital-wlan
201 ap-201 0 1 60DE-4476-E360 ON OPEN 0 hospital-wlan
202 ap-202 0 1 60DE-4476-E380 ON OPEN 0 hospital-wlan
203 ap-203 0 1 DCD2-FC04-B540 ON OPEN 0 hospital-wlan
203 ap-203 1 1 DCD2-FC04-B550 ON OPEN 0 hospital-wlan
---------------------------------------------------------------------------------
Total: 8

# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the password, the
STAs can access the wireless network. Run the display station all command on the AC. The
command output shows that the STAs are connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf  0      ap-101   0/1      2.4G  11n   3/8    -70   10    10.23.101.254  hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# STAs and PCs obtain IP addresses and connect to the network properly.

----End

Configuration Files
• S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
• S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1

user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 1
radio 2
vap-profile wlan-vap1 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 1
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 2
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
ap-id 101 type-id 46 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 46 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0

radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 35 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 46 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 46 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 35 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return

4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)

4.19.2.1 Application Scenario and Service Requirements

Application Scenario
This solution uses the core switch as the gateway and authentication point. It applies to
education campus networks with fewer than 10,000 access users and meets customers'
requirements for unified management and configuration of access switches.

Service Requirements
Campus network construction must take the number of users at colleges and universities
into account. Users can access the network only after being authenticated. To ensure
network security, users of different roles must be assigned different network access rights.

Education campus networks must meet the following requirements:

• Access
Provide both wired and wireless access.
• Security
Assign different network access rights to students, teachers, and other roles.
• Authentication and Accounting
Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
authentication for wireless users. There are accounting requirements.
• O&M
Provide unified management of wired and wireless networks.

4.19.2.2 Solution Design

Networking Diagram
The core switch S12700 is configured as the authentication point and gateway for users on the
entire school campus backbone network. The S12700 has the X1E card installed, supports
native AC, and carries wireless services on the entire network.

Figure 4-88 Network topology

Network Design
• Configure egress FWs to carry outgoing services, isolate the external network from the
internal network, and implement service routing and NAT between the internal and
external networks.
• Enable the intelligent path selection function on the FWs to allow the FWs to select
egress interfaces according to the egress link bandwidth, thereby maximizing link
resource usage and improving user experience.
• To enable internal network users to access external networks, configure NAT on the
uplink interfaces of the egress FWs to convert between private network IP addresses and
public network IP addresses.
• Enable the smart domain name system (DNS) function on the FWs to ensure that user
access requests of different carriers are properly resolved.
• Two S12700 switches constitute a Cluster Switch System (CSS) that is used as the core
of a campus network, providing high network reliability and scalability. Multi-active
detection (MAD) is configured for the CSS.
• The S7700 is used as the aggregation switch in each office building and connects to
access switches of each floor. The S5700 is used as the access switch.
• Eth-Trunk interfaces with inter-chassis and inter-card member links are used between
aggregation switches and core switches and between core switches and the FWs. This
keeps services running if a card or a link is faulty.
• The core switch S12700 is configured with native AC to manage APs on the entire
network and transmits wireless services to implement wired and wireless convergence.
• The S12700 is used as the gateway for both wired and wireless users on the entire
network, and forwards packets of users based on routes. The S12700 also functions as
the authentication point to authenticate wired and wireless users.
• Port isolation is configured on the switch ports directly connected to APs to prevent
Layer 2 communication between STAs associated with different APs.
• Configure the core switches as the STP root bridges. Configure root protection on
downlink ports to retain the role of the root bridges. This prevents abnormal topology
convergence caused by lower-layer devices being elected as the root bridges.
• It is recommended that the ports connected to terminals or APs be configured as edge
ports.
• In actual deployment, VLAN 1 is not recommended as the service VLAN. Delete all
ports from VLAN 1. Do not configure ports to transparently transmit packets of all
VLANs; allow only the VLANs that services actually require.
• The unused ports should be shut down.
• Strict STA IP address learning through DHCP, dynamic ARP inspection, and IPSG are
enabled to prevent IP packets from unauthorized users from accessing the external
network through APs, improving device security.
• To enable DHCP clients to obtain IP addresses through valid DHCP servers, and prevent
bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP packet attacks,
you are advised to configure DHCP snooping. If both wired and wireless users exist on
the network, you are not advised to enable DHCP snooping on switch interfaces
connecting to APs. This may cause the number of user binding entries on switches to
exceed the specification. Therefore, you are advised to configure DHCP snooping for
wired users based on VLANs and to configure DHCP snooping for wireless users on the
wireless-side VAP profiles.
• If there are no multicast services transmitted on the network, you are advised to
configure multicast packet suppression to reduce impact of a large number of low-rate
multicast packets on the wireless network.
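The Layer 2 recommendations in the list above can be checked against a saved switch configuration. The following audit script is an added example, not part of the original document or of any Huawei tool; the sample configuration and finding codes are constructed. It assumes, as the `undo port trunk allow-pass vlan 1` commands in this document imply, that a trunk port passes VLAN 1 until that command is applied, and it treats every access port as terminal- or AP-facing.

```python
# Constructed sample in the flattened style of the configuration files on this
# page; the device name and interfaces are illustrative, not from a real switch.
SAMPLE_CONFIG = """\
#
sysname S5700-X
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
port-isolate enable group 1
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/5
#
return
"""


def parse_vlan_list(tokens):
    """Expand tokens such as ['100', 'to', '102', '300'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Return (VLANs created by 'vlan batch', {interface name: [config lines]})."""
    defined, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is not relied on; '#' closes a stanza
        if line in ("", "#", "return"):
            current = None
        elif line.startswith("vlan batch "):
            defined |= parse_vlan_list(line.split()[2:])
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
    return defined, interfaces


def audit(text):
    """Return (interface, finding code) pairs for deviations from the list above."""
    defined, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        if name.lower().startswith("vlanif") or "shutdown" in lines:
            continue
        if not lines:  # no configuration at all and not shut down
            findings.append((name, "unused-not-shutdown"))
        elif "port link-type trunk" in lines:
            if "undo port trunk allow-pass vlan 1" not in lines:
                findings.append((name, "vlan1-on-trunk"))
            for line in lines:
                if not line.startswith("port trunk allow-pass vlan "):
                    continue
                tokens = line.split()[4:]
                if "all" in tokens:  # every VLAN passes transparently
                    findings.append((name, "trunk-all-vlans"))
                elif parse_vlan_list(tokens) - defined:  # VLANs no service uses
                    findings.append((name, "trunk-undefined-vlans"))
        elif "port link-type access" in lines:
            if not any(l.startswith("port-isolate enable") for l in lines):
                findings.append((name, "no-port-isolate"))
            if "stp edged-port enable" not in lines:
                findings.append((name, "no-edge-port"))
    return findings


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {code}")
```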

Involved NEs and Software Versions


Product | Software Version
S12700 | V200R011C10
S7700 | V200R011C10
S5700 | V200R011C10
Agile Controller-Campus | V100R003C30
FW(USG6650) | V500R001C60
AP | V200R007C20

4.19.2.3 Configuration Roadmap and Data Plan

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the aggregation switch.
2. Configure the access switch.
3. Use two S12700s to set up a CSS.
4. Configure interfaces and VLANs on the core switch S12700.
5. Configure Dynamic Host Configuration Protocol (DHCP) on the core switch, and
configure the core switch as a DHCP server to allocate IP addresses to users.
6. Configure the WLAN service on the core switch S12700.
7. Configure wired and wireless authentication and accounting services on the core switch
S12700. Portal authentication is used as an example here.
8. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the core
switch for interworking with the Agile Controller, and enable free mobility.
9. Configure interfaces and IP addresses on the firewall.
10. Configure zones and security policies on the firewall.
11. Configure Huawei Redundancy Protocol (HRP) on the firewall.
12. Configure intelligent route selection on the firewall.
13. Configure a NAT address pool and a NAT policy on the firewall.
14. Perform agile network configurations on the firewall.
15. Log in to the Agile Controller to add user groups and user accounts.
16. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add a core switch and a firewall on the Agile Controller.
17. Configure and deploy security groups and inter-group policies on the Agile Controller.
18. Configure and deploy QoS policies on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.
25. Configure user group management and create users on the Srun.

Data Plan

Table 4-93 Basic service data plan of the core switch


Item | VLAN ID | Network Segment
Network segment connected to the uplink interface | VLAN 10 | 192.168.10.0/24
mVLAN for APs | VLAN 20 | 192.168.20.0/24
Service VLAN of wireless users | VLAN 30 | 172.16.30.0/24
Service VLAN of wired users | VLAN 40 | 172.16.40.0/24
Network segment connected to the Agile Controller | VLAN 1000 | 168.88.77.157/17

Table 4-94 Authentication service data plan of the core switch


Item | Data
RADIUS server template | • Authentication server IP address: 168.88.77.10
 | • Authentication server port number: 1812
 | • Accounting server IP address: 168.88.77.10
 | • Accounting server port number: 1813
 | • RADIUS server shared key: Admin@123
 | • Accounting interval: 15 minutes
Portal server | • URL: http://168.88.77.10:8080/portal
 | • IP address: 168.88.77.10
 | • Port number: 50100
 | • Shared key: Admin@123
XMPP password | Admin@123
Pre-authentication domain | DNS server IP address: 168.88.77.140
Post-authentication domain | • User1 matches the free mobility inter-group policy and is allowed to access Server1 and Server2.
 | • User2 matches the free mobility inter-group policy and is allowed to access Server1 but is not allowed to access Server2.
 | • User1 and User2 cannot access each other.

Table 4-95 Service data plan of the Agile Controller


Item | Data
IP address of the core switch | 168.88.77.157
RADIUS authentication key | Admin@123
RADIUS accounting key | Admin@123
Portal parameters | Settings on the two core switches:
 | • Port number: 2000
 | • Portal key: Admin@123
 | • IP address segment of access terminals: 172.16.0.0/16
Security group | • group1
 | • group2
Resource group | • server1: 21.0.0.100
 | • server2: 22.0.0.100

Table 4-96 Service data plan of the Srun


Item | Parameter | Data
Device management | IP address of the core switch | 168.88.77.157
 | RADIUS key | Admin@123
 | Portal key | Admin@123
 | Portal redirection page | index_2.html
Portal parameters | Authentication address of AAA | 168.88.77.9
 | Authentication port of AAA | 1812
 | Accounting address of AAA | 168.88.77.9
 | Accounting port of AAA | 1813
 | NAS IP address | 168.88.77.157
 | Secret | Admin@123
 | DM port | 3799
RADIUS attribute | Name | group1 and group2
 | Attribute name | Filter-ID
 | Vendor-ID | 0
 | Vendor-name | -
 | Attribute ID | 11
 | Type | Integer
 | Delivery condition | Delivery without any condition
 | Format | %d
 | Fixed value | 25 and 26
 | Dictionary | dictionary.rfc2865
 | NAS type | Huawei, H3C, Srun gateway
Accounting policy | Name | account_policy
Control policy | Name | group1_control and group2_control
Accounting group | Name | group1_accounting bound to account_policy and group1_control
 | Name | group2_accounting bound to account_policy and group2_control
User group | Name | group1 and group2
User | User name and password | user1/Huawei123 bound to the user group group1 and accounting group group1_accounting
 | | user2/Huawei123 bound to the user group group2 and accounting group group2_accounting

Table 4-97 Data plan of the egress solution and USG6600 HRP
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
FW1 | GE1/0/1 | - | - | 201.0.0.1/24 | Public IP address 1 assigned by ISP1 to an enterprise | -
FW1 | GE1/0/2 | - | - | 202.0.0.2/24 | Public IP address 2 assigned by ISP2 to an enterprise | -
FW1 | GE1/0/5 | - | - | 10.10.0.1/24 | FW2 | GE1/0/5
FW1 | Eth-Trunk 30 | GE1/0/3 and GE1/0/4 | - | 192.168.10.1/24 | S12700 CSS2 | Eth-Trunk 30
FW2 | GE1/0/1 | - | - | 201.0.0.2/24 | Public IP address 1 assigned by ISP1 to an enterprise | -
FW2 | GE1/0/2 | - | - | 202.0.0.1/24 | Public IP address 2 assigned by ISP2 to an enterprise | -
FW2 | GE1/0/5 | - | - | 10.10.0.2/24 | FW1 | GE1/0/5
FW2 | Eth-Trunk 40 | GE1/0/3 and GE1/0/4 | - | 192.168.10.2/24 | S12700 CSS2 | Eth-Trunk 40
S12700 CSS2 | Eth-Trunk 30 | GE1/2/0/0 and GE2/2/0/0 | VLANIF 10 | 192.168.10.3/24 | FW1 | Eth-Trunk 30
S12700 CSS2 | Eth-Trunk 40 | GE1/2/0/1 and GE2/2/0/1 | VLANIF 10 | 192.168.10.3/24 | FW2 | Eth-Trunk 40
S12700 CSS2 | Eth-Trunk 20 | XGE1/1/0/0 and XGE2/1/0/0 | - | - | S7700-A | Eth-Trunk 20
S12700 CSS2 | Eth-Trunk 10 | XGE1/1/0/1 and XGE2/1/0/1 | - | - | S7700-B | Eth-Trunk 10
S7700-A | Eth-Trunk 20 | XGE3/0/1 and XGE2/0/2 | - | - | S12700 CSS2 | Eth-Trunk 20
S7700-B | Eth-Trunk 10 | XGE3/0/1 and XGE2/0/2 | - | - | S12700 CSS2 | Eth-Trunk 10

4.19.2.4 Configuration Notes

Free Mobility Configuration Notes


• The Agile Controller-Campus can support the free mobility function only after a license
is loaded.
• To implement free mobility, authentication points for intranet users must be deployed on
agile switches. It is recommended that S12700 and S7700 with X1E/X2S/X2E/X2H
cards, and S5720-HI switches be used.
• Policy enforcement points for free mobility are deployed on agile switches or
Next-Generation Firewalls (NGFWs).
• If there is a requirement for user-to-user access control, Layer 2 isolation must be
deployed on access switches to divert all traffic to authentication point switches. User
isolation for wireless service needs to be configured in the VAP profile.
• If 802.1X authentication needs to be deployed on switches and firewalls function as
policy enforcement points for free mobility, it is required to configure real-time
accounting on switches. The switches report IP addresses to the Agile Controller-Campus
for firewalls to query by sending accounting packets.
• When 802.1X authentication is used for wired users, the authentication points can be
core switches or aggregation switches. If the authentication points are core switches,
EAP packet transparent transmission must be configured on access switches and
aggregation switches. Similarly, if the authentication points are aggregation switches,
EAP packet transparent transmission must be configured on access switches.
• When a firewall functions as a policy enforcement point, the intranet user network
segment needs to be specified on the Agile Controller-Campus for the firewall to query
the security group to which an IP address belongs. When user access traffic reaches the
firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
its security group. The firewall will initiate inquiries only when the IP addresses are
within the intranet segment.
• When a firewall functions as a policy enforcement point, to prevent the security group
queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
recommended that the Agile Controller-Campus deliver global configurations to the
firewall and forward RADIUS packets to the Agile Controller-Campus.
• Only firewalls support the free mobility QoS policy.
• To implement free mobility, only firewalls support the application-based access
permission control, bandwidth rate limit, and priority scheduling.

SVF Configuration Notes


• When an AS goes online, it must be unconfigured (without any startup configuration
file) and there is no input on the console port. Before an AS connects to an SVF system,
it is recommended that you remove the network cable from the console port. If
SecureCRT is used as a HyperTerminal, set SecureCRT not to automatically send
characters.
• Each AS can be a stack of up to five member devices that are the same model and
provide the same number or different numbers of ports. An AS can be a stack of devices
of the same series but different models. If an AS is a stack, you can run the slot
command to modify the preconfigured device type.
• Each AS has a unique management MAC address. You can view the MAC address of a
device on the MAC address label.
• In a stack system, before connecting an AS with the name and MAC address
pre-configured on the parent to an SVF system, it is recommended that you set up a stack
for the AS and then configure the pre-configured MAC address as the management MAC
address. You can configure the MAC address as the MAC address of the master switch
in the stack. In this situation, the AS management MAC address is the same as the
pre-configured one by default, and no management MAC address needs to be configured. If
the AS name and MAC address are configured after the AS connects to an SVF system,
the management MAC address does not need to be configured.
• Some Huawei switches can connect to an SVF system through downlink ports. Before
restarting an AS, check whether the port that connects this AS to the parent is a downlink
port. You can run the display port connection-type access all command on this AS to
view all downlink ports on it. If this port is a downlink port, run the uni-mng
up-direction fabric-port command on this AS to configure this port as an uplink port
before restarting this AS. Otherwise, this AS cannot go online.
• Stack member switches connected using downlink service ports cannot join an SVF
system as ASs.
• If downlink service ports of an AS are configured as member ports of an uplink fabric
port, all the downlink ports of the AS cannot be configured as stack member ports.
• Pay attention to the following notes when replacing a faulty AS:
– An AS can only be replaced by a device of the same model. If the new device is a
different model, the SVF system considers it as a new AS, which then cannot
inherit services on the previous AS.
– Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
– AS automatic replacement is not supported when an AS connects to the parent
through a network.
– To ensure that a replacement AS can be successfully authenticated, run the
auth-mode none command to set the AS authentication mode to none, or run the
whitelist mac-address command to add the management MAC address of the
replacement AS to the whitelist. If the replacement AS has no management MAC
address configured, the system MAC address is used as the management MAC
address.

4.19.2.5 Configuration Procedure

4.19.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A


# Create a service VLAN for wired users and configure the VLAN allowed by an interface.
The configuration of the aggregation switch S7700 in office building B is similar to that in
office building A, and is not mentioned here.

# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S7700-A
[S7700-A] vlan batch 40

# Create an Eth-Trunk connected to the core switch.


[S7700-A] interface eth-trunk 20
[S7700-A-Eth-Trunk20] description connect to S127
[S7700-A-Eth-Trunk20] port link-type trunk
[S7700-A-Eth-Trunk20] port trunk allow-pass vlan 40
[S7700-A-Eth-Trunk20] undo port trunk allow-pass vlan 1
[S7700-A-Eth-Trunk20] quit

# Create an Eth-Trunk connected to the core switch and add uplink interfaces to the Eth-
Trunk.
[S7700-A] interface xgigabitethernet 3/0/1
[S7700-A-XGigabitEthernet3/0/1] eth-trunk 20
[S7700-A-XGigabitEthernet3/0/1] quit
[S7700-A] interface xgigabitethernet 2/0/2
[S7700-A-XGigabitEthernet2/0/2] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/2] quit

# Create VLAN 40 connected to the access switch and add downlink interfaces to VLAN 40.
[S7700-A] interface gigabitethernet 1/0/1
[S7700-A-GigabitEthernet1/0/1] port link-type trunk
[S7700-A-GigabitEthernet1/0/1] port trunk allow-pass vlan 40
[S7700-A-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[S7700-A-GigabitEthernet1/0/1] port-isolate enable
[S7700-A-GigabitEthernet1/0/1] quit

4.19.2.5.2 Configuring the Access Switch S5700-A in Office Building A


# Create a service VLAN for wired users and configure the VLAN allowed by an interface.
The configuration of the access switch S5700-B in office building B is similar to that of the
access switch in office building A, and is not mentioned here. The difference is that the
downlink interface of S5700-B is a trunk interface.

# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S5700-A
[S5700-A] vlan batch 40

# Configure an uplink interface connected to the aggregation switch.


[S5700-A] interface gigabitethernet 0/0/2
[S5700-A-GigabitEthernet0/0/2] port link-type trunk
[S5700-A-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[S5700-A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-A-GigabitEthernet0/0/2] quit

# Configure a downlink interface connected to a user PC. Configure port isolation on the
interface and configure the interface as an STP edge port.
[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type access
[S5700-A-GigabitEthernet0/0/1] port default vlan 40
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] stp edged-port enable
[S5700-A-GigabitEthernet0/0/1] quit

4.19.2.5.3 Configuring the Core Switch S12700


Step 1 Use two S12700s to set up a CSS.
# Install CSS cards on S12700-1 and S12700-2, and connect cluster cables.
For details on CSS setup, see CSS of S Switches.
# Configure the CSS connection mode, CSS ID, and CSS priority.
<S12700-1> system-view
[S12700-1] set css mode css-card
[S12700-1] set css id 1
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-1] set css priority 100 //On S12700-1, set the CSS ID and CSS priority to 1 and 100, respectively.
<S12700-2> system-view
[S12700-2] set css mode css-card
[S12700-2] set css id 2
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-2] set css priority 10 //On S12700-2, set the CSS ID and CSS priority to 2 and 10, respectively.

# Enable the CSS function.


[S12700-1] css enable //Enable the CSS function on S12708-1 and restart S12708-1.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
[S12700-2] css enable //Enable the CSS function on S12708-2 and restart S12708-2.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Check whether a CSS is set up successfully. If the card status of two member switches is
displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit

2. Configure MAD in direct mode on GE2/1/1/7.


[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit

3. Check detailed MAD configuration of the CSS.


[CSS] display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
 GigabitEthernet1/1/1/7
 GigabitEthernet2/1/1/7
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
 XGigabitEthernet1/6/0/0
 XGigabitEthernet2/6/0/0

Step 3 Configure basic network parameters.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CORE-SWITCH
[CORE-SWITCH] vlan batch 10 20 30 40 1000

# Enable DHCP globally, and configure DHCP snooping for the service VLAN.
[CORE-SWITCH] dhcp enable
[CORE-SWITCH] dhcp snooping enable
[CORE-SWITCH] vlan 30
[CORE-SWITCH-vlan30] dhcp snooping enable
[CORE-SWITCH-vlan30] quit

# Create a wireless management interface VLANIF 20, and assign addresses to APs from the
interface address pool.
[CORE-SWITCH] interface vlanif 20
[CORE-SWITCH-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-SWITCH-Vlanif20] dhcp select interface
[CORE-SWITCH-Vlanif20] quit

# Create a wireless service interface VLANIF 30, and assign addresses to STAs from the
interface address pool.
[CORE-SWITCH] interface vlanif 30
[CORE-SWITCH-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-SWITCH-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif30] dhcp select interface
[CORE-SWITCH-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif30] quit

# Create a wired service interface VLANIF 40, and assign addresses to terminals from the
interface address pool.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-SWITCH-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wired users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif40] dhcp select interface
[CORE-SWITCH-Vlanif40] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif40] quit

# Create VLANIF 1000 connected to the server.


[CORE-SWITCH] interface vlanif 1000
[CORE-SWITCH-Vlanif1000] ip address 168.88.77.157 255.255.128.0
[CORE-SWITCH-Vlanif1000] quit

# Create Eth-Trunk 20 to connect the core switch to the aggregation switch S7700-A in
office building A, and add interfaces to the Eth-Trunk. The interconnection configuration
between the core switch and the aggregation switch in office building B is similar to that in
office building A, and is not mentioned here. (The service VLAN corresponding to office
building B is VLAN 20.)
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] description con to S7700-A
[CORE-SWITCH-Eth-Trunk20] port link-type trunk
[CORE-SWITCH-Eth-Trunk20] port trunk allow-pass vlan 40
[CORE-SWITCH-Eth-Trunk20] undo port trunk allow-pass vlan 1
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] interface xgigabitethernet 1/1/0/0
[CORE-SWITCH-XGigabitEthernet1/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet1/1/0/0] quit
[CORE-SWITCH] interface xgigabitethernet 2/1/0/0
[CORE-SWITCH-XGigabitEthernet2/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet2/1/0/0] quit

# Configure the core switch as the STP root bridge, enable root protection, disable TC
packet-triggered ARP entry update, and enable MAC address-triggered ARP entry update.
[CORE-SWITCH] stp root primary
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] stp root-protection
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] arp topology-change disable
[CORE-SWITCH] mac-address update arp

# Add an interface connected to the Agile Controller to VLAN 1000.


[CORE-SWITCH] interface gigabitethernet 1/3/0/0
[CORE-SWITCH-GigabitEthernet1/3/0/0] port link-type access
[CORE-SWITCH-GigabitEthernet1/3/0/0] port default vlan 1000
[CORE-SWITCH-GigabitEthernet1/3/0/0] quit

Step 4 Configure authentication parameters.

# Set the NAC mode to unified.


[CORE-SWITCH] authentication unified-mode

# Configure a RADIUS server template.


[CORE-SWITCH] radius-server template test01
[CORE-SWITCH-radius-test01] radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 //Configure the IP address of the primary RADIUS
authentication server, and set the authentication port number to 1812.
[CORE-SWITCH-radius-test01] radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 //Configure the IP address of the primary
accounting server, and set the accounting port number to 1813.
[CORE-SWITCH-radius-test01] radius-server shared-key cipher Admin@123 //The
shared key must be the same as that configured on the Agile Controller.
[CORE-SWITCH-radius-test01] quit
[CORE-SWITCH] radius-server authorization 168.88.77.10 shared-key cipher Admin@123

# Configure an authentication scheme named test01 and set the authentication mode to
RADIUS.
[CORE-SWITCH] aaa
[CORE-SWITCH-aaa] authentication-scheme test01
[CORE-SWITCH-aaa-authen-test01] authentication-mode radius
[CORE-SWITCH-aaa-authen-test01] quit

# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[CORE-SWITCH-aaa] accounting-scheme test01
[CORE-SWITCH-aaa-accounting-test01] accounting-mode radius
[CORE-SWITCH-aaa-accounting-test01] accounting realtime 15 //Set the accounting
interval to 15 minutes.
[CORE-SWITCH-aaa-accounting-test01] quit

# Create an authentication domain named huawei, and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[CORE-SWITCH-aaa] domain huawei
[CORE-SWITCH-aaa-domain-huawei] authentication-scheme test01
[CORE-SWITCH-aaa-domain-huawei] accounting-scheme test01
[CORE-SWITCH-aaa-domain-huawei] radius-server test01
[CORE-SWITCH-aaa-domain-huawei] quit
[CORE-SWITCH-aaa] quit

# Configure the Portal authentication server and create a Portal access profile named portal1.
[CORE-SWITCH] web-auth-server test01
[CORE-SWITCH-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP
address of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] source-ip 168.88.77.157
[CORE-SWITCH-web-auth-server-test01] port 50100 //Configure the port
number of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123 //Configure
the shared key for communication between the Portal authentication server and
switch. The shared key must be the same as that of the Agile Controller.
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[CORE-SWITCH-web-auth-server-test01] quit
[CORE-SWITCH] portal-access-profile name portal1
[CORE-SWITCH-portal-acces-profile-portal1] web-auth-server test01 direct
[CORE-SWITCH-portal-acces-profile-portal1] quit

# Configure an authentication-free rule named default_free_rule to permit packets from the
DNS server so that the Portal authentication page can be redirected.
[CORE-SWITCH] free-rule-template name default_free_rule
[CORE-SWITCH-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[CORE-SWITCH-free-rule-default_free_rule] quit

# Configure an authentication profile named p1.


[CORE-SWITCH] authentication-profile name p1
[CORE-SWITCH-authen-profile-p1] portal-access-profile portal1
[CORE-SWITCH-authen-profile-p1] free-rule-template default_free_rule
[CORE-SWITCH-authen-profile-p1] access-domain huawei portal force
[CORE-SWITCH-authen-profile-p1] quit

Step 5 Configure the wired user interface and enable Portal authentication on the interface.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] authentication-profile p1
[CORE-SWITCH-Vlanif40] quit

Step 6 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip 168.88.77.157

Step 7 Configure WLAN services.


# Create an AP group and add APs with the same configuration to the AP group.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[CORE-SWITCH-wlan-view] regulatory-domain-profile name domain1
[CORE-SWITCH-wlan-regulate-domain-domain1] country-code CN
[CORE-SWITCH-wlan-regulate-domain-domain1] quit
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
[CORE-SWITCH-wlan-view] quit

# Configure the source interface of the AC.


[CORE-SWITCH] capwap source interface vlanif 20

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC address of the AP is ac85-3d95-d800.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap auth-mode mac-auth
[CORE-SWITCH-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[CORE-SWITCH-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[CORE-SWITCH-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[CORE-SWITCH-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------------------------
ID   MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0    ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1

# Configure WLAN service parameters.


[CORE-SWITCH-wlan-view] ssid-profile name portal
[CORE-SWITCH-wlan-ssid-prof-portal] ssid portal_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-ssid-prof-portal] quit
[CORE-SWITCH-wlan-view] traffic-profile name test
[CORE-SWITCH-wlan-traffic-prof-test] quit
[CORE-SWITCH-wlan-view] vap-profile name wlan-vap //Create a VAP profile and
define 802.1X authentication. Enable IPSG, dynamic ARP detection, and STA IP
address learning on APs to improve VAP security.
[CORE-SWITCH-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-vap-prof-wlan-vap] service-vlan vlan-id 30
[CORE-SWITCH-wlan-vap-prof-wlan-vap] ssid-profile portal
[CORE-SWITCH-wlan-vap-prof-wlan-vap] traffic-profile test
[CORE-SWITCH-wlan-vap-prof-wlan-vap] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-vap-prof-wlan-vap] ip source check user-bind enable
[CORE-SWITCH-wlan-vap-prof-wlan-vap] arp anti-attack check user-bind enable
[CORE-SWITCH-wlan-vap-prof-wlan-vap] learn-client-address dhcp-strict
[CORE-SWITCH-wlan-vap-prof-wlan-vap] quit

NOTE

The prerequisites for running the ip source check user-bind enable command are as follows.
The IP packet check is based on the binding table, so:
● The dynamic DHCP snooping binding table has been generated for DHCP users.
● The static binding table has been configured manually for users using static IP addresses.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
● The DHCP trusted port has been disabled using the undo dhcp trust port command in the VAP
  profile view.
● STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable
  command.

# Bind the VAP profile to the AP group.


[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[CORE-SWITCH-wlan-ap-group-ap-group1] quit

# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[CORE-SWITCH-wlan-view] display vap ssid portal_test
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
--------------------------------------------------------------------------------------
Total: 2

Step 8 Configure multicast/broadcast packet suppression.

No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected. The following configurations are used only in tunnel forwarding
mode:
● For the traffic from the user side to the network side, you are advised to configure
  multicast packet suppression in the traffic profile of the core switch.
# Set the maximum rate of broadcast packets to 128 pps in traffic profile test.
[CORE-SWITCH-wlan-view] traffic-profile name test
[CORE-SWITCH-wlan-traffic-prof-test] traffic-optimize broadcast-suppression packets 128

# Set the maximum rate of multicast packets to 128 pps in the traffic profile test.
[CORE-SWITCH-wlan-view] traffic-profile name test
[CORE-SWITCH-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 128

● If a large number of multicast or broadcast packets are sent from the network side to the
  wireless user side, the air interface usage of the AP is high. In this instance, configure a
  traffic policy on the core switch to suppress the broadcast/multicast packets going
  upstream from the wireless user side to the AP. Before configuring a traffic policy, check
  whether the corresponding multicast or broadcast services are available on the live
  network.
# Create a traffic classifier named test and define a matching rule.
[CORE-SWITCH] traffic classifier test
[CORE-SWITCH-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the
destination MAC address of multicast packets.
[CORE-SWITCH-classifier-test] quit

# Create a traffic behavior named test, enable traffic statistics collection, and set the
traffic rate limit.
[CORE-SWITCH] traffic behavior test
[CORE-SWITCH-behavior-test] statistic enable
[CORE-SWITCH-behavior-test] car cir 100 //Configure the rate limit to 100
kbit/s. If multicast services are available, you are advised to rate-limit
the packets based on service traffic.
[CORE-SWITCH-behavior-test] quit

# Create a traffic policy named test, and bind the traffic classifier and traffic behavior to
the traffic policy.
[CORE-SWITCH] traffic policy test
[CORE-SWITCH-trafficpolicy-test] classifier test behavior test
[CORE-SWITCH-trafficpolicy-test] quit

# Apply the traffic policy to the outbound direction in an SSID profile.


[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ssid-profile name portal
[CORE-SWITCH-wlan-ssid-prof-portal] traffic-policy test outbound
[CORE-SWITCH-wlan-ssid-prof-portal] quit
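
The classifier in Step 8 matches on the 24-bit prefix 0100-5e, the IPv4 multicast MAC range. The following is an added example, not part of the Huawei document: it applies the same address/mask comparison to constructed destination addresses to show which traffic the 100 kbit/s CAR covers and which traffic it leaves untouched. The function names and sample frames are assumptions made for the illustration.

```python
import ipaddress

# Values taken from the if-match command in Step 8.
RULE_MAC = "0100-5e00-0000"
RULE_MASK = "ffff-ff00-0000"


def parse_mac(text):
    """Parse Huawei (xxxx-xxxx-xxxx), colon or dotted notation into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def fmt_mac(value):
    """Format a 48-bit integer in the xxxx-xxxx-xxxx notation used on this page."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def group_to_mac(group):
    """Map an IPv4 multicast group to its MAC: 01-00-5e plus the low 23 bits (RFC 1112)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return 0x01005E000000 | (int(addr) & 0x7FFFFF)


def classifier_matches(dst, rule_mac=RULE_MAC, rule_mask=RULE_MASK):
    """True if a frame with destination MAC dst would hit the classifier."""
    mask = parse_mac(rule_mask)
    return (parse_mac(dst) & mask) == (parse_mac(rule_mac) & mask)


# Constructed destination addresses (the unicast one is the AP MAC used on this page).
SAMPLE_FRAMES = {
    "mDNS 224.0.0.251": fmt_mac(group_to_mac("224.0.0.251")),
    "SSDP 239.255.255.250": fmt_mac(group_to_mac("239.255.255.250")),
    "0100-5e prefix, upper half": "0100-5e80-0001",  # no IPv4 group maps here
    "broadcast (ARP, DHCP discover)": "ffff-ffff-ffff",
    "IPv6 multicast (ff02::fb)": "3333-0000-00fb",
    "unicast": "ac85-3d95-d800",
}


def coverage(frames=SAMPLE_FRAMES):
    """Return {label: matched?} for each sample destination."""
    return {label: classifier_matches(mac) for label, mac in frames.items()}


if __name__ == "__main__":
    for label, hit in coverage().items():
        mac = SAMPLE_FRAMES[label]
        print(f"{mac}  {'rate-limited' if hit else 'not matched':13}  {label}")
    # 32 IPv4 groups share one MAC, so the limit cannot separate them.
    print(fmt_mac(group_to_mac("224.1.1.1")), fmt_mac(group_to_mac("225.1.1.1")))
```

Broadcast and IPv6 multicast fall outside this classifier, so they are limited only by the separate controls configured for them, such as the broadcast suppression in the traffic profile.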

Step 9 Configure LLDP.

# Configure LLDP on core switches.

To view the Layer 2 link status between network devices and analyze the network topology,
enable LLDP. To view the Layer 2 link status between APs and access switches or analyze the
network topology, enable WLAN LLDP. WLAN LLDP can be enabled in the system view
and the AP wired port link profile view. The AP sends or receives LLDP packets only when
LLDP is enabled in both views. By default, it is enabled in both views.
[CORE-SWITCH] lldp enable
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap lldp enable
[CORE-SWITCH-wlan-view] port-link-profile name default
[CORE-SWITCH-wlan-port-link-prof-default] lldp enable
[CORE-SWITCH-wlan-port-link-prof-default] quit
[CORE-SWITCH-wlan-view] quit

# Configure LLDP on access switches.

After LLDP is configured, the device can analyze powered devices (PDs). When LLDP is
disabled, the device can detect and classify PDs only by analyzing the current and resistance
between the device and PDs. Compared with current and resistance analysis, the LLDP
function provides a more comprehensive and accurate analysis. After LLDP is enabled in the
system view, all interfaces are enabled with LLDP.
[S5700-B] lldp enable

Step 10 Create an Eth-Trunk between the core switch S12700 and the USG6600.

# Configure a VLANIF interface connecting the core switch to the USG6600.


[CORE-SWITCH] interface vlanif 10
[CORE-SWITCH-Vlanif10] ip address 192.168.10.3 24
[CORE-SWITCH-Vlanif10] quit

# On the S12700, create Eth-Trunk 30 and Eth-Trunk 40 connected to FW1 and FW2
respectively, and add member interfaces to Eth-Trunk 30 and Eth-Trunk 40.
[CORE-SWITCH] interface eth-trunk 30 //Create Eth-Trunk 30 connected to FW1.
[CORE-SWITCH-Eth-Trunk30] port link-type access
[CORE-SWITCH-Eth-Trunk30] port default vlan 10
[CORE-SWITCH-Eth-Trunk30] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/0
[CORE-SWITCH-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet1/2/0/0] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/0
[CORE-SWITCH-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet2/2/0/0] quit
[CORE-SWITCH] interface eth-trunk 40 //Create Eth-Trunk 40 connected to FW2.
[CORE-SWITCH-Eth-Trunk40] port link-type access
[CORE-SWITCH-Eth-Trunk40] port default vlan 10
[CORE-SWITCH-Eth-Trunk40] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/1
[CORE-SWITCH-GigabitEthernet1/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet1/2/0/1] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/1
[CORE-SWITCH-GigabitEthernet2/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet2/2/0/1] quit

Step 11 Configure routes.

# Configure a routing protocol based on site requirements. OSPF is used here.

# Configure a loopback interface.


[CORE-SWITCH] interface loopback 0
[CORE-SWITCH-LoopBack0] ip address 3.3.3.3 32 //The IP address is used as the
router ID.
[CORE-SWITCH-LoopBack0] quit

# Configure OSPF to advertise routes. You are advised to enable the sham-hello function of
OSPF. After this function is enabled, devices maintain neighbor relationships through not
only Hello packets but also all OSPF protocol packets, so that they detect the presence of
OSPF neighbors more responsively.
[CORE-SWITCH] ospf 1 router-id 3.3.3.3
[CORE-SWITCH-ospf-1] sham-hello enable
[CORE-SWITCH-ospf-1] area 0.0.0.0
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the
core switch to advertise the network segment connected to the USG6600.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255 //Configure the
core switch to advertise the network segment of wireless users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.40.0 0.0.0.255 //Configure the
core switch to advertise the network segment of wired users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the
core switch to advertise the address segment of the Agile Controller to
interconnect with the firewall.
[CORE-SWITCH-ospf-1-area-0.0.0.0] quit
[CORE-SWITCH-ospf-1] quit

----End
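
Steps 4 and 6 above use the same value, Admin@123, for the RADIUS shared key, the RADIUS authorization key, the Portal shared key and the controller password, and the Portal URL uses http. The following is an added example, not part of the Huawei document: it audits a saved CLI transcript in this page's prompt format for secret reuse, short secrets and a cleartext Portal URL. The 16-character minimum, the hardened sample values and the host portal.example.invalid are assumptions.

```python
import re
from collections import defaultdict

# Commands copied from Steps 4 and 6 of this page, prompts and //comments included.
PAGE_CONFIG = """\
[CORE-SWITCH-radius-test01] radius-server shared-key cipher Admin@123 //The shared key must be the same as that configured on the Agile Controller.
[CORE-SWITCH] radius-server authorization 168.88.77.10 shared-key cipher Admin@123
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip 168.88.77.157
"""

# Constructed sample (not from the page): one distinct, longer secret per function.
HARDENED_CONFIG = """\
[CORE-SWITCH-radius-test01] radius-server shared-key cipher constructed-radius-key-01
[CORE-SWITCH] radius-server authorization 168.88.77.10 shared-key cipher constructed-authz-key-02
[CORE-SWITCH-web-auth-server-test01] shared-key cipher constructed-portal-key-03
[CORE-SWITCH-web-auth-server-test01] url https://portal.example.invalid/portal
[CORE-SWITCH] group-policy controller 168.88.77.10 password constructed-xmpp-key-04 src-ip 168.88.77.157
"""

PROMPT = re.compile(r"^(?:HRP_[MS])?\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")
SECRET = re.compile(r"^(?P<what>.*?)\b(?:shared-key cipher|password)\s+(?P<secret>\S+)")
URL = re.compile(r"^url\s+(?P<url>\S+)")
MIN_LENGTH = 16  # assumption: local policy, not a value from the page


def parse(text):
    """Return (view, command) pairs with the prompt and trailing //comment removed."""
    pairs = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            # A comment is whitespace followed by "//"; the "//" inside a URL is not.
            cmd = re.split(r"\s+//", m.group("cmd"), maxsplit=1)[0].strip()
            pairs.append((m.group("view"), cmd))
    return pairs


def audit(text, min_length=MIN_LENGTH):
    """Return sorted (kind, detail) findings. Secret values are never echoed."""
    uses = defaultdict(list)  # secret -> places where it is configured
    findings = []
    for view, cmd in parse(text):
        s = SECRET.match(cmd)
        if s:
            what = s.group("what").strip() or "shared-key"
            uses[s.group("secret")].append(f"{view}: {what}")
        u = URL.match(cmd)
        if u and u.group("url").lower().startswith("http://"):
            findings.append(("cleartext-portal-url", f"{view}: {u.group('url')}"))
    for secret, places in uses.items():
        if len(places) > 1:
            findings.append(("reused-secret", " | ".join(places)))
        if len(secret) < min_length:
            findings.append(("short-secret", f"{len(secret)} chars at {places[0]}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(PAGE_CONFIG):
        print(f"{kind}: {detail}")
    print("hardened sample findings:", audit(HARDENED_CONFIG))
```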

4.19.2.5.4 Configuring the Egress Firewall USG6650s


Step 1 Configure interfaces.

# Configure interfaces on FW1.


[USG6650] sysname FW1
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 201.0.0.1 24 //Configure an IP address for
the interface connected to ISP1.
[FW1-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address 202.0.0.2 24 //Configure an IP address for
the interface connected to ISP2.
[FW1-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW1-GigabitEthernet1/0/2] quit
[FW1] interface gigabitethernet 1/0/5
[FW1-GigabitEthernet1/0/5] ip address 10.10.0.1 24 //Configure an IP address for
the heartbeat line where HRP is used.
[FW1-GigabitEthernet1/0/5] quit
[FW1] interface eth-trunk 30
[FW1-Eth-Trunk30] ip address 192.168.10.1 24 //Configure an IP address for the
Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk30] quit
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 1.1.1.1 32 //The IP address is used as the router ID.
[FW1-LoopBack0] quit

# Configure interfaces on FW2.


[USG6650] sysname FW2
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 201.0.0.2 24 //Configure an IP address for
the interface connected to ISP1.
[FW2-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] ip address 202.0.0.1 24 //Configure an IP address for
the interface connected to ISP2.
[FW2-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW2-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/5
[FW2-GigabitEthernet1/0/5] ip address 10.10.0.2 24 //Configure an IP address for
the heartbeat line where HRP is used.
[FW2-GigabitEthernet1/0/5] quit
[FW2] interface eth-trunk 40
[FW2-Eth-Trunk40] ip address 192.168.10.2 24 //Configure an IP address for the
Eth-Trunk connected to the CSS.
[FW2-Eth-Trunk40] quit
[FW2] interface loopback 0
[FW2-LoopBack0] ip address 2.2.2.2 32 //The IP address is used as the router
ID.
[FW2-LoopBack0] quit

Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the Eth-
Trunk.

# Add interconnected interfaces to the Eth-Trunk on FW1.


[FW1] interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3] eth-trunk 30
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface gigabitethernet 1/0/4
[FW1-GigabitEthernet1/0/4] eth-trunk 30
[FW1-GigabitEthernet1/0/4] quit

# Add interconnected interfaces to the Eth-Trunk on FW2.
[FW2] interface gigabitethernet 1/0/3
[FW2-GigabitEthernet1/0/3] eth-trunk 40
[FW2-GigabitEthernet1/0/3] quit
[FW2] interface gigabitethernet 1/0/4
[FW2-GigabitEthernet1/0/4] eth-trunk 40
[FW2-GigabitEthernet1/0/4] quit

Step 3 Configure security zones where interfaces belong.


# Add interfaces to security zones.
[FW1] firewall zone trust //Add interfaces connected to the intranet to zones.
[FW1-zone-trust] add interface eth-trunk 30
[FW1-zone-trust] quit
[FW1] firewall zone dmz //Add the interface connected to the heartbeat line
of two network devices to the DMZ.
[FW1-zone-dmz] add interface gigabitethernet 1/0/5
[FW1-zone-dmz] quit
[FW1] firewall zone name isp1 //Add the interface connected to ISP1
to the ISP1 zone.
[FW1-zone-isp1] set priority 10
[FW1-zone-isp1] add interface gigabitethernet 1/0/1
[FW1-zone-isp1] quit
[FW1] firewall zone name isp2 //Add the interface connected to ISP2
to the ISP2 zone.
[FW1-zone-isp2] set priority 20
[FW1-zone-isp2] add interface gigabitethernet 1/0/2
[FW1-zone-isp2] quit
[FW2] firewall zone trust //Add the interface connected to the intranet to a
zone.
[FW2-zone-trust] add interface eth-trunk 40
[FW2-zone-trust] quit
[FW2] firewall zone dmz //Add the interface connected to the heartbeat line
of two network devices to the DMZ.
[FW2-zone-dmz] add interface gigabitethernet 1/0/5
[FW2-zone-dmz] quit
[FW2] firewall zone name isp1 //Add the interface connected to ISP1
to the ISP1 zone.
[FW2-zone-isp1] set priority 10
[FW2-zone-isp1] add interface gigabitethernet 1/0/1
[FW2-zone-isp1] quit
[FW2] firewall zone name isp2 //Add the interface connected to ISP2
to the ISP2 zone.
[FW2-zone-isp2] set priority 20
[FW2-zone-isp2] add interface gigabitethernet 1/0/2
[FW2-zone-isp2] quit

Step 4 Configure routes.


# Configure the firewall to advertise the network segment of the downlink interface.
[FW1] ospf 1 router-id 1.1.1.1
[FW1-ospf-1] sham-hello enable
[FW1-ospf-1] import-route static
[FW1-ospf-1] area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit
[FW2] ospf 1 router-id 2.2.2.2
[FW2-ospf-1] sham-hello enable
[FW2-ospf-1] import-route static
[FW2-ospf-1] area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit

# Configure default routes to the ISP. In this example, static routes are used.
[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
[FW2] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW2] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254

Step 5 Configure intelligent route selection.


# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit
[FW2] healthcheck enable
[FW2] healthcheck name isp1_health
[FW2-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1003
[FW2-healthcheck-isp1_health] quit
[FW2] healthcheck name isp2_health
[FW2-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1004
[FW2-healthcheck-isp2_health] quit

# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively.) Bind the health checks
to the links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] healthcheck isp1_health
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] healthcheck isp2_health
[FW2-GigabitEthernet1/0/2] quit

# Configure a global route selection policy and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet 1/0/1
[FW1-multi-inter] add interface gigabitethernet 1/0/2
[FW1-multi-inter] quit
[FW2] multi-interface
[FW2-multi-inter] mode proportion-of-bandwidth
[FW2-multi-inter] add interface gigabitethernet 1/0/1
[FW2-multi-inter] add interface gigabitethernet 1/0/2
[FW2-multi-inter] quit

Step 6 Configure HRP.


# Configure quick session backup, specify the heartbeat interface, and enable HRP on FW1
and FW2.
[FW1] hrp track interface eth-trunk 30
[FW1] hrp interface gigabitethernet 1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
[FW2] hrp track interface eth-trunk 40
[FW2] hrp interface gigabitethernet 1/0/5 remote 10.10.0.1
[FW2] hrp mirror session enable
[FW2] hrp enable

Step 7 Configure security policies.


# After the hot standby status is successfully established, the security policies of FW1 will be
automatically backed up to FW2.
HRP_M[FW1] security-policy
HRP_M[FW1-policy-security] rule name policy_dmz //Allow mutual access
between the local and DMZ zones.
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] action permit
HRP_M[FW1-policy-security-rule-policy_dmz] quit
HRP_M[FW1-policy-security] rule name trust_to_untrust //Allow internal network
users to access external networks.
HRP_M[FW1-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FW1-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW1-policy-security-rule-trust_to_untrust] quit

Step 8 Connect the USG6600 to the Agile Controller.


# Configure a RADIUS server template on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] radius-server template test01
HRP_M[FW1-radius-test01] radius-server shared-key cipher Admin@123
HRP_M[FW1-radius-test01] radius-server authentication 168.88.77.10 1812
HRP_M[FW1-radius-test01] radius-server accounting 168.88.77.10 1813
HRP_M[FW1-radius-test01] quit

# Perform agile network configurations on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 192.168.10.1
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit

Step 9 Configure a NAT policy.


# Create address pools named addressgroup1 (201.0.0.10 to 201.0.0.12) and addressgroup2
(202.0.0.10 to 202.0.0.12) on FW1. The address pool configured on FW1 will be
automatically synchronized to FW2.
HRP_M[FW1] nat address-group addressgroup1
HRP_M[FW1-nat-address-group-addressgroup1] section 0 201.0.0.10 201.0.0.12
HRP_M[FW1-nat-address-group-addressgroup1] mode pat
HRP_M[FW1-nat-address-group-addressgroup1] route enable
HRP_M[FW1-nat-address-group-addressgroup1] quit
HRP_M[FW1] nat address-group addressgroup2
HRP_M[FW1-nat-address-group-addressgroup2] section 1 202.0.0.10 202.0.0.12
HRP_M[FW1-nat-address-group-addressgroup2] mode pat
HRP_M[FW1-nat-address-group-addressgroup2] route enable
HRP_M[FW1-nat-address-group-addressgroup2] quit

# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-policy_nat2] quit
HRP_M[FW1-policy-nat] quit

# Contact the ISP administrator to configure routes whose destination addresses are those in
addressgroup1 and addressgroup2. The next hop is the interface address corresponding to
the USG6600.

Step 10 Configure smart DNS.
HRP_M[FW1] dns-smart enable
HRP_M[FW1] dns-smart group 1 type multi
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 202.10.1.10
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 202.20.1.10
HRP_M[FW1-dns-smart-group-1] quit

Step 11 Configure attack defense and application behavior control.


# Configure attack defense.
HRP_M[FW1] firewall defend land enable
HRP_M[FW1] firewall defend smurf enable
HRP_M[FW1] firewall defend fraggle enable
HRP_M[FW1] firewall defend winnuke enable
HRP_M[FW1] firewall defend source-route enable
HRP_M[FW1] firewall defend route-record enable
HRP_M[FW1] firewall defend time-stamp enable
HRP_M[FW1] firewall defend ping-of-death enable
HRP_M[FW1] interface GigabitEthernet 1/0/1
HRP_M[FW1-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
HRP_M[FW1-GigabitEthernet1/0/1] quit
HRP_M[FW1] interface GigabitEthernet 1/0/5
HRP_M[FW1-GigabitEthernet1/0/5] anti-ddos flow-statistic enable
HRP_M[FW1-GigabitEthernet1/0/5] quit
HRP_M[FW1] anti-ddos baseline-learn start
HRP_M[FW1] anti-ddos baseline-learn tolerance-value 100
HRP_M[FW1] anti-ddos baseline-learn apply
HRP_M[FW1] anti-ddos syn-flood source-detect
HRP_M[FW1] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FW1] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FW1] anti-ddos http-flood defend alert-rate 2000
HRP_M[FW1] anti-ddos http-flood source-detect mode basic

# Configure application behavior control.


NOTE

This function requires a license. It also requires dynamic loading of the corresponding components.

Create an application behavior control profile that denies HTTP and File Transfer Protocol (FTP)
operations during class time.
HRP_M[FW1] profile type app-control name profile_app_work
HRP_M[FW1-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] quit

Create an application behavior control profile that permits only HTTP web page browsing,
proxy-based Internet access, and file downloading during non-class time.
HRP_M[FW1] profile type app-control name profile_app_rest
HRP_M[FW1-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_rest] quit

Create a time range named working_hours. The time range is the class time.
HRP_M[FW1] time-range working_hours
HRP_M[FW1-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FW1-time-range-working_hours] quit

Create a time range named off_hours. The time range is the non-class time.
HRP_M[FW1] time-range off_hours
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FW1-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FW1-time-range-off_hours] quit

Configure a security policy named policy_sec_work and reference working_hours and
application behavior control configuration file profile_app_work to control application
behaviors of students during the class time.
HRP_A[FW1] security-policy
HRP_A[FW1-policy-security] rule name policy_sec_work
HRP_A[FW1-policy-security-rule-policy_sec_work] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_work] user any
HRP_A[FW1-policy-security-rule-policy_sec_work] time-range working_hours
HRP_A[FW1-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_A[FW1-policy-security-rule-policy_sec_work] action permit
HRP_A[FW1-policy-security-rule-policy_sec_work] quit


Configure a security policy named policy_sec_rest and reference off_hours and application
behavior control configuration file profile_app_rest to control application behaviors of
students during the non-class time.
HRP_A[FW1-policy-security] rule name policy_sec_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_rest] user any
HRP_A[FW1-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_A[FW1-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] action permit
HRP_A[FW1-policy-security-rule-policy_sec_rest] quit

----End
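The working_hours and off_hours time ranges above are meant to split every day between policy_sec_work and policy_sec_rest; a second covered by neither range matches neither rule and falls through to the default rule, and a second covered by both is decided by rule order. The following check is an added example, not part of the Huawei document: it parses the period-range lines (assuming the end time is inclusive, as the 17:30:00/17:30:01 boundary suggests) and reports gaps and overlaps per day type. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the time-range commands from this step, prompts stripped.
CONFIG = """\
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
"""

DAY_SECONDS = 24 * 3600
PERIOD_RE = re.compile(
    r"period-range (\d\d):(\d\d):(\d\d) to (\d\d):(\d\d):(\d\d) (working-day|off-day)"
)


def _sec(h, m, s):
    """Convert HH, MM, SS strings to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def _hms(sec):
    """Convert seconds since midnight back to HH:MM:SS."""
    return f"{sec // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}"


def parse_time_ranges(text):
    """Return {day_type: [(start_sec, end_sec_inclusive, range_name), ...]}."""
    periods = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("time-range "):
            current = line.split()[1]
            continue
        m = PERIOD_RE.fullmatch(line)
        if m and current:
            start = _sec(*m.group(1, 2, 3))
            end = _sec(*m.group(4, 5, 6))
            periods[m.group(7)].append((start, end, current))
    return dict(periods)


def audit(periods):
    """List (day_type, kind, first, last) for every gap or overlap found.

    Assumption: the end time of a period-range is inclusive.
    """
    findings = []
    for day_type in ("working-day", "off-day"):
        cursor = 0  # first second of the day not yet covered by any range
        for start, end, _name in sorted(periods.get(day_type, [])):
            if start > cursor:
                findings.append((day_type, "gap", _hms(cursor), _hms(start - 1)))
            elif start < cursor:
                last = min(end, cursor - 1)
                findings.append((day_type, "overlap", _hms(start), _hms(last)))
            cursor = max(cursor, end + 1)
        if cursor < DAY_SECONDS:
            findings.append((day_type, "gap", _hms(cursor), _hms(DAY_SECONDS - 1)))
    return findings


if __name__ == "__main__":
    result = audit(parse_time_ranges(CONFIG))
    print(result if result else "time ranges cover every second exactly once")
```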

4.19.2.5.5 Configuring the Agile Controller


Step 1 Log in to the Agile Controller.

# Open Internet Explorer, enter the Agile Controller access address in the address bar, and
press Enter.

The following table describes addresses for accessing the Agile Controller.

| Access Format | Description |
| --- | --- |
| https://Agile Controller-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller. |
| IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller URL will automatically change to https://Agile Controller-IP:8443. |

# Enter the administrator user name and password.

If you log in to the Agile Controller for the first time, use the super administrator user name
and password. Change the password immediately after logging in; otherwise, the Agile
Controller cannot be used.

Step 2 Add the S12700.

# Choose Resource > Device > Device Management

# Click Add to add the S12700.

Configure the IP address that the S12700 uses to communicate with the Agile Controller. Enable
RADIUS and Portal authentication, set the RADIUS authentication and accounting keys to
Admin@123, and set the real-time accounting interval to 15 minutes. Set the port number to
2000 and the Portal key to Admin@123, and set the access terminal IP address list to fall within
the allocation scope of terminal IP addresses. (A route for returning packets to the terminal IP
addresses must also be added on the Agile Controller server; that configuration is not described
here.)


# Click the XMPP tab and set XMPP interconnection parameters.

# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.


Step 3 Add the USG6600.


# Choose Resource > Device > Device Management and click Add to add the USG6600.
Configure the IP address of the USG6600 that communicates with the Agile Controller.
Enable RADIUS authentication, set the RADIUS authentication and accounting keys to
Admin@123, and set the real-time accounting interval to 15 minutes.

# Click the XMPP tab and set XMPP interconnection parameters.


# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.

Step 4 Create a device group named test and add two USG6600s to this group.
# Choose Resource > Device > Device Management, and then choose Device Group > Free
Mobility > Custom on the left side of the page to create a customized group named test.


# Click Add, select the S12700 and USG6600, and add them to the customized group.

Step 5 Configure two dynamic security groups group1 and group2, and two static security
groups server1 and server2.
# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Add and create group1 and group2.


# Choose Policy > Permission Control > Security Group > Static Security Group
Management.

# Click Add and create server1 and server2.

Step 6 Configure access control policies.

# Choose Policy > Free Mobility > Policy Configuration > Permission Control and click
Add.

# The policy matrix is as follows.


After the configuration is complete, group1 can access server1 and server2, group2 can only
access server1, and group1 and group2 cannot access each other.

# Click Global Deployment to deploy access control policies on the entire network.

Step 7 Deploy security groups.


# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Global Deployment to deploy security groups on the entire network.

Step 8 Add the internal network configuration on the Agile Controller.


# Choose Policy > Permission Control > Security Group > Intranet Configuration, add
a network segment of the internal network, and click Save. When the system asks you whether to
deploy it immediately, select Yes. The internal network segment is delivered to the firewall.


# After the network segment of the internal network is deployed successfully, run the display
agile-network intranet-address command to check the internal network segment that was
delivered to the USG6600.
HRP_M[FW1] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255

Step 9 Deploy a QoS policy based on customer requirements.


# Choose Policy > Free Mobility > Policy Configuration > QoS Policy to configure a QoS
policy.

Click next to the VIP security group and select group1.

# Click Add in Device List, select FW1 and FW2, and click OK.


# Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully, you
can view the deployment result on the USG6600. group1 is deployed as the VIP security
group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID    GroupName    VIP    priority
-------------------------------------------------------------------------------
0          unknown      no     0
1          group1       yes    5
2          group2       no     0

Step 10 Add an authentication user on the Agile Controller.


# Choose Resource > User Management, click Add to add users teacher and student, and
configure passwords.

Step 11 Configure the RADIUS relay agent on the Agile Controller to obtain packets sent from
devices and forward the packets to the RADIUS server.
# Choose System > External Authentication > RADIUS Proxy.
# Click Add.
# Set parameters and click OK.


The following table describes RADIUS relay parameters.

| Parameter | Description |
| --- | --- |
| Communication parameters: IP address of the primary RADIUS server, IP address of the secondary RADIUS server | IP addresses of the primary and secondary RADIUS servers (Srun) |
| Communication parameters: Shared key | When packets are exchanged between the Agile Controller-Campus and the RADIUS server, the RADIUS server uses this key to authenticate the identity of the Agile Controller-Campus. |
| Communication parameters: Authentication port, Accounting port | The configured shared key must be the same as that on the RADIUS server. |
| Communication parameters: Timeout interval, Retransmission count | The Agile Controller-Campus sends request packets to the RADIUS server. If no response packets are received within the timeout interval, the Agile Controller-Campus retransmits request packets. If the retransmission count is reached, the Agile Controller-Campus considers that the RADIUS server is unavailable. The timeout interval and retransmission count of the Agile Controller-Campus are the same as those of the RADIUS server. |
| Other settings: Forwarding accounting packets to the external RADIUS server | This function needs to be configured when accounting is performed for access users. The RADIUS accounting server needs to be configured. |
| Other settings: Forwarding authorization results to the external RADIUS server | This function enables the Agile Controller-Campus to forward authorization results delivered from the RADIUS server to network devices. This function is configured when the RADIUS server and network devices support the same RADIUS attributes, that is, the network devices can parse authorization results delivered by the RADIUS server. |
| Other settings: Using packet attributes returned by the RADIUS server as the authorization condition | This function is configured when the RADIUS server and network devices support different RADIUS attributes, that is, the network devices cannot parse the authorization results delivered by the RADIUS server. |
| Other settings: Delay in an attempt to connect to the primary RADIUS server when the primary RADIUS server fails | When the Agile Controller-Campus detects that the primary RADIUS server does not work properly, services are switched to the secondary RADIUS server. After the delay, the Agile Controller-Campus attempts to send authentication packets to the primary RADIUS server again. |

Step 12 Define customization conditions corresponding to security groups on the Agile Controller.
# Choose Policy > Policy Element > Customize Condition.
# Click Add.
# Set parameters and click OK.


Table 4-98 Information about customization conditions

| Customization Condition | Parameter | Value |
| --- | --- | --- |
| group1 | Name | group1 |
| | Attribute list: Vendor type or standard attribute | IETF standard attribute |
| | Attribute list: Attribute number or name | Filter-ID (11) |
| | Attribute list: Attribute type | String |
| | Attribute list: Operator | Equal |
| | Attribute list: Attribute value | 25 |
| group2 | Name | group2 |
| | Attribute list: Vendor type or standard attribute | IETF standard attribute |
| | Attribute list: Attribute number or name | Filter-ID (11) |
| | Attribute list: Attribute type | String |
| | Attribute list: Operator | Equal |
| | Attribute list: Attribute value | 26 |

Step 13 Add authorization results on the Agile Controller.


# Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result, and click Add to create an authorization result.


Table 4-99 Information about authorization results

| Authorization Result | Parameter | Value | Description |
| --- | --- | --- | --- |
| group1 | Name | group1 | - |
| | Service type | Access service | - |
| | ACL number/AAA user group | group1 | - |
| group2 | Name | group2 | - |
| | Service type | Access service | - |
| | ACL number/AAA user group | group2 | - |


# Click OK.
Step 14 Add an authorization rule.
# Choose Policy > Permission Control > Authentication & Authorization >
Authorization rule, and click Add to create an authorization rule.

Table 4-100 Information about authorization rules

| Authorization rule | Parameter | Value | Description |
| --- | --- | --- | --- |
| group1 | Name | group1 | - |
| | Service type | Access service | - |
| | Customization condition | group1 | - |
| | Authorization result | group1 | - |
| group2 | Name | group2 | - |
| | Service type | Access service | - |
| | Customization condition | group2 | - |
| | Authorization result | group2 | - |


# Click OK.

Step 15 Define authentication rules on the Agile Controller and enable the RADIUS relay agent.


# Choose Policy > Permission Control > Authentication & Authorization >
Authentication rule, and click Add to create an authentication rule.

# Click OK.

----End
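The customization conditions in Table 4-98 match on the Filter-Id attribute returned by the RADIUS server, and the shared key is what allows the reply to be trusted before that attribute is used. The following is an added example, not Agile Controller or Srun code: it follows the RFC 2865 packet layout, verifies the Response Authenticator with the shared key, and maps Filter-Id 25 and 26 to group1 and group2. The function names, the secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # IETF standard attribute used in Table 4-98

# Customization condition (Filter-Id value) -> authorization result, per Table 4-100.
RULES = {"25": "group1", "26": "group2"}


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, filter_id, request_auth, secret):
    """Construct a sample Access-Accept carrying one Filter-Id attribute."""
    value = filter_id.encode("ascii")
    attrs = struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def authorize(packet, request_auth, secret):
    """Return the security group for a verified Access-Accept, or None.

    None means no authorization rule matched; the caller should apply its
    default result rather than grant a group.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch (wrong shared key or tampering)")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(attrs):
        if atype == FILTER_ID:
            return RULES.get(value.decode("ascii", "replace"))
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-key"      # constructed value, not from the page
    request_auth = bytes(range(16))          # constructed Request Authenticator
    packet = build_access_accept(1, "25", request_auth, secret)
    print(authorize(packet, request_auth, secret))
```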

4.19.2.5.6 Configuring the Srun


Step 1 Activate the software.

# Enter the URL http://168.88.77.9:8081/admin.php in the browser to access the Srun4000
management system. Both the account and password are admin. Choose System > System
Auth, enter the authorization code, and click Save.

# Run the following commands to restart services on the console.


/srun3/bin/srun3d_all stop
/srun3/bin/srun3d_all start

Step 2 Add the Agile Controller and an authentication switch on the Srun4000.


# Choose Device > Add Device to add switches.

# Choose Radius > Radius Trust Setting to add an authentication switch as a trusted device.

# Click Generate.

# The configuration of the Agile Controller at 168.88.77.10 is similar to that of the RADIUS
trusted device, and is not mentioned here.

# Run the following commands to restart services on the console.


/srun3/bin/srun3d_all stop
/srun3/bin/srun3d_all start

Step 3 Add RADIUS attributes on the Srun.

# Choose Radius > Add Radius Attributes. The RADIUS attribute is the same as the
customization condition of the Agile Controller. The RADIUS attribute name is Filter-ID
(input value is 11). The fixed value is the RADIUS attribute value customized on the Agile
Controller (this value can be 25 or 26).


Step 4 Configure accounting policies on the Srun4000.


# Enter https://168.88.77.9:8080 in the browser to access the accounting management system
of the Srun4000. Enter the account and password to log in to the system and add a new
accounting policy.
# Choose Strategy > Billing, and then click Add to add an accounting policy.


# Click Save.

Step 5 Configure control policies on the Srun4000.

# Choose Strategy > Control. Click Add to add two control policies and associate the two
policies with the customized attributes group1 and group2 respectively. Other parameters can
be modified as needed.

# Click Save.


Step 6 Configure an accounting group on the Srun4000 and bind the accounting group to the
corresponding accounting and control policies.
# Choose Strategy > Product. Click Add to create two new accounting
groups group1_accounting and group2_accounting. Bind accounting
groups group1_accounting and group2_accounting to control
policies group1_control and group2_control and the accounting policy accounting_policy.

# Click Save.
Step 7 Create user groups on the Srun4000.
# Choose System Setting > Permission > Organization Structure, place the cursor on
, and click to add user groups group1 and group2.

# Click Save changed data.


Step 8 Create users on the Srun4000.
# Choose Account > Add, add two users named user1 and user2. The two users' passwords
are both Huawei123. Associate users with authentication and accounting groups.


# Click Save.

----End

4.19.2.6 Verification
Step 1 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the core switch to view deployment information.
# Run the display ucl-group all command on the core switch to view deployment
information of the security group.
[CORE-SWITCH] display ucl-group all
ID     UCL group name
--------------------------------------------------------------------------------
1      group1
2      group2
--------------------------------------------------------------------------------
Total : 2

# Run the display acl all command on the core switch to view the access control policy.
[CORE-SWITCH] display acl all
Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2 (match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1 (match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-counter 0)

Step 2 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 to check deployment information.
# Run the display agile-network security-group all command on the USG6600 to check the
security group configuration.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID    GroupName    VIP    priority
-------------------------------------------------------------------------------
0          unknown      no     0
2          group2       no     0
1          group1       yes    5

# Run the display security-policy rule all command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy all
Total:7
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable deny 128877
5 Auto_PGM_U2_1 enable permit 0
6 Auto_PGM_U2_2 enable deny 0
7 Auto_PGM_U2_3 enable deny 0
8 Auto_PGM_U1_1 enable permit 0
9 Auto_PGM_U1_2 enable permit 0
10 Auto_PGM_U1_3 enable deny 0
-------------------------------------------------------------------------------

# Run the display security-policy rule command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy rule name Auto_PGM_U2_1
(0 times matched)
rule name Auto_PGM_U2_1
destination-address 21.0.0.100 0.0.0.0
source-group 2
action permit

Step 3 Use the user name and password defined on the Srun to authenticate a wireless user. After the
wireless user is successfully authenticated, you can see that the user security group has been
successfully matched and the bandwidth has been successfully delivered by querying the
switch user table.
# Check online information of the wireless user named user1 on the core switch.
[CORE-SWITCH] display access-user user-id 16063

Basic:


User ID : 16063
User name : user1
Domain-name : huawei
User MAC : 0c96-bfe1-a39d
User IP address : 172.16.30.252
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/29 11:16:57
User accounting session ID : CORE-SW00210000000030f6dc890003ebf
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 357(s)
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wireless user named user2 on the core switch.
[CORE-SWITCH] display access-user user-id 16064

Basic:
User ID : 16064
User name : user2
Domain-name : huawei
User MAC : 0c96-bfe1-a2c2
User IP address : 172.16.30.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/29 11:30:04
User accounting session ID : CORE-SW00210000000030ab520e0003ec0
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 228(s)
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 4 Use the user name and password defined on the Srun to authenticate a wired user. After the
wired user is successfully authenticated, you can see that the user security group has been
successfully matched and the bandwidth has been successfully delivered by querying the
switch user table.
# Check online information of the wired user named user1 on the core switch.


[CORE-SWITCH] display access-user user-id 16066

Basic:
User ID : 16066
User name : user1
Domain-name : huawei
User MAC : 28f1-0e02-8647
User IP address : 172.16.40.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/29 11:41:08
User accounting session ID : CORE-SW002200000000404a82dc0003ec2
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wired user named user2 on the core switch.
[CORE-SWITCH] display access-user user-id 16067
Basic:
User ID : 16067
User name : user2
Domain-name : huawei
User MAC : 3cd9-2b5d-d9dc
User IP address : 172.16.40.253
User vpn-instance : -
User IPv6 address : -
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/29 11:45:44
User accounting session ID : CORE-SW00220000000040b9a9400003ec3
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 5 After the user goes online, the user packet can trigger the USG6600 to obtain a correct
security group from the Agile Controller.
HRP_M[FW1] display agile-network user
Total user: 2, show user: 2.
-------------------------------------------------------------------------------
IP-address       Create-time            Rate(input,output)    Security-group
-------------------------------------------------------------------------------
172.16.30.252    2016/07/29 13:53:50    0 0                   1-group1
172.16.30.254    2016/07/29 14:12:47    0 0                   2-group2


Step 6 After configuring HRP, run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-06-23 19:16:46 HRP core state changed,
old_state = abnormal(active), new_state = normal, local_priority = 44998,
peer_priority = 44998.

HRP_S[FW2] display hrp state


Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-07-28 20:43:16 HRP link changes to up.

Step 7 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-06-23 19:24:21 HRP core state changed,
old_state = normal, new_state = abnormal(active), local_priority = 44998,
peer_priority = 44996.

----End
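The display acl all output in Step 1 can be checked mechanically against the intended policy matrix (group1 can access server1 and server2, group2 can only access server1, and the two groups cannot access each other). The following is an added example, not part of the Huawei document: it assumes server1 is 21.0.0.100 and server2 is 22.0.0.100, inferred from which rules permit group2, and evaluates rules in rule-ID order with the first match deciding. The function names are hypothetical.

```python
import re

# Constructed input: the rules shown in Step 1, with wrapped lines rejoined.
ACL_OUTPUT = """\
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2 (match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1 (match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-counter 0)
"""

# Assumption: addresses inferred from the ACL (group2 is permitted only to 21.0.0.100).
SERVERS = {"server1": "21.0.0.100", "server2": "22.0.0.100"}

# Intended matrix as stated after the access control policy step.
EXPECTED = {
    ("group1", "server1"): "permit",
    ("group1", "server2"): "permit",
    ("group1", "group2"): "deny",
    ("group2", "server1"): "permit",
    ("group2", "server2"): "deny",
    ("group2", "group1"): "deny",
}

# Handles the two destination forms in the output: a UCL group name, or a
# host address followed by wildcard 0.
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source ucl-group name (\S+) "
    r"destination (?:ucl-group name (\S+)|(\d+\.\d+\.\d+\.\d+) 0)"
)


def parse_rules(text):
    """Extract rule id, action, source group and destination from the output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append({
                "id": int(m.group(1)),
                "action": m.group(2),
                "src": m.group(3),
                "dst": m.group(4) or m.group(5),
            })
    return rules


def decide(rules, src, dst):
    """Return the action of the lowest-numbered rule matching src and dst."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule["src"] == src and rule["dst"] == dst:
            return rule["action"]
    return "no-match"


def audit(rules):
    """Return (src, dst, expected, actual) for every cell that deviates."""
    deviations = []
    for (src, dst_name), want in sorted(EXPECTED.items()):
        got = decide(rules, src, SERVERS.get(dst_name, dst_name))
        if got != want:
            deviations.append((src, dst_name, want, got))
    return deviations


if __name__ == "__main__":
    result = audit(parse_rules(ACL_OUTPUT))
    print(result if result else "deployed ACL matches the intended matrix")
```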

4.19.2.7 Configuration Script


S5700-A
#
sysname S5700-A
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
port-isolate enable group 1
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
#
return

S5700-B
#
sysname S5700-B
#
lldp enable
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
port-isolate enable group 1
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
#
return


S7700-A
#
sysname S7700-A
#
vlan batch 40
#
interface Eth-Trunk20
description connect to S127
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet3/0/1
eth-trunk 20
#
interface XGigabitEthernet2/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
port-isolate enable group 1
#
return

S7700-B
#
sysname S7700-B
#
vlan batch 20
#
interface Eth-Trunk10
description connect to S127
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet3/0/1
eth-trunk 10
#
interface XGigabitEthernet2/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
port-isolate enable group 1
#
return

S12700 CSS
#
sysname CORE-SWITCH
#
traffic classifier test
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior test
statistic enable
car cir 100
#
traffic policy test
classifier test behavior test
#
lldp enable
#
vlan batch 10 20 30 40 1000
#
stp instance 0 root primary
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%# src-ip 168.88.77.157
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
#
mac-address update arp
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
url http://168.88.77.10:8080/portal
source-ip 168.88.77.157
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
authentication-profile p1
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
#
interface Eth-Trunk20
description con to S7700-A
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
stp root-protection
#
interface Eth-Trunk30
port link-type access
port default vlan 10
#
interface Eth-Trunk40
port link-type access
port default vlan 10
#
interface XGigabitEthernet 1/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface GigabitEthernet 1/2/0/0
eth-trunk 30
#
interface GigabitEthernet 1/2/0/1
eth-trunk 40
#
interface GigabitEthernet 1/3/0/0
port link-type access
port default vlan 1000
#
interface XGigabitEthernet 2/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 2/1/0/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet 2/2/0/0
eth-trunk 30
#
interface GigabitEthernet 2/2/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
sham-hello enable
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 172.16.30.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 192.168.10.0 0.0.0.255
#
arp topology-change disable
#
capwap source interface vlanif20
#
wlan
traffic-profile name test
traffic-optimize broadcast-suppression packets 128
traffic-optimize multicast-suppression packets 128
ssid-profile name portal
ssid portal_test
traffic-policy test outbound
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
traffic-profile test
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return

FW1
#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk30
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1001
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1002
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 1813 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk30
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.1 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.2 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface Eth-Trunk30
add interface Eth-Trunk40
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 1.1.1.1
sham-hello enable
import-route static
area 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 0 202.0.0.10 202.0.0.12
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 192.168.10.1
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
xmpp connect
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 map 202.20.1.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return

FW2
#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk40
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1003
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1004
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 1813 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk40
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface Eth-Trunk30
add interface Eth-Trunk40
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 2.2.2.2
sham-hello enable
import-route static
area 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 0 202.0.0.10 202.0.0.12
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 192.168.10.2
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
xmpp connect
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
dns-smart enable
dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 map 202.20.1.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return

4.19.3 Higher Education Campus Network Deployment Case (Aggregation Switch Used as the Gateway and Authentication Point)

4.19.3.1 Application Scenario and Service Requirements

Application Scenario
This solution uses the aggregation switch as the gateway and authentication point and applies
to higher education campus networks with more than 15,000 access users, meeting customers'
requirements of unified management and configuration for access switches.

Service Requirements
The number of campus users must be considered when a school campus network is
built. Users on a school campus can access the campus network only after being
authenticated. To ensure network security, users of different roles must be assigned
different network access rights.
Education industry networks must meet the following requirements:

• Access
  Provide both wired and wireless access.
• Security
  Assign different network rights to students, teachers, and other roles.
• Authentication
  Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
  authentication for wireless users.
• Accounting
  There are accounting requirements.
• O&M
  Uniformly manage wired and wireless networks.

4.19.3.2 Solution Design

Networking Diagram
The aggregation switch S12700 or S7700 is configured as the authentication point and
gateway on the entire school campus backbone network. The S12700 and S7700 have the
X1E card installed, support native AC, and carry wireless services on the entire network.

Figure 4-89 Networking diagram

Network Design
• Configure egress FWs to carry outgoing services, isolate the external network from the
  internal network, and implement service routing and NAT between the internal and
  external networks.
• Enable the intelligent path selection function on the FWs to allow the FWs to select
  egress interfaces according to the egress link bandwidth, thereby maximizing link
  resource usage and improving user experience.
• To enable internal network users to access external networks, configure NAT on the
  uplink interfaces of the egress FWs to convert between private network IP addresses and
  public network IP addresses.
• Enable the smart domain name system (DNS) function on the FWs to ensure that user
  access requests of different carriers are properly parsed.
• Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a
  campus network, providing high network reliability and scalability.
• The S12700 and S7700 are used as aggregation switches in each office building and
  connect to access switches of each floor. The S5700 is used as the access switch.
• The aggregation switches S12700 and S7700 are configured with native AC to manage
  APs on the entire network and transmit wireless services to implement wired and
  wireless convergence.
• The aggregation switches S12700 and S7700 are used as the gateway for both wired and
  wireless users on the entire network, and forward packets of users based on routes. The
  S12700 and S7700 also function as the authentication point to authenticate wired and
  wireless users.
• Strict STA IP address learning through DHCP, dynamic ARP inspection, and IPSG are
  enabled to prevent IP packets from unauthorized users from accessing the external
  network through APs, improving device security.
• To enable DHCP clients to obtain IP addresses through valid DHCP servers, and prevent
  bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP packet attacks,
  you are advised to configure DHCP snooping. If both wired and wireless users exist on
  the network, you are not advised to enable DHCP snooping on switch interfaces
  connecting to APs. Doing so may cause the number of user binding entries on switches to
  exceed the specification. Therefore, you are advised to configure DHCP snooping for
  wired users based on VLANs and to configure DHCP snooping for wireless users on the
  wireless-side VAP profiles.
• If there are no multicast services transmitted on the network, you are advised to
  configure multicast packet suppression to reduce impact of a large number of low-rate
  multicast packets on the wireless network.
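
The DHCP snooping and VAP-profile controls named in the list above can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the Huawei document: it assumes the one-space-per-level indentation that the device prints (the listings extracted on this page have lost it), and the function names, the wired_vlans parameter and both sample configurations are constructed for illustration.

```python
import re

# VAP-profile commands taken from the page's S12700 script, mapped to the
# control each one implements in the Network Design list.
VAP_REQUIRED = {
    "learn-client-address dhcp-strict": "strict STA IP address learning through DHCP",
    "arp anti-attack check user-bind enable": "dynamic ARP inspection",
    "ip source check user-bind enable": "IPSG",
}

def parse_tree(text):
    """Turn an indentation-nested configuration into [(line, children), ...]."""
    root = []
    stack = [(-1, root)]  # (indent of the owning line, its child list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' only separates top-level views
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root

def audit(text, wired_vlans):
    """Return a sorted list of (scope, finding) for absent or risky settings."""
    tree = parse_tree(text)
    findings = []
    if not any(line == "dhcp snooping enable" for line, _ in tree):
        findings.append(("global", "DHCP snooping is not enabled globally"))
    snooped = set()
    for line, kids in tree:
        cmds = [k for k, _ in kids]
        m = re.fullmatch(r"vlan (\d+)", line)
        if m and "dhcp snooping enable" in cmds:
            snooped.add(int(m.group(1)))
        if line.startswith("interface ") and "dhcp snooping enable" in cmds:
            # The audit cannot tell which ports face APs, so it asks for review.
            findings.append((line, "DHCP snooping enabled on the interface; "
                                   "confirm it does not connect to APs"))
        if line == "wlan":
            for vap, vap_kids in kids:
                if not vap.startswith("vap-profile name "):
                    continue
                present = {k for k, _ in vap_kids}
                for cmd, control in VAP_REQUIRED.items():
                    if cmd not in present:
                        findings.append((vap, f"missing '{cmd}' ({control})"))
    for vlan in sorted(set(wired_vlans) - snooped):
        findings.append((f"vlan {vlan}", "wired service VLAN without DHCP snooping"))
    return sorted(findings)

# Constructed sample following the data plan (VLAN 30 wireless, VLAN 40 wired).
HARDENED = """\
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
#
interface Eth-Trunk10
 port link-type trunk
 port trunk allow-pass vlan 20
#
wlan
 ssid-profile name portal
  ssid portal_test
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
"""

# Constructed sample containing the gaps the audit is meant to report.
WEAK = """\
vlan 40
#
interface Eth-Trunk10
 port link-type trunk
 dhcp snooping enable
#
wlan
 vap-profile name wlan-vap
  service-vlan vlan-id 30
  ip source check user-bind enable
"""

if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name)
        for scope, finding in audit(cfg, wired_vlans={40}):
            print(f"  [{scope}] {finding}")
```
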

Involved NEs and Software Versions


Product | Software Version
S12700 equipped with the X1E card | V200R011C10
S7700 equipped with the X1E card | V200R011C10
S5700 | V200R011C10
Agile Controller-Campus | V100R003C30
FW(USG6650) | V500R001C60
NGFW module | V500R001C60
AP | V200R007C20

4.19.3.3 Configuration Roadmap and Data Plan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the access switch.
2. Use two S12700s to set up a CSS.
3. Configure the core switch connected to the NGFW module and USG6600.
4. Establish a connection between the NGFW card and the Agile Controller.
5. Configure interfaces and VLANs on the aggregation switch S12700.
6. Configure the aggregation switch as a DHCP server to allocate IP addresses to users.
7. Configure wireless services on the aggregation switch S12700 and configure wired
services on the S7700.
8. Configure wired and wireless authentication and accounting services on the aggregation
switch S12700 or S7700. Portal authentication is used as an example here.
9. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the
aggregation switch for interworking with the Agile Controller, and enable free mobility.
10. Configure interfaces and IP addresses on the firewall.
11. Configure zones and security policies on the firewall.
12. Configure HRP on the firewall.
13. Perform agile network configurations on the firewall.
14. Log in to the Agile Controller to add user groups and user accounts.
15. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add an aggregation switch and a firewall (including the NGFW module)
on the Agile Controller.
16. Configure and deploy security groups and inter-group policies on the Agile Controller.
17. Configure and deploy QoS policies on the Agile Controller.
18. Configure and deploy service chains on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.

25. Configure user group management and create users on the Srun.

Data Plan

Table 4-101 Basic service data plan of the core switch


Item | VLAN ID | Network Segment
Network segment connected to the NGFW card | VLAN 9 | 192.168.9.2/24
Network segment connected to the uplink interface on the USG6600 | VLAN 10 | 192.168.10.3/24
Network segment connected to the downlink interface on the S12700 | VLAN 11 | 192.168.11.2/24
Network segment connected to the downlink interface on the S7700 | VLAN 12 | 192.168.12.2/24
Network segment connected to the Agile Controller | VLAN 1000 | 168.88.77.157/17
LoopBack 1 | - | 3.3.3.3/32

Table 4-102 Basic service data plan of the NGFW module


Item | VLAN ID | Network Segment
Network segment connected to the core switch | VLAN 9 | 192.168.9.1/24
Remote addresses for service chains | - | 172.30.100.1/32, 172.30.101.1/32
LoopBack 1 | - | 4.4.4.4/32

Table 4-103 Basic service data plan of the aggregation switch S12700
Item | VLAN ID | Network Segment
Network segment connected to the uplink interface on the core switch S12700 | VLAN 11 | 192.168.11.1/24
mVLAN for APs | VLAN 20 | 192.168.20.1/24
Service VLAN of wireless users | VLAN 30 | 172.16.30.1/24
Tunnel addresses of service chains | - | 172.30.100.2/32, 172.30.101.2/32
LoopBack 1 | - | 1.1.1.1/32

Table 4-104 Basic service data plan of the aggregation switch S7700
Item | VLAN ID | Network Segment
Network segment connected to the uplink interface on the core switch S12700 | VLAN 12 | 192.168.12.1/24
Service VLAN of wired users | VLAN 40 | 172.16.40.1/24
Tunnel addresses of service chains | - | 172.30.100.3, 172.30.101.3
LoopBack 1 | - | 2.2.2.2/32

Table 4-105 Basic service data plan of the aggregation switch S12700 or S7700
Item | Data
RADIUS server template | Authentication server IP address: 168.88.77.10; Authentication server port number: 1812; Accounting server IP address: 168.88.77.10; Accounting server port number: 1813; RADIUS server shared key: Admin@123; Accounting interval: 15 minutes
Portal server | URL: http://168.88.77.10:8080/portal; IP address: 168.88.77.10; Port number: 50100; Shared key: Admin@123
XMPP password | Admin@123
Pre-authentication domain | DNS server IP address: 168.88.77.140
Post-authentication domain | User1 matches the free mobility intra-group policy and is allowed to access Server1 and Server2; User2 matches the free mobility intra-group policy and is allowed to access Server1 but is not allowed to access Server2; User1 and user2 cannot access each other.

Table 4-106 Service data plan of the Agile Controller


Item | Data
IP address of the aggregation switch S12700 | 1.1.1.1
IP address of the aggregation switch S7700 | 2.2.2.2
IP address of the NGFW card | 4.4.4.4
IP address of FW1 | 5.5.5.5
IP address of FW2 | 6.6.6.6
RADIUS authentication key | Admin@123
RADIUS accounting key | Admin@123
Portal parameters | Settings on the two core switches: Port number: 2000; Portal key: Admin@123; IP address segment of access terminals: 172.16.0.0/16
Security group | group1; group2
Resource group | server1: 21.0.0.100; server2: 22.0.0.100

Table 4-107 Service data plan of the Srun


Item | Parameter | Data
Device management | IP address of the core switch | 168.88.77.157
Device management | RADIUS key | Admin@123
Device management | Portal key | Admin@123
Device management | Portal redirection page | index_2.html
Portal | Authentication address of AAA | 168.88.77.9
Portal | Authentication port of AAA | 1812
Portal | Accounting address of AAA | 168.88.77.9
Portal | Accounting port (accounting port of AAA) | 1813
Portal | NAS IP | 168.88.77.10/1.1.1.1/2.2.2.2
Portal | Portal key | Admin@123
Portal | DM port | 3799
RADIUS attribute | Name | group1 and group2
RADIUS attribute | Attribute name | Filter-ID
RADIUS attribute | Vendor-ID | 0
RADIUS attribute | Vendor-name | -
RADIUS attribute | Attribute ID | 11
RADIUS attribute | Type | Integer
RADIUS attribute | Delivery condition | Delivery without any condition
RADIUS attribute | Format | %d
RADIUS attribute | Fixed value | 25 and 26
RADIUS attribute | Dictionary | dictionary.rfc2865
RADIUS attribute | NAS type | Huawei, H3C, Srun gateways
Accounting policy | Name | account_policy
Control policy | Name | group1_control and group2_control
Accounting group | Name | group1_accounting bound to the accounting policy account_policy and the control policy group1_control
Accounting group | Name | group2_accounting bound to the accounting policy account_policy and the control policy group2_control
User group | Name | group1 and group2
User | User name/password | user1/Huawei123 bound to the user group group1 and the accounting group group1_accounting
User | User name/password | user2/Huawei123 bound to the user group group2 and the accounting group group2_accounting

Table 4-108 Data plan of the egress solution and USG6600 HRP
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
FW1 | GE1/0/1 | - | - | 201.0.0.1/24 | Public IP address1 assigned by ISP1 to an enterprise |
FW1 | GE1/0/2 | - | - | 202.0.0.2/24 | Public IP address2 assigned by ISP2 to an enterprise |
FW1 | GE1/0/5 | - | - | 10.10.0.1/24 | FW2 | GE1/0/5
FW1 | Eth-Trunk 1 | GE1/0/3, GE1/0/4 | - | 192.168.10.1/24 | S12700 CSS2 | Eth-Trunk 3
FW2 | GE1/0/1 | - | - | 201.0.0.2/24 | Public IP address3 assigned by ISP1 to an enterprise |
FW2 | GE1/0/2 | - | - | 202.0.0.1/24 | Public IP address4 assigned by ISP2 to an enterprise |
FW2 | GE1/0/5 | - | - | 10.10.0.2/24 | FW1 | GE1/0/5
FW2 | Eth-Trunk 1 | GE1/0/3, GE1/0/4 | - | 192.168.10.2/24 | S12700 CSS2 | Eth-Trunk 4
S12700 CSS2 | Eth-Trunk 3 | GE1/2/0/0, GE2/2/0/0 | VLANIF 10 | 192.168.10.3/24 | FW1 | Eth-Trunk 1
S12700 CSS2 | Eth-Trunk 4 | GE1/2/0/1, GE2/2/0/1 | VLANIF 10 | 192.168.10.3/24 | FW2 | Eth-Trunk 1
S12700 CSS2 | Eth-Trunk0 | XGE1/4/0/0, XGE1/4/0/1 | - | - | NGFW module | Eth-Trunk 0
S12700 CSS2 | Eth-Trunk 1 | XGE1/3/1/0, XGE2/3/1/0 | - | - | Aggregation switch S12700 | Eth-Trunk 1
S12700 CSS2 | Eth-Trunk 2 | XGE1/3/1/1, XGE2/3/1/2 | - | - | Aggregation switch S7700 | Eth-Trunk 1
NGFW module | Eth-Trunk 0 | GE1/0/0, GE1/0/1 | - | - | S12700 CSS2 | Eth-Trunk 0
Aggregation switch S12700 | Eth-Trunk 1 | XGE2/1/0, XGE2/1/1 | - | - | S12700 CSS2 | Eth-Trunk 1
Aggregation switch S12700 | GE1/1/0 | - | - | - | S5700-A | GE0/0/25
Aggregation switch S7700 | Eth-Trunk 1 | XGE2/1/0, XGE2/1/1 | - | - | S12700 CSS2 | Eth-Trunk 2
Aggregation switch S7700 | GE2/0/1 | - | - | - | S5700-B | GE0/0/25

4.19.3.4 Configuration Notes

Free Mobility Configuration Notes


• The Agile Controller-Campus can support the free mobility function only after a license
  is loaded.
• To implement free mobility, authentication points for intranet users must be deployed on
  agile switches. It is recommended that S12700 and S7700 with X1E/X2S/X2E/X2H
  cards, and S5720-HI switches be used.
• Policy enforcement points for free mobility are deployed on agile switches or Next-
  Generation Firewalls (NGFWs).
• If there is a requirement for user-to-user access control, Layer 2 isolation must be
  deployed on access switches to divert all traffic to authentication point switches. User
  isolation for wireless service needs to be configured in the VAP profile.
• If 802.1X authentication needs to be deployed on switches and firewalls function as
  policy enforcement points for free mobility, it is required to configure real-time
  accounting on switches. The switches report IP addresses to the Agile Controller-
  Campus for firewalls to query by sending accounting packets.
• When 802.1X authentication is used for wired users, the authentication points can be
  core switches or aggregation switches. If the authentication points are core switches,
  EAP packet transparent transmission must be configured on access switches and
  aggregation switches. Similarly, if the authentication points are aggregation switches,
  EAP packet transparent transmission must be configured on access switches.
• When a firewall functions as a policy enforcement point, the intranet user network
  segment needs to be specified on the Agile Controller-Campus for the firewall to query
  the security group to which an IP address belongs. When user access traffic reaches the
  firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
  its security group. The firewall will initiate inquiries only when the IP addresses are
  within the intranet segment.
• When a firewall functions as a policy enforcement point, to prevent the security group
  queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
  recommended that the Agile Controller-Campus deliver global configurations to the
  firewall and forward RADIUS packets to the Agile Controller-Campus.
• Only firewalls support the free mobility QoS policy.
• To implement free mobility, only firewalls support the application-based access
  permission control, bandwidth rate limit, and priority scheduling.

SVF Configuration Notes


• When an AS goes online, it must be unconfigured (without any startup configuration
file) and there must be no input on the console port. Before an AS connects to an SVF
system, it is recommended that you remove the network cable from the console port. If
SecureCRT is used as a HyperTerminal, set SecureCRT not to automatically send
characters.
• Each AS can be a stack of up to five member devices that are the same model and
provide the same number or different numbers of ports. An AS can be a stack of devices
of the same series but different models. If an AS is a stack, you can run the slot
command to modify the preconfigured device type.
• Each AS has a unique management MAC address. You can view the MAC address of a
device on the MAC address label.

• In a stack system, before connecting an AS with the name and MAC address pre-
configured on the parent to an SVF system, it is recommended that you set up a stack for
the AS and then configure the pre-configured MAC address as the management MAC
address. You can configure the MAC address as the MAC address of the master switch
in the stack. In this situation, the AS management MAC address is the same as the pre-
configured one by default, and no management MAC address needs to be configured. If
the AS name and MAC address are configured after the AS connects to an SVF system,
the management MAC address does not need to be configured.
• Some Huawei switches can connect to an SVF system through downlink ports. Before
restarting an AS, check whether the port that connects this AS to the parent is a downlink
port. You can run the display port connection-type access all command on this AS to
view all downlink ports on it. If this port is a downlink port, run the uni-mng up-
direction fabric-port command on this AS to configure this port as an uplink port
before restarting this AS. Otherwise, this AS cannot go online.
• Stack member switches connected using downlink service ports cannot join an SVF
system as ASs.
• If downlink service ports of an AS are configured as member ports of an uplink fabric
port, all the downlink ports of the AS cannot be configured as stack member ports.
• Pay attention to the following notes when replacing a faulty AS:
– An AS can only be replaced by a device of the same model. If the new device is a
different model, the SVF system considers it as a new AS, which then cannot
inherit services on the previous AS.
– Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
– AS automatic replacement is not supported when an AS connects to the parent
through a network.
– To ensure that a replacement AS can be successfully authenticated, run the auth-
mode none command to set the AS authentication mode to none, or run the
whitelist mac-address command to add the management MAC address of the
replacement AS to the whitelist. If the replacement AS has no management MAC
address configured, the system MAC address is used as the management MAC
address.

4.19.3.5 Configuration Procedure

4.19.3.5.1 Configuring the Access Switch S5700-A in Office Building A


Step 1 Create a service VLAN for wireless users and configure the VLAN allowed by an interface.
The configuration of the access switch S5700 in office building B is similar to that in office
building A, and is not mentioned here.
# Create a VLAN.
<S5700-A> system-view
[S5700-A] vlan batch 20

# Configure an uplink interface connected to the aggregation switch.


[S5700-A] interface gigabitethernet 0/0/25
[S5700-A-GigabitEthernet0/0/25] port link-type trunk
[S5700-A-GigabitEthernet0/0/25] port trunk allow-pass vlan 20
[S5700-A-GigabitEthernet0/0/25] undo port trunk allow-pass vlan 1
[S5700-A-GigabitEthernet0/0/25] quit

# Configure a downlink interface connected to APs.


[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type trunk
[S5700-A-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[S5700-A-GigabitEthernet0/0/1] port trunk pvid vlan 20
[S5700-A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] stp edged-port enable
[S5700-A-GigabitEthernet0/0/1] quit

----End

4.19.3.5.2 Configuring Core Switches


Step 1 Use two S12700s to set up a CSS.
# Install CSS cards on S12700-1 and S12700-2, and connect cluster cables.
For details on CSS setup, see CSS of S Switches.
# Configure the CSS connection mode, CSS ID, and CSS priority.
<S12700-1> system-view
[S12700-1] set css mode css-card
[S12700-1] set css id 1
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-1] set css priority 100 //On S12700-1, set the CSS ID and CSS
priority to 1 and 100, respectively.
<S12700-2> system-view
[S12700-2] set css mode css-card
[S12700-2] set css id 2
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.

[S12700-2] set css priority 10 //On S12700-2, set the CSS ID and CSS
priority to 2 and 10, respectively.

# Enable the CSS function.


[S12700-1] css enable //Enable the CSS function on
S12708-1 and restart S12708-1.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
[S12700-2] css enable //Enable the CSS function on S12708-2
and restart S12708-2.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Check whether a CSS is set up successfully. If the card status of two member switches is
displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit

2. Configure MAD in direct mode on GE2/1/1/7.


[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit

3. Check detailed MAD configuration of the CSS.


[CSS] display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
 GigabitEthernet1/1/1/7
 GigabitEthernet2/1/1/7
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
 XGigabitEthernet1/6/0/0
 XGigabitEthernet2/6/0/0

Step 3 Configure basic network parameters.


# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname core-switch
[core-switch] vlan batch 9 10 11 12 1000

# Create a loopback interface, and specify the IP address of this interface as the OSPF router
ID.

[core-switch] interface loopback 1


[core-switch-LoopBack1] ip address 3.3.3.3 255.255.255.255
[core-switch-LoopBack1] quit

# Configure IP addresses for interconnected interfaces.


[core-switch] interface vlanif 9 //This interface is connected to the NGFW
module.
[core-switch-Vlanif9] ip address 192.168.9.2 255.255.255.0
[core-switch-Vlanif9] quit
[core-switch] interface vlanif 10 //The uplink interface connects to the
USG6600.
[core-switch-Vlanif10] ip address 192.168.10.3 255.255.255.0
[core-switch-Vlanif10] quit
[core-switch] interface vlanif 11 //The downlink interface connects to the
aggregation switch S12700.
[core-switch-Vlanif11] ip address 192.168.11.2 255.255.255.0
[core-switch-Vlanif11] quit
[core-switch] interface vlanif 12 //The downlink interface connects to the
aggregation switch S7700.
[core-switch-Vlanif12] ip address 192.168.12.2 255.255.255.0
[core-switch-Vlanif12] quit
[core-switch] interface vlanif 1000 //The interface connects to the Agile
Controller.
[core-switch-Vlanif1000] ip address 168.88.77.157 255.255.128.0
[core-switch-Vlanif1000] quit

# Add interfaces to VLANs.


[core-switch] interface eth-trunk 0 //Create Eth-Trunk 0 connected to the NGFW
module.
[core-switch-Eth-Trunk0] port link-type trunk
[core-switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[core-switch-Eth-Trunk0] port trunk allow-pass vlan 9
[core-switch-Eth-Trunk0] stp disable //Disable STP on Eth-Trunk 0 connected to
the firewall.
[core-switch-Eth-Trunk0] quit
[core-switch] interface xgigabitethernet 1/4/0/0
[core-switch-XGigabitEthernet1/4/0/0] eth-trunk 0
[core-switch-XGigabitEthernet1/4/0/0] quit
[core-switch] interface xgigabitethernet 1/4/0/1
[core-switch-XGigabitEthernet1/4/0/1] eth-trunk 0
[core-switch-XGigabitEthernet1/4/0/1] quit
[core-switch] interface eth-trunk 1 //Create Eth-Trunk 1 connected to the
aggregation switch S12700.
[core-switch-Eth-Trunk1] port link-type trunk
[core-switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[core-switch-Eth-Trunk1] port trunk allow-pass vlan 11
[core-switch-Eth-Trunk1] quit
[core-switch] interface xgigabitethernet 1/3/1/0
[core-switch-XGigabitEthernet1/3/1/0] eth-trunk 1
[core-switch-XGigabitEthernet1/3/1/0] quit
[core-switch] interface xgigabitethernet 2/3/1/0
[core-switch-XGigabitEthernet2/3/1/0] eth-trunk 1
[core-switch-XGigabitEthernet2/3/1/0] quit
[core-switch] interface eth-trunk 2 //Create Eth-Trunk 2 connected to the
aggregation switch S7700.
[core-switch-Eth-Trunk2] port link-type trunk
[core-switch-Eth-Trunk2] undo port trunk allow-pass vlan 1
[core-switch-Eth-Trunk2] port trunk allow-pass vlan 12
[core-switch-Eth-Trunk2] quit
[core-switch] interface xgigabitethernet 1/3/1/1
[core-switch-XGigabitEthernet1/3/1/1] eth-trunk 2
[core-switch-XGigabitEthernet1/3/1/1] quit
[core-switch] interface xgigabitethernet 2/3/1/1
[core-switch-XGigabitEthernet2/3/1/1] eth-trunk 2
[core-switch-XGigabitEthernet2/3/1/1] quit
[core-switch] interface eth-trunk 3 //Create Eth-Trunk 3 connected to FW1.
[core-switch-Eth-Trunk3] port link-type access
[core-switch-Eth-Trunk3] port default vlan 10

[core-switch-Eth-Trunk3] quit
[core-switch] interface gigabitethernet 1/2/0/0
[core-switch-GigabitEthernet1/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet1/2/0/0] quit
[core-switch] interface gigabitethernet 2/2/0/0
[core-switch-GigabitEthernet2/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet2/2/0/0] quit
[core-switch] interface eth-trunk 4 //Create Eth-Trunk 4 connected to FW2.
[core-switch-Eth-Trunk4] port link-type access
[core-switch-Eth-Trunk4] port default vlan 10
[core-switch-Eth-Trunk4] quit
[core-switch] interface gigabitethernet 1/2/0/1
[core-switch-GigabitEthernet1/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet1/2/0/1] quit
[core-switch] interface gigabitethernet 2/2/0/1
[core-switch-GigabitEthernet2/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet2/2/0/1] quit
[core-switch] interface gigabitethernet 1/2/0/20
[core-switch-GigabitEthernet1/2/0/20] port link-type access
[core-switch-GigabitEthernet1/2/0/20] port default vlan 1000
[core-switch-GigabitEthernet1/2/0/20] quit

Step 4 Configure the NGFW module.

# Configure interworking between the NGFW module and the core switch.
[NGFW Module] vlan batch 9
[NGFW Module] interface vlanif 9
[NGFW Module-Vlanif9] ip address 192.168.9.1 255.255.255.0
[NGFW Module-Vlanif9] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] quit
[NGFW Module] interface gigabitethernet 1/0/0
[NGFW Module-GigabitEthernet1/0/0] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/0] quit
[NGFW Module] interface gigabitethernet 1/0/1
[NGFW Module-GigabitEthernet1/0/1] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/1] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] portswitch
[NGFW Module-Eth-Trunk0] port link-type trunk
[NGFW Module-Eth-Trunk0] port trunk allow-pass vlan 9
[NGFW Module-Eth-Trunk0] undo port trunk allow-pass vlan 1
[NGFW Module-Eth-Trunk0] quit

# Configure loopback interfaces' addresses.


[NGFW Module] interface loopback 1 //The interface is used to interwork with
the Agile Controller.
[NGFW Module-LoopBack1] ip address 4.4.4.4 255.255.255.255
[NGFW Module-LoopBack1] quit
[NGFW Module] interface loopback 100 //The interface is used for service
orchestration.
[NGFW Module-LoopBack100] ip address 172.30.100.1 255.255.255.255
[NGFW Module-LoopBack100] quit
[NGFW Module] interface loopback 101 //The interface is used for service
orchestration.
[NGFW Module-LoopBack101] ip address 172.30.101.1 255.255.255.255
[NGFW Module-LoopBack101] quit

# Configure a security zone.


[NGFW Module] firewall zone trust
[NGFW Module-zone-trust] add interface eth-trunk 0
[NGFW Module-zone-trust] add interface vlanif 9
[NGFW Module-zone-trust] quit

# Configure a security policy.

[NGFW Module] security-policy
[NGFW Module-policy-security] default action permit //Traffic that matches no security policy rule is permitted.
[NGFW Module-policy-security] quit

# Configure agile services on the NGFW module.


[NGFW Module] radius-server template test01
[NGFW Module-radius-test01] radius-server shared-key cipher Admin@123
[NGFW Module-radius-test01] radius-server authentication 168.88.77.10 1812 source LoopBack 0
[NGFW Module-radius-test01] radius-server accounting 168.88.77.10 1813 source LoopBack 0
[NGFW Module-radius-test01] quit
[NGFW Module] agile-network
[NGFW Module-agile-network] radius-server test01
[NGFW Module-agile-network] server ip 168.88.77.10
[NGFW Module-agile-network] local ip 4.4.4.4
[NGFW Module-agile-network] password Admin@123
[NGFW Module-agile-network] agile-network enable
[NGFW Module-agile-network] xmpp connect
[NGFW Module-agile-network] quit

# Configure a route on the NGFW module.


[NGFW Module] ip route-static 0.0.0.0 0.0.0.0 192.168.9.2

Step 5 Configure routes on the core switch.

# Configure a routing protocol based on site requirements. OSPF and static routing protocols
are used here.
[core-switch] ip ip-prefix test01 index 1 permit 172.16.30.0 24 //The route is
advertised to the firewall only.
[core-switch] ip ip-prefix test01 index 2 permit 172.16.40.0 24
[core-switch] ospf 1 router-id 3.3.3.3
[core-switch-ospf-1] filter-policy ip-prefix test01 export static //Configure
the core switch to advertise static routes to network segments of wired and
wireless users.
[core-switch-ospf-1] sham-hello enable
[core-switch-ospf-1] import-route static
[core-switch-ospf-1] area 0.0.0.0
[core-switch-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the
core switch to advertise the network segment connected to the USG6600.
[core-switch-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the
core switch to advertise the address segment of the Agile Controller.
[core-switch-ospf-1-area-0.0.0.0] quit
[core-switch-ospf-1] quit
[core-switch] ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
[core-switch] ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
[core-switch] ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
[core-switch] ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
[core-switch] ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
[core-switch] ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.101.3 255.255.255.255 192.168.12.1

----End

4.19.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A


The configuration of the S7700 is similar to that of the aggregation switch, and is not
mentioned here.

Step 1 Configure basic network parameters.


# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname S12700
[S12700] vlan batch 11 20 30

# Enable DHCP globally, and configure DHCP snooping for the service VLAN.
[S12700] dhcp enable
[S12700] dhcp snooping enable
[S12700] vlan 30
[S12700-vlan30] dhcp snooping enable
[S12700-vlan30] quit

# Create loopback interfaces.


[S12700] interface loopback 1 //The interface is used to interwork with
the Agile Controller.
[S12700-LoopBack1] ip address 1.1.1.1 255.255.255.255
[S12700-LoopBack1] quit
[S12700] interface loopback 100 //The interface is used for service
orchestration.
[S12700-LoopBack100] ip address 172.30.100.2 255.255.255.255
[S12700-LoopBack100] quit
[S12700] interface loopback 101 //The interface is used for service
orchestration.
[S12700-LoopBack101] ip address 172.30.101.2 255.255.255.255
[S12700-LoopBack101] quit

# Create VLANIF 11 connected to the core switch.


[S12700] interface vlanif 11
[S12700-Vlanif11] ip address 192.168.11.1 255.255.255.0
[S12700-Vlanif11] quit

# Create a wireless management interface VLANIF 20, and assign IP addresses to APs from
the interface address pool.
[S12700] interface vlanif 20
[S12700-Vlanif20] ip address 192.168.20.1 255.255.255.0
[S12700-Vlanif20] dhcp select interface
[S12700-Vlanif20] quit

# Create a wireless service interface VLANIF 30, and assign IP addresses to STAs from the
interface address pool.
[S12700] interface vlanif 30
[S12700-Vlanif30] ip address 172.16.30.1 255.255.255.0
[S12700-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP
proxy; otherwise, wireless users cannot communicate through the AC. Determine the
configuration according to the actual situation.
[S12700-Vlanif30] dhcp select interface
[S12700-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server
address for terminals.
[S12700-Vlanif30] quit

# Add uplink and downlink interfaces to the corresponding VLANs.


[S12700] interface eth-trunk 1 //The interface is connected to the core
switch.
[S12700-Eth-Trunk1] port link-type trunk
[S12700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S12700-Eth-Trunk1] port trunk allow-pass vlan 11
[S12700-Eth-Trunk1] quit
[S12700] interface xgigabitethernet 2/1/0
[S12700-XGigabitEthernet2/1/0] eth-trunk 1
[S12700-XGigabitEthernet2/1/0] quit

[S12700] interface xgigabitethernet 2/1/1
[S12700-XGigabitEthernet2/1/1] eth-trunk 1
[S12700-XGigabitEthernet2/1/1] quit
[S12700] interface gigabitethernet 1/1/0 //The interface is connected to S5700-A.
[S12700-GigabitEthernet1/1/0] port link-type trunk
[S12700-GigabitEthernet1/1/0] undo port trunk allow-pass vlan 1
[S12700-GigabitEthernet1/1/0] port trunk allow-pass vlan 20
[S12700-GigabitEthernet1/1/0] quit

# Configure the gateway S12700 to disable TC packet-triggered ARP entry update and to
enable MAC address-triggered ARP entry update.
[S12700] arp topology-change disable
[S12700] mac-address update arp

# The gateway is specified as the root bridge and root protection is configured on the
designated port of the root bridge. (Root protection can be configured only on a downlink
port.)
[S12700] stp instance 0 root primary
[S12700] interface gigabitethernet 1/1/0
[S12700-GigabitEthernet1/1/0] stp root-protection

Step 2 Configure routes.


# Configure a routing protocol based on site requirements. Static routing protocols are used
here.
[S12700] ip route-static 0.0.0.0 0.0.0.0 192.168.11.2

Step 3 Configure authentication parameters.


# Set the NAC mode to unified.
[S12700] authentication unified-mode

# Configure a RADIUS server template.


[S12700] radius-server template test01
[S12700-radius-test01] radius-server authentication 168.88.77.10 1812 source ip-address 1.1.1.1 //Configure the IP address of the primary RADIUS authentication server, and set the authentication port number to 1812.
[S12700-radius-test01] radius-server accounting 168.88.77.10 1813 source ip-address 1.1.1.1 //Configure the IP address of the primary accounting server, and set the accounting port number to 1813.
[S12700-radius-test01] radius-server shared-key cipher Admin@123 //The shared key must be the same as that configured on the Agile Controller.
[S12700-radius-test01] quit

# Configure the RADIUS authorization server.


[S12700] radius-server authorization 168.88.77.10 shared-key cipher Admin@123

# Configure an authentication scheme test01 and set the authentication mode to RADIUS.
[S12700] aaa
[S12700-aaa] authentication-scheme test01
[S12700-aaa-authen-test01] authentication-mode radius
[S12700-aaa-authen-test01] quit

# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[S12700-aaa] accounting-scheme test01
[S12700-aaa-accounting-test01] accounting-mode radius
[S12700-aaa-accounting-test01] accounting realtime 15 //Set the accounting
interval to 15 minutes.
[S12700-aaa-accounting-test01] quit

# Create an authentication domain named huawei and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[S12700-aaa] domain huawei
[S12700-aaa-domain-huawei] authentication-scheme test01
[S12700-aaa-domain-huawei] accounting-scheme test01
[S12700-aaa-domain-huawei] radius-server test01
[S12700-aaa-domain-huawei] quit

# Configure the Portal authentication server and create a Portal access profile named portal1.
[S12700] web-auth-server test01
[S12700-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address
of the Portal authentication server.
[S12700-web-auth-server-test01] source-ip 1.1.1.1
[S12700-web-auth-server-test01] port 50100 //Configure the port number
of the Portal authentication server.
[S12700-web-auth-server-test01] shared-key cipher Admin@123 //Configure the
shared key for communication between the Portal authentication server and switch.
The shared key must be the same as that of the Agile Controller.
[S12700-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure
the URL of the web page.
[S12700-web-auth-server-test01] quit
[S12700] portal-access-profile name portal1
[S12700-portal-acces-profile-portal1] web-auth-server test01 direct
[S12700-portal-acces-profile-portal1] quit

# Configure an authentication-free rule to permit packets from the DNS server so that the
Portal authentication page can be redirected.
[S12700] free-rule-template name default_free_rule
[S12700-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[S12700-free-rule-default_free_rule] quit

# Configure an authentication profile named p1.


[S12700] authentication-profile name p1
[S12700-authen-profile-p1] portal-access-profile portal1
[S12700-authen-profile-p1] free-rule-template default_free_rule
[S12700-authen-profile-p1] access-domain huawei portal force
[S12700-authen-profile-p1] quit

Step 4 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1
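
A defender-side check for the settings used in this procedure, as an added example that is not part of the Huawei document: the Python script below reads a command transcript and flags a security policy whose default action is permit, one secret value reused across RADIUS, Portal and controller commands, and a Portal URL served over HTTP. The sample transcript is constructed from commands on this page; the function names and finding labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: command lines taken from this page's NGFW module and
# S12700 steps, with the inline // comments shortened.
SAMPLE = """\
[NGFW Module] security-policy
[NGFW Module-policy-security] default action permit
[NGFW Module-radius-test01] radius-server shared-key cipher Admin@123
[NGFW Module-agile-network] password Admin@123
[S12700-radius-test01] radius-server shared-key cipher Admin@123 //Same key as the controller
[S12700] radius-server authorization 168.88.77.10 shared-key cipher Admin@123
[S12700-web-auth-server-test01] shared-key cipher Admin@123
[S12700-web-auth-server-test01] url http://168.88.77.10:8080/portal //Portal page URL
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1
Warning: This action may cause service interruption. Continue?[Y/N]y
"""

# "[view] command" or "<view> command"; device output lines do not match.
PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
# Commands on this page that carry a secret as their next token.
SECRET = re.compile(r"\b(?:shared-key\s+cipher|password)\s+(\S+)")


def strip_comment(cmd):
    """Drop a trailing ' //comment' without cutting the '//' inside a URL."""
    return re.sub(r"\s+//.*$", "", cmd).strip()


def parse(transcript):
    """Yield (view, command) for each prompt line; skip device output."""
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group(2):
            yield m.group(1), strip_comment(m.group(2))


def audit(transcript):
    """Return a list of (finding, view, detail) tuples."""
    findings = []
    uses = defaultdict(list)  # secret value -> views in which it is set
    for view, cmd in parse(transcript):
        if view.endswith("policy-security") and cmd == "default action permit":
            findings.append(("default-permit", view,
                             "traffic matching no rule is forwarded"))
        if re.match(r"url\s+http://", cmd):
            findings.append(("cleartext-portal-url", view, cmd.split()[1]))
        m = SECRET.search(cmd)
        if m:
            uses[m.group(1)].append(view)
    for views in uses.values():
        if len(views) > 1:
            # Report where the value is reused, never the value itself.
            findings.append(("secret-reuse", "; ".join(views),
                             f"{len(views)} commands share one secret"))
    return findings


if __name__ == "__main__":
    for finding, view, detail in audit(SAMPLE):
        print(f"{finding:22} {view}: {detail}")
```
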

Step 5 Configure WLAN services.


# Create an AP group and add APs with the same configuration to the AP group.
[S12700] wlan
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[S12700-wlan-view] regulatory-domain-profile name domain1
[S12700-wlan-regulate-domain-domain1] country-code CN
[S12700-wlan-regulate-domain-domain1] quit
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12700-wlan-ap-group-ap-group1] quit
[S12700-wlan-view] quit

# Configure the source interface of the AC.

[S12700] capwap source interface vlanif 20

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Assume that
the MAC address of the AP is ac85-3d95-d800.
[S12700] wlan
[S12700-wlan-view] ap auth-mode mac-auth
[S12700-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[S12700-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[S12700-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[S12700-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------------
ID  MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0   ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1

# Configure WLAN service parameters.


[S12700-wlan-view] ssid-profile name portal
[S12700-wlan-ssid-prof-portal] ssid portal_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-ssid-prof-portal] quit
[S12700-wlan-view] traffic-profile name test
[S12700-wlan-traffic-prof-test] quit
[S12700-wlan-view] vap-profile name wlan-vap //Create a VAP profile and
define 802.1X authentication. Enable IPSG, dynamic ARP detection, and STA IP
address learning on APs to improve VAP security.
[S12700-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-vap-prof-wlan-vap] service-vlan vlan-id 30
[S12700-wlan-vap-prof-wlan-vap] ssid-profile portal
[S12700-wlan-vap-prof-wlan-vap] traffic-profile test
[S12700-wlan-vap-prof-wlan-vap] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-vap-prof-wlan-vap] ip source check user-bind enable
[S12700-wlan-vap-prof-wlan-vap] arp anti-attack check user-bind enable
[S12700-wlan-vap-prof-wlan-vap] learn-client-address dhcp-strict
[S12700-wlan-vap-prof-wlan-vap] quit

NOTE

The prerequisites for running the ip source check user-bind enable command are as follows.
The IP packet check is based on the binding table, so:
• The dynamic DHCP snooping binding table has been generated for DHCP users.
• The static binding table has been configured manually for users using static IP addresses.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
• The DHCP trusted port has been disabled using the undo dhcp trust port command in the VAP
profile view.
• STA IP address learning has been enabled using the undo learn-client-address { ipv4 |
ipv6 } disable command.

# Bind the VAP profile to the AP group.


[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[S12700-wlan-ap-group-ap-group1] quit

# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[S12700] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2

Step 6 Configure multicast/broadcast packet suppression.


No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected. The following configurations are used only in tunnel forwarding
mode:
● For the traffic from the user side to the network side, you are advised to configure
multicast packet suppression in the traffic profile of the core switch.
# Set the maximum rate of broadcast packets to 128 pps in traffic profile test.
[S12700-wlan-view] traffic-profile name test
[S12700-wlan-traffic-prof-test] traffic-optimize broadcast-suppression packets 128
# Set the maximum rate of multicast packets to 128 pps in the traffic profile test.
[S12700-wlan-view] traffic-profile name test
[S12700-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 128
● If a large number of multicast or broadcast packets are sent from the network side to the
wireless user side, the air interface usage of the AP is high. In this instance, configure a
traffic policy on the core switch to suppress the broadcast/multicast packets going
upstream from the wireless user side to the AP. Before configuring a traffic policy, check
whether the corresponding multicast or broadcast services are available on the live
network.
# Create a traffic classifier named test and define a matching rule.
[S12700] traffic classifier test
[S12700-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[S12700-classifier-test] quit
# Create a traffic behavior named test, enable traffic statistics collection, and set the
traffic rate limit.
[S12700] traffic behavior test
[S12700-behavior-test] statistic enable
[S12700-behavior-test] car cir 100 //Configure the rate limit to 100 kbit/s. If multicast services are available, you are advised to rate-limit the packets based on service traffic.
[S12700-behavior-test] quit

# Create a traffic policy named test, and bind the traffic classifier and traffic behavior to
the traffic policy.
[S12700] traffic policy test
[S12700-trafficpolicy-test] classifier test behavior test
[S12700-trafficpolicy-test] quit

# Apply the traffic policy to the outbound direction in an SSID profile.


[S12700] wlan
[S12700-wlan-view] ssid-profile name portal
[S12700-wlan-ssid-prof-portal] traffic-policy test outbound
[S12700-wlan-ssid-prof-portal] quit
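
The classifier above matches destination MAC 0100-5e00-0000 under mask ffff-ff00-0000. The following Python check is an added example, not part of the original guide: it applies that mask to constructed sample destinations and shows that only IPv4 multicast frames fall under the rate limit, while Ethernet broadcast and IPv6 multicast frames do not. The function names and sample addresses are assumptions made for the illustration.

```python
"""Which destination MACs does the traffic classifier on this page match?"""
import ipaddress

# Values taken from the classifier on the page.
RULE_MAC = "0100-5e00-0000"
RULE_MASK = "ffff-ff00-0000"


def parse_mac(text):
    """Parse xxxx-xxxx-xxxx (the CLI notation) or xx:xx:xx:xx:xx:xx into an integer."""
    digits = text.replace("-", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Format a 48-bit integer in the CLI's xxxx-xxxx-xxxx notation."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def classifier_matches(dst_mac, rule_mac=RULE_MAC, rule_mask=RULE_MASK):
    """Masked comparison: only the bits set in the mask have to be equal."""
    mask = parse_mac(rule_mask)
    return (parse_mac(dst_mac) & mask) == (parse_mac(rule_mac) & mask)


def ipv4_group_to_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC: 01-00-5e plus the low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return format_mac(0x01005E000000 | (int(addr) & 0x7FFFFF))


# Constructed sample destinations (not captured traffic).
SAMPLES = {
    "IPv4 multicast 224.0.0.251": ipv4_group_to_mac("224.0.0.251"),
    "IPv4 multicast 239.255.255.250": ipv4_group_to_mac("239.255.255.250"),
    "Ethernet broadcast": "ffff-ffff-ffff",
    "IPv6 multicast (33-33 prefix)": "3333-0000-00fb",
    "unicast (AP MAC from the display vap output)": "ac85-3d95-d800",
}


def classify(samples=SAMPLES):
    """Return {label: True/False} telling whether the classifier would match."""
    return {label: classifier_matches(mac) for label, mac in samples.items()}


if __name__ == "__main__":
    for label, hit in classify().items():
        print(f"{'rate-limited' if hit else 'not matched':12}  {SAMPLES[label]}  {label}")
```

Broadcast toward the air interface is therefore governed only by the broadcast-suppression setting in the traffic profile, not by this traffic policy.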

Step 7 Configure LLDP.


# Configure LLDP on the core switch.
To view the Layer 2 link status between network devices and analyze the network topology,
enable LLDP. To view the Layer 2 link status between APs and access switches or analyze the
network topology, enable WLAN LLDP. WLAN LLDP can be enabled in the system view
and the AP wired port link profile view. The AP sends or receives LLDP packets only when
LLDP is enabled in both views. By default, it is enabled in both.
[S12700] lldp enable
[S12700] wlan
[S12700-wlan-view] ap lldp enable
[S12700-wlan-view] port-link-profile name default
[S12700-wlan-port-link-prof-default] lldp enable
[S12700-wlan-port-link-prof-default] quit
[S12700-wlan-view] quit

# Configure LLDP on access switches.


After LLDP is configured, the device can analyze powered devices (PDs). When LLDP is
disabled, the device can detect and classify PDs only by analyzing the current and resistance
between the device and PDs. Compared with current and resistance analysis, the LLDP
function provides a more comprehensive and accurate analysis. After LLDP is enabled in the
system view, all interfaces are enabled with LLDP.
[S5700-A] lldp enable

----End

4.19.3.5.4 Configuring the USG6650s


The configuration of FW2 is similar to that of FW1, and is not mentioned here. In addition,
after configuring HRP, some configurations will be automatically synchronized to FW2.

Step 1 Configure interfaces.


# Configure interfaces on FW1.
[USG6650] sysname FW1
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 201.0.0.1 24 //Configure an IP address for the interface connected to ISP1.
[FW1-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address 202.0.0.2 24 //Configure an IP address for the interface connected to ISP2.
[FW1-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW1-GigabitEthernet1/0/2] quit
[FW1] interface gigabitethernet 1/0/5
[FW1-GigabitEthernet1/0/5] ip address 10.10.0.1 24 //Configure an IP address for the heartbeat line where HRP is used.
[FW1-GigabitEthernet1/0/5] quit
[FW1] interface eth-trunk 1
[FW1-Eth-Trunk1] ip address 192.168.10.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk1] quit
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 5.5.5.5 32 //The IP address is used as the router ID.
[FW1-LoopBack0] quit

Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the Eth-Trunk.

# Add interconnected interfaces to the Eth-Trunk on FW1.


[FW1] interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3] eth-trunk 1
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface gigabitethernet 1/0/4
[FW1-GigabitEthernet1/0/4] eth-trunk 1
[FW1-GigabitEthernet1/0/4] quit

Step 3 Configure security zones where interfaces belong.

# Add interfaces to security zones.


[FW1] firewall zone trust //Add the interface connected to the intranet to the trust zone.
[FW1-zone-trust] add interface eth-trunk 1
[FW1-zone-trust] quit
[FW1] firewall zone dmz //Add the interface connected to the heartbeat line of two network devices to the DMZ.
[FW1-zone-dmz] add interface gigabitethernet 1/0/5
[FW1-zone-dmz] quit
[FW1] firewall zone name isp1 //Add the interface connected to ISP1 to the ISP1 zone.
[FW1-zone-isp1] set priority 10
[FW1-zone-isp1] add interface gigabitethernet 1/0/1
[FW1-zone-isp1] quit
[FW1] firewall zone name isp2 //Add the interface connected to ISP2 to the ISP2 zone.
[FW1-zone-isp2] set priority 20
[FW1-zone-isp2] add interface gigabitethernet 1/0/2
[FW1-zone-isp2] quit

Step 4 Configure intelligent route selection.

# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface gigabitethernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface gigabitethernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit

# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively.) Configure health check
for links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit

# Configure a global route selection policy, and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet1/0/1
[FW1-multi-inter] add interface gigabitethernet1/0/2
[FW1-multi-inter] quit

Step 5 Configure smart DNS.


HRP_M[FW1] dns-smart enable
HRP_M[FW1] dns-smart group 1 type multi
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 202.10.1.10
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 202.20.1.10
HRP_M[FW1-dns-smart-group-1] quit

Step 6 Configure HRP.

# Configure quick session backup, specify the heartbeat interface, and enable HRP on FW1
and FW2.
[FW1] hrp track interface eth-trunk 30
[FW1] hrp interface gigabitethernet 1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
[FW2] hrp track interface eth-trunk 40
[FW2] hrp interface gigabitethernet 1/0/5 remote 10.10.0.1
[FW2] hrp mirror session enable
[FW2] hrp enable

Step 7 Configure security policies.

# After the hot standby status is successfully created, the security policies of FW1 will be
automatically backed up to FW2.
HRP_M[FW1] security-policy
HRP_M[FW1-policy-security] rule name policy_dmz //Allow mutual access between the local and DMZ zones.
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] action permit
HRP_M[FW1-policy-security-rule-policy_dmz] quit
HRP_M[FW1-policy-security] rule name trust_to_untrust //Allow internal network users to access external networks.
HRP_M[FW1-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FW1-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW1-policy-security-rule-trust_to_untrust] quit

Step 8 Connect the USG6600 to the Agile Controller.

# Configure a RADIUS server template.


HRP_M[FW1] radius-server template test01
HRP_M[FW1-radius-test01] radius-server shared-key cipher Admin@123
HRP_M[FW1-radius-test01] radius-server authentication 168.88.77.10 1812 source loopback 0
HRP_M[FW1-radius-test01] radius-server accounting 168.88.77.10 1813 source loopback 0
HRP_M[FW1-radius-test01] quit

# Perform agile network configurations.


HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 5.5.5.5
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit

Step 9 Configure a NAT policy.


# Create address pools named addressgroup1 (201.0.0.10 to 201.0.0.12) and addressgroup2
(202.0.0.10 to 202.0.0.12).
HRP_M[FW1] nat address-group addressgroup1
HRP_M[FW1-address-group-addressgroup1] section 0 201.0.0.10 201.0.0.12
HRP_M[FW1-address-group-addressgroup1] mode pat
HRP_M[FW1-address-group-addressgroup1] route enable
HRP_M[FW1-address-group-addressgroup1] quit
HRP_M[FW1] nat address-group addressgroup2
HRP_M[FW1-address-group-addressgroup2] section 1 202.0.0.10 202.0.0.12
HRP_M[FW1-address-group-addressgroup2] mode pat
HRP_M[FW1-address-group-addressgroup2] route enable
HRP_M[FW1-address-group-addressgroup2] quit

# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-rule-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-rule-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-rule-policy_nat2] quit
HRP_M[FW1-policy-nat] quit

# Contact the ISP administrator to configure routes whose destination addresses are the
addresses in addressgroup1 and addressgroup2. The next hop is the corresponding interface
address of the USG6600.

Step 10 Configure routes based on site requirements.

# Advertise OSPF routes.
HRP_M[FW1] ospf 1 router-id 5.5.5.5
HRP_M[FW1-ospf-1] import-route static
HRP_M[FW1-ospf-1] sham-hello enable
HRP_M[FW1-ospf-1] area 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0] quit
HRP_M[FW1-ospf-1] quit

# Configure default routes to the ISP server. In this example, static routes are used.
HRP_M[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
HRP_M[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254

Step 11 Configure attack defense and application behavior control.


# Configure attack defense.
HRP_M[FW1] firewall defend land enable
HRP_M[FW1] firewall defend smurf enable
HRP_M[FW1] firewall defend fraggle enable
HRP_M[FW1] firewall defend winnuke enable
HRP_M[FW1] firewall defend source-route enable
HRP_M[FW1] firewall defend route-record enable
HRP_M[FW1] firewall defend time-stamp enable
HRP_M[FW1] firewall defend ping-of-death enable
HRP_M[FW1] interface GigabitEthernet 1/0/1
HRP_M[FW1-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
HRP_M[FW1-GigabitEthernet1/0/1] quit
HRP_M[FW1] interface GigabitEthernet 1/0/5
HRP_M[FW1-GigabitEthernet1/0/5] anti-ddos flow-statistic enable
HRP_M[FW1-GigabitEthernet1/0/5] quit
HRP_M[FW1] anti-ddos baseline-learn start
HRP_M[FW1] anti-ddos baseline-learn tolerance-value 100
HRP_M[FW1] anti-ddos baseline-learn apply
HRP_M[FW1] anti-ddos syn-flood source-detect
HRP_M[FW1] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FW1] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FW1] anti-ddos http-flood defend alert-rate 2000
HRP_M[FW1] anti-ddos http-flood source-detect mode basic

# Configure application behavior control.

NOTE

This function requires a license. It also requires dynamic loading of the corresponding components.

Create an application behavior control profile to forbid HTTP and File Transfer Protocol (FTP)
operations during study time.
HRP_M[FW1] profile type app-control name profile_app_work
HRP_M[FW1-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] quit

Create an application behavior control profile to permit only HTTP web page browsing,
proxy-based Internet access, and file downloading during rest time.
HRP_M[FW1] profile type app-control name profile_app_rest
HRP_M[FW1-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_rest] quit

Create a time range named working_hours. The time range is the class time.
HRP_M[FW1] time-range working_hours
HRP_M[FW1-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FW1-time-range-working_hours] quit

Create a time range named off_hours. The time range is the non-class time.
HRP_M[FW1] time-range off_hours
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FW1-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FW1-time-range-off_hours] quit

Configure a security policy named policy_sec_work and reference working_hours and
application behavior control configuration file profile_app_work to control application
behaviors of students during the class time.
HRP_A[FW1] security-policy
HRP_A[FW1-policy-security] rule name policy_sec_work
HRP_A[FW1-policy-security-rule-policy_sec_work] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_work] user any
HRP_A[FW1-policy-security-rule-policy_sec_work] time-range working_hours
HRP_A[FW1-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_A[FW1-policy-security-rule-policy_sec_work] action permit
HRP_A[FW1-policy-security-rule-policy_sec_work] quit

Configure a security policy named policy_sec_rest and reference off_hours and application
behavior control configuration file profile_app_rest to control application behaviors of
students during the non-class time.
HRP_A[FW1-policy-security] rule name policy_sec_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_rest] user any
HRP_A[FW1-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_A[FW1-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] action permit
HRP_A[FW1-policy-security-rule-policy_sec_rest] quit

----End
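
The trust-zone rules configured in Step 7 and Step 11 overlap: trust_to_untrust matches the same zones as policy_sec_work and policy_sec_rest and carries no time range. The following Python check is an added example, not part of the original guide. It assumes that rules are evaluated top-down in the order entered with the first match winning (the page does not state the matching order), reports rules fully covered by an earlier rule, and verifies that working_hours and off_hours leave no gap or overlap; the Rule class and function names are hypothetical.

```python
"""Shadowed-rule and time-coverage check for the FW1 security policy on this page.

Assumption (not stated on the page): rules are evaluated top-down in the order
they were entered, and the first matching rule decides the action and profile.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
DAY_TYPES = ("working-day", "off-day")


def sec(hms):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


# period-range lines from the page: (day type, first second, last second), inclusive.
TIME_RANGES = {
    "working_hours": [("working-day", sec("09:00:00"), sec("17:30:00"))],
    "off_hours": [
        ("off-day", sec("00:00:00"), sec("23:59:59")),
        ("working-day", sec("00:00:00"), sec("08:59:59")),
        ("working-day", sec("17:30:01"), sec("23:59:59")),
    ],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    time_range: Optional[str] = None  # None: the rule applies at all times


TRUST, ISPS = frozenset({"trust"}), frozenset({"isp1", "isp2"})
LOCAL_DMZ = frozenset({"local", "dmz"})
# Rules in the order they are entered on the page.
RULES = [
    Rule("policy_dmz", LOCAL_DMZ, LOCAL_DMZ),
    Rule("trust_to_untrust", TRUST, ISPS),
    Rule("policy_sec_work", TRUST, ISPS, "working_hours"),
    Rule("policy_sec_rest", TRUST, ISPS, "off_hours"),
]


def active_seconds(time_range, day_type):
    """Seconds of a day of `day_type` during which the named time range is active."""
    if time_range is None:
        return set(range(DAY))
    active = set()
    for kind, first, last in TIME_RANGES[time_range]:
        if kind == day_type:
            active.update(range(first, last + 1))
    return active


def covers(earlier, later):
    """True when everything `later` can match is already matched by `earlier`."""
    if not (later.src <= earlier.src and later.dst <= earlier.dst):
        return False
    return all(active_seconds(later.time_range, d) <= active_seconds(earlier.time_range, d)
               for d in DAY_TYPES)


def shadowed(rules):
    """(rule, earlier rule) pairs where one earlier rule alone covers the later rule.

    Pairwise only: a rule covered by the union of several earlier rules is not reported.
    """
    found = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def uncovered(names, day_type):
    """Seconds of `day_type` on which none of the named time ranges is active."""
    covered = set()
    for name in names:
        covered |= active_seconds(name, day_type)
    return sorted(set(range(DAY)) - covered)


def overlapping(first, second, day_type):
    """Seconds of `day_type` on which both named time ranges are active."""
    return sorted(active_seconds(first, day_type) & active_seconds(second, day_type))


if __name__ == "__main__":
    for rule, earlier in shadowed(RULES):
        print(f"{rule} is never reached: {earlier} matches first")
```

Under the stated assumption, the check reports policy_sec_work and policy_sec_rest as covered by trust_to_untrust, so the application behavior control profiles would never be applied in this order; evaluating the two time-bound rules ahead of the unconditional one clears both findings.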

4.19.3.5.5 Configuring the Agile Controller


Step 1 Log in to the Agile Controller.
1. Open Internet Explorer, enter the Agile Controller access address in the address bar,
and press Enter. The following table describes addresses for accessing the Agile
Controller.

| Access Format | Description |
|---|---|
| https://AgileController-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller. |
| IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller address will automatically change to https://Agile Controller-IP:8443. |

2. Enter the administrator user name and password. If you log in to the Agile Controller for
the first time, use the super administrator user name and password. Change the password
immediately after logging in; otherwise, the Agile Controller cannot be used.
Step 2 Add the aggregation switch S12700.
1. Choose Resource > Device > Device Management and add the aggregation switch
S12700 to the authentication point device. Configure the IP address for the S12700 that
communicates with the Agile Controller. Enable RADIUS and Portal authentication, set
the RADIUS authentication and accounting keys to Admin@123, and set the real-time
accounting interval to 15 minutes. Set the Portal port to 2000, the Portal key to Admin@123,
and the access terminal IP address list to be within the allocation scope of terminal IP
addresses (a route for packets to be returned to the terminal IP address should be added
to the Agile Controller server; its configuration is not described here).

2. Click the XMPP tab and set XMPP interconnection parameters.

3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.

Step 3 Add the firewall USG6600 and the NGFW module.


1. Choose Resource > Device > Device Management and add the USG6600 and the
NGFW module. Configure the IP address of the USG6600 that communicates with the
Agile Controller. Enable RADIUS authentication, set the RADIUS authentication and
accounting keys to Admin@123, and set the real-time accounting interval to 15 minutes.
The configurations of FW2 and the NGFW module are similar to that of FW1, and are
not mentioned here.

2. Click the XMPP tab and set XMPP interconnection parameters.

3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.

Step 4 Configure two dynamic security groups named group1 and group2, and two resource groups
named server1 and server2.
1. Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Add and create group1 and group2.

2. Choose Policy > Permission Control > Security Group > Static Security Group
Management. Click Add and create server1 and server2.

Step 5 Configure access control policies.


1. Choose Policy > Free Mobility > Policy Configuration > Permission Control, and
click Add to add access rights.

2. The policy matrix is as follows.


After the configuration is complete, group1 can access server1 and server2, and group2 can
only access server1. group1 and group2 cannot access each other.

3. Select the new policy and click Global Deployment to deploy the network policy on the
agile device.

Step 6 Deploy security groups.


Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Global Deployment to deploy security groups on the entire network.

Step 7 Configure a network segment of the internal network.


1. Choose Policy > Permission Control > Security Group > Intranet Configuration to
add a network segment of the internal network, and click Save. When the system asks you
whether to deploy it immediately, select Yes. The internal network segment is delivered
to the firewall.
NOTE

The firewall uses the network segment of the internal network to query the security group based
on users' IP addresses. When user access traffic reaches the firewall, it queries the security group
where users belong on the Agile Controller-Campus. Only the IP address in the network segment
of the internal network can trigger such query.

2. After the network segment of the internal network is deployed successfully, run the
display agile-network intranet-address command to check the internal network
segment that is delivered by the NGFW module.
[NGFW] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255

Step 8 Deploy a QoS policy.

1. Choose Policy > Free Mobility > Policy Configuration > QoS Policy. Click
next to the VIP security group configuration and select group1.

2. Click Add in Device List, select FW1 and FW2, and click OK.

3. Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully,
you can view the deployment result on the USG6600. group1 is deployed as the VIP
security group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID GroupName VIP priority
-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0

Step 9 Configure a service chain.


1. You can direct the traffic of cross-branch communication between users from the core
switch to the NGFW module by configuring a service chain. Free mobility is enabled on
the NGFW module to control the traffic of cross-branch communication and to unify
access policies on the entire school campus network.
2. Choose Policy > Service Chain > IP Address Pool, and click Add to add an IP address
pool (IP address of the GRE tunnel interface).

3. Choose Policy > Service Chain > Service Chain Resources.


Drag AggregationS127 and NGFW next to Orchestration Device to the orchestration
device and firewall nodes on the right, and select the IP address pool that is added in the
previous step from IP Pool on the left. Click Save and select Deploy.

4. After the service chain is successfully deployed, run the display interface tunnel
command on the aggregation switch or on the NGFW module to check the GRE tunnel
status.
[S12700] display interface tunnel
Tunnel16382 current state : UP
Description:Controller_MSV_from_172.30.100.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.5/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.100.2 (LoopBack100), destination 172.30.100.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
Tunnel16383 current state : UP
Description:Controller_MSV_to_172.30.101.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.1/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.101.2 (LoopBack101), destination 172.30.101.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --

5. Choose Policy > Service Chain > Service Flow Definition. Click Add to add a service
flow, and set the definition mode to ACL to add intercommunication traffic between
office building A and office building B.

6. Choose Policy > Service Chain > Service Chain Orchestration.


Drag AggregationS127 and OfficeBulidingA2B on the left to the orchestration device
and the service flow on the right respectively. Drag the bottom NGFW module to the
firewall above the orchestration device, set Chain Exception Handling
Mode to Forward, and click Save. The procedure for adding AggregationS77 is similar
to that for adding AggregationS127 (set the S7700 service to OfficeBulidingB2A), and
is not mentioned here.

7. After deployment, run the display current-configuration | include traffic-redirect
command on AggregationS127 and AggregationS77 to view the redirection
policy delivered by the service chain, and run the display acl name command to view
the ACL rule delivered by the service chain.
[S12700] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name MSV_ACL_20160730144446_D8F7 interface Tunnel16383
[S12700] display acl name MSV_ACL_20160730144446_D8F7
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
[S7700] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name MSV_ACL_20160730144519_5F0E interface Tunnel16383
[S7700] display acl name MSV_ACL_20160730144519_5F0E
Advanced ACL MSV_ACL_20160730144519_5F0E 3999, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.40.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
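
The two redirect ACLs above should be mirror images so that both directions of traffic between the buildings are steered to the NGFW module, and their networks should lie inside the intranet segments delivered in Step 7, because only those addresses trigger the security group query. The following Python check is an added example, not part of the original guide; it parses the display acl output copied from this page, and its function names are assumptions.

```python
"""Check that the service-chain redirect ACLs on the two switches mirror each other."""
import ipaddress
import re

# `display acl name` output copied from the page (wrapped lines joined).
S12700_ACL = """\
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
"""
S7700_ACL = """\
Advanced ACL MSV_ACL_20160730144519_5F0E 3999, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.40.0 0.0.0.255 destination 172.16.30.0 0.0.0.255
"""
# Intranet segments from the `display agile-network intranet-address` output on the page.
INTRANET_RANGES = [("172.16.30.0", "172.16.30.255"), ("172.16.40.0", "172.16.40.255")]

RULE_RE = re.compile(
    r"^\s*rule\s+\d+\s+(permit|deny)\s+ip"
    r"\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)\s*$",
    re.MULTILINE,
)


def parse_acl(text):
    """Return [(action, source network, destination network)] for each IP rule.

    ipaddress accepts the wildcard (host mask) form "addr/0.0.0.255". A
    non-contiguous wildcard raises ValueError, because it cannot be expressed
    as a single prefix and needs manual review.
    """
    rules = []
    for action, s_ip, s_wc, d_ip, d_wc in RULE_RE.findall(text):
        rules.append((action,
                      ipaddress.IPv4Network(f"{s_ip}/{s_wc}"),
                      ipaddress.IPv4Network(f"{d_ip}/{d_wc}")))
    return rules


def mirrored(a_rules, b_rules):
    """True when every rule on one device exists on the other with source and destination swapped."""
    return {(action, dst, src) for action, src, dst in a_rules} == set(b_rules)


def intranet_networks(ranges=INTRANET_RANGES):
    """Convert first-last address ranges into a list of networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def outside_intranet(rules, intranet):
    """Networks named in the ACL that are not inside any delivered intranet segment."""
    return [net for _, src, dst in rules for net in (src, dst)
            if not any(net.subnet_of(segment) for segment in intranet)]


if __name__ == "__main__":
    a, b = parse_acl(S12700_ACL), parse_acl(S7700_ACL)
    print("mirrored:", mirrored(a, b))
    print("outside intranet:", outside_intranet(a + b, intranet_networks()))
```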

Step 10 Configure the RADIUS relay agent to obtain packets sent from devices and forward the
packets to the RADIUS server.
1. Choose System > External Authentication > RADIUS Proxy, and click Add. Set
parameters and click OK.

Description of parameters of the RADIUS relay agent

| Group | Parameter | Description |
|---|---|---|
| Communication parameters | IP address of the primary RADIUS server; IP address of the secondary RADIUS server | IP addresses of the primary and secondary RADIUS servers (Srun) |
| | Shared key | When packets are exchanged between the Agile Controller-Campus and the RADIUS server, the RADIUS server uses this key to authenticate the Agile Controller-Campus. |
| | Authentication port; Accounting port | The configured shared key must be the same as that on the RADIUS server. |
| | Timeout interval; Retransmission count | The Agile Controller-Campus sends request packets to the RADIUS server. If no response packets are received within the timeout interval, the Agile Controller-Campus retransmits request packets. If the retransmission count is reached, the Agile Controller-Campus considers that the RADIUS server is unavailable. The timeout interval and retransmission count of the Agile Controller-Campus are the same as those of the RADIUS server. |
| Other settings | Forwarding accounting packets to the external RADIUS server | This function needs to be configured when accounting is performed for access users. The RADIUS accounting server needs to be configured. |
| | Forwarding authorization results delivered from the external RADIUS server to network devices | This function enables the Agile Controller-Campus to forward authorization results delivered from the RADIUS server to network devices. This function is configured when the RADIUS server and network devices support the same RADIUS attributes, that is, the network devices can parse authorization results delivered by the RADIUS server. |
| | Using packet attributes returned by the RADIUS server as the authorization condition | This function is configured when the RADIUS server and network devices support different RADIUS attributes, that is, the network devices cannot parse the authorization results delivered by the RADIUS server. |
| | Delay in an attempt to connect to the primary RADIUS server when the primary RADIUS server fails | When the Agile Controller-Campus detects that the primary RADIUS server does not work properly, services are switched to the secondary RADIUS server. After the delay, the Agile Controller-Campus attempts to send authentication packets to the primary RADIUS server again. |

Step 11 Define customization conditions corresponding to security groups.


1. Choose Policy > Policy Element > Customize Condition, and click Add. Set
parameters and click OK.

2. Information about customization conditions

| Customization Condition | Parameter | Value |
| --- | --- | --- |
| group1 | Name | group1 |
| | Attribute list: Vendor type or standard attribute | IETF standard attribute |
| | Attribute number or name | Filter-ID (11) |
| | Attribute type | String |
| | Operator | Equal |
| | Attribute value | 25 |
| group2 | Name | group2 |
| | Attribute list: Vendor type or standard attribute | IETF standard attribute |
| | Attribute number or name | Filter-ID (11) |
| | Attribute type | String |
| | Operator | Equal |
| | Attribute value | 26 |

Step 12 Add authorization results.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result, and click Add to create an authorization result.

2. Configure basic information about the authorization result and click OK.

| Authorization Result | Parameter | Value |
| --- | --- | --- |
| group1 | Name | group1 |
| | Service type | Access service |
| | ACL number/AAA user group | group1 |
| group2 | Name | group2 |
| | Service type | Access service |
| | ACL number/AAA user group | group2 |

Step 13 Add an authorization rule.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authorization Rule, and click Add to create an authorization rule.

2. Configure basic information about the authorization rule and click OK.

| Authorization Rule | Parameter | Value |
| --- | --- | --- |
| group1 | Name | group1 |
| | Service type | Access service |
| | Customization condition | group1 |
| | Authorization result | group1 |
| group2 | Name | group2 |
| | Service type | Access service |
| | Customization condition | group2 |
| | Authorization result | group2 |

Step 14 Define authentication rules and enable the RADIUS relay agent.
1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and click Add to create an authentication rule.

2. Enter and select related parameters, and click OK.

----End
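
The customization conditions, authorization results and authorization rules in Steps 11 to 13 map the Filter-ID value returned by the Srun to a security group, and the relay only trusts a reply whose authenticator was computed with the shared key. The Python code below is an added example, not Agile Controller-Campus code: it checks a RADIUS reply's Response Authenticator (RFC 2865) and then applies the Filter-ID (11) String/Equal match. The packets, the secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
ACCESS_REJECT = 3   # RADIUS code for Access-Reject (RFC 2865)
FILTER_ID = 11      # IETF standard attribute number used in Step 11

# Customization condition value -> authorization result (Steps 11 to 13).
FILTER_ID_TO_RESULT = {"25": "group1", "26": "group2"}


def build_reply(code, identifier, request_auth, attrs, secret):
    """Play the RADIUS server: build a constructed reply for the demo."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def authorization_result(packet, request_auth, secret):
    """Return 'group1'/'group2' for a verified Access-Accept, else None.

    Raises ValueError when the packet is malformed or the Response
    Authenticator does not match, for example because the shared key on
    the relay differs from the one on the RADIUS server.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    packet = packet[:length]            # ignore padding after the stated length
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(body):
        if atype == FILTER_ID:
            # Attribute type String, operator Equal: exact match only.
            result = FILTER_ID_TO_RESULT.get(value.decode("utf-8", "replace"))
            if result is not None:
                return result
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-key"   # constructed value, not from the page
    request_auth = bytes(range(16))      # constructed Request Authenticator
    reply = build_reply(ACCESS_ACCEPT, 7, request_auth, [(FILTER_ID, b"25")], secret)
    print(authorization_result(reply, request_auth, secret))
```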

4.19.3.5.6 Configuring the Srun


Step 1 Activate the software.
1. Enter the URL http://168.88.77.9:8081/admin.php in the browser to access the Srun4000
management system. Both the account and password are admin.
Choose System > System Auth, enter the authorization code, and click Save.

2. Run the /srun3/bin/srun3d_allstop and /srun3/bin/srun3d_allstart commands to
restart services on the console.

Step 2 Add the Agile Controller and two aggregation switches.


1. Choose Device > Add Device to add the aggregation switch S12700.

2. Choose Radius > RadiusTrust Setting to add an authentication switch as a trusted
device, and click Generate.

3. The configuration of other devices (the aggregation switch S7700 at 2.2.2.2 and the
Agile Controller at 168.88.77.10) is similar to that of the RADIUS trusted device, and is
not mentioned here.

4. Run the /srun3/bin/srun3d_all stop and /srun3/bin/srun3d_all start commands to
restart services on the console.

Step 3 Add RADIUS attributes.


- Choose Radius > Add RADIUS Attributes. The RADIUS attributes are consistent with
those on the Agile Controller. The attribute name is Filter-ID (input value 11), and the
fixed values are RADIUS attribute values (25 and 26) that are customized on the Agile
Controller.

Step 4 Configure accounting policies.


1. Enter https://168.88.77.9:8080 in the browser to access the accounting management
system of the Srun4000. Enter the account and password to log in to the system and add
a new accounting policy.
2. Choose Strategy > Billing, and then click add to add an accounting policy. Click Save.

Step 5 Configure control policies.


Choose Strategy > Control. Click add to add two control policies and associate the two
policies with the customized attributes group1 and group2 respectively. Other parameters can
be modified as needed. Then click Save.

Step 6 Configure an accounting group on the Srun4000 and bind the accounting group to the
corresponding accounting and control policies.
# Choose Strategy > Product. Click Add to create two new accounting
groups group1_accounting and group2_accounting. Bind accounting
groups group1_accounting and group2_accounting to control
policies group1_control and group2_control and the accounting policy accounting_policy.

# Click Save.
Step 7 Create user groups on the Srun4000.
# Choose System Setting > Permission > Organization Structure, place the cursor on
, and click to add user groups group1 and group2.

# Click Save changed data.


Step 8 Create users on the Srun4000.
# Choose Account > Add, add two users named user1 and user2. The two users' passwords
are both Huawei123. Associate users with authentication and accounting groups.

# Click Save.
----End

4.19.3.6 Verification
Step 1 After configuring HRP, you can run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:36 HRP core state changed,
old_state = abnormal(active), new_state = normal, local_priority = 44998, peer_priority = 44998.
HRP_S[FW2] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:37 HRP core state changed,
old_state = abnormal(standby), new_state = normal, local_priority = 44998, peer_priority = 44998.

Step 2 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.

HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:05:17 HRP core state changed,
old_state = normal, new_state = abnormal(active), local_priority = 44998, peer_priority = 44996.

Step 3 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the aggregation switch to check deployment information.
# Run the display ucl-group all command to check the security group configuration.
[S12700] display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group1
2 group2
--------------------------------------------------------------------------------
Total : 2

# Run the display acl all command to check the access control policy configuration.
[S12700] display acl all
Total nonempty ACL number is 3
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5

Step 4 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 and the NGFW module to check deployment
information.
# Run the display security-policy all command to check the security policy configuration.
HRP_M[FW1] display security-policy all
Total:9
RULE ID  RULE NAME        STATE   ACTION  HITTED
-------------------------------------------------------------------------------
0        default          enable  permit  88
1        Auto_PGM_U1_1    enable  permit  0
2        Auto_PGM_U1_2    enable  deny    0
3        Auto_PGM_U1_3    enable  permit  0
4        Auto_PGM_U1_4    enable  permit  13
5        Auto_PGM_U2_1    enable  permit  0
6        Auto_PGM_U2_2    enable  deny    5
7        Auto_PGM_U2_3    enable  deny    0
8        Auto_PGM_U2_4    enable  permit  0
-------------------------------------------------------------------------------

Step 5 A wireless user is authenticated on a terminal using the user name and password that are
defined on the Srun. After the user is successfully authenticated, check the user table on the
switch. The wireless user successfully matches a security group.

# Check online information of the wireless user named user1.


[S12700] display access-user user-id 16016
Basic:
User ID : 16016
User name : user1
Domain-name : huawei
User MAC : 0c96-bfe1-a39d
User IP address : 172.16.30.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/30 16:05:34
User accounting session ID : S1270000000000000030acfc860003e90
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 22(s)
Work group ID : default
User forward slot : 3
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wireless user named user2.


[S12700] display access-user user-id 16017
Basic:
User ID : 16017
User name : user2
Domain-name : huawei
User MAC : 0c96-bfe1-a2c2
User IP address : 172.16.30.253
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/30 16:07:36
User accounting session ID : S1270000000000000030d57a870003e91

Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 10(s)
Work group ID : default
User forward slot : 3
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 6 A wired user is authenticated on a terminal using the user name and password that are defined
on the Srun. After the user is successfully authenticated, check the user table on the switch.
The wired user successfully matches a security group.

# Check online information of the wired user named user1.


[S7700] display access-user user-id 16016
Basic:
User ID : 16016
User name : user1
Domain-name : huawei
User MAC : 3cd9-2b5d-d9dc
User IP address : 172.16.40.253
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet2/0/0
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/30 18:25:10 DST
User accounting session ID : S770002000000000040009d610003e90
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wired user named user2.


[S7700] display access-user user-id 16021
Basic:
User ID : 16021
User name : user2
Domain-name : huawei
User MAC : 28f1-0e02-8647
User IP address : 172.16.40.254
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet2/0/0
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/30 18:28:41 DST
User accounting session ID : S7700020000000000402f119b0003e95
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal

Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 7 After the user goes online, the user packet can trigger the NGFW module to obtain a correct
security group from the Agile Controller.
[NGFW Module] display agile-network user
Total user: 4, show user: 4.
-------------------------------------------------------------------------------
IP-address Create-time Rate(input,output) Security-group
-------------------------------------------------------------------------------
172.16.30.253 2016/07/30 16:36:17 0 0 2-group2
172.16.40.254 2016/07/30 16:36:17 0 0 2-group2
172.16.30.254 2016/07/30 16:37:27 0 0 1-group1
172.16.40.253 2016/07/30 16:37:27 0 0 1-group1

Step 8 Verify cross-branch traffic.


# The user user1 of office building A can communicate with the user user1 of office building
B.
C:\Users\Administrator>ping 172.16.40.253

Pinging 172.16.40.253 with 32 bytes of data:


Reply from 172.16.40.253: bytes=32 time=108ms TTL=254
Reply from 172.16.40.253: bytes=32 time=5ms TTL=254
Reply from 172.16.40.253: bytes=32 time=54ms TTL=254
Reply from 172.16.40.253: bytes=32 time=4ms TTL=254

Ping statistics for 172.16.40.253:


Packets: Sent = 4, Received = 4, Lost = 0 (0% Loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 108ms, Average = 42ms

# The user user1 of office building A cannot communicate with the user user2 of office
building B.
C:\Users\Administrator>ping 172.16.40.254

Pinging 172.16.40.254 with 32 bytes of data:


Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.40.254:


Packets: Sent = 4, Received = 0, Lost = 4 (100% Loss),

----End
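
Steps 3, 7 and 8 can be cross-checked mechanically. The Python example below is added here and is not Huawei tooling: it parses the Ucl-group ACL rules from the Step 3 output, looks up each address's security group from the Step 7 table, and reports which rule decides a flow. It assumes the first matching rule in display order wins; the function names are illustrative, and the sample text is copied from the outputs above with one rule left wrapped as a terminal would print it.

```python
import ipaddress
import re

# Constructed from the Step 3 `display acl all` output; one rule is left
# wrapped across two lines to exercise the unwrapping logic.
ACL_OUTPUT = """\
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name
group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
"""

# IP address -> security group, from `display agile-network user` in Step 7.
USER_GROUPS = {
    "172.16.30.253": "group2",
    "172.16.40.254": "group2",
    "172.16.30.254": "group1",
    "172.16.40.253": "group1",
}

NEW_ENTRY = re.compile(r"(rule \d+ |Acl's step |Ucl-group ACL |Advanced ACL )")
HEADER = re.compile(r"(?:Ucl-group|Advanced) ACL (\S+) \d+,")
RULE = re.compile(
    r"rule (\d+) (permit|deny) ip source ucl-group name (\S+) destination (.+)$")


def unwrap(text):
    """Rejoin lines that the terminal wrapped in the middle of a rule."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NEW_ENTRY.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_destination(text):
    """Return ('group', name) or ('ip', base, wildcard) for a rule destination."""
    parts = text.split()
    if parts[:2] == ["ucl-group", "name"]:
        return ("group", parts[2])
    wildcard_text = parts[1] if len(parts) > 1 else "0"
    wildcard = 0 if wildcard_text == "0" else int(ipaddress.IPv4Address(wildcard_text))
    return ("ip", int(ipaddress.IPv4Address(parts[0])), wildcard)


def parse_ucl_rules(text):
    """Collect the rules whose source is a UCL group, in display order."""
    rules, acl = [], None
    for line in unwrap(text):
        header = HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        m = RULE.match(line)
        if m:
            rule_id, action, src_group, dst = m.groups()
            rules.append({"acl": acl, "id": int(rule_id), "action": action,
                          "src": src_group, "dst": parse_destination(dst)})
    return rules


def destination_matches(dst, dst_ip, user_groups):
    if dst[0] == "group":
        return user_groups.get(dst_ip) == dst[1]
    _, base, wildcard = dst
    addr = int(ipaddress.IPv4Address(dst_ip))
    # Wildcard bits set to 1 are "don't care", as in the ACL syntax above.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, src_ip, dst_ip, user_groups):
    """Return (action, acl_name, rule_id) of the first matching rule (assumed order)."""
    src_group = user_groups.get(src_ip)
    for rule in rules:
        if rule["src"] == src_group and destination_matches(rule["dst"], dst_ip, user_groups):
            return (rule["action"], rule["acl"], rule["id"])
    return ("no-match", None, None)


if __name__ == "__main__":
    rules = parse_ucl_rules(ACL_OUTPUT)
    for dst in ("172.16.40.253", "172.16.40.254"):
        print("172.16.30.254 ->", dst, evaluate(rules, "172.16.30.254", dst, USER_GROUPS))
```

A result of no-match means no inter-group rule applies to the flow; in Step 8 that is the user1-to-user1 ping, which succeeds, while the user1-to-user2 ping is decided by rule 3 of Auto_PGM_U1.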

4.19.3.7 Configuration Script


S5700-A

#
sysname S5700-A
#
lldp enable
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
port-isolate enable group 1
stp edged-port enable
#
interface GigabitEthernet0/0/25
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
#

S5700-B

#
sysname S5700-B
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
port-isolate enable group 1
stp edged-port enable
#
interface GigabitEthernet0/0/25
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
#

Aggregation Switch S12700


#
sysname S12700
#
traffic classifier test
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior test
statistic enable
car cir 100
#
traffic policy test
classifier test behavior test
#
lldp enable
#
vlan batch 11 20 30
#
stp instance 0 root primary
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#duP\H"`mKM6&m`@&N4#82$i0+@:0^$4f6]PNy_BL%^%# src-ip 1.1.1.1
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
#
mac-address update arp
#
radius-server template test01
radius-server shared-key cipher %^%#'r14>>_+3*MZfB=3VWbRp#\;3WF!x$6)cg.s!E#S%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 1.1.1.1 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 1.1.1.1 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#0_E"8;nWP6N`*\/kIycN;[$'/
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#)$Q5/GX+[-D+Dz(s_;OLPRvd$J=xa3>(|d#8.y,L%^%#
url http://168.88.77.10:8080/portal
source-ip 1.1.1.1
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15

domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
#
interface GigabitEthernet1/1/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
stp root-protection
#
interface XGigabitEthernet2/1/0
eth-trunk 1
#
interface XGigabitEthernet2/1/1
eth-trunk 1
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.2 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.2 255.255.255.255
#
arp topology-change disable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.11.2
#
capwap source interface vlanif20
#
wlan
traffic-profile name test
traffic-optimize broadcast-suppression packets 128
traffic-optimize multicast-suppression packets 128
ssid-profile name portal
ssid portal_test
traffic-policy test outbound
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
traffic-profile test
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
authentication-profile p1

regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return

Aggregation Switch S7700


#
sysname S7700
#
vlan batch 12 40
#
stp instance 0 root primary
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#2<1iP`j5kB]U#X>FGJM;na:J-}>E]X2QYJ#E]X[F%^%# src-ip 2.2.2.2
#
dhcp enable
#
mac-address update arp
#
radius-server template test01
radius-server shared-key cipher %^%#0Kc.C&eT<P91FzB4MP*ZSQaa$c8v_6,^N>6IAu&H%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 2.2.2.2 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 2.2.2.2 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#PEIT<a/3w+D+}M:q.^rQ}Amd#j=(n!p}!(G[O)wR%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
url http://168.88.77.10:8080/portal
source-ip 2.2.2.2
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif12
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12

#
interface XGigabitEthernet2/1/0
eth-trunk 1
#
interface XGigabitEthernet2/1/1
eth-trunk 1
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 40
stp root-protection
authentication-profile p1
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.3 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.3 255.255.255.255
#
arp topology-change disable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
#
return

Core S12700 CSS


#
sysname core-switch
#
vlan batch 9 to 12 1000
#
interface Vlanif9
ip address 192.168.9.2 255.255.255.0
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif11
ip address 192.168.11.2 255.255.255.0
#
interface Vlanif12
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
stp disable
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12
#
interface Eth-Trunk3
port link-type access
port default vlan 10
#
interface Eth-Trunk4
port link-type access
port default vlan 10
#
interface GigabitEthernet1/2/0/0
eth-trunk 3
#
interface GigabitEthernet2/2/0/0
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
eth-trunk 4
#
interface GigabitEthernet2/2/0/1
eth-trunk 4
#
interface GigabitEthernet1/2/0/20
port link-type access
port default vlan 1000
#
interface XGigabitEthernet1/3/1/0
eth-trunk 1
#
interface XGigabitEthernet2/3/1/0
eth-trunk 1
#

interface GigabitEthernet1/3/1/1
eth-trunk 2
#
interface GigabitEthernet2/3/1/1
eth-trunk 2
#
interface XGigabitEthernet1/4/0/0
eth-trunk 0
#
interface XGigabitEthernet1/4/0/1
eth-trunk 0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
filter-policy ip-prefix test01 export static
import-route static
sham-hello enable
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 192.168.10.0 0.0.0.255
#
ip ip-prefix test01 index 1 permit 172.16.30.0 24
ip ip-prefix test01 index 2 permit 172.16.40.0 24
#
ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
ip route-static 172.30.101.3 255.255.255.255 192.168.12.1
#

NGFW Module
#
sysname NGFW Module
#
vlan batch 9
#
radius-server template test01
radius-server shared-key cipher %@%@eJb}7fm's=:^`p5QuT<77K&]%@%@
radius-server authentication 168.88.77.10 1812 source ip-address 4.4.4.4 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 4.4.4.4 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Vlanif9
ip address 192.168.9.1 255.255.255.0
#
interface Eth-Trunk0
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.1 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk0
add interface GigabitEthernet0/0/0
add interface Vlanif9
#
ip route-static 0.0.0.0 0.0.0.0 192.168.9.2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 4.4.4.4
password %$%$0}:jXH3"FLn__tY:4q^0Nof]%$%$
xmpp connect
#
security-policy
default action permit
#

FW1 FW2
sysname FW1 sysname FW2
# #
hrp enable hrp
hrp interface GigabitEthernet1/0/5 enable
remote 10.10.0.2
hrp mirror session enable hrp interface GigabitEthernet1/0/5
hrp track interface Eth-Trunk1 remote 10.10.0.1
# hrp mirror session enable
healthcheck enable hrp track interface Eth-Trunk1
healthcheck name #
isp1_health healthcheck enable
destination 21.0.0.100 interface healthcheck name
GigabitEthernet1/0/1 protocol tcp- isp1_health
simple destination-port 1001 destination 21.0.0.100 interface
healthcheck name isp2_health GigabitEthernet1/0/1 protocol tcp-
destination 22.0.0.100 interface simple destination-port 1003
GigabitEthernet1/0/2 protocol tcp- healthcheck name
simple destination-port 1002 isp2_health
# destination 22.0.0.100 interface
radius-server template test01 GigabitEthernet1/0/2 protocol tcp-
radius-server shared-key cipher %@ simple destination-port 1004
%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@ #
radius-server authentication radius-server template test01
168.88.77.10 1812 source LoopBack 0 radius-server shared-key cipher %@
weight 80 %@YeBxR{:_6A7/`xDG-3u7#BCr%@
radius-server accounting 168.88.77.10 %@
1813 source LoopBack 0 weight radius-server authentication
80 168.88.77.10 1812 source LoopBack 0
undo radius-server user-name domain- weight 80
included radius-server accounting 168.88.77.10
radius-server group-filter class 1813 source LoopBack 0 weight 80
# undo radius-server user-name domain-
interface Eth-Trunk1 included
ip address 192.168.10.1 radius-server group-filter
255.255.255.0 class
# #
interface GigabitEthernet1/0/1 interface Eth-Trunk1
undo shutdown ip address 192.168.10.2
ip address 201.0.0.1 255.255.255.0
255.255.255.0 #
healthcheck isp1_health interface GigabitEthernet1/0/1
gateway 201.0.0.254 undo shutdown
bandwidth ingress 100000 threshold ip address 201.0.0.2
95 255.255.255.0
bandwidth egress 100000 threshold healthcheck
95 isp1_health
# gateway 201.0.0.254
interface GigabitEthernet1/0/2 bandwidth ingress 100000 threshold 95
undo shutdown bandwidth egress 100000 threshold
ip address 202.0.0.2 255.255.255.0 95
healthcheck isp2_health #
gateway 202.0.0.254 interface GigabitEthernet1/0/2
bandwidth ingress 50000 threshold undo
90 shutdown
bandwidth egress 50000 threshold ip address 202.0.0.1
90 255.255.255.0
# healthcheck isp2_health
interface GigabitEthernet1/0/3 gateway
undo shutdown 202.0.0.254
eth-trunk 1 bandwidth ingress 50000 threshold
# 90
interface GigabitEthernet1/0/4 bandwidth egress 50000 threshold
undo shutdown 90
eth-trunk 1 #
# interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/5 undo

undo shutdown shutdown
ip address 10.10.0.1 255.255.255.0 eth-trunk 1
# #
interface LoopBack0 interface
ip address 5.5.5.5 255.255.255.255 GigabitEthernet1/0/4
# undo shutdown
firewall zone trust eth-trunk 1
set priority 85 #
add interface GigabitEthernet0/0/0 interface GigabitEthernet1/0/5
add interface Eth-Trunk1 undo shutdown
# ip address 10.10.0.2
firewall zone dmz 255.255.255.0
set priority 50 #
add interface interface LoopBack0
GigabitEthernet1/0/5 ip address 6.6.6.6
# 255.255.255.255
#
firewall zone name isp1 id firewall zone trust
4 set priority 85
set priority 10 add interface
add interface GigabitEthernet1/0/1 GigabitEthernet0/0/0
# add interface Eth-Trunk1
firewall zone name isp2 id 5 #
set priority 20 firewall zone
add interface dmz
GigabitEthernet1/0/2 set priority 50
# add interface GigabitEthernet1/0/5
ospf 1 router-id 5.5.5.5 #
import-route static firewall zone name isp1 id 4
sham-hello enable set priority 10
area add interface
0.0.0.0 GigabitEthernet1/0/1
network 5.5.5.5 #
0.0.0.0
network 192.168.10.0 firewall zone name isp2 id 5
0.0.0.255 set priority
# 20
add interface
ip route-static 21.0.0.0 255.255.255.0 GigabitEthernet1/0/2
201.0.0.254 #
ip route-static 22.0.0.0 255.255.255.0 ospf 1 router-id
202.0.0.254 6.6.6.6
# import-route static
nat address-group addressgroup1 sham-hello enable
0 area
mode pat 0.0.0.0
route enable network 6.6.6.6
section 0 201.0.0.10 201.0.0.12 0.0.0.0
# network 192.168.10.0
nat address-group addressgroup2 1 0.0.0.255
mode pat #
route enable ip route-static 21.0.0.0 255.255.255.0
section 1 202.20.1.1 202.20.1.5 201.0.0.254
# ip route-static 22.0.0.0 255.255.255.0
multi-interface 202.0.0.254
mode proportion-of-bandwidth #
add interface nat address-group addressgroup1 0
GigabitEthernet1/0/1 mode pat
add interface GigabitEthernet1/0/2 route
# enable
agile- section 0 201.0.0.10
network 201.0.0.12
agile-network #
enable nat address-group addressgroup2
radius-server test01 1
server ip 168.88.77.10 mode pat

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 997


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

FW1 FW2
local ip 5.5.5.5 route enable
password %$%$"YrVNBu2PI{BlL0'$8UE680%$ section 1 202.20.1.1 202.20.1.5
%$ #
xmpp connect multi-interface
# mode proportion-of-bandwidth
# add interface
security-policy GigabitEthernet1/0/1
rule name policy_dmz add interface
source-zone local GigabitEthernet1/0/2
source-zone dmz #
destination-zone local agile-network
destination-zone dmz agile-network
action permit enable
rule name trust_to_untrust radius-server test01
source-zone trust server ip 168.88.77.10
destination-zone isp1 local ip 6.6.6.6
destination-zone isp2 password %$%$_i#0Mg|T-XkLhMY&VI&WGh$_%
action permit $%$
rule name policy_sec_work xmpp connect
source-zone trust #
destination-zone isp1
destination-zone isp2 #
time-range working_hours security-policy
profile app-control profile_app_work rule name policy_dmz
action permit source-zone local
rule name policy_sec_rest source-zone dmz
source-zone trust destination-zone local
destination-zone isp1 destination-zone dmz
destination-zone isp2 action permit
time-range off_hours rule name trust_to_untrust
profile app-control profile_app_rest source-zone trust
action permit destination-zone isp1
# destination-zone isp2
nat-policy action permit
rule name policy_nat1 rule name policy_sec_work
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
source-address range 172.16.30.1 destination-zone isp2
172.16.30.254 time-range working_hours
source-address range 172.16.40.1 profile app-control profile_app_work
172.16.40.254 action permit
action nat address-group rule name policy_sec_rest
addressgroup1 source-zone trust
rule name policy_nat2 destination-zone isp1
source-zone trust destination-zone isp2
destination-zone isp2 time-range off_hours
source-address range 172.16.30.1 profile app-control profile_app_rest
172.16.30.254 action permit
source-address range 172.16.40.1 #
172.16.40.254 nat-policy
action nat address-group rule name policy_nat1
addressgroup2 source-zone trust
# destination-zone isp1
firewall defend time-stamp enable source-address range 172.16.30.1
firewall defend route-record enable 172.16.30.254
firewall defend source-route enable source-address range 172.16.40.1
firewall defend winnuke enable 172.16.40.254
firewall defend fraggle enable action nat address-group
firewall defend ping-of-death enable addressgroup1
firewall defend smurf enable rule name
irewall defend land enable policy_nat2
# source-zone
anti-ddos baseline-learn start trust
anti-ddos baseline-learn tolerance- destination-zone
value 100 isp2
anti-ddos baseline-learn apply source-address range 172.16.30.1

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 998


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

FW1 FW2
anti-ddos syn-flood source-detect 172.16.30.254
anti-ddos udp-flood dynamic- source-address range 172.16.40.1
fingerprint-learn 172.16.40.254
anti-ddos udp-frag-flood dynamic- action nat address-group
fingerprint-learn addressgroup2
anti-ddos http-flood defend alert-rate #
2000 firewall defend time-stamp enable
anti-ddos http-flood source-detect firewall defend route-record enable
mode basic firewall defend source-route enable
# firewall defend winnuke enable
profile type app-control name firewall defend fraggle enable
profile_app_work firewall defend ping-of-death enable
http-control post action deny firewall defend smurf enable
http-control proxy action deny irewall defend land enable
http-control web-browse action deny #
http-control file direction upload anti-ddos baseline-learn start
action deny anti-ddos baseline-learn tolerance-
http-control file direction download value 100
action deny anti-ddos baseline-learn apply
ftp-control file delete action deny anti-ddos syn-flood source-detect
ftp-control file direction upload anti-ddos udp-flood dynamic-
action deny fingerprint-learn
ftp-control file direction download anti-ddos udp-frag-flood dynamic-
action deny fingerprint-learn
# anti-ddos http-flood defend alert-rate
profile type app-control name 2000
profile_app_rest anti-ddos http-flood source-detect
http-control post action deny mode basic
http-control file direction upload #
action deny profile type app-control name
ftp-control file delete action deny profile_app_work
ftp-control file direction upload http-control post action deny
action deny http-control proxy action deny
ftp-control file direction download http-control web-browse action deny
action deny http-control file direction upload
# action deny
time-range working_hours http-control file direction download
period-range 09:00:00 to 17:30:00 action deny
working-day ftp-control file delete action deny
# ftp-control file direction upload
time-range off_hours action deny
period-range 00:00:00 to 23:59:59 off- ftp-control file direction download
day action deny
period-range 00:00:00 to 08:59:59 #
working-day profile type app-control name
period-range 17:30:01 to 23:59:59 profile_app_rest
working-day http-control post action deny
# http-control file direction upload
return action deny
ftp-control file delete action deny
ftp-control file direction upload
action deny
ftp-control file direction download
action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00
working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-
day
period-range 00:00:00 to 08:59:59
working-day
period-range 17:30:01 to 23:59:59
working-day

Issue 01 (2017-12-29) Huawei Proprietary and Confidential 999


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

FW1 FW2
#
return


5 Typical Configuration Examples (Web)

5.1 WLAN Common Service Configuration Examples


5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 5-1 Networking diagram for configuring 802.1x authentication

Data Planning

Table 5-1 Data planning on the AC

Configuration Item: Data

Management VLAN: VLAN 100

Service VLAN: VLAN 101

AC's source interface: VLANIF 100: 10.23.100.1/24

DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB
functions as the DHCP server to assign IP addresses to STAs.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for the STAs: 10.23.101.2-10.23.101.254/24

RADIUS authentication parameters:
• RADIUS server template name: wlan-net
• IP address: 10.23.103.1
• Authentication port number: 1812
• Shared key: huawei@123
• Authentication scheme: wlan-net

802.1x access profile:
• Name: wlan-net
• Authentication mode: EAP

Authentication profile:
• Name: wlan-net
• Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server
  template wlan-net, and RADIUS authentication scheme wlan-net

AP group:
• Name: ap-group1
• Bound profile: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile:
• Name: default
• Country code: China

SSID profile:
• Name: wlan-net
• SSID name: wlan-net

Security profile:
• Name: wlan-net
• Security policy: WPA-WPA2+802.1x+AES

VAP profile:
• Name: wlan-net
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 101
• Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication
  profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.


5. Configure third-party server interconnection parameters.


NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101

[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnection.
# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.


# Click OK.

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1x authentication, and configure parameters of the
external RADIUS server.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
  Authentication (Web)" in the WLAN Product Interoperation Configuration Guide-
  Typical Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
  802.1X Authentication (Web)" in the WLAN Product Interoperation Configuration
  Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
  Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
  Wireless 802.1X Authentication" in the WLAN Product Interoperation Configuration
  Guide-Typical Configuration for Interconnection Between AC and Huawei Agile
  Controller-Campus Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:


i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End
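
The port settings from Step 1 and the port-isolation item under Configuration Notes can be checked against a saved switch configuration. The following Python script is an added example, not part of the original guide; the sample configuration is constructed, and GigabitEthernet0/0/3, GigabitEthernet0/0/9 and all function names are hypothetical.

```python
# Added example: audit AP-facing trunk ports against the 5.1.1 data plan.
MGMT_VLAN = 100                 # management VLAN (Table 5-1)
PLANNED_VLANS = {100, 101}      # management + service VLAN on the AP-facing port

# Constructed sample in saved-configuration form. GigabitEthernet0/0/1 mirrors
# Step 1 for SwitchA; GigabitEthernet0/0/3 is a hypothetical second AP port
# that has drifted from the plan.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100 to 104
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 104
#
return
"""


def parse_interfaces(config_text):
    """Split a '#'-delimited configuration into {interface name: [lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def expand_vlans(tokens):
    """Expand ['100', 'to', '104', '200'] into {100, ..., 104, 200}."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_port(lines, mgmt_vlan, planned):
    """Return a list of deviations for one AP-facing interface."""
    trunk = isolated = False
    pvid = 1                    # assumption: PVID is 1 when none is configured
    allowed = set()             # only explicit allow-pass lines are evaluated
    for line in lines:
        words = line.split()
        if words[:3] == ["port", "link-type", "trunk"]:
            trunk = True
        elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
            pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed |= expand_vlans(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            isolated = True

    findings = []
    if not trunk:
        findings.append("link type is not trunk")
    if not isolated:
        findings.append("port-isolate is not enabled")
    if pvid != mgmt_vlan:
        findings.append(f"PVID is {pvid}, expected management VLAN {mgmt_vlan}")
    extra, missing = allowed - planned, planned - allowed
    if extra:
        findings.append("unplanned VLANs allowed: " + ",".join(map(str, sorted(extra))))
    if missing:
        findings.append("planned VLANs not allowed: " + ",".join(map(str, sorted(missing))))
    return findings


def audit_ap_ports(config_text, ap_ports, mgmt_vlan=MGMT_VLAN, planned=PLANNED_VLANS):
    """Audit every listed AP-facing port; ports absent from the config are reported."""
    interfaces = parse_interfaces(config_text)
    report = {}
    for name in ap_ports:
        if name not in interfaces:
            report[name] = ["interface not found in configuration"]
        else:
            report[name] = audit_port(interfaces[name], mgmt_vlan, set(planned))
    return report


if __name__ == "__main__":
    ports = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3"]
    for port, findings in audit_ap_ports(SAMPLE_CONFIG, ports).items():
        print(port, "OK" if not findings else "; ".join(findings))
```
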

5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open


Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 5-2 AC data planning


Item: Data

Management VLAN for APs: VLAN100

Service VLAN for STAs: VLAN101

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address pool for APs: 10.23.100.2–10.23.100.254/24

IP address pool for STAs: 10.23.101.3–10.23.101.254/24

AC's source interface address: VLANIF100: 10.23.100.1/24

AP group:
• Name: ap-group1
• Referenced profile: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile:
• Name: default
• Country code: China

SSID profile:
• Name: wlan-net
• SSID name: wlan-net

Security profile:
• Name: wlan-net
• Security policy: open

RADIUS authentication parameters:
Name of the RADIUS authentication scheme: wlan-net
Name of the RADIUS accounting scheme: wlan-net
Name of the RADIUS server template: wlan-net
• IP address: 10.23.102.1
• Authentication port number: 1812
• Shared key: Huawei123

Portal server template:
• Name: wlan-net
• IP address: 10.23.103.1
• Destination port number in the packets that the AC sends to the Portal server: 50200
• Portal shared key: Huawei123

Portal access profile:
• Name: wlan-net
• Referenced profile: Portal server template wlan-net

MAC access profile: Name: wlan-net

Authentication-free rule profile:
• Name: default_free_rule
• Authentication-free resource: IP address of the DNS server (8.8.8.8)

Authentication Profile:
• Name: wlan-net
• Referenced profile: Portal access profile wlan-net, MAC access profile
  wlan-net, RADIUS server template wlan-net, authentication-free rule
  profile default_free_rule and authentication scheme wlan-net

VAP profile:
• Name: wlan-net
• Forwarding mode: tunnel forwarding
• Service VLAN: VLAN 101
• Referenced profile: SSID profile wlan-net, security profile wlan-net and
  Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.


# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

5.1.3 Example for Configuring High-Density WLAN Services


Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-3 Networking diagram for configuring a high-density WLAN

Data Planning

Table 5-3 Data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool. Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile default, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and traffic profile wlan-traffic |
| RRM profile | Name: wlan-rrm; Airtime fair scheduling: enable; Smart roaming: enable |
| 2G radio profile | Name: wlan-radio2g; Referenced profile: RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profile: RRM profile wlan-rrm |
| Traffic profile | Name: wlan-traffic |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-4.

Table 5-4 Adjustment recommendations

| Adjustment Item | Purpose | Recommendation |
|---|---|---|
| Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled. |
| Remove the limit on the number of access users | To make an AP offer wireless services to more users. | Increase the maximum number of access users to 128 for an SSID profile. |
| Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute. |
| User isolation | To prevent mobile terminals from exchanging a large number of ARP packets. | Enable user isolation on the AC. |
| Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s. |
| Adjust AP channel and power | To reduce interference between APs. | Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment. Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area. |
| Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB. |
| Enable airtime fair scheduling | To ensure that wireless channel resources can be equally allocated to users. | Enable airtime fair scheduling. |
| Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes. |
| Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms. |
| Adjust the transmit rate of 2.4 GHz Beacon frames | To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency. | Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s. |
| Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI. |
| Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set. |
| Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio. |
| Configure the short preamble for a radio | To improve the network synchronization performance. | Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function. |
| Adjust EDCA parameters | To improve user experience. | Set the EDCA parameters of AC_BE packets as follows. AP: ecwmin: 5, ecwmax: 6, aifsn: 3. Client: ecwmin: 7, ecwmax: 10, aifsn: 3. |

7. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
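
The trunk settings from Step 1 can be checked against Table 5-3 before the AC is configured. The Python sketch below is an added example, not part of the Huawei document: it parses a VRP CLI session transcript and reports trunks that carry VLANs outside the data plan and AP-facing trunks without port isolation. The function names, finding labels and the DRIFTED transcript are constructed for illustration, and treating a trunk whose PVID is a management VLAN as AP-facing is an assumption based on this example's port layout.

```python
import re

# A VRP prompt ("<HUAWEI>" or "[SwitchA-GigabitEthernet0/0/1]") followed by a command.
PROMPT = re.compile(r"^\s*[\[<][^\]>]+[\]>]\s*(.*)$")

# SwitchA session from Step 1 of this example, as given on the page.
PAGE_SWITCHA = """
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Constructed drift for illustration: an open uplink and an unisolated AP port.
DRIFTED = """
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 to 103
[SwitchA-GigabitEthernet0/0/3] quit
"""


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['10', '101', 'to', '103'] into a set of ints."""
    vlans = set()
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", " ".join(tokens)):
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_session(transcript):
    """Return (created_vlans, {interface: settings}) from a CLI session transcript."""
    created, ports, current = set(), {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        cmd = m.group(1).split() if m else []
        if cmd[:2] == ["vlan", "batch"]:
            created |= expand_vlans(cmd[2:])
        elif cmd[:1] == ["interface"]:
            current = "".join(cmd[1:]).lower()
            ports.setdefault(current, {"trunk": False, "pvid": None, "allow": set(),
                                       "allow_all": False, "isolate": False})
        elif cmd == ["quit"]:
            current = None
        elif current is None:
            continue
        elif cmd == ["port", "link-type", "trunk"]:
            ports[current]["trunk"] = True
        elif cmd[:4] == ["port", "trunk", "pvid", "vlan"]:
            ports[current]["pvid"] = int(cmd[4])
        elif cmd[:5] == ["port", "trunk", "allow-pass", "vlan", "all"]:
            ports[current]["allow_all"] = True
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current]["allow"] |= expand_vlans(cmd[4:])
        elif cmd == ["port-isolate", "enable"]:
            ports[current]["isolate"] = True
    return created, ports


def audit(transcript, mgmt_vlans, service_vlans):
    """Return (interface, finding) pairs for trunks that deviate from the data plan."""
    created, ports = parse_session(transcript)
    planned = set(mgmt_vlans) | set(service_vlans)
    findings = []
    for name, p in sorted(ports.items()):
        # Assumption: a trunk whose PVID is a management VLAN faces an AP.
        checks = [
            (p["allow_all"], "allow-pass vlan all"),
            (p["allow"] - created, "VLAN allowed but never created"),
            (p["allow"] - planned, "VLAN outside the data plan"),
            (p["pvid"] in mgmt_vlans and not p["isolate"],
             "AP-facing trunk without port-isolate"),
        ]
        if p["trunk"]:
            findings += [(name, label) for failed, label in checks if failed]
    return findings
```

With the VLAN plan from Table 5-3, audit(PAGE_SWITCHA, {10, 100}, {101, 102}) returns an empty list, while the DRIFTED transcript yields four findings across GE0/0/2 and GE0/0/3.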

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1


# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
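
The mandatory-field rule in the NOTE of this step (and of the same step in the Portal authentication example earlier) can be checked before the template is imported, so that a malformed or duplicated identifier does not end up in the list of APs the AC admits. The Python sketch below is an added example, not part of the Huawei document; the CSV layout, the column names taken from the field list above, the 20-character SN length and every row except the first are assumptions or constructed data.

```python
import csv
import io
import re

# Formats follow the sample row on this page; the 20-character SN length is an assumption.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
SN_RE = re.compile(r"^[0-9A-Za-z]{20}$")
PATTERNS = {"AP MAC": MAC_RE, "AP SN": SN_RE}
REQUIRED = {"mac": "AP MAC", "sn": "AP SN"}  # AP authentication mode -> mandatory column

# Constructed sample in an assumed CSV layout; only the first data row comes from the page.
SAMPLE = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60DE-4476-E360,,area_2,ap-group1
,210235419610CB002288,area_3,ap-group1
60de-4476-e3,210235419610CB002289,area_4,ap-group1
"""


def validate(csv_text, auth_mode):
    """Return (line_number, problem) pairs for rows that should be fixed before import."""
    required = REQUIRED[auth_mode]
    seen = {field: set() for field in PATTERNS}
    problems = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for field, pattern in PATTERNS.items():
            value = (row.get(field) or "").strip()
            if not value:
                # An empty identifier is only a problem in the mode that relies on it.
                if field == required:
                    problems.append((line_no, f"missing {field}"))
                continue
            if not pattern.match(value):
                problems.append((line_no, f"malformed {field}"))
                continue
            key = value.lower()  # 60DE-... and 60de-... identify the same AP
            if key in seen[field]:
                problems.append((line_no, f"duplicate {field}"))
            seen[field].add(key)
    return problems


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(mode, validate(SAMPLE, mode))
```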

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.

# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.


Step 6 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration.


# Click the VAP profile wlan-net. The VAP Profile page is displayed.
On the Advanced Configuration tab, enable band steering.

# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration.
Under it, click the icon in front of wlan-net. Click SSID Profile. The SSID Profile page is
displayed.
# On the Advanced Configuration tab, set the maximum number of users to 128 and
association aging time to 1 minute. Configure EDCA parameters for AC_BE packets of
STAs as follows: AIFSN: 3; ECWmin: 7; ECWmax: 10. Set the Beacon frame rate on
2.4G radio to 11 Mbps.


# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration.
Under it, click the icon in front of wlan-net. Click Traffic Profile. The Traffic Profile page
is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the profile name wlan-traffic in Profile name and click OK. The new traffic
profile configuration page is displayed.
# Set the user isolation mode to All isolation, and the upstream and downstream rate
limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.


# Click Apply. In the dialog box that is displayed, click OK.


4. Set the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles in Radio Management are
displayed.

# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 1 and transmit power to 127 dBm. Disable automatic channel and
power calibration functions. The configuration of Radio 1 is similar to the configuration
of Radio 0, and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


5. Configure the AP to work in dual-5G mode. This step is only for APs that support
switching between 2.4G and 5G radios.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click the icon next to Radio
Management. The profiles in Radio Management are displayed.

# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.


# Click Apply. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this step if the
AP has been configured to work in dual-5G mode. Go to the next step to create the 5G
radio profile and bind the 5G radio profile to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.


# Click Apply. In the dialog box that is displayed, click OK.


7. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. The 5G Radio Profile page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.


8. Create the RRM profile and adjust RRM profile parameters.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. Click the icon in front of 2G Radio Profile. Profiles in the 2G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new RRM
profile configuration page is displayed.
# On the Advanced Configuration tab, enable airtime fair scheduling; enable smart
roaming; configure the SNR-based roaming trigger mode; and set the SNR threshold to
15 dB.

# Click Apply. In the dialog box that is displayed, click OK.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. Click the icon in front of 5G Radio Profile. Profiles in the 5G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that is
displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.


2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.

----End

5.1.4 Example for Configuring WLAN Backhaul

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding

Figure 5-4 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 5-5 AP data planning


| AP | Type | MAC Address |
|---|---|---|
| AP_1 | AP8130DN | 60de-4474-9640 |
| AP_2 | AP8130DN | dcd2-fc04-b500 |
| AP_3 | AP8130DN | dcd2-fc96-e4c0 |


Table 5-6 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. Switch_A functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100 |
| WDS mode | Radio 1 on AP_1: root; Radio 1 on AP_2: leaf; Radio 0 on AP_2: root; Radio 1 on AP_3: leaf |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Wireless service security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| WDS link security profile | Name: wds-security; Security policy: WPA2+PSK+AES; Password type: PASS-PHRASE; Password: a1234567 |
| WDS whitelist profile | Name: wds-list1; AP MAC address: MAC address of AP_2 (leaf) |
| WDS whitelist profile | Name: wds-list2; AP MAC address: MAC address of AP_3 (leaf) |
| WDS profile | Name: wds-root; WDS name: wlan-wds; WDS working mode: root; Tagged VLAN: VLAN 101; Referenced profile: security profile wds-security |
| WDS profile | Name: wds-leaf; WDS name: wlan-wds; WDS working mode: leaf; Tagged VLAN: VLAN 101; Referenced profile: security profile wds-security |
| AP group | Name: ap-group1; Root APs, such as AP_1, are added to the group; Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and regulatory domain profile default |
| AP group | Name: ap-group2; Root and leaf APs, such as AP_2, are added to the group; Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default |
| AP group | Name: ap-group3; Leaf APs, such as AP_3, are added to the group; Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default |

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.


b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit


# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.


# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.


2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure wireless services.
1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.

3. Click Next. The Security Authentication page is displayed.


4. Configure the key authentication mode, AES algorithm, and key.

5. Click Next. The Access Control page is displayed.


6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure AP_1.
1. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Select Display all profiles. Choose WDS >
WDS Profile. The WDS Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-root, set Radio to 1, and click OK.
# Choose WDS > WDS Profile > wds-root. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.


NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-security and configure the security policy.

# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.

# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.

# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create WDS whitelist profile wds-list1 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.


# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID 1. The AP customized settings page is displayed.

# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.

# Disable automatic channel and power calibration. Set the channel parameters to 40+ MHz
and 157. Set the bridge distance to 4.

# Click Apply. In the dialog box that is displayed, click OK.

# Configure radio 0 in the same way. Disable automatic channel and power calibration
and set the channel parameters to 20 MHz and 6.

Step 7 Configure AP_3.


1. Create WDS profile wds-leaf and configure the WDS working mode and tagged VLAN.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.

# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.

# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.


# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration. Set parameters for Radio0. Set Channel to 20
MHz and 11.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
Step 8 Configure AP_2.
1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click Add to configure the WDS whitelist.

# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.


# Click the AP ID 2. The AP customized settings page is displayed.


# Choose Radio Management > Radio0. The Radio 0 Settings(2.4G) page is
displayed.
# Set Radio0 to switch to the 5 GHz frequency band. Disable automatic channel and
power calibration. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the
bridge distance to 4.

# Click Apply. In the dialog box that is displayed, click OK.


# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the coverage distance
to 4. The configuration is the same as that for Radio0, and is not mentioned here.
Step 9 Verify the configuration.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If so, the
APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online successfully
and obtains an IP address.

----End
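
The cross-checks implied by Table 5-6 and Steps 6 to 8 (matching channels on each root/leaf pair, the leaf MAC present in the root's whitelist, usable passphrases) can be run against the plan before it is entered on the AC. The following Python lint is an added example, not part of the Huawei document: function and variable names are hypothetical, the 16-character passphrase threshold is an assumed local policy, and the plan values are copied from this example.

```python
import re

MIN_PSK_LEN = 16  # assumption: local policy threshold, not a Huawei requirement


def norm_mac(mac):
    """Normalise aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to Huawei's xxxx-xxxx-xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


# Values taken from Table 5-5, Table 5-6 and Steps 6 to 8 of this example.
APS = {
    "AP_1": {"mac": "60de-4474-9640"},
    "AP_2": {"mac": "dcd2-fc04-b500"},
    "AP_3": {"mac": "dcd2-fc96-e4c0"},
}
RADIOS = {  # (AP, radio ID) -> WDS role, channel, bandwidth
    ("AP_1", 1): {"role": "root", "channel": 157, "bw": "40+"},
    ("AP_2", 1): {"role": "leaf", "channel": 157, "bw": "40+"},
    ("AP_2", 0): {"role": "root", "channel": 149, "bw": "40+"},
    ("AP_3", 1): {"role": "leaf", "channel": 149, "bw": "40+"},
}
LINKS = [  # root radio, leaf radio, whitelist bound to the root radio
    {"root": ("AP_1", 1), "leaf": ("AP_2", 1), "whitelist": "wds-list1"},
    {"root": ("AP_2", 0), "leaf": ("AP_3", 1), "whitelist": "wds-list2"},
]
WHITELISTS = {"wds-list1": ["dcd2-fc04-b500"], "wds-list2": ["dcd2-fc96-e4c0"]}
KEYS = {"wlan-net": "a1234567", "wds-security": "a1234567"}


def lint_plan(aps, radios, links, whitelists, keys):
    """Return a list of (severity, message) findings for a hand-in-hand WDS plan."""
    findings = []
    for link in links:
        (root_ap, root_id), (leaf_ap, leaf_id) = link["root"], link["leaf"]
        root, leaf = radios[link["root"]], radios[link["leaf"]]
        name = f"{root_ap}/radio{root_id} -> {leaf_ap}/radio{leaf_id}"
        wl_name = link["whitelist"]
        if (root["role"], leaf["role"]) != ("root", "leaf"):
            findings.append(("ERROR", f"{name}: roles must be root -> leaf"))
        # Both ends of a WDS link must sit on the same channel and bandwidth.
        if (root["channel"], root["bw"]) != (leaf["channel"], leaf["bw"]):
            findings.append(("ERROR", f"{name}: channel/bandwidth differ"))
        # The root radio only accepts leaf APs listed in its whitelist.
        allowed = {norm_mac(m) for m in whitelists.get(wl_name, [])}
        leaf_mac = norm_mac(aps[leaf_ap]["mac"])
        if leaf_mac not in allowed:
            findings.append(("ERROR", f"{name}: leaf MAC missing from {wl_name}"))
        extra = allowed - {leaf_mac}
        if extra:
            findings.append(("WARN", f"{wl_name}: unplanned entries {sorted(extra)}"))
    by_key = {}
    for profile, psk in keys.items():
        by_key.setdefault(psk, []).append(profile)
        # A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters.
        if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
            findings.append(("ERROR", f"{profile}: not a valid passphrase"))
        elif len(psk) < MIN_PSK_LEN:
            findings.append(("WARN", f"{profile}: passphrase under {MIN_PSK_LEN} chars"))
    for profiles in by_key.values():
        if len(profiles) > 1:
            findings.append(("WARN", f"passphrase shared by {sorted(profiles)}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_plan(APS, RADIOS, LINKS, WHITELISTS, KEYS):
        print(severity, message)
```

On the plan as documented it reports no errors and three warnings: both security profiles use the 8-character sample passphrase a1234567, and the WDS backhaul link shares it with the STA-facing SSID.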

5.1.5 Example for Configuring Rail Transportation WLAN Services

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 5-5 Networking for configuring vehicle-ground fast link handover


Data Planning

Table 5-7 AP information

| AP | Type | MAC Address |
|---|---|---|
| Trackside AP (L1_001) | AP9132DN | 0046-4b59-1d10 |
| Trackside AP (L1_003) | AP9132DN | 0046-4b59-1d20 |
| Trackside AP (L1_010) | AP9132DN | 0046-4b59-1d30 |
| Trackside AP (L1_150) | AP9132DN | 0046-4b59-1d40 |
| Trackside AP (L1_160) | AP9132DN | 0046-4b59-1d50 |
| Trackside AP (L1_170) | AP9132DN | 0046-4b59-1d60 |
| ... | | |
| Vehicle-mounted AP (in the front) | AP9132DN | 0046-4b59-2e10 |
| Vehicle-mounted AP (in the rear) | AP9132DN | 0046-4b59-2e20 |
| ... | | |

Table 5-8 Data planning

| Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Multicast service VLAN | VLAN 101 |
| Service VLAN for STAs | VLAN 200 |
| DHCP server | Configure the AC as a DHCP server to assign IP addresses to trackside APs; Configure Switch_A as a DHCP server to assign IP addresses to vehicle-mounted terminals |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| Gateway address | IP address of VLANIF 101 on Switch_A: 10.23.224.1/24 |
| IP address pool for trackside APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for vehicle-mounted terminals | 10.23.224.4-10.23.224.254/24 |
| AP group to which trackside APs belong | Name: mesh-mpp |
| IDs of trackside APs | Trackside AP (L1_001): 1; Trackside AP (L1_003): 2; Trackside AP (L1_010): 3; Trackside AP (L1_150): 101; Trackside AP (L1_160): 102; Trackside AP (L1_170): 103 |
| AP wired port profile | Name: wired-port |
| Security profile | Name: sp01; Security policy: WPA2+PSK+AES; Password type: PASS-PHRASE; Authentication key: a1234567 |
| Mesh profile | Trackside APs: Name: mesh-net, Identifier: mesh-net. Vehicle-mounted APs: Name: mesh-net, Identifier: mesh-net |
| Mesh handover profile | Trackside APs: Name: hand-over. Vehicle-mounted APs: Name: hand-over |
| Mesh whitelist on trackside APs | Name: whitelist01. Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the whitelist according to actual situations. |
| MAC address of the proxied ground device | Gateway: 707b-e8e9-d328; Network management device: 286e-d488-12cd; Multicast source: 286e-d488-b6ab |
| MAC address of the proxied vehicle-mounted device | Vehicle-mounted terminal_1: 286e-d488-d359; Vehicle-mounted terminal_2: 286e-d488-d270 |
| Multicast group | 225.1.1.1-225.1.1.3 |

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.


# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.


[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit


# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000
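
The group filter in ACL 2000 can be checked offline against the planned multicast range 225.1.1.1-225.1.1.3 from Table 5-8. The following Python code is an added example, not Huawei code: it parses the rule lines shown in Step 1, applies wildcard-mask matching in listed order (an assumption about match order), and returns "no-match" rather than assuming the device's default action. Function names are hypothetical and the second rule set is constructed for comparison.

```python
import ipaddress
import re

# Matches the basic-ACL rule lines as typed in this example; an optional
# rule ID is accepted but not used for ordering.
RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+source\s+(\d+(?:\.\d+){3})\s+(\S+)")

# Rules copied from the Switch_A configuration in Step 1.
PAGE_ACL = """
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
"""
# Constructed for comparison: a single wildcard rule that looks equivalent.
WIDE_ACL = "rule permit source 225.1.1.0 0.0.0.3"
PLANNED = ["225.1.1.1", "225.1.1.2", "225.1.1.3"]


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_rules(cli_text):
    """Return [(action, base, care_mask)] in the order the rules are listed."""
    rules = []
    for line in cli_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        action, addr, wild = m.groups()
        # "0" is shorthand for wildcard 0.0.0.0 (exact match); wildcard bits
        # set to 1 are ignored when comparing addresses.
        wildcard = 0 if wild == "0" else to_int(wild)
        care = ~wildcard & 0xFFFFFFFF
        rules.append((action, to_int(addr) & care, care))
    return rules


def match(rules, group):
    """First matching rule wins; 'no-match' leaves the default to the device."""
    g = to_int(group)
    for action, base, care in rules:
        if (g & care) == base:
            return action
    return "no-match"


def audit(rules, planned, probe_net):
    """Return (planned groups not permitted, permitted groups not planned)."""
    permitted = {a for a in ipaddress.ip_network(probe_net)
                 if match(rules, str(a)) == "permit"}
    wanted = {ipaddress.IPv4Address(p) for p in planned}
    missing = sorted(wanted - permitted)
    extra = sorted(permitted - wanted)
    return [str(a) for a in missing], [str(a) for a in extra]


if __name__ == "__main__":
    for label, text in (("page ACL", PAGE_ACL), ("wide ACL", WIDE_ACL)):
        missing, extra = audit(parse_rules(text), PLANNED, "225.1.1.0/28")
        print(label, "missing:", missing, "extra:", extra)
```

With the three host rules from this example the permitted set equals the plan; the constructed 0.0.0.3 wildcard rule additionally permits 225.1.1.0.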

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure trackside APs


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to mesh-mpp and click OK.


3. Configure Mesh parameters for the MPPs.

# In AP Group List, select the AP group mesh-mpp.

# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.


– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The MAC addresses are added to the Mesh whitelist.

Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.


5. Configure a Mesh profile.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group mesh-mpp. Select Display all profiles and
choose Mesh > Mesh Profile. The Mesh Profile List page is displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name to
mesh-net.
# Click OK.
6. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set Profile
name to hand-over and click OK. The Mesh profile configuration page is displayed.
# Set Position-based handover algorithm to ON.

# Click Apply. In the dialog box that is displayed, click OK.


7. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.


# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in tagged mode, and set the Port PVID to
101.

# Click OK. In the dialog box that is displayed, click OK.


Step 4 Configure a vehicle-mounted AP.
NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of the
train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create. On the
Create VLAN page that is displayed, set VLAN ID to 101.


# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.

# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.


# Click Create. The Create Security Profile page is displayed.


# Set Profile name to sp01 and click OK. The Security Profile page is displayed.
# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE, and
Password to a1234567.

# Click Apply. In the dialog box that is displayed, click OK.


4. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh Handover
Profile page is displayed.
# Click Create and create the Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.
# Set Position-based handover algorithm to ON and Moving direction to forward.
Click Apply. In the dialog box that is displayed, click OK.

Step 5 Add proxied devices on the vehicle-mounted AP


# Add proxied ground devices. Add the MAC addresses of Switch_A, the network management
device, and the multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground Device.
Click Create and add MAC addresses of proxied ground devices. In this example, MAC
addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-b6ab are added. Click OK.


# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.

# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.

Step 6 Configure IGMP snooping on the vehicle-mounted AP

# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping. Set
IGMP-Snooping to ON in Global Setting.

# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

Step 7 Verify the configuration.


1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to view
Mesh link information. If Mesh links are set up successfully, information about Mesh
links is displayed.

2. Verify the configuration on the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.


# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Field
Strength to view field strength of the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Roaming
Trace to view the roaming trace of the vehicle-mounted AP.

----End

5.1.6 Example for Configuring Agile Distributed Wi-Fi Services


Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-6 Networking for configuring an agile distributed WLAN

Data Planning

Table 5-9 AC data planning

| Item | Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs. |
| IP address pool for central APs and RUs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.


NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.


# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Configure the RU channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End


5.1.7 Example for Configuring Rogue Device Detection and Containment

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.

The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing a great threat
to the enterprise network. To prevent such attacks, rogue device detection and containment
can be configured on authorized APs. The AC can then detect rogue AP area_2 (neither
managed by the AC nor in the authorized AP list) and prevent STAs from associating with
it.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-7 Networking for configuring rogue device detection and containment


Data Planning

Table 5-10 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and WIDS profile wlan-wids; Working mode of the AP radio: normal; Rogue device detection and containment: enabled |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| WIDS profile | Name: wlan-wids; Rogue device containment mode: containment against rogue APs using spoofing SSIDs |

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
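
The detect-then-contain decision described in the roadmap and note above, as a simplified Python model added here (it is not Huawei's WIDS implementation or code from this guide). All neighbour BSSIDs except area_1's MAC are constructed, and treating an AP's MAC address as its BSSID is an assumption made for the model.

```python
import re
from dataclasses import dataclass

# Values taken from this example's data plan and procedure.
SERVICE_SSID = "wlan-net"              # SSID profile wlan-net
SERVICE_CHANNELS = {6, 149}            # radio 0 / radio 1 channels set in Step 6
MANAGED_AP_MACS = {"60de-4476-e360"}   # area_1 (assumed equal to its BSSID)
# Constructed value: a neighbour AP that was put on the authorized AP list.
AUTHORIZED_AP_MACS = {"0200-0000-00d5"}


@dataclass(frozen=True)
class Beacon:
    """One neighbour AP heard by an authorized AP during a channel scan."""
    bssid: str
    ssid: str
    channel: int


def normalize_mac(mac: str) -> str:
    """Reduce xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx and xxxx.xxxx.xxxx to 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(beacon, managed, authorized, protected_ssids):
    """Rogue = neither managed by the AC nor on the authorized AP list."""
    mac = normalize_mac(beacon.bssid)
    if mac in managed or mac in authorized:
        return "authorized"
    if beacon.ssid in protected_ssids:
        return "rogue-spoof-ssid"      # the only class this WIDS profile contains
    return "rogue"                     # detected and reported, not contained


def can_contain(beacon, verdict, work_mode, service_channels):
    """Normal-mode radios contain only on the channel that carries WLAN service."""
    if verdict != "rogue-spoof-ssid":
        return False
    if work_mode == "monitor":         # all channels, but no WLAN service
        return True
    if work_mode == "normal":
        return beacon.channel in service_channels
    raise ValueError(f"unknown work mode: {work_mode!r}")


def evaluate(beacons, work_mode="normal"):
    """Return (bssid, verdict, contained) for every scanned beacon."""
    managed = {normalize_mac(m) for m in MANAGED_AP_MACS}
    authorized = {normalize_mac(m) for m in AUTHORIZED_AP_MACS}
    report = []
    for b in beacons:
        verdict = classify(b, managed, authorized, {SERVICE_SSID})
        contained = can_contain(b, verdict, work_mode, SERVICE_CHANNELS)
        report.append((normalize_mac(b.bssid), verdict, contained))
    return report


def containment_gaps(beacons, work_mode="normal"):
    """SSID spoofers that are detected but stay uncontained in this work mode."""
    return [mac for mac, verdict, contained in evaluate(beacons, work_mode)
            if verdict == "rogue-spoof-ssid" and not contained]


# Constructed scan results, written in the MAC notations different tools emit.
SAMPLE_SCAN = [
    Beacon("60:DE:44:76:E3:60", "wlan-net", 6),       # area_1, managed by the AC
    Beacon("0200-0000-00a2", "wlan-net", 6),          # area_2 on a service channel
    Beacon("02:00:00:00:00:b3", "wlan-net", 11),      # spoofer off the service channel
    Beacon("0200.0000.00c4", "cafe-guest", 6),        # unrelated neighbour
    Beacon("02-00-00-00-00-D5", "partner-net", 149),  # on the authorized AP list
]

if __name__ == "__main__":
    for mode in ("normal", "monitor"):
        print(mode)
        for row in evaluate(SAMPLE_SCAN, mode):
            print("  ", row)
        print("   uncontained spoofers:", containment_gaps(SAMPLE_SCAN, mode))
```

The off-channel spoofer is the case to watch: in normal mode it is reported but not contained, which is the trade-off the note describes between keeping WLAN service and covering all channels.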

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.


# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure rogue device detection and containment.


1. Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page is
displayed.

# Configure radio 0 to work in normal mode, and enable rogue device detection and
containment.

# Click Apply. In the Info dialog box that is displayed, click OK.

# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.

# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.

# Configure the containment mode against rogue APs using spoofing SSIDs.


# Click Apply. In the Info dialog box that is displayed, click OK.
Step 8 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
• Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.

----End
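
The check that spoofing-SSID containment depends on, sketched as an added example (not Huawei's code or algorithm): each scanned beacon is compared with the managed AP list and the protected SSID. The record fields, the look-alike rule and every BSSID other than the AP MAC from the template step are constructed assumptions.

```python
"""Added example: classify scanned APs for a spoofing-SSID containment policy.

Not Huawei's implementation. Field names, the look-alike rule and the sample
beacons are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Characters often swapped to make an SSID resemble the real one (assumed rule).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-"})


def normalize_ssid(ssid):
    """Fold case, whitespace and look-alike characters before comparing SSIDs."""
    return "".join(ssid.lower().split()).translate(LOOKALIKES)


@dataclass(frozen=True)
class Beacon:
    bssid: str      # MAC address of the radio that sent the beacon
    ssid: str
    channel: int
    rssi_dbm: int


def classify(beacon, managed_bssids, protected_ssids):
    """Return 'authorized', 'spoof-ssid-rogue' or 'other' for one beacon."""
    managed = {m.lower() for m in managed_bssids}
    if beacon.bssid.lower() in managed:
        return "authorized"
    protected = {normalize_ssid(s) for s in protected_ssids}
    if normalize_ssid(beacon.ssid) in protected:
        # Unmanaged radio advertising our SSID (or a look-alike of it).
        return "spoof-ssid-rogue"
    return "other"


def containment_candidates(beacons, managed_bssids, protected_ssids):
    """BSSIDs a spoofing-SSID containment mode would act on, strongest signal first."""
    rogues = [b for b in beacons
              if classify(b, managed_bssids, protected_ssids) == "spoof-ssid-rogue"]
    rogues.sort(key=lambda b: b.rssi_dbm, reverse=True)
    return [b.bssid for b in rogues]


# Constructed sample scan. Only 60de-4476-e360 (the AP MAC used on this page)
# is treated as managed; the other BSSIDs are made up.
SAMPLE_BEACONS = [
    Beacon("60de-4476-e360", "wlan-net", 6, -40),
    Beacon("0011-2233-4455", "wlan-net", 6, -55),
    Beacon("0011-2233-4466", "WLAN_NET", 11, -48),
    Beacon("0011-2233-4477", "coffee-shop", 1, -70),
    Beacon("0011-2233-4488", "w1an-net", 149, -80),
]

if __name__ == "__main__":
    managed = {"60de-4476-e360"}
    for b in SAMPLE_BEACONS:
        print(b.bssid, repr(b.ssid), classify(b, managed, ["wlan-net"]))
    print("contain:", containment_candidates(SAMPLE_BEACONS, managed, ["wlan-net"]))
```

Neighbouring networks with unrelated SSIDs land in "other" and are left alone, which is why the managed list has to be complete before containment is enabled.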

5.2 WLAN Basic Networking Configuration Examples (FAT AP)
5.2.1 Example for Configuring Fat AP Layer 2 Networking

Networking Requirements
As shown in Figure 5-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Router functions as a DHCP server to assign IP addresses to STAs.


Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services

[Figure 5-8 labels: Service VLAN: 101; Fat AP; GE0/0/0; VLAN 101: 10.23.101.2/24; Router]

Data planning
Item | Data
Service VLAN for STAs | VLAN 101
DHCP server | Router functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs | 10.23.101.3 to 10.23.101.254/24
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure Router as a DHCP server to assign IP addresses to STAs.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.

Procedure
Step 1 Configure Router as a DHCP server to assign IP addresses to STAs.

# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure basic WLAN services.


1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.

# Click Next. The IP and Rate page is displayed.


# Set IP address parameters.

# Click Finish.


3. Configure Internet connection parameters.


# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 101 in tagged mode.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

# Click Finish.
Step 3 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions of Radio 1, and set the AP channel to 20-MHz channel
149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 4 Configure the VLANIF interface.
1. Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
2. Select VLAN 101. On the Modify VLAN page, set the IP address of VLANIF 101 to
10.23.101.2/24.


3. Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. STAs can associate with the WLAN and obtain IP addresses on the network segment
10.23.101.x/24.


3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.

----End

5.2.2 Example for Configuring Fat AP Layer 3 Networking

Networking Requirements
As shown in Figure 5-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.


Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services

[Figure 5-9 labels: Service VLAN: 101; Fat AP; GE0/0/0; VLAN 200: 10.23.200.1/24; Router]

Data planning
Item | Data
Service VLAN for STAs | VLAN 101
DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router to communicate with the AP.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit

Step 2 Configure basic WLAN services.


1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.

# Click Next. The IP and Rate page is displayed.


# Set IP address parameters.
NOTE

Configure the DNS server address as required.


# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.


# Click Finish.
Step 3 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions of Radio 1, and set the AP channel to 20-MHz channel
149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 4 Configure Layer 3 network connectivity.
1. Create a VLANIF interface.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
10.23.200.1/24.


# Click OK.
2. Configure a default route.

# Choose Configuration > IP Service > Route. The Route page is displayed.

# Click Create in Static Route Configuration Table and create a static route.


# Click OK.

Step 5 Verify the configuration.


1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address on 10.23.101.x/24; its
gateway address is 10.23.101.1.

3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.

----End

5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT

Networking Requirements
As shown in Figure 5-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.

The requirements are as follows:


• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
are translated to the IP address of the Fat AP outbound interface using Easy-IP for
employees to access the public network.


Figure 5-10 Networking diagram for configuring STAs to access the public network through
NAT

[Figure 5-10 labels: Service VLAN: 101; GE0/0/0; VLAN 200]

Data planning
Item | Data
Service VLAN for STAs | VLAN 101
DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
NAT Outbound | The private IP address segment 10.23.101.0/24 is mapped to the public IP address 202.169.10.1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services using the WLAN configuration wizard.
2. Configure the AP channel and transmit power.
3. Configure NAT so that users can access the public network using public IP addresses.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.


Procedure
Step 1 Configure basic WLAN services.
1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.

# Click Create. The Basic Information page is displayed.

# Configure basic information about an SSID.

# Click Next. The IP and Rate page is displayed.

# Set IP address parameters.


NOTE

Configure the DNS server address as required.

# Click Finish.
3. Configure Internet connections.


# Click Next. The Configure Internet Connection page is displayed.

# Add an interface to VLAN 200 in tagged mode.


NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

# Click Finish.

Step 2 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.

# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.

# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions of Radio 1, and set the AP channel to 20-MHz channel
149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 3 Configure Layer 3 network connectivity.
1. Create a VLANIF interface.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
202.169.10.1/24.


# Click OK.
2. Configure a default route.

# Choose Configuration > IP Service > Route. The Route page is displayed.

# Click Create in Static Route Configuration Table and create a static route.


# Click OK.
Step 4 Configure an ACL.
1. Choose Configuration > Security > ACL. The Basic ACL Settings page is displayed.
2. Click Create. On the Create Basic ACL page that is displayed, set ACL parameters.

3. Click OK.
4. In the new ACL, click Add Rule. On the Add Rule page, set ACL parameters.

5. Click OK.
Step 5 Configure NAT.
1. Choose Configuration > IP Service > NAT. The NAT page is displayed.
2. Click Create in NAT Mapping and create a NAT mapping.

3. Click OK.
Step 6 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address on 10.23.101.x/24; its
gateway address is 10.23.101.1.


3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
4. STAs can access the public network successfully.

----End
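
What the ACL and the NAT mapping from Steps 4 and 5 do to traffic, as an added model (not the Fat AP's implementation): Easy-IP rewrites permitted private sources to the outbound interface address and tracks each session by port. It assumes the basic ACL permits source 10.23.101.0/24, since the rule values are not shown on this page; the class name and the port range are hypothetical.

```python
"""Added example: a minimal model of Easy-IP (NAPT to the outbound interface address).

Not the device's implementation. The starting port and the class name are
assumptions; the addresses are the ones planned on this page.
"""
import ipaddress


class EasyIpNat:
    def __init__(self, public_ip, permitted_sources, first_port=10240):
        self.public_ip = str(ipaddress.ip_address(public_ip))
        # Stand-in for the basic ACL: only these source networks are translated.
        self.permitted = [ipaddress.ip_network(n) for n in permitted_sources]
        self.next_port = first_port   # assumed start of the translation port range
        self.out = {}                 # (proto, src_ip, src_port) -> public port
        self.back = {}                # (proto, public port) -> (src_ip, src_port)

    def acl_permits(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.permitted)

    def outbound(self, proto, src_ip, src_port):
        """Translate a packet leaving through the public interface.

        Returns (public_ip, public_port), or None when the ACL does not match
        and the packet is therefore not translated.
        """
        if not self.acl_permits(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("translation port range exhausted")
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, proto, dst_port):
        """Map a reply arriving at the public address back to the private host.

        Returns (private_ip, private_port), or None when no session exists,
        which is the case for unsolicited traffic from the public side.
        """
        return self.back.get((proto, dst_port))


if __name__ == "__main__":
    nat = EasyIpNat("202.169.10.1", ["10.23.101.0/24"])
    print(nat.outbound("tcp", "10.23.101.20", 50000))   # STA in the service VLAN
    print(nat.outbound("tcp", "10.23.101.21", 50000))   # second STA, same source port
    print(nat.outbound("tcp", "10.23.200.5", 50000))    # source outside the ACL
    print(nat.inbound("tcp", 10241))                    # reply to the second STA
    print(nat.inbound("tcp", 10999))                    # no session
```

All STAs appear to the public network as 202.169.10.1, so per-user attribution has to come from the AP's own session or STA records rather than from upstream logs.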

5.3 PPPoE Configuration Examples (Fat AP)


5.3.1 Example for Configuring the Device as a PPPoE Client
Networking Requirements
As shown in Figure 5-11, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.


Figure 5-11 Networking diagram of the device functioning as the PPPoE client

Data Planning

Table 5-11 AC data planning


Item | Data
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.

Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.


Step 2 Configure the PPPoE client.


1. Choose Wizard > Config Wizard. The Config Wizard page is displayed.
2. Click Next.
3. On the 2.Configure Internet Connection page, configure PPPoE dialup.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

4. Click Finish. In the dialog box that is displayed, click OK.


Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End


5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem
Networking Requirements
As shown in Figure 5-12, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.
The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.

Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Data Planning

Table 5-12 AC data planning


Item | Data
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.

Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1

[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a VT.


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit

# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 2 Configure the PPPoE client.


1. Choose Wizard > Config Wizard. The Config Wizard page is displayed.
2. Click Next.
3. On the 2.Configure Internet Connection page, configure PPPoE dialup.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.


4. Click Finish. In the dialog box that is displayed, click OK.

Step 3 Verify the configuration.

After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End

5.4 PPPoE Configuration Examples (Fat Central AP)


5.4.1 Example for Configuring the Device as a PPPoE Client

Networking Requirements
As shown in Figure 5-13, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.

Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:

● The device establishes a PPPoE session with the PPPoE server using PPP authentication.
● The device automatically attempts to create a dial-up connection again at intervals after
  the disconnection.


Figure 5-13 Networking diagram of the device functioning as the PPPoE client

Data Planning

Table 5-13 AC data planning

Item                                          Data

Uplink port                                   GE0/0/0
IP address allocation mode                    PPPoE dialup
User name/Password                            user1@system/huawei123
VLAN to which the PPPoE session is bound.     VLAN 100
NAT                                           Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.

Procedure
Step 1 Configure the PPPoE server.


# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
Step 2 Configure the PPPoE client.
1. Create VLAN 100 and add GE0/0/0 to VLAN 100.
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.

Select GigabitEthernet0/0/0 in Available Interface List and click . In the
Modify Link Type dialog box that is displayed, set Link type to Trunk and Mode to
Tagged.

# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.


# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.

# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.

# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.

# Click OK.

Step 3 Verify the configuration.

After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End

5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem

Networking Requirements
As shown in Figure 5-14, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.

The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.


Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Data Planning

Table 5-14 AC data planning


Item                                          Data

Uplink port                                   GE0/0/0
IP address allocation mode                    PPPoE dialup
User name/Password                            user1@system/huawei123
VLAN to which the PPPoE session is bound.     VLAN 100
NAT                                           Enabled

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.

Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1
[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a VT.


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit


# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 2 Configure the PPPoE client.


1. Create VLAN 100 and add GE0/0/0 to VLAN 100.

# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.

# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.

Select GigabitEthernet0/0/0 in Available Interface List and click . In the
Modify Link Type dialog box that is displayed, set Link type to Trunk and Mode to
Tagged.

# Click OK.
2. Add GE0/0/0 to the default VLAN 100.

# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.

# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.


# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.

# Click OK.
Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End

5.5 WLAN Basic Networking Configuration Examples


5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.


Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode

Data Planning

Table 5-15 AC data planning

Item                              Data

Management VLAN for APs           VLAN 100
Service VLAN for STAs             VLAN 101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
AC's source interface address     VLANIF 100: 10.23.100.1/24
AP group                          ● Name: ap-group1
                                  ● Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile         ● Name: default
                                  ● Country code: China
SSID profile                      ● Name: wlan-net
                                  ● SSID name: wlan-net
Security profile                  ● Name: wlan-net
                                  ● Security policy: WPA-WPA2+PSK+AES
                                  ● Password: a1234567
VAP profile                       ● Name: wlan-net
                                  ● Forwarding mode: direct forwarding
                                  ● Service VLAN: VLAN 101
                                  ● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.


# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
● Service data forwarding mode: tunnel forwarding


Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode

Data Planning

Table 5-16 AC data planning

Item                              Data

Management VLAN for APs           VLAN 100
Service VLAN for STAs             VLAN 101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
AC's source interface address     VLANIF 100: 10.23.100.1/24
AP group                          ● Name: ap-group1
                                  ● Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile         ● Name: default
                                  ● Country code: China
SSID profile                      ● Name: wlan-net
                                  ● SSID name: wlan-net
Security profile                  ● Name: wlan-net
                                  ● Security policy: WPA-WPA2+PSK+AES
                                  ● Password: a1234567
VAP profile                       ● Name: wlan-net
                                  ● Forwarding mode: tunnel forwarding
                                  ● Service VLAN: VLAN 101
                                  ● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK.


# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.


Step 3 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 5 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode

Data Planning

Table 5-17 AC data planning


Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs.
                               The default gateway address of STAs is 10.23.101.2.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory
                                 domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.


# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Data Planning

Table 5-18 AC data planning


Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs.
                               The default gateway address of STAs is 10.23.101.2.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain
                                 profile default, 2G radio profile wlan-radio2g, and 5G radio
                                 profile wlan-radio5g
Regulatory domain profile      • Name: default
                               • Country code: CN
                               • Calibration channel set: calibration bandwidth and channels
                                 for 2.4 GHz and 5 GHz radios
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net
Air scan profile               • Name: wlan-airscan
                               • Probe channel set: calibration channels
                               • Air scan interval: 60000 ms
                               • Air scan period: 60 ms
2G radio profile               • Name: wlan-radio2g
                               • Referenced profiles: air scan profile wlan-airscan
5G radio profile               • Name: wlan-radio5g
                               • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.

# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.


NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.

# Click the icon next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.


# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.
----End
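
The port isolation and VLAN requirements in the Configuration Notes can be checked mechanically against the Step 1 SwitchA sessions of the direct forwarding (5.5.3) and tunnel forwarding (5.5.4) examples. The Python check below is an added example, not part of the Huawei document; the function names, the finding texts, and the choice of GE0/0/1 as the AP-facing port (it carries the PVID and port isolation) are assumptions of this example.

```python
import re

# Step 1 SwitchA session of the direct forwarding example (5.5.3), as on the page.
DIRECT_SWITCHA = """\
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
"""
# The tunnel forwarding example (5.5.4) differs only in carrying VLAN 100 alone.
TUNNEL_SWITCHA = DIRECT_SWITCHA.replace(" 100 101", " 100")
# Constructed faulty variant: the port isolation command is dropped.
NO_ISOLATION = DIRECT_SWITCHA.replace(
    "[SwitchA-GigabitEthernet0/0/1] port-isolate enable\n", "")
AP_PORT = "GigabitEthernet0/0/1"  # assumption: the SwitchA port facing the AP

# "[Device]" is the system view, "[Device-Interface]" an interface view.
# Assumption: device names contain no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ifc>[^\]]+))?\]\s*(?P<cmd>.+)$")


def parse_vlan_list(tokens):
    """Expand ['100', '101'], ['10', 'to', '20'] or ['all'] into VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return {interface: settings} built from the interface-view lines."""
    ports = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m["ifc"]:
            continue  # user view, system view, or not a prompt line
        port = ports.setdefault(
            m["ifc"], {"pvid": 1, "allowed": set(), "isolated": False})
        words = m["cmd"].split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= parse_vlan_list(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def audit_ap_port(session, ap_port, mode, mgmt_vlan, service_vlan):
    """Check one AP-facing port; mode is 'direct' or 'tunnel'. Returns findings."""
    findings = []
    if mode == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("tunnel forwarding: management and service VLAN must differ")
    port = parse_session(session).get(ap_port)
    if port is None:
        return findings + [f"{ap_port}: no configuration found"]
    if not port["isolated"]:
        findings.append(f"{ap_port}: port-isolate enable is missing")
    if port["pvid"] != mgmt_vlan:
        findings.append(
            f"{ap_port}: PVID {port['pvid']} is not management VLAN {mgmt_vlan}")
    if mgmt_vlan not in port["allowed"]:
        findings.append(
            f"{ap_port}: management VLAN {mgmt_vlan} not in allow-pass list")
    if mode == "direct" and service_vlan not in port["allowed"]:
        findings.append(
            f"{ap_port}: direct forwarding needs service VLAN {service_vlan} "
            "in allow-pass list")
    if mode == "tunnel" and service_vlan in port["allowed"]:
        findings.append(
            f"{ap_port}: tunnel forwarding does not need service VLAN "
            f"{service_vlan} on this port")
    return findings


if __name__ == "__main__":
    cases = [("5.5.3 direct", DIRECT_SWITCHA, "direct"),
             ("5.5.4 tunnel", TUNNEL_SWITCHA, "tunnel"),
             ("no isolation (constructed)", NO_ISOLATION, "direct")]
    for name, text, mode in cases:
        print(name, audit_ap_port(text, AP_PORT, mode, 100, 101) or "OK")
```

Both sessions from the page pass for their own forwarding mode; checking the tunnel-mode session as if it were direct forwarding reports the missing service VLAN 101 on the AP-facing port.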

5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode

Data Planning

Table 5-19 AC data planning

Item                           Data
Management VLAN for APs        VLAN 10 and VLAN 100
Service VLAN for STAs          VLAN pool
                               • Name: sta-pool
                               • VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to STAs.
                               The default gateway IP addresses of STAs are 10.23.101.2 and
                               10.23.102.2.
IP address pool for APs        10.23.10.2-10.23.10.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
                               10.23.102.3-10.23.102.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, 2G radio profile
                                 wlan-radio2g, and 5G radio profile wlan-radio5g
Regulatory domain profile      • Name: default
                               • Country code: China
                               • Calibration channel set: calibration bandwidth and channels
                                 for 2.4 GHz and 5 GHz radios
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLANs in the VLAN pool
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net
Air scan profile               • Name: wlan-airscan
                               • Probe channel set: calibration channels
                               • Air scan interval: 60000 ms
                               • Air scan period: 60 ms
2G radio profile               • Name: wlan-radio2g
                               • Referenced profiles: air scan profile wlan-airscan
5G radio profile               • Name: wlan-radio5g
                               • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.


3. Select Config Wizard to configure system parameters for the AC.


4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to allocate IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.

# Click Apply. In the dialog box that is displayed, click OK.


# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.


# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.


NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.

# Click the icon next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.


# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users must be able to access the network through WLANs, which is the basic
requirement of mobile office. Their services must not be affected when they roam within the
coverage area. A VLAN pool is used to provide the service VLANs, which prevents IP address
insufficiency or waste and also reduces the number of users in each VLAN and the size of
the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 5-20 AC data planning

Item                            Data

Management VLANs for APs        VLAN 10 and VLAN 100

Service VLAN for STAs           VLAN pool
                                • Name: sta-pool
                                • VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                APs and STAs.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, 2G radio profile
                                  wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile       • Name: default
                                • Country code: China
                                • Calibration channel set: calibration bandwidth and channels
                                  for 2.4 GHz and 5 GHz radios

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Air scan profile                • Name: wlan-airscan
                                • Probe channel set: calibration channels
                                • Air scan interval: 60000 ms
                                • Air scan period: 60 ms

2G radio profile                • Name: wlan-radio2g
                                • Referenced profiles: air scan profile wlan-airscan

5G radio profile                • Name: wlan-radio5g
                                • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
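
The port isolation and VLAN separation notes can be checked against a switch command transcript before the APs go online. The following Python check is an added example, not part of the original guide: the transcript is constructed from the SwitchA commands in Step 1 of this example, and the GE0/0/3 port, the ap_facing_ports field and the finding names are assumptions made for illustration.

```python
import re

# Strips a leading CLI prompt such as "<HUAWEI>" or "[SwitchA-GigabitEthernet0/0/1]".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

# Constructed transcript modelled on Step 1 of this example. GE0/0/3 is a
# hypothetical extra AP-facing port added to show what the checks report.
SAMPLE_TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 to 102
[SwitchA-GigabitEthernet0/0/3] quit
"""

# VLANs and forwarding mode from Table 5-20; the AP-facing port list is an assumption.
SAMPLE_PLAN = {
    "forwarding_mode": "tunnel",
    "management_vlans": [10, 100],
    "service_vlans": [101, 102],
    "ap_facing_ports": ["gigabitethernet0/0/1", "gigabitethernet0/0/3"],
}


def parse_vlan_list(tokens):
    """Expand arguments such as ['10', '101', 'to', '102']; 'all' means 1-4094."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(text):
    """Return {interface: {'pvid', 'allow', 'isolated'}} from a CLI transcript."""
    ports, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).strip().lower().split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            # "interface gigabitethernet 0/0/1" -> "gigabitethernet0/0/1"
            current = ports.setdefault(
                "".join(words[1:]),
                {"pvid": None, "allow": set(), "isolated": False})
        elif words[0] == "quit":
            current = None
        elif current is None:
            continue  # system-view level command, not relevant here
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            current["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allow"] |= parse_vlan_list(words[4:])  # explicitly allowed VLANs
        elif words[:2] == ["port-isolate", "enable"]:
            current["isolated"] = True
    return ports


def audit(transcript, plan):
    """Check a transcript against the Configuration Notes; return (scope, finding) pairs."""
    findings = []
    mgmt, service = set(plan["management_vlans"]), set(plan["service_vlans"])
    tunnel = plan["forwarding_mode"] == "tunnel"
    # Note 3: management and service VLANs must differ in tunnel forwarding mode.
    if tunnel and mgmt & service:
        findings.append(("plan", "management-vlan-equals-service-vlan"))
    ports = parse_interfaces(transcript)
    for name in plan["ap_facing_ports"]:
        port = ports.get(name)
        if port is None:
            findings.append((name, "port-not-in-config"))
            continue
        # Note 2: port isolation on interfaces directly connected to APs.
        if not port["isolated"]:
            findings.append((name, "port-isolation-missing"))
        # Step 1 sets the default VLAN of the AP-facing port to a management VLAN.
        if port["pvid"] not in mgmt:
            findings.append((name, "pvid-not-management-vlan"))
        # Note 3: in tunnel mode only management VLAN traffic runs between AC and APs.
        if tunnel and port["allow"] & service:
            findings.append((name, "service-vlan-on-ap-link-in-tunnel-mode"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_TRANSCRIPT, SAMPLE_PLAN):
        print(f"{scope}: {finding}")
```

GE0/0/1, configured as in Step 1, produces no findings; the hypothetical GE0/0/3 is reported for all three port-level checks.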

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit


# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure DHCP relay.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.


# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102 to
10.23.102.1/24, DHCP status to ON, and DHCP type to Interface address pool.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.


# Click the icon next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.


# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users must be able to access the network through WLANs, which is the basic
requirement of mobile office. Their services must not be affected when they roam within the
coverage area. A VLAN pool is used to provide the service VLANs, which prevents IP address
insufficiency or waste and also reduces the number of users in each VLAN and the size of
the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode


Data Planning

Table 5-21 AC data planning


Item                            Data

Management VLANs for APs        VLAN 10 and VLAN 100

Service VLAN for STAs           VLAN pool
                                • Name: sta-pool
                                • VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                The aggregation switch functions as a DHCP server for STAs.
                                The default gateway IP addresses of STAs are 10.23.101.2 and
                                10.23.102.2.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit


# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.


# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Data Planning

Table 5-22 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| VLAN pool | Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.


# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.


2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.


Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.
----End
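
The Configuration Notes on port isolation and on keeping service VLANs off the AC-AP path in tunnel mode, together with the SwitchA trunk settings in Step 1 of 5.5.7 and 5.5.8, can be checked mechanically. The Python audit below is an added example, not Huawei's code: it assumes that AP-facing ports are the trunks whose PVID is the management VLAN, and the function names, finding labels and the BAD_TUNNEL transcript are constructed for illustration.

```python
import re

# SwitchA transcript from Step 1 of 5.5.7 (direct forwarding), copied from above.
DIRECT_SWITCHA = """\
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
"""
# 5.5.8 (tunnel forwarding) differs only in carrying VLAN 10 alone on SwitchA.
TUNNEL_SWITCHA = DIRECT_SWITCHA.replace(" 10 101 102", " 10")
# Constructed misconfiguration: tunnel mode, but the AP port still trunks
# service VLANs (using the "to" range form) and has no port isolation.
BAD_TUNNEL = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 to 102
[SwitchA-GigabitEthernet0/0/1] quit
"""

# "[device-view] command"; the view part is absent in the system view.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s+(?P<cmd>.+)$")


def expand_vlans(tokens):
    """Turn ['10', '100', 'to', '102'] into {10, 100, 101, 102}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(transcript):
    """Collect PVID, allowed VLANs and isolation state per interface view."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m["view"]:
            continue  # user-view and system-view lines carry no port settings
        port = ports.setdefault(
            m["view"], {"pvid": None, "allow": set(), "isolated": False})
        cmd = m["cmd"].split()
        if cmd[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(cmd[4])
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allow"] |= expand_vlans(cmd[4:])
        elif cmd == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def audit(transcript, mode, mgmt_vlan, service_vlans):
    """Return (interface, finding) pairs for AP-facing ports."""
    if mode not in ("direct", "tunnel"):
        raise ValueError("mode must be 'direct' or 'tunnel'")
    service_vlans = set(service_vlans)
    findings = []
    if mode == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(("*", "mgmt-vlan-is-service-vlan"))
    # Direct forwarding: STA traffic leaves the AP tagged, so the AP port needs
    # the service VLANs. Tunnel forwarding: only the management VLAN is needed.
    expected = {mgmt_vlan} | (service_vlans if mode == "direct" else set())
    for name, port in parse_ports(transcript).items():
        if port["pvid"] != mgmt_vlan:
            continue  # assumption: AP-facing port == PVID is the management VLAN
        if not port["isolated"]:
            findings.append((name, "no-port-isolate"))
        extra = sorted(port["allow"] - expected)
        missing = sorted(expected - port["allow"])
        if extra:
            findings.append((name, "extra-vlans:" + ",".join(map(str, extra))))
        if missing:
            findings.append((name, "missing-vlans:" + ",".join(map(str, missing))))
    return findings


if __name__ == "__main__":
    for label, text, mode in (("5.5.7", DIRECT_SWITCHA, "direct"),
                              ("5.5.8", TUNNEL_SWITCHA, "tunnel"),
                              ("constructed", BAD_TUNNEL, "tunnel")):
        print(label, mode, audit(text, mode, 10, {101, 102}) or "OK")
```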

5.5.9 Example for Configuring NAT Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.

Networking Requirements
• AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-23 Networking for configuring NAT traversal between the AC and APs

Data Planning

Table 5-23 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 200 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Router_1 functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 200: 10.23.200.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| NAT Outbound | Router_1: translates the private IP addresses in the network segment 10.23.100.0/24 to the public IP addresses in the network segment 2.2.2.1. |
| Static NAT | Router_2: translates the private IP addresses in the network segment 10.23.200.1 to the public IP addresses in the network segment 3.3.3.3. |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

Step 3 Configure NAT.

# Configure outbound NAT on Router_1.


[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit

# Configure static NAT on Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit
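
Steps 2 and 3 depend on each other: the address that Option 43 hands to the APs must be the static NAT global address on Router_2, and that mapping must land on the AC's source interface. The following check is an added example, not part of the Huawei guide; it assumes sub-option 3 is encoded as a one-byte type, a one-byte length and a comma-separated ASCII address list, and the function names and sample bytes are constructed for illustration.

```python
import ipaddress


def encode_suboption3(ac_addresses):
    """Build the Option 43 payload: type 3, length, comma-separated ASCII addresses."""
    text = ",".join(str(ipaddress.ip_address(a)) for a in ac_addresses).encode("ascii")
    if len(text) > 255:
        raise ValueError("sub-option value does not fit in a one-byte length")
    return bytes([3, len(text)]) + text


def decode_option43(payload):
    """Walk the type-length-value sub-options and return {type: value bytes}."""
    suboptions, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        kind, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        suboptions[kind] = value
        i += 2 + length
    return suboptions


def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 3 (empty list if absent)."""
    raw = decode_option43(payload).get(3, b"")
    return [ipaddress.ip_address(p) for p in raw.decode("ascii").split(",") if p]


def check_nat_discovery(payload, nat_global, nat_inside, ac_source):
    """Cross-check the DHCP offer against the static NAT mapping on Router_2."""
    glob = ipaddress.ip_address(nat_global)
    inside = ipaddress.ip_address(nat_inside)
    source = ipaddress.ip_address(ac_source)
    acs = advertised_acs(payload)
    findings = []
    if glob not in acs:
        findings.append("Option 43 does not advertise the static NAT global address")
    if source in acs and source != glob:
        findings.append("Option 43 advertises the AC's private address")
    if inside != source:
        findings.append("static NAT inside address is not the AC source address")
    return findings


# Constructed capture: the payload an AP would receive for
# "option 43 sub-option 3 ascii 3.3.3.3" configured on Router_1.
OFFER_OPTION43 = bytes.fromhex("0307332e332e332e33")

if __name__ == "__main__":
    print(advertised_acs(OFFER_OPTION43))
    print(check_nat_discovery(OFFER_OPTION43, "3.3.3.3", "10.23.200.1", "10.23.200.1"))
```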

Step 4 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 200 is configured.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif200.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 5 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.

2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 6 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 7 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.10 Example for Configuring VPN Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection on traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect traffic.

Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
  branch.
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-24 Networking for configuring VPN traversal between the AC and APs

Data Planning

Table 5-24 AC data planning

Item | Data

WLAN service data planning on the AC
Management VLAN for APs | VLAN 200
Service VLAN for STAs | VLAN 101
DHCP server | Router_1 functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
AC's source interface address | VLANIF 200: 10.23.200.1/24
AP group | • Name: ap-group1
 | • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | • Name: default
 | • Country code: China
SSID profile | • Name: wlan-net
 | • SSID name: wlan-net
Security profile | • Name: wlan-net
 | • Security policy: WPA-WPA2+PSK+AES
 | • Password: a1234567
VAP profile | • Name: wlan-net
 | • Forwarding mode: direct forwarding
 | • Service VLAN: VLAN 101
 | • Referenced profiles: SSID profile wlan-net and security profile wlan-net

IPSec data planning on Router_2
IKE parameters | • IKE version: IKEv1
 | • Negotiation mode: main
 | • Peer IP address: 202.138.162.1
 | • Authentication mode: pre-shared key authentication
 | • Pre-shared key: huawei@1234
 | • Authentication algorithm: SHA2-256
 | • Encryption algorithm: AES-128
 | • DH group number: group14
IPSec parameters | • Security protocol: ESP
 | • ESP negotiation mode: main
 | • ESP authentication algorithm: SHA2-256
 | • ESP encryption algorithm: AES-128
 | • Encapsulation mode: tunnel
IPSec policy | • Connection name: map1
 | • Interface name: gigabitethernet 0/0/1
 | • Networking mode: branch site
 | • Connection number: 10
 | • ACL number: 3101

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 4 Configure IPSec.


1. Create an IPSec proposal on Router_2 and Router_1.
# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

# Create an IPSec proposal on Router_1.


[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.


# Create an IKE proposal on Router_2.
[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.


[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.

# Configure an IPSec policy in IKE negotiation mode on Router_2.


[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy in IKE negotiation mode on Router_1.


[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit

4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.

# Apply the IPSec policy to the interface of Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.


[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit
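
The tunnel comes up, and covers the AP-to-AC management traffic, only if the settings entered on Router_1 and Router_2 in Steps 1, 3 and 4 agree with each other. The following pre-deployment check is an added example, not part of the Huawei guide; the parser, the function names and the flattened script layout (prompts removed, view bodies indented) are assumptions made for the example, and the sample scripts are constructed from the commands above.

```python
import ipaddress
import re

# Constructed input: the commands from Steps 1, 3 and 4 as typed, prompts removed.
# Both ends share one template because they differ only in the substituted fields.
TEMPLATE = """\
interface gigabitethernet 0/0/1
 ip address {local} 255.255.255.0
 ipsec policy {policy}
acl number 3101
 rule permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 dh group14
ike peer {peer}
 undo version 2
 ike-proposal 5
 pre-shared-key cipher huawei@1234
 remote-address {remote}
ipsec policy {policy} 10 isakmp
 ike-peer {peer}
 proposal tran1
 security acl 3101
"""
ROUTER_1 = TEMPLATE.format(local="202.138.162.1", remote="202.138.163.1", policy="use1",
                           peer="spua", src="10.23.100.0", dst="10.23.200.0")
ROUTER_2 = TEMPLATE.format(local="202.138.163.1", remote="202.138.162.1", policy="map1",
                           peer="spub", src="10.23.200.0", dst="10.23.100.0")


def parse(config):
    """Group indented lines under the unindented command that opens their view."""
    sections, body = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            body = sections.setdefault(line.strip(), [])
        elif body is not None:
            body.append(line.strip())
    return sections


def value(body, key):
    """Return the text after 'key ' in a view body, or None if the command is absent."""
    return next((l[len(key) + 1:] for l in body if l.startswith(key + " ")), None)


def tunnel_end(config):
    """Follow interface -> IPSec policy -> IKE peer / proposals / ACL for one router."""
    s = parse(config)
    iface = next(b for h, b in s.items()
                 if h.startswith("interface ") and value(b, "ipsec policy"))
    policy = next(b for h, b in s.items()
                  if h.startswith("ipsec policy " + value(iface, "ipsec policy") + " "))
    peer = s["ike peer " + value(policy, "ike-peer")]
    acl = " ".join(s["acl number " + value(policy, "security acl")])
    m = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", acl)
    return {
        "local": value(iface, "ip address").split()[0],
        "remote": value(peer, "remote-address"),
        "psk": value(peer, "pre-shared-key cipher"),
        "ike": sorted(s["ike proposal " + value(peer, "ike-proposal")]
                      + [l for l in peer if "version" in l]),
        "esp": sorted(s["ipsec proposal " + value(policy, "proposal")]),
        # ip_network() reads the ACL wildcard as a host mask (contiguous masks only).
        "src": ipaddress.ip_network(m.group(1) + "/" + m.group(2)),
        "dst": ipaddress.ip_network(m.group(3) + "/" + m.group(4)),
    }


def check_pair(branch_cfg, hq_cfg, ap_subnet, ac_address):
    """Return a list of findings; an empty list means the two ends agree."""
    a, b = tunnel_end(branch_cfg), tunnel_end(hq_cfg)
    findings = []
    if (a["remote"], b["remote"]) != (b["local"], a["local"]):
        findings.append("remote-address is not the peer's IPSec interface address")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["ike"] != b["ike"]:
        findings.append("IKE proposal or version settings differ")
    if a["esp"] != b["esp"]:
        findings.append("IPSec proposal settings differ")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("ACL rules are not mirror images")
    if not (ipaddress.ip_network(ap_subnet).subnet_of(a["src"])
            and ipaddress.ip_address(ac_address) in a["dst"]):
        findings.append("AP-to-AC management flow is outside the protected ACL")
    return findings
```

Run it on the command scripts before they are applied; in a saved configuration the pre-shared key appears as ciphertext, so the key comparison belongs at the script stage.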

Step 5 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 200 is configured.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif200.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 6 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.

2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 7 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 8 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 9 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.11 Example for Configuring Hand-in-Hand WDS Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding

Figure 5-25 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 5-25 AP data planning

AP | Type | MAC Address
AP_1 | AP8130DN | 60de-4474-9640
AP_2 | AP8130DN | dcd2-fc04-b500
AP_3 | AP8130DN | dcd2-fc96-e4c0

Table 5-26 AC data planning

Item | Data
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. Switch_A functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface address | VLANIF 100
WDS mode | • Radio 1 on AP_1: root
 | • Radio 1 on AP_2: leaf
 | • Radio 0 on AP_2: root
 | • Radio 1 on AP_3: leaf
Regulatory domain profile | • Name: default
 | • Country code: CN
SSID profile | • Name: wlan-net
 | • SSID name: wlan-net
Wireless service security profile | • Name: wlan-net
 | • Security policy: WPA-WPA2+PSK+AES
 | • Password: a1234567
VAP profile | • Name: wlan-net
 | • Forwarding mode: direct forwarding
 | • Service VLAN: VLAN 101
 | • Referenced profiles: SSID profile wlan-net and security profile wlan-net
WDS link security profile | • Name: wds-security
 | • Security policy: WPA2+PSK+AES
 | • Password type: PASS-PHRASE
 | • Password: a1234567
WDS whitelist profile | • Name: wds-list1
 | • AP MAC address: MAC address of AP_2 (leaf)
 |
 | • Name: wds-list2
 | • AP MAC address: MAC address of AP_3 (leaf)
WDS profile | • Name: wds-root
 | • WDS name: wlan-wds
 | • WDS working mode: root
 | • Tagged VLAN: VLAN 101
 | • Referenced profile: security profile wds-security
 |
 | • Name: wds-leaf
 | • WDS name: wlan-wds
 | • WDS working mode: leaf
 | • Tagged VLAN: VLAN 101
 | • Referenced profile: security profile wds-security
AP group | • Name: ap-group1
 | • Root APs, such as AP_1, are added to the group.
 | • Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and regulatory domain profile default
 |
 | • Name: ap-group2
 | • Root and leaf APs, such as AP_2, are added to the group.
 | • Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default
 |
 | • Name: ap-group3
 | • Leaf APs, such as AP_3, are added to the group.
 | • Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.


2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
  antenna calibration tool for calibration.
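
The port isolation and default VLAN notes above can be checked against saved switch configuration text. The following Python script is an added example, not part of the Huawei guide: the sample text is constructed in the style of the Switch_B commands in this example, and the function names and the extra GigabitEthernet0/0/3 port are assumptions made for illustration.

```python
import re

# Constructed sample in the style of saved VRP configuration text. GE0/0/1
# mirrors the Switch_B settings in this guide; GE0/0/3 is a made-up AP-facing
# port left without isolation and with a wide VLAN range.
SAMPLE_CONFIG = """\
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 2 to 4094
#
return
"""


def parse_interfaces(config_text):
    """Split configuration text into {interface name: [stripped sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:  # "#", "return" or any other top-level line closes the block
            current = None
    return interfaces


def allowed_vlans(lines):
    """Expand 'port trunk allow-pass vlan ...' commands into a set of VLAN IDs."""
    vlans = set()
    for line in lines:
        match = re.fullmatch(r"port trunk allow-pass vlan (.+)", line)
        if not match:
            continue
        tokens = match.group(1).split()
        if tokens == ["all"]:
            return set(range(1, 4095))
        i = 0
        while i < len(tokens):
            start = int(tokens[i])
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(start, int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(start)
                i += 1
    return vlans


def audit_ap_ports(config_text, ap_ports, mgmt_vlan, expected_vlans):
    """Return (port, finding) tuples for AP-facing ports that miss the notes."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for port in ap_ports:
        lines = interfaces.get(port)
        if lines is None:
            findings.append((port, "interface not found"))
            continue
        if not any(l.startswith("port-isolate enable") for l in lines):
            findings.append((port, "port isolation not enabled"))
        if f"port trunk pvid vlan {mgmt_vlan}" not in lines:
            findings.append((port, f"default VLAN is not management VLAN {mgmt_vlan}"))
        allowed = allowed_vlans(lines)
        missing = set(expected_vlans) - allowed
        extra = allowed - set(expected_vlans)
        if missing:
            findings.append((port, f"required VLANs not allowed: {sorted(missing)}"))
        if extra:
            findings.append((port, f"{len(extra)} VLANs allowed beyond the plan"))
    return findings


if __name__ == "__main__":
    # Which ports face APs is an input the operator supplies (assumed here).
    ap_facing = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3"]
    for port, finding in audit_ap_ports(SAMPLE_CONFIG, ap_facing, 100, {100, 101}):
        print(f"{port}: {finding}")
```

Only the interfaces named as AP-facing are audited, so the uplink GE0/0/2, which carries no port isolation in this example, is not reported.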

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.


# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.

# Click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure wireless services.


1. Click Create. The Basic Information page is displayed.


2. Set the SSID name, forwarding mode, and service VLAN ID.

3. Click Next. The Security Authentication page is displayed.


4. Configure the key authentication mode, AES algorithm, and key.

5. Click Next. The Access Control page is displayed.


6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure AP_1.
1. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Select Display all profiles. Choose WDS >
WDS Profile. The WDS Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-root, set Radio to 1, and click OK.
# Choose WDS > WDS Profile > wds-root. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.


NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-security and configure the security policy.

# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.

# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.

# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create WDS whitelist profile wds-list1 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.


4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID 1. The AP customized settings page is displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Disable automatic channel and power calibration. Set the channel parameters to 40+ MHz
and 157. Set the bridge distance to 4.

# Click Apply. In the dialog box that is displayed, click OK.


# Configure radio 0 in the same way. Disable automatic channel and power calibration
and set the channel parameters to 20 MHz and 6.
Step 7 Configure AP_3.
1. Create WDS profile wds-leaf and configure the WDS working mode and tagged VLAN.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.
# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration. Set parameters for Radio0. Set Channel to 20
MHz and 11.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
Step 8 Configure AP_2.
1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click Add to configure the WDS whitelist.

# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID 2. The AP customized settings page is displayed.
# Choose Radio Management > Radio1. The Radio 0 Settings(2.4G) page is
displayed.
# Set Radio0 to switch to the 5 GHz frequency band. Disable automatic channel and
power calibration. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the
bridge distance to 4.


# Click Apply. In the dialog box that is displayed, click OK.


# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the coverage distance
to 4. The configuration is the same as that for Radio0, and is not mentioned here.
Step 9 Verify the configuration.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If so, the
APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End
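
Before the profiles are delivered, the hand-in-hand plan can be checked for the properties the WDS links depend on: matching WDS name and channel on both ends of each link, a root whitelist that admits only the planned leaf, and the link security settings. The following Python script is an added example, not part of the Huawei guide; the plan values are transcribed from Tables 5-25 and 5-26 and Steps 6 to 8, while the data layout and function names are assumptions made for illustration.

```python
import re

GUIDE_SAMPLE_PSK = "a1234567"  # passphrase printed in the data planning table


def norm_mac(mac):
    """Reduce xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Plan transcribed from Tables 5-25 and 5-26 and Steps 6 to 8. The dictionary
# layout and key names are hypothetical, chosen only for this example.
AP_MACS = {"AP_1": "60de-4474-9640", "AP_2": "dcd2-fc04-b500", "AP_3": "dcd2-fc96-e4c0"}
RADIOS = {
    ("AP_1", 1): {"mode": "root", "wds_name": "wlan-wds", "channel": 157,
                  "whitelist": ["dcd2-fc04-b500"]},  # wds-list1
    ("AP_2", 1): {"mode": "leaf", "wds_name": "wlan-wds", "channel": 157},
    ("AP_2", 0): {"mode": "root", "wds_name": "wlan-wds", "channel": 149,
                  "whitelist": ["dcd2-fc96-e4c0"]},  # wds-list2
    ("AP_3", 1): {"mode": "leaf", "wds_name": "wlan-wds", "channel": 149},
}
LINKS = [(("AP_1", 1), ("AP_2", 1)), (("AP_2", 0), ("AP_3", 1))]  # (root, leaf)
SECURITY = {"policy": "WPA2+PSK+AES", "passphrase": "a1234567"}


def check_wds_plan(ap_macs, radios, links, security):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for root_key, leaf_key in links:
        root, leaf = radios[root_key], radios[leaf_key]
        link = f"{root_key[0]} radio {root_key[1]} -> {leaf_key[0]} radio {leaf_key[1]}"
        if (root["mode"], leaf["mode"]) != ("root", "leaf"):
            findings.append(f"{link}: WDS modes must be root and leaf")
        if root["wds_name"] != leaf["wds_name"]:
            findings.append(f"{link}: WDS names differ")
        if root["channel"] != leaf["channel"]:
            findings.append(
                f"{link}: channels differ ({root['channel']} vs {leaf['channel']})")
        # Compare MACs in normalized form so notation differences do not matter.
        allowed = {norm_mac(m) for m in root.get("whitelist", [])}
        leaf_mac = norm_mac(ap_macs[leaf_key[0]])
        if leaf_mac not in allowed:
            findings.append(f"{link}: leaf MAC not in root whitelist")
        elif allowed != {leaf_mac}:
            findings.append(
                f"{link}: root whitelist admits {len(allowed) - 1} extra MAC(s)")
    if security["policy"] != "WPA2+PSK+AES":
        findings.append("security: policy is not WPA2+PSK+AES")
    passphrase = security["passphrase"]
    if not 8 <= len(passphrase) <= 63:
        findings.append("security: WPA2 passphrase must be 8 to 63 characters")
    if passphrase == GUIDE_SAMPLE_PSK:
        findings.append("security: passphrase is the sample value printed in the guide")
    return findings


if __name__ == "__main__":
    for finding in check_wds_plan(AP_MACS, RADIOS, LINKS, SECURITY):
        print(finding)
```

Run against the plan exactly as printed, the only finding is the passphrase, which is the documented sample and should be replaced with a site-specific value before deployment.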

5.5.12 Example for Configuring Back-to-Back WDS

Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to PCs.
• Wireless backhaul mode: WDS back-to-back
• Backhaul radio: 5 GHz radio

Figure 5-26 Networking for configuring back-to-back WDS

Data Planning

Table 5-27 AP data planning

AP Name  Type        MAC Address
AP_1     AP8130DN    dcd2-fcf6-76a0
AP_2     AP8130DN    60de-4474-9640
AP_3     AP8130DN    dcd2-fc04-b500
AP_4     AP8130DN    60de-4476-e360

Table 5-28 AC data planning


Item                                      Data

Management VLAN for APs                   VLAN 100

Service VLAN for PCs                      VLAN 101

DHCP server                               The AC functions as a DHCP server to assign IP addresses to
                                          APs, and Switch_A functions as a DHCP server to assign IP
                                          addresses to PCs.

IP address pool for APs                   10.23.100.2-10.23.100.254/24

IP address pool for PCs                   10.23.101.3-10.23.101.254/24

IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24

WDS profile                               • wds-net1 (WDS profile used by AP_1): WDS mode root,
                                            referenced WDS whitelist wds-list1, permitting access only
                                            from AP_2
                                          • wds-net2 (WDS profile used by AP_3): WDS mode root,
                                            referenced WDS whitelist wds-list2, permitting access only
                                            from AP_4
                                          • wds-net3 (WDS profile used by AP_2 and AP_4):
                                            referencing no WDS whitelist

WDS role                                  • AP_1: root
                                          • AP_2: leaf
                                          • AP_3: root
                                          • AP_4: leaf

WDS name                                  wds-net

WDS whitelist                             • wds-list1: contains MAC address of AP_2 and is bound to AP_1
                                          • wds-list2: contains MAC address of AP_4 and is bound to AP_3

Radio used by WDS                         Radio 1 (AP_1 and AP_2):
                                          • Bandwidth: 40 MHz-plus
                                          • Channel: 157
                                          • WDS/Mesh bridge distance: 4 (unit: 100 m)
                                          Radio 1 (AP_3 and AP_4):
                                          • Bandwidth: 40 MHz-plus
                                          • Channel: 149
                                          • WDS/Mesh bridge distance: 4 (unit: 100 m)

Security profile                          • Name: wds-sec
                                          • Security policy: WPA2+PSK+AES
                                          • Password type: PASS-PHRASE
                                          • Password: a1234567

AP group                                  • wds-root1: AP_1
                                          • wds-root2: AP_3
                                          • wds-leaf1: AP_2
                                          • wds-leaf2: AP_4. Because the wired interface of AP_4 is
                                            connected to a PC, a wired port profile needs to be
                                            configured for AP_4. Therefore, AP_2 and AP_4 are added to
                                            two separate AP groups.

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP server to assign IP addresses to PCs.


# Configure Switch_A as a DHCP server to assign IP addresses to PCs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.

# Click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Finish.


Step 5 Configure the root node AP_1.


1. Configure the WDS profile wds-net1 for the root node AP_1.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click wds-root1. Select Display all profiles. Choose WDS > WDS
Profile. The WDS Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-net1 and click OK.
# Choose WDS > WDS Profile > wds-net1. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.

NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-sec and configure the security policy.
# Choose WDS > WDS Profile > wds-net1 > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-sec and click OK. The security profile configuration page is displayed.
# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure the WDS whitelist profile wds-list1 for AP_1 to permit access only from
AP_2 over the WDS link.


# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1 and click OK. The WDS Whitelist Profile List page is
displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.

# Click OK.
4. Configure WDS service parameters.

# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.

# Disable automatic channel and power calibration. Set the channel parameters to 40+
MHz and 157. Set the bridge distance to 4.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the root node AP_3.


1. Configure the WDS profile wds-net2 in the AP group wds-root2. The configuration is
similar to that for the WDS profile wds-net1 in the AP group wds-root1.
If the WDS profile wds-net2 is the same as the WDS profile wds-net1, you do not need
to create the WDS profile wds-net2. AP_3 and AP_1 can share the WDS profile wds-
net1.
2. Bind the security profile wds-sec to the AP group wds-root2.

# Enter the Security Profile page under the AP group wds-root2. The configuration is
similar to that under the AP group wds-root1.


# Set Security Profile to wds-sec and click Apply. In the dialog box that is displayed,
click OK.
3. Configure the WDS whitelist profile wds-list2 for AP_3 to permit access only from
AP_4 over the WDS link.
# Add the MAC address of AP_4 60de-4476-e360 to wds-list2. The configuration is
similar to that for the WDS whitelist profile wds-list1 under the AP group wds-root1.
4. Configure WDS service parameters.

# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 149. Set
the bridge distance to 4.

Step 7 Configure the leaf node AP_2.


1. Configure the WDS profile wds-net3 in the AP group wds-leaf1. The configuration is
similar to that for the WDS profile wds-net1 in the AP group wds-root1.
In the WDS profile wds-net3, set WDS working mode to Leaf.
2. Bind the security profile wds-sec to the AP group wds-leaf1. The configuration is
similar to that for binding the security profile to the AP group wds-root2.
3. Configure WDS service parameters.

# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 157. Set
the bridge distance to 4.

Step 8 Configure the leaf node AP_4.


1. Configure the WDS profile wds-net3 in the AP group wds-leaf2.

# Enter the WDS Profile List page under the AP group wds-leaf2. The configuration is
similar to that under the AP group wds-root1.

# Click Add. On the page that is displayed, set WDS profile name to wds-net3 and
click OK. In the dialog box that is displayed, click OK.
2. Bind the security profile wds-sec to the AP group wds-leaf2. The configuration is
similar to that for binding the security profile to the AP group wds-root2.
3. Configure WDS service parameters.

# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 149. Set
the bridge distance to 4.
4. Configure the AP's wired port profile.

# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.

# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.

# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in untagged mode, and set the Port PVID to
101. This example assumes that the downlink network of AP_4's wired port GE0
transmits service traffic of VLAN 101.


# Click OK.
Step 9 Verify the configuration.
1. Choose Configuration > AP Config > AP Config. The AP list page is displayed. If
the AP status is normal, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.


3. Verify that the AP goes online and restart AP_4 to make the working mode of the AP
wired port effective. After AP_4 goes online again, verify that wired users connected to
AP_4 can access the network.

----End

5.5.13 Example for Configuring Common Mesh Services

Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 5-27 Networking for configuring mesh services

Data Planning

Table 5-29 AP data planning

AP Type MAC Address

area_1 AP8130DN 60de-4476-e360

area_2 AP8130DN dcd2-fc04-b500

area_3 AP8130DN 60de-4474-9640


Table 5-30 AC data planning


Item Data

Management VLAN for APs VLAN 100

DHCP server The AC functions as a DHCP server to assign IP addresses to APs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

Mesh profile name Name: mesh-net

Mesh role
• area_1: Mesh-portal (MPP)
• area_2: Mesh-node (MP)
• area_3: Mesh-node (MP)

Mesh ID Name: mesh-net

Radio used by Mesh services Radio 1:
• Bandwidth: 40 MHz-plus
• Channel: 157
• WDS/Mesh bridge distance: 4 (unit: 100 m)

Security profile
• Security policy: WPA2+PSK+AES
• Password type: PASS-PHRASE
• Password: a1234567

AP group
• ap-group1: area_1
• ap-group2: area_2 and area_3

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-31 lists types of chips used by
AP models.

Table 5-31 Radio chips used by APs

AP Model Radio 0 Radio 1 Radio 2

R450D Mesh not supported Mesh not supported N/A

R250D-E Mesh not supported Mesh not supported N/A

R250D Mesh not supported Mesh not supported N/A

R251D-E Mesh not supported Mesh not supported N/A

R251D Mesh not supported Mesh not supported N/A

R240D Mesh not supported Mesh not supported N/A

R230D Mesh not supported Mesh not supported N/A

AP9330DN Mesh not supported Mesh not supported N/A

AP9132DN 802.11n 802.11ac N/A

AP9131DN 802.11n 802.11ac N/A

AP9130DN 802.11ac 802.11ac N/A

AP8150DN 802.11ac 802.11ac N/A

AP8130DN-W 802.11ac 802.11ac N/A

AP8130DN 802.11ac 802.11ac N/A

AP8050DN-S 802.11ac 802.11ac N/A

AP8050DN 802.11ac 802.11ac N/A

AP8050TN-HD 802.11ac 802.11ac Mesh not supported

AP8082DN 802.11ac 802.11ac NA

AP8182DN 802.11ac 802.11ac NA

AP8030DN 802.11ac 802.11ac N/A

AP7110SN-GN 802.11n N/A N/A

AP7110DN-AGN 802.11n 802.11n N/A

AP7050DN-E 802.11ac 802.11ac N/A

AP7050DE 802.11ac 802.11ac N/A

AP7052DE 802.11ac 802.11ac NA

AP7052DN 802.11ac 802.11ac NA

AP7152DN 802.11ac 802.11ac NA

AP7030DE Mesh not supported Mesh not supported N/A

AP6610DN-AGN 802.11n 802.11n N/A

AP6510DN-AGN 802.11n 802.11n N/A

AP6310SN-GN Mesh not supported N/A N/A

AP6150DN 802.11ac 802.11ac N/A

AP6050DN 802.11ac 802.11ac N/A

AP6052DN 802.11ac 802.11ac N/A

AP6010SN-GN 802.11n N/A N/A

AP6010DN-AGN 802.11n 802.11n N/A

AP5130DN 802.11n 802.11ac N/A

AP5030DN 802.11n 802.11ac N/A

AP5010SN-GN 802.11n N/A N/A

AP5010DN-AGN 802.11n 802.11n N/A

AP4151DN 802.11ac 802.11ac N/A

AP4130DN 802.11n 802.11ac N/A

AP4051DN 802.11ac 802.11ac N/A

AP4050DN-HD 802.11ac 802.11ac N/A

AP4050DN-E 802.11ac 802.11ac N/A

AP4050DN-S 802.11ac 802.11ac N/A

AP4050DN 802.11ac 802.11ac N/A

AP4051TN 802.11n 802.11ac Mesh not supported

AP4030TN 802.11n 802.11ac Mesh not supported

AP4030DN 802.11n 802.11ac N/A

AP2050DN-E Mesh not supported Mesh not supported N/A

AP2050DN Mesh not supported Mesh not supported N/A

AP2051DN-E Mesh not supported Mesh not supported N/A

AP2051DN Mesh not supported Mesh not supported N/A

AP2030DN Mesh not supported Mesh not supported N/A

AP2010DN Mesh not supported Mesh not supported N/A

AP1050DN-S 802.11ac 802.11ac N/A

AD9430DN-24 Mesh not supported Mesh not supported N/A

AD9431DN-24X Mesh not supported Mesh not supported N/A

AD9430DN-12 Mesh not supported Mesh not supported N/A

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure MPPs.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group1 for the MPP.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group1 and click OK.
3. Configure Mesh parameters for the MPP.
# In AP Group List, select the AP group ap-group1.
# Click the Service Settings tab and configure Mesh parameters.

– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.

# Click Apply. In the dialog box that is displayed, click OK.


4. Add MPPs.

# In AP Group List, select the AP group ap-group1.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually add and manually add MPPs.

# Click OK.

Step 4 Configure the MP.


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group2 for the MP.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Enter the AP group name ap-group2 and click OK.


3. Configure Mesh parameters for the MP.

# In AP Group List, select the AP group ap-group2.


# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.

# Click Apply. In the dialog box that is displayed, click OK.


4. Add MPs.
# In AP Group List, select the AP group ap-group2.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add MPs.

# Click OK.
Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-group1
and ap-group2 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh link
information. After the Mesh links are successfully established, you can view detailed
information about the Mesh links on the page.


----End
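The port settings from the Configuration Notes and Step 1 (port isolation and management VLAN 100 as the default VLAN on AP-facing interfaces, trunks that pass only VLAN 100) can be checked against a saved CLI session. The Python below is an added example, not part of the Huawei document; the `ap_ports` argument, the finding names and the GE0/0/3 block in the sample session are assumptions made here.

```python
import re

# Constructed input: the Switch_B session from Step 1 of this example, followed
# by a GE0/0/3 block invented here to show a port that fails the checks.
TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 110
[Switch_B-GigabitEthernet0/0/3] quit
"""

# A session line is "<view> command" or "[view] command".
PROMPT = re.compile(r"^(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")


def parse_vlans(tokens):
    """Expand a VLAN list such as ['100'], ['100', 'to', '110'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        low = high = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high = int(tokens[i + 2])
            i += 2
        i += 1
        vlans.update(range(low, high + 1))
    return vlans


def parse_interfaces(transcript):
    """Return {interface name: settings} from a pasted CLI session."""
    interfaces, current = {}, None
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        words = match.group(1).split()
        if len(words) == 3 and words[0] == "interface":
            # "gigabitEthernet" + "0/0/1" -> "GigabitEthernet0/0/1"
            name = words[1][0].upper() + words[1][1:] + words[2]
            current = interfaces.setdefault(
                name, {"pvid": None, "allowed": set(), "isolated": False})
        elif words == ["quit"]:
            current = None
        elif current is None:
            continue
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            current["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allowed"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            current["isolated"] = True
    return interfaces


def audit(transcript, ap_ports, mgmt_vlan=100, planned_vlans=frozenset({100})):
    """Return (interface, finding) pairs. Only commands present in the session
    are seen; device defaults that were never typed are not."""
    interfaces = parse_interfaces(transcript)
    findings = []
    for name in sorted(interfaces):
        cfg = interfaces[name]
        if cfg["allowed"] - planned_vlans:
            findings.append((name, "unplanned-vlans"))
        if name in ap_ports:
            if not cfg["isolated"]:
                findings.append((name, "no-port-isolate"))
            if cfg["pvid"] != mgmt_vlan:
                findings.append((name, "pvid-not-mgmt-vlan"))
    for name in sorted(set(ap_ports) - set(interfaces)):
        findings.append((name, "not-configured"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(
            TRANSCRIPT, {"GigabitEthernet0/0/1", "GigabitEthernet0/0/3"}):
        print(f"{name}: {finding}")
```

GE0/0/1 and GE0/0/2, configured as in the document, produce no findings; the constructed GE0/0/3 is reported for every check.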

5.5.14 Example for Configuring Dual-MPP Mesh Services


Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 5-28 Networking for configuring dual-MPP Mesh services


Data Planning

Table 5-32 AP data planning


AP Name Type MAC Address

AP_1 AP8130DN 60de-4474-9640

AP_2 AP8130DN dcd2-fc04-b500

AP_3 AP8130DN dcd2-fc96-e4c0

AP_4 AP8130DN 1047-80ac-cc60

Table 5-33 AC data planning


Item Data

Management VLAN for APs VLAN 100

DHCP server The AC functions as a DHCP server to assign IP addresses to APs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

Mesh profile
• Name: mesh-net

Mesh role
• AP_1: Mesh-portal (MPP)
• AP_2: Mesh-portal (MPP)
• AP_3: Mesh-node (MP)
• AP_4: Mesh-node (MP)

Mesh ID Name: mesh-net

Regulatory domain profile
• Name: default
• Country code: CN

Radio used by Mesh services Radio 1:
• Bandwidth: 40 MHz-plus
• Channel: 157
• WDS/Mesh bridge distance: 4 (unit: 100 m)

Security profile
• Security policy: WPA2+PSK+AES
• Password type: PASS-PHRASE
• Password: a1234567

AP group
• mesh-mpp: AP_1 and AP_2
• mesh-mp: AP_3 and AP_4

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-34 lists types of chips used by
AP models.

Table 5-34 Radio chips used by APs

AP Model Radio 0 Radio 1 Radio 2

R450D Mesh not supported Mesh not supported N/A

R250D-E Mesh not supported Mesh not supported N/A

R250D Mesh not supported Mesh not supported N/A

R251D-E Mesh not supported Mesh not supported N/A

R251D Mesh not supported Mesh not supported N/A

R240D Mesh not supported Mesh not supported N/A


R230D Mesh not supported Mesh not supported N/A

AP9330DN Mesh not supported Mesh not supported N/A

AP9132DN 802.11n 802.11ac N/A

AP9131DN 802.11n 802.11ac N/A

AP9130DN 802.11ac 802.11ac N/A

AP8150DN 802.11ac 802.11ac N/A

AP8130DN-W 802.11ac 802.11ac N/A

AP8130DN 802.11ac 802.11ac N/A

AP8050DN-S 802.11ac 802.11ac N/A

AP8050DN 802.11ac 802.11ac N/A

AP8050TN-HD 802.11ac 802.11ac Mesh not supported

AP8082DN 802.11ac 802.11ac NA

AP8182DN 802.11ac 802.11ac NA

AP8030DN 802.11ac 802.11ac N/A

AP7110SN-GN 802.11n N/A N/A

AP7110DN-AGN 802.11n 802.11n N/A

AP7050DN-E 802.11ac 802.11ac N/A

AP7050DE 802.11ac 802.11ac N/A

AP7052DE 802.11ac 802.11ac NA

AP7052DN 802.11ac 802.11ac NA

AP7152DN 802.11ac 802.11ac NA

AP7030DE Mesh not supported Mesh not supported N/A

AP6610DN-AGN 802.11n 802.11n N/A

AP6510DN-AGN 802.11n 802.11n N/A

AP6310SN-GN Mesh not supported N/A N/A

AP6150DN 802.11ac 802.11ac N/A

AP6050DN 802.11ac 802.11ac N/A

AP6052DN 802.11ac 802.11ac N/A

AP6010SN-GN 802.11n N/A N/A


AP6010DN-AGN 802.11n 802.11n N/A

AP5130DN 802.11n 802.11ac N/A

AP5030DN 802.11n 802.11ac N/A

AP5010SN-GN 802.11n N/A N/A

AP5010DN-AGN 802.11n 802.11n N/A

AP4151DN 802.11ac 802.11ac N/A

AP4130DN 802.11n 802.11ac N/A

AP4051DN 802.11ac 802.11ac N/A

AP4050DN-HD 802.11ac 802.11ac N/A

AP4050DN-E 802.11ac 802.11ac N/A

AP4050DN-S 802.11ac 802.11ac N/A

AP4050DN 802.11ac 802.11ac N/A

AP4051TN 802.11n 802.11ac Mesh not supported

AP4030TN 802.11n 802.11ac Mesh not supported

AP4030DN 802.11n 802.11ac N/A

AP2050DN-E Mesh not supported Mesh not supported N/A

AP2050DN Mesh not supported Mesh not supported N/A

AP2051DN-E Mesh not supported Mesh not supported N/A

AP2051DN Mesh not supported Mesh not supported N/A

AP2030DN Mesh not supported Mesh not supported N/A

AP2010DN Mesh not supported Mesh not supported N/A

AP1050DN-S 802.11ac 802.11ac N/A

AD9430DN-24 Mesh not supported Mesh not supported N/A

AD9431DN-24X Mesh not supported Mesh not supported N/A

AD9430DN-12 Mesh not supported Mesh not supported N/A

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure MPPs.


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to mesh-mpp and click OK.


3. Configure Mesh parameters for the MPPs.

# In AP Group List, select the AP group mesh-mpp.

# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.


– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.

# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPPs.
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add MPPs.
# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-b500 are
added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The APs are added as
MPPs.


Step 4 Configure MPs.


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mp for the MPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to mesh-mp and click OK.


3. Configure Mesh parameters for the MPs.

# In AP Group List, select the AP group mesh-mp.

# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.


# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPs.

# In AP Group List, select the AP group mesh-mp.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually add and manually add MPs.

# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-cc60 are
added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The APs are added as
MPs.


Step 5 Verify the configuration.


1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select mesh-mpp
and mesh-mp to check whether the status of APs in the AP list is normal. If the AP
status is normal, the APs have gone online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information and check information
about Mesh links. After the WDS links are successfully established, you can view details
about the WDS links on the following page.

----End
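The Mesh whitelist and the pass-phrase entered in Steps 3 and 4 can be checked against Table 5-32 before they are applied; the same check fits the whitelist in 5.5.13. The Python below is an added example, not part of the Huawei document: the function names, the length, character-class and run thresholds, and the second, deliberately broken whitelist are assumptions constructed here.

```python
import re

# From Table 5-32 and the whitelist and key used in Steps 3 and 4.
INVENTORY = {"AP_1": "60de-4474-9640", "AP_2": "dcd2-fc04-b500",
             "AP_3": "dcd2-fc96-e4c0", "AP_4": "1047-80ac-cc60"}
PAGE_WHITELIST = ["60de-4474-9640", "dcd2-fc04-b500",
                  "dcd2-fc96-e4c0", "1047-80ac-cc60"]
PAGE_KEY = "a1234567"

# Constructed input: mixed notations, one mistyped digit, one duplicate and
# one truncated entry, to show what the check reports.
BROKEN_WHITELIST = ["60DE-4474-9640", "dc:d2:fc:04:b5:00", "dcd2-fc96-e4c1",
                    "1047-80ac-cc60", "1047-80ac-cc60", "1047-80ac"]


def normalize_mac(text):
    """Return a MAC in the xxxx-xxxx-xxxx form used on this page."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def whitelist_findings(inventory, whitelist):
    """Compare a Mesh whitelist with the planned AP inventory."""
    planned = {normalize_mac(mac): name for name, mac in inventory.items()}
    findings, seen = [], set()
    for raw in whitelist:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            findings.append(("malformed", raw))
            continue
        if mac in seen:
            findings.append(("duplicate", mac))
            continue
        seen.add(mac)
        if int(mac[:2], 16) & 1:          # group bit set: not a device address
            findings.append(("multicast", mac))
        elif mac not in planned:
            findings.append(("not-in-inventory", mac))
    for mac, name in planned.items():
        if mac not in seen:
            findings.append(("missing", name))
    return findings


def longest_run(text):
    """Length of the longest ascending run such as '1234' or 'abcd'."""
    best = run = 1 if text else 0
    for a, b in zip(text, text[1:]):
        run = run + 1 if ord(b) - ord(a) == 1 else 1
        best = max(best, run)
    return best


def key_findings(key, min_len=16, min_classes=3, max_run=3):
    """Check a pass-phrase; the three thresholds are assumed local policy."""
    # A WPA2 pass-phrase is 8 to 63 printable ASCII characters.
    if not 8 <= len(key) <= 63 or any(not 32 <= ord(c) <= 126 for c in key):
        return ["invalid-passphrase"]
    classes = sum(bool(re.search(p, key))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    findings = []
    if len(key) < min_len:
        findings.append("short")
    if classes < min_classes:
        findings.append("few-character-classes")
    if longest_run(key) > max_run:
        findings.append("sequential-run")
    return findings


if __name__ == "__main__":
    print("page whitelist:  ", whitelist_findings(INVENTORY, PAGE_WHITELIST))
    print("broken whitelist:", whitelist_findings(INVENTORY, BROKEN_WHITELIST))
    print("page key:        ", key_findings(PAGE_KEY))
```

The whitelist from the document matches Table 5-32 exactly, while the example key a1234567 is flagged on all three policy checks and should be replaced with a site-specific pass-phrase in a real deployment.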

5.6 AP's Wired Interface Configuration Examples


5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.

Networking Requirements
- AC networking mode: Layer 2 inline mode
- Service data forwarding mode: tunnel forwarding

Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces


Data Planning

Table 5-35 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| AP wired port profile | Name: wired-port1; Eth-Trunk: Eth-Trunk0 |
| AP group | Name: ap-group1; Referenced profile: AP wired port profile wired-port1 |

Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.

Configuration Notes
- This example is applicable to an AP with two or more wired uplink interfaces.
- This example assumes that the AP has gone online and describes how to configure an
  Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
  configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
  go offline.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check AP information.


| Check Item | Operation on the Web Platform | Data |
|---|---|---|
| Check the AP's group. | Choose Monitoring > AP > AP Statistics Collection. Check the AP's group in AP List. | AP group name: ap-group1; AP name: AP1 |

Step 2 Configure an Eth-Trunk on the switch.

# Create Eth-Trunk1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk1.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] description Connect to AP1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk pvid vlan 100
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk1] port-isolate enable
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] eth-trunk 1
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure an Eth-Trunk for the AP on the AC.


1. Create Eth-Trunk0.

# Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk page
is displayed.

# In Eth-Trunk Interface List, click Create. The Create Eth-Trunk page is displayed.

# Create Eth-Trunk0 and configure the interface description.

# Click OK.
2. Create VLAN 100 and add Eth-Trunk0 to it.

# Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.

# Click Create. The Create VLAN page is displayed.

# Create VLAN 100. In Available Interface List, select Eth-Trunk0 and click . On the Modify
Link Type page, set Link type to Trunk and click OK.


# Click OK.
3. Create wired port profile wired-port1, and add GE0 and GE1 on the AP to Eth-Trunk0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, select AP group ap-group1. Choose AP > AP Wired Port
Settings. The AP Wired Port Configuration List page is displayed.
# Select GE0. The GE0 configuration page is displayed.
# Click Create and create AP wired port profile wired-port1. Click OK to return to the
GE0 configuration page.
# Set Enable Eth-Trunk to ON.

# Click OK. In the dialog box that is displayed, click OK.

# Bind AP wired port profile wired-port1 to GE1 in the same way, and set Enable Eth-Trunk
to ON for GE1.
Step 4 Restart the AP.
NOTE

The configuration on the AP's wired interfaces takes effect only after the AP is restarted.

# Choose Maintenance > AP Maintenance > AP Restart.


# Select AP1 and click Restart. In the dialog box that is displayed, click OK to restart the AP.
Step 5 Connect the switch and AP physically.

----End

5.7 Authentication Configuration Examples


5.7.1 Example for Configuring External Portal Authentication
Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
- Service data forwarding mode: tunnel forwarding
- Authentication mode: External Portal authentication
- Security policy: open


Figure 5-30 Networking for configuring external Portal authentication

Data Planning

Table 5-36 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN100 |
| Service VLAN for STAs | VLAN101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net; Name of the RADIUS accounting scheme: wlan-net; Name of the RADIUS server template: wlan-net; IP address: 10.23.102.1; Authentication port number: 1812; Shared key: Huawei123 |
| Portal server template | Name: wlan-net; IP address: 10.23.103.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Huawei123 |
| Portal access profile | Name: wlan-net; Referenced profile: Portal server template wlan-net |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8) |
| Authentication Profile | Name: wlan-net; Referenced profile: Portal access profile wlan-net, RADIUS Server profile wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and external Portal authentication on the AC using the
WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Configure third-party server interconnection parameters.
7. Complete service verification.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and deselect MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, Port number, authentication server IP address, and shared
key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.


4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
- For interconnection with the Cisco ISE, see "Example for Configuring External Portal
  Authentication (Web)" in the WLAN Product Interoperation Configuration Guide-Typical
  Configuration for Interconnection Between AC and Cisco ISE Server.
- For interconnection with the Agile Controller-Campus, see "Example for Configuring
  Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
  Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
  Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
  Server.
- For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)

Networking Requirements
An enterprise uses HTTPS for Portal authentication.

As shown in Figure 5-31, an AC in an enterprise directly connects to an AP. The enterprise
deploys the WLAN wlan-net to provide wireless network access for employees. The AC
functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24
to wireless users.

The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you
can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server
(integrated with the Portal server) to implement access control on employees who attempt to
connect to the enterprise network, meeting the enterprise's security requirements.

Figure 5-31 Networking diagram for configuring Layer 2 external Portal authentication

[Figure labels: STAs; AP area_1; AC with GE0/0/1 (VLAN100, management VLAN: VLAN 100) and
GE0/0/2 (VLAN101, service VLAN: VLAN 101); Intranet; RADIUS server/Portal server 10.23.200.1;
DNS server 10.23.200.2]

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server template.
4. Configure a Portal access profile and configure Layer 2 Portal authentication.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Data plan
| Item | Data |
|---|---|
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: radius_huawei; Name of the RADIUS accounting scheme: scheme1; Name of the RADIUS server template: radius_huawei; IP address: 10.23.200.1; Authentication port number: 1812; Accounting port number: 1813; Shared key: Huawei@123 |
| SSL policy | Name: huawei; PKI domain: default |
| Portal server template | Name: abc; IP address: 10.23.200.1; URL address: https://10.23.200.1:8445/portal; Portal shared key: Admin@123 |
| Portal access profile | Name: portal1; Bound template: Portal server template abc |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (10.23.200.2) |
| Authentication profile | Name: p1; Bound profile and authentication scheme: Portal access profile portal1, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, RADIUS accounting scheme scheme1, and authentication-free rule profile default_free_rule |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to the AP and STAs. |
| IP address pool for the AP | 10.23.100.2 to 10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2 to 10.23.101.254/24 |
| IP address of the AC's source interface | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-vap and regulatory domain profile domain1 |
| Regulatory domain profile | Name: domain1; Country code: CN |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net |
| Security profile | Name: wlan-security; Security policy: Open |
| VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1 |

Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

NOTE

In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.


# Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the server area (assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2


Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1


Step 6 Configure a RADIUS server template, and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server accounting 10.23.200.1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] quit

# Configure a RADIUS accounting scheme.


[AC] aaa
[AC-aaa] accounting-scheme scheme1
[AC-aaa-accounting-scheme1] accounting-mode radius
[AC-aaa-accounting-scheme1] accounting realtime 15
[AC-aaa-accounting-scheme1] quit
[AC-aaa] quit

NOTE

- In this example, the device is connected to the Agile Controller-Campus. The accounting function is
  not used for accounting purposes here; accounting packets are used to maintain terminal online
  information.
- The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
  interval requires higher performance of the device and RADIUS server. Set the real-time accounting
  interval based on the user quantity.

| User Quantity | Real-Time Accounting Interval |
|---|---|
| 1-99 | 3 minutes |
| 100-499 | 6 minutes |
| 500-999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |

Step 7 Configure the HTTPS protocol for Portal authentication.


NOTE

If the HTTPS protocol is used for Portal authentication, you need to configure an SSL policy.
[AC] ssl policy huawei type server
[AC-ssl-policy-huawei] pki-realm default
[AC-ssl-policy-huawei] quit
[AC] http secure-server ssl-policy huawei
[AC] portal web-authen-server https ssl-policy huawei
[AC] web-auth-server abc
[AC-web-auth-server-abc] protocol http
[AC-web-auth-server-abc] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.200.1 10.23.101.1
[AC-web-auth-server-abc] shared-key cipher Admin@123
[AC-web-auth-server-abc] url https://10.23.200.1:8445/portal
[AC-web-auth-server-abc] quit

Step 9 Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc direct
[AC-portal-access-profile-portal1] quit

Step 10 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
[AC-free-rule-default_free_rule] quit

Step 11 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authentication-profile-p1] portal-access-profile portal1
[AC-authentication-profile-p1] free-rule-template default_free_rule
[AC-authentication-profile-p1] authentication-scheme radius_huawei
[AC-authentication-profile-p1] accounting-scheme scheme1
[AC-authentication-profile-p1] radius-server radius_huawei
[AC-authentication-profile-p1] quit

Step 12 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 13 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 14 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
AC configuration file
#
sysname AC
#
http secure-server ssl-policy huawei
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
portal web-authen-server https ssl-policy huawei
#
dhcp enable
#
radius-server template radius_huawei


radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#


radius-server authentication 10.23.200.1 1812 weight 80
radius-server accounting 10.23.200.1 1813 weight 80
#
ssl policy huawei type server
pki-realm default
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
web-auth-server abc
server-ip 10.23.200.1 10.23.101.1
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url https://10.23.200.1:8445/portal
protocol http
#
portal-access-profile name portal1
web-auth-server abc direct
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0


vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
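
The authentication-free rule in the configuration file above is written as a host address (10.23.200.2) with a 24-bit mask, and the Portal URL must use HTTPS for the SSL policy to matter. The following added example (not part of the Huawei document) audits those two points in a saved AC configuration; the function names and finding format are assumptions of this example, and it assumes a free rule matches every address under its mask.

```python
import ipaddress
import re

# Constructed sample: the server-related stanzas of the AC configuration file above,
# with the cipher-text shared keys replaced by a placeholder.
SAMPLE_CONFIG = """\
#
radius-server template radius_huawei
 radius-server shared-key cipher <ciphertext-placeholder>
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
web-auth-server abc
 server-ip 10.23.200.1 10.23.101.1
 shared-key cipher <ciphertext-placeholder>
 url https://10.23.200.1:8445/portal
 protocol http
#
"""

FREE_RULE_RE = re.compile(
    r"^\s*free-rule\s+(\d+)\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)", re.M)
RADIUS_RE = re.compile(
    r"^\s*radius-server\s+(authentication|accounting)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)",
    re.M)
SERVER_IP_RE = re.compile(r"^\s*server-ip\s+(.+)$", re.M)
URL_RE = re.compile(r"^\s*url\s+(\S+)", re.M)


def parse_free_rules(config):
    """Return [(rule_id, configured_ip, exempted_network)] for each free-rule line."""
    rules = []
    for rule_id, ip, mask in FREE_RULE_RE.findall(config):
        # The mask may be a prefix length ("24") or dotted ("255.255.255.0");
        # ip_network accepts both, and strict=False tolerates host bits in the address.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        rules.append((int(rule_id), ipaddress.ip_address(ip), net))
    return rules


def parse_servers(config):
    """Return {address: roles} for the RADIUS and Portal servers named in the config."""
    servers = {}
    for role, ip, _port in RADIUS_RE.findall(config):
        servers.setdefault(ipaddress.ip_address(ip), set()).add(f"radius-{role}")
    for ip_list in SERVER_IP_RE.findall(config):
        for ip in ip_list.split():
            servers.setdefault(ipaddress.ip_address(ip), set()).add("portal-server-ip")
    return servers


def audit(config):
    """Flag free rules wider than one host and Portal URLs that are not HTTPS."""
    findings = []
    servers = parse_servers(config)
    for rule_id, ip, net in parse_free_rules(config):
        if net.prefixlen < net.max_prefixlen:
            # Other configured servers that unauthenticated STAs can also reach.
            inside = sorted(str(s) for s in servers if s in net and s != ip)
            findings.append({
                "check": "free-rule-scope",
                "rule": rule_id,
                "configured_ip": str(ip),
                "exempted": str(net),
                "addresses": net.num_addresses,
                "servers_inside": inside,
            })
    for url in URL_RE.findall(config):
        if not url.lower().startswith("https://"):
            findings.append({"check": "portal-url-not-https", "url": url})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the audit reports that rule 1 exempts all of 10.23.200.0/24 and that the RADIUS and Portal server address 10.23.200.1 lies inside the exempted range.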

5.7.3 Example for Configuring Built-in Portal Authentication for Local Users

Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: built-in Portal authentication
• Security policy: open


Figure 5-32 Networking for configuring built-in Portal authentication for local users

Data Planning

Table 5-37 AC data planning


Item | Data
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open
Local user | User name: guest; Password: guest@123
Authentication scheme | Name: wlan-net; Authentication scheme: local
Portal access profile | Name: wlan-net; The built-in Portal server is used (Server IP: 10.1.1.1, SSL policy: default_policy, Port number: 20000)
Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile | Name: wlan-net; Referenced profiles: Portal access profile wlan-net, authentication-free rule profile default_free_rule, and authentication scheme wlan-net
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and built-in Portal authentication on the AC using the WLAN
configuration wizard.


5. Configure authentication-free rules for an AP group.


6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
4. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed. Set Interface type to Loopback, Interface number to 1, and IP
address of Loopback1 to 10.1.1.1/24.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
5. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and Portal server to
Built-in Portal server. Under Built-in Portal Server Configuration, configure the server IP
address and port number.


# Click Manage next to Local user. The Local User page is displayed.

# Click Create. The Create Local User page is displayed.

# Set Creation mode to Manually add and configure the local user name and password.

# Click OK.

# On the Create Local User page, select the new user and click OK.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.


6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open


Figure 5-33 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 5-38 AC data planning


Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs | 10.23.100.2–10.23.100.254/24
IP address pool for STAs | 10.23.101.3–10.23.101.254/24
AC's source interface address | VLANIF100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open
RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net; Name of the RADIUS accounting scheme: wlan-net; Name of the RADIUS server template: wlan-net; IP address: 10.23.102.1; Authentication port number: 1812; Shared key: Huawei123
Portal server template | Name: wlan-net; IP address: 10.23.103.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Huawei123
Portal access profile | Name: wlan-net; Referenced profile: Portal server template wlan-net
MAC access profile | Name: wlan-net
Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile | Name: wlan-net; Referenced profile: Portal access profile wlan-net, MAC access profile wlan-net, RADIUS server template wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.


# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

5.7.5 Example for Configuring 802.1X Authentication


Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES

Figure 5-34 Networking diagram for configuring 802.1x authentication


Data Planning

Table 5-39 Data planning on the AC

| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| 802.1x access profile | Name: wlan-net; Authentication mode: EAP |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK.

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1x authentication, and configure parameters of the
external RADIUS server.


5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication (Web)" in the WLAN Product Interoperation Configuration Guide-
Typical Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication (Web)" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Huawei Agile
Controller-Campus Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End


5.7.6 Example for Configuring MAC Address Authentication

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication

Figure 5-35 Networking diagram for configuring MAC address authentication


Data Planning

Table 5-40 Data planning on the AC

| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| MAC access profile | Name: wlan-net |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open system authentication |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select MAC and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.
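
Why the shared key must match on both ends, as an added example (not part of the original guide and not Huawei's code): RADIUS uses the key to authenticate packets, through the Message-Authenticator attribute on EAP requests (RFC 3579) and the Response Authenticator on replies (RFC 2865), so a mismatched key shows up as silently discarded packets rather than an explicit reject. This applies to the same note in 5.7.5 and 5.7.6; the key is the sample value from the data planning tables, and the function names and the EAP identity are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(secret, ident, eap_payload):
    """AC side: Access-Request carrying EAP, signed with Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    # HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 3579).
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def attr_value_offset(packet, wanted):
    """Return the offset of the value of the first attribute of type `wanted`."""
    pos = 20
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if type_ == wanted:
            return pos + 2
        pos += length
    return None

def message_authenticator_ok(secret, request):
    """Server side: recompute the HMAC with the server's copy of the key."""
    off = attr_value_offset(request, MESSAGE_AUTHENTICATOR)
    if off is None:
        return False
    zeroed = request[:off] + bytes(16) + request[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, request[off:off + 16])

def build_access_accept(secret, request):
    """Server side: constructed minimal reply with no attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865.
    response_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + response_auth

def response_authenticator_ok(secret, response, request):
    """AC side: verify the reply against the request it answers."""
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret
    ).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def exchange(ac_secret, server_secret):
    """Run one request/reply round and report where it stops."""
    identity = b"user1"  # constructed EAP-Response/Identity payload
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    request = build_access_request(ac_secret, 7, eap)
    if not message_authenticator_ok(server_secret, request):
        return "server discards request: Message-Authenticator mismatch"
    response = build_access_accept(server_secret, request)
    if not response_authenticator_ok(ac_secret, response, request):
        return "AC discards reply: Response Authenticator mismatch"
    return "accepted"

if __name__ == "__main__":
    key = b"huawei@123"  # sample shared key from the data planning table
    print(exchange(key, key))
    print(exchange(key, b"Huawei@123"))  # constructed mismatch: one letter differs
```
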

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
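
One way to check the Step 1 access-switch session (the same session appears in 5.7.5) against the data plan and the port-isolation note, as an added example that is not Huawei's tooling: the script parses the prompt-prefixed session text and reports AP-facing ports that lack port-isolate enable, use a PVID other than the management VLAN, or carry VLANs outside the plan. The function names are assumptions, the parser assumes the sysname contains no hyphen, and DRIFTED_SESSION is a constructed variant.

```python
import re

# SwitchA session as shown in Step 1 of this example.
SWITCHA_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
"""

# Constructed variant: isolation dropped and the trunks widened to VLANs 100-104.
DRIFTED_SESSION = "\n".join(
    line.replace("allow-pass vlan 100 101", "allow-pass vlan 100 to 104")
    for line in SWITCHA_SESSION.splitlines()
    if "port-isolate" not in line
)

PROMPT = re.compile(r"^\[(?P<ctx>[^\]]+)\]\s+(?P<cmd>.+)$")

def parse_vlans(tokens):
    """Expand '100 101' or '100 to 104' into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_session(text):
    """Return {interface: settings} from commands typed in interface views."""
    ports = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or "-" not in m["ctx"]:
            continue  # user view, system view, or not a prompt line
        iface = m["ctx"].split("-", 1)[1]  # e.g. GigabitEthernet0/0/1
        cfg = ports.setdefault(
            iface, {"link_type": None, "pvid": 1, "allowed": set(), "isolated": False}
        )
        words = m["cmd"].split()
        if words[:2] == ["port", "link-type"]:
            cfg["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
            cfg["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            cfg["allowed"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            cfg["isolated"] = True
    return ports

def audit_ap_ports(session, ap_ports, mgmt_vlan=100, service_vlan=101):
    """Compare AP-facing ports with the data plan (direct forwarding)."""
    ports = parse_session(session)
    planned = {mgmt_vlan, service_vlan}
    findings = []
    for name in ap_ports:
        cfg = ports.get(name)
        if cfg is None:
            findings.append(f"{name}: no configuration found in session")
            continue
        if not cfg["isolated"]:
            findings.append(f"{name}: port-isolate enable is missing")
        if cfg["pvid"] != mgmt_vlan:
            findings.append(f"{name}: PVID {cfg['pvid']} is not management VLAN {mgmt_vlan}")
        if planned - cfg["allowed"]:
            findings.append(f"{name}: planned VLANs not allowed: {sorted(planned - cfg['allowed'])}")
        if cfg["allowed"] - planned:
            findings.append(f"{name}: carries VLANs outside the plan: {sorted(cfg['allowed'] - planned)}")
    return findings

if __name__ == "__main__":
    for label, text in (("as documented", SWITCHA_SESSION), ("drifted", DRIFTED_SESSION)):
        print(label, audit_ap_ports(text, ["GigabitEthernet0/0/1"]))
```
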

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnection.
# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.


# Click OK.

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Open (applicable to personal networks).

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure MAC address authentication.


1. Create the authentication profile wlan-net.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.

# Click Create. On the Create Authentication Profile page that is displayed, enter the
profile name wlan-net and click OK. The authentication profile configuration page is
displayed.

# Set Access mode to MAC authentication and Authentication mode to RADIUS
authentication.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure the MAC access profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click MAC Authentication.
The MAC Authentication Profile page is displayed.

# Click Create. On the Create MAC Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. On the MAC authentication profile
configuration page that is displayed, configure the user name format for MAC address
authentication.
NOTE
The user name and password used for MAC address authentication must be the same as those
configured for local authentication.


# Click Apply. In the dialog box that is displayed, click OK.


3. Configure a RADIUS server profile.

# Click the icon in front of Authentication Profile. Under it, click RADIUS Server. The
RADIUS Server page is displayed.

# Click the icon under RADIUS Server Profile. The RADIUS Server Profile page is
displayed.

# Click Create. On the Create RADIUS Server Profile page that is displayed, set
Profile name to wlan-net and Profile default shared key to huawei@123.

# Click Create Server. In the Create Server Configuration dialog box that is
displayed, configure the RADIUS server parameters.

# Click OK. On the Create RADIUS Server Profile page that is displayed, select the
created RADIUS server and click OK. On the RADIUS Server Profile page that is
displayed, select the created RADIUS server profile wlan-net and click OK.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring MAC Address
Authentication (Web)" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring MAC
Address Authentication (Web)" in the WLAN Product Interoperation Configuration
Guide-Typical Configuration for Interconnection Between AC and Aruba ClearPass
Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless MAC Address Authentication" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and
Huawei Agile Controller-Campus Server.
• For interconnection with other third-party servers, see the corresponding product manual.


Step 9 Verify the configuration.


• After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.

----End

5.7.7 Example for Configuring MAC Authentication for Local Users

Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC authentication
• Security policy: open

Figure 5-36 Networking for configuring MAC authentication for local users


Data Planning

Table 5-41 AC data planning


Item                              Data
Management VLAN for APs           VLAN 100
Service VLAN for STAs             VLAN 101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                  The default gateway address of STAs is 10.23.101.2.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
AC's source interface             VLANIF 100: 10.23.100.1/24
AP group                          • Name: ap-group1
                                  • Referenced profiles: VAP profile wlan-net and regulatory
                                    domain profile default
Regulatory domain profile         • Name: default
                                  • Country code: CN
SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net
Security profile                  • Name: wlan-net
                                  • Security policy: open
Local authentication parameters   • Name of the local authentication scheme: wlan-net
                                  • User name and password of the local user: 0011-2233-4455 and
                                    guest@123, respectively, which must be consistent with those
                                    in the MAC access profile
                                  • Access type of the local user: MAC
MAC access profile                • Name: wlan-net
                                  • User name and password for MAC address authentication: A MAC
                                    address is used as the user name and the password is
                                    guest@123, which must be consistent with those in the local
                                    authentication parameters
Authentication profile            • Name: wlan-net
                                  • Referenced profiles: MAC access profile wlan-net and
                                    authentication scheme wlan-net
VAP profile                       • Name: wlan-net
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profiles: SSID profile wlan-net, security profile
                                    wlan-net and Authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the AP to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring a
security policy, select MAC address authentication and local authentication. When
adding a local user, ensure that the user name is the same as the MAC address of the
user, and the password is the same as that configured in the MAC access profile.
Configure the planned password in the MAC access profile.
5. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.


• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and DHCP
type to Interface address pool.
NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
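
The AP template rules in Step 4 (which identifier is mandatory under each AP authentication mode) can be checked before the file is imported. The following Python script is an added example, not part of the Huawei document or its tooling; the CSV column headers, the strict MAC notation, the 20-character SN pattern and the auth_mode labels are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Notation shown on the page: 60de-4476-e360 (three groups of four hex digits).
MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")
# Assumption: SNs are 20 uppercase alphanumerics, like 210235419610CB002287.
SN_RE = re.compile(r"[0-9A-Z]{20}")
FIELDS = ("AP MAC", "AP SN", "AP Name", "AP Group")  # assumed column headers


def validate_ap_rows(csv_text, auth_mode, known_groups):
    """Check AP rows before import; return a list of (line_no, message).

    auth_mode: "mac" or "sn", hypothetical labels for the AC's AP
    authentication mode. known_groups: AP groups that exist on the AC.
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    required = "AP MAC" if auth_mode == "mac" else "AP SN"
    formats = {"AP MAC": MAC_RE, "AP SN": SN_RE}
    seen = {"AP MAC": {}, "AP SN": {}, "AP Name": {}}
    problems = []

    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rec = {f: (row.get(f) or "").strip() for f in FIELDS}
        rec["AP MAC"] = rec["AP MAC"].lower()
        rec["AP SN"] = rec["AP SN"].upper()

        # The identifier the AC authenticates on must be present.
        if not rec[required]:
            problems.append((line_no, f"{required} is mandatory in {auth_mode} mode"))

        # The optional identifier is still validated when it is filled in.
        for field, pattern in formats.items():
            if rec[field] and not pattern.fullmatch(rec[field]):
                problems.append((line_no, f"{field} {rec[field]!r} has an unexpected format"))
                rec[field] = ""  # keep malformed values out of the duplicate index

        # A repeated MAC, SN or name would let two rows claim the same AP.
        for field, index in seen.items():
            value = rec[field]
            if not value:
                continue
            if value in index:
                problems.append((line_no, f"{field} {value!r} repeats line {index[value]}"))
            else:
                index[value] = line_no

        if rec["AP Group"] not in known_groups:
            problems.append((line_no, f"AP Group {rec['AP Group']!r} does not exist"))
    return problems


# Constructed sample; only the first data row comes from the page.
SAMPLE = "\n".join([
    "AP MAC,AP SN,AP Name,AP Group",
    "60de-4476-e360,210235419610CB002287,area_1,ap-group1",
    "60de-4476-e380,,area_2,ap-group1",            # SN left empty
    ",210235419610CB002299,area_3,ap-group1",      # MAC left empty
    "60DE:4476:E3A0,210235419610CB0022AA,area_4,ap-group1",  # wrong MAC notation
    "60de-4476-e360,210235419610CB0022BB,area_5,ap-group2",  # duplicate MAC, unknown group
])

if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(f"AP authentication mode: {mode}")
        for line_no, message in validate_ap_rows(SAMPLE, mode, {"ap-group1"}):
            print(f"  line {line_no}: {message}")
```
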

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Open (applicable to personal networks).

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure MAC authentication for local users.


1. Create the authentication profile wlan-net.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.


# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.
# Click Create. On the Create Authentication Profile page that is displayed, enter the
profile name wlan-net and click OK. The authentication profile configuration page is
displayed.
# Set Access mode to MAC authentication and Authentication mode to Local
authentication.
# Click Apply. In the dialog box that is displayed, click OK.
2. Configure the MAC access profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click MAC Authentication.
The MAC Authentication Profile page is displayed.
# Click Create. On the Create MAC Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. On the MAC authentication profile
configuration page that is displayed, configure the user name format for MAC address
authentication.
NOTE
The user name and password used for MAC address authentication must be the same as those
configured for local authentication.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure the local authentication scheme wlan-net.

# Click the icon in front of Authentication Profile. Under it, click Local Authentication.
The Local Authentication page is displayed.
# Click Manage. The Create Local User page is displayed.
# Click Create. In the dialog box that is displayed, enter the user name and password.
NOTE
The local user name and password must be the same as those in the MAC authentication profile.


# Click OK. Click Close. Click Apply.
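
Step 6 only admits a terminal when a local user exists whose name is the terminal's MAC address in the user name format of the MAC access profile and whose password equals the profile's password. The following Python audit of a planned local-user list is an added example, not part of the Huawei document; the style labels hyphen4 and plain, the data structures, and every sample value other than 0011-2233-4455 and guest@123 are constructed assumptions.

```python
import hmac
import re


def format_mac(mac, style="hyphen4"):
    """Render a MAC address as a MAC-authentication user name.

    style is a hypothetical label: "hyphen4" gives 0011-2233-4455 (the form
    used on the page), "plain" gives 001122334455.
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if style == "plain":
        return digits
    if style == "hyphen4":
        return "-".join(digits[i:i + 4] for i in (0, 4, 8))
    raise ValueError(f"unknown style: {style!r}")


def audit_mac_auth(terminals, local_users, profile):
    """Compare planned terminals and local users with the MAC access profile.

    terminals:   MAC addresses of the dumb terminals, in any common notation.
    local_users: {user_name: password} as planned for the AC.
    profile:     {"style": ..., "password": ...} from the MAC access profile.
    Returns a list of (finding, user_name) tuples.
    """
    style, shared = profile["style"], profile["password"]
    expected = {format_mac(t, style) for t in terminals}
    findings = []

    # Every planned terminal needs a matching local user and password.
    for name in sorted(expected):
        if name not in local_users:
            findings.append(("missing-user", name))
        elif not hmac.compare_digest(local_users[name].encode(), shared.encode()):
            findings.append(("password-mismatch", name))

    # Local users that no planned terminal maps to.
    for name in sorted(local_users):
        if name in expected:
            continue
        try:
            canonical = format_mac(name, style)
        except ValueError:
            canonical = None
        if canonical != name:
            # Wrong notation: the AC would never look this user up.
            findings.append(("name-format", name))
        else:
            # Well-formed entry for a device that is not in the plan.
            findings.append(("unplanned-user", name))
    return findings


# Constructed sample data (0011-2233-4455 and guest@123 are the page's values).
TERMINALS = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-77"]
LOCAL_USERS = {
    "0011-2233-4455": "guest@123",
    "00:11:22:33:44:66": "guest@123",   # created in colon notation
    "0011-2233-4477": "Guest@123",      # password typed with a capital G
    "0011-2233-4488": "guest@123",      # no longer in the terminal plan
}
PROFILE = {"style": "hyphen4", "password": "guest@123"}

if __name__ == "__main__":
    for finding, name in audit_mac_auth(TERMINALS, LOCAL_USERS, PROFILE):
        print(f"{finding}: {name}")
```

Remove unplanned-user entries once confirmed stale: each local user is a standing admission for whichever device presents that MAC address on the open SSID.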


Step 7 Verify the configuration.
1. The STAs automatically access the WLAN with the SSID wlan-net.
2. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 5-37 Networking for configuring user authorization based on user groups

Data Planning

Table 5-42 Data planning on the AC

Configuration Item                Data
Management VLAN                   VLAN 100
Service VLAN                      VLAN 101
AC's source interface             VLANIF 100: 10.23.100.1/24
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs,
                                  and SwitchB functions as a DHCP server to assign IP addresses
                                  to STAs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for the STAs      10.23.101.2-10.23.101.254/24
RADIUS authentication parameters  • RADIUS server template name: wlan-net
                                  • IP address: 10.23.103.1
                                  • Authentication port number: 1812
                                  • Shared key: huawei@123
                                  • Authentication scheme: wlan-net
802.1x access profile             • Name: wlan-net
                                  • Authentication mode: EAP
Authentication profile            • Name: wlan-net
                                  • Bound profile and authentication scheme: 802.1x access
                                    profile wlan-net, RADIUS server template wlan-net, and
                                    RADIUS authentication scheme wlan-net
AP group                          • Name: ap-group1
                                  • Bound profile: VAP profile wlan-net and regulatory domain
                                    profile default
Regulatory domain profile         • Name: default
                                  • Country code: China
SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net
Security profile                  • Name: wlan-net
                                  • Security policy: WPA-WPA2+802.1X+AES
VAP profile                       • Name: wlan-net
                                  • Forwarding mode: direct forwarding
                                  • Service VLAN: VLAN 101
                                  • Bound profiles: SSID profile wlan-net, security profile
                                    wlan-net, and authentication profile wlan-net
User group                        • Name: group1
                                  • Bound ACL number: 3001
                                  • User group right: Only members in the user group can access
                                    network resources on 10.23.200.0/24.

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.


2. Select Config Wizard to configure AC system parameters.


3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure a user group.
6. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.


# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.


# Click OK.

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1x authentication, and configure parameters of the
external RADIUS server.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create on the ACLv4 tab. On the Create Advanced ACL page that is
displayed, configure an ACL.

# Click OK. The Advanced ACL Settings page is displayed.


# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed, add an
ACL rule.


# Click OK. On the Advanced ACL Settings page that is displayed, use the same
method to add another ACL rule.

# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set User group
name and bind an ACL.


# Click OK.

Step 8 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring User
Authorization Based on User Groups (Web)" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and Cisco
ISE Server.
• For interconnection with the Aruba ClearPass, see "Example for Configuring User
Authorization Based on User Groups (Web)" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and Aruba
ClearPass Server.
• For interconnection with other third-party servers, see the corresponding product manual.

Step 9 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.


iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

5.7.9 Example for Configuring Built-in Portal WeChat Authentication
Networking Requirements
As shown in Figure 5-38, the AC of a shop directly connects to an AP. The shop deploys a
WLAN wlan-net to provide wireless network access for consumers. The AC functions as a
DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.
To improve its brand popularity and image, the shop allows consumers to connect to the open
Wi-Fi network using WeChat. Users can obtain access to the Internet by WeChat
authentication, without the need to enter a user name or password.

Figure 5-38 Networking diagram for configuring WeChat authentication using a built-in
Portal server

[Figure labels: STAs; AP area_1; AC with GE0/0/1 (VLAN 100) and GE0/0/2 (VLAN 101);
built-in Portal server 10.1.1.1/24; intranet; DNS server 10.23.200.2; WeChat server.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning
Item                              Data

Portal access profile             • Name: wlan-net
                                  • The built-in Portal server is used.
                                    – IP address of the built-in portal server: 10.1.1.1/24
                                    – HTTP port number: 1025

WeChat authentication profile     • WeChat public account ID: wxappid123
                                  • WeChat public account key: huawei@123
                                  • The AC automatically obtains shop information from the
                                    WeChat server. Parameter settings of the WeChat server are:
                                    – Default domain name: api.weixin.qq.com
                                    – SSL policy name: default_policy
                                    – Default port number: 443

DNS server                        IP address: 10.23.200.2

Authentication-free rule profile  • Name: default_free_rule
                                  • Authentication-free resource: IP address of the DNS
                                    server (10.23.200.2)

Authentication profile            • Name: wlan-net
                                  • Bound profile and authentication scheme: Portal access
                                    profile wlan-net and authentication scheme wlan-net

DHCP server                       The central AP functions as a DHCP server to assign IP
                                  addresses to the RU and STAs.

IP address pool for the AP        10.23.100.2 to 10.23.100.254/24

IP address pool for STAs          10.23.101.2 to 10.23.101.254/24

AC's source interface             VLANIF100: 10.23.100.1/24

AP group                          • Name: ap-group1
                                  • Bound profiles: VAP profile wlan-net and regulatory
                                    domain profile wlan-net

Regulatory domain profile         • Name: wlan-net
                                  • Country code: CN

SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net

Security profile                  • Name: wlan-net
                                  • Security policy: open system authentication

VAP profile                       • Name: wlan-net
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Bound profiles: SSID profile wlan-net, security profile
                                    wlan-net, and authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. Configure WeChat
authentication to authenticate WeChat users.
5. Complete user service verification.

Procedure
Step 1 Configure AC system parameters.
1. Configure AC basic parameters.
Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region as required (China as an example). Set System Time to Manual
and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and Default VLAN to 100, and add GigabitEthernet0/0/1 to VLAN 100 (management
VLAN).


# Click Apply.

# Select GigabitEthernet0/0/2. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/2 to VLAN 101 (service VLAN).

# Click Apply.

# Click Next. The Network Interconnection page is displayed.


3. Configure network interconnection.

# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.


# Click OK.

# Configure the address pool for VLANIF 101 in a similar way. Set the IP address of
VLANIF 101 to 10.23.101.1/24, DHCP status to ON, DHCP type to Interface address
pool, and Primary DNS server to 10.23.200.2.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set the destination IP address to 10.23.200.0/24 and Next hop address to 10.23.101.2
(assuming that the IP address of the uplink device is 10.23.101.2).

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the AC source address.


# Set AC source address to VLANIF. Click the button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 2 Configure an AP to go online.


1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information about the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication to MAC address authentication, the AP MAC address is
mandatory but the AP SN is optional.
– If you set AP authentication to SN authentication, the AP SN is mandatory but the AP MAC
address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configuration page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 3 Configure wireless services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Select WeChat. Set Server IP address to 10.1.1.1 and Port number to 1025. Configure
the WeChat official account as follows:
• APP ID: wxappid123
• APP key: huawei@123


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 4 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.


6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 5 Verify the configuration.
• After the configuration is complete, STAs can discover the wireless network with the
SSID wlan-net.
• STAs can be assigned IP addresses after they associate with the wireless network.
• When a user opens WeChat, the Portal authentication page is displayed automatically on
the STA. After the user is authenticated, the user can connect to the Internet.

----End

5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs
Service Requirements
Enterprise users can access the Internet through the WLAN to meet basic mobile office
requirements. When roaming occurs in the coverage area, user services will not be
interrupted.
Administrators want to deploy different SSIDs for WLAN access of guests and employees,
and different authentication modes for them to ensure WLAN security.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-39 Networking diagram for configuring different authentication modes for multiple
SSIDs

Data Planning

Table 5-43 AC data planning

Item                              Data

Management VLAN for APs           VLAN 100

Service VLAN for STAs             • Employees: VLAN 101
                                  • Guests: VLAN 102

DHCP server                       The AC functions as a DHCP server to assign IP addresses
                                  to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses
                                  to STAs. The default gateways for STAs are 10.23.101.2
                                  and 10.23.102.2.

IP address pool for APs           10.23.100.2-10.23.100.254/24

IP address pool for STAs          10.23.101.3-10.23.101.254/24
                                  10.23.102.3-10.23.102.254/24

IP address of the AC's source     VLANIF 100: 10.23.100.1/24
interface

RADIUS authentication             • RADIUS server template name: wlan-net
parameters                        • IP address: 10.23.102.1
                                  • Authentication port number: 1812
                                  • Shared key: Huawei123
                                  • Authentication scheme: wlan-net

Portal server template            • Name: wlan-net
                                  • IP address: 10.23.103.1
                                  • Port number: 50200
                                  • Shared key: Huawei123

Portal access profile             • Name: guest
                                  • Referenced template: Portal server template wlan-net

MAC access profile                Name: guest

Authentication-free rule profile  • Name: default_free_rule
                                  • Authentication-free resource: DNS server with IP
                                    address 8.8.8.8

802.1x access profile             • Name: employee
                                  • Authentication mode: EAP

Authentication profile            • Name: employee
                                  • Referenced profiles and authentication schemes: 802.1x
                                    access profile employee, RADIUS server template
                                    wlan-net, and authentication scheme employee

                                  • Name: guest
                                  • Referenced profiles and authentication schemes: Portal
                                    access profile guest, MAC access profile guest, RADIUS
                                    server template wlan-net, authentication scheme guest,
                                    and authentication-free rule template default_free_rule

AP group                          • Name: ap-group1
                                  • Referenced profiles: VAP profiles employee and guest,
                                    and regulatory domain profile default

Regulatory domain profile         • Name: default
                                  • Country code: China

SSID profile                      • Name: employee
                                  • SSID name: employee

                                  • Name: guest
                                  • SSID name: guest

Security profile                  • Name: employee
                                  • Security policy: WPA-WPA2+802.1x+AES

                                  • Name: guest
                                  • Security policy: open

VAP profile                       • Name: employee
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profiles: SSID profile employee, security
                                    profile employee, and authentication profile employee

                                  • Name: guest
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 102
                                  • Referenced profiles: SSID profile guest, security
                                    profile guest, and authentication profile guest

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Use the configuration wizard to configure system parameters for the AC.
3. Use the configuration wizard to configure the APs to go online on the AC.
4. Use the configuration wizard to configure WLAN services, 802.1x authentication, and
MAC address-prioritized Portal authentication on the AC.
5. Configure authentication-free rules for an AP group.
6. Deliver WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN
101 and VLAN 102, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102


[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
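
The Configuration Notes and the Step 1 switch settings can be checked against a captured CLI session. The following Python is an added example, not part of the Huawei document: it parses prompt-prefixed lines in the format shown in Step 1 and reports AP-facing ports that lack port isolation, do not use the management VLAN as default VLAN, or carry service VLANs in tunnel forwarding mode. Treating SwitchA GigabitEthernet0/0/1 as the AP-facing port is an assumption drawn from its pvid and port-isolate settings; the function names and finding labels are hypothetical.

```python
import re

# Prompt-prefixed CLI line, e.g. "[SwitchA-GigabitEthernet0/0/1] port-isolate enable".
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")

# SwitchA commands as given in Step 1 of this example.
STEP1_SWITCHA = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed counter-example: no pvid, no port isolation, service VLANs allowed.
LOOSE_SWITCHA = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[SwitchA-GigabitEthernet0/0/1] quit
"""


def parse_vlans(tokens):
    """Expand '100 101', '100 to 102' or 'all' into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_session(text):
    """Return {(host, interface): settings} for GigabitEthernet interface views."""
    ports = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m["view"] or not m["view"].startswith("GigabitEthernet"):
            continue
        # pvid defaults to VLAN 1; "allowed" holds only explicitly configured VLANs.
        port = ports.setdefault((m["host"], m["view"]),
                                {"pvid": 1, "allowed": set(), "isolated": False})
        words = m["cmd"].split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def audit(text, ap_ports, mgmt_vlan, service_vlans, tunnel=True):
    """Check AP-facing ports against the Configuration Notes; return findings."""
    findings = []
    if tunnel and mgmt_vlan in service_vlans:
        findings.append("global: management-vlan-equals-service-vlan")
    ports = parse_session(text)
    for host, name in ap_ports:
        label = f"{host} {name}"
        port = ports.get((host, name))
        if port is None:
            findings.append(f"{label}: no-configuration-found")
            continue
        if not port["isolated"]:
            findings.append(f"{label}: no-port-isolation")
        if port["pvid"] != mgmt_vlan or mgmt_vlan not in port["allowed"]:
            findings.append(f"{label}: management-vlan-not-default")
        leaked = sorted(port["allowed"] & set(service_vlans))
        if tunnel and leaked:
            findings.append(f"{label}: service-vlan-on-ap-port {leaked}")
    return findings


if __name__ == "__main__":
    ap = [("SwitchA", "GigabitEthernet0/0/1")]
    for title, session in (("Step 1", STEP1_SWITCHA), ("loose", LOOSE_SWITCHA)):
        print(title, audit(session, ap, 100, {101, 102}) or "no findings")
```
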

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk,
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and service VLANs
101 and 102.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.


# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.

# Similarly, configure a default route with the next hop of 10.23.102.2.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.


1. Configure WLAN services for employees.

# Click Create. The Basic Information page is displayed.

# Set the SSID name to employee, forwarding mode to tunnel forwarding, and service
VLAN to 101.

# Click Next. The Security Authentication page is displayed.

# Set the authentication mode to 802.1x authentication, and configure parameters of the
external RADIUS server.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
2. Configure WLAN services for guests.
# Click Create. The Basic Information page is displayed.
# Set the SSID name to guest, forwarding mode to tunnel forwarding, and service VLAN
to 102.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal(applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server
name, IP address, shared key, port number, and server URL. Under External RADIUS
Server Configuration, select the configured server wlan-net.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
2. Choose Wireless Service > VAP Profile > guest > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile page is
displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.


• An employee can use a STA to find the WLAN with SSID employee. After being
associated with the WLAN, the STA is assigned an IP address. After the employee uses
an 802.1x client on the STA for authentication and enters the correct user name and
password, the STA is authenticated and can access the WLAN. The configuration
method on the 802.1x client is as follows:
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID employee, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:


i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID employee. Set the authentication mode
to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
• A guest can use a STA to find the WLAN with SSID guest. After being associated with
the WLAN, the STA is assigned an IP address. When the STA accesses the Internet
through a browser, the authentication page provided by the Portal server is automatically
displayed. After the correct user name and password are entered on the page, the STA is
authenticated and can access the WLAN. Assume that the MAC address configured on
the Portal server is valid for 60 minutes. When the STA is disconnected from the WLAN
for 5 minutes, the STA can access the Internet directly when reconnecting to the WLAN.
When the STA is disconnected from the WLAN for 65 minutes, it will be redirected to
the Portal authentication page when reconnecting to the WLAN.

----End

5.8 Reliability Configuration Examples


5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.


Figure 5-40 Networking for configuring wireless configuration synchronization in VRRP
HSB scenarios (direct forwarding)

[Figure not reproduced. Devices shown: Internet, Router, AC1, AC2, SwitchB and SwitchC
(CSS), SwitchA, AP, STA. SwitchA connects to the CSS through Eth-Trunk10.
Management VLAN: VLAN 100.]

Data Planning

Table 5-44 AC data planning

Item                                          Data
--------------------------------------------  ------------------------------------------------
AC1's source interface                        Virtual IP address: 10.23.100.3/24
AC2's source interface                        Virtual IP address: 10.23.100.3/24
Virtual IP address of the management          10.23.100.3/24
VRRP group
Virtual IP address of the service             10.23.101.3/24
VRRP group
VAP profile                                   • Name: wlan-net
                                              • Forwarding mode: direct forwarding
                                              • Service VLAN: VLAN 101
                                              • Referenced profiles: SSID profile wlan-net and
                                                security profile wlan-net
AP group                                      • Name: ap-group1
                                              • Referenced profiles: VAP profile wlan-net and
                                                regulatory domain profile default
Regulatory domain profile                     • Name: default
                                              • Country code: China
SSID profile                                  • Name: wlan-net
                                              • SSID name: wlan-net
Security profile                              • Name: wlan-net
                                              • Security policy: WPA-WPA2+PSK+AES
                                              • Password: a1234567
DHCP server                                   The AC functions as a DHCP server to assign IP
                                              addresses to APs and STAs.
APs' gateway                                  VLANIF 100: 10.23.100.3/24
IP address pool for APs                       10.23.100.4 to 10.23.100.254/24
STAs' gateway                                 VLANIF 101: 10.23.101.3/24
IP address pool for STAs                      10.23.101.4 to 10.23.101.254/24
IP addresses and port numbers for the         IP address of VLANIF 102: 10.23.102.1/24
active and standby channels of AC1            Port number: 10241
IP addresses and port numbers for the         IP address of VLANIF 102: 10.23.102.2/24
active and standby channels of AC2            Port number: 10241


Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve core
layer reliability and configure SwitchB as the master switch.
2. Configure network connectivity between SwitchA, SwitchB, and SwitchC.
3. Configure AC1 based on the configuration wizard. VRRP HSB and wireless
configuration synchronization are both configured based on the configuration wizard.
4. Configure APs to go online and basic WLAN services on AC1.
5. Configure AC2 based on the configuration wizard.
6. Trigger wireless configuration synchronization on AC1.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.

Procedure
Step 1 Establish a cluster through cluster cards.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100


# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted.
The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted.
The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA


1 EH1D2VS08000 Present PowerOn Registered Normal NA


3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------


The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.

Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit CAPWAP
packets.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (the interface
connecting to the AP). If port isolation is not configured, many broadcast packets will be
transmitted in the VLANs, or WLAN users on different APs will be able to communicate
directly at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, and add Eth-Trunk 10 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type


[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
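
The two Layer 2 hardening points in Step 2 (removing VLAN 1 from trunk ports, and isolating the AP-facing port in direct forwarding mode) can be checked from a saved CLI session. The following Python script is an added example, not part of the original Huawei document; it assumes a trunk port carries VLAN 1 until undo port trunk allow-pass vlan 1 is entered, treats a trunk port whose PVID is the management VLAN as AP-facing (the convention of this example), and its second transcript is constructed.

```python
import re

# A VRP prompt line: "<HUAWEI> cmd" (user view) or "[SwitchA-...] cmd" (other views).
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")
ALL_VLANS = set(range(1, 4095))

# Commands taken from Step 2 of this example (SwitchA, shortened to three interfaces).
PAGE_SWITCHA = """
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
"""

# Constructed transcript: same ports, but VLAN 1 is never removed and the
# AP-facing port is not isolated.
CONSTRUCTED_WEAK = """
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
"""


def expand_vlans(tokens):
    """Expand a VRP VLAN list: ['100', '101'], ['100', 'to', '102'] or ['all']."""
    if tokens == ["all"]:
        return set(ALL_VLANS)
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def apply_command(port, words):
    """Update one interface's state from a single command typed in its view."""
    cmd = " ".join(words)
    if cmd == "port link-type trunk":
        port["trunk"] = True
    elif cmd.startswith("port trunk allow-pass vlan "):
        port["allowed"] |= expand_vlans(words[4:])
    elif cmd.startswith("undo port trunk allow-pass vlan "):
        port["allowed"] -= expand_vlans(words[5:])
    elif cmd.startswith("port trunk pvid vlan "):
        port["pvid"] = int(words[4])
    elif cmd == "port-isolate enable":
        port["isolated"] = True
    elif words[0] == "eth-trunk" and len(words) == 2:
        port["member_of"] = "eth-trunk" + words[1]


def parse_interfaces(transcript):
    """Return {interface: state} for every interface configured in the transcript."""
    ports, current = {}, None
    for line in transcript.splitlines():
        match = PROMPT.match(line)
        words = match.group(1).lower().split() if match else []
        if not words:
            continue
        if words[0] == "interface" and len(words) > 1:
            current = "".join(words[1:])
            # Assumption: VLAN 1 is allowed and is the PVID until configured otherwise.
            ports.setdefault(current, {"trunk": False, "allowed": {1}, "pvid": 1,
                                       "isolated": False, "member_of": None})
        elif words[0] in ("quit", "return"):
            current = None
        elif current is not None:
            apply_command(ports[current], words)
    return ports


def audit(transcript, mgmt_vlan=100, direct_forwarding=True):
    """Return [(interface, finding)] for trunk ports that miss either hardening step."""
    findings = []
    for name, port in parse_interfaces(transcript).items():
        if port["member_of"] or not port["trunk"]:
            continue  # Eth-Trunk members take their VLAN settings from the Eth-Trunk
        if 1 in port["allowed"]:
            findings.append((name, "VLAN1_ALLOWED"))
        if direct_forwarding and port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append((name, "NO_PORT_ISOLATE"))
    return findings


if __name__ == "__main__":
    print(audit(PAGE_SWITCHA))
    print(audit(CONSTRUCTED_WEAK))
```

Pass direct_forwarding=False when auditing a tunnel forwarding deployment, where only the VLAN 1 check applies.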

Step 3 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to Trunk and
add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.


# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool. Expand Advanced. Click to add 10.23.100.2
and 10.23.100.3 to Excluded IP address.

NOTE

Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.

# Repeat the preceding steps to configure an address pool for VLANIF 101. Set the IP
address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.2 and 10.23.101.3 to
Excluded IP address.

# Set the IP address of VLANIF 102 to 10.23.102.1/24.

# Click Next. The AC Backup Configuration page is displayed.


4. Configure AC backup.

# Enable HSB.

# Click Create. The Create VRID page is displayed.

# Create a management VRRP group. Set parameters as follows:


– VLANIF/IP: VLANIF 100
– VRID: 1
– VRRP type: mVRRP group
– Virtual IP address: 10.23.100.3
– Priority: 120
– Preemption delay(s): 1800


# Click OK.

# Configure a service VRRP group in the same way. Set parameters as follows:
– VLANIF/IP: VLANIF 101
– VRID: 2
– VRRP type: VRRP group
– Virtual IP address: 10.23.101.3
– Preemption delay(s): 1800
– VRID of the mVRRP group: 1

# Click OK.

# Configure HSB. Set parameters as follows:


– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Associated VRID: 1


# Enable wireless configuration synchronization, and set PSK key.

# Click Next. The AC Source Address page is displayed.


5. Configure the source address for AC1.
# Set AC source address to IP address and set the IP address to 10.23.100.3.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs connected to AC1.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287


– AP Name: area_1
– AP Group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure basic WLAN services on AC1.
1. Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.


# Click Finish.

Step 6 Configure AC2.


1. Perform basic AC configurations.

# Configure AC2 in the same way as that for configuring AC1.


2. Configure interfaces.

# Configure interfaces on AC2 in the same way as that on AC1.


3. Configure network interconnections.

# Configure network interconnections on AC2 in the same way as that on AC1. The
differences are as follows:

– Set IP addresses of VLANIF 100, VLANIF 101, and VLANIF 102 to
10.23.100.2/24, 10.23.101.2/24, and 10.23.102.2/24, respectively.
– Add IP addresses 10.23.100.1 and 10.23.100.3 to Excluded IP address of VLANIF
100.
– Add IP addresses 10.23.101.1 and 10.23.101.3 to Excluded IP address of VLANIF
101.
4. Configure AC backup.

# Configure AC backup on AC2 in the same way as that on AC1. The differences are as
follows:

– When configuring VRRP groups, use the default values of Priority and
Preemption delay(s).
– When configuring HSB, set Local AC IP address to 10.23.102.2 and Peer AC IP
address to 10.23.102.1.
5. Configure the source address for AC2.

# Configure the source address for AC2 in the same way as that for AC1.
6. Confirm the configuration.
# Confirm the configuration and click Finish.
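
Steps 3 and 6 enter the same settings on two ACs with the addresses swapped, and a slip on one AC (a DHCP pool that can lease the virtual IP address, or an HSB peer address that points at the local AC) is easy to miss in the web wizard. The following Python check is an added example, not part of the original Huawei document; the dictionary layout and function names are illustrative, the values are those given in Steps 3 and 6, a VRRP priority left at its default is assumed to be 100, and the broken AC2 is constructed.

```python
import copy
import ipaddress

VRRP_DEFAULT_PRIORITY = 100  # assumption: value used where the page says "default"

# Values entered in Step 3 (AC1) and Step 6 (AC2). priority None = left at default.
AC1 = {
    "vlanif": {100: "10.23.100.1/24", 101: "10.23.101.1/24", 102: "10.23.102.1/24"},
    "excluded": {100: ["10.23.100.2", "10.23.100.3"], 101: ["10.23.101.2", "10.23.101.3"]},
    "vrrp": {100: {"vrid": 1, "vip": "10.23.100.3", "priority": 120},
             101: {"vrid": 2, "vip": "10.23.101.3", "priority": None}},
    "hsb": {"local": "10.23.102.1", "peer": "10.23.102.2",
            "local_port": 10241, "remote_port": 10241},
    "source": "10.23.100.3",
}
AC2 = {
    "vlanif": {100: "10.23.100.2/24", 101: "10.23.101.2/24", 102: "10.23.102.2/24"},
    "excluded": {100: ["10.23.100.1", "10.23.100.3"], 101: ["10.23.101.1", "10.23.101.3"]},
    "vrrp": {100: {"vrid": 1, "vip": "10.23.100.3", "priority": None},
             101: {"vrid": 2, "vip": "10.23.101.3", "priority": None}},
    "hsb": {"local": "10.23.102.2", "peer": "10.23.102.1",
            "local_port": 10241, "remote_port": 10241},
    "source": "10.23.100.3",
}


def check_pair(master, backup, mgmt_vlan=100, hsb_vlan=102):
    """Return a list of inconsistencies between the two ACs (empty list = consistent)."""
    problems = []
    for vlan, group_m in master["vrrp"].items():
        group_b = backup["vrrp"].get(vlan)
        if group_b is None or (group_b["vrid"], group_b["vip"]) != (group_m["vrid"], group_m["vip"]):
            problems.append(f"vlan{vlan}: VRID or virtual IP differs between the ACs")
            continue
        if_m = ipaddress.ip_interface(master["vlanif"][vlan])
        if_b = ipaddress.ip_interface(backup["vlanif"][vlan])
        vip = ipaddress.ip_address(group_m["vip"])
        if if_m.network != if_b.network or vip not in if_m.network:
            problems.append(f"vlan{vlan}: VLANIF addresses and virtual IP are not in one subnet")
        if len({if_m.ip, if_b.ip, vip}) != 3:
            problems.append(f"vlan{vlan}: VLANIF addresses and virtual IP must all differ")
        # Both ACs serve DHCP for this VLAN, so neither pool may lease the peer's
        # VLANIF address or the virtual IP address.
        for role, ac, peer_ip in (("master", master, if_b.ip), ("backup", backup, if_m.ip)):
            excluded = {ipaddress.ip_address(a) for a in ac["excluded"].get(vlan, [])}
            for addr in sorted({peer_ip, vip} - excluded):
                problems.append(f"vlan{vlan}: {role} pool does not exclude {addr}")
    prio_m = master["vrrp"][mgmt_vlan]["priority"] or VRRP_DEFAULT_PRIORITY
    prio_b = backup["vrrp"][mgmt_vlan]["priority"] or VRRP_DEFAULT_PRIORITY
    if prio_m <= prio_b:
        problems.append("vrrp: master priority is not higher than backup priority")
    hm, hb = master["hsb"], backup["hsb"]
    if (hm["local"], hm["peer"]) != (hb["peer"], hb["local"]):
        problems.append("hsb: local and peer addresses are not mirrored")
    if (hm["local_port"], hm["remote_port"]) != (hb["remote_port"], hb["local_port"]):
        problems.append("hsb: port numbers are not mirrored")
    for role, ac in (("master", master), ("backup", backup)):
        if ac["hsb"]["local"] != str(ipaddress.ip_interface(ac["vlanif"][hsb_vlan]).ip):
            problems.append(f"hsb: {role} local address is not its VLANIF {hsb_vlan} address")
        if ac["source"] != master["vrrp"][mgmt_vlan]["vip"]:
            problems.append(f"{role}: AC source address is not the management virtual IP")
    return problems


def constructed_broken_ac2():
    """Constructed drifted AC2: virtual IP left in the pool, HSB peer set to itself."""
    bad = copy.deepcopy(AC2)
    bad["excluded"][100] = ["10.23.100.1"]
    bad["hsb"]["peer"] = "10.23.102.2"
    return bad


if __name__ == "__main__":
    print(check_pair(AC1, AC2))
    for problem in check_pair(AC1, constructed_broken_ac2()):
        print(problem)
```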

Step 7 Trigger wireless configuration synchronization manually on AC1.

# Choose Monitoring > AC > Wireless Configuration Synchronization Information. The
Wireless Configuration Synchronization Information page is displayed. Set Auto refresh
to ON.

# Click Manual synchronization under Operation. In the Confirm dialog box that is
displayed, click OK. AC2 restarts automatically.

Step 8 Verify the configuration.

# After AC2 restarts, check the configuration synchronization state on AC1. If Configuration
Synchronization State is Synchronization success, wireless configuration synchronization
succeeds.


# STAs associated with the AP can find the SSID wlan-net and connect to the WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC, ensuring
user service continuity.

----End

5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-41 Networking diagram for configuring dual-link HSB

Data Planning

Table 5-45 AC Data planning


Item                            Data
------------------------------  ----------------------------------------------------
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
AC's backup VLAN                VLAN 102
DHCP server                     The Router functions as the DHCP server for the APs
                                and STAs.
                                STAs' gateway: 10.23.101.1/24
                                APs' gateway: 10.23.100.1/24
IP address pool for APs         10.23.100.4-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface           VLANIF 100
AC1's management IP address     VLANIF 100: 10.23.100.2/24
AC2's management IP address     VLANIF 100: 10.23.100.3/24
Active AC                       AC1
Standby AC                      AC2
Master AC                       AC1
Local AC                        AC2
AP group                        • Name: ap-group1
                                • Referenced profile: VAP profile wlan-net and
                                  regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net
AP system profile               • Name: wlan-net
                                • Primary AC's IP address: 10.23.100.2
                                • Backup AC's IP address: 10.23.100.3


Configuration Roadmap
1. Configure network interconnection. Configure Router as a DHCP server to assign IP
addresses to APs and STAs.
2. Configure AC1, APs going online, and WLAN services following the configuration
wizard.
3. Configure dual-link hot standby (HSB) on AC1.
4. Configure AC2 following the configuration wizard.
5. Configure dual-link HSB on AC2.
6. Trigger wireless configuration synchronization on AC1.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange CAPWAP
packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk


[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100


[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of
SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure the communication between Router, AC1, and AC2.


# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 to VLAN 102.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Click Create under Interface Configuration. The Create Interface Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK. VLANIF 100 is configured.

# Repeat the preceding steps to configure VLANIF 102. Set the IP address of VLANIF
102 to 10.23.102.1/24.

# Click Next. The AC Backup Configuration page is displayed.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC1.

# Set AC source address to VLANIF and set the IP address to Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 5 Configure APs connected to AC1.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 6 Configure basic WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
Click Finish.
Step 7 Configure dual-link HSB on AC1.
1. Configure IP addresses for primary and backup ACs.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. On the page that is displayed, click in front
of AP. Under it, click AP System Profile. The AP System Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-net and click OK. The AP system profile configuration page is
displayed.

# On the Advanced Configuration page of the AP system profile, click in front of
Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP address to
10.23.100.2 and Backup AC IP address to 10.23.100.3.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link HSB.
# Choose Configuration > Reliability > Reliability. The Reliability page is displayed.

# Set parameters as follows:


– Backup mode: Dual-link hot backup
– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Wireless configuration synchronization: ON
– Synchronization mode: From local to peer
– Peer AC IP address: 10.23.100.3
– PSK key: H@123456
Step 8 Configure AC2.
1. Perform basic AC configurations.
# Configure AC2 in the same way as that for configuring AC1.
2. Configure interfaces.
# Configure interfaces on AC2 in the same way as that on AC1.
3. Configure network interconnection.
# Configure network interconnections on AC2 in the same way as that on AC1. The
differences are as follows:
– Set IP addresses of VLANIF 100 and VLANIF 102 to 10.23.100.3/24 and
10.23.102.2/24, respectively.
4. Configure the source address for AC2.
# Configure the source address for AC2 in the same way as that for AC1.
5. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 9 Configure dual-link HSB on AC2.
1. Configure IP addresses for primary and backup ACs.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click Create. On the page that is displayed, create the AP group ap-group1 and click
OK.

# In the AP group list, click ap-group1. On the page that is displayed, click in front
of AP. Under it, click AP System Profile. The AP System Profile page is displayed.

# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-net and click OK. The AP system profile configuration page is
displayed.

# On the Advanced Configuration page of the AP system profile, click in front of
Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP address to
10.23.100.2 and Backup AC IP address to 10.23.100.3.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link HSB.

# Choose Configuration > Reliability > Reliability. The Reliability page is displayed.

# Set parameters as follows:


– Backup mode: Dual-link hot backup
– Local AC IP address: 10.23.102.2
– Peer AC IP address: 10.23.102.1
– Local port: 10241
– Remote port: 10241
– Wireless configuration synchronization: ON
– Synchronization mode: From peer to local
– Peer AC IP address: 10.23.100.2
– PSK key: H@123456
Step 10 Trigger wireless configuration synchronization manually on AC1.
# Choose Monitoring > AC > Wireless Configuration Synchronization Information. The
Wireless Configuration Synchronization Information page is displayed. Set Auto refresh
to ON.
# Click Manual synchronization under Operation. In the Confirm dialog box that is
displayed, click OK. AC2 restarts automatically.

Step 11 Verify the configuration.


# After AC2 restarts, check the configuration synchronization state on AC1. If Configuration
Synchronization State is Synchronization success, wireless configuration synchronization
succeeds.

# STAs associated with the AP can find the SSID wlan-net and connect to the WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC, ensuring
user service continuity.

----End

5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-42 Networking for configuring dual-link cold backup

Data Planning

Table 5-46 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The switch functions as a DHCP server to assign IP addresses to APs and STAs. STAs' gateway: 10.23.101.1/24. APs' gateway: 10.23.100.1/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface | VLANIF 100 |
| AC1's management IP address | VLANIF 100: 10.23.100.2/24 |
| AC2's management IP address | VLANIF 100: 10.23.100.3/24 |
| Active AC | AC1; Local priority: 0 |
| Standby AC | AC2; Local priority: 1 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the switch.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

Configure the DHCP function on the switch to assign IP addresses to APs and STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 2 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Add APs on AC1.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.

– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

Click Finish.

Step 5 Configure AC2.

The configuration is similar to that on AC1. The difference is that the IP address of VLANIF
100 is 10.23.100.3/24.

Step 6 Add APs on AC2.

The configuration is similar to that on AC1.

Step 7 Configure WLAN services on AC2.

The configuration is similar to that on AC1.

Step 8 Configure dual-link backup on AC1 and AC2.


1. Configure dual-link backup on AC1.

# On AC1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.

# Set Backup mode to Dual-link cold backup, AC dual-link switchover status to ON,
and configure Local priority and Backup AC IP address. Set Backup AC IP address
to 10.23.100.3 (AC2's IP address).

NOTE
A smaller value of Local priority indicates a higher local priority.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link backup on AC2.

# The configuration is similar to that on AC1.

# Set Local priority to 1, and Backup AC IP address to 10.23.100.2 (IP address of
AC1). The other configurations are the same as those of AC1.
NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs are
restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs and make the dual-link
backup function take effect.

Step 9 Verify the configuration.


1. The WLAN with the SSID wlan-net is available for STAs connected to AP1 and AP2,
and the STAs can connect to the WLAN and go online properly.

2. When the link between an AP and AC1 fails, AC2 takes over the active role. This
ensures service stability.

----End
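The Step 1 switch commands of this example can be checked against its Configuration Notes (port isolation on AP-facing ports in direct forwarding, management and service VLANs kept apart in tunnel forwarding). The following is an added example, not part of the Huawei document; the function names, the rule that an AP-facing port is a trunk whose PVID is the management VLAN, and the transcript with port isolation removed from GE0/0/4 are assumptions constructed here.

```python
import re

# Constructed input: the Step 1 switch commands from this example, with
# "port-isolate enable" deliberately left off GE0/0/4 to produce a finding.
TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
"""

# "<HUAWEI> cmd" or "[Switch-GigabitEthernet0/0/1] cmd" -> cmd
PROMPT = re.compile(r"^[<\[][^\]>]*[\]>]\s*(.*)$")


def parse_vlans(tokens):
    """Expand 'allow-pass vlan' arguments: '100 to 101', '101 102' or 'all'."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_transcript(text):
    """Build per-interface state from a pasted command transcript.

    allow-pass lines accumulate, as when a port is revisited in a later step.
    Only explicitly configured VLANs are tracked.
    """
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        w = m.group(1).lower().split()
        if len(w) >= 2 and w[0] == "interface":
            current = ports.setdefault("".join(w[1:]), {
                "link_type": None, "pvid": None, "allow": set(), "isolate": False})
        elif w == ["quit"]:
            current = None
        elif current is None:
            continue
        elif w[:2] == ["port", "link-type"] and len(w) == 3:
            current["link_type"] = w[2]
        elif w[:4] == ["port", "trunk", "pvid", "vlan"] and len(w) == 5:
            current["pvid"] = int(w[4])
        elif w[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allow"] |= parse_vlans(w[4:])
        elif w == ["port-isolate", "enable"]:
            current["isolate"] = True
    return ports


def audit(ports, mgmt_vlan, service_vlan, forwarding):
    """Return findings for the Configuration Notes; forwarding is 'direct' or 'tunnel'."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("management and service VLAN are the same in tunnel forwarding mode")
    # Direct forwarding: the AP bridges STA traffic, so its port carries both VLANs.
    # Tunnel forwarding: only management (CAPWAP) traffic crosses the AP port.
    needed = {mgmt_vlan, service_vlan} if forwarding == "direct" else {mgmt_vlan}
    for name, p in sorted(ports.items()):
        # Assumption: an AP-facing port is a trunk whose PVID is the management VLAN.
        if p["link_type"] != "trunk" or p["pvid"] != mgmt_vlan:
            continue
        if forwarding == "direct" and not p["isolate"]:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        if p["allow"] - needed:
            findings.append(f"{name}: allows unneeded VLANs {sorted(p['allow'] - needed)}")
        if needed - p["allow"]:
            findings.append(f"{name}: missing VLANs {sorted(needed - p['allow'])}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_transcript(TRANSCRIPT), 100, 101, "direct"):
        print(finding)
```

Run against the same transcript with forwarding set to "tunnel", the audit instead reports VLAN 101 as unneeded on both AP-facing ports, since only management VLAN traffic passes between the AC and APs in that mode.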

5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-43 Networking for configuring dual-link HSB for ACs

Data Planning

Table 5-47 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| AC's backup VLAN | VLAN 102 |
| DHCP server | The router functions as a DHCP server to assign IP addresses to APs and STAs. STAs' gateway: 10.23.101.1/24. APs' gateway: 10.23.100.1/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface | VLANIF 100 |
| AC1's management IP address | VLANIF 100: 10.23.100.2/24 |
| AC2's management IP address | VLANIF 100: 10.23.100.3/24 |
| Active AC | AC1; Local priority: 0 |
| Standby AC | AC2; Local priority: 1 |
| IP addresses and port numbers for the active and standby channels of AC1 | IP address: VLANIF 102, 10.23.102.1/24; Port number: 10241 |
| IP addresses and port numbers for the active and standby channels of AC2 | IP address: VLANIF 102, 10.23.102.2/24; Port number: 10241 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the APs, ACs, and other network devices.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange CAPWAP
packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure the communication between Router, AC1, and AC2.


# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 to VLAN 102.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK. VLANIF 100 is configured.


# Repeat the preceding steps to configure VLANIF 102. Set the IP address of VLANIF
102 to 10.23.102.1/24.
# Click Next. The AC Backup Configuration page is displayed.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC1.
# Set AC source address to VLANIF and set the IP address to Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 5 Configure APs connected to AC1.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 6 Configure basic WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Configure AC2.

The configuration is similar to that on AC1. The difference is that the IP addresses of
VLANIF 100 and VLANIF 102 are 10.23.100.3/24 and 10.23.102.2/24, respectively.

Step 8 Add APs on AC2.

The configuration is similar to that on AC1.

Step 9 Configure WLAN services on AC2.

The configuration is similar to that on AC1.

Step 10 Configure dual-link HSB on AC1.

# Choose Configuration > Reliability > Reliability. The Reliability page is displayed.

# Set parameters as follows:


• Backup mode: Dual-link hot backup
• Local priority: 0
• Backup AC IP address: 10.23.100.3
• AC dual-link switchover status: ON
• Local AC IP address: 10.23.102.1
• Peer AC IP address: 10.23.102.2
• Local port: 10241
• Remote port: 10241

Step 11 Configure dual-link HSB on AC2.

The configuration is similar to that on AC1. The following parameter settings are different:
• Local priority: 1
• Backup AC IP address: 10.23.100.2
• Local AC IP address: 10.23.102.2
• Peer AC IP address: 10.23.102.1


Step 12 Verify the configuration.
1. The WLAN with the SSID wlan-net is available for STAs connected to AP1 and AP2,
and these STAs can connect to the WLAN and go online properly.
2. When the link between an AP and AC1 fails, AC2 takes over the active role. User
services are not interrupted.

----End

5.8.5 Example for Configuring VRRP HSB

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
  the core layer. SwitchB is the active switch and SwitchC is the standby switch.


Figure 5-44 Configuring VRRP HSB (direct forwarding)

[Figure: network topology. Labels: Internet; Router; AC1 and AC2 (GE0/0/1: VLAN 100-101; GE0/0/2: VLAN 102); SwitchB and SwitchC in a CSS (GE1/1/0/1 and GE2/1/0/1: VLAN 100-101; GE1/1/0/2 and GE2/1/0/2: VLAN 100-101, Eth-Trunk10); SwitchA (GE0/0/1, GE0/0/2 and GE0/0/3: VLAN 100-101); AP; STA. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 5-48 AC Data Planning

Item                                 Configuration
-----------------------------------  ------------------------------------------------
AC1's source interface               VLANIF 100: 10.23.100.3/24

AC2's source interface               VLANIF 100: 10.23.100.3/24

Virtual IP address of the            10.23.100.3/24
management VRRP group

Virtual IP address of the            10.23.101.3/24
service VRRP group

VAP profile                          • Name: wlan-net
                                     • Forwarding mode: direct forwarding
                                     • Service VLAN: VLAN 101
                                     • Referenced profiles: SSID profile wlan-net and
                                       security profile wlan-net

AP group                             • Name: ap-group1
                                     • Referenced profiles: VAP profile wlan-net and
                                       regulatory domain profile default

Regulatory domain profile            • Name: default
                                     • Country code: China

SSID profile                         • Name: wlan-net
                                     • SSID name: wlan-net

Security profile                     • Name: wlan-net
                                     • Security policy: WPA-WPA2+PSK+AES
                                     • Password: a1234567

DHCP server                          AC functions as the DHCP server to assign IP
                                     addresses to the AP and STA

AP's gateway                         VLANIF 100: 10.23.100.3/24

IP address pool for the AP           10.23.100.4 to 10.23.100.254/24

STA's gateway                        VLANIF 101: 10.23.101.3/24

IP address pool for STA              10.23.101.4 to 10.23.101.254/24

IP addresses and port numbers for    IP address: VLANIF 102, 10.23.102.1/24
the active and standby channels      Port number: 10241
of AC1

IP addresses and port numbers for    IP address: VLANIF 102, 10.23.102.2/24
the active and standby channels      Port number: 10241
of AC2


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Configure AC1 and AC2 using the configuration wizard.
– Set up connections between the AP, AC, and other network devices.
– Configure a VRRP group on AC1 and AC2. Configure a higher priority for AC1
than AC2 so that AC1 functions as the master device to forward traffic and AC2
functions as a backup device.
– Configure the hot standby (HSB) function so that service information on AC1 is
backed up to AC2 in batches and in real time, ensuring seamless service switchover
from AC1 to AC2.
– Add APs on AC1 and AC2, and configure WLAN services.
NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Establish a cluster through cluster cards.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA


FAN4 - - Present PowerOn Registered Normal NA


Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5


30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit CAPWAP
packets.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs can communicate directly at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, and add Eth-Trunk 10 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type


[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
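
The check below is an added example, not part of the Huawei document: it parses a CLI transcript in the format shown above and reports trunk ports that still pass VLAN 1, pass VLANs outside the plan, or use the management VLAN as PVID (how this page marks AP-facing ports) without port-isolate enable. Assumptions: VLAN 1 stays allowed on a trunk until it is removed, as the undo port trunk allow-pass vlan 1 lines above imply; the function names and the SwitchX sample are constructed for illustration.

```python
import re

# Prompts as they appear in the page's transcripts:
# "[SwitchA]" (system view) or "[SwitchA-GigabitEthernet0/0/1]" (interface view).
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s*(.+)$")

# SwitchA commands copied from the page (Step 2).
PAGE_SWITCHA = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
"""

# Constructed sample (not from the page): an AP-facing port left half-configured.
CONSTRUCTED_BAD = """\
[SwitchX] interface gigabitethernet 0/0/1
[SwitchX-GigabitEthernet0/0/1] port link-type trunk
[SwitchX-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchX-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[SwitchX-GigabitEthernet0/0/1] quit
"""


def parse_vlans(tokens):
    """Expand VLAN arguments: ['100', '101'], ['100', 'to', '102'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_transcript(text):
    """Return {(device, interface): state} built from interface-view commands."""
    ports = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(2):
            continue  # not a prompt line, or a system-view command
        dev, view, cmd = m.groups()
        st = ports.setdefault((dev, view), {"trunk": False, "pvid": None,
                                            "allowed": set(), "isolated": False})
        words = cmd.split()
        if cmd == "port link-type trunk":
            st["trunk"] = True
            st["allowed"].add(1)  # assumption: VLAN 1 is passed until removed
        elif cmd.startswith("port trunk pvid vlan "):
            st["pvid"] = int(words[-1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            st["allowed"] |= parse_vlans(words[4:])
        elif cmd.startswith("undo port trunk allow-pass vlan "):
            st["allowed"] -= parse_vlans(words[5:])
        elif cmd == "port-isolate enable":
            st["isolated"] = True
    return ports


def audit(text, mgmt_vlan, planned_vlans):
    """Return (device, interface, issue) tuples for every trunk port."""
    findings = []
    for (dev, port), st in sorted(parse_transcript(text).items()):
        if not st["trunk"]:
            continue
        if 1 in st["allowed"] and 1 not in planned_vlans:
            findings.append((dev, port, "VLAN 1 still allowed on trunk"))
        extra = st["allowed"] - planned_vlans - {1}
        if extra:
            findings.append((dev, port, f"unplanned VLANs allowed: {sorted(extra)}"))
        # The page sets the PVID of AP-facing ports to the management VLAN.
        if st["pvid"] == mgmt_vlan and not st["isolated"]:
            findings.append((dev, port, "AP-facing port without port-isolate"))
    return findings


if __name__ == "__main__":
    print(audit(PAGE_SWITCHA, 100, {100, 101}))
    for finding in audit(CONSTRUCTED_BAD, 100, {100, 101}):
        print(finding)
```
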

Step 3 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to Trunk and
add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN).

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool. Expand Advanced. Click to add 10.23.100.2
and 10.23.100.3 to Excluded IP address.

NOTE

Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.

# Repeat the preceding steps to configure an address pool for VLANIF 101. Set the IP
address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.2 and 10.23.101.3 to
Excluded IP address.

# Set the IP address of VLANIF 102 to 10.23.102.1/24.

# Click Next. The AC Backup Configuration page is displayed.


4. Configure AC backup.

# Enable HSB.

# Click Create. The Create VRID page is displayed.

# Create a management VRRP group. Set parameters as follows:


– VLANIF/IP: VLANIF 100
– VRID: 1
– VRRP type: mVRRP group
– Virtual IP address: 10.23.100.3
– Priority: 120


– Preemption delay(s): 1800

# Click OK.

# Configure a service VRRP group in the same way. Set parameters as follows:
– VLANIF/IP: VLANIF 101
– VRID: 2
– VRRP type: VRRP group
– Virtual IP address: 10.23.101.3
– Preemption delay(s): 1800
– VRID of the mVRRP group: 1

# Click OK.

# Configure HSB. Set parameters as follows:


– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Associated VRID: 1


# Click Next. The AC Source Address page is displayed.


5. Configure the source address for AC1.

# Set AC source address to IP address and set the IP address to 10.23.100.3.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs connected to AC1.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.


# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure basic WLAN services on AC1.


1. Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure AC2.


1. Perform basic AC configurations.

# Configure AC2 in the same way as AC1.


2. Configure interfaces.


# Configure interfaces on AC2 in the same way as that on AC1.


3. Configure network interconnections.
# Configure network interconnections on AC2 in the same way as that on AC1. The
differences are as follows:
– Set IP addresses of VLANIF 100, VLANIF 101, and VLANIF 102 to
10.23.100.2/24, 10.23.101.2/24, and 10.23.102.2/24, respectively.
– Add IP addresses 10.23.100.1 and 10.23.100.3 to Excluded IP address of VLANIF
100.
– Add IP addresses 10.23.101.1 and 10.23.101.3 to Excluded IP address of VLANIF
101.
4. Configure AC backup.
# Configure AC backup on AC2 in the same way as that on AC1. The differences are as
follows:
– When configuring VRRP groups, use the default values of Priority and
Preemption delay(s).
– When configuring HSB, set Local AC IP address to 10.23.102.2 and Peer AC IP
address to 10.23.102.1.
5. Configure the source address for AC2.
# Configure the source address for AC2 in the same way as that for AC1.
6. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 7 Add APs on AC2.
The configuration is similar to that on AC1.
Step 8 Configure WLAN services on AC2.
The configuration is similar to that on AC1.
Step 9 Verify the configuration.
1. STAs associated with the AP can find the SSID wlan-net and connect to the WLAN.
2. If the link between the AP and AC1 is disconnected, AC2 becomes the active AC,
ensuring user service continuity.

----End
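
The following consistency check is an added example, not part of the Huawei document: it takes the AC1 and AC2 values from the procedure above and verifies that each AC's DHCP pools exclude the peer's address and the VRRP virtual IP, that the VRRP groups match, that AC1 outranks AC2, and that the HSB channel is mirrored. The dict layout and function names are assumptions of this example, and AC2's priority of 100 stands in for the "default" the page refers to (100 is the VRRP protocol default).

```python
import copy
import ipaddress

# Data plan for AC1 and AC2 as given on the page. The dict layout is an
# assumption of this example; the AC does not export this format.
AC1 = {
    "vlanif": {100: "10.23.100.1/24", 101: "10.23.101.1/24", 102: "10.23.102.1/24"},
    "dhcp_excluded": {100: {"10.23.100.2", "10.23.100.3"},
                      101: {"10.23.101.2", "10.23.101.3"}},
    "vrrp": {100: {"vrid": 1, "vip": "10.23.100.3"},
             101: {"vrid": 2, "vip": "10.23.101.3"}},
    "mvrrp_priority": 120,
    "hsb": {"local": "10.23.102.1", "peer": "10.23.102.2",
            "local_port": 10241, "remote_port": 10241},
}
AC2 = {
    "vlanif": {100: "10.23.100.2/24", 101: "10.23.101.2/24", 102: "10.23.102.2/24"},
    "dhcp_excluded": {100: {"10.23.100.1", "10.23.100.3"},
                      101: {"10.23.101.1", "10.23.101.3"}},
    "vrrp": {100: {"vrid": 1, "vip": "10.23.100.3"},
             101: {"vrid": 2, "vip": "10.23.101.3"}},
    "mvrrp_priority": 100,  # page says "default"; 100 is the VRRP default
    "hsb": {"local": "10.23.102.2", "peer": "10.23.102.1",
            "local_port": 10241, "remote_port": 10241},
}


def own_ips(ac):
    """Addresses configured on the AC's own VLANIF interfaces."""
    return {str(ipaddress.ip_interface(a).ip) for a in ac["vlanif"].values()}


def check_pair(master, backup):
    """Return a list of inconsistencies between the two ACs' plans."""
    problems = []
    for vlan, grp in sorted(master["vrrp"].items()):
        if backup["vrrp"].get(vlan) != grp:
            problems.append(f"VLANIF {vlan}: VRID or virtual IP differs between the ACs")
            continue
        vip = ipaddress.ip_address(grp["vip"])
        for role, ac, other in (("master", master, backup), ("backup", backup, master)):
            iface = ipaddress.ip_interface(ac["vlanif"][vlan])
            if vip not in iface.network:
                problems.append(f"{role} VLANIF {vlan}: virtual IP {vip} outside {iface.network}")
            # A pool that can lease the virtual IP or the peer's address
            # lets a client collide with the gateway after it gets a lease.
            peer_ip = str(ipaddress.ip_interface(other["vlanif"][vlan]).ip)
            leasable = {str(vip), peer_ip} - set(ac["dhcp_excluded"].get(vlan, ()))
            if leasable:
                problems.append(f"{role} VLANIF {vlan}: DHCP pool can lease {sorted(leasable)}")
    if master["mvrrp_priority"] <= backup["mvrrp_priority"]:
        problems.append("mVRRP priority: intended master does not outrank the backup")
    m, b = master["hsb"], backup["hsb"]
    if (m["local"], m["local_port"]) != (b["peer"], b["remote_port"]) or \
       (b["local"], b["local_port"]) != (m["peer"], m["remote_port"]):
        problems.append("HSB channel: local/peer address or port is not mirrored")
    for role, ac in (("master", master), ("backup", backup)):
        if ac["hsb"]["local"] not in own_ips(ac):
            problems.append(f"{role} HSB local address {ac['hsb']['local']} is not a VLANIF address")
    return problems


def constructed_faulty_backup():
    """Constructed variant of AC2: virtual IP not excluded, wrong HSB peer."""
    bad = copy.deepcopy(AC2)
    bad["dhcp_excluded"][100] = {"10.23.100.1"}
    bad["hsb"]["peer"] = "10.23.102.11"
    return bad


if __name__ == "__main__":
    print(check_pair(AC1, AC2))
    for problem in check_pair(AC1, constructed_faulty_backup()):
        print(problem)
```
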

5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
network reliability requirements and tolerate temporary service interruption. To save costs,
a single AC is required to back up all the other ACs. In this scenario, the enterprise can
deploy a high-performance AC at the headquarters as a standby AC to provide backup
services for the active ACs in the branches.


Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-45 Networking for configuring N+1 backup

Data Planning

Table 5-49 AC data planning


Item                            Data
------------------------------  --------------------------------------------------
Management VLAN for APs         AC_1 (primary AC): VLAN 99
                                AC_2 (primary AC): VLAN 100

Service VLAN for STAs           AC_1: VLAN 101
                                AC_2: VLAN 102

DHCP server                     Router_3 functions as a DHCP server to assign IP
                                addresses to APs and STAs.
                                STAs' gateway:
                                • STA_1: 10.23.101.1/24
                                • STA_2: 10.23.102.1/24
                                APs' gateway:
                                • AP_1: 10.23.99.1/24
                                • AP_2: 10.23.100.1/24

IP address pool for APs         AP_1: 10.23.99.2-10.23.99.254/24
                                AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs        STA1: 10.23.101.2-10.23.101.254/24
                                STA2: 10.23.102.2-10.23.102.254/24

AC's source interface           AC_1: VLANIF 201
                                AC_2: VLANIF 202
                                AC_3: VLANIF 203

AC_1's management IP address    VLANIF 201: 10.23.201.1/24

AC_2's management IP address    VLANIF 202: 10.23.202.1/24

AC_3's management IP address    VLANIF 203: 10.23.203.1/24

AP group                        On AC_1 (primary AC):
                                • Name: ap-group1
                                • Referenced profiles: AP system profile
                                  ap-system, VAP profile wlan-net, and
                                  regulatory domain profile default
                                On AC_2 (primary AC):
                                • Name: ap-group2
                                • Referenced profiles: AP system profile
                                  ap-system, VAP profile wlan-net1, and
                                  regulatory domain profile default
                                On AC_3 (backup AC):
                                • Name: ap-group1
                                  – Referenced profiles: AP system profile
                                    ap-system, VAP profile wlan-net, and
                                    regulatory domain profile default
                                • Name: ap-group2
                                  – Referenced profiles: AP system profile
                                    ap-system, VAP profile wlan-net1, and
                                    regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    AC_1:
                                • Name: wlan-net
                                • SSID name: wlan-net
                                AC_2:
                                • Name: wlan-net1
                                • SSID name: wlan-net1
                                AC_3:
                                • Name: wlan-net
                                • SSID name: wlan-net
                                • Name: wlan-net1
                                • SSID name: wlan-net1

Security profile                AC_1, AC_3:
                                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
                                AC_2, AC_3:
                                • Name: wlan-net1
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     AC_1:
                                • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net
                                  and security profile wlan-net
                                AC_2:
                                • Name: wlan-net1
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 102
                                • Referenced profiles: SSID profile wlan-net1
                                  and security profile wlan-net1
                                AC_3:
                                • Name: wlan-net
                                  – Forwarding mode: direct forwarding
                                  – Service VLAN: VLAN 101
                                  – Referenced profiles: SSID profile wlan-net
                                    and security profile wlan-net
                                • Name: wlan-net1
                                  – Forwarding mode: direct forwarding
                                  – Service VLAN: VLAN 102
                                  – Referenced profiles: SSID profile wlan-net1
                                    and security profile wlan-net1

AP system profile               On AC_1:
                                • Name: ap-system
                                  – Primary AC IP address: 10.23.201.1
                                  – Backup AC IP address: 10.23.203.1
                                On AC_2:
                                • Name: ap-system1
                                  – Primary AC IP address: 10.23.202.1
                                  – Backup AC IP address: 10.23.203.1
                                On AC_3:
                                • Name: ap-system
                                  – Primary AC IP address: 10.23.201.1
                                  – Backup AC IP address: 10.23.203.1
                                • Name: ap-system1
                                  – Primary AC IP address: 10.23.202.1
                                  – Backup AC IP address: 10.23.203.1

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the routers and switches to communicate with each other.

# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.

# On Router_3, create VLAN 200 and VLAN 203. Add Eth2/0/0 connected to the network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200 and 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.

# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and set the PVID of GE0/0/1 to
VLAN 100. See Switch_1 for the detailed configuration procedure.


Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP addresses to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit

Step 3 Configure AC_1.


1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 201.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 201 to 10.23.201.1/24.


# Click OK. An address for VLANIF 201 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif201.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287


– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.


# Click Finish.
Step 6 Configure IP addresses for primary ACs and the backup AC on AC_1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The AP
System Profile page is displayed.
3. # Click Create. On the page that is displayed, set Profile name to ap-system and click
OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based, Primary AC IP address to
10.23.201.1, and Backup AC IP address to 10.23.203.1.

5. # Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure AC_2.
The configuration is similar to that on AC_1. The following parameters are different:
• Add GigabitEthernet0/0/1 to VLAN 202.
• Create VLANIF 202 and set its IP address to 10.23.202.1/24.
• Add APs to ap-group2.
• When configuring WLAN services, set the SSID name to wlan-net1 and service VLAN
to 102.
• Set the AP system profile name to ap-system1 and Primary AC IP address to
10.23.202.1.
Set other parameters according to the configuration of AC_1.
Step 8 Configure AC_3.
The configuration is similar to that on AC_1. The following parameters are different:
• Add GigabitEthernet0/0/1 to VLAN 203.
• Create VLANIF 203 and set its IP address to 10.23.203.1/24.
• Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and
ap-group2, respectively.
• When configuring WLAN services on AC_3, choose Configuration > Config Wizard >
Wireless Service and create SSIDs wlan-net and wlan-net1. Set the parameters of
wlan-net to the same values as on AC_1 and the parameters of wlan-net1 to the same
values as on AC_2.
• Create AP system profiles ap-system and ap-system1 in AP groups ap-group1 and
ap-group2, respectively. Set the parameters of ap-system to the same values as on AC_1
and the parameters of ap-system1 to the same values as on AC_2.


Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.


1. Enable N+1 backup on AC_1.

# On AC_1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.

# Set Backup mode to N+1 backup and AC dual-link switchover status to ON.

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Maintenance > AP Maintenance > AP Restart > Restart All to restart all
APs, so that the N+1 backup function can take effect.
NOTE
By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the APs are
restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on AC_1.

Step 10 Verify the configuration.


1. The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online properly.
2. When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the primary
role. This accelerates service recovery.

----End
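
The Option 43 advertisement from Step 2 of the procedure above, and the pool-separation rule in its NOTE, can be checked against a captured DHCP offer. The following Python sketch is an added example, not part of the Huawei guide; it assumes the RFC 2132 encapsulated layout (one-byte code, one-byte length, value) with sub-option 2 carrying packed IPv4 addresses, and its function names and sample offers are constructed for illustration.

```python
import ipaddress

# Sub-option code used on the page: "option 43 sub-option 2 ip-address ...".
SUBOPT_AC_IPV4_LIST = 2

# Per-pool plan taken from Step 2 of the example above (pool network, AC list).
PLAN = {
    "ap_1_pool": {"network": "10.23.99.0/24", "acs": ["10.23.201.1", "10.23.203.1"]},
    "ap_2_pool": {"network": "10.23.100.0/24", "acs": ["10.23.202.1", "10.23.203.1"]},
}


def encode_ac_list(ac_ips):
    """Build an Option 43 payload with one sub-option 2 of packed IPv4 addresses.

    Assumption: code/length/value framing as in RFC 2132 encapsulated options.
    """
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in ac_ips)
    if not 0 < len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([SUBOPT_AC_IPV4_LIST, len(value)]) + value


def decode_suboptions(payload):
    """Split an Option 43 payload into {code: value}; reject malformed input."""
    subopts, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        pos += 2
        if pos + length > len(payload):
            raise ValueError(f"sub-option {code} claims {length} bytes, "
                             f"only {len(payload) - pos} left")
        if code in subopts:
            raise ValueError(f"sub-option {code} repeated")
        subopts[code] = payload[pos:pos + length]
        pos += length
    return subopts


def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 2, in advertised order."""
    value = decode_suboptions(payload).get(SUBOPT_AC_IPV4_LIST, b"")
    if len(value) % 4:
        raise ValueError("sub-option 2 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]


def check_offer(offered_ip, option43):
    """Compare one DHCP offer made to an AP with the plan; return findings."""
    addr = ipaddress.IPv4Address(offered_ip)
    pool = next((name for name, p in PLAN.items()
                 if addr in ipaddress.IPv4Network(p["network"])), None)
    if pool is None:
        return [f"{offered_ip} is outside every planned AP pool"]
    try:
        seen = advertised_acs(option43)
    except ValueError as exc:
        return [f"{pool}: malformed Option 43: {exc}"]
    planned = PLAN[pool]["acs"]
    findings = [f"{pool}: unexpected AC {ip}" for ip in seen if ip not in planned]
    findings += [f"{pool}: planned AC {ip} not advertised"
                 for ip in planned if ip not in seen]
    return findings


if __name__ == "__main__":
    # Constructed offers: (address offered to the AP, Option 43 payload).
    offers = [
        ("10.23.99.20", encode_ac_list(["10.23.201.1", "10.23.203.1"])),   # as planned
        ("10.23.99.21", encode_ac_list(["10.23.202.1", "10.23.203.1"])),   # wrong pool's ACs
        ("10.23.100.7", bytes.fromhex("02080a17ca01")),                    # truncated value
    ]
    for ip, payload in offers:
        print(ip, payload.hex(), check_offer(ip, payload) or "OK")
```

An offer in the ap_1_pool range that lists 10.23.202.1 is the shared-pool condition the NOTE rules out, and an AC address outside the plan in any offer is worth investigating as a possible unauthorized DHCP server.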

5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment)

Service Requirements
In public places where a large number of users are spread over a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access services. These
are value-added services with low network reliability requirements, and temporary service
interruption is acceptable. To save costs, one AC is required to serve as the backup of all
the other ACs. To meet this requirement, build an N+1 backup wireless LAN, which provides
reliable services while reducing device purchase costs. ACs of different models can work in
N+1 backup mode, but the ACs must run the same version.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-46 Networking for configuring N+1 backup

Data Planning

Table 5-50 AC data planning


Item: Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs:
    VLAN 101
    VLAN 102

DHCP server: Switch_1 functions as a DHCP server to assign IP addresses to APs and STAs.
    STAs' gateway:
    • 10.23.101.1/24
    • 10.23.102.1/24
    APs' gateway: 10.23.100.1/24

IP address pool for APs: 10.23.100.5-10.23.100.254/24

IP address pool for STAs:
    STA1: 10.23.101.3-10.23.101.254/24
    STA2: 10.23.102.3-10.23.102.254/24

AC's source interface: VLANIF 100

AC_1's management IP address: VLANIF 100: 10.23.100.2/24

AC_2's management IP address: VLANIF 100: 10.23.100.3/24

AC_3's management IP address: VLANIF 100: 10.23.100.4/24

AP group:
    On AC_1 (primary AC):
    • Name: ap-group1
    • Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and
      regulatory domain profile default
    On AC_2 (primary AC):
    • Name: ap-group2
    • Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1, and
      regulatory domain profile default
    On AC_3 (backup AC):
    • Name: ap-group1
      – Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and
        regulatory domain profile default
    • Name: ap-group2
      – Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1, and
        regulatory domain profile default

Regulatory domain profile:
    • Name: default
    • Country code: China

SSID profile:
    AC_1:
    • Name: wlan-net
    • SSID name: wlan-net
    AC_2:
    • Name: wlan-net1
    • SSID name: wlan-net1
    AC_3:
    • Names: wlan-net and wlan-net1
    • SSID names: wlan-net and wlan-net1

Security profile:
    AC_1:
    • Name: wlan-net
    • Security policy: WPA-WPA2+PSK+AES
    • Password: a1234567
    AC_2:
    • Name: wlan-net1
    • Security policy: WPA-WPA2+PSK+AES
    • Password: a1234567
    AC_3:
    • Name: wlan-net
      – Security policy: WPA-WPA2+PSK+AES
      – Password: a1234567
    • Name: wlan-net1
      – Security policy: WPA-WPA2+PSK+AES
      – Password: a1234567

VAP profile:
    AC_1:
    • Name: wlan-net
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 101
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net
    AC_2:
    • Name: wlan-net1
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 102
    • Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
    AC_3:
    • Name: wlan-net
      – Forwarding mode: direct forwarding
      – Service VLAN: VLAN 101
      – Referenced profiles: SSID profile wlan-net and security profile wlan-net
    • Name: wlan-net1
      – Forwarding mode: direct forwarding
      – Service VLAN: VLAN 102
      – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

AP system profile:
    On AC_1:
    • Name: ap-system
      – Primary AC IP address: 10.23.100.2
      – Backup AC IP address: 10.23.100.4
    On AC_2:
    • Name: ap-system1
      – Primary AC IP address: 10.23.100.3
      – Backup AC IP address: 10.23.100.4
    On AC_3:
    • Name: ap-system
      – Primary AC IP address: 10.23.100.2
      – Backup AC IP address: 10.23.100.4
    • Name: ap-system1
      – Primary AC IP address: 10.23.100.3
      – Backup AC IP address: 10.23.100.4

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.


2. Configure AC_1 and AC_2 as the primary ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the backup AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the primary ACs first and then on the backup AC. When N+1
backup is enabled, all APs are restarted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the switches to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit

Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit

Step 3 Configure AC_1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.


# Click OK. An address for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Add APs on AC_1.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure IP addresses for primary ACs and the backup AC on AC_1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The AP
System Profile page is displayed.
3. # Click Create. On the page that is displayed, set Profile name to ap-system and click
OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based, Primary AC IP address to
10.23.100.2, and Backup AC IP address to 10.23.100.4.

5. # Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure basic WLAN services and the IP addresses for primary ACs and the backup AC on
AC_2.
The configuration is similar to that on AC_1. The following parameters are different:
• Set the IP address of VLANIF 100 to 10.23.100.3/24.
• Add APs to ap-group2.
• Set the SSID name to wlan-net1 and service VLAN to 102.
• Set the AP system profile name to ap-system1 and Primary AC IP address to
10.23.100.3.
Set other parameters according to the configuration of AC_1.


Step 8 Configure basic WLAN services and IP address of the backup AC for AC_3.
The configuration is similar to that on AC_1. The following parameters are different:
• Set the IP address of VLANIF 100 to 10.23.100.4/24.
• Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and
ap-group2, respectively.
• When configuring WLAN services on AC_3, choose Configuration > Config Wizard >
Wireless Service and create SSIDs wlan-net and wlan-net1. Set the parameters of
wlan-net to the same values as on AC_1 and the parameters of wlan-net1 to the same
values as on AC_2.
• Create AP system profiles ap-system and ap-system1 in AP groups ap-group1 and
ap-group2, respectively. Set the parameters of ap-system to the same values as on AC_1
and the parameters of ap-system1 to the same values as on AC_2.
Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.
1. Enable N+1 backup on AC_1.
# On AC_1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.
# Set Backup mode to N+1 backup and AC dual-link switchover status to ON.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Maintenance > AP Maintenance > AP Restart > Restart All to restart all
APs, so that the N+1 backup function can take effect.
NOTE
By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the APs are
restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on AC_1.
Step 10 Verify the configuration.
1. The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online properly.
2. When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the primary
role. This accelerates service recovery.

----End
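
The Configuration Notes above call for port isolation on the switch interfaces facing APs, and Step 1 sets the management VLAN as the PVID only on those interfaces. The following Python sketch is an added example, not part of the Huawei guide: it audits a CLI transcript in the page's format for AP-facing trunks that lack port-isolate enable or carry VLANs outside the plan. Treating "PVID equals the management VLAN" as the marker of an AP-facing port is an assumption drawn from this example's topology; the function names and the drifted transcript are constructed.

```python
import re

# Interface-view prompt, e.g. "[Switch_2-GigabitEthernet0/0/1] port-isolate enable".
IF_PROMPT = re.compile(r"^\[(?P<dev>\w+)-(?P<ifname>[A-Za-z]+[\d/]+)\]\s+(?P<cmd>\S.*)$")
ALLOW_PASS = "port trunk allow-pass vlan "
PVID = "port trunk pvid vlan "

# Switch_2 interface configuration as given in Step 1 of the example above.
PAGE_SWITCH_2 = """\
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit
"""

# Constructed variant: GE0/0/2 lost port isolation and passes an extra service VLAN.
DRIFTED_SWITCH_2 = """\
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
"""

# VLANs the data plan allows on each AP-facing port (management + that AP's service VLAN).
PLANNED = {
    "GigabitEthernet0/0/1": {100, 101},
    "GigabitEthernet0/0/2": {100, 102},
}


def parse_vlans(spec):
    """Expand a VLAN list such as '100 to 102' or '100 102' into a set of IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def load_interfaces(transcript):
    """Return {interface name: [commands]} for every interface-view line."""
    interfaces = {}
    for line in transcript.splitlines():
        m = IF_PROMPT.match(line.strip())
        if m and m["cmd"] != "quit":
            interfaces.setdefault(m["ifname"], []).append(m["cmd"])
    return interfaces


def audit_ap_ports(transcript, mgmt_vlan, planned):
    """List AP-facing ports without port isolation or with unplanned VLANs."""
    findings = []
    for ifname, cmds in load_interfaces(transcript).items():
        pvid, allowed = None, set()
        for cmd in cmds:
            if cmd.startswith(PVID):
                pvid = int(cmd.split()[-1])
            elif cmd.startswith(ALLOW_PASS):
                allowed |= parse_vlans(cmd[len(ALLOW_PASS):])
        if pvid != mgmt_vlan:
            continue  # assumption: only AP-facing ports use the management VLAN as PVID
        if "port-isolate enable" not in cmds:
            findings.append(f"{ifname}: port isolation not enabled")
        extra = allowed - planned.get(ifname, allowed)
        if extra:
            findings.append(f"{ifname}: unplanned VLANs {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_SWITCH_2), ("drifted", DRIFTED_SWITCH_2)):
        print(label, audit_ap_ports(text, 100, PLANNED) or "OK")
```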


5.9 Roaming Configuration Examples


5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. To manage departments separately, employees are assigned to different
subnets by department. In addition, users' services are not affected when they roam within
the coverage area.

Networking Requirement
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 5-47 Networking for configuring inter-VLAN Layer 3 roaming

Data Planning

Table 5-51 AC data planning

Item: Data

Management VLANs for APs: VLAN 10 and VLAN 100

Service VLAN for STAs:
    • area_1: VLAN 101
    • area_2: VLAN 102

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
    The aggregation switch functions as a DHCP server for STAs. The default
    gateway IP addresses of STAs are 10.23.101.2/24 and 10.23.102.2/24.

IP address pool for APs: 10.23.10.2-10.23.10.254/24

IP address pool for STAs:
    • area_1: 10.23.101.3-10.23.101.254/24
    • area_2: 10.23.102.3-10.23.102.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
    • Name: ap-group1
    • Referenced profiles: VAP profile wlan-net, regulatory domain profile default,
      2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

    • Name: ap-group2
    • Referenced profiles: VAP profile wlan-net2, regulatory domain profile default,
      2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile:
    • Name: default
    • Country code: China
    • Calibration channel set: calibration bandwidth and channels for 2.4 GHz and
      5 GHz radios

SSID profile:
    • Name: wlan-net
    • SSID name: wlan-net

Security profile:
    • Name: wlan-net
    • Security policy: WPA-WPA2+PSK+AES
    • Password: a1234567

VAP profile:
    • Name: wlan-net
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 101
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net

    • Name: wlan-net2
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 102
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile:
    • Name: wlan-airscan
    • Probe channel set: calibration channels
    • Air scan interval: 60000 ms
    • Air scan period: 60 ms

RRM profile:
    • Name: wlan-rrm
    • Automatic channel calibration: enabled
    • Automatic power calibration: enabled

2G radio profile:
    • Name: wlan-radio2g
    • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

5G radio profile:
    • Name: wlan-radio5g
    • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN 102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
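
The port-isolation note above can be checked mechanically against a captured CLI session. The following is an added example, not part of the Huawei document: it parses a session such as the SwitchA one in Step 1 and flags AP-facing trunk ports that lack port isolation or that carry VLANs outside the data plan. Treating a trunk whose PVID equals the AP management VLAN as AP-facing is an assumption taken from this example's topology, and the function names are hypothetical.

```python
import re

# Constructed sample: the SwitchA session from Step 1, except that
# "port-isolate enable" is deliberately missing under GigabitEthernet0/0/3.
SWITCHA_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Interface-view prompt, e.g. "[SwitchA-GigabitEthernet0/0/1] port link-type trunk".
IFACE_LINE = re.compile(r"^\[\S+?-(GigabitEthernet[\d/]+)\]\s+(.+)$")

NO_ISOLATION = "AP-facing port without port-isolate enable"
UNPLANNED_VLANS = "trunk allows VLANs outside the data plan"


def parse_vlans(tokens):
    """Expand the arguments of 'port trunk allow-pass vlan' into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            # Range form: "<first> to <last>".
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_session(text):
    """Return {interface: settings} from the interface-view lines of a CLI session."""
    ports = {}
    for line in text.splitlines():
        match = IFACE_LINE.match(line.strip())
        if not match:
            continue  # system-view lines, VLANIF views and output are ignored
        name, words = match.group(1), match.group(2).split()
        port = ports.setdefault(
            name, {"link_type": None, "pvid": None, "allowed": set(), "isolated": False})
        if words[:2] == ["port", "link-type"] and len(words) == 3:
            port["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolated"] = True
        elif words == ["undo", "port-isolate", "enable"]:
            port["isolated"] = False
    return ports


def audit(ports, mgmt_vlan, planned_vlans):
    """List (interface, finding) pairs for trunk ports that deviate from the notes."""
    findings = []
    for name, port in ports.items():
        if port["link_type"] != "trunk":
            continue
        # Assumption: a trunk whose PVID is the AP management VLAN faces an AP.
        if port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append((name, NO_ISOLATION))
        if port["allowed"] - set(planned_vlans):
            findings.append((name, UNPLANNED_VLANS))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_session(SWITCHA_SESSION), 10, {10, 101, 102}):
        print(f"{name}: {finding}")
```
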

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
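
In this Layer 3 networking the APs in VLAN 10 learn the AC address from Option 43 of the DHCP offer, so the value set in the global address pool is worth verifying in captured offers. The following is an added example, not part of the Huawei document: it encodes and decodes the option and compares an offer with the planned AC address 10.23.100.1. The sub-option layout (type 3 with an ASCII value) is an assumption, since the page only states "ASCII", and the function names are hypothetical.

```python
import ipaddress

# Assumption (not stated on the page): the option is a sequence of
# type/length/value sub-options, and sub-option 3 carries the AC address
# list as comma-separated ASCII text.
AC_ASCII_SUBOPTION = 3


def encode_option43(ac_addresses):
    """Build the Option 43 payload that advertises the given AC addresses."""
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses)
    value = text.encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("AC address list must fit in one sub-option")
    return bytes([AC_ASCII_SUBOPTION, len(value)]) + value


def decode_option43(payload):
    """Return the AC addresses found in sub-option 3 of an Option 43 payload."""
    addresses, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        kind, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the end of the option")
        if kind == AC_ASCII_SUBOPTION:
            # Invalid text or addresses raise ValueError subclasses.
            for item in value.decode("ascii").split(","):
                addresses.append(ipaddress.IPv4Address(item.strip()))
        pos += 2 + length
    return addresses


def check_offer(payload, expected_acs):
    """Compare the Option 43 payload of a DHCP offer with the planned AC addresses."""
    expected = {ipaddress.IPv4Address(a) for a in expected_acs}
    try:
        offered = set(decode_option43(payload))
    except ValueError as exc:
        return [f"malformed Option 43: {exc}"]
    findings = []
    for addr in sorted(offered - expected):
        # APs receiving this offer would try to join a controller outside the plan.
        findings.append(f"unexpected AC address {addr}")
    for addr in sorted(expected - offered):
        findings.append(f"planned AC address {addr} not advertised")
    return findings


if __name__ == "__main__":
    planned = ["10.23.100.1"]                       # AC source address from the data plan
    good_offer = encode_option43(planned)
    odd_offer = encode_option43(["10.23.10.99"])    # constructed deviating offer
    print(good_offer.hex(), check_offer(good_offer, planned))
    print(odd_offer.hex(), check_offer(odd_offer, planned))
```
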

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs. In this example, add
area_1 and area_2 to ap-group1 and ap-group2, respectively.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to Single
VLAN, and Service VLAN ID to 101.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.

# In the AP group list, click ap-group2. Click VAP Configuration. On the VAP Profile List
page, click Create. On the page that is displayed, create the VAP profile wlan-net2 and click
OK.

# In the VAP profile list, click wlan-net2. On the VAP profile configuration page, set Service
VLAN to Single VLAN and Service VLAN ID to 102, and click Apply. In the dialog box
that is displayed, click OK.


# Click in front of wlan-net2. The profiles referenced by the VAP profile are displayed.

# Click SSID Profile. On the SSID profile configuration page that is displayed, set SSID
Profile to wlan-net and click Apply. In the dialog box that is displayed, click OK.

# Click Security Profile. On the security profile configuration page that is displayed, set
Security Profile to wlan-net and click Apply. In the dialog box that is displayed, click OK.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End


5.9.2 Example for Configuring Intra-VLAN Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirement
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-48 Networking for configuring intra-VLAN roaming


Data Planning

Table 5-52 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, 2G radio profile wlan-radio2g, and 5G radio
                                  profile wlan-radio5g

Regulatory domain profile       • Name: default
                                • Country code: CN
                                • Calibration channel set: calibration bandwidth and channels
                                  for 2.4 GHz and 5 GHz radios

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Air scan profile                • Name: wlan-airscan
                                • Probe channel set: calibration channels
                                • Air scan interval: 60000 ms
                                • Air scan period: 60 ms

2G radio profile                • Name: wlan-radio2g
                                • Referenced profiles: air scan profile wlan-airscan

5G radio profile                • Name: wlan-radio5g
                                • Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.


# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.

3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.


# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.

# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.

# Click Immediate Calibration. In the dialog box that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.


# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

5.9.3 Example for Configuring Inter-AC Layer 2 Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-49 Networking for configuring inter-AC Layer 2 roaming

Data Planning

Table 5-53 AC data planning


Item                            Data

DHCP server                     AC_1 functions as a DHCP server to allocate IP addresses to APs
                                and STAs.

IP address pool for APs         10.23.100.3-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24
                                • AC_1: 10.23.100.1/24
                                • AC_2: 10.23.100.2/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, 2G radio profile wlan-radio2g, and 5G radio
                                  profile wlan-radio5g

Regulatory domain profile       • Name: default
                                • Country code: CN
                                • Calibration channel set: calibration bandwidth and channels
                                  for 2.4 GHz and 5 GHz radios

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Air scan profile                • Name: wlan-airscan
                                • Probe channel set: calibration channels
                                • Air scan interval: 60000 ms
                                • Air scan period: 60 ms

2G radio profile                • Name: wlan-radio2g
                                • Referenced profiles: air scan profile wlan-airscan

5G radio profile                • Name: wlan-radio5g
                                • Referenced profiles: air scan profile wlan-airscan

Mobility group                  • Name: mobility
                                • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for AC_1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLANs
100 and 101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool. Exclude the IP address 10.23.100.2 from being
automatically allocated.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. Exclude the IP address
10.23.101.2 from being automatically allocated.

NOTE

Configure the DNS server address as required.

# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure system parameters for AC_2.
Configure AC_2 according to the configuration of AC_1. The following lists configuration
differences between AC_1 and AC_2.
• Set the IP addresses of VLANIF 100 and VLANIF 101 to 10.23.100.2/24 and
10.23.101.2/24 respectively.
• Do not configure the DHCP address pool.
Step 4 Configure an AP to go online on AC_1.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure an AP to go online on AC_2.
Configure the AP to go online on AC_2 according to the configuration of AC_1. The
following lists configuration differences between AC_1 and AC_2:
• Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078) on AC_2,
set the AP name to area_2, and add the AP to the AP group ap-group1.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
Click Finish.
Step 7 Configure WLAN services on AC_2.
The configuration for WLAN services on AC_2 is similar to that on AC_1.
Step 8 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.


NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.

# Click Immediate Calibration. In the dialog box that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.

# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Configure WLAN roaming on AC_1.


1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The Inter-
AC Roaming page is displayed.

2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the mobility group.

Click OK. The Inter-AC Roaming page is displayed.


3. Click Apply. In the dialog box that is displayed, click OK.
Step 10 Configure WLAN roaming on AC_2.
The configuration is similar to that of AC_1 and is not mentioned here.
Step 11 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

5.9.4 Example for Configuring Inter-AC Layer 3 Roaming


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. To differentiate department management, employees are assigned different
subnets by department. Furthermore, users' services are not affected during roaming in the
coverage area.

Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode:
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
– AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
• Service data forwarding mode: direct forwarding

Figure 5-50 Networking for configuring inter-AC Layer 3 roaming

Data Planning

Table 5-54 AC data planning


Item                              Data

DHCP server                       AC_1 functions as a DHCP server to assign IP addresses to STAs and APs
                                  connected to it.
                                  AC_2 functions as a DHCP server to assign IP addresses to STAs and APs
                                  connected to it.

IP address pool for APs           10.23.100.2-10.23.100.254/24
                                  10.23.200.2-10.23.200.254/24

IP address pool for STAs          10.23.101.2-10.23.101.254/24
                                  10.23.102.2-10.23.102.254/24

AC_1's source interface address   VLANIF 100: 10.23.100.1/24

AC_2's source interface address   VLANIF 200: 10.23.200.1/24

AP group                          AC_1:
                                  • Name: ap-group1
                                  • Referenced profiles: VAP profile wlan-net and regulatory domain profile
                                    default
                                  AC_2:
                                  • Name: ap-group2
                                  • Referenced profiles: VAP profile wlan-net and regulatory domain profile
                                    default

Regulatory domain profile         • Name: default
                                  • Country code: China
                                  • Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                                    and 5 GHz radios

SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net

Security profile                  • Name: wlan-net
                                  • Security policy: WPA-WPA2+PSK+AES
                                  • Password: a1234567

VAP profile                       AC_1:
                                  • Name: wlan-net
                                  • Forwarding mode: direct forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profiles: SSID profile wlan-net and security profile wlan-net
                                  AC_2:
                                  • Name: wlan-net
                                  • Forwarding mode: direct forwarding
                                  • Service VLAN: VLAN 102
                                  • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile                  • Name: wlan-airscan
                                  • Probe channel set: calibration channels
                                  • Air scan interval: 60000 ms
                                  • Air scan period: 60 ms

RRM profile                       • Name: wlan-rrm
                                  • Automatic channel calibration: enabled
                                  • Automatic power calibration: enabled

2G radio profile                  • Name: wlan-radio2g
                                  • Referenced profiles: air scan profile wlan-airscan and RRM profile
                                    wlan-rrm

5G radio profile                  • Name: wlan-radio5g
                                  • Referenced profiles: air scan profile wlan-airscan and RRM profile
                                    wlan-rrm

Mobility group                    • Name: mobility
                                  • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit

# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for AC_1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
100 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.200.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure system parameters for AC_2.

Configure AC_2 according to the configuration of AC_1. The following lists configuration
differences between AC_1 and AC_2.
• Create VLAN 200 and VLAN 102 on AC_2 and add GigabitEthernet0/0/1 to the two
VLANs in tagged mode.
• Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode.
• Set the IP addresses of VLANIF 200 and VLANIF 102 to 10.23.200.1/24 and
10.23.102.1/24 respectively.
• Configure an IP address pool on VLANIF 200 and VLANIF 102.
• Configure the route between AC_2 and AC_1 on AC_2 with the destination address
10.23.100.0/24 and next-hop address 10.23.200.2.
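
The following Python check is an added example, not part of the Huawei document. It encodes the AC addressing of 5.9.3 (Table 5-53) and 5.9.4 (Table 5-54) and verifies the tunnel-forwarding VLAN rule from the Configuration Notes, the DHCP exclusions of 5.9.3 Step 2, and the static routes of 5.9.4 Steps 2 and 3. The AC class and check_plan are hypothetical names, and it is an assumption here that mobility-group members must reach each other at their AC source addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AC:
    """One access controller of the data plan (hypothetical helper type)."""
    name: str
    forwarding: str          # "tunnel" or "direct"
    mgmt_vlan: int
    service_vlan: int
    vlanifs: dict            # VLAN ID -> "address/prefix" of the VLANIF
    source_vlan: int         # VLANIF selected as AC source address
    pool_vlans: tuple = ()   # VLANIFs whose DHCP type is "Interface address pool"
    excluded: tuple = ()     # addresses excluded from automatic allocation
    routes: tuple = ()       # static routes as (destination, next hop)

    def iface(self, vlan):
        return ipaddress.ip_interface(self.vlanifs[vlan])

    def connected(self, ip):
        """True if ip lies in a subnet attached to one of the VLANIFs."""
        return any(ip in self.iface(v).network for v in self.vlanifs)

    def reaches(self, ip):
        """Connected, or covered by a static route whose next hop is connected."""
        return self.connected(ip) or any(
            ip in ipaddress.ip_network(dst)
            and self.connected(ipaddress.ip_address(hop))
            for dst, hop in self.routes)


def check_plan(acs):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for ac in acs:
        peers = [p for p in acs if p is not ac]
        # Configuration Notes: tunnel forwarding needs distinct VLANs.
        if ac.forwarding == "tunnel" and ac.mgmt_vlan == ac.service_vlan:
            findings.append(
                f"{ac.name}: management VLAN equals service VLAN in tunnel forwarding")
        # An interface address pool covers the whole VLANIF subnet, so a peer
        # AC's static address inside it has to be excluded from allocation.
        for vlan in ac.pool_vlans:
            net = ac.iface(vlan).network
            for peer in peers:
                for addr in peer.vlanifs.values():
                    ip = ipaddress.ip_interface(addr).ip
                    if ip in net and str(ip) not in ac.excluded:
                        findings.append(
                            f"{ac.name}: {ip} of {peer.name} is inside the "
                            f"VLANIF {vlan} pool but not excluded")
        # Assumption: mobility-group members are reached at their source address.
        for peer in peers:
            src = peer.iface(peer.source_vlan).ip
            if not ac.reaches(src):
                findings.append(
                    f"{ac.name}: no connected subnet or usable static route "
                    f"to {peer.name} ({src})")
    return findings


# 5.9.3, Layer 2 roaming with tunnel forwarding (values from Table 5-53).
L2_PLAN = [
    AC("AC_1", "tunnel", 100, 101,
       {100: "10.23.100.1/24", 101: "10.23.101.1/24"}, 100,
       pool_vlans=(100, 101), excluded=("10.23.100.2", "10.23.101.2")),
    AC("AC_2", "tunnel", 100, 101,
       {100: "10.23.100.2/24", 101: "10.23.101.2/24"}, 100),
]

# 5.9.4, Layer 3 roaming with direct forwarding (values from Table 5-54).
L3_PLAN = [
    AC("AC_1", "direct", 100, 101,
       {100: "10.23.100.1/24", 101: "10.23.101.1/24"}, 100,
       pool_vlans=(100, 101), routes=(("10.23.200.0/24", "10.23.100.2"),)),
    AC("AC_2", "direct", 200, 102,
       {200: "10.23.200.1/24", 102: "10.23.102.1/24"}, 200,
       pool_vlans=(200, 102), routes=(("10.23.100.0/24", "10.23.200.2"),)),
]

if __name__ == "__main__":
    for label, plan in (("5.9.3", L2_PLAN), ("5.9.4", L3_PLAN)):
        print(label, check_plan(plan) or "consistent")
```

Both plans pass as documented; dropping the two exclusions on AC_1 in 5.9.3, or either static route in 5.9.4, produces a finding that names the affected AC.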

Step 4 Configure an AP to go online on AC_1.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure an AP to go online on AC_2.
Configure the AP to go online on AC_2 according to the configuration of AC_1. The
following lists configuration differences between AC_1 and AC_2:
• Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078) on AC_2,
set the AP name to area_2, and add the AP to the AP group ap-group2.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to Single
VLAN, and Service VLAN ID to 101.

Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
Click Finish.
Step 7 Configure WLAN services on AC_2.
Configure WLAN services on AC_2 according to the configuration of AC_1. The following
lists the configuration difference between AC_1 and AC_2:
• In the VAP profile wlan-net, set the service VLAN to VLAN 102.
Step 8 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic channel and
power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 9 Configure WLAN roaming on AC_1.
1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The Inter-
AC Roaming page is displayed.

2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the mobility group.

Click OK. The Inter-AC Roaming page is displayed.


3. Click Apply. In the dialog box that is displayed, click OK.
Step 10 Configure WLAN roaming on AC_2.
The configuration is similar to that of AC_1 and is not mentioned here.
Step 11 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End


5.9.5 Example for Configuring Agile Distributed SFN Roaming


Service Requirements
A hospital wants to deploy an agile distributed WLAN to provide WLAN access to doctors
and nurses, meeting their basic office requirements. The administrator requires that STA
roaming within the coverage area not be perceived by STAs and not interrupt services.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to the central AP and RUs.
  – SwitchA functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-51 Networking for configuring agile distributed SFN roaming


Data Planning

Table 5-55 AC data planning

| Item | Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to the central AP and RUs. SwitchA functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for the central AP and RUs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP Profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Working channel of RUs | ru_1: channel 6; ru_2: channel 6 |
| Agile distributed SFN roaming | Enabled |


Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central AP and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure agile distributed SFN roaming.
6. Deliver the WLAN services to the central AP and RUs and verify the configuration.

Configuration Notes
• Network planning precautions:
  – Agile distributed SFN roaming is supported only by the AD9430DN-12 (including matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile distributed SFN roaming in the following combination modes:
    ▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D and R240D supports agile distributed SFN roaming; the 5 GHz radio does not support it.)
    ▪ Among the R250D, R250D-E, R251D, R251D-E and R450D
  – For the central AP, after agile distributed SFN roaming is enabled, the total number of agile distributed SFN roaming STAs on a single frequency band (2.4 GHz or 5 GHz) of all RUs does not exceed 128, and that of STAs associated with other VAPs on the same band does not exceed 128.
  – After agile distributed SFN roaming is enabled, configure all RUs to work on the same channel. When agile distributed SFN roaming is enabled on the 5 GHz frequency band, configure non-radar channels.
  – RUs involved in roaming must be associated with the same central AP. Agile distributed SFN roaming between central APs is not supported.
  – Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed SFN roaming is not performed on Layer 3.
• Configuration precautions:
  – When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5 GHz radios, it is recommended that different SSIDs be used. Otherwise, the radio switchover may occur, affecting user experience.
  – Agile distributed SFN roaming can be enabled only on one VAP of a radio. If multiple VAPs are configured on a radio, it is recommended that the total VAP rate limit on all VAPs with agile distributed SFN roaming disabled be set to 5 Mbit/s.
  – Radios enabled with agile distributed SFN roaming do not support channel scanning, channel calibration, or smart roaming.
  – Agile distributed SFN roaming can be configured based only on AP groups but not based on APs.
  – RUs involved in agile distributed SFN roaming must have the same configuration for the following items:
    ▪ SSID
    ▪ VAP profile and VAP ID
    ▪ Security policy. Agile distributed SFN roaming supports these encryption modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X (EAP authentication), WPA2+802.1X (EAP authentication), WPA-WPA2+802.1X (EAP authentication), and Portal+PSK.
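The precautions above can be checked against a planned deployment before SFN is switched on. The following Python check is an added example, not Huawei code; the SfnRadio record layout, the central AP model, RU model and VAP ID in the sample plan, and the radar (DFS) channel set are assumptions to adjust to your own planning data and regulatory domain.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Values taken from the Configuration Notes above.
CENTRAL_APS = {"AD9430DN-12", "AD9430DN-24"}
RU_FAMILIES = [{"R230D", "R240D"},
               {"R250D", "R250D-E", "R251D", "R251D-E", "R450D"}]
RUS_2G_ONLY = {"R230D", "R240D"}          # only their 2.4 GHz radio supports SFN
SECURITY_POLICIES = {"WPA+PSK", "WPA2+PSK", "WPA-WPA2+PSK", "WPA+802.1X",
                     "WPA2+802.1X", "WPA-WPA2+802.1X", "Portal+PSK"}
MAX_SFN_STAS_PER_BAND = 128
# Assumption (not from the page): 5 GHz channels 52-64 and 100-144 require radar
# detection (DFS). Replace with the list for your regulatory domain.
RADAR_CHANNELS_5G = set(range(52, 65, 4)) | set(range(100, 145, 4))
# Items that must be identical on every RU taking part in SFN roaming.
MUST_MATCH = ("central_ap", "channel", "ssid", "vap_profile", "vap_id", "security")


@dataclass(frozen=True)
class SfnRadio:
    """One RU radio with SFN enabled (hypothetical record layout)."""
    ru: str
    model: str
    central_ap: str
    band: str                      # "2.4G" or "5G"
    channel: int
    ssid: str
    vap_profile: str
    vap_id: int
    security: str
    auto_calibration: bool = False
    smart_roaming: bool = False


def check_sfn_plan(central_ap_model, radios, stas_per_band):
    """Return the list of violated precautions; an empty list means the plan passes."""
    problems = []
    if central_ap_model not in CENTRAL_APS:
        problems.append(f"central AP {central_ap_model} does not support SFN roaming")
    models = {r.model for r in radios}
    if not any(models <= family for family in RU_FAMILIES):
        problems.append(f"RU models {sorted(models)} are not a supported combination")

    by_band = defaultdict(list)
    for radio in radios:
        by_band[radio.band].append(radio)
    for band, group in sorted(by_band.items()):
        if stas_per_band.get(band, 0) > MAX_SFN_STAS_PER_BAND:
            problems.append(f"{band}: more than {MAX_SFN_STAS_PER_BAND} SFN STAs planned")
        for attr in MUST_MATCH:
            values = sorted({str(getattr(r, attr)) for r in group})
            if len(values) > 1:
                problems.append(f"{band}: {attr} differs across RUs: {values}")
        for r in group:
            if band == "5G" and r.model in RUS_2G_ONLY:
                problems.append(f"{r.ru}: {r.model} supports SFN on 2.4 GHz only")
            if band == "5G" and r.channel in RADAR_CHANNELS_5G:
                problems.append(f"{r.ru}: channel {r.channel} is a radar channel")
            if r.security not in SECURITY_POLICIES:
                problems.append(f"{r.ru}: security policy {r.security} not supported")
            if r.auto_calibration or r.smart_roaming:
                problems.append(f"{r.ru}: calibration/smart roaming must be off")
    if len(by_band) > 1 and len({r.ssid for r in radios}) == 1:
        problems.append("2.4G and 5G SFN radios share one SSID; use different SSIDs")
    return problems


# Plan from this example (ru_1 and ru_2 on channel 6, SSID wlan-net). The central AP
# model, RU model and VAP ID are constructed values; the page does not state them.
RU_1 = SfnRadio("ru_1", "R250D", "central_AP", "2.4G", 6,
                "wlan-net", "wlan-net", 1, "WPA-WPA2+PSK")
PAGE_PLAN = [RU_1, replace(RU_1, ru="ru_2")]
# Constructed faulty plan: ru_2 left on another channel with calibration still on.
BAD_PLAN = [RU_1, replace(RU_1, ru="ru_2", channel=11, auto_calibration=True)]

if __name__ == "__main__":
    for name, plan in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        print(name, check_sfn_plan("AD9430DN-24", plan, {"2.4G": 60}) or "OK")
```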

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to VLAN 100, and
add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/4] quit

# Configure an IP address for GE1/0/0 on Router.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.2 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchA, configure VLANIF 101 to assign IP addresses to STAs, and configure a
default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.


# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1, and Valid radio to 0.

# Click Finish.

Step 6 Configure the RU channel and power.


NOTE

The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click AP ID 1. The AP customized settings page for ru_1 is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the automatic
channel and power calibration functions, and set the channel to 20-MHz channel 6 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.


# Disable the automatic channel and power calibration functions for ru_2, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm. The configuration is the same as
that for ru_1 and is not described here.
Step 7 Enable agile distributed SFN roaming.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click the AP group ap-group1. The AP group configuration page is displayed.

# Click in front of VAP Configuration and click wlan-net. The VAP profile
configuration page is displayed.
# On the Advanced Configuration page, set SFN to ON. In the dialog box that is displayed,
click OK.

# Click Apply. In the dialog box that is displayed, click OK.


Step 8 Configure parameters related to agile distributed SFN roaming.
# Retain the default settings for roaming decision parameters, as shown in the following
figure.


# Set radio parameters related to roaming based on the network planning result. The
configuration is not mentioned here. The following figure shows the default settings.


Step 9 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from ru_1 to ru_2, choose Monitoring > User. In User List, select
the STA of which you want to view the roaming tracks and click Roaming Track. The
roaming tracks of the STA are displayed.

----End

5.10 Agile Distributed Networking Configuration Examples

5.10.1 Example for Configuring an Agile Distributed WLAN
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.


Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-52 Networking for configuring an agile distributed WLAN

Data Planning

Table 5-56 AC data planning

| Item | Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs. |
| IP address pool for central APs and RUs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
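The port isolation and VLAN notes above can be verified from a saved switch session. The following Python check is an added example, not Huawei tooling; it parses the SwitchA session shown in the SFN roaming example on this page, and it assumes that an AP-facing port is one whose default VLAN (PVID) is the management VLAN. The function names and the NO_ISOLATION variant are constructed for illustration.

```python
import re

# "[SwitchA-GigabitEthernet0/0/1] port-isolate enable" -> (interface name, command)
PROMPT = re.compile(r"^\[[^\]]*-([A-Za-z]+\d[\d/]*)\]\s+(.+)$")


def expand_vlans(tokens):
    """Turn ['100', '101'] or ['10', 'to', '12'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if not tokens[i].isdigit():
            i += 1                                  # ignore unknown keywords
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Collect PVID, allowed VLANs and port isolation per interface view."""
    ports = {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue                                # system view or user view line
        name, command = match.groups()
        port = ports.setdefault(name, {"pvid": 1, "allowed": set(), "isolated": False})
        words = command.split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= expand_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def lint_ap_uplinks(transcript, mgmt_vlan, service_vlan, forwarding):
    """Return findings for AP-facing ports; forwarding is 'direct' or 'tunnel'."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("tunnel forwarding: management and service VLAN must differ")
    for name, port in sorted(parse_interfaces(transcript).items()):
        if port["pvid"] != mgmt_vlan:
            continue    # assumption: AP-facing ports use the management VLAN as PVID
        if forwarding == "direct":
            if not port["isolated"]:
                findings.append(f"{name}: AP-facing port without port-isolate enable")
            if service_vlan not in port["allowed"]:
                findings.append(f"{name}: service VLAN {service_vlan} not allowed")
        elif service_vlan in port["allowed"]:
            findings.append(f"{name}: carries service VLAN {service_vlan}; only "
                            "management VLAN packets pass between AC and APs")
    return findings


# SwitchA session from the SFN roaming example on this page (first two interfaces).
PAGE_SWITCHA = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
"""
# Constructed variant: the same session with the port isolation line left out.
NO_ISOLATION = PAGE_SWITCHA.replace(
    "[SwitchA-GigabitEthernet0/0/1] port-isolate enable\n", "")

if __name__ == "__main__":
    print(lint_ap_uplinks(PAGE_SWITCHA, 100, 101, "direct") or "OK")
    print(lint_ap_uplinks(NO_ISOLATION, 100, 101, "direct"))
```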

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.


NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.


# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Configure the RU channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End


5.11 High-Density Configuration Examples


5.11.1 Example for Configuring High-Density WLAN Services

Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-53 Networking diagram for configuring a high-density WLAN


Data Planning

Table 5-57 Data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool; Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile default, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and traffic profile wlan-traffic |
| RRM profile | Name: wlan-rrm; Airtime fair scheduling: enable; Smart roaming: enable |
| 2G radio profile | Name: wlan-radio2g; Referenced profile: RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profile: RRM profile wlan-rrm |
| Traffic profile | Name: wlan-traffic |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-58.

Table 5-58 Adjustment recommendations

| Adjustment Item | Purpose | Recommendation |
|---|---|---|
| Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled. |
| Remove the limit on the number of access users | To make an AP offer wireless services to more users. | Increase the maximum number of access users to 128 for an SSID profile. |
| Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute. |
| User isolation | To prevent mobile terminals from exchanging a large number of ARP packets. | Enable user isolation on the AC. |
| Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s. |
| Adjust AP channel and power | To reduce interference between APs. | Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment. Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area. |
| Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB. |
| Enable airtime fair scheduling | To ensure that wireless channel resources can be equally allocated to users. | Enable airtime fair scheduling. |
| Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes. |
| Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms. |
| Adjust the transmit rate of 2.4 GHz Beacon frames | To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency. | Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s. |
| Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI. |
| Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set. |
| Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio. |
| Configure the short preamble for a radio | To improve the network synchronization performance. | Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function. |
| Adjust EDCA parameters | To improve user experience. | Set the EDCA parameters of AC_BE packets as follows: AP: ecwmin 5, ecwmax 6, aifsn 3. Client: ecwmin 7, ecwmax 10, aifsn 3. |

7. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA

[SwitchA] vlan batch 10 101 102


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.

# Click OK. In the dialog box that is displayed, click OK.

Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

Click Finish.

Step 6 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


# Click the VAP profile wlan-net. The VAP Profile page is displayed.
On the Advanced Configuration tab, enable band steering.

# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


Under it, click in front of wlan-net. Click SSID Profile. The SSID Profile page is
displayed.
# On the Advanced Configuration tab, set the maximum number of users to 128 and
association aging time to 1 minute. Configure EDCA parameters for AC_BE packets of
STAs as follows: AIFSN: 3; ECWmin: 7; ECWmax: 10. Set the Beacon frame rate on
2.4G radio to 11 Mbps.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


Under it, click in front of wlan-net. Click Traffic Profile. The Traffic Profile page
is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the profile name wlan-traffic in Profile name and click OK. The new traffic
profile configuration page is displayed.
# Set the user isolation mode to All isolation, and the upstream and downstream rate
limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.

# Click Apply. In the dialog box that is displayed, click OK.


4. Set the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles in Radio Management are
displayed.

# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 1 and transmit power to 127 dBm. Disable automatic channel and
power calibration functions. The configuration of Radio 1 is similar to the configuration
of Radio 0, and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


5. Configure the AP to work in dual-5G mode. This step is only for APs that support
switching between 2.4G and 5G radios.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.

# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.

# Click Apply. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this step if the
AP has been configured to work in dual-5G mode. Go to the next step to create the 5G
radio profile and bind the 5G radio profile to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.


7. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. The 5G Radio Profile page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:

– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.

8. Create the RRM profile and adjust RRM profile parameters.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. Click in front of 2G Radio Profile. Profiles in the 2G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new RRM
profile configuration page is displayed.
# On the Advanced Configuration tab, enable airtime fair scheduling; enable smart
roaming; configure the SNR-based roaming trigger mode; and set the SNR threshold to
15 dB.

# Click Apply. In the dialog box that is displayed, click OK.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. Click in front of 5G Radio Profile. Profiles in the 5G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that is
displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.

2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.

----End

5.12 Example for Configuring Vehicle-Ground Communication

5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 5-54 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 5-59 AP information

AP | Type | MAC Address
Trackside AP (L1_001) | AP9132DN | 0046-4b59-1d10
Trackside AP (L1_003) | AP9132DN | 0046-4b59-1d20
Trackside AP (L1_010) | AP9132DN | 0046-4b59-1d30
Trackside AP (L1_150) | AP9132DN | 0046-4b59-1d40
Trackside AP (L1_160) | AP9132DN | 0046-4b59-1d50
Trackside AP (L1_170) | AP9132DN | 0046-4b59-1d60
...
Vehicle-mounted AP (in the front) | AP9132DN | 0046-4b59-2e10
Vehicle-mounted AP (in the rear) | AP9132DN | 0046-4b59-2e20
...

Table 5-60 Data planning

Item | Data
Management VLAN | VLAN 100
Multicast service VLAN | VLAN 101
Service VLAN for STAs | VLAN 200
DHCP server | Configure the AC as a DHCP server to assign IP addresses to trackside APs. Configure Switch_A as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address | VLANIF 100: 10.23.100.1/24
Gateway address | IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs | 10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals | 10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong | Name: mesh-mpp
IDs of trackside APs | Trackside AP (L1_001): 1; Trackside AP (L1_003): 2; Trackside AP (L1_010): 3; Trackside AP (L1_150): 101; Trackside AP (L1_160): 102; Trackside AP (L1_170): 103
AP wired port profile | Name: wired-port
Security profile | Name: sp01; Security policy: WPA2+PSK+AES; Password type: PASS-PHRASE; Authentication key: a1234567
Mesh profile | Trackside APs: Name: mesh-net; Identifier: mesh-net. Vehicle-mounted APs: Name: mesh-net; Identifier: mesh-net
Mesh handover profile | Trackside APs: Name: hand-over. Vehicle-mounted APs: Name: hand-over
Mesh whitelist on trackside APs | Name: whitelist01. Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the whitelist according to actual situations.
MAC address of the proxied ground device | Gateway: 707b-e8e9-d328; Network management device: 286e-d488-12cd; Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device | Vehicle-mounted terminal_1: 286e-d488-d359; Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group | 225.1.1.1-225.1.1.3

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
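
The port-isolation note above can be checked mechanically against a saved CLI session. The following Python script is an added example, not part of the Huawei document: it parses sessions in the prompt format used on this page and lists AP-facing interfaces that lack port-isolate enable. Treating a port whose PVID equals the AP management VLAN as AP-facing is an assumption of this example, as are all function and variable names.

```python
"""Audit Huawei VRP CLI sessions for AP-facing ports without port isolation.

Added example (not Huawei's code). Assumption: a port is AP-facing when its
PVID is the AP management VLAN, as on this page's SwitchA and Switch_B ports.
"""
import re
from dataclasses import dataclass, field

# "[SwitchA-GigabitEthernet0/0/1] port-isolate enable" -> dev, view, cmd.
# Assumes the sysname itself contains no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")


@dataclass
class Port:
    link_type: str = ""          # unset until "port link-type" is seen
    pvid: int = 1                # VLAN 1 is the default PVID
    allowed: set = field(default_factory=set)
    isolated: bool = False


def parse_vlans(tokens):
    """Expand '10 101 102', '10 to 20' or 'all' into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return {(device, interface): Port} from a pasted CLI session."""
    ports = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m["view"]:
            continue                          # user view or system view line
        if "gigabitethernet" not in m["view"].lower():
            continue                          # VLANIF, ACL, VLAN views
        port = ports.setdefault((m["dev"], m["view"]), Port())
        cmd = m["cmd"].strip().lower()
        words = cmd.split()
        if cmd.startswith("port link-type "):
            port.link_type = words[2]
        elif cmd.startswith("port trunk pvid vlan "):
            port.pvid = int(words[4])
        elif cmd.startswith("port default vlan "):
            port.pvid = int(words[3])
        elif cmd.startswith("port trunk allow-pass vlan "):
            port.allowed |= parse_vlans(words[4:])
        elif cmd == "port-isolate enable":
            port.isolated = True
    return ports


def unisolated_ap_ports(text, ap_mgmt_vlans):
    """List (device, interface) pairs that look AP-facing but are not isolated."""
    return [key for key, port in parse_session(text).items()
            if port.pvid in ap_mgmt_vlans and not port.isolated]


# Sessions copied from this page: SwitchA (AP management VLAN 10) and
# Switch_B in the vehicle-ground example (AP management VLAN 100).
SWITCHA_SESSION = """
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
"""

SWITCH_B_SESSION = """
[Switch_B] vlan batch 100 101
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
"""

if __name__ == "__main__":
    for name, session, vlans in (("SwitchA", SWITCHA_SESSION, {10}),
                                 ("Switch_B", SWITCH_B_SESSION, {100})):
        print(name, "missing port-isolate:", unisolated_ap_ports(session, vlans))
```
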

Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.


[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.

[Switch_B] vlan 101


[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure trackside APs


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to mesh-mpp and click OK.


3. Configure Mesh parameters for the MPPs.

# In AP Group List, select the AP group mesh-mpp.

# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.


– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The Mesh whitelist entries are added.

Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.


5. Configure a Mesh profile.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group mesh-mpp. Select Display all profiles and
choose Mesh > Mesh Profile. The Mesh Profile List page is displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name to
mesh-net.
# Click OK.
6. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set Profile
name to hand-over and click OK. The Mesh profile configuration page is displayed.
# Set Position-based handover algorithm to ON.

# Click Apply. In the dialog box that is displayed, click OK.


7. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.


# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in tagged mode, and set the Port PVID to
101.

# Click OK. In the dialog box that is displayed, click OK.


Step 4 Configure a vehicle-mounted AP.
NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of the
train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create. On the
Create VLAN page that is displayed, set VLAN ID to 101.


# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.

# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.


# Click Create. The Create Security Profile page is displayed.


# Set Profile name to sp01 and click OK. The Security Profile page is displayed.
# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE, and
Password to a1234567.

# Click Apply. In the dialog box that is displayed, click OK.


4. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh Handover
Profile page is displayed.
# Click Create and create the Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.
# Set Position-based handover algorithm to ON and Moving direction to forward.
Click Apply. In the dialog box that is displayed, click OK.

Step 5 Add proxied devices on the vehicle-mounted AP


# Add proxied ground devices. Add MAC addresses of Switch_A, network management
device, and multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground Device.
Click Create and add MAC addresses of proxied ground devices. In this example, MAC
addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-b6ab are added. Click OK.


# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.

# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.

Step 6 Configure IGMP snooping on the vehicle-mounted AP

# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping. Set
IGMP-Snooping to ON in Global Setting.

# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

Step 7 Verify the configuration.


1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to view
Mesh link information. If Mesh links are set up successfully, information about Mesh
links is displayed.

2. Verify the configuration on the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.


# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Field
Strength to view field strength of the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Roaming
Trace to view the roaming trace of the vehicle-mounted AP.

----End

5.13 Radio Resource Management Configuration Examples

5.13.1 Example for Configuring Dynamic Load Balancing

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 5-55, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 5-55 Networking for configuring dynamic load balancing

Data Planning

Table 5-61 AC data planning

Item                Data
RRM profile         • Name: wlan-net
                    • Start threshold for dynamic load balancing: 15
                    • Load difference threshold for dynamic load balancing: 25%
2G radio profile    • Name: wlan-radio2g
                    • Referenced profile: RRM profile wlan-net
5G radio profile    • Name: wlan-radio5g
                    • Referenced profile: RRM profile wlan-net

Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.


Configuration Notes
• Currently, the load balancing function is implemented in the STA access phase. In
  scenarios with complex user service types and unstable traffic, the expected load
  balancing effect cannot be achieved. In this case, you are not advised to enable load
  balancing based on the channel usage.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure dynamic load balancing.
1. In the RRM profile, enable dynamic load balancing, and set the start threshold for
dynamic load balancing to 15 and load difference threshold to 25%.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. Click Create. The Create RRM Profile page is
displayed.
# Enter the profile name wlan-net and click OK. The RRM Profile page is displayed.
# On the Advanced Configuration tab, enable dynamic load balancing, and set the start
threshold for dynamic load balancing to 15 and load difference threshold to 25%.


# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile. The
RRM Profile page is displayed. Configure dynamic load balancing for radio 1. The
configuration is similar to that of radio 0 and is not mentioned here.
Step 2 Verify the configuration.
1. Choose Monitoring > User > User Distribution. The number of STAs on different APs
is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a dynamic load
balancing algorithm to redirect the STA to the AP area_2 with a light load according to
the information reported by APs.

----End

5.13.2 Example for Configuring Static Load Balancing


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 5-56, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 5-56 Networking for configuring static load balancing

Data Planning

Table 5-62 AC data planning

Item                           Data
Static load balancing group    • Name: wlan-static
                               • Start threshold for load balancing based on the number of users: 10
                               • Load difference threshold for load balancing based on the number of
                                 users: 5%

Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.

Configuration Notes
• Load balancing takes effect during the STA association stage. In scenarios with complex
  user service types and unstable traffic, loads cannot be balanced as expected. In this case,
  load balancing based on the channel utilization is not recommended.


• If dual-band APs are used, traffic is load balanced among APs working on the same
  frequency band.
• Each load balancing group supports a maximum of 16 AP radios.
• Under the agile distributed network architecture composed of the central AP and RUs,
  you only need to add radios of the RUs to a static load balancing group.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure static load balancing.
1. Create the static load balancing group wlan-static and set the start threshold for static
load balancing to 10 and load difference threshold to 5%.
# Choose Configuration > AP Config > AP Group > Static Load Balancing Group.
The Static Load Balancing Group page is displayed.
# Click Create. On the page that is displayed, enter the profile name wlan-static, and set
the start threshold for static load balancing to 10 and load difference threshold to 5%.
Add AP area_1 and AP area_2 to the static load balancing group.


# Click OK.
Step 2 Verify the configuration.
1. Choose Monitoring > User > User Distribution. The number of STAs on different APs
is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP area_2 with a light load based on the configured
load balancing group.

----End

5.13.3 Example for Configuring Band Steering


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. To relieve pressure on the 2.4 GHz frequency band, enable STAs to connect to the 5
GHz frequency band.

Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.


Figure 5-57 Networking for configuring Band Steering

Data Planning

Table 5-63 AC data planning

Item                Data
VAP profile         • Name: wlan-net
                    • Band steering function: enabled
                    • Referenced profiles: SSID profile wlan-net and security profile wlan-net
RRM profile         • Name: wlan-rrm
                    • Start threshold for load balancing between radios: 15
                    • Load difference threshold for load balancing between radios: 25
2G radio profile    • Name: wlan-radio2g
                    • Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.


Configuration Notes
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
  SSID and security policy on the 5 GHz and 2.4 GHz radios.
• To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
  access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the band steering function.
1. Enable the band steering function in the VAP profile wlan-net. By default, the band
steering function is enabled.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net. The
VAP profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function.

# Click Apply. In the dialog box that is displayed, click OK.


2. In the RRM profile, configure load balancing between radios to prevent heavy load on a
single radio. Set the start threshold for load balancing between radios to 15, and the load
difference threshold to 25%.
# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile. Click
Create. The Create RRM Profile page is displayed.


# Enter the profile name wlan-rrm and click OK. The RRM profile configuration page
is displayed.
# On the Advanced Configuration tab, set the start threshold for load balancing
between radios to 15, and the load difference threshold to 25%.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile > wlan-rrm.
The RRM profile configuration page is displayed. Configure inter-frequency load
balancing for radio 1. The configuration is similar to that of radio 0 and is not mentioned
here.

NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.

Step 2 Verify the configuration.


# Choose Monitoring > User > User Distribution. Most STAs can connect to the 5 GHz
frequency band, and users enjoy good service experience.

----End

5.13.4 Example for Configuring Smart Roaming


Networking Requirements
To ensure optimal user experience, a stadium requires that users associate with the nearest
APs when moving on the stadium stand. Furthermore, users' services are not affected during
roaming in the coverage area.


Figure 5-58 Networking for configuring smart roaming

Data Planning

Table 5-64 AC data planning

Item                Data
RRM profile         • Name: wlan-rrm
                    • Smart roaming threshold type: SNR-based
                    • SNR threshold for smart roaming: 15
2G radio profile    • Name: wlan-radio2g
                    • Referenced profile: RRM profile wlan-rrm
5G radio profile    • Name: wlan-radio5g
                    • Referenced profile: RRM profile wlan-rrm


Configuration Roadmap
Configure smart roaming and adjust smart roaming parameters to steer STAs (especially
sticky STAs) to reconnect or roam to APs with strong signals.

NOTE

Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
STAs fail to roam to neighbor APs with better signals. They are called sticky STAs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure smart roaming.
1. In the RRM profile wlan-rrm, enable smart roaming, set the roaming trigger mode to
SNR-based, and set the roaming threshold to 15 dB.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. Click Create. The Create RRM Profile page is
displayed.

# Enter the profile name wlan-rrm and click OK. The RRM Profile page is displayed.

# On the Advanced Configuration tab, enable smart roaming, set the roaming trigger
mode to SNR-based, and set the roaming threshold to 15 dB.


# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile > wlan-rrm.
The RRM Profile page is displayed. Configure smart roaming for radio 1. The
configuration is similar to that of radio 0 and is not mentioned here.
Step 2 Verify the configuration.
When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.

----End

5.14 Spectrum Analysis Configuration Examples


5.14.1 Example for Configuring Spectrum Analysis
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.


Networking Requirements

Figure 5-59 Networking for configuring spectrum analysis

Data Planning

Table 5-65 AC data planning

Item                 Data
AP group             • Name: ap-group1
                     • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                       default, 2G radio profile wlan-radio2g, 5G radio profile wlan-radio5g,
                       and AP system profile wlan-spectrum
Air scan profile     • Name: wlan-airscan
                     • Air scan interval: 8000 ms
                     • Air scan duration: 100 ms
2G radio profile     • Name: wlan-radio2g
                     • Referenced profiles: air scan profile wlan-airscan
5G radio profile     • Name: wlan-radio5g
                     • Referenced profiles: air scan profile wlan-airscan


AP system profile    • Name: wlan-spectrum
                     • IP address of the spectrum server: 10.137.43.4
                     • Port number of the spectrum server: 55555
                     • Port number used by the AC to receive spectrum information
                       (encapsulated in UDP packets) from APs when the AC is used to send
                       data to the spectrum server: 5001
                     • Aging time of non-Wi-Fi devices on an AC during spectrum analysis: 5
                       minutes

Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.

Configuration Notes
• If air scan related functions such as WIDS, spectrum analysis, and terminal location are
  enabled for a radio in normal mode, the radio both transmits common WLAN service
  data and performs monitoring, which may affect transmission of common
  WLAN service data.
• In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
  the scanning interval be set to no more than 10 seconds and the scanning duration to 100
  ms.
• The channels to be scanned for spectrum analysis are fixed as all channels supported by
  the corresponding country code of an AP and are irrelevant to the configuration in an air
  scan profile.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure spectrum analysis.
1. Set spectrum analysis parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose AP > AP System Profile. The AP
System Profile page is displayed.
# Click Create. The Create AP System Profile page is displayed. Enter the profile
name wlan-spectrum and click OK. The AP system profile configuration page is
displayed.
# On the Advanced Configuration tab, set related parameters.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the scan channel set, scan interval, and scan
duration.
# Choose 2G Radio Profile > Air Scan Profile. The Air Scan Profile page is displayed.
Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.
# Enable scanning, and configure the scan channel set, scan interval, and scan duration.


# Click Apply. In the dialog box that is displayed, click OK.


4. Enable spectrum analysis on a radio.

# Click Radio 0. On the Radio 0 Settings(2.4G) page that is displayed, set the radio
parameters.

# Click Apply. In the dialog box that is displayed, click OK. The 5G radio configuration
is similar and not mentioned here.

Step 2 Verify the configuration.


1. View AP spectrum on the web platform to learn AP channel interference in deployment
sites.
a. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.

b. Select an AP and click Start.


c. In the AP radio list, click View Drawing in the Operation column. The related
spectrum charts are displayed. A maximum of four spectrum charts can be
displayed.


d. Select your desired spectrum chart from the drop-down list box in the upper left
corner. You can select Lower or Upper on the spectrum charts of a 5G radio to
view spectrum charts of different frequencies.
e. The Real-Time FFT chart shows that the signal strength of interference is mostly
within the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click
Modify, set the signal strength scope at both ends of the color bar, and click Apply.
The Swept Spectrogram chart shows that channel 149 has the most severe
interference.

f. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.

----End

5.15 WLAN Security Configuration Examples


5.15.1 Example for Configuring Rogue Device Detection and Containment

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services
must not be affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing great threats
to the enterprise network. To prevent such attacks, the detection and containment function
can be configured for authorized APs. In this way, the AC can detect rogue AP area_2 (which
is neither managed by the AC nor in the authorized AP list) and contain it, preventing STAs
from associating with the rogue AP.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-60 Networking for configuring rogue device detection and containment

Data Planning

Table 5-66 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, and WIDS profile wlan-wids
                                • Working mode of the AP radio: normal
                                • Rogue device detection and containment: enabled

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile
                                  wlan-net

WIDS profile                    • Name: wlan-wids
                                • Rogue device containment mode: containment against rogue APs
                                  using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.


NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
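
The policy this example configures (an AP is rogue when it is neither managed by the AC nor in the authorized AP list; only rogue APs spoofing a service SSID are contained; a normal-mode radio contains only on its service channels) can be expressed as the following Python model. It is an added example, not Huawei code; the scan records, the authorized AP MAC address, the exact-match SSID test, and the direct comparison of BSSIDs with AP MAC addresses are assumptions.

```python
"""Added illustration: triage of APs reported by a WIDS scan (not the AC's code).

Assumptions: a BSSID is compared directly with AP MAC addresses, and an SSID
"spoofs" a service SSID only when it matches it exactly.
"""
from dataclasses import dataclass

# From this example's data planning and Step 6.
SERVICE_SSIDS = {"wlan-net"}
SERVICE_CHANNELS = {6, 149}             # radio 0 and radio 1
MANAGED_AP_MACS = {"60de-4476-e360"}    # area_1, managed by the AC

# Constructed: an AP the administrator has put in the authorized AP list.
AUTHORIZED_AP_MACS = {"0200-0000-00a1"}


def normalize_mac(mac):
    """Accept xxxx-xxxx-xxxx, xx:xx:... or xx-xx-... and return 12 hex digits."""
    digits = "".join(ch for ch in mac.strip().lower() if ch not in "-:.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int


@dataclass(frozen=True)
class Verdict:
    bssid: str
    category: str       # "managed", "authorized" or "rogue"
    spoofs_ssid: bool   # rogue AP advertising one of the service SSIDs
    contain: bool       # contained by a normal-mode radio under this policy
    reason: str


def classify(obs, managed=MANAGED_AP_MACS, authorized=AUTHORIZED_AP_MACS):
    managed = {normalize_mac(m) for m in managed}
    authorized = {normalize_mac(m) for m in authorized}
    mac = normalize_mac(obs.bssid)
    if mac in managed:
        return Verdict(mac, "managed", False, False, "managed by the AC")
    if mac in authorized:
        return Verdict(mac, "authorized", False, False, "in the authorized AP list")
    if obs.ssid not in SERVICE_SSIDS:
        # Rogue by definition, but outside the configured containment mode.
        return Verdict(mac, "rogue", False, False, "SSID is not a service SSID")
    if obs.channel in SERVICE_CHANNELS:
        return Verdict(mac, "rogue", True, True, "spoofed SSID on a service channel")
    return Verdict(mac, "rogue", True, False,
                   "spoofed SSID on another channel; needs a monitor-mode radio")


# Constructed scan records; only the first MAC address comes from the page.
CONSTRUCTED_SCAN = [
    Observation("60:DE:44:76:E3:60", "wlan-net", 6),      # area_1
    Observation("0200-0000-00a1", "lab-net", 11),         # authorized neighbor
    Observation("02:11:22:33:44:55", "wlan-net", 6),      # behaves like area_2
    Observation("02:11:22:33:44:56", "wlan-net", 11),     # spoof on channel 11
    Observation("02-aa-bb-cc-dd-ee", "coffee-shop", 6),   # unrelated nearby AP
]


def triage(scan=CONSTRUCTED_SCAN):
    return [classify(obs) for obs in scan]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The fourth record shows the limitation stated in the NOTE: the spoofed SSID is detected, but a normal-mode radio serving channels 6 and 149 does not contain it.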

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.


# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.


# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page is
displayed.
# Configure radio 0 to work in normal mode, and enable rogue device detection and
containment.


# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.

# Click Apply. In the Info dialog box that is displayed, click OK.
Step 8 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
• Click a number in the detection result list. The detected device information is displayed
  in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
  about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
  the whitelist of the AP.

----End

5.15.2 Example for Configuring Attack Detection


Service Requirements
Enterprise users need to access the network through WLANs, which is the basic requirement
of mobile office. Furthermore, users' services must not be affected during roaming in the
coverage area.
To ensure network stability and security, network administrators can configure attack
detection and the dynamic blacklist function to defend against flood attacks and brute
force PSK cracking. Detected attack devices are added to the dynamic blacklist, and packets
from them are discarded.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-61 Networking for configuring attack detection


Data Planning

Table 5-67 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, WIDS profile wlan-wids, and AP system profile
                                  wlan-system
                                • Attack detection type of the AP radio: brute force PSK cracking
                                  attack detection for WPA2-PSK authentication and flood attack
                                  detection

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile
                                  wlan-net

WIDS profile                    • Name: wlan-wids
                                • Interval for brute force PSK cracking attack detection: 70s
                                • Quiet time for brute force PSK cracking attack detection: 700s
                                • Maximum number of key negotiation failures allowed within a
                                  brute force PSK cracking attack detection period: 25
                                • Flood attack detection interval: 70s
                                • Quiet time for flood attack detection: 700s
                                • Flood attack detection threshold: 350
                                • Dynamic blacklist: enabled

AP system profile               • Name: wlan-system
                                • Aging time of a dynamic blacklist: 200s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.
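
The roadmap above, replayed in Python with the thresholds from Table 5-67. This is an added example, not the AC's or AP's implementation; the sliding detection window, the "more than the threshold" trigger, the reading of quiet time as suppression of repeated alarms, and all MAC addresses and events are assumptions.

```python
"""Added illustration: threshold-based attack detection with a dynamic blacklist.

A model, not the device's implementation. Assumptions: sliding detection window,
an attack is declared when the count exceeds the threshold, and the quiet time
only suppresses repeated alarms for the same device and attack type.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    interval: int    # detection period in seconds
    threshold: int   # events tolerated within one detection period
    quiet_time: int  # seconds during which the same alarm is not repeated


# Values from Table 5-67 (WIDS profile wlan-wids, AP system profile wlan-system).
RULES = {
    "psk-failure": Rule(interval=70, threshold=25, quiet_time=700),
    "flood": Rule(interval=70, threshold=350, quiet_time=700),
}
BLACKLIST_AGING = 200

# Constructed MAC addresses for the replay below.
ATTACKER = "0211-2233-4455"
FLOODER = "0211-2233-4466"
CLIENT = "0211-2233-0001"


class AttackDetector:
    def __init__(self, rules=RULES, aging=BLACKLIST_AGING):
        self.rules = rules
        self.aging = aging
        self.alarms = []                    # (time, mac, kind) alarms reported
        self._events = defaultdict(deque)   # (mac, kind) -> recent timestamps
        self._last_alarm = {}               # (mac, kind) -> time of last alarm
        self._blacklist = {}                # mac -> time the entry ages out

    def is_blacklisted(self, mac, now):
        expiry = self._blacklist.get(mac)
        if expiry is not None and now >= expiry:
            del self._blacklist[mac]        # entry aged out
            expiry = None
        return expiry is not None

    def observe(self, now, mac, kind):
        """Handle one event; return "dropped", "accepted" or "blacklisted"."""
        if self.is_blacklisted(mac, now):
            return "dropped"
        rule = self.rules[kind]
        window = self._events[(mac, kind)]
        window.append(now)
        while window[0] <= now - rule.interval:
            window.popleft()                # forget events outside the period
        if len(window) <= rule.threshold:
            return "accepted"
        window.clear()
        self._blacklist[mac] = now + self.aging
        last = self._last_alarm.get((mac, kind))
        if last is None or now - last >= rule.quiet_time:
            self._last_alarm[(mac, kind)] = now
            self.alarms.append((now, mac, kind))
        return "blacklisted"


def constructed_events():
    """Constructed input: (time in seconds, source MAC, event kind)."""
    events = [(t, ATTACKER, "psk-failure") for t in range(600)]    # 1 failure/s
    events += [(t, CLIENT, "psk-failure") for t in (10, 40, 300)]  # mistyped key
    events += [(100, FLOODER, "flood")] * 400                      # one burst
    return sorted(events)


def replay(events, detector=None):
    """Feed time-ordered events to a detector; return it and per-MAC outcomes."""
    if detector is None:
        detector = AttackDetector()
    outcomes = defaultdict(Counter)
    for now, mac, kind in events:
        outcomes[mac][detector.observe(now, mac, kind)] += 1
    return detector, outcomes


if __name__ == "__main__":
    det, result = replay(constructed_events())
    for mac, counts in sorted(result.items()):
        print(mac, dict(counts))
    print("alarms:", det.alarms)
```

In this model the 200s blacklist entry ages out long before the 700s quiet time ends, so the persistent source is re-admitted and re-blacklisted twice more without a second alarm.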

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure the attack detection function.


1. Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.

# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 0.

# Click Apply. In the Info dialog box that is displayed, click OK.

# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 1 in the same way.
2. Create WIDS profile wlan-wids, and set parameters for attack detection.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.

# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed. Click
Advanced Configuration.

# Set parameters for brute force PSK cracking attack detection for WPA2-PSK
authentication and for flood attack detection. Enable the dynamic blacklist
function.

# Click Apply. In the Info dialog box that is displayed, click OK.
3. Create AP system profile wlan-system, and set the aging time of the dynamic blacklist.
# Choose AP > AP System Profile. The AP System Profile List page is displayed.
# Click Create. The Create AP System Profile page is displayed.
# Enter the name of the new AP system profile wlan-system in Profile name, and click
OK. The parameter setting page of the new AP system profile is displayed. Click
Advanced Configuration.
# Set the aging time of the dynamic blacklist to 200 seconds.
# Click Apply. In the Info dialog box that is displayed, click OK.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 8 Verify the configuration.

Choose Monitoring > WIDS and view the attack detection result in the Attack Detection area.

● Click a number in the attack detection result list to view details.
● Click View Dynamic Blacklist. The View Dynamic Blacklist page is displayed.

----End
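
How the brute force PSK cracking detection and the dynamic blacklist from Step 7 interact can be seen in a small Python model. This is an added example, not Huawei code: the 200-second aging time is the value set on this page, while the 60-second counting window, the threshold of 20 failures, the MAC addresses, and the event tuples are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

DETECT_WINDOW_S = 60     # assumption: seconds over which failures are counted
FAIL_THRESHOLD = 20      # assumption: failures in the window that flag a STA
BLACKLIST_AGING_S = 200  # from the page: aging time of the dynamic blacklist


class DynamicBlacklist:
    """MAC entries that age out aging_s seconds after they are added."""

    def __init__(self, aging_s=BLACKLIST_AGING_S):
        self.aging_s = aging_s
        self._expiry = {}          # MAC -> time at which the entry ages out

    def add(self, mac, now):
        self._expiry[mac] = now + self.aging_s

    def contains(self, mac, now):
        expiry = self._expiry.get(mac)
        if expiry is None:
            return False
        if now >= expiry:          # entry has aged out, remove it
            del self._expiry[mac]
            return False
        return True


class PskBruteForceDetector:
    """Counts failed WPA2-PSK key negotiations per STA in a sliding window."""

    def __init__(self, blacklist, window_s=DETECT_WINDOW_S,
                 threshold=FAIL_THRESHOLD):
        self.blacklist = blacklist
        self.window_s = window_s
        self.threshold = threshold
        self._failures = defaultdict(deque)
        self.alerts = []           # (time, mac, failures counted in window)

    def on_event(self, ts, mac, result):
        """Process one key negotiation result ('fail' or 'ok') from a STA."""
        mac = mac.lower()
        if self.blacklist.contains(mac, ts):
            return "dropped"       # frames from blacklisted STAs are discarded
        if result != "fail":
            return "accepted"
        window = self._failures[mac]
        window.append(ts)
        while window and ts - window[0] >= self.window_s:
            window.popleft()       # forget failures older than the window
        if len(window) >= self.threshold:
            self.blacklist.add(mac, ts)
            self.alerts.append((ts, mac, len(window)))
            window.clear()
            return "blacklisted"
        return "counted"


def sample_events():
    """Constructed input: (seconds, STA MAC, key negotiation result)."""
    # One STA failing the key negotiation every 2 s for 5 minutes.
    events = [(t, "00aa-bb00-0001", "fail") for t in range(0, 300, 2)]
    # One user mistyping the key three times, then succeeding.
    events += [(t, "00aa-bb00-0002", "fail") for t in (5, 15, 25)]
    events.append((35, "00aa-bb00-0002", "ok"))
    return sorted(events)


def replay(events):
    """Feed events in time order; return alerts and per-STA outcome counts."""
    detector = PskBruteForceDetector(DynamicBlacklist())
    outcomes = defaultdict(Counter)
    for ts, mac, result in events:
        outcomes[mac][detector.on_event(ts, mac, result)] += 1
    return detector.alerts, {mac: dict(c) for mac, c in outcomes.items()}


if __name__ == "__main__":
    alerts, outcomes = replay(sample_events())
    for ts, mac, count in alerts:
        print(f"t={ts:>3}s  {mac} blacklisted after {count} failures")
    for mac, counts in outcomes.items():
        print(mac, counts)
```

With these assumed values the first STA is blacklisted twice and 110 of its 150 attempts are dropped, while the user who mistypes the key three times is never flagged. The entry ages out after 200 seconds, so the threshold and the aging time are best tuned together.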

5.15.3 Example for Configuring the STA Blacklist and Whitelist

Service Requirements
An enterprise needs to provide WLAN services for management personnel so that they can
connect to the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.

Due to a small number of management personnel in the enterprise, MAC addresses of their
STAs can be added to a STA whitelist. In this manner, STAs of other employees cannot
connect to the WLAN.

In addition, network administrators have detected unauthorized access of some STAs and
need to deny access of them. The administrators can add MAC addresses of these STAs to the
blacklist, while other authorized STAs can still connect to the WLAN.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 5-62 Networking for configuring the STA blacklist and whitelist

Data Planning

Table 5-68 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, and AP system profile wlan-system

Regulatory domain profile       ● Name: default
                                ● Country code: China

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: a1234567

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net, security profile
                                  wlan-net, and STA whitelist profile sta-whitelist

STA whitelist profile           ● Name: sta-whitelist
                                ● STAs added to the STA whitelist: STA1 (0011-2233-4455) and
                                  STA2 (0011-2233-4466)

STA blacklist profile           ● Name: sta-blacklist
                                ● STAs added to the STA blacklist: STA3 (0011-2233-4477) and
                                  STA4 (0011-2233-4488)

AP system profile               ● Name: wlan-system
                                ● Referenced profile: STA blacklist profile sta-blacklist

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.

NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure a STA whitelist for VAPs.
1. Configure STA whitelist profile sta-whitelist and add MAC addresses of STA1 and
STA2 to the whitelist.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose VAP Configuration > wlan-net > STA Blacklist And Whitelist Profile. On
the STA Blacklist And Whitelist Profile page, select Whitelist.
# Click Create. The Create STA Whitelist Profile page is displayed.
# Enter the name of the new STA whitelist profile sta-whitelist in Profile name, and
click OK. The parameter setting page of the new STA whitelist profile is displayed.
# Click Add. The Add Address page is displayed.
# Add MAC addresses of STA1 and STA2 to the whitelist.

# Click OK.
Step 8 Configure a global STA blacklist.
1. Create AP system profile wlan-system.

# Click in front of AP. Under it, click AP System Profile. The AP System Profile
page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-system and click OK. The AP System Profile configuration page is
displayed.
# Click Apply. In the Info dialog box that is displayed, click OK.
2. Configure STA blacklist profile sta-blacklist and add MAC addresses of STA3 and
STA4 to the blacklist.

# Click in front of AP System Profile. Under it, click STA Blacklist Profile. On the
STA Blacklist Profile page, select Blacklist.
# Click Create. The Create STA Blacklist Profile page is displayed.
# Enter the name of the new STA blacklist profile sta-blacklist in Profile name, and
click OK. The parameter setting page of the new STA blacklist profile is displayed.
# Click Add. The Add MAC Address page is displayed.
# Add MAC addresses of STA3 and STA4 to the blacklist.

# Click OK.
Step 9 Verify the configuration.
The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.

----End
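
The result in Step 9 follows from how the two lists combine: the whitelist is bound to VAP profile wlan-net only, while the blacklist in AP system profile wlan-system applies to the whole AP. The Python model below is an added example, not Huawei code; it uses the MAC addresses from the data planning table and assumes that a STA must be permitted by both scopes to associate. STA5 and the second VAP without a list are hypothetical and not part of the page.

```python
import re


def normalize_mac(text):
    """Return a MAC in the xxxx-xxxx-xxxx notation the page uses."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


class StaAccessList:
    """The list bound to one scope (a VAP profile or an AP system profile).

    A scope carries a whitelist, a blacklist, or nothing, never both,
    matching the NOTE in the configuration roadmap.
    """

    def __init__(self, scope, mode=None, macs=()):
        if mode not in (None, "whitelist", "blacklist"):
            raise ValueError(f"unknown mode: {mode!r}")
        self.scope = scope
        self.mode = mode
        self.macs = {normalize_mac(m) for m in macs}

    def permits(self, mac):
        if self.mode == "whitelist":
            return mac in self.macs
        if self.mode == "blacklist":
            return mac not in self.macs
        return True  # nothing bound to this scope


def admit(mac, ap_scope, vap_scope):
    """Assumption: a STA associates only if both scopes permit it."""
    mac = normalize_mac(mac)
    for acl in (ap_scope, vap_scope):
        if not acl.permits(mac):
            return False, f"denied by {acl.mode} in {acl.scope}"
    return True, "permitted"


def plan_conflicts(*scopes):
    """MACs that one scope whitelists while another blacklists."""
    white, black = set(), set()
    for acl in scopes:
        if acl.mode == "whitelist":
            white |= acl.macs
        elif acl.mode == "blacklist":
            black |= acl.macs
    return sorted(white & black)


# Values from the data planning table on this page.
AP_SYSTEM = StaAccessList("AP system profile wlan-system", "blacklist",
                          ["0011-2233-4477", "0011-2233-4488"])
VAP_WLAN_NET = StaAccessList("VAP profile wlan-net", "whitelist",
                             ["0011-2233-4455", "0011-2233-4466"])
# Hypothetical second VAP on the same AP with no list bound (not on the page).
VAP_OTHER = StaAccessList("VAP profile other-vap (hypothetical)")

STAS = {
    "STA1": "0011-2233-4455",
    "STA2": "00:11:22:33:44:66",   # same address as on the page, colon notation
    "STA3": "0011-2233-4477",
    "STA4": "0011.2233.4488",      # same address as on the page, dotted notation
    "STA5": "0011-2233-4499",      # constructed: on neither list
}


def verify(vap_scope):
    """Admission result for every sample STA on the given VAP."""
    return {name: admit(mac, AP_SYSTEM, vap_scope)
            for name, mac in STAS.items()}


if __name__ == "__main__":
    for vap in (VAP_WLAN_NET, VAP_OTHER):
        print(vap.scope)
        for name, (ok, reason) in verify(vap).items():
            print(f"  {name}: {reason}")
    print("conflicts:", plan_conflicts(AP_SYSTEM, VAP_WLAN_NET))
```

On wlan-net only STA1 and STA2 are admitted, as in Step 9. On the hypothetical VAP without a whitelist, STA3 and STA4 are still denied by the AP-level blacklist, while the unlisted STA5 is admitted.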

5.16 WLAN QoS Configuration Examples


5.16.1 Example for Configuring WMM and Priority Mapping
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

After accessing the network, users encounter poor experience in voice and video services. The
administrator wants to preferentially ensure forwarding of voice and video service traffic to
improve user experience.

Figure 5-63 Networking for configuring WMM and priority mapping

Data Planning

Table 5-69 AC data planning


Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: VAP profile wlan-net, regulatory domain profile
                      default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

SSID profile        ● Name: wlan-net
                    ● EDCA parameters: specified to provide higher priorities for voice and
                      video services

VAP profile         ● Name: wlan-net
                    ● Referenced profiles: SSID profile wlan-net and traffic profile wlan-traffic

2G radio profile    ● Name: wlan-radio2g
                    ● EDCA parameters: specified to provide higher priorities for voice and
                      video services

5G radio profile    ● Name: wlan-radio5g
                    ● EDCA parameters: specified to provide higher priorities for voice and
                      video services

Traffic profile     ● Name: wlan-traffic
                    ● Downstream mapping on the air interface: DSCP
                    ● Upstream tunnel mapping on the air interface: 802.11e
                    ● Priority mapping: specified to provide higher priorities for voice and
                      video services

Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the WMM function.
1. In the radio profile, enable the WMM function and set EDCA parameters on APs to
enable voice and video services to preferentially use network bandwidth.

NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of Radio Management.
Under it, click in front of Radio 0. Click 2G Radio Profile. The 2G Radio Profile
page is displayed.

# On the Advanced Configuration tab, enable the WMM function, select scenario
Voice and video, and retain the default settings of EDCA parameters. Click Apply. In
the dialog box that is displayed, click OK.

2. In the SSID profile, enable the WMM function and set EDCA parameters on STAs to
enable voice and video services to preferentially use network bandwidth.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.
Under it, click in front of wlan-net. Click SSID Profile. The SSID Profile page is
displayed.

# On the Advanced Configuration tab, select scenario Voice and video and retain the
default settings of EDCA parameters. Click Apply. In the dialog box that is displayed,
click OK.

Step 2 Configure priority mapping.

This example requires that voice and video packets have the highest priority so that these
packets are preferentially transmitted. By default, the uplink and downlink mapping modes on
the air interface are 802.11e and DSCP, respectively. The uplink and downlink priority
mapping on the air interface can ensure that voice and video packets have the highest tunnel
DSCP priority. Therefore, you do not need to modify default priority mapping.

To change the default priority mapping, for example, to give video packets a higher
priority than voice packets, you can refer to this step.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration. Under it,
click in front of wlan-net. Click Traffic Profile. The Traffic Profile page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page of the new traffic profile is displayed.

# On the Advanced Configuration tab, configure priority mapping and set the mapped
priority of video packets higher than that of the voice packets.

NOTE

By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the voice packets are
32 and 40. Based on the settings, video packets will be preferentially transmitted.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 3 Verify the configuration.


1. Normal voice and video communication improves user experience in voice and video
services.

----End

5.16.2 Example for Configuring Traffic Policing

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.

Figure 5-64 Networking for configuring traffic policing

Data Planning

Table 5-70 AC data planning


Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: VAP profile wlan-net

VAP profile         ● Name: wlan-net
                    ● Referenced profiles: traffic profile wlan-traffic

Traffic profile     ● Name: wlan-traffic
                    ● Uplink rate limit of a single STA: 2 Mbit/s
                    ● Uplink rate limit of all STAs on a VAP: 30 Mbit/s

Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure traffic policing.
Create traffic profile wlan-traffic. Set the uplink rate limit of a single STA to 2 Mbit/s and the
total uplink rate limit of all STAs on the VAP to 30 Mbit/s.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration. Under it,
click in front of wlan-net. Click Traffic Profile. The Traffic Profile page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page of the new traffic profile is displayed.

# On the Advanced Configuration tab, set the uplink rate limit to 2 Mbit/s for STAs and to
30 Mbit/s for VAPs.

# Click Apply. In the Info dialog box that is displayed, click OK.
Step 2 Verify the configuration.
1. STAs efficiently utilize network resources, reducing network congestion.

----End

5.16.3 Example for Configuring Airtime Fair Scheduling

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that multiple users on the network be able to fairly use network
bandwidth to improve overall user experience.

Figure 5-65 Networking for configuring airtime fair scheduling

Data Planning

Table 5-71 AC data planning

Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: 2G radio profile wlan-radio2g, and 5G radio
                      profile wlan-radio5g

RRM profile         ● Name: wlan-rrm
                    ● Airtime fair scheduling: enabled

2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profiles: RRM profile wlan-rrm

5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure airtime fair scheduling.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of Radio Management. Under it,
click the icon in front of radio 0.

# Click the icon in front of 2G Radio Profile, and click RRM Profile. Click Create. On the page
that is displayed, set Profile name to wlan-rrm and click OK. The RRM Profile
configuration page is displayed.
# Enable airtime fair scheduling in the RRM profile.

# Click Apply. In the dialog box that is displayed, click OK.


Step 2 Verify the configuration.
1. Users can fairly use network bandwidth, improving overall user experience.

----End

5.16.4 Example for Configuring ACL-based Packet Filtering


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To control network traffic, the administrator requires that packets with source IP address
10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.


Figure 5-66 Networking for configuring ACL-based packet filtering

Data Planning

Table 5-72 AC data planning


Item                Data

AP group            • Name: ap-group1
                    • Referenced profiles: VAP profile wlan-net

VAP profile         • Name: wlan-net
                    • Referenced profiles: traffic profile wlan-traffic

Traffic profile     • Name: wlan-traffic
                    • Configuration of ACL-based IPv4 packet filtering

Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure ACL-based packet filtering.
1. Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and
destination IPv4 address 10.23.101.11 to pass.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL dialog box that is displayed, set the ACL
name to ACL3001 and ACL number to 3001. Click OK.
# Click Add Rule in the new ACL.

# Click OK.
2. Create traffic profile wlan-traffic and apply the ACL to it.
# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration.
Under it, click the icon in front of wlan-net. Click Traffic Profile. The Traffic Profile page
is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, expand Packet Filtering. In Inbound ACL,
click Add. Set Packet Filtering Type to IPv4 and ACL used to filter incoming packets
to ACL3001. Click the icon to save the settings.

# Click Apply. In the Info dialog box that is displayed, click OK.
Step 2 Verify the configuration.
1. Packets with the source IP address of 10.23.101.10 and destination IP address of
10.23.101.11 are forbidden to pass, achieving network traffic control.

----End
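
To check what the rule created in Step 1 covers before relying on it, the following added example (not Huawei code and not part of the original guide) models ACL 3001 as a single deny rule and evaluates constructed packets against it, next to a variant with an over-broad wildcard. The Rule class, rule ID 5, the wildcard-mask notation, the permit-on-no-match default and the sample packets are assumptions of this example; confirm the default action for unmatched packets on your device.

```python
"""Coverage check for the ACL 3001 rule of this example (added illustration).

Assumptions: rules are tried in ascending rule-ID order, the first match wins,
and a packet that matches no rule is permitted by the packet filter.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def covers(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ~int(IPv4Address(wildcard)) & MASK32
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    src: str
    src_wildcard: str    # 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str

    def matches(self, src: str, dst: str) -> bool:
        return (covers(src, self.src, self.src_wildcard)
                and covers(dst, self.dst, self.dst_wildcard))


def evaluate(rules, src, dst, default="permit"):
    """Return (action, rule_id) for one packet; rule_id is None on no match."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst):
            return rule.action, rule.rule_id
    return default, None


def unintended_denies(rules, intended_pairs, packets):
    """Packets the rule set drops although they are not in intended_pairs."""
    return [(s, d) for s, d in packets
            if evaluate(rules, s, d)[0] == "deny" and (s, d) not in intended_pairs]


# The only flow the administrator wants blocked (from Networking Requirements).
INTENDED = {("10.23.101.10", "10.23.101.11")}

# ACL 3001 as planned: host-to-host deny. Rule ID 5 is a constructed value.
ACL_3001 = [Rule(5, "deny", "10.23.101.10", "0.0.0.0", "10.23.101.11", "0.0.0.0")]

# Same rule with a /24 wildcard entered by mistake (constructed misconfiguration).
ACL_TOO_WIDE = [Rule(5, "deny", "10.23.101.10", "0.0.0.255", "10.23.101.11", "0.0.0.255")]

# Constructed test packets as (source, destination).
PACKETS = [
    ("10.23.101.10", "10.23.101.11"),  # the flow to block
    ("10.23.101.11", "10.23.101.10"),  # reverse direction
    ("10.23.101.10", "10.23.101.12"),  # same source, other destination
    ("10.23.101.20", "10.23.101.11"),  # other source, same destination
]

if __name__ == "__main__":
    for name, acl in (("ACL_3001", ACL_3001), ("ACL_TOO_WIDE", ACL_TOO_WIDE)):
        print(name)
        for s, d in PACKETS:
            action, rule_id = evaluate(acl, s, d)
            print(f"  {s:>13} -> {d:<13} {action:6} rule={rule_id}")
        print("  unintended denies:", unintended_denies(acl, INTENDED, PACKETS))
```

The rule names one source and one destination, so the reverse-direction packet is permitted; the over-broad variant drops every sample packet in 10.23.101.0/24.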

5.16.5 Example for Configuring Optimization for Voice and Video Services

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.


Figure 5-67 Networking for configuring optimization for voice and video services

Data Planning

Table 5-73 AC data planning


Item                Data

AP group            • Name: ap-group1
                    • Referenced profiles: VAP profile wlan-net, 2G radio profile
                      wlan-radio2g, and 5G radio profile wlan-radio5g

VAP profile         • Name: wlan-net
                    • Referenced profile: SAC profile wlan-sac

2G radio profile    • Name: wlan-radio2g
                    • Referenced profile: RRM profile wlan-net

5G radio profile    • Name: wlan-radio5g
                    • Referenced profile: RRM profile wlan-net

RRM profile         • Name: wlan-rrm
                    • Multimedia air interface optimization: enabled

SAC profile         • Name: wlan-sac

Voice and video     • Applied protocols: QQ and WeChat
optimization

Configuration Roadmap
1. Enable the SAC function.
2. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.

Configuration Notes
• The configuration of optimization for voice and video services supports only tunnel
forwarding.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Enable the security engine.
NOTE

After the security engine is enabled, the system automatically loads the default signature database.

# Choose Configuration > Security > Attack Defense. The Attack Defense page is
displayed.

# Set Security Engine to ON. Click OK.


Step 2 Create an SAC profile and bind it to the VAP profile mapping the AP group ap-group1.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group name ap-group1. Click the icon next to VAP
Configuration and the icon next to wlan-net, and select SAC Profile.
# Click SAC Profile and enter wlan-sac in Profile name. Click OK. The SAC Profile page
is displayed.
# Click OK. In the dialog box that is displayed, click OK.
Step 3 Enable optimization for voice and video services on QQ and WeChat.
# Choose Configuration > Other Services > App Identification & Optimization >
Voice&Video Optimization. The Voice & Video Optimization page is displayed.
# Set Voice optimization and Video optimization to ON.
# Set Voice optimization and Video optimization to OFF for all applications except qq and
weixin.

# Click Apply. In the dialog box that is displayed, click OK.

NOTE
By default, dynamic optimization for voice and video services is enabled for all applications in Application
Detection Optimization List. To modify the status of the function for an application, select the application
and set Voice Detection Optimization and Video Detection Optimization to ON or OFF.

Step 4 Enable the multimedia air interface optimization function.


# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group name ap-group1. Click the icon next to Radio
Management and the icon next to Radio 0.

# Click the icon next to 2G Radio Profile and select RRM Profile. Click Create, enter wlan-rrm
in Profile name, and then click OK. The RRM Profile configuration page is displayed.
# On the Advanced Configuration tab, disable Dynamic EDCA and enable Multimedia air
interface optimization.


# Click Apply. In the dialog box that is displayed, click OK.

# Click the icon next to Radio 0 and the icon next to 5G Radio Management, and select RRM
Profile. The RRM profile configuration page is displayed.
# Click the drop-down list box next to RRM Profile and select wlan-rrm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 5 Verify the configuration.
1. Voice and video communication over QQ and WeChat is normal, ensuring good user
experience in voice and video services of QQ and WeChat.

----End

5.16.6 Example for Configuring Priorities for Skype4B Packets


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that voice and video packets of the Skype4B software have a
higher priority than desktop sharing and file transfer packets to ensure good user experience
in voice and video services.


Figure 5-68 Networking for configuring priorities for Skype4B packets

Data Planning

Table 5-74 AC data planning


Item                Data

AP group            • Name: ap-group1
                    • Referenced profiles: VAP profile wlan-net

VAP profile         • Name: wlan-net
                    • Referenced profiles: UCC profile wlan-ucc

UCC profile         • Name: wlan-ucc
                    • 802.1p priority of Skype4B voice packets: 6
                    • 802.1p priority of Skype4B video packets: 5
                    • 802.1p priority of Skype4B desktop sharing packets: 4
                    • 802.1p priority of Skype4B file transfer packets: 3

Skype4B server      9000
port number


Configuration Roadmap
1. Configure priorities for Skype4B packets to set higher priorities for voice and video
packets than those of desktop sharing and file transfer packets.
2. Configure the AC to interact with the Skype4B server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure priorities for Skype4B packets.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration. Under it,
click the icon in front of wlan-net. Click UCC Profile. The UCC Profile page is displayed.
# Click Create. The Create UCC Profile page is displayed.
# Enter the UCC profile name wlan-ucc in Profile name and click OK. The parameter setting
page of the new UCC profile is displayed.
# Configure priorities for Skype4B packets according to the following figure.


# Click Apply. In the dialog box that is displayed, click OK.


Step 2 Configure the AC to interact with the Skype4B server.
# Choose Configuration > Other Services > App Identification & Optimization >
Skype4B. The Skype4B page is displayed.
# On the Skype4B page, set Skype4B listener to ON, Type to HTTP, and HTTP port to
9000.

NOTE

• The port number of the HTTP service specified on the AC must be consistent with the port number on the
  Skype4B server.
• You need to specify the IP address of the AC for the Skype4B server and the port number of the Skype4B
  server.

# Click Apply. In the dialog box that is displayed, click OK.


Step 3 Verify the configuration.
1. The priorities of Skype4B voice and video packets are higher than those of Skype4B
desktop sharing and file transfer packets. Therefore, users are provided with good voice
and video service experience.

----End

5.17 WLAN Enhanced Services Configuration Examples


5.17.1 Example for Configuring WLAN-based E-Schoolbag
Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use smart terminals
such as PCs, tablets, and mobile phones to participate in teaching and learning activities
online.
A teacher can teach students in multiple classrooms without space limitation.
To ensure successful teaching activities, AP4030TNs are used to deploy basic WLAN
services to support access of many students and provide sufficient bandwidth.
The AP4030TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch between
2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default, radio 0 works on
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-69 Networking for configuring the WLAN-based e-schoolbag service


Data Planning

Table 5-75 AC data planning


Item                Data

Management VLAN     VLAN 100
for APs

Service VLAN        VLAN 101
for STAs

DHCP server         The AC functions as a DHCP server to assign IP addresses to APs.
                    SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                    default gateway address of STAs is 10.23.101.2.

IP address pool     10.23.100.2-10.23.100.254/24
for APs

IP address pool     10.23.101.3-10.23.101.254/24
for STAs

AC's source         VLANIF 100: 10.23.100.1/24
interface address

AP group            • Name: ap-group1
                    • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                      default, 2G radio profile wlan-radio2g, and 5G radio profile
                      wlan-radio5g

Regulatory domain   • Name: default
profile             • Country code: China

SSID profile        • Name: wlan-net
                    • SSID name: wlan-net
                    • Maximum number of users: 128
                    • EDCA parameters for AC_BE packets on STAs
                      – AIFSN: 3
                      – ECWmin: 7
                      – ECWmax: 10

Security profile    • Name: wlan-net
                    • Security policy: WPA-WPA2+PSK+AES
                    • Password: a1234567

VAP profile         • Name: wlan-net
                    • Forwarding mode: direct forwarding
                    • Service VLAN: VLAN 101
                    • Band steering: enabled
                    • Broadcast flood detection: enabled
                    • Rate threshold for broadcast flood detection: 50 pps
                    • Referenced profiles: SSID profile wlan-net, security profile wlan-net,
                      and traffic profile wlan-traffic

RRM profile         • Name: wlan-rrm
                    • Airtime fair scheduling: enabled

2G radio profile    • Name: wlan-radio2g
                    • RTS-CTS operation mode: rts-cts
                    • RTS-CTS threshold: 1400 bytes
                    • Beacon interval: 160 TUs
                    • Short preamble: enabled
                    • GI mode: short
                    • 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
                    • Multicast rate: 11 Mbit/s
                    • EDCA parameters for AC_BE packets on APs:
                      – AIFSN: 3
                      – ECWmin: 5
                      – ECWmax: 6
                    • Referenced profile: RRM profile wlan-rrm

5G radio profile    • Name: wlan-radio5g
                    • RTS-CTS operation mode: rts-cts
                    • RTS-CTS threshold: 1400 bytes
                    • Beacon interval: 160 TUs
                    • GI mode: short
                    • Multicast rate: 6 Mbit/s
                    • EDCA parameters for AC_BE packets on APs:
                      – AIFSN: 3
                      – ECWmin: 5
                      – ECWmax: 6
                    • Referenced profile: RRM profile wlan-rrm

Traffic profile     • Name: wlan-traffic
                    • Uplink rate limit for a STA: 4000 kbit/s
                    • Downlink rate limit for a STA: 4000 kbit/s


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Adjust network parameters for e-schoolbag.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
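
A pre-import check for the AP template rows described in Step 4, as an added example (not Huawei code and not part of the original guide): it enforces the mandatory field for the chosen AP authentication mode from the NOTE, checks identifier formats, and flags duplicate or unknown entries. The CSV layout with the field labels as column headers, the xxxx-xxxx-xxxx MAC form and 20-character SN taken from the page's sample, the function name and the faulty sample rows are assumptions of this example; the real template layout may differ.

```python
"""Pre-import check for AP template rows (added example, not Huawei code).

Assumptions: the template is a CSV whose column headers are the field labels
listed in Step 4; MAC addresses use the xxxx-xxxx-xxxx form of the page's
sample; an SN is 20 alphanumeric characters like the page's sample.
"""
import csv
import io
import re

MAC_RE = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")
SN_RE = re.compile(r"[0-9A-Za-z]{20}")
# From the NOTE: which identifier is mandatory under each AP authentication mode.
MANDATORY = {"mac": "AP MAC", "sn": "AP SN"}
UNIQUE_FIELDS = ("AP MAC", "AP SN", "AP Name")


def validate_ap_rows(csv_text, auth_mode, known_groups):
    """Return a list of (line_number, message) problems; empty means clean."""
    if auth_mode not in MANDATORY:
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    required = MANDATORY[auth_mode]
    errors = []
    first_seen = {field: {} for field in UNIQUE_FIELDS}
    reader = csv.DictReader(io.StringIO(csv_text))
    for raw in reader:
        line = reader.line_num
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        if not row.get(required):
            errors.append((line, f"{required} is mandatory for {auth_mode} authentication"))
        mac, sn = row.get("AP MAC", ""), row.get("AP SN", "")
        if mac and not MAC_RE.fullmatch(mac):
            errors.append((line, f"AP MAC {mac!r} is not in xxxx-xxxx-xxxx hex form"))
        if sn and not SN_RE.fullmatch(sn):
            errors.append((line, f"AP SN {sn!r} is not 20 alphanumeric characters"))
        group = row.get("AP Group", "")
        if group not in known_groups:
            errors.append((line, f"AP Group {group!r} is not a known group"))
        # An identifier that appears twice means two rows claim the same AP.
        for field in UNIQUE_FIELDS:
            value = row.get(field, "").lower()
            if not value:
                continue
            if value in first_seen[field]:
                errors.append((line, f"{field} duplicates line {first_seen[field][value]}"))
            else:
                first_seen[field][value] = line
    return errors


# Constructed sample: line 2 is the AP from this page, lines 3-5 are deliberately faulty.
SAMPLE_TEMPLATE = """AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60de-4476-e360,,area_2,ap-group1
,210235419610CB00228Z,area_3,ap-group1
60:de:44:76:e3:80,,area_4,ap-group9
"""

if __name__ == "__main__":
    for line, message in validate_ap_rows(SAMPLE_TEMPLATE, "mac", {"ap-group1"}):
        print(f"line {line}: {message}")
```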
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Adjust network parameters for e-schoolbag.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net. The
VAP Profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function and the
broadcast flood detection function, and configure the rate threshold for broadcast flood
detection.

# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.

# Choose VAP Configuration > wlan-net > SSID Profile. The SSID Profile page is
displayed.

# On the Advanced Configuration tab, set the maximum number of users to 128. Set
EDCA parameters for AC_BE packets on STAs as follows: AIFSN to 3, ECWmin to 7,
and ECWmax to 10.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.

# Choose VAP Configuration > wlan-net > Traffic Profile. The Traffic Profile page is
displayed.

# Click Create. On the Create Traffic Profile page that is displayed, enter the profile
name wlan-traffic and click OK. The traffic profile configuration page is displayed.

# Set the upstream and downstream rate limits to 4000 kbit/s and 4000 kbit/s for STAs,
respectively.

# Click Apply. In the dialog box that is displayed, click OK.


4. Create a 2G radio profile and adjust 2G radio profile parameters.

# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio Profile
page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# On the Advanced Configuration tab, perform the following configurations:


– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function.


– Set the GI mode to short.


– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.


5. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Radio Management > Radio 1 > 5G Radio Profile. The 5G Radio Profile
page is displayed.


# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.


# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 2 > 5G Radio Profile. The 5G Radio Profile
page is displayed.
# On the 5G radio profile configuration page that is displayed, set 5G Radio Profile to
wlan-radio5g and click Apply. In the dialog box that is displayed, click OK.
6. Create the RRM profile and adjust RRM profile parameters.


# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile. The
RRM Profile page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable airtime fair scheduling.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile. The
RRM Profile page is displayed.
# On the RRM profile configuration page that is displayed, set RRM Profile to wlan-rrm
and click Apply. In the dialog box that is displayed, click OK.
# The configuration of Radio 2 is similar to that of Radio 1 and is not mentioned here.
Step 7 Set the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to 20-
MHz channel 6 and transmit power to 127 dBm. Disable automatic channel and power
calibration functions.

# Click Radio1 and Radio2 to set the channel to 20-MHz channel 149 and 20-MHz channel
153 respectively and transmit power to 127 dBm. The configuration is similar to that of
Radio0.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.17.2 Example for Configuring WLAN Hotspot2.0 Services


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot 2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.


Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_B) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 5-70 Networking for configuring WLAN Hotspot 2.0 services

Data Planning

Table 5-76 Data planning on the AC

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. The aggregation switch (Switch_B) functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.101.1/24 |
| AP group | Name: ap-group1; Country code: China; Referenced profile: VAP profile wlan-net |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA2-802.1x-AES |
| Authentication profile | Name: wlan-net; Access authentication mode: 802.1x |
| Hotspot2.0 profile | Name: wlan-net; Network type: free public network; Internet access: supported; Venue type and name: Assembly and Coffee Shop; HESSID: 60de-4476-e360; IP address availability: available; Network authentication type: acceptance; P2P cross connection: disabled; Cellular network profile: wlan-net (46000); Roaming consortium profile: wlan-net (50-6f-9a); NAI realm profile: wlan-net (www.mobileA.com); Network connection capability profile: wlan-net (HTTP service: enabled); Operator domain profile: wlan-net (www.mobileA.com); Operator name profile: wlan-net (eng, mobileA); Venue name profile: wlan-net (eng, Coffee); Operating class profile: wlan-net (81) |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net, and Hotspot2.0 profile wlan-net |
| RADIUS server | IP address: 10.23.102.1; Port number: 1812; Shared key: huawei123 |


Configuration Roadmap
1. Select Config Wizard to configure the APs to go online on the AC.
2. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
3. In Profile Management, change the security policy to WPA2, and complete the
Hotspot2.0 service configuration based on the data planning.
4. Complete service verification.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Configure security authentication.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.


# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure Hotspot2.0 services.
1. Choose Configuration > AP Config > AP Group > AP Group. Click ap-group1. The
AP group configuration page is displayed.
2. Choose VAP Configuration > wlan-net > Security Profile, set the security policy to
WPA2, and click Apply. In the dialog box that is displayed, click OK.

3. Choose VAP Configuration > wlan-net > Hotspot2.0 Profile. The Hotspot2.0 profile
page is displayed. Click Create. On the Create Hotspot2.0 Profile page that is
displayed, set Profile name to wlan-net and click OK. Configure parameters and click
Apply. In the dialog box that is displayed, click OK.


4. Click in front of Hotspot2.0 Profile and select Cellular Network Profile. The
Cellular Network Profile page is displayed. Click Create. The Create Cellular
Network Profile page is displayed. Set Profile name to wlan-net, and click OK. Set
PLMN ID, and click Apply. In the dialog box that is displayed, click OK.

5. Select Roaming Consortium Profile. The Roaming Consortium Profile page is
displayed. Click Create. The Create Roaming Consortium Profile page is displayed.
Set Profile name to wlan-net, and click OK. Set Roaming consortium OI, and click
Apply. In the dialog box that is displayed, click OK.


6. Select NAI Realm Profile. The NAI Realm Profile page is displayed. Click Create.
The Create NAI Realm Profile page is displayed. Set Profile name to wlan-net, and
click OK. Set Realm name, and click Apply. In the dialog box that is displayed, click
OK.

7. Select Network Connection Capability Profile. The Network Connection Capability
Profile page is displayed. Click Create. The Create Network Connection Capability
Profile page is displayed. Set Profile name to wlan-net, and click OK. Set HTTP to
ON, and click Apply. In the dialog box that is displayed, click OK.

8. Select Operator Domain Profile. The Operator Domain Profile page is displayed.
Click Create. The Create Operator Domain Profile page is displayed. Set Profile name
to wlan-net, and click OK. Set Domain name, and click Apply. In the dialog box that is
displayed, click OK.

9. Select Carrier Name Profile. The Carrier Name Profile page is displayed. Click
Create. The Create Carrier Name Profile page is displayed. Set Profile name to wlan-
net, and click OK. Set Operator name, and click Apply. In the dialog box that is
displayed, click OK.

10. Select Venue Name Profile. The Venue Name Profile page is displayed. Click Create.
The Create Venue Name Profile page is displayed. Set Profile name to wlan-net, and
click OK. Set Venue name, and click Apply. In the dialog box that is displayed, click
OK.


11. Select Operating Class Profile. The Operating Class Profile page is displayed. Click
Create. The Create Operating Class Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set Frequency band indication No., and click Apply. In the
dialog box that is displayed, click OK.

Step 8 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

To improve data transmission reliability, the enterprise requires that data forwarding not be
affected even when the AC is faulty.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 5-71 Networking for configuring service holding upon WLAN CAPWAP link
disconnection

Data Planning

Table 5-77 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Switch functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.1.1.3-10.1.1.254/24 |
| IP address pool for STAs | 10.1.2.3-10.1.2.254/24 |
| Gateway address for APs | 10.1.1.1/24 |
| Gateway address for STAs | 10.1.2.1/24 |
| AC source interface | VLANIF 100: 10.1.1.2/24 |
| AP group | Name: ap-group1; Referenced profiles: AP system profile ap-system, VAP profile wlan-net, and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| AP system profile | Name: ap-system; Service holding upon CAPWAP link disconnection: enabled |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
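
The port-isolation and VLAN notes above can be checked against a switch session before APs are brought online. The following Python audit is an added example, not Huawei tooling or part of the original manual; the function names, the choice to pass the AP-facing ports explicitly, and the sample session (this example's Switch commands with the port-isolate line left out) are assumptions constructed for illustration.

```python
import re

# Constructed sample: this example's Switch session with the
# "port-isolate enable" line on GE0/0/1 deliberately left out.
SAMPLE_MISSING_ISOLATION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
"""

# Leading CLI prompt such as "<HUAWEI> " or "[Switch-GigabitEthernet0/0/1] ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")


def expand_vlans(tokens):
    """Turn ['100', '101'], ['100', 'to', '101'] or ['all'] into a set of IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(session):
    """Collect PVID, allowed VLANs and isolation state per interface."""
    interfaces, current = {}, None
    for raw in session.splitlines():
        line = PROMPT.sub("", raw).strip().lower()
        if line.startswith("interface "):
            name = line.split(None, 1)[1].replace(" ", "")
            current = interfaces.setdefault(
                name, {"pvid": None, "allowed": set(), "isolated": False})
        elif line in ("quit", "return"):
            current = None
        elif current is None:
            continue
        elif line.startswith("port trunk pvid vlan "):
            current["pvid"] = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            current["allowed"] |= expand_vlans(line.split()[4:])
        elif line == "port-isolate enable":
            current["isolated"] = True
    return interfaces


def audit_ap_ports(session, ap_ports, mgmt_vlan, service_vlan,
                   forwarding="direct"):
    """Return a list of findings for the AP-facing ports named in ap_ports."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("tunnel forwarding: management and service VLAN "
                        "must not be the same")
    interfaces = parse_interfaces(session)
    for port in ap_ports:
        cfg = interfaces.get(port.lower().replace(" ", ""))
        if cfg is None:
            findings.append(f"{port}: no configuration found in session")
            continue
        if cfg["pvid"] != mgmt_vlan:
            findings.append(f"{port}: PVID is {cfg['pvid']}, expected "
                            f"management VLAN {mgmt_vlan}")
        if mgmt_vlan not in cfg["allowed"]:
            findings.append(f"{port}: management VLAN {mgmt_vlan} "
                            "is not allowed")
        if forwarding == "direct" and service_vlan not in cfg["allowed"]:
            findings.append(f"{port}: service VLAN {service_vlan} is not "
                            "allowed (direct forwarding)")
        if not cfg["isolated"]:
            findings.append(f"{port}: port-isolate enable is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_ap_ports(SAMPLE_MISSING_ISOLATION,
                                  ["GigabitEthernet0/0/1"], 100, 101):
        print(finding)
```
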

Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.


# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.1.1.2/24. You do not need to configure DHCP
on the AC.

# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Create an AP system profile and configure service holding upon link disconnection.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose AP > AP System Profile. The AP System Profile page is displayed.

# Click Create. On the Create AP System Profile page that is displayed, enter the profile
name ap-system and click OK. The AP system profile configuration page is displayed.

# Set Policy for service holding upon link disconnection to Holding and prohibiting new
user access.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.


# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic channel
and power calibration functions, and set the AP channel to 20-MHz channel 149 and
transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.
The WLAN with the SSID wlan-net is available, and STAs can access the WLAN normally.
When the CAPWAP link is disconnected due to an AC fault, service data forwarding of STAs
in Area A is not affected.

----End

5.17.4 Example for Configuring Channel Switching Without Service Interruption

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.

Networking Requirements
– AC networking mode: Layer 2 networking in bypass mode
– DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
– Service data forwarding mode: direct forwarding

Figure 5-72 Networking for configuring channel switching without service interruption

Data Planning

Table 5-78 AC data planning


Item | Data
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
DHCP server | Switch functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.1.1.3-10.1.1.254/24
IP address pool for STAs | 10.1.2.3-10.1.2.254/24
Gateway address for APs | 10.1.1.1/24
Gateway address for STAs | 10.1.2.1/24
AC's source interface address | VLANIF 100: 10.1.1.2/24
AP group | Name: ap-group1; Referenced profiles: 2G radio profile wlan-radio2g, 5G radio profile wlan-radio5g, VAP profile wlan-net, and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
2G radio profile | Name: wlan-radio2g; Channel switch announcement: enabled; Channel switch announcement mode: continue-transmitting
5G radio profile | Name: wlan-radio5g; Channel switch announcement: enabled; Channel switch announcement mode: continue-transmitting

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.
6. Deliver the WLAN services to the APs and verify the configuration.


Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On Switch, configure VLANIF 100 to assign IP addresses to APs.


[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# On Switch, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
– In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
– In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.1.1.2/24. You do not need to configure DHCP
on the AC.


# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287

– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Create radio profiles and configure channel switching without service interruption.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# On the Advanced Configuration tab, enable channel switching announcement and
configure the AP to continue transmitting data on the current channel when the channel is
switched.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


The WLAN with the SSID wlan-net is available, and STAs can access the WLAN properly.
When the channel of AP1 or AP2 is changed, service data forwarding of STAs in Area A is
not affected.

----End
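
The Step 1 switch configuration above restricts each trunk to the planned VLANs and enables port isolation on the AP-facing ports. The following check is an added example, not part of the Huawei document: it parses the transcript and reports any port that drifts from that plan. The PLAN dictionary layout and function names are this example's own.

```python
import re

# Step 1 switch transcript from the page (prompts kept; link-type and quit lines omitted).
SWITCH_CFG = """\
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
"""
# Expected state per port, taken from the Step 1 description (layout is this example's own).
AP_PORT = {"vlans": {100, 101}, "pvid": 100, "isolate": True}
PLAN = {"0/0/1": AP_PORT, "0/0/2": AP_PORT, "0/0/3": {"vlans": {100}, "pvid": None, "isolate": False}}
ALLOW, PVID = "port trunk allow-pass vlan ", "port trunk pvid vlan "

def expand_vlans(spec):
    """Expand allow-pass arguments such as '100 to 101 200' into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(cfg):
    """Map port number -> observed trunk settings, ignoring CLI prompts."""
    ports, cur = {}, None
    for raw in cfg.splitlines():
        line = re.sub(r"^(\[[^\]]*\]|<[^>]*>)\s*", "", raw.strip())
        m = re.match(r"interface gigabitethernet\s*(\S+)$", line, re.I)
        if m:
            cur = ports.setdefault(m.group(1), {"vlans": set(), "pvid": None, "isolate": False})
        elif cur is not None and line.startswith(ALLOW):
            cur["vlans"] |= expand_vlans(line[len(ALLOW):])
        elif cur is not None and line.startswith(PVID):
            cur["pvid"] = int(line[len(PVID):])
        elif cur is not None and line == "port-isolate enable":
            cur["isolate"] = True
    return ports

def audit(cfg, plan):
    """Return (port, finding) tuples where the configuration departs from the plan."""
    findings, actual = [], parse_interfaces(cfg)
    for port, want in plan.items():
        got = actual.get(port)
        if got is None:
            findings.append((port, "interface not configured"))
            continue
        if got["vlans"] - want["vlans"]:
            findings.append((port, f"unplanned VLANs allowed: {sorted(got['vlans'] - want['vlans'])}"))
        if want["vlans"] - got["vlans"]:
            findings.append((port, f"planned VLANs missing: {sorted(want['vlans'] - got['vlans'])}"))
        if got["pvid"] != want["pvid"]:
            findings.append((port, f"pvid {got['pvid']} != planned {want['pvid']}"))
        if want["isolate"] and not got["isolate"]:
            findings.append((port, "port-isolate not enabled"))
    return findings
```

An empty result from audit(SWITCH_CFG, PLAN) means the transcript matches the plan.
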

5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address

Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.

Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)

Figure 5-73 Networking for configuring an AP to go online using a static IP address

Data Planning

Table 5-79 AC data planning

Item | Data
Management VLAN for APs | VLAN 100
AC's source interface address | 10.23.100.1/24
AP's static IP address | 10.23.100.100/24
AP group | Name: ap-group1


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure global parameters on the AC.
3. Configure an AP to go online.
4. Configure a static IP address for the AP and enable the AP to go online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Finish.


Step 4 Configure a static IP address for the AP.
1. Choose Configuration > AC Config > IP > DHCP Address Pool.
2. Bind a static IP address to the AP.
# In the address pool list, click Vlanif100. The Modify DHCP Address Pool page is
displayed.
# Bind a static IP address to the AP.
NOTE

When the IP address in the interface address pool is statically bound to a MAC address, the IP address
must be in the range of IP addresses that can be assigned dynamically.

# Click OK.
Step 5 Verify the configuration.
After the configuration is complete, you can check online information about the AP with the
IP address 10.23.100.100 in AP List.
----End
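
Two rules in the procedure above can be checked before anything is imported: the NOTE on which AP identifier is mandatory for each AP authentication mode, and the NOTE that a statically bound IP address must lie in the interface address pool's assignable range. The following pre-import check is an added example, not part of the Huawei document; the row field names, the "mac"/"sn" mode labels and the definition of "assignable" are assumptions of this example.

```python
import ipaddress
import re

# First row is the AP from the page; the second row is constructed for illustration.
SAMPLE_ROWS = [
    {"name": "area_1", "mac": "60de-4476-e360", "sn": "210235419610CB002287", "group": "ap-group1"},
    {"name": "area_2", "mac": "", "sn": "CONSTRUCTED-SN-0002", "group": "ap-group1"},
]


def normalize_mac(mac):
    """Return the MAC in the page's xxxx-xxxx-xxxx notation, or None if it is not 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def validate_aps(rows, auth_mode):
    """Apply the NOTE's rule: the identifier the AC authenticates on is mandatory.

    auth_mode is "mac" or "sn" (labels chosen for this example).
    Returns (ap_name, problem) tuples; an empty list means the rows can be imported.
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    problems, seen = [], set()
    for row in rows:
        name = row.get("name") or "?"
        mac, sn = normalize_mac(row.get("mac")), (row.get("sn") or "").strip()
        if row.get("mac") and mac is None:
            problems.append((name, "malformed MAC"))
            continue
        key = mac if auth_mode == "mac" else sn
        if not key:
            problems.append((name, f"{auth_mode.upper()} is mandatory in this mode"))
        elif key in seen:
            problems.append((name, f"duplicate {auth_mode.upper()}: {key}"))
        seen.add(key)
        if not row.get("group"):
            problems.append((name, "no AP group"))
    return problems


def binding_in_pool(static_ip, interface_cidr, excluded=()):
    """True if static_ip is a host address the interface address pool could hand out.

    Assumption of this example: assignable means inside the interface subnet, not the
    network/broadcast address, not the interface's own address, and not excluded.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    ip = ipaddress.ip_address(static_ip)
    reserved = {iface.ip, iface.network.network_address, iface.network.broadcast_address}
    reserved |= {ipaddress.ip_address(e) for e in excluded}
    return ip in iface.network and ip not in reserved
```
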

5.17.6 Example for Configuring the Soft GRE Service


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
