Issue 01
Date 2017-12-29
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Purpose
This document provides the typical configuration examples supported by the WLAN.
Intended Audience
This document is intended for network engineers responsible for WLAN configuration and
management. You should be familiar with basic Ethernet knowledge and have extensive
experience in network deployment and management.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
NOTE
The interface types, command outputs, and device models provided in this manual vary according to
device configurations and may differ from the actual information.
To obtain a better user experience, you are advised to set the number of columns displayed on the
command line editor to 132 or higher.
The pages displayed on your web platform may be different from those in this example and shall prevail.
Security Conventions
• Password setting
When configuring a password, ciphertext is recommended. To ensure device
security, do not disable the password complexity check, and change the password
periodically.
When configuring a plaintext password, do not start and end it with %$%$, %^%#,
%#%#, %@%@, or @%@%, which are considered valid ciphertext characters. The device
can decrypt such a password and display the same plaintext password as that configured
by the user in the configuration file. Ciphertext passwords starting and ending with
%$%$, %^%#, %#%#, %@%@, or @%@% are valid. However, ciphertext passwords for
different features are not interchangeable. For example, the ciphertext password
generated for Authentication, Authorization, Accounting (AAA) cannot be configured
for other features.
• Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA,
SHA1, SHA-2, MD5 and SMS4. The encryption algorithm depends on the applicable
scenario. Use the recommended encryption algorithm; otherwise, security defense
requirements may not be met.
– For the symmetrical encryption algorithm, use AES with a key of 128 bits or
more.
– For the asymmetrical encryption algorithm, use RSA with a key of 2048 bits or
more.
– For the hash algorithm, use SHA2 with a key of 256 bits or more.
– For the HMAC algorithm, use HMAC-SHA2.
– The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital
signature scenarios and password encryption)/SHA1 (in digital signature scenarios)
have low security, which may bring security risks. If the protocol allows, using
more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/
SHA2/HMAC-SHA2, is recommended.
– SHA2 is an irreversible encryption algorithm. An irreversible encryption algorithm
must be used for the administrator password.
• Personal data
Some personal data (such as the MAC or IP addresses of users) may be obtained or used
during operation or fault location of your purchased products, services, and features, so you
have an obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
Configuration Conventions
Large-scale or batch service configuration using scripts may cause high CPU usage,
preventing the system from processing regular services.
V200R009C00 AC6005
AC6605
ACU2
AC6800V
AP2030DN
AP2050DN
AP2050DN-E
AP2051DN
AP2051DN-E
AP4030DN
AP4050DN
AP4050DN-E
AP4051DN
AP4130DN
AP4151DN
AP5030DN
AP5130DN
AP6050DN
AP6150DN
AP6510DN-AGN
AP7050DE
AP7050DN-E
AP7052DN
AP7152DN
AP8030DN
AP8050DN
AP8082DN
AP8130DN
AP8150DN
AP8182DN
AD9430DN-12
AD9430DN-24
R230D
R240D
R250D
R251D
R251D
R250D-E
R450D
Contents
3 WLAN Configuration
3.1 WLAN Service Configuration Procedure
3.1.1 Reference Relationships Between WLAN Profiles
3.1.2 WLAN Basic Service Configuration Procedure
3.1.3 AP Group and AP
3.1.4 Regulatory Domain Profile
3.1.5 Radio Profile
3.1.6 Air Scan Profile
3.1.7 RRM Profile
3.1.8 VAP Profile
3.1.9 SSID Profile
3.1.10 Authentication Profile
3.1.11 Security Profile
3.1.12 Traffic Profile
3.1.13 UCC Profile
3.1.14 Attack Defense Profile
3.1.15 User Profile
3.1.16 Soft GRE profile
3.1.17 STA Blacklist Profile
3.1.18 STA Whitelist Profile
3.1.19 SAC Profile
3.1.20 Hotspot2.0 Profile
3.1.21 AP System Profile
3.1.22 AP Wired Port Profile
3.1.23 AP Wired Port Link Profile
3.1.24 WIDS Profile
3.1.25 WIDS Spoof SSID Profile
4.4.11 Example for Configuring VPN Traversal Between the AC and APs
4.4.12 Example for Configuring Hand-in-Hand WDS Services
4.4.13 Example for Configuring Back-to-Back WDS
4.4.14 Example for Configuring Common Mesh Services
4.4.15 Example for Configuring Dual-MPP Mesh Services
4.5 AP's Wired Interface Configuration Examples
4.5.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
4.6 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.6.1 Example for Configuring the PPPoE Client
4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem
4.7 Authentication Configuration Examples
4.7.1 Example for Configuring External Portal Authentication
4.7.2 Example for Configuring Built-in Portal Authentication for Local Users
4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication
4.7.4 Example for Configuring 802.1X Authentication
4.7.5 Example for Configuring MAC Address Authentication
4.7.6 Example for Configuring MAC Authentication for Local Users
4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server
4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs
4.8 Reliability Configuration Examples
4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode
4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode
4.8.6 Example for Configuring VRRP HSB
4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)
4.9 Roaming Configuration Examples
4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
4.9.2 Example for Configuring Intra-VLAN Roaming
4.9.3 Example for Configuring Inter-AC Layer 2 Roaming
4.9.4 Example for Configuring Inter-AC Layer 3 Roaming
4.9.5 Example for Configuring Agile Distributed SFN Roaming
4.10 Agile Distributed Networking Configuration Examples
4.10.1 Example for Configuring an Agile Distributed WLAN
4.11 High-Density Configuration Examples
4.11.1 Example for Configuring High-Density WLAN Services
4.12 Example for Configuring Vehicle-Ground Communication
4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover
4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)
4.13 Radio Resource Management Configuration Examples
4.13.1 Example for Configuring Dynamic Load Balancing
4.13.2 Example for Configuring Static Load Balancing
4.13.3 Example for Configuring Band Steering
4.13.4 Example for Configuring Smart Roaming
4.14 Spectrum Analysis Configuration Examples
4.14.1 Example for Configuring Spectrum Analysis
4.15 WLAN Security Configuration Examples
4.15.1 Example for Configuring Rogue Device Detection and Containment
4.15.2 Example for Configuring Attack Detection
4.15.3 Example for Configuring the STA Blacklist and Whitelist
4.16 WLAN Location Configuration Examples
4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location
4.16.2 Example for Configuring AeroScout MU Location
4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location
4.16.4 Example for Configuring Wi-Fi Terminal Location
4.16.5 Example for Configuring Bluetooth Terminal Location
4.17 WLAN QoS Configuration Examples
4.17.1 Common Misconfigurations
4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs
4.17.2 Example for Configuring WMM and Priority Mapping
4.17.3 Example for Configuring Traffic Policing
4.17.4 Example for Configuring Airtime Fair Scheduling
4.17.5 Example for Configuring ACL-based Packet Filtering
4.17.6 Example for Configuring Optimization for Voice and Video Services
4.17.7 Example for Configuring Priorities for Skype4B Packets
4.18 WLAN Enhanced Services Configuration Examples
4.18.1 Example for Configuring WLAN-based E-schoolbag
4.18.2 Example for Configuring WLAN Hotspot 2.0 Services
4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection
4.18.4 Example for Configuring Channel Switching Without Service Interruption
4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address
4.18.6 Example for Configuring the Soft GRE Service
4.18.7 Example for Configuring Bandwidth-based Multicast CAC
4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships
4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC
4.19 Comprehensive Case
4.19.1 Example for Configuring Unified Access for Wired and Wireless Users
4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)
4.19.2.1 Application Scenario and Service Requirements
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem
5.4 PPPoE Configuration Examples (Fat Central AP)
5.4.1 Example for Configuring the Device as a PPPoE Client
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem
5.5 WLAN Basic Networking Configuration Examples
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode
5.5.9 Example for Configuring NAT Traversal Between the AC and APs
5.5.10 Example for Configuring VPN Traversal Between the AC and APs
5.5.11 Example for Configuring Hand-in-Hand WDS Services
5.5.12 Example for Configuring Back-to-Back WDS
5.5.13 Example for Configuring Common Mesh Services
5.5.14 Example for Configuring Dual-MPP Mesh Services
5.6 AP's Wired Interface Configuration Examples
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
5.7 Authentication Configuration Examples
5.7.1 Example for Configuring External Portal Authentication
5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)
5.7.3 Example for Configuring Built-in Portal Authentication for Local Users
5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication
5.7.5 Example for Configuring 802.1X Authentication
5.7.6 Example for Configuring MAC Address Authentication
5.7.7 Example for Configuring MAC Authentication for Local Users
5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
5.7.9 Example for Configuring Built-in Portal WeChat Authentication
5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs
5.8 Reliability Configuration Examples
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs
5.8.5 Example for Configuring VRRP HSB
5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
5.9 Roaming Configuration Examples
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
3.1.26 WIDS Whitelist Profile........................................................................................................................................... 34
3.1.27 Location Profile....................................................................................................................................................... 34
3.1.28 BLE Profile..............................................................................................................................................................35
3.1.29 WDS Profile............................................................................................................................................................ 35
3.1.30 WDS Whitelist Profile.............................................................................................................................................36
3.1.31 Mesh Profile............................................................................................................................................................ 36
3.1.32 Mesh Handover Profile............................................................................................................................................37
3.1.33 Mesh Whitelist Profile.............................................................................................................................................37
3.1.34 IoT Profile................................................................................................................................................................37
4.6.2 Example for Connecting LAN to the Internet Using the ADSL Modem
4.7 Authentication Configuration Examples
4.7.1 Example for Configuring External Portal Authentication
4.7.2 Example for Configuring Built-in Portal Authentication for Local Users
4.7.3 Example for Configuring MAC Address-prioritized Portal Authentication
4.7.4 Example for Configuring 802.1X Authentication
4.7.5 Example for Configuring MAC Address Authentication
4.7.6 Example for Configuring MAC Authentication for Local Users
4.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
4.7.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server
4.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs
4.8 Reliability Configuration Examples
4.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
4.8.2 Example for Configuring Dual-Link HSB in Load Balancing Mode
4.8.3 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
4.8.4 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
4.8.5 Example for Configuring Dual-Link HSB in Active/Standby Mode
4.8.6 Example for Configuring VRRP HSB
4.8.7 Example for Configuring N+1 Backup (APs and ACs in different network segments)
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)
4.9 Roaming Configuration Examples
4.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
4.9.2 Example for Configuring Intra-VLAN Roaming
4.9.3 Example for Configuring Inter-AC Layer 2 Roaming
4.9.4 Example for Configuring Inter-AC Layer 3 Roaming
4.9.5 Example for Configuring Agile Distributed SFN Roaming
4.10 Agile Distributed Networking Configuration Examples
4.10.1 Example for Configuring an Agile Distributed WLAN
4.11 High-Density Configuration Examples
4.11.1 Example for Configuring High-Density WLAN Services
4.12 Example for Configuring Vehicle-Ground Communication
4.12.1 Example for Configuring Vehicle-Ground Fast Link Handover
4.12.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)
4.13 Radio Resource Management Configuration Examples
4.13.1 Example for Configuring Dynamic Load Balancing
4.13.2 Example for Configuring Static Load Balancing
4.13.3 Example for Configuring Band Steering
4.13.4 Example for Configuring Smart Roaming
4.14 Spectrum Analysis Configuration Examples
4.14.1 Example for Configuring Spectrum Analysis
4.15 WLAN Security Configuration Examples
4.15.1 Example for Configuring Rogue Device Detection and Containment
4.15.2 Example for Configuring Attack Detection
4.15.3 Example for Configuring the STA Blacklist and Whitelist
4.16 WLAN Location Configuration Examples
4.16.1 Example for Configuring AeroScout Wi-Fi Tag Location
4.16.2 Example for Configuring AeroScout MU Location
4.16.3 Example for Configuring Ekahau Wi-Fi Tag Location
4.16.4 Example for Configuring Wi-Fi Terminal Location
4.16.5 Example for Configuring Bluetooth Terminal Location
4.17 WLAN QoS Configuration Examples
4.17.1 Common Misconfigurations
4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs
4.17.2 Example for Configuring WMM and Priority Mapping
4.17.3 Example for Configuring Traffic Policing
4.17.4 Example for Configuring Airtime Fair Scheduling
4.17.5 Example for Configuring ACL-based Packet Filtering
4.17.6 Example for Configuring Optimization for Voice and Video Services
4.17.7 Example for Configuring Priorities for Skype4B Packets
4.18 WLAN Enhanced Services Configuration Examples
4.18.1 Example for Configuring WLAN-based E-schoolbag
4.18.2 Example for Configuring WLAN Hotspot 2.0 Services
4.18.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection
4.18.4 Example for Configuring Channel Switching Without Service Interruption
4.18.5 Example for Configuring an AP to Go Online Using a Static IP Address
4.18.6 Example for Configuring the Soft GRE Service
4.18.7 Example for Configuring Bandwidth-based Multicast CAC
4.18.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships
4.18.9 Example for Configuring EoGRE to Implement Layer 2 Communication Between the Wireless Gateway and AC
4.19 Comprehensive Case
4.19.1 Example for Configuring Unified Access for Wired and Wireless Users
4.19.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)
4.19.2.1 Application Scenario and Service Requirements
4.19.2.2 Solution Design
4.19.2.3 Configuration Roadmap and Data Plan
4.19.2.4 Configuration Notes
4.19.2.5 Configuration Procedure
4.19.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A
4.19.2.5.2 Configuring the Access Switch S5700-A in Office Building A
4.19.2.5.3 Configuring the Core Switch S12700
4.19.2.5.4 Configuring the Egress Firewall USG6650s
4.19.2.5.5 Configuring the Agile Controller
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode
5.5.9 Example for Configuring NAT Traversal Between the AC and APs
5.5.10 Example for Configuring VPN Traversal Between the AC and APs
5.5.11 Example for Configuring Hand-in-Hand WDS Services
5.5.12 Example for Configuring Back-to-Back WDS
5.5.13 Example for Configuring Common Mesh Services
5.5.14 Example for Configuring Dual-MPP Mesh Services
5.6 AP's Wired Interface Configuration Examples
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
5.7 Authentication Configuration Examples
5.7.1 Example for Configuring External Portal Authentication
5.7.2 Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)
5.7.3 Example for Configuring Built-in Portal Authentication for Local Users
5.7.4 Example for Configuring MAC Address-prioritized Portal Authentication
5.7.5 Example for Configuring 802.1X Authentication
5.7.6 Example for Configuring MAC Address Authentication
5.7.7 Example for Configuring MAC Authentication for Local Users
5.7.8 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
5.7.9 Example for Configuring Built-in Portal WeChat Authentication
5.7.10 Example for Configuring Different Authentication Modes for Multiple SSIDs
5.8 Reliability Configuration Examples
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs
5.8.5 Example for Configuring VRRP HSB
5.8.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
5.9 Roaming Configuration Examples
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming
5.9.2 Example for Configuring Intra-VLAN Roaming
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming
5.9.5 Example for Configuring Agile Distributed SFN Roaming
5.10 Agile Distributed Networking Configuration Examples
5.10.1 Example for Configuring an Agile Distributed WLAN
5.11 High-Density Configuration Examples
5.11.1 Example for Configuring High-Density WLAN Services
5.12 Example for Configuring Vehicle-Ground Communication
Contents
3 WLAN Configuration
3.1 WLAN Service Configuration Procedure
3.1.1 Reference Relationships Between WLAN Profiles
3.1.2 WLAN Basic Service Configuration Procedure
3.1.3 AP Group and AP
3.1.4 Regulatory Domain Profile
3.1.5 Radio Profile
3.1.6 Air Scan Profile
3.1.7 RRM Profile
3.1.8 VAP Profile
3.1.9 SSID Profile
3.1.10 Authentication Profile
3.1.11 Security Profile
3.1.12 Traffic Profile
3.1.13 UCC Profile
3.1.14 Attack Defense Profile
3.1.15 User Profile
3.1.16 Soft GRE profile
3.1.17 STA Blacklist Profile
3.1.18 STA Whitelist Profile
3.1.19 SAC Profile
3.1.20 Hotspot2.0 Profile
3.1.21 AP System Profile
3.1.22 AP Wired Port Profile
3.1.23 AP Wired Port Link Profile
3.1.24 WIDS Profile
3.1.25 WIDS Spoof SSID Profile
3.1.26 WIDS Whitelist Profile
3.1.27 Location Profile
3.1.28 BLE Profile
3.1.29 WDS Profile
3.1.30 WDS Whitelist Profile
3.1.31 Mesh Profile
3.1.32 Mesh Handover Profile
3.1.33 Mesh Whitelist Profile
3.1.34 IoT Profile
3.1.35 WMI Profile
3.1.36 AP Provisioning Profile
3.1.37 Common Operations of Profiles
3.2 Data Packet Processing
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1540
5.13 Radio Resource Management Configuration Examples.........................................................................................1557
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1557
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1560
5.13.3 Example for Configuring Band Steering............................................................................................................. 1563
Figures
Figure 4-64 Networking for configuring rogue device detection and containment
Figure 4-65 Networking for configuring attack detection
Figure 4-66 Networking for configuring the STA blacklist and whitelist
Figure 4-67 Networking for configuring AeroScout Wi-Fi tag location
Figure 4-68 Networking for configuring AeroScout MU location
Figure 4-69 Networking for configuring Ekahau Wi-Fi tag location
Figure 4-70 Networking for configuring Wi-Fi terminal location
Figure 4-71 Networking for configuring Bluetooth terminal location
Figure 4-72 Networking for configuring WMM and priority mapping
Figure 4-73 Networking for configuring traffic policing
Figure 4-74 Networking for configuring airtime fair scheduling
Figure 4-75 Networking for configuring ACL-based packet filtering
Figure 4-76 Networking for configuring optimization for voice and video services
Figure 4-77 Networking for configuring priorities for Skype4B packets
Figure 4-78 Networking for configuring the WLAN-based e-schoolbag service
Figure 4-79 Networking for configuring WLAN Hotspot 2.0 services
Figure 4-80 Networking for configuring service holding upon WLAN CAPWAP link disconnection
Figure 4-81 Networking for configuring channel switching without service interruption
Figure 4-82 Networking for configuring an AP to go online using a static IP address
Figure 4-83 Networking for configuring the soft GRE service
Figure 4-84 Networking for configuring bandwidth-based multicast CAC
Figure 4-85 Networking for configuring CAC based on the number of multicast group memberships
Figure 4-86 Layer 2 communication between the wireless gateway and AC implemented through EoGRE
Figure 4-87 Networking for unified wired and wireless access
Figure 4-88 Network topology
Figure 4-89 Networking diagram
Figure 5-1 Networking diagram for configuring 802.1x authentication
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication
Figure 5-3 Networking diagram for configuring a high-density WLAN
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services
Figure 5-5 Networking for configuring vehicle-ground fast link handover
Figure 5-6 Networking for configuring an agile distributed WLAN
Figure 5-7 Networking for configuring rogue device detection and containment
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT
Figure 5-11 Networking diagram of the device functioning as the PPPoE client
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem
Figure 5-13 Networking diagram of the device functioning as the PPPoE client
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Figure 5-23 Networking for configuring NAT traversal between the AC and APs
Figure 5-24 Networking for configuring VPN traversal between the AC and APs
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services
Figure 5-26 Networking for configuring back-to-back WDS
Figure 5-27 Networking for configuring mesh services
Figure 5-28 Networking for configuring dual-MPP Mesh services
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Figure 5-30 Networking for configuring external Portal authentication
Figure 5-31 Networking diagram for configuring Layer 2 external Portal authentication
Figure 5-32 Networking for configuring built-in Portal authentication for local users
Figure 5-33 Networking for configuring MAC address-prioritized Portal authentication
Figure 5-34 Networking diagram for configuring 802.1x authentication
Figure 5-35 Networking diagram for configuring MAC address authentication
Figure 5-36 Networking for configuring MAC authentication for local users
Figure 5-37 Networking for configuring user authorization based on user groups
Figure 5-38 Networking diagram for configuring WeChat authentication using a built-in Portal server
Figure 5-39 Networking diagram for configuring different authentication modes for multiple SSIDs
Figure 5-40 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)
Figure 5-41 Networking diagram for configuring dual-link HSB
Figure 5-42 Networking for configuring dual-link cold backup
Figure 5-43 Networking for configuring dual-link HSB for ACs
Figure 5-44 Configuring VRRP HSB (direct forwarding)
Figure 5-45 Networking for configuring N+1 backup
Figure 5-46 Networking for configuring N+1 backup
Figure 5-47 Networking for configuring inter-VLAN Layer 3 roaming
Figure 5-48 Networking for configuring intra-VLAN roaming
Figure 5-49 Networking for configuring inter-AC Layer 2 roaming
Figure 5-50 Networking for configuring inter-AC Layer 3 roaming
Figure 5-51 Networking for configuring agile distributed SFN roaming
Figure 5-52 Networking for configuring an agile distributed WLAN
Figure 5-53 Networking diagram for configuring a high-density WLAN
Figure 5-54 Networking for configuring vehicle-ground fast link handover
Figure 5-55 Networking for configuring dynamic load balancing
Figure 5-56 Networking for configuring static load balancing
Figure 5-57 Networking for configuring Band Steering
Figure 5-58 Networking for configuring smart roaming
1 Introduction to WLAN
WLAN Deployment
WLAN deployment is affected by technical factors and non-technical factors. Technical
factors include signal interference and wired network quality. Non-technical factors include
local laws and property management policies. Before deploying a WLAN, ensure that:
• The 2.4 GHz and 5 GHz frequency bands are allowed by local laws.
• The property management policy permits WLAN deployment.
WLAN Infrastructure
As shown in Figure 1-1, a WLAN consists of access points (APs), PoE switches, access
controllers (ACs), a Remote Authentication Dial In User Service (RADIUS) server, and a
network management system (NMS).
• AP: WLAN access device. Huawei provides a series of fit APs to meet indoor and
outdoor networking requirements.
• PoE switch: upstream device for APs. It provides data switching and power for APs. If
only one AC is required and the AC has PoE ports, the PoE switch is not required.
• AC: manages APs and controls the rights of WLAN users.
• RADIUS server: authenticates WLAN users and assigns rights to them. The RADIUS
server is installed on the SPES server.
• NMS: manages APs and ACs. It monitors the status of ACs and APs in real time, processes
alarms, and analyzes data.
2 Product Overview
Introduction to AC6005
The Huawei AC6005 series (AC6005 for short) consists of access controllers (ACs) applicable
to MANs and enterprise networks for wireless access. AC6005 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and features such advantages as
flexible networking and energy conservation.
The Huawei AC6005 series has two models: AC6005-8 and AC6005-8-PWR.
The AC6005 has the following features:
• AC6005-8-PWR provides PoE power (15.4 W) for 8 interfaces or PoE+ power (30 W)
for 4 interfaces so that APs can directly connect to these interfaces.
• Has various user policy management and authority control capabilities.
• Can be managed using the eSight, web system, or command line interface.
Introduction to AC6605
Huawei AC6605-26-PWR (AC6605 for short) is an access controller (AC) applicable to MANs
and enterprise networks for wireless access. AC6605 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and features such advantages as
flexible networking and energy conservation.
The AC6605 has the following features:
• Has the access and aggregation functions.
• Provides PoE power (15.4 W) or PoE+ power (30 W) on 24 interfaces, and can directly
connect to APs.
• Has various user policy management and authority control capabilities.
• Supports redundancy backup and hot swapping of AC or DC power supplies, ensuring
long-term operation.
• Can be maintained using the eSight, web system, or command line interface.
Introduction to AC6800V
Huawei AC6800V is an X86-based Access Controller (AC). The AC6800V has a large
capacity and high performance. It is highly reliable, easy to install and maintain, and features
such advantages as flexible networking and energy conservation.
The AC6800V has the following features:
• Has various user policy management and authority control capabilities.
• Can be managed using the eSight, web system, or command line interface.
Version
NOTICE
Before WLAN configurations, ensure that the AC and AP versions match. Otherwise, APs
cannot go online. When the AC and AP versions do not match, upgrade the AC or AP. For
details about the upgrade, see related product upgrade guides.
• Indoor distributed APs: applicable to medium-scale coverage scenarios that are subject
to coverage holes or important public places, such as hotels, airports, and conference
halls. Indoor distributed APs are not applicable to networks that require high capacities.
• Outdoor settled APs: applicable to open outdoor areas with high user densities, such as
squares, residential communities, schools, dormitories, and enterprise campuses, or
outdoor places that have high demands for wireless access, such as pedestrian malls.
Product Versions
NOTICE
Before performing WLAN configurations, ensure that the versions of the AC and APs match;
otherwise, the APs may fail to go online. If the versions of the AC and APs do not match,
upgrade the AC or APs. For the detailed upgrade procedure, see the upgrade guide of the
related products.
3 WLAN Configuration
[Figure: WLAN profiles shown: URL-filter profile, UCC profile, attack defense profile, antivirus profile, VAP profile*, user profile, intrusion prevention profile, Soft-GRE profile, location profile, BLE profile, security profile*, WDS profile*, WDS whitelist profile]
NOTE
WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.
NOTE
• If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
group or AP.
• Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
Configurations in other WLAN profiles are automatically delivered to APs.
For example, to configure air interface scan parameters, you can configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 3-1. The configurations of air interface scan parameters
are automatically delivered to APs and take effect. If referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are automatically
delivered to APs.
[Figure: configuration flowchart. Box labels: Configure system parameters for the AC; Configure a country code (in a regulatory domain profile); Configure the AC's source interface; Configure the AC to manage Fit APs; Create an AP group; Set the AP authentication mode and configure APs to go online; Configure the AC to deliver WLAN services to Fit APs; Configure basic radio parameters (on radios); Bind; AP or AP group]
To simplify the configuration of a large number of APs, you can add them to an AP group and
perform centralized configuration.
However, some APs may need different configurations. These configurations cannot be
applied uniformly through the AP group but can be performed directly on each AP.
Each AP must join exactly one AP group when going online. If an AP obtains both AP
group and specific configurations from an AC, the AP specific configurations are
preferentially used.
• If no configuration is available on an AP, the AP uses the configurations in the AP
group.
• If configurations are available on the AP, the AP uses the configurations preferentially.
However, if the configurations are incomplete, the AP obtains the configurations that do
not exist on itself from the AP group.
• Performance of APs in an AP group may vary according to the model. If the unified
configuration delivered to the AP group is not supported by an AP in the group, the
configuration does not take effect for this AP.
As shown in Figure 3-3, the AP with ID 1 does not find any configurations on itself;
therefore, the AP uses all WLAN configurations in the AP group a to which it belongs.
[Figure 3-3: AP group name: a; AP ID: 1; name of the AP group to which it belongs: a]
As shown in Figure 3-4, the AP with ID 101 finds configurations on itself so the AP
preferentially uses the configurations. Since there is only regulatory domain profile
configuration on the AP, the AP acquires other configurations in AP group a to which it
belongs, for example, VAP profile, AP system profile, and other profiles shown in the
following figure.
[Figure 3-4: AP ID: 101; name of the AP group to which it belongs: a]
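The precedence rules above, with the Figure 3-3 and Figure 3-4 cases, and the earlier rule that a lower-level profile reaches APs only through an upper-level profile bound to an AP group or AP, modelled as an added Python example (not Huawei code or CLI syntax). The profile names, the AP 102 entry and the per-model capability list are constructed assumptions.

```python
# Added illustration: a model of the binding rules, not Huawei code or CLI.
# All profile names and AP data below are constructed sample values.

# Profiles bound directly to AP group "a" (profile type -> profile name).
AP_GROUPS = {
    "a": {
        "regulatory-domain": "domain-group",
        "radio-2g": "radio-2g-default",
        "vap": "vap-staff",
        "ap-system": "sys-default",
        "wids": "wids-default",
    },
}

# Per-AP state: its single AP group, profiles bound on the AP itself, and
# profile types its model cannot apply (hypothetical capability list).
APS = {
    1: {"group": "a", "specific": {}, "unsupported": set()},
    101: {"group": "a",
          "specific": {"regulatory-domain": "domain-ap101"},
          "unsupported": set()},
    102: {"group": "a", "specific": {}, "unsupported": {"wids"}},
}

# (lower-level profile, upper-level profile that references it)
REFERENCES = [
    ("air-scan/scan-default", "radio-2g/radio-2g-default"),
    ("wids-whitelist/trusted", "wids/wids-default"),
    ("rrm/rrm-5g", "radio-5g/radio-5g-unbound"),  # parent is bound nowhere
]


def effective_bindings(ap_id):
    """Return {profile type: (profile name, source)} for one AP."""
    ap = APS[ap_id]
    group = AP_GROUPS[ap["group"]]
    result = {}
    for ptype in sorted(set(group) | set(ap["specific"])):
        if ptype in ap["specific"]:
            # AP-specific configuration is used preferentially.
            result[ptype] = (ap["specific"][ptype], "ap")
        elif ptype not in ap["unsupported"]:
            # Anything missing on the AP is taken from its AP group.
            result[ptype] = (group[ptype], "ap-group")
        # Otherwise the group setting is unsupported by this AP model
        # and does not take effect for it.
    return result


def delivered_profiles(ap_id):
    """Profiles reaching an AP: its bindings plus everything they reference."""
    delivered = {f"{t}/{n}" for t, (n, _) in effective_bindings(ap_id).items()}
    changed = True
    while changed:  # follow reference chains of any depth
        changed = False
        for child, parent in REFERENCES:
            if parent in delivered and child not in delivered:
                delivered.add(child)
                changed = True
    return delivered


def undelivered_profiles():
    """Profiles defined in the model that take effect on no AP."""
    defined = {p for pair in REFERENCES for p in pair}
    for group in AP_GROUPS.values():
        defined |= {f"{t}/{n}" for t, n in group.items()}
    for ap in APS.values():
        defined |= {f"{t}/{n}" for t, n in ap["specific"].items()}
    reached = set()
    for ap_id in APS:
        reached |= delivered_profiles(ap_id)
    return sorted(defined - reached)


if __name__ == "__main__":
    for ap_id in APS:
        print(ap_id, effective_bindings(ap_id))
    print("no effect on any AP:", undelivered_profiles())
```

In the sample data the WIDS whitelist profile never reaches AP 102, because that AP is marked as not supporting the WIDS profile that references it.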
A regulatory domain profile provides configurations of country code, calibration channel, and
calibration bandwidth for an AP.
• A country code identifies the country to which AP radios belong. Different countries
support different AP radio attributes, including the transmit power and supported
channels. Correct country code configuration ensures that radio attributes of APs comply
with laws and regulations of countries and regions to which the APs are delivered. For
details, see Configuring Country Codes in the Configuration-WLAN Service
Configuration Guide.
• A calibration channel set limits the dynamic AP channel adjustment range when the
radio calibration function is configured. Radar channels and the channels that are not
supported by STAs are avoided. For details, see Radio Resource Management
Configuration Guide in the Configuration.
• The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz
channels. Different calibration bandwidths support different calibration channels. Larger-
bandwidth channels mean higher transmission rates. However, at least three channels are
required in radio calibration to achieve the optimal calibration effect. When configuring
the calibration bandwidth, ensure that enough calibration channels are available for use.
For details, see Radio Resource Management Configuration Guide in the Configuration.
Radio profiles are used to optimize radio parameters, and control the in-service channel
switching function. For details, see Configuring a Radio in the Configuration-WLAN Service
Configuration Guide.
Radio profiles are divided into 2G and 5G radio profiles. 2G and 5G radio profiles apply to
2.4 GHz and 5 GHz radios respectively. The differences between configurations of 2G and 5G
radio profiles are as follows:
• 2G radio profiles allow you to configure the 802.11bg basic rate set and supported rate
set.
• 5G radio profiles allow you to configure the 802.11a basic rate set and supported rate set,
and perform 802.11ac-related configurations.
Radio profiles can reference air scan profiles and RRM profiles.
• Air scan profiles are designed for radio calibration, spectrum analysis, location, and
WIDS data analysis. APs periodically scan radio signals in their surrounding
environment and report the collected information to ACs or servers.
• RRM profiles are designed to maintain optimal radio resource utilization. They enable
APs to check the surrounding radio environment, dynamically adjust working channels
and transmit power, and evenly distribute access users. This function helps adjust radio
coverage, reduce radio signal interference, and enable a wireless network to quickly
adapt to changes in the radio environment. With the radio resource management
function, the wireless network can provide high service quality for wireless users. For
details, see Radio Resource Management Configuration Guide in the Configuration.
The air scan profile is used for radio calibration, spectrum analysis, WLAN device location,
and Wireless Intrusion Detection System (WIDS) data analysis. An AP periodically scans
surrounding radio signals and reports the collected information to an AC or server.
• Radio calibration
An authorized AP scans surrounding radio signals, collects information about
surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
information to an AC.
For the detailed configuration, see Configuring Radio Calibration in the Configuration-
Radio Resource Management Configuration Guide.
• Spectrum analysis
An AP detects different types of interference sources on wireless networks, and
displays the information to users. Users can then use the information to locate these
interference sources. This function improves user experience.
For the detailed configuration, see Configuring Spectrum Analysis in the Configuration-
Spectrum Analysis Configuration Guide.
• WLAN device location
An AP collects radio signals, and reports the location information to the positioning
server. Alternatively, the AP can send the location information to the AC, which filters
the information and sends the filtered information to the positioning server. An AP can
collect radio signals in either of the two modes:
– The AP collects Received Signal Strength Indicator (RSSI) information of WLAN
terminals and rogue APs and reports the information to the positioning server. The
information is then used to locate WLAN terminals or rogue APs.
– An AP scans spectrums and reports fast Fourier transform (FFT) results of radio
signals to an AC. The information is then used to identify non-Wi-Fi interference
sources.
For the detailed configuration, see Configuring Wi-Fi Tag Location in the Configuration.
• WIDS data analysis
A monitor AP scans channels to monitor information about neighboring wireless
devices, collects information about neighboring wireless devices by listening to WLAN
packets sent from neighboring wireless devices, and periodically reports collected
information to an AC. The AC then uses the information to determine rogue devices.
For the detailed configuration, see Configuring Device Detection in the Configuration-
WLAN Security Configuration Guide.
The air scan profile takes effect only after it is referenced by the radio profile.
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization. For the detailed configuration, see Radio Resource Management
Configuration Guide in the Configuration.
The RRM profile takes effect only after it is referenced by the radio profile.
sufficient bandwidths for them and limit traffic rates of non-critical services, thereby
providing refined QoS policy control. For details, see Configuring SAC in the
Configuration-QoS Configuration Guide.
• UCC profile: used to configure priorities for Microsoft Skype4B voice, video, desktop
sharing, and file transfer packets. For details, see Configuring Skype4B Traffic
Optimization in the Configuration-QoS Configuration Guide.
Cellular network profile: You can configure Hotspot 2.0 services on cellular networks. When connecting to the networks, user terminals can obtain network information from APs, which helps them to select desired networks.
NAI realm profile: A NAI realm profile is used to configure the network access identifier (NAI) realm name, authentication mode, and authentication parameters for networks accessible to users.
Roaming consortium profile: If the user terminals need to roam among Hotspot 2.0 networks of different operators, configure a roaming consortium profile and add the organization identifiers (OIs) of the operators to the roaming consortium profile. In this way, after the user terminals connect to a network of an operator in the profile, they can roam to networks of the other operators while remaining online.
Connection capability profile: You can configure Hotspot 2.0 services for networks. When user terminals connect to the networks, they can obtain network connection capability information from APs, including allowed protocols and ports, which helps them to select desired networks.
Operating class profile: The operating class profile is used to configure the operating class indication of an AP on the Hotspot 2.0 network. When a STA accesses the network, it can obtain channel information used to access a Wi-Fi frequency from the AP so that the STA can set up a connection.
Operator domain profile: A network domain name profile is used to configure the operator domain profile. STAs can obtain the domain name information through ANQP, which is used as a basis for network selection.
Operator name profile: You can specify different friendly names for different languages so that users can select networks.
An AP system profile is used to configure AP system parameters and can reference STA
blacklist and whitelist profiles as well as spectrum analysis configuration. The following
configurations are performed in an AP system profile:
PoE parameters include PoE power, parameters that are configured to allow high inrush
current during power-on, and PoE standard used by the AP. For details, see Managing
the PoE Function of an AP in the Configuration - AP Management Configuration Guide.
• Configure AP indicators.
Blinking indicators of indoor APs deployed in hospitals and hotels may affect people's
nighttime rest. Therefore, you can turn off AP indicators after APs are installed and run
properly.
• Configure the alarm function on an AP.
– You can configure alarm thresholds on an AP to monitor the AP in real time. When
the configured thresholds are exceeded, the AP generates alarms or logs to notify
the AC of AP status.
– If a STA cannot go online because of a security type mismatch, UAC, or the upper
limit of access users being exceeded, the STA will automatically re-connect to the AP.
During this period, the AP sends a large number of STA association failure alarms to
the AC, which degrades the system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does not report
alarms repeatedly in the alarm suppression period, preventing alarm storms.
For details, see Configuring the Alarm Function on an AP in the Configuration - AP
Management Configuration Guide.
• Configure the log backup and log suppression functions on an AP.
– Logs record user operations and system running information. After logs are backed
up to a server, network administrators can summarize and analyze AP logs to learn
the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
– If a STA keeps attempting to connect to an AP because of signal interference or
instability, the AP sends a large number of duplicate login and logout logs to the AC
in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a
user to the AC within the log suppression period.
For details, see Configuring the Log Backup and Log Suppression Functions on an AP in
the Configuration - AP Management Configuration Guide.
• Configure LLDP on an AP.
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management
address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors.
For details, see Configuring LLDP on an AP in the Configuration - AP Management
Configuration Guide.
• Configure the effective scope of a STA blacklist or whitelist.
If a STA blacklist or whitelist is applied to an AP system profile, the STA blacklist or
whitelist takes effect on all APs using the AP system profile. For details, see Applying
the Configuration to a VAP Profile or an AP System Profile in the Configuration - User
Access and Authentication Configuration Guide.
An AP wired port profile provides configurations of AP wired ports. AP wired port link
profiles can be bound to AP wired port profiles. AP wired port link profiles are used to
configure link-layer parameters of AP wired ports. For details, see Managing an AP's Wired
Interface in the Configuration - AP Management Configuration Guide.
An AP wired port link profile provides link layer configurations on an AP's wired port.
WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to
AP groups or APs so that they can take effect. For details, see Configuring Device Detection
and Containment and Configuring Attack Detection and a Dynamic Blacklist in the
Configuration-WLAN Security Configuration Guide.
A WIDS profile supports the following functions:
l WIDS device detection and countering
– APs detect Wi-Fi devices within their coverage range and determine whether they
are authorized.
– You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to
identify spoofing SSIDs and add the trusted devices to the whitelist. After
configuring these profiles, you bind them to the WIDS profile.
– Countermeasures are taken against detected rogue devices so that rogue STAs cannot
access the network and authorized STAs do not access rogue APs.
l WIDS attack detection and dynamic blacklist
– APs detect Wi-Fi devices on a network that launch attacks, including flood attacks,
weak IV attacks, spoofing attacks, and brute force PSK cracking attacks.
– After the dynamic blacklist function is enabled, attacking devices are added to the
dynamic blacklist and packets from these devices are discarded.
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.
l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not need to
configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
An IoT profile provides the following communication parameters between an AP and a host
computer:
For details, see Configuring Parameters for APs to Communicate with the Host Computer in
the Configuration - Healthcare IoT Solution.
Wi-Fi networks are open and shared, and work on free wireless frequency bands. Therefore,
co-channel interference may easily occur in wireless environments, causing Wi-Fi network
instability. These always-changing factors make post-event backtracking difficult. To improve
troubleshooting efficiency, configure APs to report key performance indicators (KPIs) to a
WLAN Maintaining Insight (WMI) server for possible fault cause analysis. In addition, data
statistics are centrally collected for observing device and network trends and identifying
potential device and network faults.
The server to which APs report information is called WMI server. You can set parameters for
APs to report KPI information to the WMI server in the WMI profile.
For details, see Configuring APs to Report KPIs in the AP Management Configuration Guide.
Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.
For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] vap-profile name a
[AC6605-wlan-vap-prof-a] copy-from b
NOTE
l You can perform this operation only between profiles of the same type. For example, you can copy the
configurations in a VAP profile to another VAP profile, but not to a radio profile.
l If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.
Management packets carry management data between an AC and an AP. Data packets
carry data between STAs and the upper-layer network when WLAN users access the Internet.
On a WLAN, packets transmitted between STAs and APs are 802.11 packets. APs are bridges
between STAs and the upper layer wired network. They convert 802.11 packets into 802.3
packets and forward 802.3 packets to the wired network.
Management packets and service data packets are marked with different VLAN tags on a
WLAN. The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and
VLAN s' represent service VLANs.
l When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
l When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.
WLAN roaming is categorized as Layer 2 and Layer 3 roaming depending on whether a STA
roams within the same subnet. In roaming scenarios, management packets are forwarded
through the CAPWAP tunnel, while service data packets can be forwarded through the
CAPWAP tunnel or using direct forwarding mode.
them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
The devices between an AC and AP must be configured to allow VLAN m and transparently
transmit packets of VLAN m.
Figure 3-8 Forwarding service data packets over a soft GRE tunnel
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming
l As shown in Figure 3-11, in direct forwarding mode, service packets exchanged between
the HAP and HAC are not encapsulated through the CAPWAP tunnel; therefore, whether
the HAP and HAC reside in the same subnet is unknown. Packets are forwarded back to
the HAP by default. If the HAP and HAC are located in the same subnet, configure the
HAC with higher performance as the home agent. This reduces the load on the HAP and
improves the forwarding efficiency.
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming
Upstream service data (one forwarding path per table column)
First column:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP forwards the service packet to the
upper-layer network directly.
Second column:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP
tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC sends the service packet to the HAP over the CAPWAP tunnel.
5. The HAP forwards the service packet to the upper-layer network.
Third column:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP
tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
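The port isolation and tunnel forwarding notes above can be checked mechanically against saved configuration files. The following is an added example, not part of the Huawei guide: it assumes that an AP-facing port is a trunk whose PVID equals the management VLAN, and the sample configurations, interface GigabitEthernet0/0/3 and the profile guest are constructed.

```python
import re

def blocks(config_text, prefix):
    """Yield (header, child_lines) for each block whose header starts with prefix.

    Children are the following lines indented deeper than the header, which is
    how VRP-style configuration files nest interface and WLAN profile settings.
    """
    lines = [line.rstrip() for line in config_text.splitlines()]
    for i, line in enumerate(lines):
        text = line.lstrip()
        if not text.startswith(prefix):
            continue
        indent = len(line) - len(text)
        children = []
        for nxt in lines[i + 1:]:
            body = nxt.lstrip()
            if not body or body == "#" or len(nxt) - len(body) <= indent:
                break
            children.append(body)
        yield text, children

def first_int(body, pattern):
    """Return the integer captured by pattern in the first matching line, else None."""
    for line in body:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None

def audit_switch(config_text, mgmt_vlan):
    """Flag AP-facing ports (assumption: PVID == management VLAN) without port isolation."""
    findings = []
    for header, body in blocks(config_text, "interface "):
        if first_int(body, r"port trunk pvid vlan (\d+)") != mgmt_vlan:
            continue
        if not any(line.startswith("port-isolate enable") for line in body):
            findings.append(f"{header}: AP-facing port without port isolation")
    return findings

def audit_ac(config_text, mgmt_vlan):
    """Flag tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    findings = []
    for header, body in blocks(config_text, "vap-profile name "):
        if "forward-mode tunnel" not in body:
            continue  # direct forwarding: the same-VLAN restriction does not apply
        if first_int(body, r"service-vlan vlan-id (\d+)") == mgmt_vlan:
            findings.append(f"{header}: service VLAN equals management VLAN {mgmt_vlan}")
    return findings

# Constructed sample: GigabitEthernet0/0/3 is an AP-facing port left without isolation.
SWITCH_SAMPLE = """\
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
"""

# Constructed sample: profile "guest" uses tunnel forwarding on the management VLAN.
AC_SAMPLE = """\
wlan
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

if __name__ == "__main__":
    for finding in audit_switch(SWITCH_SAMPLE, 100) + audit_ac(AC_SAMPLE, 100):
        print(finding)
```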
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
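ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
Note that with Validate server certificate deselected, the client does not
verify the identity of the authentication server before it sends the user
credentials, so select this option on networks where the client trusts the CA
that issued the server certificate.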
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return
Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
Data Planning
Item                          Data
Management VLAN for APs       VLAN100
Service VLAN for STAs         VLAN101
IP address pool for APs       10.23.100.2–10.23.100.254/24
IP address pool for STAs      10.23.101.3–10.23.101.254/24
MAC access profile            Name:wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on AC with the outbound interface as the router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
• In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for actual accounting; it is used to maintain terminal online information through accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
User quantity    Real-time accounting interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-4.
• Configure 5G-prior access
– Purpose: To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to
the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network.
– Configuration: Enable band steering. By default, band steering is enabled.
• Reduce the user association aging time
– Purpose: To prevent users who frequently disconnect from the wireless network.
– Configuration: Set the association aging time to 1 minute.
• Limit user rates
– Purpose: To prevent advantaged STAs from occupying too many rate sources and deteriorating service
experience of disadvantaged STAs.
– Configuration: Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream
rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
• Configure smart roaming
– Purpose: To prevent weak-signal STAs from degrading user experience.
– Configuration: Enable smart roaming and set the SNR threshold to 15 dB.
• Set the RTS-CTS threshold
– Purpose: To prevent hidden STAs.
– Configuration: Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
• Adjust the interval at which Beacon frames are sent
– Purpose: To improve the overall data traffic of APs.
– Configuration: Set the interval for sending Beacon frames to 160 ms.
• Adjust the transmit rate of 2.4 GHz Beacon frames
– Purpose: To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency.
– Configuration: Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s.
• Set the guard interval (GI) mode to short GI
– Purpose: To reduce extra overhead and improve AP transmission efficiency.
– Configuration: Set the GI mode to short GI.
• Configure the basic rate set
– Purpose: To improve the overall AP throughput.
– Configuration: Delete low rates from the basic rate set.
• Configure the multicast rate
– Purpose: To improve air interface efficiency.
– Configuration: Use the default values. By default, the multicast transmit rate of wireless packets
is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
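The State check described above can be automated. The following Python sketch is an added example, not part of the Huawei guide: it parses display ap all output (rows may be wrapped over two lines or printed on one) and compares it with the APs imported offline. The second and third sample rows, their MAC addresses and the state value fault are constructed for illustration.

```python
import re

# One AP row: ID, MAC, Name, Group, IP, Type, State, STA. Uptime/ExtraInfo may
# follow on the same line or on a wrapped continuation line; both are ignored.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<name>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+(?P<state>\S+)\s+(?P<sta>\d+)\b",
    re.IGNORECASE,
)


def parse_display_ap_all(output):
    """Return {mac: row fields} for every AP row found in the command output."""
    aps = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            aps[m["mac"].lower()] = m.groupdict()
    return aps


def check_inventory(output, expected):
    """expected maps MAC -> (ap_name, ap_group) as imported offline on the AC.

    Returns a list of (mac, problem) tuples; an empty list means every expected
    AP is in state nor with the planned name and group, and nothing else is listed.
    """
    aps = parse_display_ap_all(output)
    problems = []
    for mac, (name, group) in sorted(expected.items()):
        ap = aps.get(mac)
        if ap is None:
            problems.append((mac, "missing from output"))
        elif ap["state"] != "nor":          # the guide treats only nor as online
            problems.append((mac, "state " + ap["state"]))
        elif (ap["name"], ap["group"]) != (name, group):
            problems.append((mac, "name/group mismatch"))
    for mac in sorted(set(aps) - set(expected)):
        problems.append((mac, "not in inventory"))
    return problems


# Constructed sample: the first row is the one shown in this guide, the other two
# rows (MACs 00e0-fc00-0001/0002, state "fault") are made up for the example.
SAMPLE = """\
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0
10S -
1 00e0-fc00-0001 area_2 ap-group1 - AP5030DN fault 0
- -
2 00e0-fc00-0002 area_9 ap-group1 10.23.100.250 AP5030DN nor 3
35S -
----------------
Total: 3
"""

# Hypothetical inventory of APs that were imported offline.
EXPECTED = {
    "60de-4476-e360": ("area_1", "ap-group1"),
    "00e0-fc00-0001": ("area_2", "ap-group1"),
}

if __name__ == "__main__":
    for mac, problem in check_inventory(SAMPLE, EXPECTED):
        print(mac, problem)
```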
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] quit
# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, EDCA parameters for AC_BE packets of STAs, and the transmit rate
of 2.4 GHz Beacon frames to 11 Mbit/s.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] beacon-2g-rate 11
[AC-wlan-ssid-prof-wlan-net] quit
# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
4. Create an RRM profile, enable airtime fair scheduling and smart roaming, and set the
SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit
– Set the 802.11bg basic rate to 6 Mbit/s, 9 Mbit/s, 12 Mbit/s, 18 Mbit/s, 24 Mbit/s,
36 Mbit/s, 48 Mbit/s, or 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When a large number of users connect to the network in the stadium, the users still have good
Internet experience.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
beacon-2g-rate 11
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
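The Portal example and the stadium example above both print example-only secrets (Huawei123, a1234567), and the Portal example uses an http:// URL and an open-system security profile. The following Python audit is an added example, not part of the Huawei guide: it reads either a CLI transcript or a configuration file in the format shown on this page and flags those settings before they are copied into production. The finding names and the profiles stadium and lobby in the sample are hypothetical.

```python
import re

# Example-only secrets printed in this guide (assumption: never reuse them as-is).
DOC_EXAMPLE_SECRETS = {"a1234567", "Huawei123"}

PROMPT = re.compile(r"^(?:\[[^\]]*\]|<[^>]*>)\s*")   # "[AC-wlan-view] " or "<HUAWEI> "
SECTION = re.compile(r"^([\w-]+) name (\S+)$")       # e.g. "security-profile name wlan-net"
SECRET = re.compile(r"\b(?:pass-phrase|(?:shared-)?key cipher)\s+(\S+)")


def audit(text):
    """Return (finding, detail) tuples for an AC transcript or configuration file."""
    findings = []
    has_policy = {}   # security profile name -> True once a "security ..." line is seen
    vaps = {}         # VAP profile name -> referenced security/authentication profiles
    kind = name = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        # Comments, "#" separators and view exits all end the current profile.
        if line in ("quit", "return") or line.startswith(("#", "ap-id ")):
            kind = name = None
            continue
        m = SECTION.match(line)
        if m:
            kind, name = m.groups()
            if kind == "security-profile":
                has_policy.setdefault(name, False)
            elif kind == "vap-profile":
                vaps.setdefault(name, {})
            continue
        words = line.split()
        if kind == "security-profile" and words[0] == "security":
            has_policy[name] = True
        elif kind == "vap-profile" and len(words) == 2 and words[0] in (
            "security-profile", "authentication-profile"
        ):
            vaps[name][words[0]] = words[1]
        # Portal login page pushed over plain HTTP.
        if words[0] == "url" and len(words) > 1 and words[1].lower().startswith("http://"):
            findings.append(("cleartext-portal-url", words[1]))
        # Plaintext secret equal to one of the guide's sample values.
        for secret in SECRET.findall(line):
            if secret in DOC_EXAMPLE_SECRETS:
                findings.append(("doc-example-secret", words[0]))
    # The guide states that open system is the default policy, so a security
    # profile without a "security" line is open; flag VAPs that use one with
    # no authentication profile bound.
    for vap, refs in sorted(vaps.items()):
        sec = refs.get("security-profile")
        if has_policy.get(sec) is False and "authentication-profile" not in refs:
            findings.append(("open-ssid-no-auth", vap))
    return findings


# Constructed sample: commands as printed on this page, plus the hypothetical
# profiles "stadium" and "lobby".
SAMPLE = """\
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
[AC-wlan-view] security-profile name stadium
[AC-wlan-sec-prof-stadium] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-stadium] quit
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] vap-profile name lobby
[AC-wlan-vap-prof-lobby] security-profile wlan-net
[AC-wlan-vap-prof-lobby] quit
"""

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE):
        print(finding, detail)
```

A saved configuration stores the pass-phrase as ciphertext, so the doc-example-secret check is only useful on transcripts, change tickets and templates where the plaintext value still appears.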
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)
• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security
• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory
domain profile default
• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile
default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit
# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
work on different channels. Radio 1 and radio 0 are used to establish WDS links with AP_1
and AP_3 respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on actual situations.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit
# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit
# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit
# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1, and bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit
Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name  Group      IP             Type      State  STA  Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1  ap-group1  10.23.100.254  AP8130DN  nor    0    20M:16S  -
2    dcd2-fc04-b500 AP_2  ap-group2  10.23.100.253  AP8130DN  nor    0    17S      -
3    dcd2-fc96-e4c0 AP_3  ap-group3  10.23.100.252  AP8130DN  nor    0    3M:55S   -
--------------------------------------------------------------------------------------------------
Total: 3
Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
--------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
--------------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -39   -30   0    5   55    42/57/-/-
AP_2    AP_3      0   4    149  root  normal    -56   -40   0    9   59    45/40/60/-
AP_2    AP_1      1   4    157  leaf  normal    -32   -30   0    15  58    41/36/60/-
AP_3    AP_2      1   4    149  leaf  normal    -33   -32   0    7   59    51/59/-/-
--------------------------------------------------------------------------------------------------
Total: 4
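The link table can also be checked against the planned backhaul, so that a bridge peer nobody planned, a link on the wrong channel, or a missing direction stands out. The following is an added example, not part of the original document or of Huawei's tooling; the AP_X row, the PLANNED table and the finding names are hypothetical, and the sample rows are constructed from the output above with wrapped lines joined.

```python
# Constructed sample: the four rows shown in the document's output (wrapped
# lines joined) plus one hypothetical row for an unplanned peer, "AP_X".
SAMPLE_OUTPUT = """\
APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
--------------------------------------------------------------------------
AP_1 AP_2 1 4 157 root normal -39 -30 0 5 55 42/57/-/-
AP_2 AP_3 0 4 149 root normal -56 -40 0 9 59 45/40/60/-
AP_2 AP_1 1 4 157 leaf normal -32 -30 0 15 58 41/36/60/-
AP_3 AP_2 1 4 149 leaf normal -33 -32 0 7 59 51/59/-/-
AP_1 AP_X 1 4 157 root normal -70 -60 0 20 30 25/28/-/-
--------------------------------------------------------------------------
Total: 5
"""

# Planned backhaul of this example: (root AP, leaf AP) -> channel.
PLANNED = {("AP_1", "AP_2"): 157, ("AP_2", "AP_3"): 149}


def parse_links(text):
    """Yield one dict per data row of 'display wlan wds link all'."""
    for line in text.splitlines():
        f = line.split()
        # Data rows have 13 columns and a numeric radio ID in column 3;
        # the header, separator and Total lines do not.
        if len(f) == 13 and f[2].isdigit():
            yield {"ap": f[0], "peer": f[1], "radio": int(f[2]),
                   "channel": int(f[4]), "mode": f[5], "status": f[6]}


def check_links(text, planned):
    """Return (ap, peer, problem) tuples for every deviation from the plan."""
    findings, seen = [], set()
    for row in parse_links(text):
        # Normalise to (root AP, leaf AP) so both directions share one key.
        if row["mode"] == "root":
            pair = (row["ap"], row["peer"])
        else:
            pair = (row["peer"], row["ap"])
        if pair not in planned:
            findings.append((row["ap"], row["peer"], "unplanned-link"))
            continue
        seen.add((pair, row["mode"]))
        # Both radios of one WDS link must work on the same, planned channel.
        if row["channel"] != planned[pair]:
            findings.append((row["ap"], row["peer"], "wrong-channel"))
        if row["status"] != "normal":
            findings.append((row["ap"], row["peer"], "peer-not-normal"))
    # Every planned link must be reported from its root and its leaf side.
    for pair in sorted(planned):
        for mode in ("root", "leaf"):
            if (pair, mode) not in seen:
                findings.append((pair[0], pair[1], f"missing-{mode}-side"))
    return findings


if __name__ == "__main__":
    for ap, peer, problem in check_links(SAMPLE_OUTPUT, PLANNED):
        print(f"{ap} -> {peer}: {problem}")
```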
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------------------
e019-1dc7-1e08  1      AP_1     0/1      2.4G  11n   3/34   -68   101   10.23.101.254
-------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
security-profile name wds-security
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^
%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 149
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
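The WDS part of an AC configuration file like the one above can be audited offline before it is deployed. The following is an added example, not part of the original document or of Huawei's tooling: it flags WDS profiles whose security profile is not WPA2 with AES (the policy this example configures for WDS links) and root-mode WDS radios with no whitelist bound. The ap-group9 group, the wds-lab profile, the finding names and the rule that every root radio needs a whitelist are assumptions of the example; the cipher text is a placeholder.

```python
import re

# Constructed sample modelled on the AC configuration file above. The
# hypothetical "wds-lab" profile and "ap-group9" group introduce the two
# findings; the cipher text is a placeholder, not a real value.
SAMPLE_CONFIG = """\
wlan
 security-profile name wds-security
  security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-profile name wds-leaf
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
 wds-profile name wds-root
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
  wds-mode root
 wds-profile name wds-lab
  security-profile wlan-net
  wds-name wlan-wds
  wds-mode root
 ap-group name ap-group1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group9
  radio 1
   wds-profile wds-lab
"""

DEFINITION = re.compile(r"^(\S+) name (\S+)$")  # e.g. "wds-profile name wds-root"


def parse_wlan_view(text):
    """Return (security, whitelists, wds_profiles, radio_bindings)."""
    security, whitelists, wds, radios = {}, {}, {}, {}
    kind = name = radio = None
    for raw in text.splitlines():
        words = raw.split()  # indentation is ignored, keywords give context
        if not words or words[0] == "#":
            continue
        m = DEFINITION.match(" ".join(words))
        if m or words[0] == "ap-id":
            kind, name = m.groups() if m else ("ap-id", words[1])
            radio = None
            if kind == "wds-profile":
                # Assumption: leaf is the default mode, because the config
                # file above omits wds-mode for the leaf profile.
                wds[name] = {"security": None, "mode": "leaf"}
            elif kind == "wds-whitelist-profile":
                whitelists[name] = []
            continue
        if kind == "security-profile" and words[0] == "security":
            security[name] = words[1:]
        elif kind == "wds-whitelist-profile" and words[:2] == ["peer-ap", "mac"]:
            whitelists[name].append(words[2])
        elif kind == "wds-profile" and words[0] == "security-profile":
            wds[name]["security"] = words[1]
        elif kind == "wds-profile" and words[0] == "wds-mode":
            wds[name]["mode"] = words[1]
        elif kind == "ap-group" and words[0] == "radio":
            radio = words[1]
        elif kind == "ap-group" and radio is not None and len(words) == 2:
            if words[0] in ("wds-profile", "wds-whitelist-profile"):
                radios.setdefault((name, radio), {})[words[0]] = words[1]
    return security, whitelists, wds, radios


def audit(text):
    """Return (object, problem) tuples; an empty list means no findings."""
    security, whitelists, wds, radios = parse_wlan_view(text)
    findings = []
    for name, prof in sorted(wds.items()):
        policy = security.get(prof["security"])
        if not policy:
            findings.append((name, "no-security-policy"))
        elif policy[0] != "wpa2" or policy[-1] != "aes":
            findings.append((name, "not-wpa2-aes"))
    for (group, radio), bound in sorted(radios.items()):
        prof = wds.get(bound.get("wds-profile"))
        if prof and prof["mode"] == "root":
            # Empty or missing whitelist on the side that accepts peers.
            if not whitelists.get(bound.get("wds-whitelist-profile")):
                findings.append((f"{group}/radio{radio}", "root-without-whitelist"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG):
        print(f"{where}: {problem}")
```

Configuration text whose long lines were wrapped in extraction (for example the cipher-text pass-phrase lines) must be rejoined before it is passed to audit().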
Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
Data Planning
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
• Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] quit
[AC] quit
# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
Total: 6
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
----End
Configuration Files
• Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
• Vehicle-mounted network devices
– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q
%NVibT@S@ITs<%^%#
aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
channel 40mhz-plus 157
#
return
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                                        Data
IP address pool for central APs and RUs    10.23.100.2-10.23.100.254/24
IP address pool for STAs                    10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name       Group     IP            Type        State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor   0   2M:25S -
1    fcb6-9897-c520 ru_1       ap-group1 10.23.100.253 R240D       nor   0   3M:5S  -
2    fcb6-9897-ca40 ru_2       ap-group1 10.23.100.252 R240D       nor   0   3M:14S -
----------------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08 1     ru_1    1/1     5G   11n  46/59 -68  101  10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
● Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
Figure 4-7 Networking for configuring rogue device detection and containment
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
-------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
-------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit
STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
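The Configuration Notes above (in tunnel forwarding mode the service VLAN must differ from the management VLAN; interfaces connected to APs need port isolation) and the rogue device detection and containment settings can be checked mechanically against a saved configuration file. The following Python script is an added example, not Huawei tooling; its function names, the constructed sample configuration, and the rule that a trunk whose PVID is the management VLAN faces an AP are assumptions.

```python
import re

# Constructed sample modelled on the AC configuration files on this page, with
# three deliberate defects: the tunnel-mode service VLAN equals the management
# VLAN, the AP-facing port has no port isolation, and radio 1 detects rogue
# devices but never contains them.
SAMPLE_CONFIG = """\
#
sysname AC
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-net wlan 1
   wids device detect enable
#
return
"""


def parse(config):
    """Split a configuration dump into the blocks the checks need.

    Block boundaries are recognised by keyword, not indentation, so the
    flattened dumps printed on this page parse the same way.
    """
    mgmt_vlan, interfaces, vaps, radios = None, {}, {}, {}
    block = group = None  # list being filled / ap-group we are inside
    for line in map(str.strip, config.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":
            block = group = None
        elif m := re.fullmatch(r"capwap source interface vlanif(\d+)", line, re.I):
            mgmt_vlan = int(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            block, group = interfaces.setdefault(m.group(1), []), None
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            block, group = vaps.setdefault(m.group(1), []), None
        elif m := re.fullmatch(r"ap-group name (\S+)", line):
            block, group = None, m.group(1)
        elif re.match(r"(ap-id|\S+-profile name) ", line):
            block = group = None  # blocks the checks below do not inspect
        elif m := re.fullmatch(r"radio (\d+)", line):
            block = radios.setdefault((group, int(m.group(1))), []) if group else None
        elif block is not None:
            block.append(line)
    return mgmt_vlan, interfaces, vaps, radios


def audit(config, mgmt_vlan=None):
    """Return findings; pass mgmt_vlan for switches that have no capwap line."""
    parsed_vlan, interfaces, vaps, radios = parse(config)
    mgmt = parsed_vlan if mgmt_vlan is None else mgmt_vlan
    findings = []
    for name, lines in vaps.items():
        service = [int(m.group(1)) for l in lines
                   if (m := re.fullmatch(r"service-vlan vlan-id (\d+)", l))]
        if "forward-mode tunnel" in lines and mgmt in service:
            findings.append(f"vap-profile {name}: tunnel forwarding with service "
                            f"VLAN {mgmt} equal to the management VLAN")
    for name, lines in interfaces.items():
        # Assumption: a trunk whose PVID is the management VLAN faces an AP.
        ap_facing = f"port trunk pvid vlan {mgmt}" in lines
        if ap_facing and not any(l.startswith("port-isolate enable") for l in lines):
            findings.append(f"interface {name}: AP-facing port without port-isolate enable")
    for (group, radio), lines in radios.items():
        if "wids device detect enable" in lines and "wids contain enable" not in lines:
            findings.append(f"ap-group {group} radio {radio}: "
                            "rogue detection enabled without containment")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

For a switch such as SwitchA, which has no capwap source line, pass the management VLAN explicitly, for example `audit(text, mgmt_vlan=100)`.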
Networking Requirements
As shown in Figure 4-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
● A WLAN named wlan-net is available.
● Router functions as a DHCP server to assign IP addresses to STAs.
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services
[Diagram labels: Fat AP, GE0/0/0, VLAN 101: 10.23.101.2/24, Router]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the AP to communicate with the network devices.
NOTE
Configure the AP's uplink interfaces to transparently transmit packets of service VLANs as required.
# Create VLANIF 101 and configure its IP address for communication with Router.
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.2 24
[AP-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 2 00BC-DA3F-E901 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E911 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------
STA MAC        Ap name        Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
--------------------------------------------------------------------------------------------
14cf-9202-13dc 00bc-da3f-e900 0/2     2.4G 11n  19/13 -63  101  10.23.101.254 wlan-net
--------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
● Router configuration file
#
sysname Router
#
dhcp enable
#
interface GigabitEthernet1/0/0
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
return
● AP configuration file
#
sysname AP
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
channel 20mhz 6
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
As shown in Figure 4-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
● A WLAN named wlan-net is available.
● Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services
[Diagram labels: Fat AP, GE0/0/0, VLAN 200: 10.23.200.1/24, Router]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate with each other.
2. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit
# Configure a default route with the next hop IP address 10.23.200.2/24 on the AP.
[AP] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
• Router configuration file
#
sysname Router
#
vlan batch 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
return
• AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J
\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
channel 20mhz 6
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
As shown in Figure 4-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
  are translated to the IP address of the Fat AP outbound interface using Easy-IP for
  employees to access the public network.
Figure 4-10 Networking diagram for configuring STAs to access the public network through
NAT
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the AP to communicate with the network devices.
# On the AP, create VLANIF 200, set its IP address to 202.169.10.1/24, and add GE0/0/0 to
VLAN 200.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface vlanif 200
[AP-Vlanif200] ip address 202.169.10.1 24
[AP-Vlanif200] quit
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit
# Configure a default route. The following assumes that the public IP address of the peer end
is 202.169.10.2/24.
[AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of the radio, and configure the
channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
# The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
<AP> display vap ssid wlan-net
WID : WLAN ID
-----------------------------------------------------------------------------------------
AP MAC          RfID  WID  BSSID           Status  Auth type     STA  SSID
-----------------------------------------------------------------------------------------
00bc-da3f-e900  0     2    00BC-DA3F-E901  ON      WPA/WPA2-PSK  0    wlan-net
00bc-da3f-e900  1     2    00BC-DA3F-E911  ON      WPA/WPA2-PSK  0    wlan-net
-----------------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
<AP> display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# Run the display nat outbound command on the AP to check the IP address translation
result.
<AP> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------------
Vlanif200 2000 1 no-pat
--------------------------------------------------------------------------------
Total : 1
# Run the ping command on the AP to verify that users on the private network can access the
public network.
<AP> ping -a 10.23.101.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
----End
Configuration Files
• AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
acl number 2000
rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 202.169.10.1 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J
\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 2
channel 20mhz 6
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
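The two lookups a reviewer does by hand on the configuration file above, as an added example that is not part of the Huawei document: which source addresses nat outbound 2000 actually translates (ACL wildcard matching), and which SSID and security policy each radio ends up carrying. The function names, the indentation of the sample and the ciphertext placeholder are assumptions made for the example; rule evaluation assumes the default lowest-rule-ID-first match order.

```python
import ipaddress
import re

# Constructed input: the AP configuration file above, abridged, with the
# ciphertext passphrase replaced by a placeholder and indentation assumed.
SAMPLE_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif200
 nat outbound 2000
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CIPHERTEXT-PLACEHOLDER%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
#
interface Wlan-Radio0/0/0
 vap-profile wlan-net wlan 2
#
interface Wlan-Radio0/0/1
 vap-profile wlan-net wlan 2
"""

def sections(text):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    chunks = re.split(r"^#[ \t]*$", text, flags=re.M)
    split = ([l.strip() for l in c.splitlines() if l.strip()] for c in chunks)
    return [s for s in split if s]

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def rule_hits(rule, src_ip):
    """True if a basic ACL rule (already split into tokens) matches src_ip."""
    if "source" not in rule or rule[rule.index("source") + 1] == "any":
        return True
    base, wildcard = rule[rule.index("source") + 1:][:2]
    return wildcard_match(src_ip, base, "0.0.0.0" if wildcard == "0" else wildcard)

def nat_interface_for(text, src_ip):
    """Return the interface whose 'nat outbound <acl>' translates src_ip, else None."""
    acls, bindings = {}, []
    for sec in sections(text):
        if sec[0].startswith("acl number "):
            rules = [l.split() for l in sec[1:] if l.startswith("rule ")]
            acls[sec[0].split()[2]] = sorted(rules, key=lambda r: int(r[1]))
        elif sec[0].startswith("interface "):
            bindings += [(sec[0].split()[1], l.split()[2])
                         for l in sec[1:] if l.startswith("nat outbound ")]
    for ifname, acl in bindings:
        # Assumes the default match order: lowest rule ID first, first hit decides.
        verdict = next((r[2] for r in acls.get(acl, []) if rule_hits(r, src_ip)), None)
        if verdict == "permit":
            return ifname
    return None

def radio_security(text):
    """Resolve radio -> VAP profile -> SSID and security profile for every VAP."""
    profiles, vaps = {}, {}
    for sec in sections(text):
        cur = None
        for line in sec[1:]:
            m = re.match(r"(security|ssid|vap)-profile name (\S+)$", line)
            if sec[0] == "wlan" and m:
                cur = profiles.setdefault(m.groups(), [])
            elif sec[0] == "wlan" and cur is not None:
                cur.append(line)
            elif sec[0].startswith("interface Wlan-Radio") and line.startswith("vap-profile "):
                t = line.split()
                vaps[(sec[0].split()[1], t[3])] = t[1]    # (radio, WLAN ID) -> VAP profile
    report = {}
    for key, vap in vaps.items():
        refs = dict(l.split()[:2] for l in profiles.get(("vap", vap), []) if " " in l)
        ssid = [l[5:] for l in profiles.get(("ssid", refs.get("ssid-profile")), [])
                if l.startswith("ssid ")]
        psk = [m for m in (re.match(r"security (\S+) psk pass-phrase (.+) (\S+)$", l)
               for l in profiles.get(("security", refs.get("security-profile")), [])) if m]
        report[key] = {
            "ssid": ssid[0] if ssid else None,
            "policy": psk[0].group(1) if psk else None,
            # The configuration file above stores the passphrase as %^%#...%^%#.
            "psk_encrypted": bool(psk and re.fullmatch(r"%\^%#.+%\^%#", psk[0].group(2))),
        }
    return report

if __name__ == "__main__":
    print(nat_interface_for(SAMPLE_CONFIG, "10.23.101.254"))
    print(radio_security(SAMPLE_CONFIG))
```

A VAP whose profile references cannot be resolved is reported with ssid and policy set to None, which is the case to look at first in a review.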
NOTE
With factory defaults, the local configuration of an AP is not modified, and the AP has not obtained the
new configuration from an AC.
Networking Scenario
To use a new AP to provide Wi-Fi coverage independently, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.
Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-11.
When the AP supports DC power supply and works with a power adapter, connect the AP to
the AC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.
[Figure 4-11. Panel 1: AP powered by a DC power adapter (PC, Ethernet cable, AP, DC power adapter). Panel 2: AP powered by a PoE device, either a PoE power adapter (AC input, DATA port, PoE port) or a PoE switch (network port, PoE_OUT port), connected by Ethernet cables to the PC and to the PoE_IN port.]
Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.
Procedure  Task
1          Prepare the environment: Configure the IP address of the PC and STelnet, check
           network connectivity between the AP and PC, and observe indicator states.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
3          Start the switching: Run the ap-mode-switch fat command in the system view to
           switch the working mode of the AP. The AP then restarts.
4          Verify the switching: Log in to the AP again and check the working mode of the AP.
Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.
Device  Description
AP      Model: AP4050DN
        Version: V200R007C20
        Default information:
        • IP address: 169.254.1.1
        • User name: admin
        • Password: admin@huawei.com
        • STelnet login port number: 22
# Power on the AP. The indicator is green for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.
# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
Step 2 Check AP information.
# Open PuTTY on the PC, enter the IP address and port number of the AP, select the SSH
mode, and click Open. If a key pair information prompt is displayed, click Yes.
# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.
Info: Current mode: Fit (managed by the AC). //The current mode is Fit.
Info: You are advised to change the password to ensure security.
<Huawei>
# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...
----End
FAQ
An error message is displayed when you run a mode switching command.
[Huawei] ap-mode-switch fat
Error: The fat mode does not exist. To switch to the fat AP mode, run the ap-mode-switch fat tftp/ftp/sftp command.
The AP is not in factory defaults and therefore cannot be switched to the Fat mode by one
click. In this case, switch the working mode of the AP using SFTP. For details, see the related
sources.
Related Sources
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP
4.3.2 Example for Switching a Fit AP to the Fat Mode Using SFTP
Applicable Scope
Applicable version: V200R007, V200R008, and V200R009
For APs in factory defaults, it is recommended that you switch the working mode of an AP by
referring to 4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode
by One Command.
This example is also applicable to switching a Fit AP to the Fat mode using FTP or TFTP.
Note the following differences:
• Configure the FTP or TFTP client software on the PC, which is not mentioned here.
• Different parameters are used in the command for switching the AP mode and are
  described in the procedure.
Networking Scenario
To use a new AP to provide Wi-Fi coverage independently, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.
Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-12.
When the AP supports DC power supply and works with a power adapter, connect the AP to
the AC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.
When the PC serves as an SFTP server, prepare the Fat AP software package for the AP to
obtain through SFTP.
[Figure 4-12. Panel 1: AP powered by a DC power adapter (PC, Ethernet cable, AP, DC power adapter). Panel 2: AP powered by a PoE device, either a PoE power adapter (AC input, DATA port, PoE port) or a PoE switch (network port, PoE_OUT port), connected by Ethernet cables to the PC and to the PoE_IN port.]
Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.
Procedure  Task
1          Prepare the environment: Configure the IP address, STelnet client, and SFTP server
           software on the PC. Download the Fat AP software package of the target version to
           the SFTP server. Check network connectivity and the indicator states of the AP.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
3          Start the switching: Run the ap-mode-switch fat sftp filename server-ip-address
           user-name password [ port ] command in the system view. The AP restarts.
           If FTP or TFTP is used, run the following command:
           • FTP mode: ap-mode-switch fat ftp filename server-ip-address user-name
             password [ port ]
           • TFTP mode: ap-mode-switch fat tftp filename server-ip-address
4          Verify the switching: Log in to the AP again and check the working mode of the AP.
Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.
Device  Description
AP      Model: AP4050DN
        Version: V200R007C20
        Default information:
        • IP address: 169.254.1.1
        • User name: admin
        • Password: admin@huawei.com
        • STelnet login port number: 22
# Power on the AP. The indicator is on for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.
# Log in to Huawei enterprise technical support website (support.huawei.com/e), download
the Fat AP software package, and store the package on the PC.
# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
# Open FreeSSHd on the PC, and set SFTP server parameters:
• Set the IP address and port number for the client to access the server. Retain the default
  settings here.
• Set the authentication mode so that the password is required for the client to access the
  server.
• Select a local directory to provide file services for the client. Store the downloaded
  software package in this directory.
• Add a user to verify identity information entered by the client to ensure access security.
# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.
Info: Current mode: Fit (managed by the AC). //The current mode is Fit.
Info: You are advised to change the password to ensure security.
<Huawei>
# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...
# Switch the AP mode to Fat. Set the file name (including the extension) of the target
software package, IP address, user name, and password of the SFTP server. Wait until the AP
restart is complete.
[Huawei] ap-mode-switch fat sftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
Warning: The system will reboot and start in fat mode of V200R007C20SPCa00.
Continue? (y/n)[n]:y
Warning: Do Not Power-off!
..................................................................................
........................
End of file......
NOTE
If FTP or TFTP is used, specify the following parameters in the switching command (as an example):
• FTP mode: ap-mode-switch fat ftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
• TFTP mode: ap-mode-switch fat tftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100
----End
FAQ
An error message is displayed when you run a mode switching command.
[Huawei] ap-mode-switch fat sftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei@123
Warning: The system will reboot and start in fat mode of V200R007C20SPCa00.
Continue? (y/n)[n]:y
Warning: Do Not Power-off!
.
Error: Upgrade failed due to a failure in downloading the version file.
The public key of the SSH server is not configured on the AP, so authentication fails when the
AP accesses the SSH server for the first time.
Run the ssh client first-time enable command in the system view to allow the AP to access
the server. The server's public key is then saved on the AP and used to authenticate the server
in later connections.
[Huawei] ssh client first-time enable
Related Sources
4.3.1 Example for Switching a Fit AP with Factory Defaults to the Fat Mode by One
Command
WLAN Quick Configuration Guide (Video)
4.3.3 Example for Switching a Fit AP to the Fat Mode Using FTP
Applicable Scope
Applicable version: V200R007, V200R008, and V200R009
Applicable models: AP5030DN, AP5130DN, AP5030DN-S, AP3030DN, AP3010DN-V2,
AP4030DN, AP4130DN, AP4030DN-E, AP9131DN, AP9132DN
This example is also applicable to switching a Fit AP to the Fat mode using TFTP. Note the
following differences:
• Configure the TFTP client software on the PC, which is not mentioned here.
• Different parameters are used in the command for switching the AP mode and are
  described in the procedure.
Networking Scenario
To use a new AP to provide Wi-Fi coverage independently, you need to switch the AP to the Fat
mode and deploy services through the web platform or in another way.
Connect the AP to a PC through an Ethernet cable in a proper mode, as shown in Figure 4-13.
When the AP supports DC power supply and works with a power adapter, connect the AP to
the AC directly through an Ethernet cable. If the AP does not support DC power supply or no
adapter is available, supply PoE power to the AP. In this case, connect the AP to the PC
through a PoE device.
When the PC serves as an FTP server, prepare the Fat AP software package for the AP to
obtain through FTP.
[Figure 4-13. Panel 1: AP powered by a DC power adapter (PC, Ethernet cable, AP, DC power adapter). Panel 2: AP powered by a PoE device, either a PoE power adapter (AC input, DATA port, PoE port) or a PoE switch (network port, PoE_OUT port), connected by Ethernet cables to the PC and to the PoE_IN port.]
Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.
Procedure  Task
1          Prepare the environment: Configure the IP address, STelnet client, and FTP server
           software on the PC. Download the Fat AP software package of the target version to
           the FTP server. Check network connectivity and the indicator states of the AP.
2          Check AP information: On the PC, log in to the AP through STelnet to check the
           version and working mode of the AP.
4          Verify the switching: Log in to the AP again and check the working mode of the AP.
Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.
Device  Description
AP      Model: AP5030DN
        Version: V200R007C20
        Default information:
        • IP address: 169.254.1.1
        • User name: admin
        • Password: admin@huawei.com
        • STelnet login port number: 22
# Power on the AP. The indicator is on for around 2 minutes during the startup. When the
indicator blinks, the AP is started successfully.
# Set the IP address of the PC to 169.254.1.100 and mask to 255.255.0.0 so that the PC and
AP are located on the same network segment.
# Set FTP server parameters:
• Open WFTPD on the PC, set the Users and rights.
• Add a user to verify identity information entered by the client to ensure access security.
# When the following information is displayed, the AP is connected successfully. Enter the
user name and password to log in to the AP.
login as: admin
Further authentication required
admin@169.254.1.1's password:admin@huawei.com //For information security,
characters you entered are invisible.
Info: Current mode: Fit (managed by the AC). //The current mode is Fit.
# Check AP information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP5030DN FIT V200R007C20SPCa00) //Model,
working mode, and version
...
# Switch the AP mode to Fat. Set the file name (including the extension) of the target
software package, IP address, user name, and password of the FTP server. Wait until the AP
restart is complete.
[Huawei] ap-mode-switch ftp FatAP5X30XN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
Warning: Do Not Power-off.........
Info: Upgrade upgrade-assistant-package successfully!
Warning: System will reboot, if you want to switch to upgrade-assistant-package.
Are you sure to execute these operations ? [Y/N]: y
NOTE
If TFTP is used, specify the following parameters in the switching command (as an example).
ap-mode-switch tftp FatAP5X30XN_V200R007C20SPCa00.bin 169.254.1.100
----End
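A review pass over a captured CLI session for the mode-switching commands in 4.3.1 to 4.3.3, as an added example that is not part of the Huawei document: it masks the transfer password and any plaintext PSK before the log is stored or shared, and notes which transfers ran over FTP or TFTP and where first-time SSH authentication was enabled. The log lines are constructed from commands shown on this page; the function names and the <redacted> mask are assumptions.

```python
import re

# Constructed session log built from the commands shown in 4.3.1 to 4.3.3
# and the PSK command used in the WLAN examples.
SAMPLE_LOG = """\
[Huawei] ap-mode-switch fat
[Huawei] ssh client first-time enable
[Huawei] ap-mode-switch fat sftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
[Huawei] ap-mode-switch fat tftp Fat&CloudAP4050DN_V200R007C20SPCa00.bin 169.254.1.100
[Huawei] ap-mode-switch ftp FatAP5X30XN_V200R007C20SPCa00.bin 169.254.1.100 huawei huawei123
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
"""

# ap-mode-switch [fat] {sftp|ftp} filename server-ip-address user-name password [ port ]
# ap-mode-switch [fat] tftp filename server-ip-address
SWITCH = re.compile(
    r"ap-mode-switch(?: fat)? (?P<proto>sftp|ftp|tftp) (?P<file>\S+) (?P<server>\S+)"
    r"(?: (?P<user>\S+) (?P<password>\S+)(?: (?P<port>\d+))?)?\s*$")
PSK = re.compile(r"\bpass-phrase (?P<secret>\S+)")
MASK = "<redacted>"


def mask(line, match, group):
    """Replace one named group of a match with the mask, leaving the rest intact."""
    return line[:match.start(group)] + MASK + line[match.end(group):]


def review_line(line):
    """Return (redacted_line, findings) for one line of a captured CLI session."""
    findings = []
    m = SWITCH.search(line)
    if m:
        if m["proto"] == "ftp":
            findings.append("ftp: image, user name and password cross the link in cleartext")
        elif m["proto"] == "tftp":
            findings.append("tftp: image is fetched without authentication or encryption")
        if m["password"]:
            findings.append("transfer password typed on the command line")
            line = mask(line, m, "password")
    elif "ssh client first-time enable" in line:
        findings.append("first-time authentication: server key is saved without prior verification")
    else:
        m = PSK.search(line)
        # Ciphertext as stored in a saved configuration (%^%#...%^%#) is left alone.
        if m and not re.fullmatch(r"%\^%#.+%\^%#", m["secret"]):
            findings.append("plaintext PSK in the session log")
            line = mask(line, m, "secret")
    return line, findings


def review(log):
    """Review a whole log; return [(line_number, redacted_line, findings)] for flagged lines."""
    out = []
    for n, line in enumerate(log.splitlines(), 1):
        redacted, findings = review_line(line)
        if findings:
            out.append((n, redacted, findings))
    return out


if __name__ == "__main__":
    for n, redacted, findings in review(SAMPLE_LOG):
        print(f"{n}: {redacted}\n   -> " + "; ".join(findings))
```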
Related Sources
WLAN Quick Configuration Guide (Video)
Applicable Scope
All APs that properly go online on an AC
Applicable models: APs supporting both the Fit and Fat modes
In centralized management mode, you can manage the upgrade and mode switching for a
single AP or APs of the same model or in the same group on the AC. This example describes
how to switch the working mode of a single AP.
Networking Scenario
Log in to the AC through the web platform, without the need to adjust the networking or cable
connection.
Quick Configuration
This section helps you quickly configure an AP, without the need to read the entire document.
If you are not familiar with the product or operation, read the detailed guidance in the
following sections.
Procedure  Task
1          Prepare the environment: Download the Fat AP software package of the target
           version to the PC where you log in to the AC.
2          Check AP information: Log in to the web platform of the AC, choose Monitoring >
           AP, and view information about the AP, including the IP address, model, and version.
3          Load the software package to the AP: Choose Maintenance > AP Maintenance >
           AP Upgrade, select the upgrade mode, upload the software package, and
           upgrade the AP. You can check the upgrade progress on the Upgrade Status page.
           The upgrade state is displayed as success after around 2 minutes (requiring mode
           switching).
           NOTE
           To switch the working mode for APs in a batch, select an AP model or group on this page to
           determine the upgrade scope and select the immediate or scheduled upgrade mode.
4          Start the switching: Choose Configuration > AP Config > AP Config and change AP
           mode to fat. The AP restarts. The restart takes around 2 minutes.
5          Verify the switching: Log in to the AC using the CLI console on the web platform,
           STelnet to the AP, and check the working mode of the AP.
Configuration Procedure
Step 1 Prepare the environment.
The following is used as an example. Prepare your environment based on site requirements.
Device  Description
AC      Model: AC6605
        Version: V200R007C20
        Management IP address: 169.254.1.1
        Administrator account: Telnet and web platform
        • User name: admin
        • Password: huawei@123
AP      Model: AP4050DN
        Version: V200R007C20
        Information for the radio used by the AP to go online:
        • IP address: 192.168.10.227
        • User name: admin (default)
        • Password: admin@huawei.com (default)
        • STelnet login port number: 22 (default)
# Enter the IP address of the AC in the browser of the AC. Enter the user name and password
to log in to the web platform. If a security connection prompt is displayed, continue with the
operation.
# Choose Monitoring > AP. Search for the target AP in AP List, check AP information, and
record the IP address of the AP. Continue with the following operations only when the AP
status is normal or ver-mismatch.
# Choose Maintenance > AP Maintenance > AP Upgrade, select the software package
stored on the PC, and upload the upgrade file to the AC.
# Click the Upgrade Status tab to check the AP upgrade progress. The upgrade takes
around 2 minutes.
# Select AP, click Modify, select AP mode as fat, and click OK. The AP will restart and the
restart takes around 2 minutes.
# In the Telnet window, enter the user name and password to log in to the AC, and then STelnet
to the AP to view AP information. The AP is working in Fat mode.
Username:admin
Password:huawei@123 //For information security, characters you entered are
invisible.
<AC6605> system-view
Enter system view, return user view with Ctrl+Z.
[AC6605] stelnet 192.168.10.227 //Log in to the target AP from the AC.
Please input the username:admin
Trying 192.168.10.227 ...
Press CTRL+K to abort
Connected to 192.168.10.227 ...
Enter password:admin@huawei.com //For information security, characters you
entered are invisible.
Info: Current mode: Fat (working independently).
Warning: The default country code is CN. Ensure that AP radio attributes comply
with laws and regulations in different countries. Do you want to change the
country code? [Y/N]:n
Info: You are advised to change the password to ensure security.
<ap1> system-view
[ap1] display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (AP4050DN FAT V200R007C20SPCa00)
...
----End
Related Sources
WLAN Quick Configuration Guide (Video)
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-14 Networking for configuring Layer 2 direct forwarding in inline mode
Data Planning
Item Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type             State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN         nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
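Two of the Configuration Notes (port isolation on AP-facing interfaces, and management VLAN different from service VLAN in tunnel forwarding mode) can be checked against saved configuration files. The Python script below is an added example, not part of the Huawei guide; its function names are hypothetical, and it assumes that AP-facing ports are the trunks whose PVID is the management VLAN, that the management VLAN is the VLANIF named by capwap source interface, and that a VAP profile with no forward-mode line uses direct forwarding.

```python
import re

# Constructed inputs: SWITCH_OK holds the interface stanzas of the Switch file above;
# AC_BAD is an abridged AC file altered to tunnel forwarding with service VLAN 100.
SWITCH_OK = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""
SWITCH_BAD = SWITCH_OK.replace(" port-isolate enable group 1\n", "")
AC_BAD = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
AC_OK = AC_BAD.replace("service-vlan vlan-id 100", "service-vlan vlan-id 101")

def stanzas(cfg):
    """Split a VRP configuration file into top-level stanzas delimited by '#' lines."""
    out, cur = [], []
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line in ("#", "return"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + ([cur] if cur else [])

def management_vlan(ac_cfg):
    """Assumption: the management VLAN is the VLANIF used as CAPWAP source interface."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None

def vap_profiles(ac_cfg):
    """Return {name: {'forward': mode, 'service_vlan': id}} for each VAP profile."""
    profiles, cur = {}, None
    for st in (s for s in stanzas(ac_cfg) if s[0] == "wlan"):
        for line in st[1:]:
            if m := re.match(r"vap-profile name (\S+)$", line):
                # Assumption: no forward-mode line means direct forwarding, as in the
                # AC configuration file above.
                cur = profiles.setdefault(
                    m.group(1), {"forward": "direct-forward", "service_vlan": None})
            elif re.match(r"\S+-profile name |ap-group name |ap-id ", line):
                cur = None  # a different view starts here
            elif cur is not None and (m := re.match(r"forward-mode (\S+)$", line)):
                cur["forward"] = m.group(1)
            elif cur is not None and (m := re.match(r"service-vlan vlan-id (\d+)$", line)):
                cur["service_vlan"] = int(m.group(1))
    return profiles

def audit_ac(ac_cfg):
    """Tunnel-forwarding VAP profiles whose service VLAN equals the management VLAN."""
    mgmt = management_vlan(ac_cfg)
    return [f"vap-profile {n}: tunnel forwarding, service VLAN {p['service_vlan']} "
            f"is also the management VLAN"
            for n, p in vap_profiles(ac_cfg).items()
            if mgmt is not None and p["forward"] == "tunnel" and p["service_vlan"] == mgmt]

def audit_switch(switch_cfg, mgmt_vlan):
    """Trunk ports whose PVID is the management VLAN (AP-facing here) without isolation."""
    findings = []
    for st in stanzas(switch_cfg):
        m = re.match(r"interface (\S+)$", st[0])
        if not m:
            continue
        ap_facing = any(re.match(rf"port trunk pvid vlan {mgmt_vlan}$", ln) for ln in st[1:])
        isolated = any(ln.startswith("port-isolate enable") for ln in st[1:])
        if ap_facing and not isolated:
            findings.append(f"{m.group(1)}: AP-facing port without port-isolate enable")
    return findings

if __name__ == "__main__":
    for finding in audit_ac(AC_BAD) + audit_switch(SWITCH_BAD, management_vlan(AC_BAD)):
        print("FINDING:", finding)
```

The parser strips indentation before matching, so it accepts both indented exports and flattened copies of the configuration files.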
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-15 Networking for configuring Layer 2 tunnel forwarding in inline mode
Data Planning
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type             State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN         nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
Figure 4-16 Networking for configuring Layer 2 direct forwarding in bypass mode
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type             State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN         nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-17 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
deployments, configure the security policy according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
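The two checks from the Configuration Notes above (port isolation on AP-facing switch ports, and a service VLAN distinct from the management VLAN in tunnel forwarding mode) can be run against saved configuration files before deployment. The script below is an added example, not part of the Huawei documentation; its function names, the ap_pvid parameter and the trimmed sample configurations are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the Layer 2 tunnel-forwarding example's
# SwitchA and AC configuration files, trimmed to the lines the checks read.
SWITCH_A_CFG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
"""
AC_CFG = """\
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
"""

# Lines that open another WLAN-view block and so end the vap-profile being read.
BLOCK_START = re.compile(r"(\S+-profile|ap-group) name \S+$|ap-id \d+")


def mgmt_vlan(ac_cfg):
    """Management VLAN: the VLANIF used as the CAPWAP source interface."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Return {name: {"mode": ..., "service_vlan": ...}} per vap-profile block."""
    profiles, current = {}, None
    for line in map(str.strip, ac_cfg.splitlines()):
        m = re.match(r"vap-profile name (\S+)$", line)
        if m:
            # Assumption: no saved forward-mode line means direct forwarding.
            current = profiles.setdefault(
                m.group(1), {"mode": "direct-forward", "service_vlan": None})
        elif line in ("#", "return") or BLOCK_START.match(line):
            current = None
        elif current is not None:
            if line.startswith("forward-mode "):
                current["mode"] = line.split()[1]
            m = re.match(r"service-vlan vlan-id (\d+)$", line)
            if m:
                current["service_vlan"] = int(m.group(1))
    return profiles


def interfaces(cfg):
    """Return {interface name: [configuration lines of that interface]}."""
    blocks, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line in ("#", "return"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def audit(switch_cfg, ac_cfg, ap_pvid):
    """Check both notes; ap_pvid is the default VLAN of the AP-facing ports."""
    findings = []
    mgmt = mgmt_vlan(ac_cfg)
    if mgmt is None:
        findings.append("AC: no CAPWAP source VLANIF, management VLAN unknown")
    for name, prof in vap_profiles(ac_cfg).items():
        if mgmt is None or prof["mode"] != "tunnel":
            continue
        if prof["service_vlan"] is None:
            findings.append(f"AC: vap-profile {name}: service VLAN is not a single "
                            "vlan-id (such as a VLAN pool); review it by hand")
        elif prof["service_vlan"] == mgmt:
            findings.append(f"AC: vap-profile {name}: tunnel forwarding, but service "
                            f"VLAN {mgmt} is also the management VLAN")
    for ifname, lines in interfaces(switch_cfg).items():
        ap_facing = f"port trunk pvid vlan {ap_pvid}" in lines
        isolated = any(ln.startswith("port-isolate enable") for ln in lines)
        if ap_facing and not isolated:
            findings.append(f"switch: {ifname}: AP-facing port (PVID {ap_pvid}) "
                            "without port-isolate enable")
    return findings


if __name__ == "__main__":
    print(audit(SWITCH_A_CFG, AC_CFG, ap_pvid=100) or "no findings")
```

For the Layer 3 examples, pass the AP-facing default VLAN (VLAN 10 there) as ap_pvid, since it differs from the CAPWAP source VLAN.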
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.
Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE
This example uses hash, the default VLAN assignment algorithm. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
---------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
---------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
---------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
deployments, configure the security policy according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
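[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit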
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
Networking Requirements
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Figure 4-19 Networking for configuring Layer 3 direct forwarding in bypass mode
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
deployments, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
return
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Figure 4-20 Networking for configuring Layer 3 direct forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On the AC, add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 101 and VLAN 102. Create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
deployments, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after it is manually triggered. Set the radio calibration
mode to scheduled. Configure the APs to perform radio calibration in off-peak hours, for
example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
return
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
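The points raised in the Configuration Notes (port isolation on switch interfaces connected to APs, and a management VLAN kept separate from service VLANs in tunnel forwarding mode), together with reuse of this manual's example pass-phrase, can be checked offline against saved configuration files in the layout shown above. The following Python script is an added example, not Huawei code: the sample configurations are constructed with deliberate faults, the function names are hypothetical, and treating a trunk whose PVID is the AP management VLAN as AP-facing is an assumption of the example.

```python
import re

# Constructed samples in the saved-configuration layout used in this manual.
# GE0/0/3, VLAN 10 in the pool and the plaintext pass-phrase are deliberate faults.
SWITCH_CFG = """#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 10
#
return
"""

AC_CFG = """#
vlan pool sta-pool
 vlan 10 101 to 102
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
#
return
"""


def sections(cfg):
    """Split a configuration into '#'-delimited sections of stripped lines."""
    blocks = re.split(r"(?m)^[ \t]*(?:#|return)[ \t]*$", cfg)
    stripped = ([ln.strip() for ln in b.splitlines() if ln.strip()] for b in blocks)
    return [s for s in stripped if s]


def expand_vlans(tokens):
    """Expand ['10', '101', 'to', '102'] into {10, 101, 102}."""
    vlans, i = set(), 0
    while i < len(tokens):
        ranged = i + 2 < len(tokens) and tokens[i + 1] == "to"
        last = int(tokens[i + 2]) if ranged else int(tokens[i])
        vlans.update(range(int(tokens[i]), last + 1))
        i += 3 if ranged else 1
    return vlans


def audit_switch(cfg, mgmt_vlan):
    """Flag AP-facing trunks (assumed: PVID == management VLAN) lacking port isolation."""
    findings = []
    for sec in sections(cfg):
        if not sec[0].startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in sec
        if ap_facing and not any(ln.startswith("port-isolate enable") for ln in sec):
            findings.append(f"{sec[0].split()[1]}: AP-facing port without port-isolate enable")
    return findings


def audit_ac(cfg, mgmt_vlan, example_passphrases=("a1234567",)):
    """Check pass-phrases and tunnel-mode service VLANs in an AC configuration."""
    findings, pools, vaps = [], {}, {}
    for sec in sections(cfg):
        if sec[0].startswith("vlan pool "):
            members = [expand_vlans(ln.split()[1:]) for ln in sec[1:] if ln.startswith("vlan ")]
            pools[sec[0].split()[2]] = set().union(*members)
        kind = name = None
        for ln in (sec[1:] if sec[0] == "wlan" else []):
            head = re.fullmatch(r"(\S+-profile|ap-group) name (\S+)", ln)
            if head or ln.startswith("ap-id "):
                kind, name = head.groups() if head else (None, None)
                if kind == "vap-profile":
                    vaps[name] = {"tunnel": False, "vlans": set(), "pool": None}
            elif kind == "security-profile":
                # A value wrapped in %^%# is ciphered and cannot be compared offline.
                pw = re.search(r"psk pass-phrase (\S+)", ln)
                if pw and pw.group(1) in example_passphrases:
                    findings.append(f"security-profile {name}: pass-phrase is the manual's example value")
            elif kind == "vap-profile" and ln == "forward-mode tunnel":
                vaps[name]["tunnel"] = True
            elif kind == "vap-profile" and ln.startswith("service-vlan vlan-pool "):
                vaps[name]["pool"] = ln.split()[2]
            elif kind == "vap-profile" and ln.startswith("service-vlan vlan-id "):
                vaps[name]["vlans"] = {int(ln.split()[2])}
    for name, vap in vaps.items():
        service = vap["vlans"] | pools.get(vap["pool"], set())
        if vap["tunnel"] and mgmt_vlan in service:
            findings.append(f"vap-profile {name}: management VLAN {mgmt_vlan} is also a service VLAN in tunnel mode")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_switch(SWITCH_CFG, 10) + audit_ac(AC_CFG, 10)))
```

Run against the direct-forwarding configuration files above with management VLAN 10, both functions return no findings: GE0/0/1 on SwitchA has port isolation enabled, the VAP profile is not in tunnel mode, and the stored pass-phrase is ciphered.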
Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-21 Networking for configuring Layer 3 tunnel forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
Networking Requirements
• AC networking mode: Layer 2 inline mode
• DHCP deployment mode: The AC functions as a DHCP server to allocate IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   FC01::/64
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. On the AC, configure a DHCPv6 server to assign IP addresses to APs, and a DHCPv4
and DHCPv6 server to assign IP addresses to STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
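The port isolation and VLAN separation notes above can be checked mechanically against saved configuration files. The following Python script is an added example, not part of the original document or of any Huawei tool. Its function names and rule labels are hypothetical, and it assumes that the management VLAN is the VLANIF named in capwap source interface, that a switch port whose PVID is the management VLAN faces an AP, and that a VAP profile without a forward-mode line uses direct forwarding.

```python
import re

# Constructed sample input: this example's SwitchA and AC files, reduced to the lines the checks read.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""


def sections(cfg):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    out, cur = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append(cur)
    return out


def management_vlan(ac_cfg):
    """Management VLAN = VLANIF named as the CAPWAP source interface (assumption)."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Map each VAP profile to its forwarding mode and numeric service VLAN.
    'service-vlan vlan-pool' is not expanded and leaves service_vlan as None."""
    profiles, cur = {}, None
    for sec in sections(ac_cfg):
        if sec[0] != "wlan":
            continue
        for line in sec[1:]:
            if m := re.match(r"vap-profile name (\S+)", line):
                cur = profiles.setdefault(m.group(1), {"mode": "direct-forward", "service_vlan": None})
            elif re.match(r"(\S+-profile|ap-group) name ", line) or line.startswith("ap-id "):
                cur = None  # another object starts; works on files that lost their indentation
            elif cur is not None:
                if m := re.match(r"forward-mode (\S+)", line):
                    cur["mode"] = m.group(1)
                elif m := re.match(r"service-vlan vlan-id (\d+)", line):
                    cur["service_vlan"] = int(m.group(1))
    return profiles


def audit(switch_cfg, ac_cfg):
    """Return (rule, object) findings for the two Configuration Notes."""
    findings = []
    mgmt = management_vlan(ac_cfg)
    if mgmt is None:
        return [("NO_CAPWAP_SOURCE", "AC")]
    # Note 1: in tunnel forwarding mode the service VLAN must differ from the management VLAN.
    for name, prof in vap_profiles(ac_cfg).items():
        if prof["mode"] == "tunnel" and prof["service_vlan"] == mgmt:
            findings.append(("MGMT_EQ_SERVICE_VLAN", name))
    # Note 2: AP-facing ports (PVID == management VLAN, an assumption) need port isolation.
    for sec in sections(switch_cfg):
        port = re.match(r"interface (\S+)", sec[0])
        pvids = [int(x.group(1)) for ln in sec if (x := re.match(r"port trunk pvid vlan (\d+)", ln))]
        if port and mgmt in pvids and not any(ln.startswith("port-isolate enable") for ln in sec):
            findings.append(("NO_PORT_ISOLATION", port.group(1)))
    return findings


if __name__ == "__main__":
    print(audit(SWITCH_CFG, AC_CFG))  # the configuration of this example yields no findings
```

Run it over the files saved from each device after a change; an empty list means both notes are satisfied for VAP profiles that use a numeric service VLAN.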
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IPv4 address to
10.23.101.2/24 and IPv6 address to FC02::2/64.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] ipv6
[AC] dhcp enable
[AC] dhcpv6 pool ap_pool
[AC-dhcpv6-pool-ap_pool] address prefix fc01::/64
[AC-dhcpv6-pool-ap_pool] quit
[AC] interface vlanif 100
[AC-Vlanif100] ipv6 enable
[AC-Vlanif100] ipv6 address fc01::1/64
[AC-Vlanif100] undo ipv6 nd ra halt
[AC-Vlanif100] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif100] ipv6 nd autoconfig other-flag
[AC-Vlanif100] dhcpv6 server ap_pool
[AC-Vlanif100] quit
# Configure the DHCPv4 and DHCPv6 servers on VLANIF 101 to assign IP addresses to
STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• For IPv4:
– In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in
the VLANIF interface view.
– In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address
pool view.
• For IPv6:
Run the dns-server ipv6-address command in the IPv6 address pool view.
[AC] dhcpv6 pool sta_pool
[AC-dhcpv6-pool-sta_pool] address prefix fc02::/64
[AC-dhcpv6-pool-sta_pool] quit
[AC] interface vlanif 101
[AC-Vlanif101] ipv6 enable
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 FC01::3 AP5030DN nor 0 27S
------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address   IPv6 address
---------------------------------------------------------------------------------------------------------------
14cf-9202-13dc  0     area_1  0/1     2.4G 11n  5/1   -62  101  10.23.101.254  FC02::546E:C25C:F4C7:B2AD
---------------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
ipv6
#
vlan batch 100 to 101
#
dhcp enable
#
dhcpv6 pool ap_pool
 address prefix FC01::/64
#
dhcpv6 pool sta_pool
 address prefix FC02::/64
#
interface Vlanif100
 ipv6 enable
 ipv6 address FC01::1/64
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 server ap_pool
#
interface Vlanif101
 ipv6 enable
 ip address 10.23.101.1 255.255.255.0
 ipv6 address FC02::1/64
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcp select interface
 dhcpv6 server sta_pool
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap ipv6 enable
capwap source interface vlanif100
#
wlan
 sta-ipv6-service enable
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
Networking Requirements
• AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-23 Networking for configuring NAT traversal between the AC and APs
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
# Configure a default route with the next hop address 10.23.200.2 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands, respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   11S
-------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection of traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect traffic.
Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
Figure 4-24 Networking for configuring VPN traversal between the AC and APs
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
# On the AC, add GE0/0/1 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.1/24.
<AC> system-view
[AC] sysname AC
[AC] vlan batch 101 200
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.1 24
[AC-Vlanif200] quit
# Configure a static route from the AC to APs with the next hop address 10.23.200.2 on the
AC.
[AC] ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
Step 4 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit
# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit
# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit
# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit
4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC  Name  Group  IP  Type  State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] forward-mode direct-forward
[AC-wlan-net-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-net-prof-wlan-net] security-profile wlan-net
[AC-wlan-net-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-net-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# After the configurations are complete, the AC can ping the APs successfully and the data
transmitted between them is encrypted. You can run the display ipsec statistics esp command
to view packet statistics.
Run the display ike sa command on Router_2, and the following information is displayed:
<Router_2> display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 202.138.162.1 0 RD|ST v1:2
14 202.138.162.1 0 RD|ST v1:1
Number of SA entries : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
----End
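The tunnel configured above protects AC-to-AP traffic only if the ACLs on Router_1 and Router_2 mirror each other and each IKE peer points at an address the other router owns. The following Python check is an added example, not part of the Huawei guide: it cross-checks the two ends and reports flows that would fall outside the tunnel. The config text is constructed from the commands in this section; the function names and the mistyped variant are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed inputs: the ACL, IKE peer and interface commands shown in this
# section, written as config lines. Router_1 is the branch, Router_2 the HQ.
ROUTER_1 = """\
acl number 3101
 rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
ike peer spua
 undo version 2
 ike-proposal 5
 remote-address 202.138.163.1
interface GigabitEthernet0/0/1
 ip address 202.138.162.1 255.255.255.0
"""
ROUTER_2 = """\
acl number 3101
 rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
ike peer spub
 undo version 2
 ike-proposal 5
 remote-address 202.138.162.1
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
"""
# Constructed fault: one mistyped octet in Router_1's destination network.
ROUTER_1_TYPO = ROUTER_1.replace("destination 10.23.200.0",
                                 "destination 10.23.20.0")

AP_NET = ipaddress.ip_network("10.23.100.0/24")   # branch APs
AC_NET = ipaddress.ip_network("10.23.200.0/24")   # headquarters AC

RULE_RE = re.compile(
    r"rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def wildcard_net(addr, wildcard):
    """Turn an address/wildcard pair (10.23.100.0 0.0.0.255) into a network."""
    # ipaddress reads a dotted mask that starts with a zero field as a host
    # mask, which is the wildcard form used by the ACL rules on this page.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def parse(cfg):
    """Pull out the fields this check needs from one device's config text."""
    remote = re.search(r"remote-address (\S+)", cfg)
    return {
        "flows": [(wildcard_net(s, sw), wildcard_net(d, dw))
                  for s, sw, d, dw in RULE_RE.findall(cfg)],
        "remote": remote.group(1) if remote else None,
        "ikev1_only": "undo version 2" in cfg,
        "addrs": set(re.findall(r"^\s*ip address (\S+) \S+", cfg, re.M)),
    }


def audit(name, local_cfg, peer_cfg, must_protect):
    """Return findings for `name`; an empty list means the two ends agree."""
    local, peer = parse(local_cfg), parse(peer_cfg)
    findings = []
    # 1. Each protected flow needs the reversed flow on the peer.
    for src, dst in local["flows"]:
        if (dst, src) not in peer["flows"]:
            findings.append(f"{name}: flow {src} -> {dst} has no mirror on peer")
    # 2. The IKE remote-address must be an address the peer actually owns.
    if local["remote"] not in peer["addrs"]:
        findings.append(f"{name}: remote-address {local['remote']} not on peer")
    # 3. Traffic that matches no rule is forwarded without IPSec protection.
    for src, dst in must_protect:
        if not any(src.subnet_of(s) and dst.subnet_of(d)
                   for s, d in local["flows"]):
            findings.append(f"{name}: {src} -> {dst} is outside the ACL")
    # 4. Both ends must agree on whether IKEv2 is disabled.
    if local["ikev1_only"] != peer["ikev1_only"]:
        findings.append(f"{name}: IKE version setting differs from peer")
    return findings


def check_pair(r1_cfg, r2_cfg):
    """Audit both directions of the branch-to-headquarters tunnel."""
    return (audit("Router_1", r1_cfg, r2_cfg, [(AP_NET, AC_NET)])
            + audit("Router_2", r2_cfg, r1_cfg, [(AC_NET, AP_NET)]))


if __name__ == "__main__":
    print("as configured on this page:", check_pair(ROUTER_1, ROUTER_2))
    for finding in check_pair(ROUTER_1_TYPO, ROUTER_2):
        print(finding)
```

Run it against the typed commands or the saved configuration files of both routers before applying the IPSec policy to the interfaces.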
Configuration Files
• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer spua
proposal tran1
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
ip address 202.138.162.1 255.255.255.0
ipsec policy use1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 200
#
acl number 3101
rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spub v1
undo version 2
pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
ike-proposal 5
remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer spub
proposal tran1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.138.163.1 255.255.255.0
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)
• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security
• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and
regulatory domain profile default
• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory
domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit
# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
work on different channels. Radio 1 and radio 0 are used to establish WDS links with AP_1
and AP_3 respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on actual situations.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit
# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit
# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit
# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1, and bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit
Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type      State  STA  Uptime   ExtraInfo
--------------------------------------------------------------------------------------------------
1   60de-4474-9640  AP_1  ap-group1  10.23.100.254  AP8130DN  nor    0    20M:16S  -
2   dcd2-fc04-b500  AP_2  ap-group2  10.23.100.253  AP8130DN  nor    0    17S      -
3   dcd2-fc96-e4c0  AP_3  ap-group3  10.23.100.252  AP8130DN  nor    0    3M:55S   -
--------------------------------------------------------------------------------------------------
Total: 3
Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -39   -30   0    5   55    42/57/-/-
AP_2    AP_3      0   4    149  root  normal    -56   -40   0    9   59    45/40/60/-
AP_2    AP_1      1   4    157  leaf  normal    -32   -30   0    15  58    41/36/60/-
AP_3    AP_2      1   4    149  leaf  normal    -33   -32   0    7   59    51/59/-/-
-------------------------------------------------------------------------------------------------
Total: 4
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08 1     AP_1    0/1     2.4G 11n  3/34  -68  101  10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wds-security
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 40mhz-plus 149
coverage distance 4
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
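The WDS whitelist and security bindings in an AC configuration file like the one above can be checked mechanically. The following Python check is an added example, not part of the Huawei document: it flags root-mode WDS radios without a populated whitelist, whitelisted peer MACs that match no registered AP, and WDS links whose security profile is not WPA2+PSK+AES. The function names, the placeholder ciphertext, and the assumption that a WDS profile without a wds-mode line is a leaf (as wds-leaf is written above) are this example's own.

```python
# Trimmed copy of the WLAN part of the AC configuration file above. The
# pass-phrase ciphertext is replaced by a placeholder; indentation is optional.
SAMPLE_AC_CONFIG = """\
wlan
 security-profile name wds-security
  security wpa2 psk pass-phrase PLACEHOLDER-CIPHERTEXT aes
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
 wds-profile name wds-root
  security-profile wds-security
  wds-mode root
 ap-group name ap-group1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
"""


def parse(config):
    """Collect the WDS-related objects from an AC configuration file."""
    sec, wl, wds, radios, ap_macs = {}, {}, {}, {}, set()
    block, radio = None, None      # current "<kind> name <x>" block and radio
    for line in config.splitlines():
        t = line.split()
        if len(t) < 2:             # "#", "wlan", "return", blank lines
            continue
        if t[0] == "ap-id":        # AP registration: remember its MAC
            block, radio = ("ap-id", t[1]), None
            if "ap-mac" in t[:-1]:
                ap_macs.add(t[t.index("ap-mac") + 1].lower())
        elif len(t) == 3 and t[1] == "name":   # start of a named profile/group
            block, radio = (t[0], t[2]), None
            if t[0] == "wds-whitelist-profile":
                wl[t[2]] = set()
            elif t[0] == "wds-profile":
                # Assumption: no wds-mode line means leaf (see wds-leaf above).
                wds[t[2]] = {"mode": "leaf", "sec": None}
        elif block is None:
            continue
        elif block[0] == "security-profile" and t[0] == "security":
            sec[block[1]] = t[1:]
        elif block[0] == "wds-whitelist-profile" and len(t) == 3 \
                and t[:2] == ["peer-ap", "mac"]:
            wl[block[1]].add(t[2].lower())
        elif block[0] == "wds-profile" and t[0] == "wds-mode":
            wds[block[1]]["mode"] = t[1]
        elif block[0] == "wds-profile" and t[0] == "security-profile":
            wds[block[1]]["sec"] = t[1]
        elif block[0] == "ap-group" and t[0] == "radio":
            radio = t[1]
            radios[(block[1], radio)] = {}
        elif block[0] == "ap-group" and radio and len(t) == 2:
            radios[(block[1], radio)][t[0]] = t[1]   # profile bound to radio
    return sec, wl, wds, radios, ap_macs


def audit(config):
    """Return a list of findings for radios that carry a WDS profile."""
    sec, wl, wds, radios, ap_macs = parse(config)
    findings = []
    for (group, rid), bound in sorted(radios.items()):
        profile = wds.get(bound.get("wds-profile"))
        if profile is None:        # radio carries no WDS link
            continue
        where = f"{group} radio {rid}"
        policy = sec.get(profile["sec"]) or []
        if policy[:2] != ["wpa2", "psk"] or policy[-1:] != ["aes"]:
            findings.append(f"{where}: WDS link is not WPA2+PSK+AES")
        if profile["mode"] != "root":
            continue               # leaf profiles reference no whitelist
        peers = wl.get(bound.get("wds-whitelist-profile"))
        if not peers:
            findings.append(f"{where}: root radio has no populated WDS whitelist")
            continue
        for mac in sorted(peers - ap_macs):
            findings.append(f"{where}: whitelisted peer {mac} is not a registered AP")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_AC_CONFIG) or "no findings")
```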
Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
Data Planning
Item Data
WDS profile
• wds-net1 (WDS profile used by AP_1): WDS mode root, referenced WDS whitelist wds-list1, permitting access only from AP_2
• wds-net2 (WDS profile used by AP_3): WDS mode root, referenced WDS whitelist wds-list2, permitting access only from AP_4
• wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS whitelist
Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and PCs.
# Configure Switch_A as a DHCP server to assign IP addresses to PCs from an interface
address pool.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-leaf1,
and AP_4 to AP group wds-leaf2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root1/1] coverage distance 4
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit
# Configure the security profile wds-sec used by WDS links. The profile wds-sec supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit
# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4474-9640
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit
# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2.
# Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit access only
from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
Step 6 Configure the wired port profile used by the wired interfaces on AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in untagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan untagged 101
[AC-wlan-wired-port-wired-port] quit
Step 7 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit
# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit
# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit
# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
NOTE
After referencing the AP wired port profile in endpoint mode, configure the AP to go online on the AC and
obtain the configuration. Then restart the AP to make the configuration effective.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
[AC] quit
Run the display wlan wds link all command to check information about the WDS links.
<AC> display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Verify that the AP goes online and restart AP_4 to make the working mode of the AP wired
port effective.
<AC> system-view
[AC] wlan
[AC-wlan-view] ap-reset ap-group wds-leaf2
Warning: Reset AP(s), continue?[Y/N]:y
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group wds-root1
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group wds-leaf1
ap-id 3 type-id 39 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group wds-root2
ap-id 4 type-id 39 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_4
ap-group wds-leaf2
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add area_1 to the AP group mesh-mpp and area_2 and area_3 to the AP group mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC-wlan-ap-1] ap-name area_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9640
[AC-wlan-ap-3] ap-name area_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set the Mesh role of area_1 to Mesh-portal. area_2 and area_3 use
the default Mesh role Mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on area_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
[AC] quit
# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
<AC> display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
--------------------------------------------------------------------------------------------------------------
APName P-APName P-APMAC        Rf Dis Ch  Mesh   P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
--------------------------------------------------------------------------------------------------------------
area_1 area_2   dcd2-fc04-b500 1  4   157 portal normal   -30  -27  0   12 67   62/65/-/-
area_1 area_3   60de-4474-9640 1  4   157 portal normal   -26  -24  0   12 71   67/68/-/-
area_3 area_2   dcd2-fc04-b500 1  4   157 node   normal   -19  -3   0   5  77   66/76/-/-
area_3 area_1   60de-4476-e360 1  4   157 node   normal   -32  -4   0   26 64   55/63/-/-
area_2 area_1   60de-4476-e360 1  4   157 node   normal   -32  -4   0   12 64   62/61/-/-
area_2 area_3   60de-4474-9640 1  4   157 node   normal   -14  -12  0   4  82   71/82/-/-
--------------------------------------------------------------------------------------------------------------
Total: 6
----End
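An added example, not part of the Huawei document: a Python check that parses display wlan mesh link all output and reports any link whose peer name or MAC does not match the APs registered in Step 4, or whose P-Status is not normal. The sample rows are trimmed from the output above, with the first row wrapped across two lines to show that terminal-wrapped rows are handled; the function names are this example's own.

```python
# AP inventory as registered with the ap-id commands in Step 4 (name -> MAC).
REGISTERED_APS = {
    "area_1": "60de-4476-e360",
    "area_2": "dcd2-fc04-b500",
    "area_3": "60de-4474-9640",
}

# Column order of the "display wlan mesh link all" table.
COLUMNS = ["ap", "peer", "peer_mac", "rf", "dis", "ch", "mesh", "status",
           "rssi", "maxr", "per", "re", "tsnr", "snr"]

# Trimmed sample of the command output; the Total line is adjusted to match.
SAMPLE_OUTPUT = """\
Rf : radio ID Dis : coverage distance(100m)
--------------------------------------------------
----------------
APName P-APName P-APMAC Rf Dis Ch Mesh P-
Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
--------------------------------------------------
----------------
area_1 area_2 dcd2-fc04-b500 1 4 157 portal
normal -30 -27 0 12 67 62/65/-/-
area_1 area_3 60de-4474-9640 1 4 157 portal normal -26 -24 0 12 71 67/68/-/-
area_3 area_1 60de-4476-e360 1 4 157 node normal -32 -4 0 26 64 55/63/-/-
--------------------------------------------------
Total: 3
"""


def parse_links(output):
    """Return one dict per mesh link, tolerating rows wrapped over lines."""
    lines = [line.strip() for line in output.splitlines()]
    start = next((i for i, l in enumerate(lines) if l.startswith("APName")), None)
    if start is None:
        return []
    tokens, in_body = [], False
    for line in lines[start:]:
        rule = bool(line) and set(line) == {"-"}
        if not in_body:
            in_body = rule         # the rule under the header opens the body
            continue
        if rule:
            if tokens:
                break              # closing rule after the last row
            continue               # wrapped remainder of the opening rule
        tokens += line.split()
    n = len(COLUMNS)
    return [dict(zip(COLUMNS, tokens[i:i + n]))
            for i in range(0, len(tokens) - n + 1, n)]


def check_links(output, registered=REGISTERED_APS):
    """Compare each link's peer with the AP inventory and its status."""
    findings = []
    for link in parse_links(output):
        name = f"{link['ap']} -> {link['peer']}"
        expected = registered.get(link["peer"])
        if expected is None:
            findings.append(f"{name}: peer is not a registered AP")
        elif expected != link["peer_mac"].lower():
            findings.append(
                f"{name}: peer MAC {link['peer_mac']} differs from registered {expected}")
        if link["status"] != "normal":
            findings.append(f"{name}: P-Status is {link['status']}")
    return findings


if __name__ == "__main__":
    print(check_links(SAMPLE_OUTPUT) or "no findings")
```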
Configuration Files
• Configuration file of the Switch_A
#
sysname Switch_A
#
vlan batch 100
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Mesh not
AP8050TN-HD 802.11ac 802.11ac
supported
Mesh not
AP4051TN 802.11n 802.11ac
supported
Mesh not
AP4030TN 802.11n 802.11ac
supported
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively. You can add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 1047-80ac-cc60
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with
multiple MPPs simultaneously, configure the MPPs to work on the same channel.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
# Configure the security profile mesh-sec used by Mesh links. The profile mesh-sec supports
the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to Mesh-portal. AP_3 and AP_4
use the default Mesh role Mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name  Group     IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
1   60de-4474-9640  AP_1  mesh-mpp  10.23.100.254  AP8130DN  nor    0    5M:44S  -
2   dcd2-fc04-b500  AP_2  mesh-mpp  10.23.100.253  AP8130DN  nor    0    6M:15S  -
3   dcd2-fc96-e4c0  AP_3  mesh-mp   10.23.100.252  AP8130DN  nor    0    1M:35S  -
4   1047-80ac-cc60  AP_4  mesh-mp   10.23.100.251  AP8130DN  nor    0    3M:56S  -
--------------------------------------------------------------------------------------------------
Total: 4
# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
--------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
--------------------------------------------------------------------------------------------------------
AP_1    AP_4      1047-80ac-cc60  1   4    157  portal  normal    -28   -27   0    25  70    62/69/-/-
AP_1    AP_3      dcd2-fc96-e4c0  1   4    157  portal  normal    -18   -2    0    0   78    73/77/-/-
AP_2    AP_4      1047-80ac-cc60  1   4    157  portal  normal    -17   -16   0    52  80    57/49/80/-
AP_2    AP_3      dcd2-fc96-e4c0  1   4    157  portal  normal    -24   -21   0    0   72    58/54/72/-
AP_4    AP_1      60de-4474-9640  1   4    157  node    normal    -29   -29   0    0   65    64/58/-/-
AP_4    AP_2      dcd2-fc04-b500  1   4    157  node    normal    -21   -19   0    10  76    76/64/-/-
AP_4    AP_3      dcd2-fc96-e4c0  1   4    157  node    normal    -7    -1    0    0   89    88/82/-/-
AP_3    AP_2      dcd2-fc04-b500  1   4    157  node    normal    -35   -32   0    35  61    51/60/-/-
AP_3    AP_1      60de-4474-9640  1   4    157  node    normal    -27   -23   0    0   70    68/66/-/-
AP_3    AP_4      1047-80ac-cc60  1   4    157  node    normal    -13   -11   0    23  83    80/81/-/-
--------------------------------------------------------------------------------------------------------
Total: 10
# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_4 /1047-80ac-cc60/MP /1
--------------------------------------------------------------------------
Total: 2
# When the link between AP_2 and AC is faulty, AP_2 automatically changes to an MP and
goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 go online on AP_1.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3
----End
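The two route tables above can be compared automatically to notice an MPP that has lost its wired uplink or a next hop that is not a registered AP. The following Python code is an added example, not part of the Huawei guide; it parses the display wlan mesh route all output shown above, and its function names and finding labels are assumptions of this example.

```python
import re

# One side of a route row as printed by the AC, e.g. "AP_4 /1047-80ac-cc60/MP /1".
_HOP = r"(\S+?)\s*/([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(MPP|MP)\s*/(\d+)"
_ROW = re.compile(rf"^\s*{_HOP}\s+{_HOP}\s*$", re.IGNORECASE)

# MAC addresses of the four APs registered on the AC in this example (ap-id 1 to 4).
KNOWN_APS = {"60de-4474-9640", "dcd2-fc04-b500", "dcd2-fc96-e4c0", "1047-80ac-cc60"}

# Output copied from the page: normal operation, then AP_2's link to the AC is faulty.
BEFORE = """\
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_4 /1047-80ac-cc60/MP /1
--------------------------------------------------------------------------
Total: 2
"""
AFTER = """\
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3
"""


def parse_mesh_routes(text):
    """Return {ap_mac: route} for every data row of the route table."""
    routes = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # separator, header and "Total:" lines
        name, mac, role, _radio, nh_name, nh_mac, nh_role, _nh_radio = m.groups()
        routes[mac.lower()] = {
            "name": name, "role": role.upper(),
            "nh_name": nh_name, "nh_mac": nh_mac.lower(), "nh_role": nh_role.upper(),
        }
    return routes


def diff_mesh_routes(before, after, known=KNOWN_APS):
    """Compare two snapshots and return (kind, ap_name, detail) findings."""
    old, new = parse_mesh_routes(before), parse_mesh_routes(after)
    # MPPs do not appear as route sources; they are only visible as MPP next hops.
    old_portals = {r["nh_mac"] for r in old.values() if r["nh_role"] == "MPP"}
    findings = []
    for mac, cur in sorted(new.items()):
        prev = old.get(mac)
        if prev is None and mac in old_portals:
            findings.append(("mpp-demoted", cur["name"], f"now an MP via {cur['nh_name']}"))
        elif prev is None:
            findings.append(("new-route", cur["name"], f"via {cur['nh_name']}"))
        elif prev["nh_mac"] != cur["nh_mac"]:
            findings.append(("next-hop-changed", cur["name"],
                             f"{prev['nh_name']} -> {cur['nh_name']}"))
        if cur["nh_mac"] not in known:
            findings.append(("unknown-next-hop", cur["name"], cur["nh_mac"]))
    for mac, prev in sorted(old.items()):
        if mac not in new:
            findings.append(("route-gone", prev["name"], f"was via {prev['nh_name']}"))
    return findings


if __name__ == "__main__":
    for kind, ap, detail in diff_mesh_routes(BEFORE, AFTER):
        print(f"{kind:17} {ap:5} {detail}")
```
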
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac dcd2-fc04-b500
peer-ap mac dcd2-fc96-e4c0
peer-ap mac 1047-80ac-cc60
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group mesh-mpp
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group mesh-mpp
ap-id 3 ap-mac dcd2-fc96-e4c0
ap-name AP_3
ap-group mesh-mp
ap-id 4 ap-mac 1047-80ac-cc60
ap-name AP_4
ap-group mesh-mp
#
return
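The AC configuration file above binds the Mesh whitelist mesh-list to radio 1 of both AP groups and lists the MAC addresses of the four registered APs as peers. The following Python check is an added example, not part of the Huawei guide; it verifies that relationship in a saved configuration. The function names, finding labels, and the MAC 0200-0000-0001 used in the drifted sample are assumptions of this example.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

# wlan view abridged from the AC configuration file on this page (no indentation,
# as printed there; radio, regulatory-domain and security settings are left out).
PAGE_WLAN = """\
wlan
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac dcd2-fc04-b500
peer-ap mac dcd2-fc96-e4c0
peer-ap mac 1047-80ac-cc60
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
ap-group name mesh-mp
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
ap-group name mesh-mpp
ap-system-profile mesh-sys
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group mesh-mpp
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group mesh-mpp
ap-id 3 ap-mac dcd2-fc96-e4c0
ap-name AP_3
ap-group mesh-mp
ap-id 4 ap-mac 1047-80ac-cc60
ap-name AP_4
ap-group mesh-mp
#
"""
# Constructed drift: AP_4's peer entry replaced by an unregistered MAC, and the
# whitelist binding removed from the first mesh radio (AP group mesh-mp).
DRIFTED = (PAGE_WLAN
           .replace("peer-ap mac 1047-80ac-cc60", "peer-ap mac 0200-0000-0001")
           .replace("mesh-profile mesh-net\nmesh-whitelist-profile mesh-list",
                    "mesh-profile mesh-net", 1))


def parse_wlan(config):
    """Keyword-driven parse of the wlan view; indentation is not relied on."""
    whitelists, aps, radios = {}, {}, {}
    ctx = None  # ("wl", name) | ("group", name) | ("radio", group, id) | ("ap", mac)
    for raw in config.splitlines():
        line = raw.strip()
        kind = ctx[0] if ctx else None
        if m := re.fullmatch(r"mesh-whitelist-profile name (\S+)", line):
            ctx = ("wl", m[1])
            whitelists.setdefault(m[1], set())
        elif m := re.fullmatch(r"ap-group name (\S+)", line):
            ctx = ("group", m[1])
        elif m := re.match(rf"ap-id \d+ .*?ap-mac ({MAC})", line, re.I):
            ctx = ("ap", m[1].lower())
            aps[ctx[1]] = {"name": None, "group": None}
        elif re.fullmatch(r"\S+ name \S+", line) or line in ("#", "return"):
            ctx = None  # another profile definition, or end of the section
        elif kind == "wl" and (m := re.fullmatch(rf"peer-ap mac ({MAC})", line, re.I)):
            whitelists[ctx[1]].add(m[1].lower())
        elif kind in ("group", "radio") and (m := re.fullmatch(r"radio (\d+)", line)):
            ctx = ("radio", ctx[1], int(m[1]))
            radios[ctx[1:]] = {"mesh": None, "whitelist": None}
        elif kind == "radio" and (m := re.fullmatch(r"mesh-profile (\S+)", line)):
            radios[ctx[1:]]["mesh"] = m[1]
        elif kind == "radio" and (m := re.fullmatch(r"mesh-whitelist-profile (\S+)", line)):
            radios[ctx[1:]]["whitelist"] = m[1]
        elif kind == "ap" and (m := re.fullmatch(r"ap-(name|group) (\S+)", line)):
            aps[ctx[1]][m[1]] = m[2]
    return whitelists, aps, radios


def audit_mesh_whitelist(config):
    """Return (kind, subject) findings about Mesh whitelist coverage."""
    whitelists, aps, radios = parse_wlan(config)
    findings, allowed, mesh_groups = [], set(), set()
    for (group, rid), bound in sorted(radios.items()):
        if bound["mesh"] is None:
            continue
        mesh_groups.add(group)
        if bound["whitelist"] not in whitelists:   # unbound or undefined profile
            findings.append(("no-whitelist", f"{group}/{rid}"))
        else:
            allowed |= whitelists[bound["whitelist"]]
    for mac in sorted(allowed - set(aps)):
        findings.append(("unregistered-peer", mac))
    for mac, ap in sorted(aps.items()):
        if allowed and ap["group"] in mesh_groups and mac not in allowed:
            findings.append(("ap-not-whitelisted", ap["name"]))
    return findings
```
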
Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.
Networking Requirements
• AC networking mode: Layer 2 inline mode
• Service data forwarding mode: tunnel forwarding
Figure 4-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Data Planning
Item Data
Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.
Configuration Notes
• This example is applicable to an AP with two or more wired uplink interfaces.
• This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check AP information.
Check Item Command Data
# Create the AP wired port profile wired-port1. Add GE0 and GE1 on the AP to Eth-Trunk0.
[AC] wlan
[AC-wlan-view] wired-port-profile name wired-port1
[AC-wlan-wired-port-wired-port1] eth-trunk 0
[AC-wlan-wired-port-wired-port1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 0
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 1
[AC-wlan-ap-group-ap-group1] quit
The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
[AC-wlan-view] ap-reset ap-name AP1
Warning: Reset AP(s), continue?[Y/N]:y
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
description Connect to AP1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Eth-Trunk0
description Connect to switch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
wlan
wired-port-profile name wired-port1
eth-trunk 0
ap-group name ap-group1
wired-port-profile wired-port1 gigabitethernet 0
wired-port-profile wired-port1 gigabitethernet 1
#
return
Figure 4-30 Networking diagram of the device functioning as the PPPoE client
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server.
Step 2 Configure a dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1@system
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit
Step 4 Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit
Step 5 Configure a static route from the local host to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit
----End
Configuration Files
Configuration file of the PPPoE client
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ip address ppp-negotiate
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return
Figure 4-31 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AP as the PPPoE client so that hosts in the LAN can access the Internet
without installing PPPoE client software.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
3. Configure NAT so that LAN users can access the external network.
Procedure
Step 1 Configure the PPPoE client.
# Configure the dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] dialer timer idle 300
[AP-Dialer1] dialer queue-length 8
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit
# Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit
# Configure a static route from the PPPoE client to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
----End
Configuration Files
• Configuration file of AP
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1
ppp chap password cipher %^%#D]<B>${2C"o|jLLQwm<#=FP[~\b3P!w0Vr6BLp4A%^%#
ip address ppp-negotiate
dialer queue-length 8
dialer timer idle 300
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
Data Planning
Item                               Data
Management VLAN for APs            VLAN100
Service VLAN for STAs              VLAN101
IP address pool for APs            10.23.100.2-10.23.100.254/24
IP address pool for STAs           10.23.101.3-10.23.101.254/24
Authentication-free rule profile   • Name: default_free_rule
                                   • Authentication-free resource: IP address of the DNS server (8.8.8.8)
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure external Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage external Portal authentication
configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on AC with the outbound interface as the router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
• In this example, the device is connected to the Agile Controller-Campus. Accounting is not
used here for actual accounting; it is used to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time
accounting interval requires higher performance of the device and RADIUS server. Set the
real-time accounting interval based on the user quantity.
User Quantity   Real-Time Accounting Interval
1-99            3 minutes
100-499         6 minutes
500-999         12 minutes
≥ 1000          ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the website to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: built-in Portal authentication
• Security policy: open
Figure 4-33 Networking for configuring built-in Portal authentication for local users
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure built-in Portal authentication for local users.
a. Configure local authentication parameters.
b. Configure a Portal access profile for the built-in Portal server to manage Portal
access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage built-in Portal authentication
configuration.
4. Configure WLAN service parameters to control access from STAs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
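The VLAN and port-isolation rules in these notes can be checked mechanically before deployment. The following is an added example, not part of the Huawei guide: the function names are hypothetical, the inputs are constructed from the AC and SwitchA settings used in this example, and it assumes that a VAP profile without a forward-mode line uses direct forwarding.

```python
import re

# Constructed inputs, assembled from the AC and SwitchA settings used in this example.
AC_CFG = """\
capwap source interface vlanif100
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 ap-group name ap-group1
  vap-profile wlan-net wlan 1
"""
SWITCHA_CFG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
"""

def parse_vlan_list(tokens):
    """Expand ['100', '101'] or ['100', 'to', '104'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_ac(text):
    """Return (management VLAN of the CAPWAP source, {VAP profile: settings})."""
    mgmt, vaps, cur = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"capwap source interface vlanif\s*(\d+)", line, re.I)
        if m:
            mgmt = int(m.group(1))
        elif re.match(r"vap-profile name \S+", line):
            # Assumption: a profile without forward-mode uses direct forwarding.
            cur = vaps.setdefault(line.split()[2], {"mode": "direct-forward", "svc": None})
        elif re.match(r"(\S+-profile name |ap-group name |#)", line):
            cur = None  # left the VAP profile view
        elif cur is not None:
            m = re.match(r"forward-mode (\S+)", line)
            if m:
                cur["mode"] = m.group(1)
            m = re.match(r"service-vlan vlan-id (\d+)", line)
            if m:
                cur["svc"] = int(m.group(1))
    return mgmt, vaps

def parse_ports(text):
    """Return {interface: allowed VLANs and port-isolation state}."""
    ports, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ports.setdefault(m.group(1), {"allow": set(), "isolated": False})
        elif line == "#":
            cur = None
        elif cur is not None:
            m = re.match(r"port trunk allow-pass vlan (.+)", line)
            if m:
                cur["allow"] |= parse_vlan_list(m.group(1).split())
            if line.startswith("port-isolate enable"):
                cur["isolated"] = True
    return ports

def check(ac_text, switch_text, ap_port):
    """List violations of the notes above for the switch port that faces the AP."""
    mgmt, vaps = parse_ac(ac_text)
    port = parse_ports(switch_text).get(ap_port, {"allow": set(), "isolated": False})
    problems = []
    if mgmt not in port["allow"]:
        problems.append(f"{ap_port}: management VLAN {mgmt} not allowed towards the AP")
    for name, vap in sorted(vaps.items()):
        if vap["mode"] == "tunnel":
            if vap["svc"] == mgmt:
                problems.append(f"{name}: service VLAN equals management VLAN {mgmt}")
            elif vap["svc"] in port["allow"]:
                problems.append(f"{ap_port}: service VLAN {vap['svc']} allowed towards the AP in tunnel mode")
        elif not port["isolated"]:
            problems.append(f"{ap_port}: direct forwarding without port isolation")
    return problems

if __name__ == "__main__":
    print(check(AC_CFG, SWITCHA_CFG, "GigabitEthernet0/0/1") or "no violations")
```

Both the `100 101` and the `100 to 101` forms of allow-pass, which appear in the configuration files of this guide, are expanded to the same VLAN set.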
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Configure the user name, password, and service type of the local user.
[AC-aaa] local-user guest password cipher guest@123
[AC-aaa] local-user guest service-type web
[AC-aaa] quit
NOTE
The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair privatekey.pem have
been requested, obtained, and uploaded to the storage medium of the device. If multiple CA certificates are
requested, perform the same operation to load each certificate to the memory of the device. The password
set when privatekey.pem was generated is Huawei@123.
[AC] pki realm abc
[AC-pki-realm-abc] quit
[AC] pki import-certificate local realm abc pem filename abc_local.pem
[AC] pki import-certificate ca realm abc pem filename abc_ca.pem
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
# Configure the SSL policy default_policy and load the digital certificate.
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
# Check the configuration of the SSL policy. The status of the CA and local certificates must
be loaded.
[AC] display ssl policy default_policy
------------------------------------------------------------------------------
Policy name : default_policy
Policy ID : 2
Policy type : Server
Cipher suite : rsa_aes_128_sha256
rsa_aes_256_sha256
PKI realm : abc
Version : tls1.0 tls1.1 tls1.2
Cache number : 32
Time out(second) : 3600
Server certificate load status : loaded
CA certificate chain load status : loaded
SSL renegotiation status : enable
Bind number : 1
SSL connection number : 0
------------------------------------------------------------------------------
# Create the Portal access profile wlan-net and configure it to use the built-in Portal server.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] portal local-server enable
[AC-portal-access-profile-wlan-net] quit
Step 9 Configure an authentication-free rule profile to allow users to access the DNS server before
authentication.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit
# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
pki realm abc
pki import-certificate local realm abc pem filename abc_local.pem
pki import-certificate ca realm abc pem filename abc_ca.pem
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open
Data Planning
Item                        Data
Management VLAN for APs     VLAN100
Service VLAN for STAs       VLAN101
IP address pool for APs     10.23.100.2–10.23.100.254/24
IP address pool for STAs    10.23.101.3–10.23.101.254/24
MAC access profile          Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on the AC with the next hop set to the IP address of the router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
• In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
  used for actual accounting here; it is used to maintain terminal online information through
  accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
  interval requires higher performance of the device and RADIUS server. Set the real-time accounting
  interval based on the user quantity.
  User Quantity    Real-Time Accounting Interval
  1-99             3 minutes
  100-499          6 minutes
  500-999          12 minutes
  ≥ 1000           ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user's request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
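The commands used in the built-in Portal and MAC address-prioritized Portal procedures above carry several settings worth reviewing before they reach production: legacy TLS versions, RSA-only cipher suites, an HTTP Portal URL, and passwords that are printed in this guide. The following audit is an added example, not part of the Huawei guide; the finding names are hypothetical, the sample session is constructed from command lines on this page, and it assumes that suite names starting with rsa_ denote RSA key exchange.

```python
import re

# Passwords and keys printed in this guide's examples (copied from the page).
DOC_SECRETS = {"guest@123", "Huawei@123", "Huawei123"}

PROMPT_RE = re.compile(r"^\s*[\[<][^\]>]+[\]>]\s*")  # "[AC-aaa] " or "<HUAWEI> "
SECRET_RE = re.compile(r"(?:password(?: cipher)?|shared-key cipher|\bkey cipher)\s+(\S+)")

# Constructed sample: command lines taken from the steps above.
SAMPLE_SESSION = """\
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-aaa] local-user guest password cipher guest@123
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
"""


def audit(text):
    """Return sorted (line number, finding, detail) tuples for a CLI session or saved config."""
    findings, first_seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = PROMPT_RE.sub("", raw).strip()  # accept prompts or bare config lines

        m = re.match(r"version\s+(.+)", line)
        if m:
            # TLS 1.0 and 1.1 are deprecated (RFC 8996).
            legacy = [v for v in m.group(1).split() if v in ("tls1.0", "tls1.1")]
            if legacy:
                findings.append((no, "TLS_LEGACY", " ".join(legacy)))

        m = re.match(r"ciphersuite\s+(.+)", line)
        if m:
            # Assumption: an rsa_ prefix means RSA key exchange, which has no forward secrecy.
            static_rsa = [s for s in m.group(1).split() if s.startswith("rsa_")]
            if static_rsa:
                findings.append((no, "NO_FORWARD_SECRECY", " ".join(static_rsa)))

        if re.match(r"pki import rsa-key-pair\b.*\spassword\s+\S+", line):
            findings.append((no, "KEY_PASSPHRASE_INLINE",
                             "private-key password appears in the command or config"))

        m = re.match(r"url\s+(http://\S+)", line)
        if m:
            findings.append((no, "PORTAL_CLEARTEXT_HTTP", m.group(1)))

        for sm in SECRET_RE.finditer(line):
            value = sm.group(1)
            if value in DOC_SECRETS:
                # The value itself is not echoed into the report.
                findings.append((no, "DOC_SECRET", "value is printed in the vendor guide"))
            if first_seen.setdefault(value, no) != no:
                findings.append((no, "SECRET_REUSE", f"same value as line {first_seen[value]}"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, finding, detail in audit(SAMPLE_SESSION):
        print(f"line {line_no}: {finding}: {detail}")
```

The SECRET_REUSE check also applies to saved configuration files, where it compares the stored ciphertext strings of the shared key and the URL parameter key.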
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
mac-access-profile name wlan-net
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC authentication
• Security policy: open
Figure 4-37 Networking for configuring MAC authentication for local users
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC authentication for local users.
a. Configure AAA local authentication.
b. Configure a MAC access profile to manage MAC access control parameters.
c. Configure an authentication profile to manage MAC configuration.
4. Configure WLAN service parameters to control access from STAs.
NOTE
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Configure the user name, password, and service type of the local user. (When AAA local
authentication is used for MAC address authentication users, the service type of the local user
is not matched and checked.)
# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
After dumb terminals associate with the WLAN, authentication is performed automatically.
Users can directly access the network after the authentication succeeds.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
local-user 0011-2233-4455 password cipher %^%#UOqb<rt$CW%80lUOh;xKLN;s~^Icp!s7MZ.8(Y|5%^%#
local-user 0011-2233-4455 privilege level 0
local-user 0011-2233-4455 service-type 8021x
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format with-hyphen password cipher %^%#PW~_5m;sAFFI.cEB"%^@6@4$96ds_5+O'28+d3:A%^%#
#
return
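The following audit script is an added example, not part of the Huawei guide. It parses an AC configuration file of the shape listed above and reports two conditions the guide itself describes: a VAP whose security profile is left at the default open system policy while its authentication profile binds no 802.1x access profile, and a tunnel-forwarding VAP whose service VLAN equals the management VLAN. The function names, the `staff` profiles and the sample configuration are constructed; treating the CAPWAP source VLANIF as the management VLAN and a missing forward-mode line as direct forwarding are assumptions inferred from the guide's configuration files.

```python
import re

# Constructed sample, modelled on the guide's local-user MAC authentication AC
# configuration. The "staff" profiles are hypothetical and exist only so that
# the tunnel-mode VLAN check has something to report.
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
authentication-profile name wlan-net
 mac-access-profile wlan-net
 authentication-scheme wlan-net
#
authentication-profile name staff
 dot1x-access-profile staff
 authentication-scheme wlan-net
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
 security-profile name staff
  security wpa-wpa2 dot1x aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-net
  authentication-profile wlan-net
 vap-profile name staff
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile staff
  authentication-profile staff
#
return
"""


def parse_ac_config(text):
    """Collect management VLAN, authentication, security and VAP profiles.

    Works on keywords rather than indentation, so it also accepts listings
    whose leading spaces were lost when the configuration was copied.
    """
    cfg = {"mgmt_vlan": None, "auth": {}, "sec": {}, "vap": {}}
    section = kind = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "return"):          # '#' closes a top-level block
            section = kind = cur = None
            continue
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I)
        if m:                                # assumption: this is the management VLANIF
            cfg["mgmt_vlan"] = int(m.group(1))
            continue
        if line == "wlan":
            section, kind, cur = "wlan", None, None
            continue
        hdr = re.fullmatch(r"(\S+) name (\S+)", line)
        if section is None and hdr and hdr.group(1) == "authentication-profile":
            section = "authp"
            cur = cfg["auth"].setdefault(hdr.group(2), {"methods": []})
            continue
        if section == "authp":
            m = re.fullmatch(r"(mac|dot1x)-access-profile (\S+)", line)
            if m:
                cur["methods"].append(m.group(1))
            continue
        if section != "wlan":
            continue
        if hdr or line.startswith("ap-id "):  # a new object inside the wlan view
            kind = hdr.group(1) if hdr else "ap"
            if kind == "security-profile":    # no 'security' line means open system
                cur = cfg["sec"].setdefault(hdr.group(2), {"policy": "open"})
            elif kind == "vap-profile":       # assumption: default is direct forwarding
                cur = cfg["vap"].setdefault(hdr.group(2), {
                    "forward": "direct-forward", "vlan": None,
                    "security-profile": None, "authentication-profile": None})
            else:
                cur = None
            continue
        if cur is None:
            continue
        key, _, value = line.partition(" ")
        if kind == "security-profile" and key == "security":
            cur["policy"] = value
        elif kind == "vap-profile":
            if key == "forward-mode":
                cur["forward"] = value
            elif key == "service-vlan":
                cur["vlan"] = int(value.split()[-1])
            elif key in ("security-profile", "authentication-profile"):
                cur[key] = value
    return cfg


def audit(cfg):
    """Return (vap, code, message) tuples, sorted by VAP profile name."""
    findings = []
    for name, vap in sorted(cfg["vap"].items()):
        sec = cfg["sec"].get(vap["security-profile"], {"policy": "open"})
        auth = cfg["auth"].get(vap["authentication-profile"], {"methods": []})
        if sec["policy"] == "open" and "dot1x" not in auth["methods"]:
            findings.append((name, "open-mac-only",
                             "open system policy without 802.1x: no over-the-air encryption"))
        if vap["forward"] == "tunnel" and vap["vlan"] is not None \
                and vap["vlan"] == cfg["mgmt_vlan"]:
            findings.append((name, "tunnel-vlan-overlap",
                             "service VLAN equals management VLAN in tunnel forwarding mode"))
    return findings


if __name__ == "__main__":
    for vap, code, message in audit(parse_ac_config(SAMPLE_AC_CONFIG)):
        print(f"{vap}: {code}: {message}")
```
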
Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
Figure 4-38 Networking for configuring user authorization based on user groups
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.
NOTE
Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
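The effect of ACL 3001 on the post-authentication domain can be checked offline. The following is an added example, not part of the original guide or Huawei code: it parses the two rules above and evaluates destinations with wildcard-mask matching, assuming the default configuration-order matching (ascending rule ID, first match wins). The names Rule, parse_rule, parse_acl, evaluate and swapped_order are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# ACL 3001 exactly as entered in the CLI session on this page.
ACL_3001_CLI = """\
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
"""

ANY = 0xFFFFFFFF  # wildcard in which every bit is "don't care"


class Rule(NamedTuple):
    rule_id: int
    action: str    # "permit" or "deny"
    base: int      # destination address as a 32-bit integer
    wildcard: int  # 1-bits are ignored when comparing, 0-bits must match


def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'rule <id> permit|deny ip [destination <addr> <wildcard> | any]'."""
    tokens = line.split()
    if tokens and tokens[0].startswith("["):  # drop a prompt such as [AC-acl-adv-3001]
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] != "rule" or tokens[3] != "ip":
        return None  # not a rule line (acl 3001, quit, ...)
    if tokens[2] not in ("permit", "deny"):
        return None
    rest = tokens[4:]
    if not rest or rest == ["destination", "any"]:
        # The saved configuration file writes rule 2 as plain "rule 2 deny ip".
        base, wildcard = 0, ANY
    elif len(rest) == 3 and rest[0] == "destination":
        base = int(ipaddress.IPv4Address(rest[1]))
        wildcard = int(ipaddress.IPv4Address(rest[2]))
    else:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(int(tokens[1]), tokens[2], base, wildcard)


def parse_acl(text: str):
    """Return every rule found in a CLI transcript or configuration fragment."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def evaluate(rules, destination: str):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    addr = int(ipaddress.IPv4Address(destination))
    for rule in sorted(rules, key=lambda r: r.rule_id):
        # Only bits whose wildcard bit is 0 take part in the comparison.
        if ((addr ^ rule.base) & ~rule.wildcard & ANY) == 0:
            return rule.action, rule.rule_id
    return None, None  # no rule matched; the result then depends on the feature using the ACL


def swapped_order():
    """Constructed counter-example: with the IDs exchanged, deny-any shadows the permit."""
    return parse_acl(
        "rule 1 deny ip\n"
        "rule 2 permit ip destination 10.23.200.0 0.0.0.255\n"
    )


if __name__ == "__main__":
    acl = parse_acl(ACL_3001_CLI)
    for dst in ("10.23.200.17", "10.23.201.1", "10.23.103.1"):
        print(dst, evaluate(acl, dst))
    print("swapped IDs:", evaluate(swapped_order(), "10.23.200.17"))
```

Running the same check against the rules exported from a live AC shows whether group1 users can reach anything outside 10.23.200.0/24.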
• For interconnection with the Aruba ClearPass, see "Example for Configuring User
Authorization Based on User Groups (CLI)" in the WLAN Product Interoperation
Configuration Guide-Typical Configuration for Interconnection Between AC and Aruba
ClearPass Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return
Networking Requirements
As shown in Figure 4-39, the AC of a shop directly connects to an AP. The shop deploys a
WLAN wlan-net to provide wireless network access for consumers. The AC functions as a
DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.
To improve its brand popularity and image, the shop allows consumers to connect to the open
Wi-Fi network using WeChat. Users can obtain access to the Internet by WeChat
authentication, without the need to enter a user name or password.
Figure 4-39 Networking diagram for configuring WeChat authentication using a built-in
Portal server
[Figure labels: STA; AP area_1; AC with built-in Portal server 10.1.1.1/24; GE0/0/1 (VLAN100); GE0/0/2 (VLAN101); Intranet; WeChat server; DNS server 10.23.200.2. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices, and the AP can go online.
2. Set the AAA authentication mode to none.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure the social media authentication server.
5. Configure WeChat authentication for WeChat users.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters, and bind a security policy profile and the
authentication profile to a VAP profile to control access of STAs.
Data Plan
Item                      Data
Authentication profile    • Name: p1
                          • Bound profile and authentication scheme: Portal access profile portal1
                            and authentication scheme wechat
Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).
NOTE
In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as a DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
Step 4 Configure a route from the AC to the server area (assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
----------------
# Create the Portal access profile portal1 and configure it to use the built-in Portal server and
WeChat authentication function.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] portal local-server wechat
[AC-portal-access-profile-portal1] quit
Step 8 Configure the social media authentication server. For details, see Agile Controller-Campus
Product Documentation - Example for Configuring Guest Access Using Social Media
Accounts (GooglePlus, Facebook, or Twitter Accounts).
Step 9 Configure WeChat authentication.
# Configure the WeChat account.
[AC] portal local-server wechat-authen
[AC-wechat-authen] public-account appid wxappid123 appsecret hauwei@123
[AC-wechat-authen] quit
# Configure the AC to automatically obtain shop information from the WeChat server.
[AC] portal local-server wechat-authen
[AC-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
[AC-wechat-authen] polling-time 4800
[AC-wechat-authen] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
AC configuration file
#
sysname AC
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#
dhcp enable
#
pki realm pki-wechat
#
ssl policy ssl-wechat type client
pki-realm pki-wechat
undo server-verify enable
#
free-rule-template name default_free_rule
#
portal-access-profile name portal1
portal local-server enable
portal local-server wechat
#
aaa
authentication-scheme wechat
authentication-mode none
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
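Saved AC configuration files such as the one above can be reviewed mechanically before deployment. The following is an added example, not part of the original guide or Huawei tooling: it flags an SSL client policy with `undo server-verify enable`, a Portal `url-template` that uses `http://`, and a tunnel-forwarding VAP profile whose service VLAN equals the CAPWAP management VLAN. The finding labels, the `lab-vap` profile and the indented layout of the sample are constructed assumptions; a VAP profile without a `forward-mode` line is assumed to use direct forwarding, as in this guide's 802.1x configuration file.

```python
import re

# Constructed sample built from statements that appear in this guide's examples.
# lab-vap is hypothetical and breaks the "management VLAN != service VLAN" rule.
SAMPLE_CONFIG = """\
#
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
url-template name wlan-net
 url http://portal.com:8080/portal
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name lab-vap
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""


def walk(config):
    """Yield (parents, statement); parents are the enclosing view headers by indentation."""
    path = []
    for raw in config.splitlines():
        stmt = raw.strip()
        if not stmt or stmt == "#":  # "#" separates top-level views
            path = []
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del path[depth:]             # leave any deeper view we were in
        yield tuple(path), stmt
        path.append(stmt)


def audit(config):
    """Return a list of (finding, object_name) tuples in order of discovery."""
    findings = []
    mgmt_vlan = None
    vaps = {}  # VAP profile name -> forwarding mode and service VLAN
    for parents, stmt in walk(config):
        top = parents[0] if parents else ""
        if not parents:
            m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", stmt, re.I)
            if m:
                mgmt_vlan = int(m.group(1))
        # undo form of server-verify enable: the SSL client does not verify the server certificate.
        if top.startswith("ssl policy ") and stmt == "undo server-verify enable":
            findings.append(("ssl-no-server-verify", top.split()[2]))
        # The Portal page is pushed over plain HTTP.
        if top.startswith("url-template name ") and stmt.startswith("url http://"):
            findings.append(("portal-url-cleartext", top.split()[2]))
        if len(parents) == 2 and parents[1].startswith("vap-profile name "):
            vap = vaps.setdefault(parents[1].split()[2],
                                  {"mode": "direct-forward", "vlan": None})
            if stmt.startswith("forward-mode "):
                vap["mode"] = stmt.split()[1]
            m = re.fullmatch(r"service-vlan vlan-id (\d+)", stmt)
            if m:
                vap["vlan"] = int(m.group(1))
    # Rule from the configuration notes: in tunnel forwarding mode the
    # management VLAN and the service VLAN cannot be the same.
    for name, vap in vaps.items():
        if vap["mode"] == "tunnel" and vap["vlan"] is not None and vap["vlan"] == mgmt_vlan:
            findings.append(("tunnel-service-vlan-equals-mgmt", name))
    return findings


if __name__ == "__main__":
    for finding, name in audit(SAMPLE_CONFIG):
        print(f"{finding}: {name}")
```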
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-40 Networking diagram for configuring different authentication modes for multiple
SSIDs
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
                            10.23.102.3-10.23.102.254/24
• Name: guest
• Referenced profiles and authentication schemes: Portal access profile
wlan-net, MAC access profile wlan-net, RADIUS server template
wlan-net, authentication scheme wlan-net, accounting scheme wlan-net,
and authentication-free rule template default_free_rule
• Name: guest
• SSID name: guest
• Name: guest
• Security policy: open
• Name: guest
• Forwarding mode: tunnel forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile guest, security profile guest, and
authentication profile guest
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure APs to go online.
3. Configure 802.1x authentication and MAC address-prioritized Portal authentication.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN
101 and VLAN 102, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to provide IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit
Step 4 Configure the AC's default routes with VLANIF 101 and VLANIF 102 on the router as the
next hops.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.2
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
• In this example, the device is connected to the Agile Controller-Campus. Accounting is
configured not for accounting purposes but to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure an 802.1x access profile to manage 802.1x access control parameters.
# Create 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net
# Create security profiles employee and guest, and set the security policies to
WPA-WPA2+802.1X+AES and open, respectively.
[AC] wlan
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] quit
# Create SSID profiles employee and guest, and set the SSID names to employee and guest,
respectively.
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
# Create VAP profiles employee and guest, set the data forwarding mode and service
VLANs, and bind the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-id 101
[AC-wlan-vap-prof-employee] security-profile employee
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile employee
[AC-wlan-vap-prof-employee] quit
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 102
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile guest
[AC-wlan-vap-prof-guest] quit
# Bind the VAP profiles to the AP groups, and apply configurations of VAP profiles employee
and guest to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 1
[AC-wlan-ap-group-ap-group1] quit
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
• A guest can use a STA to find the WLAN with SSID guest. After being associated with
the WLAN, the STA is assigned an IP address. When the STA accesses the Internet
through a browser, the authentication page provided by the Portal server is automatically
displayed. After the correct user name and password are entered on the page, the STA is
authenticated and can access the WLAN. Assume that the MAC address configured on
the Portal server is valid for 60 minutes. When the STA is disconnected from the WLAN
for 5 minutes, the STA can access the Internet directly when reconnecting to the WLAN.
When the STA is disconnected from the WLAN for 65 minutes, it will be redirected to
the Portal authentication page when reconnecting to the WLAN.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name employee
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
authentication-profile name guest
 mac-access-profile wlan-net
 portal-access-profile wlan-net
 free-rule-template default_free_rule
 authentication-scheme wlan-net
 accounting-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
 url http://portal.com:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server wlan-net
 server-ip 10.23.103.1
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
 web-auth-server wlan-net direct
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
 accounting-scheme wlan-net
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
[Figure: networking diagram showing the Internet, Router, AC1, AC2, SwitchB and SwitchC (CSS), Eth-Trunk10, SwitchA, AP, and STA. Management VLAN: VLAN 100]
Data Planning
Item Data
Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
4. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
6. Configure the wireless configuration synchronization function in VRRP HSB scenarios.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs will be able to communicate directly at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA (connected to the AP) to management VLAN 100, and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, which allows VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit
# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit
The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60
# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit
# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
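If the two HSB service definitions do not mirror each other, the HSB channel cannot be established and no service information is backed up before a switchover. The following Python check is an added example, not Huawei code; it compares the AC1 and AC2 commands from this step (prompts removed, wrapped lines joined), and the function names, finding labels, and the faulty AC2 variant are constructed for illustration.

```python
import re

# AC1 and AC2 commands from this step, prompts removed and wrapped lines joined.
AC1_HSB = """\
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
hsb-group 0
 bind-service 0
 track vrrp vrid 1 interface vlanif 100
"""
AC2_HSB = """\
hsb-service 0
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
hsb-group 0
 bind-service 0
 track vrrp vrid 1 interface vlanif 100
"""
# Constructed faulty variant of AC2: peer-ip points at AC2 itself and the
# keepalive interval no longer matches AC1.
AC2_DRIFTED = AC2_HSB.replace("peer-ip 10.23.102.1", "peer-ip 10.23.102.2").replace(
    "interval 6", "interval 3")

PATTERNS = {
    "service": r"hsb-service (\d+)",
    "channel": r"service-ip-port local-ip (\S+) peer-ip (\S+) "
               r"local-data-port (\d+) peer-data-port (\d+)",
    "keepalive": r"service-keep-alive detect retransmit (\d+) interval (\d+)",
    "bind": r"bind-service (\d+)",
    "track": r"track vrrp vrid (\d+) interface (.+)",
}


def parse_hsb(cfg):
    """Extract the HSB-related commands of one AC into {name: tuple of values}."""
    found = {}
    for raw in cfg.splitlines():
        # Drop a CLI prompt such as "[AC1-hsb-service-0] " if one is present.
        line = re.sub(r"^\[[^\]]+\]\s*", "", raw.strip())
        for name, pattern in PATTERNS.items():
            m = re.fullmatch(pattern, line)
            if m:
                found[name] = m.groups()
    return found


def check_hsb_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two ends agree."""
    a, b = parse_hsb(cfg_a), parse_hsb(cfg_b)
    findings = [f"missing-{k}" for k in PATTERNS if k not in a or k not in b]
    if findings:
        return findings
    a_local, a_peer, a_lport, a_pport = a["channel"]
    b_local, b_peer, b_lport, b_pport = b["channel"]
    # Each AC's local address and port must be the other AC's peer address and port.
    if (a_local, a_peer) != (b_peer, b_local) or a_local == a_peer:
        findings.append("ip-not-mirrored")
    if (a_lport, a_pport) != (b_pport, b_lport):
        findings.append("port-not-mirrored")
    # This example sets the same retransmit count and interval on both ACs.
    if a["keepalive"] != b["keepalive"]:
        findings.append("keepalive-differs")
    # The HSB group must be bound to the HSB service that was defined.
    for side in (a, b):
        if side["bind"] != side["service"] and "group-not-bound" not in findings:
            findings.append("group-not-bound")
    # "vlanif 100" (CLI) and "Vlanif100" (configuration file) name the same interface.
    norm = lambda t: (t[0], t[1].lower().replace(" ", ""))
    if norm(a["track"]) != norm(b["track"]):
        findings.append("vrrp-track-differs")
    return findings


if __name__ == "__main__":
    print("AC1 vs AC2:", check_hsb_pair(AC1_HSB, AC2_HSB))
    print("AC1 vs drifted AC2:", check_hsb_pair(AC1_HSB, AC2_DRIFTED))
```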
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
Step 9 Configure the wireless configuration synchronization function in VRRP HSB scenarios.
# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The command output displays cfg-mismatch. Wireless configuration
synchronization must be manually triggered from the master AC to the backup master AC.
Wait until the backup master AC completes automatic restart.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status                           Last synced
----------------------------------------------------------------------------------------------------
10.23.102.2    Backup  AC6605       V200R009C00  cfg-mismatch(config check fail)  -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
3. The WLAN with SSID wlan-net is available for STAs connected to AP, and these STAs
can connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return
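The port isolation required by the Configuration Notes and the VLAN 1 pruning used in the procedure can be checked mechanically against the SwitchA configuration file above. The following Python audit is an added example, not part of the Huawei document; treating a trunk port whose PVID is the management VLAN as AP-facing is an assumption taken from this example's topology, and the function names and finding labels are hypothetical.

```python
import re

# SwitchA configuration file from this example (sub-commands indented by one space).
SWITCHA_CFG = """\
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return
"""

# Constructed variant with two regressions: port isolation removed from the
# AP-facing port, and VLAN 1 left on the Eth-Trunk.
DRIFTED_CFG = (
    SWITCHA_CFG
    .replace(" port-isolate enable group 1\n", "")
    .replace("interface Eth-Trunk10\n port link-type trunk\n undo port trunk allow-pass vlan 1\n",
             "interface Eth-Trunk10\n port link-type trunk\n")
)


def parse_interfaces(cfg):
    """Return {interface name: [sub-commands]} from a VRP configuration file."""
    interfaces, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("#", "return", ""):
            current = None  # a '#' line closes the current section
        elif current is not None:
            current.append(line)
    return interfaces


def expand_vlans(tokens):
    """Expand ['100', 'to', '102', '200'] into {100, 101, 102, 200}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_switch(cfg, mgmt_vlan=100):
    """Return [(interface, finding)] for trunk ports that drift from the example."""
    findings = []
    for name, cmds in parse_interfaces(cfg).items():
        if "port link-type trunk" not in cmds:
            continue  # Eth-Trunk member ports take their VLAN settings from the Eth-Trunk
        allowed, pvid = set(), None
        for cmd in cmds:
            m = re.fullmatch(r"port trunk allow-pass vlan (.+)", cmd)
            if m:
                allowed |= expand_vlans(m.group(1).split())
            m = re.fullmatch(r"port trunk pvid vlan (\d+)", cmd)
            if m:
                pvid = int(m.group(1))
        # A trunk port allows VLAN 1 by default until this undo command is present.
        if "undo port trunk allow-pass vlan 1" not in cmds:
            findings.append((name, "vlan1-not-pruned"))
        if pvid == mgmt_vlan:  # assumption: PVID = management VLAN marks an AP-facing port
            if not any(c.startswith("port-isolate enable") for c in cmds):
                findings.append((name, "ap-port-not-isolated"))
            if mgmt_vlan not in allowed:
                findings.append((name, "mgmt-vlan-not-allowed"))
    return findings


if __name__ == "__main__":
    print("as documented:", audit_switch(SWITCHA_CFG))
    print("drifted:", audit_switch(DRIFTED_CFG))
```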
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability, and load balancing on the active and
standby ACs.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-42 Networking diagram for configuring dual-link HSB in load balancing mode for ACs
Data Planning
Item                                     Data
Active and standby ACs                   AC1 serves as the active AC for AP1 and the standby AC for AP2.
                                         AC2 serves as the active AC for AP2 and the standby AC for AP1.
IP addresses and port numbers for the    IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1       Port number: 10241
IP addresses and port numbers for the    IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2       Port number: 10241
                                         • Name: ap-group2
                                         • Referenced profiles: VAP profile wlan-net, regulatory domain
                                           profile default, and AP system profile ap-system2
                                         • Name: ap-system2
                                         • Active AC: AC2
                                         • Standby AC: AC1
Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure the APs to go online and configure basic WLAN services.
3. Configure dual-link HSB in load balancing mode.
4. Configure HSB on the ACs so that the WLAN and NAC services on the active AC are
backed up to the standby AC in real time and in batches. If the active AC is faulty, the
standby AC takes over services of the active AC, ensuring user service continuity.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that Router function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
Procedure
Step 1 Configure the switches and Router.
# Set the PVID of GE0/0/1 and GE0/0/2 on SwitchA to management VLAN 100, and add the
interfaces to VLAN 100 and VLAN 101. Add GE0/0/3 on SwitchA connected to SwitchB to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 on SwitchB connected to SwitchA to VLAN 100 and VLAN 101. Add
GE0/0/2 (connected to AC1) and GE0/0/3 (connected to AC2) on SwitchB to VLAN 100 and
VLAN 102. Add GE0/0/4 on SwitchB connected to Router to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
# Add GE0/0/1 on Router connected to SwitchB to VLAN 100 and VLAN 101.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1.
# Create a regulatory domain profile, configure the country code for AC1 in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group2] quit
[AC1-wlan-view] quit
# Import AP1 and AP2 offline on AC1, and add AP1 to the AP group ap-group1 and AP2 to
the AP group ap-group2.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on AC1.
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group2] quit
Step 6 Configure dual-link HSB in load balancing mode on AC1 and AC2.
# On AC1, configure AC1 as the active AC for AP1 and the standby AC for AP2, and AC2 as
the active AC for AP2 and the standby AC for AP1.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
# On AC2, configure AC1 as the active AC for AP1 and the standby AC for AP2, and AC2 as
the active AC for AP2 and the standby AC for AP1. The configuration method on AC2 is the
same as that on AC1.
# Restart the APs on AC1 and AC2, and deliver the dual-link HSB configuration to the APs.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC2-wlan-view] quit
# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit
# Run the display ap-system-profile name ap-system1 command on AC1 and the display
ap-system-profile name ap-system2 command on AC2 to view information about the active
and standby ACs.
[AC1] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC1] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.
When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
Active AC AC1
Standby AC AC2
Master AC AC1
Local AC AC2
Configuration Roadmap
1. Configure network interworking of the AC1, AC2, and other network devices. Configure
the Router as a DHCP server to assign IP addresses to APs and STAs.
2. Configure basic WLAN services on AC1 and only private WLAN service parameters on
AC2.
3. Configure AC1 as the active AC and AC2 as the standby AC. Configure dual-link HSB
on the active AC first and then on the standby AC. When dual-link HSB is enabled, all
APs are restarted.
4. Configure wireless configuration synchronization in the dual-link HSB scenarios.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ap-system-profile name wlan-net
[AC1-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-wlan-net] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# On AC2, configure the IP address of the primary AC as the source IP address of AC1, and
the IP address of the backup AC as the source IP address of AC2.
[AC2-wlan-view] ap-system-profile name wlan-net
[AC2-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC2-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC2-wlan-ap-system-prof-wlan-net] quit
[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC2-wlan-ap-group-ap-group1] quit
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2-wlan-view] quit
[AC2] hsb-service 0
# Configure AC2 as a local AC and specify the IP address of the master AC.
[AC2] wlan
[AC2-wlan-view] master-controller ip-address 10.23.100.2 psk H@123456
-----------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status  Last synced
-----------------------------------------------------------------------------------------
10.23.100.2    Master  AC6605       V200R009C00  up      2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1
# When public configurations are modified on the master AC, the public configurations are
automatically synchronized to the local AC. When the AP detects a fault on the link
connected to AC1, it instructs AC2 to take the active role. This ensures service stability.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
master controller
local-controller ip-address 10.23.100.3 psk %^%#/
q6ITBsonPkeDGXiV;!'^htAMm[n"(Z{^ES|5[^.%^%#
#
return
Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item         Data
Active AC    AC1
             Local priority: 0
Standby AC   AC2
             Local priority: 1
Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that the switch function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
Procedure
Step 1 Configure the switch and ACs to enable the ACs to communicate with the APs.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
Step 2 Configure the DHCP function on the switch to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1.
Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can
tell where the APs are deployed from their names. For example, if the AP with MAC
address 60de-4476-e360 is deployed in area 1, name the AP area_1; if the AP with MAC
address 60de-4474-9640 is deployed in area 2, name the AP area_2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.253 AP5030DN nor   0   10S    -
1  60de-4474-9640 area_2 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup and
revertive switchover globally, and restart all APs to make the dual-link backup function take
effect.
NOTE
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
Active AC AC1
Local priority: 0
Standby AC AC2
Local priority: 1
IP addresses and port numbers for the active IP address: VLANIF 102, 10.23.102.1/24
and standby channels of AC1 Port number: 10241
IP addresses and port numbers for the active IP address: VLANIF 102, 10.23.102.2/24
and standby channels of AC2 Port number: 10241
Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise network.
3. Configure global dual-link backup on the ACs.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that Router function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
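The rules in the Configuration Notes (port isolation on AP-facing ports in direct forwarding, different management and service VLANs in tunnel forwarding) and the exclusion of the AC addresses from the DHCP range used in these examples can be checked against saved configuration files. The following Python audit is an added example, not Huawei code; the function names are hypothetical, the sample configurations are constructed, and treating a port whose PVID is the management VLAN as AP-facing is an assumption taken from how these examples configure the ports.

```python
import ipaddress
import re

def blocks(cfg):
    """Split a VRP-style saved configuration into blocks separated by '#' lines."""
    out, cur = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append(cur)
    return out

def audit_switch(cfg, mgmt_vlan, forward_mode):
    """Direct forwarding: every AP-facing port needs 'port-isolate enable'.

    Assumption: a port is AP-facing when its PVID is the management VLAN,
    as on the ports that connect to APs in this page's examples.
    """
    if forward_mode != "direct-forward":
        return []
    findings = []
    for blk in blocks(cfg):
        if not blk[0].startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in blk
        isolated = any(l.startswith("port-isolate enable") for l in blk)
        if ap_facing and not isolated:
            findings.append(f"{blk[0].split()[1]}: no port isolation")
    return findings

def audit_ac(cfg):
    """Tunnel forwarding: the service VLAN must differ from the management VLAN."""
    # The management VLAN is read from 'capwap source interface vlanifN'.
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", cfg, re.M | re.I)
    if not m:
        return ["no CAPWAP source VLANIF found; management VLAN unknown"]
    mgmt_vlan = int(m.group(1))
    profiles, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("vap-profile name "):
            name = line.split()[-1]
            profiles[name] = {}
        elif re.match(r"(\S+-profile name |ap-group name |ap-id |#$)", line):
            name = None  # left the VAP profile view
        elif name and line.startswith("forward-mode "):
            profiles[name]["mode"] = line.split()[1]
        elif name and line.startswith("service-vlan vlan-id "):
            profiles[name]["vlan"] = int(line.split()[-1])
    return [f"vap-profile {n}: service VLAN {p['vlan']} equals management VLAN"
            for n, p in profiles.items()
            if p.get("mode") == "tunnel" and p.get("vlan") == mgmt_vlan]

def unprotected_ac_addresses(cfg, ac_addrs):
    """Return the AC addresses that no excluded-ip-address entry covers."""
    ranges = []
    for m in re.finditer(r"excluded-ip-address (\S+)(?: (\S+))?", cfg):
        lo = ipaddress.ip_address(m.group(1))
        hi = ipaddress.ip_address(m.group(2) or m.group(1))
        ranges.append((lo, hi))
    return [a for a in ac_addrs
            if not any(lo <= ipaddress.ip_address(a) <= hi for lo, hi in ranges)]

# Constructed sample inputs, modelled on the configuration files on this page.
SWITCH_CFG = """#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port trunk pvid vlan 100
#
interface Vlanif100
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.2
#
return
"""

AC_CFG = """#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
 ap-group name ap-group1
#
return
"""

if __name__ == "__main__":
    for finding in audit_switch(SWITCH_CFG, 100, "direct-forward") + audit_ac(AC_CFG):
        print(finding)
    print(unprotected_ac_addresses(SWITCH_CFG, ["10.23.100.2", "10.23.100.3"]))
```

The DHCP check compares against every excluded-ip-address entry in the file, whether it is written as a single address or as a start and end address, and does not distinguish between address pools.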
Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit
Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link backup.
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] quit
# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key : -
----------------------------------------------------------
The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.
When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable protect-ac 10.23.100.3 priority 0
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable protect-ac 10.23.100.2 priority 1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
[Figure: networking diagram. Devices: Internet, Router, AC1, AC2, SwitchB and SwitchC (CSS), SwitchA, AP. Labelled links: GE0/0/2 (VLAN 102); GE0/0/1 (VLAN 100-101); GE1/1/0/1 and GE2/1/0/1 (VLAN 100-101); GE1/1/0/2 and GE2/1/0/2 (VLAN 100-101); Eth-Trunk10 with GE0/0/2 and GE0/0/3 (VLAN 100-101); GE0/0/1 of SwitchA (VLAN 100-101).]
Data Planning
Item Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
NOTE
Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
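An added example (not part of the Huawei guide): a Python check that applies two of the configuration notes above to saved configuration files. In tunnel forwarding mode the service VLAN must differ from the management VLAN, and with direct forwarding the AP-facing switch ports need port isolation. The sample configurations are constructed from this example's values; the one-space-per-level indentation, the direct-forwarding default when no forward-mode line is present, and all function names are assumptions.

```python
import re

# Constructed samples using this example's values. Real VRP files indent one
# space per nesting level, which the parser relies on (assumption).
AC_CFG = """\
#
sysname AC1
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
SWITCH_CFG = """\
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
"""

def parse_config(cfg):
    """Split a configuration file into {top-level line: [(indent, text), ...]}."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        text = raw.strip()
        if not text or text == "#":
            current = None                      # '#' separates sections
        elif not raw.startswith(" "):
            current = text
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((len(raw) - len(raw.lstrip()), text))
    return sections

def management_vlan(sections):
    """VLAN of the CAPWAP source interface, or None if the source is an IP address."""
    for header in sections:
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", header, re.I)
        if m:
            return int(m.group(1))
    return None

def vap_profiles(wlan_lines):
    """Collect forwarding mode and service VLAN for each VAP profile in the wlan view."""
    profiles, current = {}, None
    for indent, text in wlan_lines:
        if indent == 1:                         # a new wlan-view object starts
            m = re.fullmatch(r"vap-profile name (\S+)", text)
            current = m.group(1) if m else None
            if current:
                # Assumption: no forward-mode line means direct forwarding.
                profiles[current] = {"mode": "direct-forward", "vlan": None}
        elif current:
            if text.startswith("forward-mode "):
                profiles[current]["mode"] = text.split()[1]
            m = re.fullmatch(r"service-vlan vlan-id (\d+)", text)
            if m:
                profiles[current]["vlan"] = int(m.group(1))
    return profiles

def audit(ac_cfg, switch_cfg, ap_ports):
    """Return findings for the two configuration notes; ap_ports are AP-facing ports."""
    ac, sw = parse_config(ac_cfg), parse_config(switch_cfg)
    mgmt = management_vlan(ac)
    profiles = vap_profiles(ac.get("wlan", []))
    findings = []
    for name, prof in profiles.items():
        if prof["mode"] == "tunnel" and mgmt is not None and prof["vlan"] == mgmt:
            findings.append(f"{name}: tunnel forwarding with service VLAN {mgmt} "
                            "equal to the management VLAN")
    if any(p["mode"] == "direct-forward" for p in profiles.values()):
        for port in ap_ports:
            lines = [text for _, text in sw.get(f"interface {port}", [])]
            if not any(t.startswith("port-isolate enable") for t in lines):
                findings.append(f"{port}: direct forwarding in use but "
                                "port isolation is not enabled")
    return findings

if __name__ == "__main__":
    direct = AC_CFG.replace("  forward-mode tunnel\n", "")
    for cfg in (AC_CFG, AC_CFG.replace("vlan-id 101", "vlan-id 100"), direct):
        print(audit(cfg, SWITCH_CFG, ["GigabitEthernet0/0/1"]))
```

When the CAPWAP source is given as an IP address rather than a VLANIF interface, the management VLAN is not resolved and the tunnel-mode check is skipped.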
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs can communicate directly at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit
# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit
The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60
# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit
# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1.
An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The command output displays that the State field of AC1 is Master and that of AC2 is
Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The command output displays that the Service State field is Connected, indicating that the
HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key : -
----------------------------------------------------------
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R009C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
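An added example (not part of the Huawei guide): a Python check that parses the display vrrp and display hsb-service output captured from both ACs and reports role conflicts, an HSB channel that is not mirrored or not Connected, and the unauthenticated settings visible in the output (Auth type NONE, Shared-key -). The samples are constructed from the output above; the AC2 VRRP values, the reading of "-" as no key configured, and all function names are assumptions.

```python
import re

def hsb_sample(local, peer, state="Connected", key="-"):
    """Constructed 'display hsb-service 0' output, laid out as in the text above."""
    return (
        "Hot Standby Service Information:\n"
        "----------------------------------------------------------\n"
        f"Local IP Address : {local}\n"
        f"Peer IP Address : {peer}\n"
        "Source Port : 10241\n"
        "Destination Port : 10241\n"
        "Keep Alive Times : 2\n"
        "Keep Alive Interval : 1\n"
        f"Service State : {state}\n"
        "Service Batch Modules :\n"
        f"Shared-key : {key}\n"
    )

def vrrp_sample(state, priority):
    """Constructed 'display vrrp' excerpt for the management VRRP group."""
    return (
        "Vlanif100 | Virtual Router 1\n"
        f"State : {state}\n"
        "Virtual IP : 10.23.100.3\n"
        "Master IP : 10.23.100.1\n"
        f"PriorityRun : {priority}\n"
        "Preempt : YES Delay Time : 1800 s\n"
        "Auth type : NONE\n"
    )

def parse_fields(text):
    """Map 'Name : value' lines of display output to a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon that has whitespace before it, so that
        # timestamps (01:25:55) and title lines ("Information:") are not split.
        parts = re.split(r"\s+:(?:\s+|$)", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0]:
            fields[parts[0]] = parts[1].strip()
    return fields

def check_vrrp_pair(a_text, b_text):
    """Findings for the VRRP group as reported by the two ACs."""
    a, b = parse_fields(a_text), parse_fields(b_text)
    findings = []
    if {a.get("State"), b.get("State")} != {"Master", "Backup"}:
        findings.append("vrrp: expected one Master and one Backup, "
                        f"got {a.get('State')} and {b.get('State')}")
    if a.get("Virtual IP") != b.get("Virtual IP"):
        findings.append("vrrp: virtual IP differs between the two ACs")
    if "NONE" in (a.get("Auth type"), b.get("Auth type")):
        findings.append("vrrp: advertisements are not authenticated (Auth type NONE)")
    return findings

def check_hsb_pair(a_text, b_text):
    """Findings for the HSB channel as reported by the two ACs."""
    a, b = parse_fields(a_text), parse_fields(b_text)
    findings = []
    for name, side in (("A", a), ("B", b)):
        if side.get("Service State") != "Connected":
            findings.append(f"hsb: side {name} state is {side.get('Service State')!r}")
    if (a.get("Local IP Address"), a.get("Peer IP Address")) != \
            (b.get("Peer IP Address"), b.get("Local IP Address")):
        findings.append("hsb: local/peer addresses are not mirrored")
    if (a.get("Source Port"), a.get("Destination Port")) != \
            (b.get("Destination Port"), b.get("Source Port")):
        findings.append("hsb: data ports are not mirrored")
    for key in ("Keep Alive Times", "Keep Alive Interval"):
        if a.get(key) != b.get(key):
            findings.append(f"hsb: {key} differs between the two ACs")
    # Assumption: '-' in the Shared-key field means no key is configured.
    if "-" in (a.get("Shared-key"), b.get("Shared-key")):
        findings.append("hsb: no shared key on the backup channel")
    return findings

if __name__ == "__main__":
    results = check_vrrp_pair(vrrp_sample("Master", 120), vrrp_sample("Backup", 100))
    results += check_hsb_pair(hsb_sample("10.23.102.1", "10.23.102.2"),
                              hsb_sample("10.23.102.2", "10.23.102.1"))
    for finding in results:
        print(finding)
```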
The WLAN with SSID wlan-net is available for STAs connected to AP, and these STAs can
connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!
GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!
GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services require low
network reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to save costs. In this scenario, the enterprise can deploy a high performance
AC at the headquarters as a standby AC to provide backup services for active ACs in the
branches.
Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
Data Planning
Item Data
AC_2:
• Name: wlan-net1
• SSID name: wlan-net1
AC_3:
• Name: wlan-net
• SSID name: wlan-net
• Name: wlan-net1
• SSID name: wlan-net1

AC_2:
• Name: wlan-net1
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
AC_3:
• Name: wlan-net
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile wlan-net and security profile wlan-net
• Name: wlan-net1
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the PVID of GE0/0/1 is VLAN
99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the PVID of GE0/0/1 is
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit
# On AC_2, create VLAN 102, and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure reachable routes between AP_1 and AC_3, and between AP_2 and AC_3.
Perform the configurations according to networking requirements. The configuration
procedure is not provided here.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2
# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2
# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.
NOTE
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
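The pool-separation rule in the NOTE above can be checked mechanically before the APs are restarted. The following Python sketch is an added example, not part of the Huawei guide: it parses `ip pool` stanzas in the saved-configuration form used for Router_3 and reports any AP pool whose Option 43 list differs from the planned active/standby pair. The `EXPECTED` mapping, the function names and the sample text are assumptions of this sketch, and the sub-option bytes are built as a plain type/length/value field, which is an assumption about the wire encoding.

```python
import ipaddress
import re

# Planned AC addresses per AP pool (active AC, then standby AC_3), taken from
# this example's data plan. The mapping itself is an assumption of the sketch.
EXPECTED = {
    "ap_1_pool": ["10.23.201.1", "10.23.203.1"],
    "ap_2_pool": ["10.23.202.1", "10.23.203.1"],
}

# Constructed sample that mirrors the Router_3 pools shown on this page.
GOOD_CONFIG = """\
ip pool ap_1_pool
 gateway-list 10.23.99.1
 network 10.23.99.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
"""

# Constructed faulty variant: ap_2_pool also advertises AC_1, so AP_2 could
# discover an AC that is not its active or standby AC.
BAD_CONFIG = GOOD_CONFIG.replace(
    "ip-address 10.23.202.1 10.23.203.1",
    "ip-address 10.23.201.1 10.23.202.1 10.23.203.1")

POOL_RE = re.compile(r"^ip pool (\S+)\s*$")
NET_RE = re.compile(r"^\s*network (\S+) mask (\S+)")
OPT43_RE = re.compile(r"^\s*option 43 sub-option 2 ip-address (.+)$")


def parse_pools(text):
    """Return {pool name: {"network": IPv4Network or None, "acs": [str]}}."""
    pools, current = {}, None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            current = pools.setdefault(m.group(1), {"network": None, "acs": []})
            continue
        if line.strip() == "#":
            current = None          # "#" closes a stanza in saved configs
        if current is None:
            continue
        m = NET_RE.match(line)
        if m:                       # accepts "mask 24" and dotted masks
            current["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = OPT43_RE.match(line)
        if m:
            current["acs"] = [str(ipaddress.ip_address(a)) for a in m.group(1).split()]
    return pools


def encode_suboption2(acs):
    """Assumed encoding: type 0x02, one length byte, then 4 bytes per AC."""
    value = b"".join(ipaddress.ip_address(a).packed for a in acs)
    return bytes([2, len(value)]) + value


def audit(text, expected=EXPECTED):
    """Return sorted findings; an empty list means the plan holds."""
    pools = parse_pools(text)
    findings = []
    for name, want in expected.items():
        pool = pools.get(name)
        if pool is None:
            findings.append(f"{name}: pool missing")
            continue
        extra = [a for a in pool["acs"] if a not in want]
        missing = [a for a in want if a not in pool["acs"]]
        if extra:
            findings.append(f"{name}: advertises unplanned AC {', '.join(extra)}")
        if missing:
            findings.append(f"{name}: does not advertise {', '.join(missing)}")
    # AP pools on overlapping subnets would amount to a shared pool.
    ap = [(n, pools[n]["network"]) for n in expected if n in pools]
    for i, (n1, net1) in enumerate(ap):
        for n2, net2 in ap[i + 1:]:
            if net1 and net2 and net1.overlaps(net2):
                findings.append(f"{n1} and {n2}: overlapping networks")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "OK")
    print(encode_suboption2(EXPECTED["ap_1_pool"]).hex())
```

Compare the hex string with the Option 43 payload in a DHCP offer captured on the AP VLAN to confirm what the server actually sends.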
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-net to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create security profile wlan-net1 and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-net1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
# Run the display ap all command on the AC to check the AP running status. The
command output shows that both area_1 and area_2 are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault          [2]
Extra information:
P  : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 -  -    fault 0   -      -
1    60de-4474-9640 area_2 ap-group2 -  -    fault 0   -      -
----------------------------------------------------------------------------------------
Total: 2
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit
# Create AP system profile ap-system1 and configure the IP address of the standby AC.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
ensures accelerated service recovery.
----End
Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return
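The port-isolation requirement from the Configuration Notes can be verified against saved switch configurations such as the Switch_1 file above. The following Python sketch is an added example, not part of the Huawei guide: it treats a trunk whose PVID is the management VLAN as AP-facing (an assumption that matches Switch_1 here), then reports AP-facing ports without `port-isolate enable` and ports that pass VLANs beyond the management and service VLANs this example gives to APs. The function names and the second and third interfaces in the sample are constructed.

```python
# Constructed sample in the saved-configuration form used on this page.
# GigabitEthernet0/0/1 follows the Switch_1 file; 0/0/2 is a constructed
# AP-facing port that lacks isolation and passes extra VLANs; 0/0/3 is an
# uplink without a PVID, so it is not treated as AP-facing.
SAMPLE = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 99
 port trunk allow-pass vlan 99 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 99
 port trunk allow-pass vlan 99 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 99 101
#
return
"""


def expand_vlans(tokens):
    """Expand ['99', 'to', '102', '200'] into {99, 100, 101, 102, 200}."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(text):
    """Return {name: {"pvid": int or None, "allowed": set, "isolated": bool}}."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ports.setdefault(
                line.split()[1],
                {"pvid": None, "allowed": set(), "isolated": False})
        elif line in ("#", "return"):
            cur = None              # end of the current stanza
        elif cur is not None:
            if line.startswith("port trunk pvid vlan "):
                cur["pvid"] = int(line.split()[-1])
            elif line.startswith("port trunk allow-pass vlan "):
                cur["allowed"] |= expand_vlans(line.split()[4:])
            elif line.startswith("port-isolate enable"):
                cur["isolated"] = True
    return ports


def audit_ap_ports(text, mgmt_vlan, service_vlans):
    """Return (interface, finding) pairs for AP-facing trunks."""
    planned = {mgmt_vlan} | set(service_vlans)
    findings = []
    for name, port in parse_interfaces(text).items():
        if port["pvid"] != mgmt_vlan:
            continue                # not AP-facing under this sketch's heuristic
        if not port["isolated"]:
            findings.append((name, "port-isolate enable missing"))
        extra = sorted(port["allowed"] - planned)
        if extra:
            findings.append(
                (name, "unplanned VLANs allowed: " + " ".join(map(str, extra))))
    return findings


if __name__ == "__main__":
    # Management VLAN 99 and service VLAN 101, as planned for Switch_1.
    for iface, finding in audit_ap_ports(SAMPLE, 99, [101]):
        print(f"{iface}: {finding}")
```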
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source interface vlanif202
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-group name ap-group2
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 101 to 102 203
#
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
return
• Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
return
4.8.8 Example for Configuring N+1 Backup (APs and ACs in the same network segment)
Service Requirements
In public places where a large number of users are spread over a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access services. These
are value-added services with low network reliability requirements that tolerate temporary
service interruption. To save costs, a single AC is required to back up all the other ACs.
To meet this requirement, build an N+1 backup wireless LAN, which provides reliable services
and reduces device purchase costs. ACs of different models can work in N+1 backup mode, but
the ACs must run the same version.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
AC_2:
• Name: wlan-net1
• SSID name: wlan-net1
AC_3:
• Names: wlan-net and wlan-net1
• SSID names: wlan-net and wlan-net1
AC_2:
• Name: wlan-net1
• Security policy: WPA-WPA2+PSK+AES
• Password: a1234567
AC_3:
• Name: wlan-net
  – Security policy: WPA-WPA2+PSK+AES
  – Password: a1234567
• Name: wlan-net1
  – Security policy: WPA-WPA2+PSK+AES
  – Password: a1234567
AC_1:
• Name: wlan-net1
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
AC_3:
• Name: wlan-net
  – Forwarding mode: direct forwarding
  – Service VLAN: VLAN 101
  – Referenced profiles: SSID profile wlan-net and security profile wlan-net
• Name: wlan-net1
  – Forwarding mode: direct forwarding
  – Service VLAN: VLAN 102
  – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the switches and ACs to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit
# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
# On AC_1, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_1-Vlanif100] quit
# On AC_2, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC_2-Vlanif100] quit
# On AC_3, add GE0/0/1 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-Vlanif100] ip address 10.23.100.4 255.255.255.0
[AC_3-Vlanif100] quit
Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
---------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
---------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create AP system profile ap-system and configure the AP's individual priority.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] priority 3
Warning: This action will take effect after resetting AP.
[AC_1-wlan-ap-system-prof-ap-system] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create security profile wlan-net1 and set the security policy in the profile.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state.
The command output shows that both APs are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------
----------------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
------------------------------------------------------------------------------
----------------------
0 60de-4476-e360 area_1 ap-group1 - AP5030DN fault 0
- -
1 60de-4474-9640 area_2 ap-group2 - AP5030DN fault 0
- -
------------------------------------------------------------------------------
----------------------
Total: 2
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.100.2
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit
# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 6 protect-ac 10.23.100.4
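The tie-break order in the NOTE above, written out as an added example (not part of the original document; the class and function names are hypothetical). The AC addresses and priorities are taken from the commands and display output in this example on the assumption that they are the values an AP compares; the AP and STA counts are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class ACCandidate:
    """One AC as seen during active/standby selection (hypothetical type)."""
    name: str
    ip: str
    priority: int    # smaller value = higher priority
    ap_count: int    # APs currently connected to this AC
    sta_count: int   # STAs currently connected to this AC


# Rule names in the order the NOTE applies them.
RULES = ("priority", "ap_count", "sta_count", "ip")


def election_key(ac):
    """Sort key in the NOTE's order; the smallest key wins.

    AP and STA counts are negated because more is better. The IP address is
    compared as a number: 10.23.100.9 is smaller than 10.23.100.10, which a
    plain string comparison would get wrong.
    """
    return (ac.priority, -ac.ap_count, -ac.sta_count, int(IPv4Address(ac.ip)))


def elect_active(candidates):
    """Return (active, standbys) for a non-empty list of candidates."""
    if not candidates:
        raise ValueError("no AC candidates")
    ranked = sorted(candidates, key=election_key)
    return ranked[0], ranked[1:]


def deciding_rule(a, b):
    """Name the first rule that separates two candidates, or None for a full tie."""
    for rule, key_a, key_b in zip(RULES, election_key(a), election_key(b)):
        if key_a != key_b:
            return rule
    return None


if __name__ == "__main__":
    # Addresses and priorities from this example; AP/STA counts are constructed.
    ac_1 = ACCandidate("AC_1", "10.23.100.2", 3, 1, 0)
    ac_3 = ACCandidate("AC_3", "10.23.100.4", 5, 0, 0)
    active, standbys = elect_active([ac_3, ac_1])
    print(active.name, "is active, decided by", deciding_rule(ac_1, ac_3))
```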
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# Run the display ac protect and display ap-system-profile commands on AC_1 to check
N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_2 to check
N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.2
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.3
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.
----End
Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
4.8.9 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in Different Network Segments)
Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
requirements on network reliability and tolerate temporary service interruption. To save
costs, one AC is required to serve as the backup for all ACs. In this scenario, the enterprise
can deploy a high-performance AC at the headquarters as a standby AC to provide backup
services for active ACs at the branches. To further improve reliability of ACs, VRRP HSB
can be configured for each AC.
Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-49 Networking for configuring N+1 backup and VRRP HSB
[Figure not reproduced. Labels in the figure: enterprise headquarters with AC_3, AC_3b and Router_3 (VLANIF200: 10.23.200.1/24); Internet; enterprise branch 1 with AC_1, AC_1b, Router_1, Switch_1, AP_1 and STA_1; enterprise branch 2 with AC_2, AC_2b, Router_2, Switch_2, AP_2 and STA_2; legend: VRRP.]
Data Planning
Item: Active and standby ACs in N+1 backup mode
Data:
• The VRRP group consisting of AC_1 and AC_1b functions as an active AC in N+1 backup mode.
• The VRRP group consisting of AC_2 and AC_2b functions as an active AC in N+1 backup mode.
• The VRRP group consisting of AC_3 and AC_3b functions as the standby AC in N+1 backup mode.
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure a VRRP group on AC_1 and AC_1b, on AC_2 and AC_2b, as well as on
AC_3 and AC_3b, respectively.
3. Configure the VRRP group consisting of AC_1 and AC_1b as the active AC of AP_1
and the VRRP group consisting of AC_2 and AC_2b as the active AC of AP_2, and
configure basic WLAN services on the active ACs.
4. Configure AC_3 and AC_3b as the standby ACs of AP_1 and AP_2, and configure basic
WLAN services on the standby ACs. Ensure that service configurations on the standby ACs
are the same as those on the active ACs.
5. Configure N+1 backup on the active ACs first and then on the standby ACs. When N+1
backup is enabled, all APs are restarted.
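Roadmap item 4 requires the standby AC's service configuration to match that of the active ACs. The check below is an added example (not part of the original document; function names are hypothetical): it compares the VAP settings of two AC CLI sessions after resolving the SSID profile and security profile references. The AC_1 and AC_3 lines are copied from the procedure of this example.

```python
import re

# Matches commands entered inside a VAP, security or SSID profile view,
# for example "[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101".
PROMPT_RE = re.compile(
    r"^\[(?P<dev>[^\]\-]+)-wlan-(?P<kind>vap|sec|ssid)-prof-(?P<name>[^\]]+)\]"
    r"\s+(?P<cmd>\S.*)$"
)

# Copied from the AC_1 session in this example.
ACTIVE_AC_1 = """\
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
"""

# Copied from the AC_3 session in this example. The session as shown does not
# define security profile wlan-net, so the audit reports it as unresolved.
STANDBY_AC_3 = """\
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
"""


def parse_profiles(transcript):
    """Return {kind: {profile_name: {keyword: arguments}}} for one AC session."""
    profiles = {"vap": {}, "sec": {}, "ssid": {}}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or m["cmd"] == "quit":
            continue
        keyword, _, args = m["cmd"].partition(" ")
        profiles[m["kind"]].setdefault(m["name"], {})[keyword] = args.strip()
    return profiles


def resolve_vaps(profiles):
    """Replace profile references by the settings they point to.

    A reference to a profile that the session never defines resolves to None.
    """
    resolved = {}
    for name, vap in profiles["vap"].items():
        sec = profiles["sec"].get(vap.get("security-profile"), {})
        ssid = profiles["ssid"].get(vap.get("ssid-profile"), {})
        resolved[name] = {
            "forward-mode": vap.get("forward-mode"),
            "service-vlan": vap.get("service-vlan"),
            "ssid": ssid.get("ssid"),
            "security": sec.get("security"),
        }
    return resolved


def drift(active, standby):
    """List (vap, field, active_value, standby_value) for every mismatch.

    Only VAP profiles present on the active AC are checked.
    """
    act = resolve_vaps(parse_profiles(active))
    stb = resolve_vaps(parse_profiles(standby))
    findings = []
    for vap, settings in sorted(act.items()):
        if vap not in stb:
            findings.append((vap, "vap-profile", "present", "missing"))
            continue
        for field, value in settings.items():
            if stb[vap][field] != value:
                findings.append((vap, field, value, stb[vap][field]))
    return findings


if __name__ == "__main__":
    for finding in drift(ACTIVE_AC_1, STANDBY_AC_3):
        print(finding)
```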
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and add Eth2/0/1 and Eth2/0/2 connected to AC_1
and AC_1b respectively to VLAN 201. Configure the IP address 10.23.99.1/24 for VLANIF
99, 10.23.101.1/24 for VLANIF 101 and 10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface ethernet 2/0/2
[Router_1-Ethernet2/0/2] port link-type trunk
[Router_1-Ethernet2/0/2] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/2] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and add Eth2/0/1 and Eth2/0/2 connected to AC_2
and AC_2b respectively to VLAN 202. Configure the IP address 10.23.100.1/24 for VLANIF
100, 10.23.102.1/24 for VLANIF 102 and 10.23.202.2/24 for VLANIF 202. See Router_1 for
the detailed configuration procedure.
# On Router_3, create VLAN 200 and VLAN 203. Add Eth2/0/0 connected to the Network to
VLAN 200, and add Eth2/0/1 and Eth2/0/2 connected to AC_3 and AC_3b respectively to
VLAN 203. Configure the IP address 10.23.200.1/24 for VLANIF 200 and the IP
address 10.23.203.2/24 for VLANIF 203. See Router_1 for the detailed configuration
procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and set the PVID of GE0/0/1 to
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.3/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.3 255.255.255.0
[AC_1-Vlanif201] quit
# Configure AC_1b in the same way as AC_1. The difference is that IP address
10.23.201.4/24 needs to be configured for VLANIF 201 on AC_1b.
# On AC_2, create VLAN 102 and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.3/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# Configure AC_2b in the same way as AC_2. The difference is that IP address
10.23.202.4/24 needs to be configured for VLANIF 202 on AC_2b.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.3/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure AC_3b in the same way as AC_3. The difference is that IP address
10.23.203.4/24 needs to be configured for VLANIF 203 on AC_3b.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2
# Configure AC_1b, AC_2, AC_2b, AC_3, and AC_3b in the same way. The difference lies
in the IP address of VLANIF 111.
• VLANIF 111 on AC_1b: 10.23.111.2/24
# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.
NOTE
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which will cause APs to connect to an incorrect AC based on the AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
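The pool separation required by the NOTE above can be checked mechanically. The following is an added example (not part of the original document; function names are hypothetical): it parses the Router_3 pool commands, flags any pool that advertises another branch's AC, and decodes the Option 43 payload of a captured DHCP offer for comparison. The byte layout (sub-option code 2, one length byte, then 4 bytes per address) is an assumption based on the RFC 2132 encapsulated sub-option format.

```python
import re
from ipaddress import IPv4Address

# Copied from the Router_3 session above, with the wrapped option 43 lines joined.
ROUTER_3_SESSION = """\
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
"""

# Intended design from the text: each AP pool advertises the address of its own
# active AC plus the address of the shared standby AC.
OWN_ACTIVE = {"ap_1_pool": "10.23.201.1", "ap_2_pool": "10.23.202.1"}
SHARED_STANDBY = "10.23.203.1"

OPTION_RE = re.compile(
    r"^\[[^\]]*-ip-pool-(?P<pool>[^\]]+)\]\s+"
    r"option 43 sub-option 2 ip-address\s+(?P<ips>.+)$"
)


def parse_pools(transcript):
    """Return {pool_name: [AC addresses advertised in Option 43]}."""
    pools = {}
    for line in transcript.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            pools[m["pool"]] = [str(IPv4Address(t)) for t in m["ips"].split()]
    return pools


def foreign_acs(pools, own_active, shared_standby):
    """Return (pool, address) pairs that are neither the pool's own active AC
    nor the shared standby AC, i.e. the situation the NOTE warns about."""
    findings = []
    for pool, ips in pools.items():
        allowed = {own_active.get(pool), shared_standby}
        findings += [(pool, ip) for ip in ips if ip not in allowed]
    return findings


def encode_option43(ips):
    """Build the assumed payload: code 2, length, then packed IPv4 addresses."""
    value = b"".join(IPv4Address(ip).packed for ip in ips)
    if len(value) > 255:
        raise ValueError("too many addresses for one sub-option")
    return bytes([2, len(value)]) + value


def decode_option43(payload):
    """Extract AC addresses from sub-option 2; other sub-options are skipped."""
    acs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == 2:
            if length % 4:
                raise ValueError("sub-option 2 length is not a multiple of 4")
            acs += [str(IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return acs


def unexpected_in_offer(payload, intended):
    """Addresses present in a captured offer but absent from the intended list."""
    return sorted(set(decode_option43(payload)) - set(intended))


if __name__ == "__main__":
    pools = parse_pools(ROUTER_3_SESSION)
    print(foreign_acs(pools, OWN_ACTIVE, SHARED_STANDBY))
    print(encode_option43(pools["ap_1_pool"]).hex())
```

Comparing the decoded payload of an offer seen on the AP management VLAN with the intended list shows whether a DHCP server is handing APs a controller address that the design does not include.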
[AC_3b-hsb-group-0] bind-service 0
[AC_3b-hsb-group-0] track vrrp vrid 1 interface vlanif 203
[AC_3b-hsb-group-0] quit
[AC_3b] hsb-service-type access-user hsb-group 0
[AC_3b] hsb-service-type ap hsb-group 0
[AC_3b] hsb-service-type dhcp hsb-group 0
[AC_3b] hsb-group 0
[AC_3b-hsb-group-0] hsb enable
[AC_3b-hsb-group-0] quit
# Use virtual IP addresses of VRRP groups to configure static routes based on actual network
conditions. The configuration procedure is not provided here.
• Enable AP_1 to communicate with the VRRP group consisting of AC_3 and AC_3b.
• Enable AP_2 to communicate with the VRRP group consisting of AC_3 and AC_3b.
Step 5 Configure basic WLAN services on AC_1. Configure basic WLAN services on AC_2 in a
similar way. The difference is that when an AP is in normal state on AC_1, it is in standby
state on AC_2.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurati
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------
--------------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
------------------------------------------------------------------------------
--------------------
0 60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor 0
10S -
------------------------------------------------------------------------------
--------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create AP system profile ap-system and specify the IP address of the backup AC.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_1-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_1-wlan-ap-system-prof-ap-system] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit
Step 6 Configure basic WLAN services on AC_2. Configure basic WLAN services on AC_2b in the
same way.
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with the MAC address of 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurati
ons of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create security profile wlan-net1 and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit
# Create AP system profile ap-system1 and specify the IP address of the backup AC.
[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_2-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_2-wlan-ap-system-prof-ap-system1] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
Step 7 Configure basic WLAN services on AC_3. Configure basic WLAN services on AC_3b in the
same way.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit
# Run the display ap all command on the AC to check the AP running status. The
command output shows that both area_1 and area_2 are in the fault state.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_3-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system] quit
# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_3-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system1] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit
Step 8 Enable N+1 backup on AC_1, AC_2, and AC_3. Enable N+1 backup on AC_1b, AC_2b, and
AC_3b in the same way.
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
Protect AC IP address : -
Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_2 to check
N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.
----End
Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vrrp recover-delay 60
#
vlan batch 101 111 201
#
interface Vlanif111
ip address 10.23.111.1 255.255.255.0
#
interface Vlanif201
ip address 10.23.201.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.201.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source ip-address 10.23.201.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.1 peer-ip 10.23.111.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vrrp recover-delay 60
#
vlan batch 102 111 202
#
interface Vlanif111
ip address 10.23.111.3 255.255.255.0
#
interface Vlanif202
ip address 10.23.202.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.202.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source ip-address 10.23.202.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.3 peer-ip 10.23.111.4 local-data-port
hsb-service 0
service-ip-port local-ip 10.23.111.5 peer-ip 10.23.111.6 local-data-port
10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^
\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/
mLXEK%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3b configuration file
#
sysname AC_3b
#
vrrp recover-delay 60
#
vlan batch 101 to 102 111 203
#
interface Vlanif111
ip address 10.23.111.6 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.203.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
capwap source ip-address 10.23.203.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.6 peer-ip 10.23.111.5 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif203
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^
\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/
mLXEK%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 202
#
return
Networking Requirement
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
• Name: ap-group2
• Referenced profiles: VAP profile wlan-net2, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
• Name: wlan-net2
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
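The port isolation and tunnel forwarding VLAN notes above can be checked against saved configuration files. The following Python script is an added example, not part of the original Huawei document. It assumes that AP-facing ports are the trunk ports whose PVID is the management VLAN, and that a VAP profile without a forward-mode line uses direct forwarding; the profile name wlan-guest and both sample configurations are constructed.

```python
import re

# Constructed sample: SwitchA from this example with port isolation
# deliberately left off GigabitEthernet0/0/3.
SWITCH_CFG = """
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 102
#
return
"""

# Constructed sample: wlan-guest (hypothetical profile) tunnels traffic in
# the management VLAN, which the configuration notes forbid.
AC_CFG = """
#
wlan
 vap-profile name wlan-net1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
 vap-profile name wlan-guest
  forward-mode tunnel
  service-vlan vlan-id 10
 vap-profile name wlan-net2
  service-vlan vlan-id 10
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net1 wlan 1
#
return
"""


def split_sections(config_text):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    sections, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_ap_ports(switch_cfg, mgmt_vlan):
    """Return AP-facing interfaces (PVID == management VLAN, an assumption)
    that do not have port isolation enabled."""
    findings = []
    for section in split_sections(switch_cfg):
        if not section[0].startswith("interface "):
            continue
        body = section[1:]
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(l.startswith("port-isolate enable") for l in body)
        if ap_facing and not isolated:
            findings.append(section[0].split(None, 1)[1])
    return findings


def parse_vap_profiles(ac_cfg):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles, current = {}, None
    for section in split_sections(ac_cfg):
        if section[0] != "wlan":
            continue
        for line in section[1:]:
            m = re.match(r"vap-profile name (\S+)$", line)
            if m:
                # Assumption: no forward-mode line means direct forwarding.
                current = profiles.setdefault(
                    m.group(1),
                    {"forward_mode": "direct-forward", "service_vlan": None})
            elif re.match(r"\S+ name \S+", line) or line.startswith("ap-id "):
                current = None  # another profile, AP group or AP entry begins
            elif current is not None:
                if line.startswith("forward-mode "):
                    current["forward_mode"] = line.split()[1]
                elif (m := re.match(r"service-vlan vlan-id (\d+)$", line)):
                    current["service_vlan"] = int(m.group(1))
    return profiles


def audit_tunnel_vlans(ac_cfg, mgmt_vlan):
    """Return tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    return sorted(name for name, p in parse_vap_profiles(ac_cfg).items()
                  if p["forward_mode"] == "tunnel" and p["service_vlan"] == mgmt_vlan)


if __name__ == "__main__":
    print("AP-facing ports without port isolation:", audit_ap_ports(SWITCH_CFG, 10))
    print("Tunnel VAP profiles in the management VLAN:", audit_tunnel_vlans(AC_CFG, 10))
```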
Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN 102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add area_1 and area_2 to AP groups ap-group1 and
ap-group2, respectively. Assume that the MAC address of area_1 is 60de-4476-e360.
Configure a name for the AP based on the AP's deployment location, so that you can know
where the AP is deployed from its name. For example, name the AP area_1 if it is deployed
in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    15S     -
1   dcd2-fc04-b500  area_2  ap-group2  10.23.10.253  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profiles wlan-net1 and wlan-net2, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] quit
[AC-wlan-view] vap-profile name wlan-net2
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] quit
# Bind the VAP profiles to the AP groups. Apply VAP profile wlan-net1 to radio 0 and radio
1 of area_1, and VAP profile wlan-net2 to radio 0 and radio 1 of area_2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to AP groups
ap-group1 and ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
------------------------------------------------------------------------------------------------------
--     10.23.100.1  area_1   1         60DE-4476-E370  2016/01/12 16:52:58  -51/-48      46/13
L3     10.23.100.1  area_2   1         60DE-4474-9650  2016/01/12 16:55:45  -58/-        -/-
------------------------------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 102
port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net2
service-vlan vlan-id 102
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net1 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net1 wlan 1
ap-group name ap-group2
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net2 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net2 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group2
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirement
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   15S    -
1    dcd2-fc04-b500 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08  1     area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC to check the
STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
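The Configuration Notes of this example (port isolation on AP-facing switch ports; management VLAN and service VLAN must differ in tunnel forwarding mode) can be checked offline against saved configuration files. The script below is an added example, not part of the Huawei document: the rule names, the constructed sample configurations, the assumption that a VAP profile without `forward-mode tunnel` uses direct forwarding, and the heuristic that a trunk port whose PVID equals the management VLAN faces an AP are all assumptions, and the mixed WPA/WPA2 PSK check is an extra review point beyond the page's notes.

```python
import re

# Constructed samples modelled on the configuration files above (not device output).
SAMPLE_AC = """\
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED%^%# aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name bad-tunnel
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name direct-100
  service-vlan vlan-id 100
 ap-group name ap-group1
  vap-profile wlan-net wlan 1
#
return
"""
SAMPLE_SWITCH = """\
#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
#
return
"""
PROFILE_DEF = re.compile(r"^(\S+-profile) name (\S+)$")

def sections(text):
    """Split a saved configuration on '#' separator lines into (header, body) pairs."""
    out, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            if cur:
                out.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(line)
    if cur:
        out.append((cur[0], cur[1:]))
    return out

def management_vlan(ac_text):
    """Management VLAN = the VLANIF named by 'capwap source interface vlanifN'."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", ac_text, re.I | re.M)
    return int(m.group(1)) if m else None

def wlan_profiles(ac_text):
    """Return {(kind, name): [settings]} for each '<kind>-profile name <name>' definition."""
    profiles, current = {}, None
    for header, body in sections(ac_text):
        if header != "wlan":
            continue
        for line in body:
            m = PROFILE_DEF.match(line)
            if m:
                current = profiles.setdefault((m.group(1), m.group(2)), [])
            elif line.startswith(("ap-group name ", "ap-id ")):
                current = None  # bindings inside AP groups are references, not definitions
            elif current is not None:
                current.append(line)
    return profiles

def audit_ac(ac_text):
    """Check the AC file: tunnel-mode VLAN separation and mixed WPA/WPA2 PSK profiles."""
    findings, mgmt = [], management_vlan(ac_text)
    for (kind, name), lines in wlan_profiles(ac_text).items():
        if kind == "security-profile":
            if any(l.startswith("security wpa-wpa2 psk ") for l in lines):
                findings.append(("MIXED_WPA_WPA2_PSK", name))
        elif kind == "vap-profile":
            # Assumption: a VAP profile without 'forward-mode tunnel' uses direct forwarding.
            tunnel = "forward-mode tunnel" in lines
            matches = (re.match(r"service-vlan vlan-id (\d+)$", l) for l in lines)
            if tunnel and mgmt in [int(m.group(1)) for m in matches if m]:
                findings.append(("MGMT_EQ_SERVICE_VLAN", name))
    return findings

def audit_switch(switch_text, mgmt_vlan):
    """Flag AP-facing ports (heuristic: trunk PVID == management VLAN) without port isolation."""
    findings = []
    for header, body in sections(switch_text):
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        if header.lower().startswith("interface ") and ap_facing and "port-isolate enable" not in body:
            findings.append(("NO_PORT_ISOLATE", header.split(None, 1)[1]))
    return findings

if __name__ == "__main__":
    print(audit_ac(SAMPLE_AC) + audit_switch(SAMPLE_SWITCH, management_vlan(SAMPLE_AC)))
```

The `direct-100` profile is deliberately not flagged: the page states the VLAN separation rule for tunnel forwarding only.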
Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                        Data
DHCP server                 AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.
IP address pool for APs     10.23.100.3-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit
# On AC_2, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_1-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00
# Create a mobility group on AC_2, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.100.2
[AC_2-mc-mg-mobility] quit
# The ACs automatically deliver WLAN service configuration to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command on AC_1 and AC_2
to check VAP information. If Status in the command output is displayed as ON, the VAPs
have been successfully created on AP radios.
[AC_1-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------------
Total: 2
[AC_2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------------
1     area_2  0    1   DCD2-FC04-B500 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  1    1   DCD2-FC04-B510 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------------
Total: 2
# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.100.2 -
--------------------------------------------------------------------------------
Total: 2
# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08  1     area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L2 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode:
  – AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
  – AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
• Service data forwarding mode: direct forwarding
Data Planning
Item                            Data
DHCP server                     AC_1 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.
                                AC_2 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.
IP address pool for the APs     10.23.100.2-10.23.100.254/24
                                10.23.200.2-10.23.200.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
                                10.23.102.2-10.23.102.254/24
• Name: ap-group2
• Referenced profile: VAP profile wlan-net2 and regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
• Name: wlan-net2
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
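The port-isolation and VLAN-separation notes above can be checked mechanically against saved configuration files. The following Python check is an added example, not Huawei tooling or part of the original guide; it assumes AP-facing ports are the trunks whose PVID is the management VLAN, that an omitted `forward-mode` line means direct forwarding, and that `forward-mode tunnel` selects tunnel forwarding. Both sample configurations are constructed.

```python
import re

# Constructed switch configuration in the layout of the files in this guide:
# GE0/0/1 faces an AP (PVID = management VLAN 100) but has no port isolation.
SWITCH_CFG = """\
#
sysname Switch_1
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""

# Constructed AC configuration: VAP profile wlan-net tunnels service traffic
# on VLAN 100, which is also the CAPWAP (management) VLAN.
AC_CFG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-net
 vap-profile name guest
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""


def sections(cfg):
    """Yield each '#'-delimited section as a list of stripped, non-empty lines."""
    block = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def ap_ports_without_isolation(cfg, mgmt_vlan):
    """Interfaces whose PVID is the management VLAN but lack 'port-isolate enable'."""
    pvid = f"port trunk pvid vlan {mgmt_vlan}"
    missing = []
    for block in sections(cfg):
        if not block[0].startswith("interface "):
            continue
        body = block[1:]
        isolated = any(l.startswith("port-isolate enable") for l in body)
        if pvid in body and not isolated:
            missing.append(block[0].split(None, 1)[1])
    return missing


def management_vlan(cfg):
    """VLAN ID of the VLANIF used as the CAPWAP source interface, or None."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(cfg):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles, current = {}, None
    for block in sections(cfg):
        if block[0] != "wlan":
            continue
        for line in block[1:]:
            # '<object> name <x>' or 'ap-id <n>' opens a new object in the wlan view;
            # indentation is not relied on because it is often lost in exports.
            if re.match(r"\S+ name \S|ap-id \d", line):
                current = None
                if line.startswith("vap-profile name "):
                    current = profiles.setdefault(
                        line.split()[2], {"mode": "direct-forward", "vlan": None})
            elif current is not None and line.startswith("forward-mode "):
                current["mode"] = line.split()[1]
            elif current is not None and (m := re.match(r"service-vlan vlan-id (\d+)", line)):
                current["vlan"] = int(m.group(1))
    return profiles


def tunnel_vaps_on_management_vlan(cfg):
    """VAP profiles in tunnel mode whose service VLAN equals the management VLAN."""
    mgmt = management_vlan(cfg)
    if mgmt is None:
        return []
    return [name for name, p in vap_profiles(cfg).items()
            if p["mode"] == "tunnel" and p["vlan"] == mgmt]


if __name__ == "__main__":
    print("AP-facing ports without isolation:", ap_ports_without_isolation(SWITCH_CFG, 100))
    print("Tunnel VAPs on management VLAN:", tunnel_vaps_on_management_vlan(AC_CFG))
```
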
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit
# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] quit
# On AC_2, configure VLANIF 200 and VLANIF 102 to assign IP addresses to APs and
STAs, respectively.
[AC_2] dhcp enable
[AC_2] interface vlanif 200
[AC_2-Vlanif200] ip address 10.23.200.1 255.255.255.0
[AC_2-Vlanif200] dhcp select interface
[AC_2-Vlanif200] quit
[AC_2] interface vlanif 102
[AC_2-Vlanif102] ip address 10.23.102.1 255.255.255.0
[AC_2-Vlanif102] dhcp select interface
[AC_2-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net1
[AC_1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] quit
# Bind VAP profile wlan-net1 to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup
# Radio calibration stops one hour after it is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00
# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -57 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08 1 area_2 1/1 5G 11n 46/59 -58 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L3 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
return
● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 102 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102 200
#
return
● Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.23.200.2 255.255.255.0
#
return
● AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.200.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.
4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net1
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net1 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name ap1
ap-group ap-group1
#
return
● AC_2 configuration file
#
sysname AC_2
#
vlan batch 101 to 102 200
#
dhcp enable
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 102 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.
4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net2
service-vlan vlan-id 102
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to the central AP and
RUs.
– SwitchA functions as a DHCP server to assign IP addresses to STAs.
● Service data forwarding mode: direct forwarding
Data Planning
Item                                        Data
IP address pool for the central AP and RUs  10.23.100.2-10.23.100.254/24
IP address pool for STAs                    10.23.101.3-10.23.101.254/24
Agile distributed SFN roaming               Enabled
Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
3. Configure the central AP and RUs to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure agile distributed SFN roaming.
Configuration Notes
● Network planning precautions:
– Agile distributed SFN roaming is supported only by the AD9430DN-12 (including
matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile
distributed SFN roaming in the following combination modes:
■ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D
and R240D supports agile distributed SFN roaming; the 5 GHz radio does
not.)
Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to VLAN 100, and
add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
Step 3 Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to the central AP and RUs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
0 68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor 0 2M:25S -
1 fcb6-9897-c520 ru_1 ap-group1 10.23.100.253 R240D nor 0 3M:5S -
2 fcb6-9897-ca40 ru_2 ap-group1 10.23.100.252 R240D nor 0 3M:14S -
------------------------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.
# Disable the automatic channel and power calibration function for radio 0 of RUs, and
configure the channel and power for radio 0 of RUs.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] eirp 127
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
# In the coverage area of ru_1, connect a STA to the WLAN with the SSID wlan-net and
enter the password a1234567 to associate with the WLAN. Run the display station ssid
wlan-net command on the AC. The command output shows that the STA has associated with
ru_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1 ru_1 0/1 2.4G 11n 38/64 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# When the STA moves from the coverage area of ru_1 to that of ru_2, run the display
station ssid wlan-net command on the AC. The command output shows that the STA has
associated with ru_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 2 ru_2 0/1 2.4G 11n 38/64 -68 101 10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
sfn-roam enable
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 55 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 55 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
● Service data forwarding mode: tunnel forwarding
Data Planning
Item                                     Data
IP address pool for central APs and RUs  10.23.100.2-10.23.100.254/24
IP address pool for STAs                 10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add them to AP group ap-group1. Assume
that the central AP's MAC address is 68a8-2845-62fd and name the central AP central_AP. The
RUs' MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40; name the RUs ru_1 and ru_2,
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID   MAC            Name       Group     IP            Type        State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------
0    68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor   0   2M:25S -
1    fcb6-9897-c520 ru_1       ap-group1 10.23.100.253 R240D       nor   0   3M:5S  -
2    fcb6-9897-ca40 ru_2       ap-group1 10.23.100.252 R240D       nor   0   3M:14S -
------------------------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      ru_1     1/1      5G    11n   46/59  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
- Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
- Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled.
Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute.
Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB.
Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms.
Adjust the transmit rate of 2.4 GHz Beacon frames | To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency. | Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s.
Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI.
Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set.
Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
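The port-isolation and management/service VLAN rules in the Configuration Notes above can be checked mechanically against a saved configuration file. The following is an added example, not part of the Huawei document: the function names, the finding labels and the heuristic that an AP-facing port is a trunk whose PVID equals the management VLAN are assumptions, and the sample configuration is constructed from the tunnel-forwarding AC configuration file shown earlier.

```python
import re

# Constructed sample: the tunnel-forwarding AC configuration file from this
# page, trimmed and re-indented; the pass-phrase ciphertext is a placeholder.
SAMPLE_GOOD = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
# Constructed misconfiguration: port isolation dropped from the AP-facing port
# and the service VLAN set equal to management VLAN 100.
SAMPLE_BAD = (SAMPLE_GOOD.replace(" port-isolate enable\n", "")
              .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100"))

MGMT_RE = re.compile(r"capwap source interface vlanif(\d+)$", re.I)
PVID_RE = re.compile(r"port trunk pvid vlan (\d+)$")
SVLAN_RE = re.compile(r"service-vlan vlan-id (\d+)$")
# Lines that open a new object inside the wlan stanza and so end a VAP profile.
SECTION_RE = re.compile(r"\S+-profile name |ap-group name |ap-id ")


def stanzas(text):
    """Yield the '#'-delimited stanzas of a VRP configuration as stripped lines."""
    block = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def management_vlan(text):
    """Return the VLAN ID of the CAPWAP source VLANIF, or None if absent."""
    for block in stanzas(text):
        for line in block:
            m = MGMT_RE.match(line)
            if m:
                return int(m.group(1))
    return None


def vap_profiles(text):
    """Map each VAP profile name to its forwarding mode and fixed service VLAN."""
    profiles = {}
    for block in stanzas(text):
        if block[0] != "wlan":
            continue
        current = None
        for line in block[1:]:
            if SECTION_RE.match(line):
                current = None
                if line.startswith("vap-profile name "):
                    # Assumption: direct forwarding applies when the profile
                    # carries no forward-mode line.
                    current = profiles.setdefault(
                        line.split()[-1],
                        {"mode": "direct-forward", "service_vlan": None})
            elif current is not None:
                if line.startswith("forward-mode "):
                    current["mode"] = line.split()[1]
                m = SVLAN_RE.match(line)
                if m:
                    current["service_vlan"] = int(m.group(1))
    return profiles


def audit(text, mgmt_vlan=None):
    """Return (finding, object) pairs for the two Configuration Notes checks."""
    if mgmt_vlan is None:
        mgmt_vlan = management_vlan(text)
    findings = []
    for block in stanzas(text):
        if not block[0].startswith("interface "):
            continue
        pvids = [int(m.group(1)) for m in map(PVID_RE.match, block[1:]) if m]
        # Assumption: a trunk whose PVID is the management VLAN faces an AP.
        if mgmt_vlan in pvids and "port-isolate enable" not in block[1:]:
            findings.append(("port-isolate-missing", block[0].split()[1]))
    for name, prof in vap_profiles(text).items():
        # VLAN pools (service-vlan vlan-pool ...) are not expanded here.
        if (prof["mode"] == "tunnel" and mgmt_vlan is not None
                and prof["service_vlan"] == mgmt_vlan):
            findings.append(("tunnel-service-vlan-equals-mgmt", name))
    return findings
```

For an access switch such as SwitchA, whose configuration has no capwap source line, pass the AP management VLAN explicitly, for example `audit(text, mgmt_vlan=10)`.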
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
NOTE
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-net-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-net-prof-wlan-net] quit
ecwmax 10
[AC-wlan-ssid-prof-wlan-net] beacon-2g-rate 11
[AC-wlan-ssid-prof-wlan-net] quit
# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
4. Create an RRM profile, enable airtime fair scheduling and smart roaming, and set the
SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When a large number of users connect to the network in the stadium, the users still have good
Internet experience.
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
- Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
beacon-2g-rate 11
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
airtime-fair-schedule enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
- AC networking mode: Layer 2 bypass mode
- Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
- Backhaul radio: 5 GHz radio
Data Planning
Item Data
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
- This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
  Fat AP mode as the vehicle-mounted APs.
- Switches and routers used in this example are all Huawei products.
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
- Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure the other interfaces on Switch_B that connect to trackside APs in the
same way as GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through
and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure the other interfaces on Switch_C that connect to trackside APs in the
same way as GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through
and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. Set the security policy to
WPA2+PSK+AES in the security profile.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] quit
[AC] quit
# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
Total: 6
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
----End
Configuration Files
• Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
• Vehicle-mounted network devices
– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
channel 40mhz-plus 157
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure the vehicle-ground fast link handover function on trackside and
vehicle-mounted APs so that the vehicle-mounted APs can set up Mesh links with
the trackside APs.
3. Configure the vehicle-mounted network to enable intra-network data communication,
and configure VRRP and BFD between the vehicle-mounted APs.
NOTE
• This example uses Huawei AP8030DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• The switches and router used in this example are all Huawei products.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
• Configure ground network devices.
a. Create VLAN 100 and VLAN 200 on Switch_A, and add GE0/0/1 and GE0/0/2 to
VLAN 100 and VLAN 200, and GE0/0/3 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit
Configure a route to Router based on the actual networking so that packets destined for the public
network are forwarded from the ground network to Router.
c. Configure the IP address 10.23.200.1 as the next-hop address of the route for
packets from Switch_A to be forwarded to vehicle-mounted terminals.
[Switch_A] ip route-static 10.23.161.0 24 10.23.200.1
# On Switch_B, create VLAN 100 and VLAN 200, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 200 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# On Switch_C, create VLAN 100 and VLAN 200, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 200 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces on Switch_C connected to trackside APs according to
the configuration for GE0/0/1. Configure these interfaces to allow packets from
VLAN 100 and VLAN 200 to pass through, and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 200
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch_C-GigabitEthernet0/0/1] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
g. Configure uplink wired interfaces on trackside APs to allow packets from VLAN
200 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 200 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 200
[AC-wlan-wired-port-wired-port] quit
# Create the Mesh whitelist whitelist01 and add MAC addresses of
vehicle-mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. Set the security policy to
WPA2+PSK+AES in the security profile.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal in
the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure Mesh profiles. Set the IDs of the Mesh networks to mesh-net and
mesh-net2, and bind the security profile and Mesh handover profile to the Mesh
profiles.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] mesh-profile name mesh-net2
[AC-wlan-mesh-prof-mesh-net2] mesh-id mesh-net2
[AC-wlan-mesh-prof-mesh-net2] security-profile sp01
[AC-wlan-mesh-prof-mesh-net2] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net2] quit
j. Configure Switch_D.
# Configure Switch_D to communicate with other devices.
<HUAWEI> system-view
[HUAWEI] sysname Switch_D
[Switch_D] vlan batch 161
[Switch_D] interface gigabitethernet 0/0/1
[Switch_D-GigabitEthernet0/0/1] port link-type trunk
[Switch_D-GigabitEthernet0/0/1] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/1] quit
[Switch_D] interface gigabitethernet 0/0/2
[Switch_D-GigabitEthernet0/0/2] port link-type trunk
[Switch_D-GigabitEthernet0/0/2] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/2] quit
[Switch_D] interface gigabitethernet 0/0/3
[Switch_D-GigabitEthernet0/0/3] port link-type trunk
[Switch_D-GigabitEthernet0/0/3] port trunk pvid vlan 161
[Switch_D-GigabitEthernet0/0/3] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/3] quit
[Switch_D] interface gigabitethernet 0/0/4
[Switch_D-GigabitEthernet0/0/4] port link-type trunk
[Switch_D-GigabitEthernet0/0/4] port trunk pvid vlan 161
[Switch_D-GigabitEthernet0/0/4] port trunk allow-pass vlan 161
[Switch_D-GigabitEthernet0/0/4] quit
NOTE
The preceding configurations for the two vehicle-mounted APs are the same except for the AP name.
Name the vehicle-mounted AP in the rear AP2. From this step on, the configurations for the two
vehicle-mounted APs differ.
# On the vehicle-mounted AP (in the front), configure the Mesh handover profile
hand-over, enable the location-based fast link handover algorithm, and set the
moving direction of the vehicle-mounted AP to forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
# On the vehicle-mounted AP (in the rear), configure the Mesh handover profile
hand-over, enable the location-based fast link handover algorithm, and set the
moving direction of the vehicle-mounted AP to backward.
[AP2-wlan-view] mesh-handover-profile name hand-over
[AP2-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction backward
[AP2-wlan-mesh-handover-hand-over] quit
# On the vehicle-mounted AP (in the front), configure the Mesh profile. Set the ID
of the Mesh network to mesh-net, and bind the security profile and Mesh handover
profile to the Mesh profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# On the vehicle-mounted AP (in the rear), configure the Mesh profile. Set the ID of
the Mesh network to mesh-net2, and bind the security profile and Mesh handover
profile to the Mesh profile.
[AP2-wlan-view] mesh-profile name mesh-net2
[AP2-wlan-mesh-prof-mesh-net2] mesh-id mesh-net2
[AP2-wlan-mesh-prof-mesh-net2] security-profile sp01
[AP2-wlan-mesh-prof-mesh-net2] mesh-handover-profile hand-over
[AP2-wlan-mesh-prof-mesh-net2] quit
[AP2-wlan-view] quit
# Configure the radio and channel used by the vehicle-mounted AP (in the rear) and
bind the Mesh profile.
[AP2] interface wlan-radio 0/0/1
[AP2-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP2-Wlan-Radio0/0/1] mesh-profile mesh-net2
[AP2-Wlan-Radio0/0/1] quit
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 200
161
[AP-wlan-view] quit
# Configure VRRP.
[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.1
[AP-Vlanif161] admin-vrrp vrid 1
[AP-Vlanif161] vrrp vrid 1 priority 120
[AP-Vlanif161] quit
[AP] interface Vlanif 200
[AP-Vlanif200] vrrp vrid 2 virtual-ip 10.23.200.1
[AP-Vlanif200] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP-Vlanif200] vrrp vrid 2 priority 120
[AP-Vlanif200] quit
# Configure BFD.
[AP] bfd
[AP-bfd] quit
[AP] bfd atob bind peer-ip 10.23.161.3 interface vlanif161
[AP-bfd-session-atob] discriminator local 1
[AP-bfd-session-atob] discriminator remote 2
[AP-bfd-session-atob] min-rx-interval 50
[AP-bfd-session-atob] min-tx-interval 50
[AP-bfd-session-atob] commit
[AP-bfd-session-atob] quit
[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 track bfd-session 1 reduced 50
[AP-Vlanif161] quit
# Configure VRRP.
[AP2] interface Vlanif 161
[AP2-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.1
[AP2-Vlanif161] admin-vrrp vrid 1
[AP2-Vlanif161] vrrp vrid 1 priority 110
[AP2-Vlanif161] quit
[AP2] interface Vlanif 200
[AP2-Vlanif200] vrrp vrid 2 virtual-ip 10.23.200.1
[AP2-Vlanif200] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP2-Vlanif200] vrrp vrid 2 priority 110
[AP2-Vlanif200] quit
# Configure BFD.
[AP2] bfd
[AP2-bfd] quit
[AP2] bfd btoa bind peer-ip 10.23.161.2 interface vlanif161
[AP2-bfd-session-btoa] discriminator local 2
[AP2-bfd-session-btoa] discriminator remote 1
[AP2-bfd-session-btoa] min-rx-interval 50
[AP2-bfd-session-btoa] min-tx-interval 50
[AP2-bfd-session-btoa] commit
[AP2-bfd-session-btoa] quit
------------------------------------------------------------------------------
----------------------------------------------------
Total: 12
Total: 6
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
--
Total UP/DOWN Session Number : 1/0
----End
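The Mesh security profile in this procedure is typed with a short example passphrase and is bound to both Mesh profiles. The following check is an added example, not part of the Huawei guide: it scans a command transcript or saved configuration for WPA2-PSK security profiles, flags cleartext passphrases that match the guide's example or fall below a local length policy, and lists which Mesh profiles depend on each one. The function names, the MIN_LEN policy value, and the sp-saved stanza with its placeholder ciphertext are assumptions made for the illustration.

```python
import re

# Constructed input: the AC commands typed in this procedure, followed by a
# saved-configuration stanza whose ciphertext value is a made-up placeholder.
SAMPLE = """\
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] mesh-profile name mesh-net2
[AC-wlan-mesh-prof-mesh-net2] mesh-id mesh-net2
[AC-wlan-mesh-prof-mesh-net2] security-profile sp01
[AC-wlan-mesh-prof-mesh-net2] quit
#
security-profile name sp-saved
 security wpa2 psk pass-phrase %^%#CONSTRUCTED-PLACEHOLDER%^%# aes
#
"""

GUIDE_EXAMPLES = {"a1234567"}  # passphrase printed in this guide
MIN_LEN = 20                   # assumption: local policy, not a Huawei limit
CIPHER_MARK = "%^%#"           # wrapper around ciphertext in saved configurations
PROMPT = re.compile(r"^\[[^\]]+\]\s*")
PSK = re.compile(r"^security wpa2 psk pass-phrase (\S+) aes$")


def parse(text):
    """Return ({security profile: passphrase}, {security profile: [mesh profiles]})."""
    profiles, mesh_use = {}, {}
    sec = mesh = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())      # drop the "[AC-wlan-view] " prompt
        if line.startswith("security-profile name "):
            sec, mesh = line.split()[-1], None
            profiles.setdefault(sec, None)
        elif line.startswith("mesh-profile name "):
            mesh, sec = line.split()[-1], None
        elif line in ("quit", "#"):
            sec = mesh = None                   # left the profile view or stanza
        elif sec and (m := PSK.match(line)):
            profiles[sec] = m.group(1)
        elif mesh and line.startswith("security-profile "):
            mesh_use.setdefault(line.split()[-1], []).append(mesh)
    return profiles, mesh_use


def audit(text):
    """Report storage form, issues and dependent Mesh profiles per security profile."""
    profiles, mesh_use = parse(text)
    report = {}
    for name, secret in profiles.items():
        users = mesh_use.get(name, [])
        entry = {"stored": None, "issues": [], "mesh_profiles": users}
        if secret is None:
            entry["issues"].append("no WPA2-PSK passphrase line found")
        elif secret.startswith(CIPHER_MARK) and secret.endswith(CIPHER_MARK):
            # Strength cannot be judged from ciphertext; check it where the
            # passphrase is generated and issued.
            entry["stored"] = "ciphertext"
        else:
            entry["stored"] = "cleartext"
            if secret in GUIDE_EXAMPLES:
                entry["issues"].append("passphrase is the example printed in the guide")
            if not 8 <= len(secret) <= 63:
                entry["issues"].append("outside the WPA2 passphrase length of 8 to 63")
            elif len(secret) < MIN_LEN:
                entry["issues"].append(f"shorter than the policy minimum of {MIN_LEN}")
        if len(users) > 1:
            entry["issues"].append("shared by Mesh profiles: " + ", ".join(users))
        report[name] = entry
    return report


if __name__ == "__main__":
    for profile, entry in audit(SAMPLE).items():
        print(profile, entry)
```
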
Configuration Files
• Ground network devices
– Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.161.0 255.255.255.0 10.23.200.1
#
return
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction backward
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 200
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 161
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 161
mesh-profile name mesh-net2
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net2
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net2
channel 40mhz-plus 157
#
return
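The switch configuration files above pair every `port trunk pvid vlan` with an `allow-pass` list that contains it and only pass VLANs created by `vlan batch`. The following consistency check is an added example, not part of the Huawei guide: it parses a configuration file in this format, including the `100 to 101` range notation, and reports trunk ports that break either rule or that pass all VLANs. The function names, the indentation of the sample, and the GigabitEthernet0/0/7 and 0/0/8 stanzas are constructed for the illustration.

```python
# Switch_A configuration file from this example (indentation is assumed).
PAGE_SWITCH_A = """\
#
sysname Switch_A
#
vlan batch 100 200
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 10.23.161.0 255.255.255.0 10.23.200.1
#
return
"""

# Constructed stanzas that are NOT in the guide, added to trigger findings.
CONSTRUCTED_EXTRA = """\
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['100', 'to', '101', '200'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = int(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        vlans.update(range(start, end + 1))
    return vlans


def parse_config(text):
    """Return (created VLANs, {interface: settings}) from a configuration file."""
    created, ports, cur = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            cur = None                              # '#' closes the current stanza
        elif words[:2] == ["vlan", "batch"]:
            created |= expand_vlans(words[2:])
        elif words[0] == "interface":
            cur = ports.setdefault(
                words[1], {"type": None, "pvid": None, "allowed": set(), "all": False})
        elif cur is not None and words[:2] == ["port", "link-type"]:
            cur["type"] = words[2]
        elif cur is not None and words[:4] == ["port", "trunk", "pvid", "vlan"]:
            cur["pvid"] = int(words[4])
        elif cur is not None and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            if words[4:] == ["all"]:
                cur["all"] = True
            else:
                cur["allowed"] |= expand_vlans(words[4:])
    return created, ports


def audit(text):
    """Return a list of (interface, finding) tuples for trunk ports."""
    created, ports = parse_config(text)
    findings = []
    for name, p in ports.items():
        if p["type"] != "trunk":
            continue
        if p["all"]:
            findings.append((name, "passes all VLANs; list only the VLANs needed"))
        elif p["pvid"] is not None and p["pvid"] not in p["allowed"]:
            # Untagged frames are placed in the PVID and then not permitted.
            findings.append((name, f"PVID {p['pvid']} is not in the allow-pass list"))
        missing = sorted(p["allowed"] - created)
        if missing:
            findings.append((name, f"allows VLANs not created by vlan batch: {missing}"))
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_SWITCH_A + CONSTRUCTED_EXTRA):
        print(finding)
```
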
Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.
Configuration Notes
• Currently, the load balancing function is implemented in the STA access phase. In
scenarios with complex user service types and unstable traffic, the expected load
balancing effect cannot be achieved. In this case, you are not advised to enable load
balancing based on the channel usage.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item | Command | Data
Check all profiles referenced by the AP group. | display ap-group name ap-group1 | VAP profile: wlan-net
# Create the RRM profile wlan-net. In the profile, enable dynamic load balancing, set the
start threshold for dynamic load balancing to 15, and set the load difference threshold
to 25%.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-net
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-net to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-net to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit
# Run the display rrm-profile name wlan-net command on the AC to check the dynamic
load balancing configuration.
[AC-wlan-view] display rrm-profile name wlan-net
----------------------------------------------------------------------------
...
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(percentage) : 25
...
----------------------------------------------------------------------------
# When a new STA requests to connect to AP area_1, the AC uses a dynamic load balancing
algorithm to redirect the STA to AP area_2, which has a light load, according to the
information reported by the APs.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-net
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold percentage 25
radio-2g-profile name wlan-radio2g
rrm-profile wlan-net
radio-5g-profile name wlan-radio5g
rrm-profile wlan-net
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.
Configuration Notes
• Load balancing takes effect during the STA association stage. In scenarios with complex
  user service types and unstable traffic, loads cannot be balanced as expected. In this case,
  load balancing based on the channel utilization is not recommended.
• If dual-band APs are used, traffic is load balanced among APs working on the same
  frequency band.
• Each load balancing group supports a maximum of 16 AP radios.
• Under the agile distributed network architecture composed of the central AP and RUs,
  you only need to add radios of the RUs to a static load balancing group.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure static load balancing.
1. Create a static load balancing group, and add AP area_1 and AP area_2 to it.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2
# Set the start threshold for static load balancing based on the number of users to 10 and
load difference threshold to 5%.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 10
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold percentage 5
[AC-wlan-sta-lb-static-wlan-static] quit
• When a new STA requests to connect to AP area_1, the AC uses a static load balancing
  algorithm to redirect the STA to the lightly loaded AP area_2 based on the configured
  load balancing group.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
 sta-load-balance static-group name wlan-static
  sta-number gap-threshold percentage 5
  member ap-id 0 radio 0
  member ap-id 0 radio 1
  member ap-id 1 radio 0
  member ap-id 1 radio 1
  sta-number start-threshold 10
#
return
Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.
Data Planning
Item Data
Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.
Configuration Notes
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
  SSID and security policy on the 5 GHz and 2.4 GHz radios.
• To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
  access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                          Data
Check all profiles referenced by the AP group.  display ap-group name ap-group1  VAP profile: wlan-net
When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
[AC-wlan-vap-prof-wlan-net] quit
# Create the RRM profile wlan-rrm and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-wlan-rrm] quit
# Create the 2G radio profile radio2g and bind the RRM profile wlan-rrm to the 2G radio
profile.
NOTE
If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-radio2g] quit
# Run the display rrm-profile name wlan-rrm command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Band balance start threshold : 15
Band balance gap threshold(%) : 25
...
------------------------------------------------------------
# In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
 vap-profile name wlan-net
 rrm-profile name wlan-rrm
  band-steer balance gap-threshold 25
  band-steer balance start-threshold 15
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
#
return
Data Planning
Item Data
Configuration Roadmap
Configure smart roaming and adjust smart roaming parameters to steer STAs (especially
sticky STAs) to reconnect or roam to APs with strong signals.
NOTE
Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
STAs fail to roam to neighbor APs with better signals. They are called sticky STAs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                          Data
Check all profiles referenced by the AP group.  display ap-group name ap-group1  VAP profile: wlan-net
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit
# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
 rrm-profile name wlan-rrm
  smart-roam roam-threshold check-snr
  smart-roam roam-threshold snr 15
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.
Networking Requirements
Data Planning
Item Data
Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.
Configuration Notes
• If air scan related functions such as WIDS, spectrum analysis, and terminal location are
  enabled for a radio in normal mode, the radio both transmits common WLAN service
  data and performs monitoring, and the monitoring may affect transmission of the
  service data.
• In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
  the scanning interval be set to no more than 10 seconds and the scanning duration to
  100 ms.
• The channels to be scanned for spectrum analysis are fixed as all channels supported by
  the corresponding country code of an AP and are irrelevant to the configuration in an air
  scan profile.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                          Data
Check all profiles referenced by the AP group.  display ap-group name ap-group1  VAP profile: wlan-net
# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 100
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 8000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Bind the AP system profile wlan-spectrum to the AP group ap-group1 and enable
spectrum analysis in the AP group.
# Enable the function of reporting spectrum analysis data on AP radios. The spectrum server
performs spectrum analysis and draws spectrum graphs based on the data reported by the APs.
The spectrum-report command becomes invalid after a restart, and needs to be configured
again.
[AC-wlan-view] spectrum-report ap-name area_1 radio 0
[AC-wlan-view] spectrum-report ap-name area_1 radio 1
# Run the display spectrum-analysis server-reporter command on the AC to check the APs
that report spectrum packets to the spectrum server.
[AC-wlan-view] display spectrum-analysis server-reporter
------------------------------------------------------------
ID AP name Radio ID
------------------------------------------------------------
1 area_1 0
1 area_1 1
------------------------------------------------------------
Total: 2
# Run the display wlan non-wifi-device all command on the AC to check the detected
non-Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : area_1
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2017-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Total: 1
4. Select your desired spectrum chart from the drop-down list box in the upper left corner.
You can select Lower or Upper on the spectrum charts of a 5G radio to view spectrum
charts of different frequencies.
5. The Real-Time FFT chart shows that the signal strength of interference is mostly within
the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click Modify, set
the signal strength scope at both ends of the color bar, and click Apply. The Swept
Spectrogram chart shows that channel 149 has the most severe interference.
6. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
 air-scan-profile name wlan-airscan
  scan-period 100
  scan-interval 8000
 radio-2g-profile name wlan-radio2g
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  air-scan-profile wlan-airscan
 ap-system-profile name wlan-spectrum
  spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
  spectrum-analysis non-wifi-device aging-time 5
 ap-group name ap-group1
  ap-system-profile wlan-spectrum
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
   spectrum-analysis enable
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
   spectrum-analysis enable
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-64 Networking for configuring rogue device detection and containment
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit
STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
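The following Python check is an added example, not part of the Huawei document: it reads a saved AC configuration file and verifies the settings this rogue device containment example depends on (a WIDS profile with a containment mode bound to the AP group, detection and containment enabled on every radio, and a service VLAN that differs from the management VLAN in tunnel forwarding mode). The function names are hypothetical, and the sample text is constructed from the configuration file above on the assumption that the saved file indents one space per nesting level.

```python
import re

# Constructed sample: the WIDS-relevant lines of the AC configuration file
# above, indented one space per nesting level (an assumption about the saved
# file's layout).
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-net wlan 1
   wids device detect enable
   wids contain enable
#
return
"""


def parse_config(text):
    """Build a tree of {"line", "children"} nodes from the indentation."""
    root = {"line": "", "children": []}
    stack = [(-1, root)]  # (indent, node) for each open nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue  # separators carry no configuration
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()  # close views that this line is not nested in
        node = {"line": line, "children": []}
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root


def sub(node, prefix):
    """Direct children of node whose command starts with prefix."""
    return [c for c in node["children"] if c["line"].startswith(prefix)]


def audit_wids(text):
    """Return a list of findings; an empty list means every check passed."""
    root = parse_config(text)
    wlan_views = [c for c in root["children"] if c["line"] == "wlan"]
    if not wlan_views:
        return ["no wlan view found"]
    wlan = wlan_views[0]
    findings = []

    # The management VLAN is the VLANIF used as the CAPWAP source.
    mgmt_vlan = None
    for c in sub(root, "capwap source interface"):
        m = re.search(r"vlanif\s*(\d+)$", c["line"], re.IGNORECASE)
        if m:
            mgmt_vlan = int(m.group(1))

    # Tunnel forwarding: service VLAN must not equal the management VLAN.
    for vap in sub(wlan, "vap-profile name "):
        name = vap["line"].split()[-1]
        svc = {int(c["line"].split()[-1])
               for c in sub(vap, "service-vlan vlan-id ")}
        if sub(vap, "forward-mode tunnel") and mgmt_vlan in svc:
            findings.append(f"vap-profile {name}: service VLAN {mgmt_vlan} "
                            "equals the management VLAN in tunnel mode")

    # WIDS profiles that actually define a containment mode.
    contain_profiles = {p["line"].split()[-1]
                        for p in sub(wlan, "wids-profile name ")
                        if sub(p, "contain-mode ")}

    for group in sub(wlan, "ap-group name "):
        gname = group["line"].split()[-1]
        bound = [c["line"].split()[-1] for c in sub(group, "wids-profile ")]
        if not any(p in contain_profiles for p in bound):
            findings.append(f"ap-group {gname}: no WIDS profile with a "
                            "contain-mode is bound")
        for radio in sub(group, "radio "):
            for needed in ("wids device detect enable", "wids contain enable"):
                if not sub(radio, needed):
                    findings.append(f"ap-group {gname} {radio['line']}: "
                                    f"missing '{needed}'")
    return findings


if __name__ == "__main__":
    for finding in audit_wids(SAMPLE_AC_CONFIG) or ["all checks passed"]:
        print(finding)
```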
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and flood
attack detection.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
# Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication,
the maximum number of key negotiation failures allowed within the detection period to 25,
and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to
350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
# Create AP system profile wlan-system, and set the aging time of the dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit
Step 9 Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit
After the configurations are complete, run the display wlan ids attack-detected all command
to view detected attack devices.
[AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detcted attack type
CH: Channel number
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address AT CH RSSI(dBm) Last detected time #AP
-------------------------------------------------------------------------------
000b-c002-9c81 pbr 165 -87 2014-11-20/15:51:13 1
0024-2376-03e9 pbr 165 -84 2014-11-20/15:51:13 1
0046-4b74-691f act 165 -67 2014-11-20/15:51:13 1
-------------------------------------------------------------------------------
Total: 3, printed: 3
The display wlan dynamic-blacklist command displays information about attack devices in
the dynamic blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP LAT
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1 100
0024-2376-03e9 2014-11-20/16:15:53 pbr 1 100
0046-4b74-691f 2014-11-20/16:15:53 act 1 100
-------------------------------------------------------------------------------
Total: 3, printed: 3
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
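Attack detection in the AC configuration file above only blocks anything if detection is enabled on every radio of the AP group, a WIDS profile is bound and defined, and dynamic-blacklist enable is set in that profile. The Python audit below is an added example, not Huawei code: parse_wlan, bound, audit_wids and detection_settings are hypothetical helper names, and both inputs are constructed from the configuration file shown here.

```python
import re

# Constructed input: the wlan view of the AC configuration file above, trimmed
# to the lines the audit reads, without indentation as it appears on this page.
SAMPLE_CONFIG = """\
wlan
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
wids-profile wlan-wids
radio 0
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
radio 0
channel 20mhz 6
#
return
"""
# Constructed variant: blacklist switch and radio 1 detection lines removed.
WEAK_CONFIG = SAMPLE_CONFIG.replace("dynamic-blacklist enable\n", "").replace(
    "radio 1\nwids attack detect enable flood\nwids attack detect enable wpa2-psk\n",
    "radio 1\n")

SECTION_RE = re.compile(r"^(?P<kind>[a-z0-9-]+-profile|ap-group) name (?P<name>\S+)$")


def parse_wlan(text):
    """Split the wlan view into profile bodies and AP groups, by keyword not indent."""
    profiles, groups = {}, {}
    in_wlan, current, group = False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "wlan":
            in_wlan = True
        elif not in_wlan or not line:
            continue
        elif line in ("#", "return"):
            in_wlan, current, group = False, None, None
        elif (m := SECTION_RE.match(line)):
            if m["kind"] == "ap-group":
                group = groups.setdefault(m["name"], {"lines": [], "radios": {}})
                current = group["lines"]
            else:
                group, current = None, profiles.setdefault((m["kind"], m["name"]), [])
        elif re.match(r"^ap-id \d+\b", line):
            group, current = None, None  # per-AP radio settings are not audited
        elif (r := re.match(r"^radio (\d+)$", line)) and group is not None:
            current = group["radios"].setdefault(int(r[1]), [])
        elif current is not None:
            current.append(line)
    return profiles, groups


def bound(lines, kind):
    """Names of the profiles of one kind that an AP group binds."""
    return [p[1] for p in map(str.split, lines) if len(p) >= 2 and p[0] == kind]


def audit_wids(text, required=("flood", "wpa2-psk")):
    """Return findings for AP groups whose attack detection chain is incomplete."""
    profiles, groups = parse_wlan(text)
    findings = []
    for name, grp in groups.items():
        for rid, rlines in sorted(grp["radios"].items()):
            for kind in required:
                if f"wids attack detect enable {kind}" not in rlines:
                    findings.append(f"{name} radio {rid}: {kind} detection not enabled")
        wids = bound(grp["lines"], "wids-profile")
        if not wids:
            findings.append(f"{name}: no wids-profile bound")
        for prof in wids:
            body = profiles.get(("wids-profile", prof))
            if body is None:
                findings.append(f"{name}: wids-profile {prof} is bound but not defined")
            elif "dynamic-blacklist enable" not in body:
                findings.append(f"wids-profile {prof}: dynamic-blacklist not enabled")
    return findings


def detection_settings(text, group):
    """Numeric WIDS and blacklist timers that apply to one AP group."""
    profiles, groups = parse_wlan(text)
    settings = {}
    for kind in ("wids-profile", "ap-system-profile"):
        for prof in bound(groups[group]["lines"], kind):
            for line in profiles.get((kind, prof), []):
                if (m := re.match(r"^(.+) (\d+)$", line)):
                    settings[m[1]] = int(m[2])
    return settings
```

Running audit_wids over a saved configuration before and after a change shows whether a radio or the blacklist switch was dropped; detection_settings lists the thresholds and timers in effect for review.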
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-66 Networking for configuring the STA blacklist and whitelist
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE
The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Create the VAP profile wlan-net and bind the STA whitelist profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-net] quit
# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
An AeroScout location server is deployed on the network and can communicate with the AC.
AeroScout Wi-Fi tags that have been activated are installed on materials to be traced within
the coverage area of the WLAN.
[Figure: networking diagram. Labels: AeroScout location server 10.23.103.1/24; IP network; Router; GE1/0/0; STA gateway: VLANIF 101; VLANIF 102; GE0/0/2; AC; Switch; AP1, AP2, AP3; RFID; AeroScout Wi-Fi tag; STA]
Data Planning
Item                 Data
AC                   -
AeroScout product    -
Configuration Roadmap
1. Activate the AeroScout tag and configure the AeroScout location server.
2. Configure the AC to communicate with the AeroScout location server. Plan an IP
address for the AC to send received tag information to the location server.
3. Configure the air scan function on the AC. Tags work on the 2.4 GHz band. Enable air
scan on the 2.4 GHz radios of APs. If automatic radio calibration is enabled, set the
channel set to within the range supported by the country code to cover available channels
used by the tags. If only the tag location service is required, configure radios to work on
fixed channels and set the air scan channel set to the working channels.
4. Configure the AeroScout tag location function on the AC.
Configuration Notes
When activating a tag, ensure that the channel through which the tag sends signals can be
scanned by APs.
Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -50 dBm.
When APs are not heavily loaded, it is recommended that the AC report tag information. In
this case, set APs' IP addresses on the AeroScout location server to the AC's IP address. To
configure APs to directly report tag information, specify the APs' IP addresses on the
AeroScout location server based on the actual situation.
Procedure
Step 1 Configure AeroScout products.
# On the PC, install the Tag Manager software and connect a tag activator to the PC. Deploy
the tag within the coverage of the activator. After configuring the tag, fix it to the materials.
# Install the AeroScout Engine software on the AeroScout server to configure it as the
location server. After the software is installed, open the management system on the server and
add information about the map and APs. If the AC has been configured, you can check
information about properly running APs (marked in green) on the AC. You can click the
location startup button on the page.
For details about how to install and configure AeroScout products, see the configuration
guide of the corresponding products.
# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1
# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms
NOTE
• If the configuration of an AP is different from that in the AP group, the configuration of the AP
takes precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Move the tag to the coverage area of an AP, and run the display wlan location device-info
tag { ap-id ap-id | ap-name ap-name } command to check tag information scanned by the
AP.
[AC-wlan-view] display wlan location device-info tag ap-name AP1
AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 AP1 AeroScout 1040-8002-6f80 6 -30
------------------------------------------------------------------------------
Total: 1
# On the management page of the AeroScout location server, the location of the tag is
displayed on the map.
----End
Configuration Files
• Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
aeroscout tag-enable
aeroscout server port 1144 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio 0
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
An AeroScout location server is deployed on the network and can communicate with the AC.
[Figure: networking diagram. Labels: AeroScout location server (10.23.103.1/24), IP network, Router (GE1/0/0), AC (GE0/0/2), VLANIF 102, STA gateway: VLANIF 101, Switch, AP1, AP2, AP3, MU]
Data Planning
AC -
AeroScout product -
Configuration Roadmap
1. Configure the AeroScout location server.
2. Configure the AC to communicate with the AeroScout location server. Plan an IP
address for the AC to send received MU information to the location server.
Configuration Notes
Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -65 dBm.
When APs are not heavily loaded, it is recommended that the AC report MU information. In
this case, set APs' IP addresses on the AeroScout location server to the AC's IP address. To
configure APs to directly report MU information, specify the APs' IP addresses on the
AeroScout location server based on the actual situation.
Procedure
Step 1 Configure AeroScout products.
# Install the AeroScout Engine software on the AeroScout server to configure it as the
location server. After the software is installed, open the management system on the server and
add information about the map and APs. If the AC has been configured, you can check
information about properly running APs (marked in green) on the AC. You can click the
location startup button on the page.
For details about how to install and configure AeroScout products, see the configuration
guide of the corresponding products.
# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1
# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms
NOTE
• If the configuration of an AP is different from that in the AP group, the configuration of the AP
takes precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# On the management page of the AeroScout location server, the location of the MU is
displayed on the map.
----End
Configuration Files
• Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
aeroscout mu-enable
aeroscout server port 1144 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
An Ekahau location server is deployed on the network and can communicate with the AC.
Ekahau Wi-Fi tags that have been activated are installed on materials to be traced within the
coverage area of the WLAN.
[Figure: networking diagram. Labels: Ekahau location server (10.23.103.1/24), IP network, Router (GE1/0/0), AC (GE0/0/2), VLANIF 102, STA gateway: VLANIF 101, Switch, AP1, AP2, AP3, RFID, Ekahau Wi-Fi tag, STA]
Data Planning
Item Data
AC -
Ekahau product -
Configuration Roadmap
1. Activate tags. Conduct the onsite survey to establish a signal distribution model. On the
server, install Ekahau RTLS Controller and import the signal distribution model file.
2. Configure the AC to communicate with the Ekahau location server. Plan an IP address
for the AC to send received tag information to the location server.
3. Configure the air scan function on the AC. Tags work on the 2.4 GHz band. Enable air
scan on the 2.4 GHz radios of APs. If automatic radio calibration is enabled, set the
channel set to within the range supported by the country code to cover available channels
used by the tags. If only the tag location service is required, configure radios to work on
fixed channels and set the air scan channel set to the working channels.
4. Configure the Ekahau tag location function on the AC.
Configuration Notes
When activating a tag, ensure that the channel through which the tag sends signals can be
scanned by APs.
Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -50 dBm.
When APs are not heavily loaded, it is recommended that the AC report tag information. To
configure APs to directly report tag information, ensure that the APs have reachable routes to
the location server.
Procedure
Step 1 Configure Ekahau products.
# Ensure that the PC has a wireless network adapter installed or uses the Ekahau Wi-Fi
adapter. Install Ekahau Tag Activator on the PC. Deploy the tag within the wireless signal
coverage of the PC. After configuring the tag, fix it to the materials.
# Install Ekahau Site Survey on the PC. Import the onsite map, select APs for locating tags
from the scanned AP list, and export the signal distribution model file.
# Install the Ekahau RTLS Controller software on the Ekahau server to configure it as the
location server. Open the management system and import the signal distribution model file. If
the configuration on the AC is completed, you can view the location of the tag on the page.
For details about how to install and configure Ekahau products, see the configuration guide
of the corresponding products.
# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1
# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms
NOTE
• If the configuration of an AP is different from that in the AP group, the configuration of the AP
takes precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit
# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Create the location profile wlan-location, enable Ekahau tag location, configure the
destination IP address and port number for reporting location information, and configure the
source IP address for the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] ekahau tag-enable
[AC-wlan-location-prof-wlan-location] ekahau server ip-address 10.23.103.1 port 8569 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.102.2
[AC-wlan-location-prof-wlan-location] quit
# On the management page of the Ekahau location server, the location of the tag is displayed
on the map.
----End
Configuration Files
• Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
wlan
location-profile name wlan-location
ekahau tag-enable
ekahau server ip-address 10.23.103.1 port 8569 via-ac ac-port 10001
source ip-address 10.23.102.2
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio 0
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
The network management system (NMS) eSight is deployed on the network as a location
server and can communicate with the AC.
[Figure: networking diagram. Labels: eSight location server (10.23.103.1/24), IP network, Router (GE1/0/0), AC (GE0/0/2), VLANIF 102, STA gateway: VLANIF 101, Switch, AP1, AP2, AP3, Terminal]
Data Planning
AC -
Location server -
Configuration Roadmap
1. Install eSight.
2. Configure the AC to communicate with eSight. Plan an IP address for the AC to send
received terminal information to the location server.
3. Configure SNMP parameters for the AC to connect to eSight.
4. Configure the air scan function on the AC.
5. Configure the Wi-Fi terminal location function on the AC.
6. Configure the WLAN location function on eSight.
Configuration Notes
Three-point location technology is used. To ensure location accuracy, keep the distance
between APs to no more than 15 m. The location accuracy is good when the RSSI is higher
than -65 dBm.
When eSight serves as a location server, purchase licenses based on the number of APs used
for the location service.
When adding an AC to eSight, specify the same SNMP version, read community name, and
write community name as those of the AC. In this way, the AC can properly communicate
with eSight.
When APs are not heavily loaded, it is recommended that the AC report terminal information.
To configure APs to directly report terminal information, ensure that the APs have reachable
routes to the location server.
Procedure
Step 1 Install eSight.
# Log in to Huawei enterprise technical support website (http://support.huawei.com/e),
search for eSight Network, and obtain eSight product documentation. Under the guidance of
the documentation, obtain the eSight installation package and install eSight.
Step 2 Configure the AC to communicate with eSight.
# Configure Router. Create VLAN 102, add GE1/0/0 to VLAN 102, and configure VLANIF
102 to communicate with the AC.
<Router> system-view
[Router] vlan 102
[Router-vlan102] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1
# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms
# Set the read community name to public123 and write community name to private123.
[AC] snmp-agent community read public123
[AC] snmp-agent community write private123
NOTE
• If the configuration of an AP is different from that in the AP group, the configuration of the AP
takes precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC] wlan
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit
# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# Click Apply.
2. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.
# Choose Business > WLAN Management > Region Monitor from the main menu.
# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.
# Right-click Add Region in the region topology view.
# Click OK.
3. Add APs in ap_region_1.
# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1
in the view on the right. The location view of ap_region_1 is displayed.
# Right-click ap_region_1 and choose Add AP from the shortcut menu. Select the APs
that need to perform the location and click Confirm.
NOTE
At least three APs must perform the location. Otherwise, Wi-Fi terminals cannot be
accurately located.
4. Set the background and scale for ap_region_1.
# Right-click ap_region_1 and choose Set Background for Subnet from the shortcut
menu.
# Select the background based on actual conditions. Click Apply Background.
NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.
# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points. eSight automatically selects
the background and scale.
# In the ap_region_1 view, properly place each AP on the background.
----End
Configuration Files
• Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
snmp-agent local-engineid 800007DB030200000000E0
snmp-agent community read %^%#sP6,%Hno.$v[Lf#fiyP(eKm4)vNP*Q"mA~'$XjP4r}XXU4f
%'&y>D`/1.5\Clr]I5mUJ46!a7'9p#*o2%^%#
snmp-agent community write %^%#/.U;L9&iwS.dF15y]J"N\XU='K:YkWj/O.)=6W
$3q{M1J4.<X"\h{a:p)c\;TBL\=qn=u+7YR~L/#`V>%^%#
snmp-agent sys-info version v2c
snmp-agent
#
wlan
location-profile name wlan-location
private mu-enable
private server ip-address 10.23.103.1 port 32180 via-ac ac-port 10001
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-net wlan 1
#
return
Service Requirements
The network administrator of a shopping mall needs to leverage Bluetooth location
technology to provide the shopping mall navigation service and push shopping guide
information based on customers' locations. In the Bluetooth terminal location solution, APs
with Bluetooth modules scan surrounding BLE base stations. Together with the location
server, app server, and apps on terminals, the APs provide the shopping mall navigation and
shopping guide information pushing services.
For details about how to configure basic WLAN services, see WLAN Basic Networking
Configuration Examples.
Networking Requirements
eSight is deployed on the network as a location server. A third-party app server is deployed to
provide services for customers. BLE base stations broadcast information about themselves.
The AC needs to report BLE base station data to the location server.
The location server provides information about the map and BLE base stations to the app
server. The location server is configured to communicate with the app server.
Bluetooth terminals need to have apps installed and communicate with the app server.
Therefore, Wi-Fi or mobile data needs to be enabled on the Bluetooth terminals.
[Figure: networking diagram. Labels: eSight location server (10.23.103.1/24), App server (10.23.103.2/24), IP network, Router (GE1/0/0), AC (GE0/0/2), VLANIF 102, STA gateway: VLANIF 101, Switch, AP1, BLE base station, Bluetooth terminal]
Data Planning
Item Data
AC -
Location server -
Configuration Roadmap
1. Install eSight.
2. Install a third-party app server.
3. Install third-party BLE base stations.
4. Configure the AC to communicate with eSight. Plan an IP address for the AC to send
received BLE base station information to the location server.
5. Configure SNMP parameters for the AC to connect to eSight.
6. Configure the Bluetooth terminal location function on the AC.
7. Configure the BLE base station management function on eSight.
Configuration Notes
The Bluetooth terminal location function requires that Bluetooth devices support BLE 4.0 or
later.
When adding an AC to eSight, specify the same SNMP version, read community name, and
write community name as those of the AC. In this way, the AC can properly communicate
with eSight.
APs obtain battery power information about surrounding BLE base stations at the system time
of 02:00. Accurately set the system time of the AC so that services are not affected when the
AC obtains battery power information about BLE base stations.
After the Bluetooth terminal location function is enabled, it is recommended that channels 1,
6, and 11 be planned on the 2.4 GHz band to avoid interference.
Currently, only BLE base stations of Lanke Xuntong are supported.
Procedure
Step 1 Install eSight.
# Log in to Huawei enterprise technical support website (http://support.huawei.com/e),
search for eSight Network, and obtain eSight product documentation. Under the guidance of
the documentation, obtain the eSight installation package and install eSight.
# Configure the AC. Create VLAN 102, add GE0/0/2 to VLAN 102, and configure VLANIF
102 to communicate with Router.
<AC> system-view
[AC] vlan 102
[AC-vlan102] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
# On the AC, create a static route destined for the location server, with the next hop as Router.
[AC] ip route-static 10.23.103.1 32 10.23.102.1
# Ping the location server from the AC. If the ping operation succeeds, the AC can properly
communicate with the location server.
[AC] ping 10.23.103.1
PING 10.23.102.2: 56 data bytes, press CTRL_C to break
Reply from 10.23.103.1: bytes=56 Sequence=1 ttl=255 time=1 ms
# Set the read community name to public123 and write community name to private123.
[AC] snmp-agent community read public123
[AC] snmp-agent community write private123
NOTE
• If the configuration of an AP is different from that in the AP group, the configuration of the AP
takes precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
[AC] wlan
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable ibeacon-mode
[AC-wlan-ble-prof-wlan-ble] quit
# Add BLE base stations within the coverage area of the AP to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002
# Click Apply.
2. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.
# Choose Business > WLAN Management > Region Monitor from the main menu.
# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.
# Right-click Add Region in the region topology view.
# Click OK.
3. Add a Beacon frame in ap_region_1.
# Right-click ap_region_1 and choose Add Beacon from the shortcut menu. Add
Beacon information and click Confirm.
NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.
# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points. eSight automatically selects
the background and scale.
# In the ap_region_1 view, properly place each AP on the background.
# After Bluetooth terminals access the WLAN and have the Bluetooth function enabled, a
third-party app can be installed on the terminals to display the terminal locations and receive
shopping guide information.
----End
Configuration Files
• Router configuration file
#
vlan batch 101 to 102
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
vlan batch 100 to 102
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.103.1 255.255.255.255 10.23.102.1
#
snmp-agent local-engineid 800007DB030200000000E0
snmp-agent community read %^%#sP6,%Hno.$v[Lf#fiyP(eKm4)vNP*Q"mA~'$XjP4r}XXU4f
%'&y>D`/1.5\Clr]I5mUJ46!a7'9p#*o2%^%#
snmp-agent community write %^%#/.U;L9&iwS.dF15y]J"N\XU='K:YkWj/O.)=6W
$3q{M1J4.<X"\h{a:p)c\;TBL\=qn=u+7YR~L/#`V>%^%#
snmp-agent sys-info version v2c
snmp-agent
#
wlan
ble-profile name wlan-ble
sniffer enable ibeacon-mode
ble monitoring-list mac 1234-1234-1000
ble monitoring-list mac 1234-1234-1001
ble monitoring-list mac 1234-1234-1002
ap-group name ap-group1
ble-profile wlan-ble
#
return
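Both eSight examples above configure SNMP with the community names public123 and private123 and `snmp-agent sys-info version v2c`. The audit below is an added example, not Huawei code: it flags those settings in a CLI session or a saved configuration. The sample inputs are constructed from the commands on this page with the ciphertext replaced by a placeholder, and the `acl` keyword it looks for is the optional ACL binding of the VRP `snmp-agent community` command, which this page does not show.

```python
import re
from dataclasses import dataclass

PROMPT_RE = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # "[AC] " or "<AC> " CLI prompt
COMMUNITY_RE = re.compile(r"^snmp-agent community (read|write) (?:cipher )?(\S+)(.*)$")
VERSION_RE = re.compile(r"^snmp-agent sys-info version (.+)$")
CIPHER_MARK = "%^%#"           # saved configurations wrap the encrypted name in this marker
DEFAULT_WORDS = ("public", "private")

# Constructed input: the two commands typed in the procedure on this page.
SESSION = """\
[AC] snmp-agent community read public123
[AC] snmp-agent community write private123
"""

# Constructed input: the saved form, with the page's ciphertext replaced by a placeholder.
SAVED = """\
snmp-agent local-engineid 800007DB030200000000E0
snmp-agent community read %^%#CIPHERTEXT-PLACEHOLDER%^%#
snmp-agent community write %^%#CIPHERTEXT-PLACEHOLDER%^%#
snmp-agent sys-info version v2c
snmp-agent
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def audit_snmp(config_text):
    """Return a Finding for every SNMP line that weakens the management plane."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw).strip()

        version = VERSION_RE.match(line)
        if version:
            weak = sorted({"v1", "v2c"} & set(version.group(1).split()))
            if weak:
                findings.append(Finding(line_no, "community-based-version",
                                        "/".join(weak) + " sends the community string unencrypted"))
            continue

        community = COMMUNITY_RE.match(line)
        if not community:
            continue
        access, name, rest = community.groups()
        if access == "write":
            findings.append(Finding(line_no, "write-community",
                                    "a write community allows configuration changes over SNMP"))
        # A saved configuration only holds ciphertext, so the name can be judged
        # only where it was typed in clear text.
        if not name.startswith(CIPHER_MARK) and any(w in name.lower() for w in DEFAULT_WORDS):
            findings.append(Finding(line_no, "guessable-name",
                                    "community name is built on a well-known default word"))
        if "acl" not in rest.split():
            findings.append(Finding(line_no, "no-acl",
                                    "community is not restricted to the NMS address by an ACL"))
    return findings


def rules(findings):
    """Compact (line number, rule) view of the findings, in input order."""
    return [(f.line_no, f.rule) for f in findings]


if __name__ == "__main__":
    for label, text in (("session", SESSION), ("saved configuration", SAVED)):
        print(label)
        for finding in audit_snmp(text):
            print(f"  line {finding.line_no}: {finding.rule}: {finding.detail}")
```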
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network
access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
• In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
• In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.
Procedure
• Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
----End
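The classifier in step a matches on destination MAC 0100-5e00-0000 with mask ffff-ff00-0000. The following added example (not part of the original guide) evaluates that rule against constructed destination addresses to show what the rate limit does and does not cover: IPv4 multicast is matched, while IPv6 multicast (3333-xxxx-xxxx) and broadcast frames pass without being limited by this policy. The sample MAC addresses and function names are illustrative assumptions.

```python
"""Evaluate the page's traffic-classifier match rule against sample destination MACs."""

RULE_MAC = "0100-5e00-0000"    # from the if-match command on this page
RULE_MASK = "ffff-ff00-0000"   # from the if-match command on this page


def parse_mac(text):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; return a 48-bit int."""
    digits = "".join(ch for ch in text.lower() if ch not in "-:.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def rule_matches(dst_mac, rule_mac=RULE_MAC, rule_mask=RULE_MASK):
    """True when dst_mac equals rule_mac in every bit position set in rule_mask."""
    mask = parse_mac(rule_mask)
    return (parse_mac(dst_mac) & mask) == (parse_mac(rule_mac) & mask)


def address_kind(dst_mac):
    """Classify a destination MAC independently of the rule."""
    value = parse_mac(dst_mac)
    if value == 0xFFFFFFFFFFFF:
        return "broadcast"
    if value >> 24 == 0x01005E and not value & 0x800000:
        return "ipv4-multicast"      # 01-00-5e followed by a zero bit (25-bit prefix)
    if value >> 32 == 0x3333:
        return "ipv6-multicast"
    if (value >> 40) & 0x01:
        return "other-group"         # group bit set, but not one of the ranges above
    return "unicast"


# Constructed sample destinations, not taken from a capture.
SAMPLES = [
    "0100-5e00-00fb",   # IPv4 multicast 224.0.0.251
    "0100-5e7f-fffa",   # IPv4 multicast 239.255.255.250
    "0100-5e90-0001",   # 01-00-5e prefix, outside the IPv4 multicast range
    "3333-0000-00fb",   # IPv6 multicast ff02::fb
    "ffff-ffff-ffff",   # broadcast
    "00e0-fc12-3456",   # unicast
]


def coverage_report(samples=SAMPLES):
    """Map each sample to (kind, matched by the page's rule)."""
    return {mac: (address_kind(mac), rule_matches(mac)) for mac in samples}


def unmatched_group_traffic(samples=SAMPLES):
    """Group-addressed destinations that the rule does not match, so CAR never sees them."""
    return [mac for mac, (kind, hit) in coverage_report(samples).items()
            if kind != "unicast" and not hit]


if __name__ == "__main__":
    for mac, (kind, hit) in coverage_report().items():
        print(f"{mac}  {kind:<15} {'rate-limited' if hit else 'not matched'}")
    print("group traffic outside the rule:", unmatched_group_traffic())
```

If IPv6 multicast or broadcast storms are also a concern on the AP-facing ports, they need their own match rules or suppression settings; the 24-bit mask additionally matches the upper half of the 01-00-5e block, which is not IPv4 multicast.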
Data Planning
Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Enter 5G radio profile wlan-radio5g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth. The configuration is similar to that in
the 2G radio profile and is not mentioned here.
# Enter SSID profile wlan-net and set EDCA parameters on STAs to enable voice and video
services to preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] quit
This example requires that voice and video packets have the highest priority so that these packets are
preferentially transmitted. By default, the uplink and downlink mapping modes on the air interface are
802.11e and DSCP, respectively. The uplink and downlink priority mapping on the air interface can ensure
that voice and video packets have the highest tunnel DSCP priority. Therefore, you do not need to modify
default priority mapping.
To change the default priority mapping, for example, to enable video packets with a higher priority than voice
packets, you can refer to this step.
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5. In
this example, the tunnel DSCP priority of video packets is set to 48 and 56, and that of voice packets is set to
32 and 40. Video packets with a higher priority are preferentially transmitted.
# Create traffic profile wlan-traffic and configure priority mapping in the profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-wlan-traffic] quit
Run the display ssid-profile name wlan-net command on the AC to check the EDCA
settings on STAs in the SSID radio profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels.
[AC-wlan-view] display ssid-profile name wlan-net
-------------------------------------------------------------------
...
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit(32us)
AC_VO 4 2 2 0
AC_VI 5 3 5 0
AC_BE 10 6 12 0
AC_BK 10 8 12 0
-------------------------------------------------------------------
Run the display traffic-profile name wlan-traffic command on the AC to check the priority
mapping configuration in the traffic radio profile. The DSCP priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services will be preferentially transmitted.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
......
----End
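The two display outputs above can also be cross-checked offline. The following added example (not part of the Huawei manual) parses the priority-map lines from this example's AC configuration file and verifies that the upstream and downstream tables are mutual inverses and that AC_VO/AC_VI receive higher DSCP values than AC_BE/AC_BK. The default tables (user priority n to DSCP 8n upstream, DSCP 8n to 8n+7 to user priority n downstream) are an assumption taken from the unmodified rows of the output, and all function names are hypothetical.

```python
import re

# 802.11e/WMM user priority (UP) -> access category, as defined by WMM.
WMM_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
          4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Constructed input: the priority-map lines of this example's AC configuration file.
FULL_CONFIG = """\
traffic-profile name wlan-traffic
 priority-map downstream dscp 48 to 55 dot11e 4
 priority-map downstream dscp 56 to 63 dot11e 5
 priority-map downstream dscp 32 to 39 dot11e 6
 priority-map downstream dscp 40 to 47 dot11e 7
 priority-map tunnel-upstream dot11e 6 dscp 32
 priority-map tunnel-upstream dot11e 7 dscp 40
 priority-map tunnel-upstream dot11e 4 dscp 48
 priority-map tunnel-upstream dot11e 5 dscp 56
"""

# Constructed failure case: only the upstream half of the mapping was applied.
UPSTREAM_ONLY = "\n".join(
    line for line in FULL_CONFIG.splitlines() if "downstream" not in line)

UP_RE = re.compile(r"priority-map tunnel-upstream dot11e (\d) dscp (\d+)")
DOWN_RE = re.compile(r"priority-map downstream dscp (\d+) to (\d+) dot11e (\d)")


def build_maps(config):
    """Apply priority-map lines on top of the assumed default tables."""
    # Assumption: defaults are UP n -> DSCP 8n and DSCP 8n..8n+7 -> UP n.
    upstream = {up: 8 * up for up in range(8)}
    downstream = {dscp: dscp // 8 for dscp in range(64)}
    for raw in config.splitlines():
        line = raw.strip()
        m = UP_RE.fullmatch(line)
        if m:
            up, dscp = int(m[1]), int(m[2])
            if up > 7 or dscp > 63:
                raise ValueError(f"out of range: {line}")
            upstream[up] = dscp
            continue
        m = DOWN_RE.fullmatch(line)
        if m:
            low, high, up = int(m[1]), int(m[2]), int(m[3])
            if up > 7 or high > 63 or low > high:
                raise ValueError(f"out of range: {line}")
            for dscp in range(low, high + 1):
                downstream[dscp] = up
    return upstream, downstream


def round_trip_errors(upstream, downstream):
    """UPs whose upstream DSCP maps back to a different UP on the way down."""
    return [(up, dscp, downstream[dscp])
            for up, dscp in sorted(upstream.items())
            if downstream[dscp] != up]


def dscp_by_category(upstream):
    """Group the upstream DSCP values by WMM access category."""
    grouped = {}
    for up, dscp in upstream.items():
        grouped.setdefault(WMM_AC[up], []).append(dscp)
    return {ac: sorted(values) for ac, values in grouped.items()}


def real_time_outranks_data(upstream):
    """True if every AC_VO/AC_VI DSCP exceeds every AC_BE/AC_BK DSCP."""
    by_ac = dscp_by_category(upstream)
    real_time = by_ac["AC_VO"] + by_ac["AC_VI"]
    data = by_ac["AC_BE"] + by_ac["AC_BK"]
    return min(real_time) > max(data)


if __name__ == "__main__":
    for name, config in (("full", FULL_CONFIG), ("upstream only", UPSTREAM_ONLY)):
        up_map, down_map = build_maps(config)
        print(name, dscp_by_category(up_map),
              "round-trip errors:", round_trip_errors(up_map, down_map))
```

A non-empty error list means a frame marked on the way up would return in a different WMM queue, which is what happens when only one direction of the mapping is configured.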
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
traffic-profile name wlan-traffic
priority-map downstream dscp 48 to 55 dot11e 4
priority-map downstream dscp 56 to 63 dot11e 5
priority-map downstream dscp 32 to 39 dot11e 6
priority-map downstream dscp 40 to 47 dot11e 7
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
ssid-profile name wlan-net
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
vap-profile name wlan-net
ssid-profile wlan-net
traffic-profile wlan-traffic
radio-2g-profile name wlan-radio2g
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
radio-5g-profile name wlan-radio5g
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.
Data Planning
Item Data
Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 2048
rate-limit vap up 30720
vap-profile name wlan-net
traffic-profile wlan-traffic
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Data Planning
Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Create the RRM profile wlan-rrm and enable airtime fair scheduling.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
[AC-wlan-rrm-prof-wlan-rrm] quit
Run the display rrm-profile name wlan-rrm command on the AC to check the configuration
of the RRM profile. The command output shows that airtime fair scheduling has been
enabled. Therefore, users on the network can fairly use network bandwidth.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : enable
----End
Configuration Files
• AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
airtime-fair-schedule enable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
radio 1
radio-5g-profile wlan-radio5g
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Data Planning
Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-wlan-traffic] quit
----End
Configuration Files
• AC configuration file
#
sysname AC
#
acl number 3001
rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
traffic-profile name wlan-traffic
traffic-filter inbound ipv4 acl 3001
vap-profile name wlan-net
traffic-profile wlan-traffic
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
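Rule 5 of ACL 3001 names one source host and one destination host, so it matches in one direction only. As an added example (not from the Huawei manual), the evaluator below parses that rule, applies wildcard-mask matching (a wildcard of 0 is an exact host match, and wildcard bits set to 1 are ignored), and reports which packets the filter drops. Treating unmatched packets as permitted is an assumption about the traffic-filter default, the /24 rule is constructed for comparison, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the ACL from the AC configuration file above.
ACL_CONFIG = """\
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
"""

# Constructed comparison rule (not on the page): isolates the whole /24 in both directions.
WIDE_ACL = """\
acl number 3001
 rule 10 deny ip source 10.23.101.0 0.0.0.255 destination 10.23.101.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) ip"
    r"(?: source (?P<src>any|\S+ \S+))?"
    r"(?: destination (?P<dst>any|\S+ \S+))?$")


def parse_match(field):
    """Return (address, wildcard) as integers for one source/destination clause."""
    if field is None or field == "any":
        return 0, 0xFFFFFFFF          # every bit ignored: matches any address
    address, wildcard = field.split()
    # "0" is the shorthand for wildcard 0.0.0.0 (exact host match).
    wildcard_bits = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(address)), wildcard_bits


def parse_acl(config):
    """Parse 'rule ... ip ...' lines and return them in ascending rule-ID order."""
    rules = []
    for raw in config.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append({"id": int(m["id"]), "action": m["action"],
                          "src": parse_match(m["src"]),
                          "dst": parse_match(m["dst"])})
    return sorted(rules, key=lambda rule: rule["id"])


def address_matches(ip, match):
    """Compare only the bits whose wildcard bit is 0."""
    address, wildcard = match
    diff = int(ipaddress.IPv4Address(ip)) ^ address
    return (diff & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, src_ip, dst_ip, default_action="permit"):
    """Return (action, rule_id) of the first matching rule.

    default_action is an assumption: packets that match no rule are
    treated as permitted by the traffic filter.
    """
    for rule in rules:
        if address_matches(src_ip, rule["src"]) and address_matches(dst_ip, rule["dst"]):
            return rule["action"], rule["id"]
    return default_action, None


if __name__ == "__main__":
    page_rules = parse_acl(ACL_CONFIG)
    for src, dst in (("10.23.101.10", "10.23.101.11"),
                     ("10.23.101.11", "10.23.101.10"),
                     ("10.23.101.10", "10.23.101.12")):
        print(f"{src} -> {dst}: {evaluate(page_rules, src, dst)}")
```

With the page's rule, only packets from 10.23.101.10 to 10.23.101.11 are denied; the reverse direction and every other pair fall through to the default action.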
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.
Figure 4-76 Networking for configuring optimization for voice and video services
Data Planning
Item Data
Configuration Roadmap
1. Enable the SAC function.
2. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.
Configuration Notes
• The configuration of optimization for voice and video services supports only tunnel
forwarding.
• The multimedia air interface optimization and dynamic EDCA parameter adjustment
functions are mutually exclusive.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
NOTE
After the security engine is enabled, the system automatically loads the default signature database.
# Create an SAC profile and bind it to the VAP profile mapping the AP group ap-group1.
[AC] wlan
[AC-wlan-view] sac-profile name wlan-sac
[AC-wlan-sac-prof-wlan-sac] quit
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sac-profile wlan-sac
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] quit
By default, the voice and video traffic awareness and optimization function is enabled.
[AC] undo voice-aware app-protocol qq disable
[AC] undo voice-aware app-protocol weixin disable
[AC] undo video-aware app-protocol qq disable
[AC] undo video-aware app-protocol weixin disable
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to it.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to it.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# If a user makes video calls after optimization is configured for video services and the
configuration is successfully delivered, you can run the display video-aware-list command to
check video session information.
[AC] display video-aware-list ap-name area_1 radio 0
-----------------------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-----------------------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-----------------------------------------------------------------------------------------------
Total: 2
# If a user makes voice calls after optimization is configured for voice services and the
configuration is successfully delivered, you can run the display voice-aware-list command to
check voice session information.
[AC] display voice-aware-list ap-name area_1 radio 0
-------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-------------------------------------------------------------------------------
Total : 2
# Run the display rrm-profile name wlan-rrm command to check parameters related to
multimedia air interface optimization.
[AC] display rrm-profile name wlan-rrm
--------------------------------------------------------------------
......
Multimedia air optimize : enable
Multimedia air optimize threshold
Voice : 30
Video : 100
--------------------------------------------------------------------
----End
Configuration Files
• AC configuration file
#
defence engine enable
sysname AC
#
wlan
sac-profile name wlan-sac
vap-profile name wlan-net
sac-profile wlan-sac
rrm-profile name wlan-rrm
multimedia-air-optimize enable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
Data Planning
Skype4B server port number 9000
Configuration Roadmap
1. Configure priorities for Skype4B packets to set higher priorities for voice and video
packets than those of desktop sharing and file transfer packets.
2. Configure the AC to interact with the Skype4B server.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
• If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
• A new profile takes effect only after being bound to an AP or an AP group.
# Create UCC profile wlan-ucc and configure priorities for Skype4B packets.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] ucc-profile name wlan-ucc
[AC-wlan-ucc-prof-wlan-ucc] skype4b-voice remark dot1p 6
[AC-wlan-ucc-prof-wlan-ucc] skype4b-video remark dot1p 5
[AC-wlan-ucc-prof-wlan-ucc] skype4b-app-share remark dot1p 4
[AC-wlan-ucc-prof-wlan-ucc] skype4b-file-transfer remark dot1p 3
[AC-wlan-ucc-prof-wlan-ucc] quit
NOTE
• The port number of the HTTP service specified on the AC must be consistent with the port number on the
Skype4B server.
• You need to specify the IP address of the AC for the Skype4B server and the port number of the Skype4B
server.
Run the display ucc-profile name wlan-ucc command on the AC to check the priority
mapping configuration for Skype4B packets. The command output shows that the priorities of
Skype4B voice and video packets are higher than those of Skype4B desktop sharing and file
transfer packets. Therefore, Skype4B voice and video packets will be preferentially
transmitted.
[AC-wlan-view] display ucc-profile name wlan-ucc
--------------------------------------------------------------------------------
Skype4B voice 802.1p precedence : 6
Skype4B voice DSCP precedence : 46
Skype4B video 802.1p precedence : 5
Skype4B video DSCP precedence : 34
Skype4B app share 802.1p precedence : 4
Skype4B app share DSCP precedence : -
Skype4B file transfer 802.1p precedence : 3
Skype4B file transfer DSCP precedence : -
--------------------------------------------------------------------------------
----End
Configuration Files
• AC configuration file
#
sysname AC
#
skype4b listener http-port 9000
#
wlan
ucc-profile name wlan-ucc
skype4b-video remark dot1p 5
skype4b-app-share remark dot1p 4
skype4b-file-transfer remark dot1p 3
vap-profile name wlan-net
ucc-profile wlan-ucc
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use smart terminals
such as PCs, tablets, and mobile phones to participate in teaching and learning activities
online.
To ensure successful teaching activities, AP4030TNs are used to deploy basic WLAN
services to support access of many students and provide sufficient bandwidth.
The AP4030TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch between
2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default, radio 0 works on
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4030TN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to all radios of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
# Enable the broadcast flood detection function and configure the rate threshold for
broadcast flood detection. By default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit
# Set the maximum number of STAs that can be associated with a VAP to 128 and set
EDCA parameters for AC_BE packets on STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit
# Create traffic profile wlan-traffic and set the uplink and downlink rate limits for a STA
to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
– Enable the short preamble function. By default, the short preamble function is
enabled in radio profiles.
– Set the GI mode to short.
– Set the 802.11bg basic rates to 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 2 1 60DE-4476-E380 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 3
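The Status check described above can be automated and extended to compare the Auth type column against the intended security policy. The following Python script is an added example, not part of the original document; the rows for AP 1 (area_2), their BSSIDs, and the auth-type string Open are constructed assumptions used only to exercise the failure cases.

```python
import re

# Output of "display vap ssid wlan-net" as shown on this page, followed by two
# CONSTRUCTED rows for a hypothetical AP 1 (one VAP OFF, one with another auth type).
SAMPLE = """\
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 2 1 60DE-4476-E380 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4476-E400 OFF WPA/WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4476-E410 ON Open 0 wlan-net
--------------------------------------------------------------------------------
Total: 5
"""

# A data row is anchored on the BSSID (xxxx-xxxx-xxxx) so that the header,
# separator and "Total" lines never match. Assumption: Status and Auth type
# contain no spaces, as in the output shown on this page.
ROW = re.compile(
    r"^(?P<ap_id>\d+)\s+(?P<ap_name>.+?)\s+(?P<radio>\d+)\s+(?P<wid>\d+)\s+"
    r"(?P<bssid>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+(?P<status>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<sta>\d+)\s+(?P<ssid>.+)$"
)


def parse_vaps(output):
    """Return one dict per VAP row found in the command output."""
    rows = []
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def check_vaps(output, ssid, expected_auth, expected_radios):
    """Return a list of ((ap_id, radio), problem) findings for one SSID.

    A finding is raised when a VAP is not ON, when its auth type differs from
    the intended policy, or when an expected (ap_id, radio) pair has no VAP.
    """
    findings, seen = [], set()
    for row in parse_vaps(output):
        if row["ssid"] != ssid:
            continue
        key = (int(row["ap_id"]), int(row["radio"]))
        seen.add(key)
        if row["status"] != "ON":
            findings.append((key, "status " + row["status"]))
        if row["auth"] != expected_auth:
            findings.append((key, "auth " + row["auth"]))
    for key in sorted(set(expected_radios) - seen):
        findings.append((key, "missing"))
    return findings


if __name__ == "__main__":
    radios = [(ap, rf) for ap in (0, 1) for rf in (0, 1, 2)]
    for key, problem in check_vaps(SAMPLE, "wlan-net", "WPA/WPA2-PSK", radios):
        print("AP %d radio %d: %s" % (key[0], key[1], problem))
```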
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
airtime-fair-schedule enable
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
radio 2
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 2
channel 20mhz 157
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot 2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_B) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1X authentication based on the operator's AAA server information.
5. Configure Hotspot 2.0 services based on the operator's network information.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
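The port-isolation and management/service VLAN notes above can be checked against saved configuration files. The following Python script is an added example, not Huawei tooling or code from this document. It assumes that AP-facing ports are those whose PVID (or default VLAN) is the management VLAN and that a VAP profile without a forward-mode line uses direct forwarding; both sample configurations are constructed in the style of this page (GigabitEthernet0/0/3 and the VAP profile guest are hypothetical).

```python
import re

# CONSTRUCTED sample: SwitchA as on this page, plus a hypothetical second
# AP-facing port (GigabitEthernet0/0/3) that lacks port isolation.
SWITCH_CFG = """\
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
"""

# CONSTRUCTED sample: AC with the page's VAP profile and a hypothetical
# tunnel-forwarding profile "guest" that reuses management VLAN 100.
AC_CFG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name guest
forward-mode tunnel
service-vlan vlan-id 100
ssid-profile guest
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
#
return
"""

# Lines that open a new block inside the wlan view and so end a VAP profile.
BLOCK_START = re.compile(r"^(\S+-profile name \S+|ap-group name \S+|ap-id \d+.*)$")


def interfaces(cfg):
    """Map interface name -> its config lines; indentation is not required."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("#", "return"):
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def unisolated_ap_ports(cfg, mgmt_vlan):
    """Ports whose PVID/default VLAN is the management VLAN (assumed to be
    AP-facing) and that have no 'port-isolate enable' line."""
    markers = ("port trunk pvid vlan %d" % mgmt_vlan,
               "port default vlan %d" % mgmt_vlan)
    return sorted(
        name for name, lines in interfaces(cfg).items()
        if any(m in lines for m in markers)
        and not any(l.startswith("port-isolate enable") for l in lines))


def management_vlan(ac_cfg):
    """Management VLAN taken from the CAPWAP source VLANIF, or None."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Map VAP profile name -> forward mode and service VLAN."""
    profiles, current = {}, None
    for raw in ac_cfg.splitlines():
        line = raw.strip()
        if line.startswith("vap-profile name "):
            # Assumption: no forward-mode line means direct forwarding.
            current = {"forward-mode": "direct-forward", "service-vlan": None}
            profiles[line.split()[2]] = current
        elif line == "#" or BLOCK_START.match(line):
            current = None
        elif current is not None:
            if line.startswith("forward-mode "):
                current["forward-mode"] = line.split()[1]
            elif (m := re.match(r"service-vlan vlan-id (\d+)", line)):
                current["service-vlan"] = int(m.group(1))
    return profiles


def tunnel_vlan_conflicts(ac_cfg):
    """Tunnel-mode VAP profiles whose service VLAN equals the management VLAN."""
    mgmt = management_vlan(ac_cfg)
    return sorted(name for name, p in vap_profiles(ac_cfg).items()
                  if mgmt is not None and p["forward-mode"] == "tunnel"
                  and p["service-vlan"] == mgmt)


if __name__ == "__main__":
    print("AP-facing ports without isolation:", unisolated_ap_ports(SWITCH_CFG, 100))
    print("Tunnel profiles on management VLAN:", tunnel_vlan_conflicts(AC_CFG))
```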
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit
# Configure an 802.1X access profile and configure EAP relay authentication for 802.1X
users.
[AC] dot1x-access-profile name wlan-net
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit
# Configure an authentication profile and bind the AAA authentication scheme, RADIUS
server template, and 802.1X access profile to the authentication profile.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-authen
[AC-authentication-profile-wlan-net] radius-server wlan-radius
[AC-authentication-profile-wlan-net] quit
Step 9 Apply the authentication profile and Hotspot 2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
operator-domain-profile wlan-net
venue-name-profile wlan-net
nai-realm-profile wlan-net
operating-class-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-80 Networking for configuring service holding upon WLAN CAPWAP link
disconnection
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit
# Add GE0/0/1 that connects the AC to the switch to VLAN 100. Create VLANIF 100 and set
its IP address to 10.1.1.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-Vlanif100] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.1.2.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the AP system profile ap-system and configure the service holding function.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] keep-service enable allow new-access
[AC-wlan-ap-system-prof-ap-system] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs
can connect to the WLAN without authentication. If the AC is powered off, service data
forwarding for wireless users in area A is not affected.
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 4-81 Networking for configuring channel switching without service interruption
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.101.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 24
[AC-Vlanif100] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500, respectively.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name AP1 area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP         Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.1.1.253 AP5030DN nor   0   10S    -
1    dcd2-fc04-b500 area_2 ap-group1 10.1.1.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] undo channel-switch announcement disable
[AC-wlan-radio-2g-prof-wlan-radio2g] channel-switch mode continue-transmitting
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] undo channel-switch announcement disable
[AC-wlan-radio-5g-prof-wlan-radio5g] channel-switch mode continue-transmitting
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the 2G radio profile, 5G radio profile, and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
The WLAN with SSID huawei is available for STAs connected to AP1 and AP2, and these
STAs can connect to the WLAN. When radio calibration for AP1 or AP2 is implemented to
change the channel of AP1 or AP2, service data forwarding for wireless users in Area A is not
affected. Run the display radio all command to view the working channels of all APs.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
WM:Working Mode (normal/monitor/monitor dual-band-scan)
------------------------------------------------------------------------------------
AP ID Name   RfID Band Type   ST CH/BW   CE/ME STA CU  WM
------------------------------------------------------------------------------------
0     area_1 0    2.4G bgn    on 11/20M  23/23 0   8%  normal
0     area_1 1    5G   an11ac on 149/20M 23/23 0   7%  normal
1     area_2 0    2.4G an11ac on 1/20M   23/23 0   30% normal
1     area_2 1    5G   an     on 149/20M 23/23 0   21% normal
------------------------------------------------------------------------------------
Total:4
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
radio-2g-profile name wlan-radio2g
radio-5g-profile name wlan-radio5g
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.
Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
d. Configure static IP addresses for the APs and enable the APs to go online.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.100 AP5030DN nor   0   10S
------------------------------------------------------------------------------------
Total: 1
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A wired network has been deployed in an area. To provide more convenient network
access services, administrators need to deploy a wireless network in this area. To facilitate the
unified management of wired and wireless users, administrators also need to use the existing
wired access gateway ME60 for authentication and accounting of wireless users.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The ME60 functions as a DHCP server to assign IP addresses to STAs.
  – Switch functions as a DHCP server to assign IP addresses to APs.
• Service data forwarding mode: soft GRE forwarding
Data Planning
Item                         Data
IP address pool for APs      10.23.100.3-10.23.100.254/24
AC data planning
Item                         Data
IP address pool for STAs     10.23.101.2-10.23.101.254/24
VE interface for soft GRE    Virtual-Ethernet2/0/0
Configuration Roadmap
1. Configure network interworking of the APs, AC, Switch, and ME60.
2. Configure Switch and ME60 to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
3. Configure the ME60, soft GRE tunnel, and authentication and accounting functions.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
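The port-isolation and VLAN-separation notes above, and the security profiles these examples create, can be checked mechanically against saved configuration files. The Python script below is an added example, not part of the Huawei document: the sample configurations are constructed, the finding names are made up for illustration, and treating a trunk port whose PVID equals the management VLAN as AP-facing is an assumption taken from this guide's own port layout.

```python
import re

# Constructed samples modelled on this guide's Switch and AC configuration files
# (indentation already lost, as in the text above). GE0/0/2 omits port isolation
# and vap-profile wlan-net reuses VLAN 100 so that each check has a finding.
SWITCH_CFG = """#
interface GigabitEthernet0/0/1
port trunk pvid vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port trunk pvid vlan 100
#
interface GigabitEthernet0/0/3
port trunk allow-pass vlan 100
#
return
"""
AC_CFG = """#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security-profile name wlan-psk
security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED%^%# aes
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 100
security-profile wlan-net
vap-profile name wlan-direct
service-vlan vlan-id 101
security-profile wlan-psk
#
return
"""

def stanzas(cfg):
    """Split a configuration file into stanzas delimited by '#' lines."""
    out, cur = [], []
    for line in (l.strip() for l in cfg.splitlines()):
        if line in ("#", "return"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + ([cur] if cur else [])

def management_vlan(ac_cfg):
    """VLAN of the CAPWAP source interface, i.e. the AP management VLAN."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", ac_cfg, re.M | re.I)
    return int(m.group(1)) if m else None

def unisolated_ap_ports(switch_cfg, mgmt_vlan):
    """AP-facing ports (PVID = management VLAN, an assumption) lacking port isolation."""
    hits = []
    for head, *body in stanzas(switch_cfg):
        if not head.startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(l.startswith("port-isolate enable") for l in body)
        if ap_facing and not isolated:
            hits.append(head.split()[1])
    return hits

def wlan_profiles(ac_cfg):
    """Map (kind, name) -> lines for each object in the wlan stanza; needs no indentation."""
    profiles, cur = {}, None
    for head, *body in stanzas(ac_cfg):
        if head != "wlan":
            continue
        for line in body:
            m = (re.match(r"(\S+-profile|ap-group) name (\S+)$", line)
                 or re.match(r"(ap-id) (\d+)\b", line))
            if m:
                cur = profiles.setdefault((m.group(1), m.group(2)), [])
            elif cur is not None:
                cur.append(line)
    return profiles

def audit_ac(ac_cfg):
    """Return (object, finding) pairs for the VLAN-separation and security-profile checks."""
    mgmt, findings = management_vlan(ac_cfg), []
    for (kind, name), lines in wlan_profiles(ac_cfg).items():
        if kind == "vap-profile" and "forward-mode tunnel" in lines:
            svc = [int(l.split()[-1]) for l in lines if l.startswith("service-vlan vlan-id ")]
            if mgmt in svc:
                findings.append((f"vap-profile {name}", "tunnel-service-vlan-equals-management-vlan"))
        elif kind == "security-profile":
            policy = [l for l in lines if l.startswith("security ")]
            if not policy:  # profile relies on the device default; flag it for review
                findings.append((f"security-profile {name}", "no-explicit-security-policy"))
            elif any(l.split()[1] == "wpa-wpa2" for l in policy):
                findings.append((f"security-profile {name}", "mixed-wpa-wpa2-mode"))
    return findings

if __name__ == "__main__":
    print(unisolated_ap_ports(SWITCH_CFG, management_vlan(AC_CFG)))
    print(audit_ac(AC_CFG))
```

Because the parser keys on command keywords rather than indentation, it also accepts configuration text whose leading spaces were lost in copying.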
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and VLAN
199, respectively. Create VLANIF 199 and set its IP address to 10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit
# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a route to
10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch as a DHCP server to assign IP addresses to APs, and configure a route to
10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit
# Configure an IP address for the loopback interface and bind the soft GRE group to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
# Create security profile wlan-net and use the default security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create soft GRE profile wlan-soft and set the soft GRE profile parameters.
[AC-wlan-view] softgre-profile name wlan-soft
[AC-wlan-softgre-prof-wlan-soft] destination ip-address 10.23.200.1
[AC-wlan-softgre-prof-wlan-soft] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode softgre wlan-soft
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net. Run the display station ssid wlan-net
command on the AC. The command output shows that the STAs are connected to the WLAN
wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101 199
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.1
#
interface Vlanif199
ip address 10.23.199.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 199
port trunk allow-pass vlan 199
#
ip route-static 10.23.200.0 0.0.0.0 10.23.199.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
softgre-profile name wlan-soft
destination ip-address 10.23.200.1
vap-profile name wlan-net
forward-mode softgre wlan-soft
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
• ME60 configuration file
#
sysname ME60
#
vlan batch 101
#
radius-server group radius1
radius-server authentication 172.168.20.1 1812 weight 0
radius-server accounting 172.168.20.1 1813 weight 0
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs and STAs.
Data Planning
Item                         Data
IP address pool for APs      10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure bandwidth-based multicast CAC to control the access of multicast users.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route with the next hop of the address of Router.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Create AP system profile wlan-system. Configure the multicast group address to range
from 225.1.1.1 to 225.1.1.5, and set the multicast group bandwidth to 2048 kbit/s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-wlan-system] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
difference between the CurBw and MaxBw values is smaller than the configured bandwidth
of a multicast group, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Figure 4-85 Networking for configuring CAC based on the number of multicast group
memberships
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to control the
access of multicast users.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
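Two of the notes above can be checked mechanically against saved configuration files: port isolation on AP-facing interfaces, and distinct management and service VLANs in tunnel forwarding mode. The following Python script is an added example, not part of the Huawei documentation; the function names and both sample configurations are constructed, and it assumes that an AP-facing port is one whose `port trunk pvid vlan` is the management VLAN and that the management VLAN is the one named in `capwap source interface vlanifN`.

```python
import re

# Lines that open a sub-block inside the "wlan" section of an AC configuration.
WLAN_BLOCK = re.compile(r"^(?:(\S+-profile|ap-group) name (\S+)|ap-id \d+.*)$")

# Constructed samples in the layout of the "Configuration Files" listings.
SWITCH_SAMPLE = """#
sysname Switch
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

AC_SAMPLE = """#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-net
 vap-profile name wlan-guest
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-direct
  service-vlan vlan-id 100
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""


def split_sections(config_text):
    """Split a saved configuration into top-level sections delimited by '#' lines."""
    sections, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def unisolated_ap_ports(switch_config, mgmt_vlan):
    """Interfaces whose PVID is the management VLAN but that lack port isolation."""
    findings = []
    for section in split_sections(switch_config):
        if not section[0].startswith("interface "):
            continue
        body = section[1:]
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(line.startswith("port-isolate enable") for line in body)
        if ap_facing and not isolated:
            findings.append(section[0].split(None, 1)[1])
    return findings


def tunnel_vlan_conflicts(ac_config):
    """(vap_profile, vlan) pairs where a tunnel-mode service VLAN is the management VLAN."""
    mgmt_vlan, wlan_lines = None, []
    for section in split_sections(ac_config):
        for line in section:
            m = re.match(r"capwap source interface vlanif(\d+)$", line, re.IGNORECASE)
            if m:
                mgmt_vlan = int(m.group(1))
        if section[0] == "wlan":
            wlan_lines = section[1:]
    profiles, name = {}, None
    for line in wlan_lines:
        m = WLAN_BLOCK.match(line)
        if m:  # a new sub-block starts; track it only if it is a VAP profile
            name = m.group(2) if m.group(1) == "vap-profile" else None
            if name:
                profiles[name] = {"tunnel": False, "vlan": None}
        elif name:
            if line == "forward-mode tunnel":
                profiles[name]["tunnel"] = True
            sv = re.match(r"service-vlan vlan-id (\d+)$", line)
            if sv:
                profiles[name]["vlan"] = int(sv.group(1))
    return [(n, p["vlan"]) for n, p in profiles.items()
            if p["tunnel"] and p["vlan"] is not None and p["vlan"] == mgmt_vlan]


if __name__ == "__main__":
    print("AP-facing ports without port isolation:", unisolated_ap_ports(SWITCH_SAMPLE, 100))
    print("Tunnel-mode VAPs on the management VLAN:", tunnel_vlan_conflicts(AC_SAMPLE))
```

A VAP profile without an explicit `forward-mode tunnel` line is not reported, because the check targets the tunnel-mode restriction only.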
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively, and configure a default route whose next hop is the address of Router.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC-Vlanif101] quit
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
----------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
----------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0
10S -
----------------------------------------------------------------------------------
----------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Set the maximum number of multicast group memberships for a VAP to 20.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-user 20
[AC-wlan-traffic-prof-wlan-traffic] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
CurUser value is equal to the MaxUser value, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/0 0% 0/20 0%
1 1 0/0 0% 0/20 0%
--------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
Figure 4-86 Layer 2 communication between the wireless gateway and AC implemented
through EoGRE
Data Planning
Configuration Roadmap
To meet the preceding requirements, deploy the EoGRE function on AC_1 and AC_2 so that
Ethernet packets can be forwarded by VE interfaces through a GRE tunnel, achieving Layer 2
communication between AC_1 and AC_2.
1. Run the Interior Gateway Protocol (IGP) between all devices for communication on the
public network.
2. Create tunnel interfaces on AC_1 and AC_2, and deploy a GRE tunnel. The source
address of a tunnel interface is the IP address of the physical interface sending packets,
and the destination address is the IP address of the physical interface receiving packets.
3. Create VE interfaces on AC_1 and AC_2, and add them to the corresponding VLAN.
4. Bind the VE interfaces on AC_1 and AC_2 to the GRE tunnel so that Ethernet packets
can be forwarded over the GRE tunnel.
5. Configure WLAN services on AC_1. In this example, the WLAN security policy is
WPA-WPA2+PSK+AES. Configure the security policy based on site requirements.
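What steps 2 to 4 of the roadmap put on the wire between 20.1.1.1 and 30.1.1.1 can be reproduced offline, which helps when reading a capture of the tunnel. The following Python script is an added example, not Huawei code; it assumes the standard GRE protocol type 0x6558 (Transparent Ethernet Bridging), a base GRE header on the sending side, and an 802.1Q tag for VLAN 101 on the inner frame, and the sample frame and function names are constructed.

```python
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558   # assumption: standard Transparent Ethernet Bridging type
TPID_8021Q = 0x8100      # matches "TPID : 8100(Hex)" in the VE interface output


def ipv4_checksum(header):
    """Ones-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_frame(src_mac, dst_mac, vlan=None, payload=b"\x00" * 46):
    """Build an Ethernet II frame carrying IPv4, optionally 802.1Q-tagged."""
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", 0x0800) + payload


def build_eogre(src_ip, dst_ip, frame):
    """Wrap an Ethernet frame in a base GRE header and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)  # no optional fields, version 0
    fields = [0x45, 0, 20 + len(gre) + len(frame), 0, 0, 64, IPPROTO_GRE, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + gre + frame


def parse_eogre(packet, allowed_vlans, pvid=1):
    """Decapsulate one EoGRE packet and apply the VE trunk's VLAN filter.

    allowed_vlans mirrors "port trunk allow-pass vlan" on the VE interface;
    an untagged inner frame is classified into the PVID (1 in the example).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if len(packet) < ihl + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x4007:
        raise ValueError("unsupported GRE routing flag or version")
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    # Optional checksum (C), key (K) and sequence (S) fields are 4 bytes each.
    offset = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    frame = packet[offset:]
    if len(frame) < 14:
        raise ValueError("truncated inner frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = pvid
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    mac = frame[6:12].hex()
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "src_mac": "-".join(mac[i:i + 4] for i in (0, 4, 8)),
        "vlan": vlan,
        "inner_ethertype": ethertype,
        "permitted": vlan in allowed_vlans,
        "encap_overhead": offset,  # outer IPv4 + GRE bytes added per frame
    }


# Constructed sample: a broadcast frame from the STA in the example, VLAN 101.
STA_MAC = bytes.fromhex("e0191dc71e08")
BROADCAST = b"\xff" * 6
SAMPLE_PACKET = build_eogre("20.1.1.1", "30.1.1.1",
                            make_frame(STA_MAC, BROADCAST, vlan=101))

if __name__ == "__main__":
    print(parse_eogre(SAMPLE_PACKET, allowed_vlans={101}))
```

The inner frame, including the STA MAC address and VLAN tag, is readable in the outer packet as built here, because the base GRE header carries no encryption or authentication fields.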
Procedure
Step 1 Configure an IP address for each physical interface.
# Configure AC_1.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 10 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 10
[AC_1-Vlanif10] ip address 20.1.1.1 24
[AC_1-Vlanif10] quit
# Configure AC_2.
<Huawei> system-view
[Huawei] sysname AC_2
[AC_2] vlan batch 10 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type access
[AC_2-GigabitEthernet0/0/2] port default vlan 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 10
[AC_2-Vlanif10] ip address 30.1.1.1 24
[AC_2-Vlanif10] quit
# This example assumes that IGP runs between all devices for communication on the public
network and that the source and destination interface addresses of the GRE tunnel on AC_1 are
20.1.1.1 and 30.1.1.1, respectively.
# Configure AC_1.
[AC_1] interface tunnel 0/0/1
[AC_1-Tunnel0/0/1] tunnel-protocol gre
[AC_1-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[AC_1-Tunnel0/0/1] source 20.1.1.1
[AC_1-Tunnel0/0/1] destination 30.1.1.1
[AC_1-Tunnel0/0/1] quit
# Configure AC_2.
[AC_2] interface tunnel 0/0/1
[AC_2-Tunnel0/0/1] tunnel-protocol gre
[AC_2-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[AC_2-Tunnel0/0/1] source 30.1.1.1
[AC_2-Tunnel0/0/1] destination 20.1.1.1
[AC_2-Tunnel0/0/1] quit
Step 3 Create VE interfaces and add them to the corresponding VLAN. Ensure that the VE interfaces
and the inbound interface of user packets are added to the same VLAN.
# Configure AC_1.
[AC_1] interface virtual-ethernet 0/0/1
[AC_1-Virtual-Ethernet0/0/1] port link-type trunk
[AC_1-Virtual-Ethernet0/0/1] undo port trunk allow-pass vlan 1
[AC_1-Virtual-Ethernet0/0/1] port trunk allow-pass vlan 101
[AC_1-Virtual-Ethernet0/0/1] quit
# Configure AC_2.
[AC_2] interface virtual-ethernet 0/0/1
[AC_2-Virtual-Ethernet0/0/1] port link-type trunk
Step 4 Bind the VE interfaces to the GRE tunnel so that Ethernet packets can be forwarded over the
GRE tunnel.
# Configure AC_1.
[AC_1] interface tunnel 0/0/1
[AC_1-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
[AC_1-Tunnel0/0/1] quit
# Configure AC_2.
[AC_2] interface tunnel 0/0/1
[AC_2-Tunnel0/0/1] map interface virtual-ethernet 0/0/1
[AC_2-Tunnel0/0/1] quit
# Check the states of VE interfaces on AC_1 and AC_2.
[AC_1] display interface virtual-ethernet
Virtual-Ethernet0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AC_1 Series, Virtual-Ethernet0/0/1 Interface
Switch Port, PVID : 1, TPID : 8100(Hex), The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0200-0000-00e0
Current system time: 2018-01-23 20:16:05
Step 5 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 to assign IP addresses to APs.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 24
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
# On AC_2, configure VLANIF 101 to assign IP addresses to STAs.
[AC_2] dhcp enable
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.1 24
[AC_2-Vlanif101] dhcp select interface
[AC_2-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_2-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
----------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
----------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0
10S -
----------------------------------------------------------------------------------
----------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 10 100 to 101
#
dhcp enable
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface Virtual-Ethernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.1
map interface Virtual-Ethernet0/0/1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#t2*V0VTj#9iEQkEnC)59YCFlO
\*RyW5];yUs&K4W%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 21500826412SG4900740
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 10 101
#
dhcp enable
#
interface Vlanif10
ip address 30.1.1.1 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 101
#
interface Virtual-Ethernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
destination 20.1.1.1
map interface Virtual-Ethernet0/0/1
#
return
Service Requirements
In practice, both wired and wireless users need to access one network. For example, the PCs
and printers of a company connect to the network in wired mode, and laptops and mobile
phones connect wirelessly. After unified access for wired and wireless users is configured on
a network, users of both types can access the network and be managed in a unified manner.
A hospital needs to deploy both a wired and a wireless network. To simplify management and
maintenance, the administrator requires that wired and wireless users be centrally managed on
the AC, non-authentication and Portal authentication be configured for the wired and wireless
users respectively, and wireless users roam under the same AC.
Networking Requirements
As shown in Figure 4-87, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second
floors, respectively. An AP2030DN is deployed in each room to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected
APs.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
[Figure 4-87: networking diagram; labels include Internet and Router]
Data Planning
AP103    -    -    AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide wireless access.
AP203    -    -    AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide wireless access.
• Name: ap-group2
• Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1
VLANIF 102: 10.23.102.1/24    10.23.102.2-10.23.102.254/24    -
VLANIF 202: 10.23.202.1/24    10.23.202.2-10.23.202.254/24    -
Configuration Roadmap
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network
devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN
201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN
100 and VLAN 202 (VLAN for wireless service packets). Set PVIDs for interfaces directly
connected to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic. The S5700-1 is used as an example here. The configuration on
the S5700-2 is similar. For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to
the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to
VLAN 200.
[AC6605] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
  command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
  address pool view.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit
Step 3 Configure a RADIUS server template, configure authentication, accounting, and authorization
in the template, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure an IP address for the RADIUS authorization server, set the shared key to Admin@123, same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Power on the APs and run the display ap all command to check the AP state. If the State
field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
-------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------------------
101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor   0   10S
102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor   0   15S
103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor   0   23S
201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP2030DN nor   0   45S
202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP2030DN nor   0   49S
203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP5030DN nor   0   55S
-------------------------------------------------------------------------------------------------
Total: 6
# Configure an AP2030DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2030DN is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2030DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit
# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the password, the
STAs can access the wireless network. Run the display station all command on the AC. The
command output shows that the STAs are connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf 0     ap-101  0/1     2.4G 11n  3/8   -70  10   10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network properly.
----End
Configuration Files
• S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 1
radio 2
vap-profile wlan-vap1 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 1
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
radio 2
vap-profile wlan-vap2 wlan 1
undo calibrate auto-channel-select disable
undo calibrate auto-txpower-select disable
ap-id 101 type-id 46 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 46 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 35 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 46 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 46 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 35 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return
Application Scenario
This solution uses the core switch as the gateway and authentication point and applies to
education campus networks with fewer than 10,000 access users, meeting customers'
requirements for unified management and configuration of access switches.
Service Requirements
Campus network construction must take into account the number of users at colleges and
universities. Users access the network only after being authenticated. To ensure network
security, users of different roles must be assigned different network access rights.
• Access
  Provide both wired and wireless access.
• Security
  Assign different network access rights to students, teachers, and other roles.
• Authentication and Accounting
  Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
  authentication for wireless users. There are accounting requirements.
• O&M
  Provide unified management of wired and wireless networks.
Networking Diagram
The core switch S12700 is configured as the authentication point and gateway for users on the
entire school campus backbone network. The S12700 has the X1E card installed, supports
native AC, and carries wireless services on the entire network.
Network Design
• Configure egress FWs to carry outgoing services, isolate the external network from the
  internal network, and implement service routing and NAT between the internal and
  external networks.
• Enable the intelligent path selection function on the FWs to allow the FWs to select
  egress interfaces according to the egress link bandwidth, thereby maximizing link
  resource usage and improving user experience.
• To enable internal network users to access external networks, configure NAT on the
  uplink interfaces of the egress FWs to convert between private network IP addresses and
  public network IP addresses.
• Enable the smart domain name system (DNS) function on the FWs to ensure that user
  access requests of different carriers are properly parsed.
• Two S12700 switches constitute a Cluster Switch System (CSS) that is used as the core
  of a campus network, providing high network reliability and scalability. Multi-active
  detection (MAD) is configured for the CSS.
• The S7700 is used as the aggregation switch in each office building and connects to
  access switches of each floor. The S5700 is used as the access switch.
• Inter-chassis and inter-card Eth-Trunk interfaces are used between aggregation switches
  and core switches, and between core switches and the FW. This ensures proper service
  running if a card or a link is faulty.
• The core switch S12700 is configured with native AC to manage APs on the entire
  network and transmits wireless services to implement wired and wireless convergence.
• The S12700 is used as the gateway for both wired and wireless users on the entire
  network, and forwards packets of users based on routes. The S12700 also functions as
  the authentication point to authenticate wired and wireless users.
• Port isolation is configured on the switch ports directly connected to APs to prevent
  Layer 2 communication between STAs associated with different APs.
• Configure the core switches as the STP root bridges. Configure root protection on
  downlink ports to retain the role of the root bridges. This prevents abnormal topology
  convergence caused by lower-layer devices being elected as the root bridges.
• It is recommended that the ports connected to terminals or APs be configured as edge
  ports.
• In actual deployment, VLAN 1 is not recommended as the service VLAN. You need to
  delete all ports from VLAN 1. Do not configure ports to transparently transmit packets
  of all VLANs; allow transparent transmission only for the VLANs that actual services
  require.
• The unused ports should be shut down.
• Strict STA IP address learning through DHCP, dynamic ARP inspection, and IPSG are
  enabled to prevent IP packets of unauthorized users from reaching the external
  network through APs, improving device security.
• To enable DHCP clients to obtain IP addresses through valid DHCP servers, and prevent
  bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP packet attacks,
  you are advised to configure DHCP snooping. If both wired and wireless users exist on
  the network, you are not advised to enable DHCP snooping on switch interfaces
  connecting to APs, because this may cause the number of user binding entries on
  switches to exceed the specification. Therefore, you are advised to configure DHCP
  snooping for wired users based on VLANs and to configure DHCP snooping for wireless
  users on the wireless-side VAP profiles.
• If there are no multicast services transmitted on the network, you are advised to
  configure multicast packet suppression to reduce impact of a large number of low-rate
  multicast packets on the wireless network.
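The Layer 2 rules in the list above (port isolation and edge ports on AP and terminal ports, VLAN 1 removed from trunks, unused ports shut down, VLAN-based DHCP snooping for wired users) can be checked mechanically against a saved switch configuration. The Python auditor below is an added example, not part of the Huawei guide; it also flags the guide's example key Admin@123 when it has been copied into a configuration. Assumptions: the rule names, the constructed sample configuration, the operator-supplied ap_ports and snooping_vlans inputs, and the heuristic that an interface stanza with no commands is an unused port.

```python
import re

GUIDE_EXAMPLE_SECRET = "Admin@123"   # example key printed throughout this guide
PHYSICAL = re.compile(r"(X?GigabitEthernet|Ethernet)\d")

# Constructed sample in saved-configuration layout (bodies indented by one space).
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
#
radius-server template test01
 radius-server shared-key cipher Admin@123
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 40
 port-isolate enable
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
 shutdown
#
interface GigabitEthernet0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 40
#
return
"""


def parse_stanzas(config_text):
    """Split a configuration into (header, body_lines) stanzas."""
    stanzas = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue                                  # blank line or '#' separator
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())        # indented: body of current stanza
        else:
            stanzas.append((raw.strip(), []))         # unindented: new stanza header
    return stanzas


def audit(config_text, ap_ports=(), snooping_vlans=()):
    """Return (rule, location) findings for the Layer 2 design rules."""
    # ap_ports: interface names cabled to APs, supplied by the operator.
    # snooping_vlans: wired service VLAN IDs that should have DHCP snooping.
    findings = []
    stanzas = parse_stanzas(config_text)
    top_level = {header for header, _ in stanzas}
    vlan_bodies = {h.split()[1]: b for h, b in stanzas if re.fullmatch(r"vlan \d+", h)}

    for header, body in stanzas:
        # Documentation example secret present in this configuration.
        if any(GUIDE_EXAMPLE_SECRET in line.split() for line in [header] + body):
            findings.append(("example-secret", header.replace(GUIDE_EXAMPLE_SECRET, "***")))
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        edge = "port link-type access" in body or name in ap_ports
        if PHYSICAL.match(name) and not body:         # heuristic: no commands = unused
            findings.append(("unused-port-not-shutdown", name))
        if "port link-type trunk" in body:
            if "undo port trunk allow-pass vlan 1" not in body:
                findings.append(("vlan1-on-trunk", name))
            if any(l.startswith("port trunk allow-pass vlan") and "all" in l.split()
                   for l in body):
                findings.append(("trunk-allows-all-vlans", name))
        if edge and "port-isolate enable" not in body:
            findings.append(("no-port-isolation", name))
        if edge and "stp edged-port enable" not in body:
            findings.append(("not-stp-edge-port", name))

    if snooping_vlans and "dhcp snooping enable" not in top_level:
        findings.append(("dhcp-snooping-global-off", "system"))
    for vlan in snooping_vlans:
        if "dhcp snooping enable" not in vlan_bodies.get(str(vlan), []):
            findings.append(("dhcp-snooping-vlan-off", f"vlan {vlan}"))
    return findings


if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG, {"GigabitEthernet0/0/2"}, (30, 40)):
        print(f"{rule:26} {where}")
```

The trunk check only recognises the literal keyword all; an explicit range that covers every VLAN would need an additional rule.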
S12700 V200R011C10
S7700 V200R011C10
S5700 V200R011C10
FW(USG6650) V500R001C60
AP V200R007C20
Configuration Roadmap
The configuration roadmap is as follows:
Data Plan
Item Data
Secret Admin@123
DM port 3799
Vendor-ID 0
Vendor-name -
Attribute ID 11
Type Integer
Format %d
Dictionary dictionary.rfc2865
Table 4-97 Data plan of the egress solution and USG6600 HRP
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
• In a stack system, before connecting an AS with the name and MAC address
  pre-configured on the parent to an SVF system, it is recommended that you set up a
  stack for the AS and then configure the pre-configured MAC address as the management
  MAC address. You can configure the MAC address as the MAC address of the master switch
  in the stack. In this situation, the AS management MAC address is the same as the
  pre-configured one by default, and no management MAC address needs to be configured. If
  the AS name and MAC address are configured after the AS connects to an SVF system,
  the management MAC address does not need to be configured.
• Some Huawei switches can connect to an SVF system through downlink ports. Before
  restarting an AS, check whether the port that connects this AS to the parent is a downlink
  port. You can run the display port connection-type access all command on this AS to
  view all downlink ports on it. If this port is a downlink port, run the
  uni-mng up-direction fabric-port command on this AS to configure this port as an uplink
  port before restarting this AS. Otherwise, this AS cannot go online.
• Stack member switches connected using downlink service ports cannot join an SVF
  system as ASs.
• If downlink service ports of an AS are configured as member ports of an uplink fabric
  port, all the downlink ports of the AS cannot be configured as stack member ports.
• Pay attention to the following notes when replacing a faulty AS:
  – An AS can only be replaced by a device of the same model. If the new device is a
    different model, the SVF system considers it as a new AS, which then cannot
    inherit services on the previous AS.
  – Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
  – AS automatic replacement is not supported when an AS connects to the parent
    through a network.
  – To ensure that a replacement AS can be successfully authenticated, run the
    auth-mode none command to set the AS authentication mode to none, or run the
    whitelist mac-address command to add the management MAC address of the
    replacement AS to the whitelist. If the replacement AS has no management MAC
    address configured, the system MAC address is used as the management MAC
    address.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S7700-A
[S7700-A] vlan batch 40
# Create an Eth-Trunk connected to the core switch and add uplink interfaces to the Eth-Trunk.
[S7700-A] interface xgigabitethernet 3/0/1
[S7700-A-XGigabitEthernet3/0/1] eth-trunk 20
[S7700-A-XGigabitEthernet3/0/1] quit
[S7700-A] interface xgigabitethernet 2/0/2
[S7700-A-XGigabitEthernet2/0/2] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/2] quit
# Create VLAN 40 connected to the access switch and add downlink interfaces to VLAN 40.
[S7700-A] interface gigabitethernet 1/0/1
[S7700-A-GigabitEthernet1/0/1] port link-type trunk
[S7700-A-GigabitEthernet1/0/1] port trunk allow-pass vlan 40
[S7700-A-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[S7700-A-GigabitEthernet1/0/1] port-isolate enable
[S7700-A-GigabitEthernet1/0/1] quit
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S5700-A
[S5700-A] vlan batch 40
# Configure a downlink interface connected to a user PC. Configure port isolation on the
interface and configure the interface as an STP edge port.
[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type access
[S5700-A-GigabitEthernet0/0/1] port default vlan 40
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] stp edged-port enable
[S5700-A-GigabitEthernet0/0/1] quit
# Check whether a CSS is set up successfully. If the card status of two member switches is
displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit
GigabitEthernet1/1/1/7
GigabitEthernet2/1/1/7
XGigabitEthernet1/6/0/0
XGigabitEthernet2/6/0/0
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CORE-SWITCH
[CORE-SWITCH] vlan batch 10 20 30 40 1000
# Enable DHCP globally, and configure DHCP snooping for the service VLAN.
[CORE-SWITCH] dhcp enable
[CORE-SWITCH] dhcp snooping enable
[CORE-SWITCH] vlan 30
[CORE-SWITCH-vlan30] dhcp snooping enable
[CORE-SWITCH-vlan30] quit
# Create a wireless management interface VLANIF 20, and assign addresses to APs from the
interface address pool.
[CORE-SWITCH] interface vlanif 20
[CORE-SWITCH-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-SWITCH-Vlanif20] dhcp select interface
[CORE-SWITCH-Vlanif20] quit
# Create a wireless service interface VLANIF 30, and assign addresses to STAs from the
interface address pool.
[CORE-SWITCH] interface vlanif 30
[CORE-SWITCH-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-SWITCH-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif30] dhcp select interface
[CORE-SWITCH-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif30] quit
# Create a wired service interface VLANIF 40, and assign addresses to terminals from the
interface address pool.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-SWITCH-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wired users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif40] dhcp select interface
[CORE-SWITCH-Vlanif40] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif40] quit
# Create Eth-Trunk 20 connected to both the core switch and the aggregation switch S7700-A
in office building A, and add interfaces to the Eth-Trunk. The interconnection configuration
between the core switch and the aggregation switch in office building B is similar to that in
office building A, and is not mentioned here. (The service VLAN corresponding to office
building B is VLAN 20.)
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] description con to S7700-A
[CORE-SWITCH-Eth-Trunk20] port link-type trunk
[CORE-SWITCH-Eth-Trunk20] port trunk allow-pass vlan 40
[CORE-SWITCH-Eth-Trunk20] undo port trunk allow-pass vlan 1
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] interface xgigabitethernet 1/1/0/0
[CORE-SWITCH-XGigabitEthernet1/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet1/1/0/0] quit
[CORE-SWITCH] interface xgigabitethernet 2/1/0/0
[CORE-SWITCH-XGigabitEthernet2/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet2/1/0/0] quit
# Configure the core switch as the STP root bridge, configure root protection, disable
TC packet-triggered ARP entry update, and enable MAC address-triggered ARP entry update.
[CORE-SWITCH] stp root primary
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] stp root-protection
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] arp topology-change disable
[CORE-SWITCH] mac-address update arp
# Configure an authentication scheme named test01 and set the authentication mode to
RADIUS.
[CORE-SWITCH] aaa
[CORE-SWITCH-aaa] authentication-scheme test01
# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[CORE-SWITCH-aaa] accounting-scheme test01
[CORE-SWITCH-aaa-accounting-test01] accounting-mode radius
[CORE-SWITCH-aaa-accounting-test01] accounting realtime 15 //Set the accounting interval to 15 minutes.
[CORE-SWITCH-aaa-accounting-test01] quit
# Create an authentication domain named huawei, and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[CORE-SWITCH-aaa] domain huawei
[CORE-SWITCH-aaa-domain-huawei] authentication-scheme test01
[CORE-SWITCH-aaa-domain-huawei] accounting-scheme test01
[CORE-SWITCH-aaa-domain-huawei] radius-server test01
[CORE-SWITCH-aaa-domain-huawei] quit
[CORE-SWITCH-aaa] quit
# Configure the Portal authentication server and create a Portal access profile named portal1.
[CORE-SWITCH] web-auth-server test01
[CORE-SWITCH-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] source-ip 168.88.77.157
[CORE-SWITCH-web-auth-server-test01] port 50100 //Configure the port number of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key for communication between the Portal authentication server and switch. The shared key must be the same as that of the Agile Controller.
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[CORE-SWITCH-web-auth-server-test01] quit
[CORE-SWITCH] portal-access-profile name portal1
[CORE-SWITCH-portal-acces-profile-portal1] web-auth-server test01 direct
[CORE-SWITCH-portal-acces-profile-portal1] quit
Step 5 Configure the wired user interface and enable Portal authentication on the interface.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] authentication-profile p1
[CORE-SWITCH-Vlanif40] quit
Step 6 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip
168.88.77.157
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[CORE-SWITCH-wlan-view] regulatory-domain-profile name domain1
[CORE-SWITCH-wlan-regulate-domain-domain1] country-code CN
[CORE-SWITCH-wlan-regulate-domain-domain1] quit
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
[CORE-SWITCH-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC address of the AP is ac85-3d95-d800.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap auth-mode mac-auth
[CORE-SWITCH-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[CORE-SWITCH-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[CORE-SWITCH-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[CORE-SWITCH-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------------
ID   MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0    ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1
NOTE
The prerequisites for running the ip source check user-bind enable command are as follows.
The IP packet check is based on the binding table, so:
- The dynamic DHCP snooping binding table has been generated for DHCP users.
- The static binding table has been configured manually for users using static IP addresses.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted port has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command.
# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[CORE-SWITCH-wlan-view] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2
# Set the maximum rate of multicast packets to 128 pps in the traffic profile test.
[CORE-SWITCH-wlan-view] traffic-profile name test
[CORE-SWITCH-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 128
- If a large number of multicast or broadcast packets are sent from the network side to the
wireless user side, the air interface usage of the AP is high. In this instance, configure a
traffic policy on the core switch to suppress the broadcast/multicast packets going
upstream from the wireless user side to the AP. Before configuring a traffic policy, check
whether the corresponding multicast or broadcast services are available on the live
network.
# Create a traffic classifier named test and define a matching rule.
[CORE-SWITCH] traffic classifier test
[CORE-SWITCH-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[CORE-SWITCH-classifier-test] quit
# Create a traffic behavior named test, enable traffic statistics collection, and set the
traffic rate limit.
[CORE-SWITCH] traffic behavior test
[CORE-SWITCH-behavior-test] statistic enable
[CORE-SWITCH-behavior-test] car cir 100 //Configure the rate limit to 100 kbit/s. If multicast services are available, you are advised to rate-limit the packets based on service traffic.
[CORE-SWITCH-behavior-test] quit
# Create a traffic policy named test, and bind the traffic classifier and traffic behavior to
the traffic policy.
[CORE-SWITCH] traffic policy test
[CORE-SWITCH-trafficpolicy-test] classifier test behavior test
[CORE-SWITCH-trafficpolicy-test] quit
To view the Layer 2 link status between network devices and analyze the network topology,
enable LLDP. To view the Layer 2 link status between APs and access switches or analyze the
network topology, enable WLAN LLDP. WLAN LLDP can be enabled in the system view
and the AP wired port link profile view. The AP sends or receives LLDP packets only when
both of these settings are enabled. By default, both are enabled.
[CORE-SWITCH] lldp enable
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap lldp enable
[CORE-SWITCH-wlan-view] port-link-profile name default
[CORE-SWITCH-wlan-port-link-prof-default] lldp enable
[CORE-SWITCH-wlan-port-link-prof-default] quit
[CORE-SWITCH-wlan-view] quit
After LLDP is configured, the device can analyze powered devices (PDs). When LLDP is
disabled, the device can detect and classify PDs only by analyzing the current and resistance
between the device and PDs. Compared with current and resistance analysis, the LLDP
function provides a more comprehensive and accurate analysis. After LLDP is enabled in the
system view, all interfaces are enabled with LLDP.
[S5700-B] lldp enable
Step 10 Create an Eth-Trunk between the core switch S12700 and the USG6600.
# On the S12700, create Eth-Trunk 30 and Eth-Trunk 40 connected to FW1 and FW2
respectively, and add member interfaces to Eth-Trunk 30 and Eth-Trunk 40.
[CORE-SWITCH] interface eth-trunk 30 //Create Eth-Trunk 30 connected to FW1.
[CORE-SWITCH-Eth-Trunk30] port link-type access
[CORE-SWITCH-Eth-Trunk30] port default vlan 10
[CORE-SWITCH-Eth-Trunk30] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/0
[CORE-SWITCH-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet1/2/0/0] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/0
[CORE-SWITCH-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet2/2/0/0] quit
[CORE-SWITCH] interface eth-trunk 40 //Create Eth-Trunk 40 connected to FW2.
[CORE-SWITCH-Eth-Trunk40] port link-type access
[CORE-SWITCH-Eth-Trunk40] port default vlan 10
[CORE-SWITCH-Eth-Trunk40] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/1
[CORE-SWITCH-GigabitEthernet1/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet1/2/0/1] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/1
[CORE-SWITCH-GigabitEthernet2/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet2/2/0/1] quit
# Configure OSPF to advertise routes. You are advised to enable the sham-hello function of
OSPF. After this function is enabled, devices maintain neighbor relationships through all
OSPF protocol packets, not only Hello packets, so that the presence of OSPF neighbors is
detected more responsively.
[CORE-SWITCH] ospf 1 router-id 3.3.3.3
[CORE-SWITCH-ospf-1] sham-hello enable
[CORE-SWITCH-ospf-1] area 0.0.0.0
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the core switch to advertise the network segment connected to the USG6600.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255 //Configure the core switch to advertise the network segment of wireless users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.40.0 0.0.0.255 //Configure the core switch to advertise the network segment of wired users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the core switch to advertise the address segment of the Agile Controller to interconnect with the firewall.
[CORE-SWITCH-ospf-1-area-0.0.0.0] quit
[CORE-SWITCH-ospf-1] quit
----End
Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the Eth-
Trunk.
# Configure default routes to the ISP. In this example, static routes are used.
[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively.) Configure health check
for links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] healthcheck isp1_health
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] healthcheck isp2_health
[FW2-GigabitEthernet1/0/2] quit
# Configure a global route selection policy and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet 1/0/1
[FW1-multi-inter] add interface gigabitethernet 1/0/2
[FW1-multi-inter] quit
[FW2] multi-interface
[FW2-multi-inter] mode proportion-of-bandwidth
[FW2-multi-inter] add interface gigabitethernet 1/0/1
[FW2-multi-inter] add interface gigabitethernet 1/0/2
[FW2-multi-inter] quit
# Perform agile network configurations on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 192.168.10.1
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit
# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-policy_nat2] quit
HRP_M[FW1-policy-nat] quit
# Contact the ISP administrator to set destination addresses to those in the routes of
addressgroup1 and addressgroup2. The next hop is the interface address corresponding to
the USG6600.
Step 10 Configure smart DNS.
HRP_M[FW1] dns-smart enable
HRP_M[FW1] dns-smart group 1 type multi
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 202.10.1.10
HRP_M[FW1-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 202.20.1.10
HRP_M[FW1-dns-smart-group-1] quit
NOTE
This function requires a license. It also requires dynamic loading of the corresponding components.
Create an application behavior control profile to forbid HTTP and File Transfer Protocol (FTP)
operations in study time.
HRP_M[FW1] profile type app-control name profile_app_work
HRP_M[FW1-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] quit
Create an application behavior control profile to permit only HTTP web page browsing,
proxy-based Internet access, and file downloading in rest time.
HRP_M[FW1] profile type app-control name profile_app_rest
HRP_M[FW1-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_rest] quit
Create a time range named working_hours. The time range is the class time.
HRP_M[FW1] time-range working_hours
HRP_M[FW1-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FW1-time-range-working_hours] quit
Create a time range named off_hours. The time range is the non-class time.
HRP_M[FW1] time-range off_hours
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FW1-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FW1-time-range-off_hours] quit
Configure a security policy named policy_sec_rest that references the time range off_hours
and the application behavior control profile profile_app_rest to control application
behaviors of students during the non-class time.
HRP_A[FW1-policy-security] rule name policy_sec_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_rest] user any
HRP_A[FW1-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_A[FW1-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] action permit
HRP_A[FW1-policy-security-rule-policy_sec_rest] quit
----End
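The working_hours and off_hours time ranges configured above are meant to split every day between the two application control profiles. The following check is an added example, not part of the Huawei document: it verifies that the period-range lines leave no second uncovered and none covered twice. It assumes end times are inclusive (as the page's own 08:59:59 / 09:00:00 boundaries imply), handles only the working-day and off-day keywords, and uses hypothetical function names.

```python
import re

# Time-range commands as typed on this page.
PAGE_RANGES = """
HRP_M[FW1] time-range working_hours
HRP_M[FW1-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FW1] time-range off_hours
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FW1-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
"""

# Constructed variant with a typing mistake: off_hours resumes one minute late.
GAPPED_RANGES = PAGE_RANGES.replace("17:30:01", "17:31:00")

DAY_SECONDS = 24 * 60 * 60
PROMPT_RE = re.compile(r"^\S*\[[^\]]+\]\s*")
PERIOD_RE = re.compile(
    r"period-range (\d\d):(\d\d):(\d\d) to (\d\d):(\d\d):(\d\d) (\S+)")


def parse(text):
    """Return {day_type: [(start_sec, end_sec_inclusive, range_name), ...]}."""
    # Seed both day types so a day type with no period at all is reported.
    periods = {"working-day": [], "off-day": []}
    name = None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # drop the CLI prompt if present
        if line.startswith("time-range "):
            name = line.split()[1]
            continue
        m = PERIOD_RE.fullmatch(line)
        if m:
            h1, m1, s1, h2, m2, s2 = (int(x) for x in m.groups()[:6])
            start = h1 * 3600 + m1 * 60 + s1
            end = h2 * 3600 + m2 * 60 + s2
            periods.setdefault(m.group(7), []).append((start, end, name))
    return periods


def fmt(sec):
    """Seconds since midnight -> HH:MM:SS."""
    return f"{sec // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}"


def audit(text):
    """Return (gaps, overlaps); each item is (day_type, 'HH:MM:SS-HH:MM:SS')."""
    gaps, overlaps = [], []
    for day, spans in sorted(parse(text).items()):
        cursor = 0  # first second of the day not yet covered by any range
        for start, end, _name in sorted(spans):
            if start > cursor:
                gaps.append((day, f"{fmt(cursor)}-{fmt(start - 1)}"))
            elif start < cursor:
                overlaps.append(
                    (day, f"{fmt(start)}-{fmt(min(end, cursor - 1))}"))
            cursor = max(cursor, end + 1)
        if cursor < DAY_SECONDS:
            gaps.append((day, f"{fmt(cursor)}-{fmt(DAY_SECONDS - 1)}"))
    return gaps, overlaps


if __name__ == "__main__":
    for label, text in (("page", PAGE_RANGES), ("constructed", GAPPED_RANGES)):
        gaps, overlaps = audit(text)
        print(label, "gaps:", gaps, "overlaps:", overlaps)
```

A second that falls in a gap matches neither time-bound rule, so it is handled by whichever rule comes next; the display security-policy all output on this page lists the default rule as deny.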
# Open the Internet Explorer, enter the Agile Controller access address in the address bar, and
press Enter.
The following table describes addresses for accessing the Agile Controller.
If you log in to the Agile Controller for the first time, use the super administrator user name
and password. Change the password immediately after logging in; otherwise, the Agile
Controller cannot be used.
Configure the IP address for the S12700 that communicates with the Agile Controller. Enable
RADIUS and Portal authentication, set the RADIUS authentication and accounting keys to
Admin@123, and set the real-time accounting interval to 15 minutes. Set the port number to
2000, Portal key to Admin@123, and access terminal IP address list to be within the
allocation scope of terminal IP addresses (a route for packets to be returned to the terminal IP
address should be added to the Agile Controller server, and its configuration is not mentioned
here).
# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.
# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.
Step 4 Create a device group named test and add two USG6600s to this group.
# Choose Resource > Device > Device Management, and then choose Device Group > Free
Mobility > Custom on the left side of the page to create a customized group named test.
# Click Add, select the S12700 and USG6600, and add them to the customized group.
Step 5 Configure two dynamic security groups group1 and group2, and two static security
groups server1 and server2.
# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Add and create group1 and group2.
# Choose Policy > Permission Control > Security Group > Static Security Group
Management.
# Choose Policy > Free Mobility > Policy Configuration > Permission Control and click
Add.
After the configuration is complete, group1 can access server1 and server2, group2 can only
access server1, and group1 and group2 cannot access each other.
# Click Global Deployment to deploy access control policies on the entire network.
# After the network segment of the internal network is deployed successfully, run the display
agile-network intranet-address command to check the internal network segment that is
delivered by the USG6600.
HRP_M[FW1] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255
# Click Add in Device List, select FW1 and FW2, and click OK.
# Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully, you
can view the deployment result on the USG6600. group1 is deployed as the VIP security
group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID GroupName VIP priority
-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0
Step 11 Configure the RADIUS relay agent on the Agile Controller to obtain packets sent from
devices and forward the packets to the RADIUS server.
# Choose System > External Authentication > RADIUS Proxy.
# Click Add.
# Set parameters and click OK.
Parameter Description
Step 12 Define customization conditions corresponding to security groups on the Agile Controller.
# Choose Policy > Policy Element > Customize Condition.
# Click Add.
# Set parameters and click OK.
Operator Equal
Attribute value 25
Operator Equal
Attribute value 26
# Click OK.
Step 14 Add an authorization rule.
# Choose Policy > Permission Control > Authentication & Authorization >
Authorization rule, and click Add to create an authorization rule.
Customization condition    group1    -
Customization condition    group2    -
# Click OK.
Step 15 Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
# Choose Policy > Permission Control > Authentication & Authorization >
Authentication rule, and click Add to create an authentication rule.
# Click OK.
----End
Step 2 Add the Agile Controller and an authentication switch on the Srun4000.
# Choose Radius > Radius Trust Setting to add an authentication switch as a trusted device.
# Click Generate.
# The configuration of the Agile Controller at 168.88.77.10 is similar to that of the RADIUS
trusted device, and is not mentioned here.
# Choose Radius > Add Radius Attributes. The RADIUS attribute is the same as the
customization condition of the Agile Controller. The RADIUS attribute name is Filter-ID
(input value is 11). The fixed value is the RADIUS attribute value customized on the Agile
Controller (this value can be 25 or 26).
# Click Save.
# Choose Strategy > Control. Click Add to add two control policies and associate the two
policies with the customized attributes group1 and group2 respectively. Other parameters can
be modified as needed.
# Click Save.
Step 6 Configure an accounting group on the Srun4000 and bind the accounting group to the
corresponding accounting and control policies.
# Choose Strategy > Product. Click Add to create two new accounting
groups group1_accounting and group2_accounting. Bind accounting
groups group1_accounting and group2_accounting to control
policies group1_control and group2_control and the accounting policy accounting_policy.
# Click Save.
Step 7 Create user groups on the Srun4000.
# Choose System Setting > Permission > Organization Structure, place the cursor on
, and click to add user groups group1 and group2.
# Click Save.
----End
4.19.2.6 Verification
Step 1 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the core switch to view deployment information.
# Run the display ucl-group all command on the core switch to view deployment
information of the security group.
[CORE-SWITCH] display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group1
2 group2
--------------------------------------------------------------------------------
Total : 2
# Run the display acl all command on the core switch to view the access control policy.
[CORE-SWITCH] display acl all
Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
Step 2 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 to check deployment information.
# Run the display agile-network security-group all command on the USG6600 to check the
security group configuration.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID GroupName VIP priority
-------------------------------------------------------------------------------
0 unknown no 0
2 group2 no 0
1 group1 yes 5
# Run the display security-policy rule all command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy all
Total:7
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable deny 128877
5 Auto_PGM_U2_1 enable permit 0
6 Auto_PGM_U2_2 enable deny 0
7 Auto_PGM_U2_3 enable deny 0
8 Auto_PGM_U1_1 enable permit 0
9 Auto_PGM_U1_2 enable permit 0
10 Auto_PGM_U1_3 enable deny 0
-------------------------------------------------------------------------------
# Run the display security-policy rule command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy rule name Auto_PGM_U2_1
(0 times matched)
rule name Auto_PGM_U2_1
destination-address 21.0.0.100 0.0.0.0
source-group 2
action permit
Step 3 Use the user name and password defined on the Srun to authenticate a wireless user. After the
wireless user is successfully authenticated, you can see that the user security group has been
successfully matched and the bandwidth has been successfully delivered by querying the
switch user table.
# Check online information of the wireless user named user1 on the core switch.
[CORE-SWITCH] display access-user user-id 16063
Basic:
User ID : 16063
User name : user1
Domain-name : huawei
User MAC : 0c96-bfe1-a39d
User IP address : 172.16.30.252
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/29 11:16:57
User accounting session ID : CORE-SW00210000000030f6dc890003ebf
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 357(s)
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
# Check online information of the wireless user named user2 on the core switch.
[CORE-SWITCH] display access-user user-id 16064
Basic:
User ID : 16064
User name : user2
Domain-name : huawei
User MAC : 0c96-bfe1-a2c2
User IP address : 172.16.30.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/29 11:30:04
User accounting session ID : CORE-SW00210000000030ab520e0003ec0
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 228(s)
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 4 Use the user name and password defined on the Srun to authenticate a wired user. After the
wired user is successfully authenticated, you can see that the user security group has been
successfully matched and the bandwidth has been successfully delivered by querying the
switch user table.
# Check online information of the wired user named user1 on the core switch.
Basic:
User ID : 16066
User name : user1
Domain-name : huawei
User MAC : 28f1-0e02-8647
User IP address : 172.16.40.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/29 11:41:08
User accounting session ID : CORE-SW002200000000404a82dc0003ec2
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
# Check online information of the wired user named user2 on the core switch.
[CORE-SWITCH] display access-user user-id 16067
Basic:
User ID : 16067
User name : user2
Domain-name : huawei
User MAC : 3cd9-2b5d-d9dc
User IP address : 172.16.40.253
User vpn-instance : -
User IPv6 address : -
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/29 11:45:44
User accounting session ID : CORE-SW00220000000040b9a9400003ec3
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 5 After the user goes online, the user packet can trigger the USG6600 to obtain a correct
security group from the Agile Controller.
HRP_M[FW1] display agile-network user
Total user: 2, show user: 2.
-------------------------------------------------------------------------------
IP-address Create-time Rate(input,output) Security-group
-------------------------------------------------------------------------------
172.16.30.252 2016/07/29 13:53:50 0 0 1-group1
172.16.30.254 2016/07/29 14:12:47 0 0 2-group2
Step 6 After configuring HRP, run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-06-23 19:16:46 HRP core state changed,
old_state = abnormal(active), new_state = normal, local_priority = 44998,
peer_priority = 44998.
Step 7 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-06-23 19:24:21 HRP core state changed,
old_state = normal, new_state = abnormal(active), local_priority = 44998,
peer_priority = 44996.
----End
S7700-A                                 S7700-B
#                                       #
sysname S7700-A                         sysname S7700-B
#                                       #
vlan batch 40                           vlan batch 20
#                                       #
interface Eth-Trunk20                   interface Eth-Trunk10
description connect to S127             description connect to S127
port link-type trunk                    port link-type trunk
port trunk allow-pass vlan 40           port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1       undo port trunk allow-pass vlan 1
#                                       #
interface XGigabitEthernet3/0/1         interface XGigabitEthernet3/0/1
eth-trunk 20                            eth-trunk 10
#                                       #
interface XGigabitEthernet2/0/2         interface XGigabitEthernet2/0/2
eth-trunk 20                            eth-trunk 10
#                                       #
interface GigabitEthernet1/0/1          interface GigabitEthernet1/0/1
port link-type trunk                    port link-type trunk
port trunk allow-pass vlan 40           port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1       undo port trunk allow-pass vlan 1
port-isolate enable group 1             port-isolate enable group 1
#                                       #
return                                  return
S12700 CSS
#
sysname CORE-SWITCH
#
traffic classifier test
if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000
#
traffic behavior test
statistic enable
car cir 100
#
traffic policy test
classifier test behavior test
#
lldp enable
#
vlan batch 10 20 30 40 1000
#
stp instance 0 root primary
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%# src-ip 168.88.77.157
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
#
mac-address update arp
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
url http://168.88.77.10:8080/portal
source-ip 168.88.77.157
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
authentication-profile p1
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 20
undo port trunk allow-pass vlan 1
#
interface Eth-Trunk20
description con to S7700-A
port link-type trunk
port trunk allow-pass vlan 40
undo port trunk allow-pass vlan 1
stp root-protection
#
interface Eth-Trunk30
port link-type access
port default vlan 10
#
interface Eth-Trunk40
port link-type access
port default vlan 10
#
interface XGigabitEthernet 1/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface GigabitEthernet 1/2/0/0
eth-trunk 30
#
interface GigabitEthernet 1/2/0/1
eth-trunk 40
#
interface GigabitEthernet 1/3/0/0
port link-type access
port default vlan 1000
#
interface XGigabitEthernet 2/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 2/1/0/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet 2/2/0/0
eth-trunk 30
#
interface GigabitEthernet 2/2/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
sham-hello enable
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 172.16.30.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 192.168.10.0 0.0.0.255
#
arp topology-change disable
#
capwap source interface vlanif20
#
wlan
traffic-profile name test
traffic-optimize broadcast-suppression packets 128
traffic-optimize multicast-suppression packets 128
ssid-profile name portal
ssid portal_test
traffic-policy test outbound
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
traffic-profile test
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return
FW1 FW2
# #
sysname FW1 sysname FW2
# #
hrp enable hrp enable
hrp interface GigabitEthernet1/0/5 hrp interface GigabitEthernet1/0/5
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface Eth-Trunk30 hrp track interface Eth-Trunk40
# #
healthcheck enable healthcheck enable
healthcheck name isp1_health healthcheck name isp1_health
destination 21.0.0.100 interface destination 21.0.0.100 interface
GigabitEthernet1/0/1 protocol tcp- GigabitEthernet1/0/1 protocol tcp-
simple destination-port 1001 simple destination-port 1003
healthcheck name isp2_health healthcheck name isp2_health
destination 22.0.0.100 interface destination 22.0.0.100 interface
GigabitEthernet1/0/2 protocol tcp- GigabitEthernet1/0/2 protocol tcp-
simple destination-port 1002 simple destination-port 1004
# #
radius-server template test01 radius-server template test01
radius-server shared-key cipher %^ radius-server shared-key cipher %^
%#[k>:K48o,,LpDo,|-GmSlC$p/ %#[k>:K48o,,LpDo,|-GmSlC$p/
vLsQ.nTSwS^C3I0%^%# vLsQ.nTSwS^C3I0%^%#
radius-server authentication radius-server authentication
168.88.77.10 1812 weight 80 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 radius-server accounting 168.88.77.10
1813 weight 80 1813 weight 80
undo radius-server user-name domain- undo radius-server user-name domain-
included included
radius-server group-filter class radius-server group-filter class
# #
interface Eth-Trunk30 interface Eth-Trunk40
ip address 192.168.10.1 255.255.255.0 ip address 192.168.10.2 255.255.255.0
# #
interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/1
undo shutdown undo shutdown
ip address 201.0.0.1 255.255.255.0 ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health healthcheck isp1_health
gateway 201.0.0.254 gateway 201.0.0.254
bandwidth ingress 100000 threshold 95 bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95 bandwidth egress 100000 threshold 95
# #
interface GigabitEthernet1/0/2 interface GigabitEthernet1/0/2
undo shutdown undo shutdown
ip address 202.0.0.2 255.255.255.0 ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health healthcheck isp2_health
gateway 202.0.0.254 gateway 202.0.0.254
bandwidth ingress 50000 threshold 90 bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90 bandwidth egress 50000 threshold 90
# #
interface GigabitEthernet1/0/3 interface GigabitEthernet1/0/3
undo shutdown undo shutdown
eth-trunk 30 eth-trunk 40
# #
interface GigabitEthernet1/0/4 interface GigabitEthernet1/0/4
undo shutdown undo shutdown
eth-trunk 30 eth-trunk 40
# #
interface GigabitEthernet1/0/5 interface GigabitEthernet1/0/5
undo shutdown undo shutdown
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
interface LoopBack0 interface LoopBack0
ip address 1.1.1.1 255.255.255.255 ip address 2.2.2.2 255.255.255.255
# #
firewall zone trust firewall zone trust
add interface GigabitEthernet0/0/0 add interface GigabitEthernet0/0/0
add interface Eth-Trunk30 add interface Eth-Trunk30
add interface Eth-Trunk40 add interface Eth-Trunk40
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/5 add interface GigabitEthernet1/0/5
# #
firewall zone name isp1 id 4 firewall zone name isp1 id 4
set priority 10 set priority 10
add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/1
# #
firewall zone name isp2 id 5 firewall zone name isp2 id 5
set priority 20 set priority 20
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/2
# #
ospf 1 router-id 1.1.1.1 ospf 1 router-id 2.2.2.2
sham-hello enable sham-hello enable
import-route static import-route static
area 0.0.0.0 area 0.0.0.0
network 192.168.10.0 0.0.0.255 network 192.168.10.0 0.0.0.255
# #
ip route-static 21.0.0.0 255.255.255.0 ip route-static 21.0.0.0 255.255.255.0
201.0.0.254 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 ip route-static 22.0.0.0 255.255.255.0
202.0.0.254 202.0.0.254
# #
nat address-group addressgroup1 0 nat address-group addressgroup1 0
mode pat mode pat
route enable route enable
section 0 201.0.0.10 201.0.0.12 section 0 201.0.0.10 201.0.0.12
# #
nat address-group addressgroup2 1 nat address-group addressgroup2 1
mode pat mode pat
route enable route enable
section 0 202.0.0.10 202.0.0.12 section 0 202.0.0.10 202.0.0.12
# #
multi-interface multi-interface
mode proportion-of-bandwidth mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/2
# #
agile-network agile-network
agile-network enable agile-network enable
radius-server test01 radius-server test01
server ip 168.88.77.10 server ip 168.88.77.10
local ip 192.168.10.1 local ip 192.168.10.2
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/ password %^%#[k>:K48o,,LpDo,|-GmSlC$p/
vLsQ.nTSwS^C3I0%^%# vLsQ.nTSwS^C3I0%^%#
xmpp connect xmpp connect
# #
security-policy security-policy
rule name policy_dmz rule name policy_dmz
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name trust_to_untrust rule name trust_to_untrust
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
destination-zone isp2 destination-zone isp2
action permit action permit
rule name policy_sec_work rule name policy_sec_work
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
destination-zone isp2 destination-zone isp2
time-range working_hours time-range working_hours
profile app-control profile_app_work profile app-control profile_app_work
action permit action permit
rule name policy_sec_rest rule name policy_sec_rest
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
destination-zone isp2 destination-zone isp2
time-range off_hours time-range off_hours
profile app-control profile_app_rest profile app-control profile_app_rest
action permit action permit
# #
nat-policy nat-policy
rule name policy_nat1 rule name policy_nat1
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
source-address range 172.16.30.1 source-address range 172.16.30.1
172.16.30.254 172.16.30.254
source-address range 172.16.40.1 source-address range 172.16.40.1
172.16.40.254 172.16.40.254
action nat address-group action nat address-group
addressgroup1 addressgroup1
rule name policy_nat2 rule name policy_nat2
source-zone trust source-zone trust
destination-zone isp2 destination-zone isp2
source-address range 172.16.30.1 source-address range 172.16.30.1
172.16.30.254 172.16.30.254
source-address range 172.16.40.1 source-address range 172.16.40.1
172.16.40.254 172.16.40.254
action nat address-group action nat address-group
addressgroup2 addressgroup2
# #
dns-smart enable dns-smart enable
dns-smart group 1 type multi dns-smart group 1 type multi
out-interface GigabitEthernet 1/0/1 out-interface GigabitEthernet 1/0/1
map 202.10.1.10 map 202.10.1.10
out-interface GigabitEthernet 1/0/5 out-interface GigabitEthernet 1/0/5
map 202.20.1.10 map 202.20.1.10
# #
firewall defend time-stamp enable firewall defend time-stamp enable
firewall defend route-record enable firewall defend route-record enable
firewall defend source-route enable firewall defend source-route enable
firewall defend winnuke enable firewall defend winnuke enable
firewall defend fraggle enable firewall defend fraggle enable
firewall defend ping-of-death enable firewall defend ping-of-death enable
firewall defend smurf enable firewall defend smurf enable
firewall defend land enable firewall defend land enable
# #
anti-ddos baseline-learn start anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance- anti-ddos baseline-learn tolerance-
value 100 value 100
anti-ddos baseline-learn apply anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic- anti-ddos udp-flood dynamic-
fingerprint-learn fingerprint-learn
anti-ddos udp-frag-flood dynamic- anti-ddos udp-frag-flood dynamic-
fingerprint-learn fingerprint-learn
anti-ddos http-flood defend alert-rate anti-ddos http-flood defend alert-rate
2000 2000
anti-ddos http-flood source-detect anti-ddos http-flood source-detect
mode basic mode basic
# #
profile type app-control name profile type app-control name
profile_app_work profile_app_work
http-control post action deny http-control post action deny
http-control proxy action deny http-control proxy action deny
http-control web-browse action deny http-control web-browse action deny
http-control file direction upload http-control file direction upload
action deny action deny
http-control file direction download http-control file direction download
action deny action deny
ftp-control file delete action deny ftp-control file delete action deny
ftp-control file direction upload ftp-control file direction upload
action deny action deny
ftp-control file direction download ftp-control file direction download
action deny action deny
# #
profile type app-control name profile type app-control name
profile_app_rest profile_app_rest
http-control post action deny http-control post action deny
http-control file direction upload http-control file direction upload
action deny action deny
ftp-control file delete action deny ftp-control file delete action deny
ftp-control file direction upload ftp-control file direction upload
action deny action deny
ftp-control file direction download ftp-control file direction download
action deny action deny
# #
time-range working_hours time-range working_hours
period-range 09:00:00 to 17:30:00 period-range 09:00:00 to 17:30:00
working-day working-day
# #
time-range off_hours time-range off_hours
period-range 00:00:00 to 23:59:59 off- period-range 00:00:00 to 23:59:59 off-
day day
period-range 00:00:00 to 08:59:59 period-range 00:00:00 to 08:59:59
working-day working-day
period-range 17:30:01 to 23:59:59 period-range 17:30:01 to 23:59:59
working-day working-day
# #
return return
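Added example (not part of the original guide): the security-policy section above lists trust_to_untrust ahead of the two time-ranged rules that carry app-control profiles. Assuming the firewall evaluates security policy rules top-down and stops at the first match, the Python below parses the rule list as printed (FW1 column) and reports every rule that an earlier rule fully covers; only zones and time ranges are modelled, and the function names are this example's own.

```python
import re

# Transcribed from the FW1 column of the configuration above; the FW2 column
# lists the same security-policy rules.
SECURITY_POLICY = """\
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
"""


def parse_rules(text):
    """Return the rules in configuration order as a list of dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"rule name (\S+)$", line)
        if header:
            rules.append({"name": header.group(1), "source-zone": set(),
                          "destination-zone": set(), "time-range": None,
                          "profile": None, "action": None, "modelled": True})
        elif rules and line:
            key, _, value = line.partition(" ")
            rule = rules[-1]
            if key in ("source-zone", "destination-zone"):
                rule[key].add(value)
            elif key in ("time-range", "profile", "action"):
                rule[key] = value
            elif key != "description":
                # Address, service, user or application conditions are not
                # modelled; such a rule is skipped rather than guessed at.
                rule["modelled"] = False
    return rules


def covers(earlier, later):
    """True if every packet that matches `later` already matches `earlier`."""
    for key in ("source-zone", "destination-zone"):
        # An empty set means the condition is absent, i.e. "any".
        if earlier[key] and not (later[key] and later[key] <= earlier[key]):
            return False
    # A rule without a time range is always active.
    return earlier["time-range"] in (None, later["time-range"])


def find_shadowed(rules):
    """List (shadowed rule, shadowing rule, settings lost) for first-match evaluation."""
    findings = []
    for i, later in enumerate(rules):
        if not later["modelled"]:
            continue
        for earlier in rules[:i]:
            if earlier["modelled"] and covers(earlier, later):
                lost = []
                if earlier["action"] != later["action"]:
                    lost.append(f"action {later['action']}")
                if later["profile"] and earlier["profile"] != later["profile"]:
                    lost.append(f"profile {later['profile']}")
                findings.append((later["name"], earlier["name"], lost))
                break
    return findings


if __name__ == "__main__":
    for shadowed, by, lost in find_shadowed(parse_rules(SECURITY_POLICY)):
        print(f"{shadowed} is never reached: covered by {by}; lost: {', '.join(lost) or 'nothing'}")
```

Run over the rule list as printed, it reports policy_sec_work and policy_sec_rest as covered by trust_to_untrust, so under the first-match assumption their app-control profiles would never be applied; with trust_to_untrust placed last, nothing is reported.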
Application Scenario
This solution uses the aggregation switch as the gateway and authentication point and applies
to higher education campus networks with more than 15,000 access users, meeting customers'
requirements of unified management and configuration for access switches.
Service Requirements
The number of users on a school campus must be considered when the campus network is
built. Users on a school campus can access the campus network only after being
authenticated. To ensure network security, users of different roles must be assigned
different network access rights.
The education industry networks must meet the following requirements.
● Access
  Provide both wired and wireless access.
● Security
  Assign different network rights to students, teachers, and other roles.
● Authentication
  Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
  authentication for wireless users.
● Accounting
  There are accounting requirements.
● O&M
  Uniformly manage wired and wireless networks.
Networking Diagram
The aggregation switch S12700 or S7700 is configured as the authentication point and
gateway on the entire school campus backbone network. The S12700 and S7700 have the
X1E card installed, support native AC, and carry wireless services on the entire network.
Network Design
● Configure egress FWs to carry outgoing services, isolate the external network from the
  internal network, and implement service routing and NAT between the internal and
  external networks.
● Enable the intelligent path selection function on the FWs to allow the FWs to select
  egress interfaces according to the egress link bandwidth, thereby maximizing link
  resource usage and improving user experience.
● To enable internal network users to access external networks, configure NAT on the
  uplink interfaces of the egress FWs to convert between private network IP addresses and
  public network IP addresses.
● Enable the smart domain name system (DNS) function on the FWs to ensure that user
  access requests of different carriers are properly parsed.
● Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a
  campus network, providing high network reliability and scalability.
● The S12700 and S7700 are used as aggregation switches in each office building and
  connect to access switches of each floor. The S5700 is used as the access switch.
● The aggregation switches S12700 and S7700 are configured with native AC to manage
  APs on the entire network and transmit wireless services to implement wired and
  wireless convergence.
● The aggregation switches S12700 and S7700 are used as the gateway for both wired and
  wireless users on the entire network, and forward packets of users based on routes. The
  S12700 and S7700 also function as the authentication point to authenticate wired and
  wireless users.
● Strict STA IP address learning through DHCP, dynamic ARP inspection, and IPSG are
  enabled to prevent IP packets from unauthorized users from accessing the external
  network through APs, improving device security.
● To enable DHCP clients to obtain IP addresses through valid DHCP servers, and prevent
  bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP packet attacks,
  you are advised to configure DHCP snooping. If both wired and wireless users exist on
  the network, you are not advised to enable DHCP snooping on switch interfaces
  connecting to APs, because this may cause the number of user binding entries on
  switches to exceed the specification. Instead, you are advised to configure DHCP
  snooping for wired users based on VLANs and to configure DHCP snooping for wireless
  users on the wireless-side VAP profiles.
● If there are no multicast services transmitted on the network, you are advised to
  configure multicast packet suppression to reduce the impact of a large number of
  low-rate multicast packets on the wireless network.
S5700 V200R011C10
FW(USG6650) V500R001C60
AP V200R007C20
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the access switch.
2. Use two S12700s to set up a CSS.
3. Configure the core switch connected to the NGFW module and USG6600.
4. Establish a connection between the NGFW card and the Agile Controller.
5. Configure interfaces and VLANs on the aggregation switch S12700.
6. Configure the aggregation switch as a DHCP server to allocate IP addresses to users.
7. Configure wireless services on the aggregation switch S12700 and configure wired
services on the S7700.
8. Configure wired and wireless authentication and accounting services on the aggregation
switch S12700 or S7700. Portal authentication is used as an example here.
9. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the
aggregation switch for interworking with the Agile Controller, and enable free mobility.
10. Configure interfaces and IP addresses on the firewall.
11. Configure zones and security policies on the firewall.
12. Configure HRP on the firewall.
13. Perform agile network configurations on the firewall.
14. Log in to the Agile Controller to add user groups and user accounts.
15. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add an aggregation switch and a firewall (including the NGFW module)
on the Agile Controller.
16. Configure and deploy security groups and inter-group policies on the Agile Controller.
17. Configure and deploy QoS policies on the Agile Controller.
18. Configure and deploy service chains on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.
25. Configure user group management and create users on the Srun.
Data Plan
LoopBack 1 - 3.3.3.3/32
LoopBack 1 - 4.4.4.4/32
Table 4-103 Basic service data plan of the aggregation switch S12700
Item VLAN ID Network Segment
LoopBack 1 - 1.1.1.1/32
Table 4-104 Basic service data plan of the aggregation switch S7700
Item VLAN ID Network Segment
LoopBack 1 - 2.2.2.2/32
Table 4-105 Basic service data plan of the aggregation switch S12700 or S7700
Item Data
Item Data
NAS IP 168.88.77.10/1.1.1.1/2.2.2.2
DM port 3799
Vendor-ID 0
Vendor-name -
Attribute ID 11
Type Integer
Format %d
Dictionary dictionary.rfc2865
user2/Huawei123 bound to
the user group group2 and
the accounting group
group2_accounting
Table 4-108 Data plan of the egress solution and USG6600 HRP
Device  Interface Number  Member Interface  VLANIF  IP Address  Remote Device  Remote Interface Number
GE1/0/4
XGE1/4/0/1
● Policy enforcement points for free mobility are deployed on agile switches or
  Next-Generation Firewalls (NGFWs).
● If there is a requirement for user-to-user access control, Layer 2 isolation must be
  deployed on access switches to divert all traffic to authentication point switches. User
  isolation for wireless service needs to be configured in the VAP profile.
● If 802.1X authentication needs to be deployed on switches and firewalls function as
  policy enforcement points for free mobility, it is required to configure real-time
  accounting on switches. The switches report IP addresses to the Agile
  Controller-Campus for firewalls to query by sending accounting packets.
● When 802.1X authentication is used for wired users, the authentication points can be
  core switches or aggregation switches. If the authentication points are core switches,
  EAP packet transparent transmission must be configured on access switches and
  aggregation switches. Similarly, if the authentication points are aggregation switches,
  EAP packet transparent transmission must be configured on access switches.
● When a firewall functions as a policy enforcement point, the intranet user network
  segment needs to be specified on the Agile Controller-Campus for the firewall to query
  the security group to which an IP address belongs. When user access traffic reaches the
  firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
  its security group. The firewall will initiate inquiries only when the IP addresses are
  within the intranet segment.
● When a firewall functions as a policy enforcement point, to prevent the security group
  queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
  recommended that the Agile Controller-Campus deliver global configurations to the
  firewall and forward RADIUS packets to the Agile Controller-Campus.
● Only firewalls support the free mobility QoS policy.
● To implement free mobility, only firewalls support the application-based access
  permission control, bandwidth rate limit, and priority scheduling.
● In a stack system, before connecting an AS with the name and MAC address
  pre-configured on the parent to an SVF system, it is recommended that you set up a
  stack for the AS and then configure the pre-configured MAC address as the management
  MAC address. You can configure the MAC address as the MAC address of the master
  switch in the stack. In this situation, the AS management MAC address is the same as
  the pre-configured one by default, and no management MAC address needs to be
  configured. If the AS name and MAC address are configured after the AS connects to an
  SVF system, the management MAC address does not need to be configured.
● Some Huawei switches can connect to an SVF system through downlink ports. Before
  restarting an AS, check whether the port that connects this AS to the parent is a downlink
  port. You can run the display port connection-type access all command on this AS to
  view all downlink ports on it. If this port is a downlink port, run the
  uni-mng up-direction fabric-port command on this AS to configure this port as an
  uplink port before restarting this AS. Otherwise, this AS cannot go online.
● Stack member switches connected using downlink service ports cannot join an SVF
  system as ASs.
● If downlink service ports of an AS are configured as member ports of an uplink fabric
  port, all the downlink ports of the AS cannot be configured as stack member ports.
● Pay attention to the following notes when replacing a faulty AS:
  – An AS can only be replaced by a device of the same model. If the new device is a
    different model, the SVF system considers it as a new AS, which then cannot
    inherit services on the previous AS.
  – Only a standalone AS can be replaced, and a stacked AS cannot be replaced.
  – AS automatic replacement is not supported when an AS connects to the parent
    through a network.
  – To ensure that a replacement AS can be successfully authenticated, run the
    auth-mode none command to set the AS authentication mode to none, or run the
    whitelist mac-address command to add the management MAC address of the
    replacement AS to the whitelist. If the replacement AS has no management MAC
    address configured, the system MAC address is used as the management MAC
    address.
----End
[S12700-2] set css priority 10 //On S12700-2, set the CSS ID and CSS priority to 2 and 10, respectively.
# Check whether a CSS is set up successfully. If the card status of two member switches is
displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit
GigabitEthernet1/1/1/7
GigabitEthernet2/1/1/7
XGigabitEthernet1/6/0/0
XGigabitEthernet2/6/0/0
# Create a loopback interface, and specify the IP address of this interface as the OSPF router
ID.
[core-switch-Eth-Trunk3] quit
[core-switch] interface gigabitethernet 1/2/0/0
[core-switch-GigabitEthernet1/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet1/2/0/0] quit
[core-switch] interface gigabitethernet 2/2/0/0
[core-switch-GigabitEthernet2/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet2/2/0/0] quit
[core-switch] interface eth-trunk 4 //Create Eth-Trunk 4 connected to FW2.
[core-switch-Eth-Trunk4] port link-type access
[core-switch-Eth-Trunk4] port default vlan 10
[core-switch-Eth-Trunk4] quit
[core-switch] interface gigabitethernet 1/2/0/1
[core-switch-GigabitEthernet1/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet1/2/0/1] quit
[core-switch] interface gigabitethernet 2/2/0/1
[core-switch-GigabitEthernet2/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet2/2/0/1] quit
[core-switch] interface gigabitethernet 1/2/0/20
[core-switch-GigabitEthernet1/2/0/20] port link-type access
[core-switch-GigabitEthernet1/2/0/20] port default vlan 1000
[core-switch-GigabitEthernet1/2/0/20] quit
# Configure interworking between the NGFW module and the core switch.
[NGFW Module] vlan batch 9
[NGFW Module] interface vlanif 9
[NGFW Module-Vlanif9] ip address 192.168.9.1 255.255.255.0
[NGFW Module-Vlanif9] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] quit
[NGFW Module] interface gigabitethernet 1/0/0
[NGFW Module-GigabitEthernet1/0/0] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/0] quit
[NGFW Module] interface gigabitethernet 1/0/1
[NGFW Module-GigabitEthernet1/0/1] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/1] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] portswitch
[NGFW Module-Eth-Trunk0] port link-type trunk
[NGFW Module-Eth-Trunk0] port trunk allow-pass vlan 9
[NGFW Module-Eth-Trunk0] undo port trunk allow-pass vlan 1
[NGFW Module-Eth-Trunk0] quit
# Configure a routing protocol based on site requirements. OSPF and static routing protocols
are used here.
[core-switch] ip ip-prefix test01 index 1 permit 172.16.30.0 24 //The route is advertised to the firewall only.
[core-switch] ip ip-prefix test01 index 2 permit 172.16.40.0 24
[core-switch] ospf 1 router-id 3.3.3.3
[core-switch-ospf-1] filter-policy ip-prefix test01 export static //Configure the core switch to advertise static routes to network segments of wired and wireless users.
[core-switch-ospf-1] sham-hello enable
[core-switch-ospf-1] import-route static
[core-switch-ospf-1] area 0.0.0.0
[core-switch-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the core switch to advertise the network segment connected to the USG6600.
[core-switch-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the core switch to advertise the address segment of the Agile Controller.
[core-switch-ospf-1-area-0.0.0.0] quit
[core-switch-ospf-1] quit
[core-switch] ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
[core-switch] ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
[core-switch] ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
[core-switch] ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
[core-switch] ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
[core-switch] ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.101.3 255.255.255.255 192.168.12.1
----End
# Enable DHCP globally, and configure DHCP snooping for the service VLAN.
[S12700] dhcp enable
[S12700] dhcp snooping enable
[S12700] vlan 30
[S12700-vlan30] dhcp snooping enable
[S12700-vlan30] quit
# Create a wireless management interface VLANIF 20, and assign IP addresses to APs from
the interface address pool.
[S12700] interface vlanif 20
[S12700-Vlanif20] ip address 192.168.20.1 255.255.255.0
[S12700-Vlanif20] dhcp select interface
[S12700-Vlanif20] quit
# Create a wireless service interface VLANIF 30, and assign IP addresses to STAs from the
interface address pool.
[S12700] interface vlanif 30
[S12700-Vlanif30] ip address 172.16.30.1 255.255.255.0
[S12700-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[S12700-Vlanif30] dhcp select interface
[S12700-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[S12700-Vlanif30] quit
# Configure the gateway S12700 to disable TC packet-triggered ARP entry update and enable
MAC address-triggered ARP entry update.
[S12700] arp topology-change disable
[S12700] mac-address update arp
# The gateway is specified as the root bridge and root protection is configured on the
designated port of the root bridge. (Root protection can be configured only on a downlink
port.)
[S12700] stp instance 0 root primary
[S12700] interface gigabitethernet 1/1/0
[S12700-GigabitEthernet1/1/0] stp root-protection
# Configure an authentication scheme test01 and set the authentication mode to RADIUS.
[S12700] aaa
[S12700-aaa] authentication-scheme test01
[S12700-aaa-authen-test01] authentication-mode radius
[S12700-aaa-authen-test01] quit
# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[S12700-aaa] accounting-scheme test01
[S12700-aaa-accounting-test01] accounting-mode radius
[S12700-aaa-accounting-test01] accounting realtime 15 //Set the accounting interval to 15 minutes.
[S12700-aaa-accounting-test01] quit
# Create an authentication domain named huawei and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[S12700-aaa] domain huawei
[S12700-aaa-domain-huawei] authentication-scheme test01
[S12700-aaa-domain-huawei] accounting-scheme test01
[S12700-aaa-domain-huawei] radius-server test01
[S12700-aaa-domain-huawei] quit
# Configure the Portal authentication server and create a Portal access profile named portal1.
[S12700] web-auth-server test01
[S12700-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address of the Portal authentication server.
[S12700-web-auth-server-test01] source-ip 1.1.1.1
[S12700-web-auth-server-test01] port 50100 //Configure the port number of the Portal authentication server.
[S12700-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key for communication between the Portal authentication server and switch. The shared key must be the same as that of the Agile Controller.
[S12700-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[S12700-web-auth-server-test01] quit
[S12700] portal-access-profile name portal1
[S12700-portal-acces-profile-portal1] web-auth-server test01 direct
[S12700-portal-acces-profile-portal1] quit
# Configure an authentication-free rule to permit packets from the DNS server so that the
Portal authentication page can be redirected.
[S12700] free-rule-template name default_free_rule
[S12700-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[S12700-free-rule-default_free_rule] quit
Step 4 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1
# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[S12700-wlan-view] regulatory-domain-profile name domain1
[S12700-wlan-regulate-domain-domain1] country-code CN
[S12700-wlan-regulate-domain-domain1] quit
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12700-wlan-ap-group-ap-group1] quit
[S12700-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Assume that
the MAC address of the AP is ac85-3d95-d800.
[S12700] wlan
[S12700-wlan-view] ap auth-mode mac-auth
[S12700-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[S12700-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[S12700-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[S12700-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------------
ID   MAC            Name           Group     IP             Type         State STA Uptime
--------------------------------------------------------------------------------------------
0    ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
--------------------------------------------------------------------------------------------
Total: 1
NOTE
The prerequisites for running the ip source check user-bind enable command are as follows:
IP packet checking is based on the binding table, so:
- The dynamic DHCP snooping binding table has been generated for DHCP users.
- The static binding table has been configured manually for users using static IP addresses.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted port has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command.
# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[S12700] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2
# Create a traffic policy named test, and bind the traffic classifier and traffic behavior to
the traffic policy.
[S12700] traffic policy test
[S12700-trafficpolicy-test] classifier test behavior test
[S12700-trafficpolicy-test] quit
----End
Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the
Eth-Trunk.
# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface gigabitethernet
1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface gigabitethernet
1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit
# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively). Configure health check
for links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
# Configure a global route selection policy, and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet1/0/1
[FW1-multi-inter] add interface gigabitethernet1/0/2
[FW1-multi-inter] quit
# Configure quick session backup, specify the heartbeat interface, and enable HRP on FW1
and FW2.
[FW1] hrp track interface eth-trunk 30
[FW1] hrp interface gigabitethernet 1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
[FW2] hrp track interface eth-trunk 40
[FW2] hrp interface gigabitethernet 1/0/5 remote 10.10.0.1
[FW2] hrp mirror session enable
[FW2] hrp enable
# After the hot standby status is successfully created, the security policies of FW1 will be
automatically backed up to FW2.
HRP_M[FW1] security-policy
HRP_M[FW1-policy-security] rule name policy_dmz //Allow mutual access between the local and DMZ zones.
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FW1-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FW1-policy-security-rule-policy_dmz] action permit
HRP_M[FW1-policy-security-rule-policy_dmz] quit
HRP_M[FW1-policy-security] rule name trust_to_untrust //Allow internal network users to access external networks.
HRP_M[FW1-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FW1-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW1-policy-security-rule-trust_to_untrust] quit
# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-rule-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-rule-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-rule-policy_nat2] quit
HRP_M[FW1-policy-nat] quit
# Contact the ISP administrator to configure routes whose destination addresses are those in
addressgroup1 and addressgroup2, with the next hop set to the corresponding interface
address on the USG6600.
Step 10 Configure routes based on site requirements.
# Advertise OSPF routes.
# Configure default routes to the ISP server. In this example, static routes are used.
HRP_M[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
HRP_M[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
NOTE
This function requires a license. It also requires dynamic loading of the corresponding components.
Create an application behavior control profile to forbid HTTP and File Transfer Protocol (FTP)
operations during study time.
HRP_M[FW1] profile type app-control name profile_app_work
HRP_M[FW1-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FW1-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FW1-profile-app-control-profile_app_work] quit
Create an application behavior control profile to permit only HTTP web page browsing,
proxy-based Internet access, and file downloading during rest time.
Create a time range named working_hours. The time range is the class time.
HRP_M[FW1] time-range working_hours
HRP_M[FW1-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FW1-time-range-working_hours] quit
Create a time range named off_hours. The time range is the non-class time.
HRP_M[FW1] time-range off_hours
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FW1-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FW1-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FW1-time-range-off_hours] quit
Configure a security policy named policy_sec_rest and reference off_hours and application
behavior control configuration file profile_app_rest to control application behaviors of
students during the non-class time.
HRP_A[FW1-policy-security] rule name policy_sec_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] source-zone trust
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_A[FW1-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_A[FW1-policy-security-rule-policy_sec_rest] user any
HRP_A[FW1-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_A[FW1-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_A[FW1-policy-security-rule-policy_sec_rest] action permit
HRP_A[FW1-policy-security-rule-policy_sec_rest] quit
----End
IP address of the Agile Controller: If port 80 is enabled during installation, you can access the
Agile Controller by simply entering its IP address without the port number. The Agile Controller
address will automatically change to https://Agile Controller-IP:8443.
2. Enter the administrator user name and password. If you log in to the Agile Controller for
the first time, use the super administrator user name and password. Change the password
immediately after logging in; otherwise, the Agile Controller cannot be used.
Step 2 Add the aggregation switch S12700.
1. Choose Resource > Device > Device Management and add the aggregation switch
S12700 to the authentication point device. Configure the IP address for the S12700 that
communicates with the Agile Controller. Enable RADIUS and Portal authentication, set
the RADIUS authentication and accounting keys to Admin@123, and set the real-time
accounting interval to 15 minutes. Set the Portal port to 2000, Portal key to Admin@123,
and access terminal IP address list to be within the allocation scope of terminal IP
addresses (a route for packets to be returned to the terminal IP address should be added
to the Agile Controller server, and its configuration is not mentioned here).
3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.
3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.
Step 4 Configure two dynamic security groups named group1 and group2, and two resource groups
named server1 and server2.
1. Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Add and create group1 and group2.
2. Choose Policy > Permission Control > Security Group > Static Security Group
Management. Click Add and create server1 and server2.
3. Select the new policy and click Global Deployment to deploy the network policy on the
agile device.
The firewall uses the internal network segments to decide when to query a user's security group
by IP address. When user traffic reaches the firewall, the firewall queries the Agile
Controller-Campus for the security group to which the user belongs. Only IP addresses within the
internal network segments trigger this query.
2. After the network segment of the internal network is deployed successfully, run the
display agile-network intranet-address command to check the internal network
segment that is delivered by the NGFW module.
[NGFW] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255
1. Choose Policy > Free Mobility > Policy Configuration > QoS Policy. Click
next to the VIP security group configuration and select group1.
2. Click Add in Device List, select FW1 and FW2, and click OK.
3. Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully,
you can view the deployment result on the USG6600. group1 is deployed as the VIP
security group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0
4. After the service chain is successfully deployed, run the display interface tunnel
command on the aggregation switch or on the NGFW module to check the GRE tunnel
status.
[S12700] display interface tunnel
Tunnel16382 current state : UP
Description:Controller_MSV_from_172.30.100.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.5/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.100.2 (LoopBack100), destination 172.30.100.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
Tunnel16383 current state : UP
Description:Controller_MSV_to_172.30.101.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.1/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.101.2 (LoopBack101), destination 172.30.101.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
5. Choose Policy > Service Chain > Service Flow Definition. Click Add to add a service
flow, and set the definition mode to ACL to add intercommunication traffic between
office building A and office building B.
Step 10 Configure the RADIUS relay agent to obtain packets sent from devices and forward the
packets to the RADIUS server.
1. Choose System > External Authentication > RADIUS Proxy, and click Add. Set
parameters and click OK.
Parameter Description
Parameter Description
Operator Equal
Attribute value 25
Operator Equal
Attribute value 26
2. Configure basic information about the authorization result and click OK.
Authorization Result Parameter Value
2. Configure basic information about the authorization rule and click OK.
Authorization Rule Parameter Value
Step 14 Define authentication rules and enable the RADIUS relay agent.
1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and click Add to create an authorization rule.
----End
3. The configuration of other devices (the aggregation switch S7700 at 2.2.2.2 and the
Agile Controller at 168.88.77.10) is similar to that of the RADIUS trusted device, and is
not mentioned here.
Step 6 Configure an accounting group on the Srun4000 and bind the accounting group to the
corresponding accounting and control policies.
# Choose Strategy > Product. Click Add to create two new accounting
groups group1_accounting and group2_accounting. Bind accounting
# Click Save.
Step 7 Create user groups on the Srun4000.
# Choose System Setting > Permission > Organization Structure, place the cursor on
, and click to add user groups group1 and group2.
# Click Save.
----End
4.19.3.6 Verification
Step 1 After configuring HRP, you can run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:36 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 44998, peer_priority = 44998.
HRP_S[FW2] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:37 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 44998, peer_priority = 44998.
Step 2 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
Step 3 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the aggregation switch to check deployment information.
# Run the display ucl-group all command to check the security group configuration.
[S12700] display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group1
2 group2
--------------------------------------------------------------------------------
Total : 2
# Run the display acl all command to check the access control policy configuration.
[S12700] display acl all
Total nonempty ACL number is 3
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5
Step 4 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 and the NGFW module to check deployment
information.
# Run the display security-policy all command to check the security policy configuration.
HRP_M[FW1] display security-policy all
Total:9
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0
3 Auto_PGM_U1_3 enable permit
0
4 Auto_PGM_U1_4 enable permit
13
5 Auto_PGM_U2_1 enable permit
0
6 Auto_PGM_U2_2 enable deny
5
7 Auto_PGM_U2_3 enable deny
0
8 Auto_PGM_U2_4 enable permit
0
-------------------------------------------------------------------------------
Step 5 A wireless user is authenticated on a terminal using the user name and password that are
defined on the Srun. After the user is successfully authenticated, check the user table on the
switch. The wireless user successfully matches a security group.
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 10(s)
Work group ID : default
User forward slot : 3
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 6 A wired user is authenticated on a terminal using the user name and password that are defined
on the Srun. After the user is successfully authenticated, check the user table on the switch.
The wired user successfully matches a security group.
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 7 After the user goes online, the user packet can trigger the NGFW module to obtain a correct
security group from the Agile Controller.
[NGFW Module] display agile-network user
Total user: 4, show user: 4.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.16.30.253 2016/07/30 16:36:17 0 0 2-group2
172.16.40.254 2016/07/30 16:36:17 0 0 2-group2
172.16.30.254 2016/07/30 16:37:27 0 0 1-group1
172.16.40.253 2016/07/30 16:37:27 0 0 1-group1
# The user user1 of office building A cannot communicate with the user user2 of office
building B.
C:\Users\Administrator>ping 172.16.40.254
----End
interface GigabitEthernet1/3/1/1
eth-trunk 2
#
interface GigabitEthernet2/3/1/1
eth-trunk 2
#
interface XGigabitEthernet1/4/0/0
eth-trunk 0
#
interface XGigabitEthernet1/4/0/1
eth-trunk 0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
filter-policy ip-prefix test01 export static
import-route static
sham-hello enable
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 192.168.10.0 0.0.0.255
#
ip ip-prefix test01 index 1 permit 172.16.30.0 24
ip ip-prefix test01 index 2 permit 172.16.40.0 24
#
ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
ip route-static 172.30.101.3 255.255.255.255 192.168.12.1
#
NGFW Module
#
sysname NGFW Module
#
vlan batch 9
#
radius-server template test01
radius-server shared-key cipher %@%@eJb}7fm's=:^`p5QuT<77K&]%@%@
radius-server authentication 168.88.77.10 1812 source ip-address 4.4.4.4 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 4.4.4.4 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Vlanif9
ip address 192.168.9.1 255.255.255.0
#
interface Eth-Trunk0
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.1 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk0
add interface GigabitEthernet0/0/0
add interface Vlanif9
#
ip route-static 0.0.0.0 0.0.0.0 192.168.9.2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 4.4.4.4
password %$%$0}:jXH3"FLn__tY:4q^0Nof]%$%$
xmpp connect
#
security-policy
default action permit
#
FW1
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1001
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1002
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.1 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.2 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.1 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 5.5.5.5
import-route static
sham-hello enable
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 5.5.5.5
password %$%$"YrVNBu2PI{BlL0'$8UE680%$%$
xmpp connect
#
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return
FW2
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1003
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1004
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.2 255.255.255.0
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 6.6.6.6
import-route static
sham-hello enable
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 6.6.6.6
password %$%$_i#0Mg|T-XkLhMY&VI&WGh$_%$%$
xmpp connect
#
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone isp1
destination-zone isp2
action permit
rule name policy_sec_work
source-zone trust
destination-zone isp1
destination-zone isp2
time-range working_hours
profile app-control profile_app_work
action permit
rule name policy_sec_rest
source-zone trust
destination-zone isp1
destination-zone isp2
time-range off_hours
profile app-control profile_app_rest
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
http-control post action deny
http-control proxy action deny
http-control web-browse action deny
http-control file direction upload action deny
http-control file direction download action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
http-control post action deny
http-control file direction upload action deny
ftp-control file delete action deny
ftp-control file direction upload action deny
ftp-control file direction download action deny
#
time-range working_hours
period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
period-range 00:00:00 to 23:59:59 off-day
period-range 00:00:00 to 08:59:59 working-day
period-range 17:30:01 to 23:59:59 working-day
#
return
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
The AC and server must have the same RADIUS shared key.
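Why the two keys must match, shown as an added example (not code from this guide): in 802.1X the AC signs each Access-Request that carries an EAP-Message with a Message-Authenticator (HMAC-MD5 keyed with the shared key, RFC 3579), and the server's reply carries a Response Authenticator (MD5 over the packet plus the shared key, RFC 2865). The key values, user name and EAP payload below are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, ident, user, eap, request_auth=None):
    """What the AC (the RADIUS client) sends for an 802.1X user."""
    request_auth = request_auth or os.urandom(16)
    # The Message-Authenticator value is 16 zero octets while the HMAC is computed.
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Server-side check; a packet that fails is silently discarded."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return False
            found = pos + 2
        pos += a_len
    if pos != length or found is None:
        return False
    zeroed = packet[:found] + bytes(16) + packet[found + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found:found + 16])


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Server reply: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret).
    A real reply to an EAP request also carries its own Message-Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, response, request_auth):
    """AC-side check of the reply against the request it sent."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    ac_key = b"constructed-key-on-AC"          # constructed sample values
    server_key = b"constructed-key-on-server"  # deliberately different
    eap_identity = b"\x02\x07\x00\x0a\x01alice"  # EAP-Response/Identity, constructed
    req = build_access_request(ac_key, 7, b"alice", eap_identity)
    print("server accepts request (keys differ):", verify_message_authenticator(server_key, req))
    print("server accepts request (keys match): ", verify_message_authenticator(ac_key, req))
    resp = build_response(server_key, ACCESS_ACCEPT, 7, req[4:20])
    print("AC accepts reply (keys differ):       ", verify_response(ac_key, resp, req[4:20]))
```

Because a failed check is dropped without a reply, a key mismatch shows up on the AC as RADIUS timeouts rather than as an explicit reject.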
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
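The port-isolation and VLAN notes above can be checked against a saved CLI transcript before rollout. The following is an added example, not part of this guide: the sample transcript is constructed in the style of the Step 1 listings, the list of AP-facing ports is supplied by the operator, and the "unneeded VLAN" check is an assumption that mirrors how the guide's own examples trunk only the VLANs they use.

```python
import re

# Matches interface-view prompts such as "[SwitchA-GigabitEthernet0/0/1] port link-type trunk".
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)-(?P<view>[^\]]+)\]\s*(?P<cmd>.+)$")
ALLOW = "port trunk allow-pass vlan "


def parse_vlans(text):
    """Expand '100 101' or '100 to 104' into a set of VLAN IDs."""
    tokens, vlans, i = text.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_transcript(text):
    """Collect per-interface settings keyed by (sysname, interface)."""
    ports = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m["view"].lower().startswith("gigabitethernet"):
            continue
        port = ports.setdefault(
            (m["host"], m["view"]),
            {"link_type": None, "pvid": 1, "allowed": set(), "isolate": False},
        )
        cmd = m["cmd"].strip()
        if cmd.startswith("port link-type "):
            port["link_type"] = cmd.split()[-1]
        elif cmd.startswith("port trunk pvid vlan "):
            port["pvid"] = int(cmd.split()[-1])
        elif cmd.startswith(ALLOW):
            port["allowed"] |= parse_vlans(cmd[len(ALLOW):])
        elif cmd == "port-isolate enable":
            port["isolate"] = True
    return ports


def audit(ports, ap_ports, mgmt_vlan, service_vlans, forwarding):
    """Return findings for the AP-facing ports; forwarding is 'direct' or 'tunnel'."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(f"tunnel forwarding: management VLAN {mgmt_vlan} is also a service VLAN")
    # In direct forwarding the AP port also carries the service VLANs.
    needed = {mgmt_vlan} | (set(service_vlans) if forwarding == "direct" else set())
    for key in ap_ports:
        name = "%s %s" % key
        port = ports.get(key)
        if port is None:
            findings.append(f"{name}: no configuration found")
            continue
        if not port["isolate"]:
            findings.append(f"{name}: port-isolate not enabled")
        if port["pvid"] != mgmt_vlan:
            findings.append(f"{name}: PVID {port['pvid']} is not management VLAN {mgmt_vlan}")
        missing = needed - port["allowed"]
        if missing:
            findings.append(f"{name}: trunk does not allow VLAN(s) {sorted(missing)}")
        extra = port["allowed"] - needed  # assumption: trunk only what is used
        if extra:
            findings.append(f"{name}: trunk allows unneeded VLAN(s) {sorted(extra)}")
    return findings


# Constructed sample: GE0/0/1 follows the guide, GE0/0/3 is deliberately misconfigured.
SAMPLE = """
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 to 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[SwitchA-GigabitEthernet0/0/3] quit
"""
AP_PORTS = [("SwitchA", "GigabitEthernet0/0/1"), ("SwitchA", "GigabitEthernet0/0/3")]

if __name__ == "__main__":
    for finding in audit(parse_transcript(SAMPLE), AP_PORTS, 100, [101], "direct"):
        print(finding)
```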
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open
Data Planning
Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
IP address pool for APs | 10.23.100.2–10.23.100.254/24
IP address pool for STAs | 10.23.101.3–10.23.101.254/24
MAC access profile | Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-4.
• Configure 5G-prior access
– To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network.
– Enable band steering. By default, band steering is enabled.
• Reduce the user association aging time
– To prevent users who frequently disconnect from the wireless network.
– Set the association aging time to 1 minute.
• Limit user rates
– To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs.
– Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
• Configure smart roaming
– To prevent weak-signal STAs from degrading user experience.
– Enable smart roaming and set the SNR threshold to 15 dB.
• Set the RTS-CTS threshold
– To prevent hidden STAs.
– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
• Adjust the interval at which Beacon frames are sent
– To improve the overall data traffic of APs.
– Set the interval for sending Beacon frames to 160 ms.
• Adjust the transmit rate of 2.4 GHz Beacon frames
– To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency.
– Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s.
• Set the guard interval (GI) mode to short GI
– To reduce extra overhead and improve AP transmission efficiency.
– Set the GI mode to short GI.
• Configure the basic rate set
– To improve the overall AP throughput.
– Delete low rates from the basic rate set.
• Configure the multicast rate
– To improve air interface efficiency.
– Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
7. Deliver the WLAN services to the APs and verify the configuration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Set Security settings to Key (applicable to personnel networks) and set the key.
Click Finish.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 1 and transmit power to 127 dBm. Disable automatic channel and
power calibration functions. The configuration of Radio1 is similar to the configuration
of Radio 0, and is not mentioned here.
# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
Data Planning
Item Data
• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)

• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security

• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default

• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
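The following audit check is an added example, not part of the original guide or of any Huawei tool. It parses a pasted CLI session like the Switch_B one in this step and lists AP-facing trunk ports that lack port-isolate enable. It assumes AP-facing ports are the ones whose PVID is the management VLAN (100 here) and that an unset PVID defaults to VLAN 1; GE0/0/3 in the sample is a constructed port added to show a finding.

```python
import re

# Constructed sample: the Switch_B session from this step, plus a hypothetical
# GE0/0/3 that faces an AP (PVID 100) but has no port isolation configured.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/3] quit
"""

# A prompt is <view> or [view], followed by the command that was typed.
PROMPT = re.compile(r"^[<\[](?P<view>[^>\]]+)[>\]]\s*(?P<cmd>.*)$")
ALLOW_PASS = "port trunk allow-pass vlan "
PVID = "port trunk pvid vlan "


def parse_vlan_list(text):
    """Expand '100 to 101' or '100 101 200' into a set of VLAN IDs."""
    tokens, vlans, i = text.split(), set(), 0
    while i < len(tokens):
        if not tokens[i].isdigit():          # skip keywords such as 'all'
            i += 1
            continue
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to" and tokens[i + 2].isdigit():
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_session(session):
    """Return {interface: {'pvid': int, 'allowed': set, 'isolated': bool}}."""
    ports, current = {}, None
    for line in session.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        cmd = match.group("cmd").strip().lower()
        if cmd.startswith("interface "):
            # 'gigabitEthernet 0/0/1' -> 'gigabitethernet0/0/1'
            current = cmd[len("interface "):].replace(" ", "")
            ports.setdefault(current, {"pvid": 1, "allowed": set(), "isolated": False})
        elif cmd in ("quit", "return"):
            current = None
        elif current is None:
            continue
        elif cmd.startswith(PVID):
            ports[current]["pvid"] = int(cmd.split()[-1])
        elif cmd.startswith(ALLOW_PASS):
            ports[current]["allowed"] |= parse_vlan_list(cmd[len(ALLOW_PASS):])
        elif cmd == "port-isolate enable":
            ports[current]["isolated"] = True
    return ports


def unisolated_ap_ports(session, mgmt_vlan=100):
    """AP-facing ports (PVID == management VLAN) without port isolation."""
    return sorted(name for name, port in parse_session(session).items()
                  if port["pvid"] == mgmt_vlan and not port["isolated"])


if __name__ == "__main__":
    for name in unisolated_ap_ports(SAMPLE_SESSION):
        print(f"{name}: AP-facing port without port-isolate enable")
```

The uplink GE0/0/2 is not reported because its PVID is not the management VLAN, which matches the note that isolation applies to the interfaces directly connected to APs.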
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Disable automatic channel and power calibration. Set the channel parameters to
40+ MHz and 157. Set the bridge distance to 4.
# Configure radio 0 in the same way. Disable automatic channel and power calibration
and set the channel parameters to 20 MHz and 6.
# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.
# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration. Set parameters for Radio0. Set Channel to 20
MHz and 11.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
Step 8 Configure AP_2.
1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click Add to configure the WDS whitelist.
# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The MAC addresses are added to the Mesh whitelist.
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.
# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in tagged mode, and set the Port PVID to
101.
# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.
# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.
# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.
# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping. Set
IGMP-Snooping to ON in Global Setting.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.
# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.
----End
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                                       Data
IP address pool for central APs and RUs    10.23.100.2-10.23.100.254/24
IP address pool for STAs                   10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, which makes the WLAN vulnerable to attacks. For
example, an attacker may deploy a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing a great threat
to the enterprise network. To prevent such attacks, the detection and containment function
can be configured for authorized APs. In this way, the AC can detect rogue AP area_2 (neither
managed by the AC nor in the authorized AP list) and prevent STAs from associating with the
rogue AP.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-7 Networking for configuring rogue device detection and containment
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
causing STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
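The decision logic described above, as an added example that is not from the original guide and is not Huawei's implementation: a simplified model that marks a detected AP as rogue when it is neither managed by the AC nor in the authorized AP list, and selects for containment only rogue APs that spoof the service SSID on a channel the radio can act on. The BSSIDs other than area_1's, the SSID cafe-guest, and all function and field names are constructed for illustration.

```python
import re

MANAGED = ["60de-4476-e360"]      # area_1, the AP managed by the AC in this example
WHITELIST = []                    # authorized AP list (empty in this sketch)
SERVICE_SSIDS = {"wlan-net"}
SERVICE_CHANNELS = {6}            # radio 0 is set to 20-MHz channel 6 later on

# Constructed scan results as an AP might report them to the AC.
SAMPLE_SCAN = [
    {"name": "area_1", "bssid": "60:DE:44:76:E3:60", "ssid": "wlan-net", "channel": 6},
    {"name": "area_2", "bssid": "0200-5e10-0002", "ssid": "wlan-net", "channel": 6},
    {"name": "unknown_a", "bssid": "0200-5e10-0003", "ssid": "wlan-net", "channel": 11},
    {"name": "unknown_b", "bssid": "0200-5e10-0004", "ssid": "cafe-guest", "channel": 6},
]


def norm_mac(mac):
    """Normalize 60de-4476-e360 or 60:DE:44:76:E3:60 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(scan, managed, whitelist, service_ssids, service_channels,
             monitor_mode=False):
    """Return one result per detected AP with a verdict and a containment flag.

    verdict: 'authorized'       managed by the AC or in the authorized AP list
             'rogue-spoof-ssid' unknown AP advertising a service SSID
             'rogue'            any other unknown AP
    contain: True only for spoofing rogue APs that the radio can reach:
             the service channels in normal mode, every channel in monitor mode.
    """
    known = {norm_mac(m) for m in managed} | {norm_mac(m) for m in whitelist}
    results = []
    for rec in scan:
        bssid = norm_mac(rec["bssid"])
        if bssid in known:
            verdict = "authorized"
        elif rec["ssid"] in service_ssids:
            verdict = "rogue-spoof-ssid"
        else:
            verdict = "rogue"
        reachable = monitor_mode or rec["channel"] in service_channels
        results.append({**rec, "bssid": bssid, "verdict": verdict,
                        "contain": verdict == "rogue-spoof-ssid" and reachable})
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("monitor mode" if mode else "normal mode")
        for r in classify(SAMPLE_SCAN, MANAGED, WHITELIST, SERVICE_SSIDS,
                          SERVICE_CHANNELS, monitor_mode=mode):
            print(f"  {r['name']:<10} ch{r['channel']:<3} {r['verdict']:<17} "
                  f"contain={r['contain']}")
```

In normal mode the spoofing AP on channel 11 is detected but not contained, which is the trade-off the note describes between keeping WLAN services up and covering all channels.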
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Configure radio 0 to work in normal mode, and enable rogue device detection and
containment.
# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
# Click the icon in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.
# Click Apply. In the Info dialog box that is displayed, click OK.
Step 8 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
• Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.
----End
Networking Requirements
As shown in Figure 5-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Router functions as a DHCP server to assign IP addresses to STAs.
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services
[Figure not reproduced; labels: Fat AP, GE0/0/0, VLAN 101, Router, 10.23.101.2/24]
Data planning
Item Data
Configuration Roadmap
1. Configure Router as a DHCP server to assign IP addresses to STAs.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure Router as a DHCP server to assign IP addresses to STAs.
# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit
# Click Finish.
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Step 3 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.
3. Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. STAs can associate with the WLAN and obtain IP addresses on the network segment
10.23.101.x/24.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
----End
Networking Requirements
As shown in Figure 5-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services
[Figure not reproduced; labels: Fat AP, GE0/0/0, VLAN 200, Router, 10.23.200.1/24]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router to communicate with the AP.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit
# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Step 3 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.
# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.
# Click OK.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
----End
Networking Requirements
As shown in Figure 5-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.
Figure 5-10 Networking diagram for configuring STAs to access the public network through
NAT
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services using the WLAN configuration wizard.
2. Configure the AP channel and transmit power.
3. Configure NAT so that users can access the public network using public IP addresses.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure basic WLAN services.
1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Finish.
3. Configure Internet connections.
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# On the Radio 0 Setting(2.4G) page, disable automatic channel and power calibration
functions, and set the AP channel to 20-MHz channel 6 and transmit power to 127 dBm.
# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.
# Click OK.
Step 4 Configure an ACL.
1. Choose Configuration > Security > ACL. The Basic ACL Settings page is displayed.
2. Click Create. On the Create Basic ACL page that is displayed, set ACL parameters.
3. Click OK.
4. In the new ACL, click Add Rule. On the Add Rule page, set ACL parameters.
5. Click OK.
Step 5 Configure NAT.
1. Choose Configuration > IP Service > NAT. The NAT page is displayed.
2. Click Create in NAT Mapping and create a NAT mapping.
3. Click OK.
Step 6 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24 and its
gateway address is 10.23.101.1.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
4. STAs can access the public network successfully.
----End
Figure 5-11 Networking diagram of the device functioning as the PPPoE client
Data Planning
NAT Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
----End
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Data Planning
Item Data
NAT Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
----End
Networking Requirements
As shown in Figure 5-13, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• After a disconnection, the device automatically attempts to re-establish the dial-up
connection at intervals.
Figure 5-13 Networking diagram of the device functioning as the PPPoE client
Data Planning
Item Data
NAT Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
Step 2 Configure the PPPoE client.
1. Create VLAN 100 and add GE0/0/0 to VLAN 100.
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.
# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.
# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.
# Click OK.
----End
Networking Requirements
As shown in Figure 5-14, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.
The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Data Planning
NAT Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.
# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.
# Click OK.
Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.
----End
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.
NOTE
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online successfully
and obtains an IP address.
----End
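The NOTE in the batch-import step above makes the AP's MAC address or SN mandatory depending on the AP authentication mode. The following added example (not from the Huawei document) checks an AP list against that rule before import. The CSV column names and the 20-character SN pattern are assumptions based on the sample values on this page, and validate_ap_rows is a hypothetical helper.

```python
import csv
import io
import re

# MAC notation used on this page: 60de-4476-e360
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
# Assumption: an SN is 20 upper-case alphanumerics, like the page's sample value.
SN_RE = re.compile(r"^[0-9A-Z]{20}$")
PATTERNS = {"AP MAC": MAC_RE, "AP SN": SN_RE}
# Identifier the AC checks in each AP authentication mode (from the NOTE).
KEY_COLUMN = {"mac": "AP MAC", "sn": "AP SN"}


def validate_ap_rows(csv_text, auth_mode):
    """Return [(line_number, message), ...]; an empty list means the file is clean."""
    if auth_mode not in KEY_COLUMN:
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    key_col = KEY_COLUMN[auth_mode]
    problems = []
    first_seen = {}  # key identifier -> line where it first appeared
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        ids = {
            "AP MAC": (row.get("AP MAC") or "").strip().lower(),
            "AP SN": (row.get("AP SN") or "").strip().upper(),
        }
        for col, value in ids.items():
            if not value:
                # Only the identifier used for authentication is mandatory.
                if col == key_col:
                    problems.append(
                        (line, f"{col} is mandatory for {auth_mode} authentication"))
                continue
            if not PATTERNS[col].match(value):
                problems.append((line, f"{col} is malformed: {value}"))
        key = ids[key_col]
        if key:
            # Two rows sharing the key would let one identity cover two devices.
            if key in first_seen:
                problems.append(
                    (line, f"{key_col} duplicates line {first_seen[key]}"))
            else:
                first_seen[key] = line
        if not (row.get("AP Group") or "").strip():
            problems.append((line, "AP Group is empty"))
    return problems


# Constructed sample: the first data row is the page's example AP,
# the remaining rows are made up to trigger each check.
SAMPLE = "\n".join([
    "AP MAC,AP SN,AP Name,AP Group",
    "60de-4476-e360,210235419610CB002287,area_1,ap-group1",
    ",210235419610CB002288,area_2,ap-group1",
    "60DE-4476-E360,,area_3,ap-group1",
    "60de-4476-e3,210235419610CB002289,area_4,",
])

if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(f"--- AP authentication mode: {mode}")
        for line, message in validate_ap_rows(SAMPLE, mode):
            print(f"line {line}: {message}")
```

The same file passes or fails differently under the two modes: the row without a MAC is rejected only under MAC address authentication, and the row without an SN only under SN authentication.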
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
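The port-isolation and tunnel-forwarding notes above can be checked mechanically against the access switch configuration. The following added example (not part of the Huawei document) parses a command session like the one in Step 1 and reports AP-facing trunks that violate those notes. It assumes an AP-facing port is a trunk whose PVID equals the management VLAN, as GE0/0/1 is on this page; the function names and the second sample session are constructed for illustration.

```python
import re

# Matches interface-view lines of a command session, e.g.
# "[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100"
IF_LINE = re.compile(r"^\[\S+?-(GigabitEthernet[\d/]+)\]\s+(.+)$")


def parse_vlan_list(tokens):
    """Expand 'allow-pass vlan' arguments: single IDs, 'A to B' ranges, or 'all'."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Collect PVID, allowed VLANs and port-isolation state per interface."""
    ports = {}
    for raw in transcript.splitlines():
        m = IF_LINE.match(raw.strip())
        if not m:
            continue
        name, cmd = m.groups()
        # PVID defaults to VLAN 1 until 'port trunk pvid vlan' is seen.
        port = ports.setdefault(name, {"pvid": 1, "allowed": set(), "isolated": False})
        words = cmd.split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= parse_vlan_list(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def audit_ap_ports(transcript, mgmt_vlan, service_vlan, forwarding):
    """Return [(interface, finding), ...] for forwarding in {'direct', 'tunnel'}."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append(("global", "management and service VLAN must differ in tunnel forwarding"))
    for name, port in sorted(parse_interfaces(transcript).items()):
        if port["pvid"] != mgmt_vlan:
            continue  # assumption: only trunks with PVID = management VLAN face APs
        if not port["isolated"]:
            findings.append((name, "port-isolate enable is missing"))
        carries_service = service_vlan in port["allowed"]
        if forwarding == "tunnel" and carries_service and service_vlan != mgmt_vlan:
            findings.append((name, f"service VLAN {service_vlan} is allowed on an AP-facing trunk in tunnel forwarding"))
        if forwarding == "direct" and not carries_service:
            findings.append((name, f"service VLAN {service_vlan} is not allowed on an AP-facing trunk in direct forwarding"))
    return findings


# The access switch session from this page's tunnel-forwarding example.
PAGE_TUNNEL = """
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
"""

# Constructed session showing drift from the notes.
DRIFTED = """
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 110
[Switch-GigabitEthernet0/0/3] port-isolate enable
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_TUNNEL), ("drifted", DRIFTED)):
        print(label, audit_ap_ports(text, 100, 101, "tunnel"))
```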
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.
NOTE
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click the icon to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.
Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
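The port-isolation and VLAN-separation rules in these notes can be checked mechanically against a switch CLI transcript. The Python audit below is an added example, not part of the Huawei guide: the function names, the `ap_ports` parameter and the finding texts are assumptions, `DIRECT_OK` reuses the guide's direct-forwarding SwitchA commands, and `TUNNEL_BAD` is a constructed transcript that breaks two rules.

```python
import re

# Strip a VRP prompt such as "[SwitchA-GigabitEthernet0/0/1]" or "<HUAWEI>".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")

# Transcript in the style of this guide's direct-forwarding SwitchA example.
DIRECT_OK = """\
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed failing sample: no port isolation, service VLAN on the AP trunk.
TUNNEL_BAD = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
"""


def parse_vlan_list(tokens):
    """Expand 'allow-pass vlan' arguments: '100 101', '10 to 20' or 'all'."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Return {interface: settings} for every interface view in the transcript."""
    ports, current = {}, None
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw).strip().lower().split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            current = "".join(words[1:])          # "gigabitethernet0/0/1"
            ports.setdefault(current, {"pvid": None, "allow": set(), "isolated": False})
        elif words[0] == "quit":
            current = None
        elif current is None:
            continue
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            ports[current]["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current]["allow"] |= parse_vlan_list(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            ports[current]["isolated"] = True
    return ports


def audit(transcript, ap_ports, mgmt_vlan, service_vlans, forwarding):
    """Check AP-facing ports against the notes; return a list of findings."""
    if forwarding not in ("direct", "tunnel"):
        raise ValueError("forwarding must be 'direct' or 'tunnel'")
    service_vlans, findings = set(service_vlans), []
    if forwarding == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(f"management VLAN {mgmt_vlan} is also a service VLAN")
    ports = parse_interfaces(transcript)
    for name in ap_ports:
        port = ports.get(name.replace(" ", "").lower())
        if port is None:
            findings.append(f"{name}: no configuration found")
            continue
        if not port["isolated"]:
            findings.append(f"{name}: port-isolate enable missing")
        if port["pvid"] != mgmt_vlan:
            findings.append(f"{name}: default VLAN is not management VLAN {mgmt_vlan}")
        if mgmt_vlan not in port["allow"]:
            findings.append(f"{name}: management VLAN {mgmt_vlan} not allowed")
        if forwarding == "direct":
            missing = sorted(service_vlans - port["allow"])
            if missing:
                findings.append(f"{name}: service VLAN(s) {missing} not allowed")
        else:
            extra = sorted(service_vlans & port["allow"])
            if extra:
                findings.append(f"{name}: carries service VLAN(s) {extra} in tunnel mode")
    return findings
```

Pass the interfaces that face APs explicitly; the audit does not try to infer them from the transcript.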
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.
# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102 to
10.23.102.1/24, DHCP status to ON, and DHCP type to Interface address pool.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.
Networking Requirements
● AC networking mode: Layer 3 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
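The port-isolation and VLAN-separation notes above can be checked mechanically against a switch session transcript. The following Python code is an added example, not Huawei code: the function names, the finding codes, the list of AP-facing ports, and the rule that an AP-facing trunk should carry only the management VLAN (plus the service VLANs in direct forwarding) are assumptions of this example, and the sample transcript is constructed.

```python
import re

# Constructed sample in the transcript style of this page. GE0/0/2 is
# deliberately misconfigured: no port isolation and a wide-open trunk.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 4094
[SwitchA-GigabitEthernet0/0/2] quit
"""

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.+)$")
IFACE = re.compile(r"^interface\s+gigabitethernet\s*(\S+)$", re.I)


def expand_vlans(tokens):
    """Expand ['10', '101'] or ['100', 'to', '101'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_session(text):
    """Collect PVID, explicitly allowed VLANs and isolation state per GE port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # user-view lines and prose are ignored
        cmd = m.group(1).strip()
        im = IFACE.match(cmd)
        if im:
            current = "GE" + im.group(1)
            ports.setdefault(
                current, {"pvid": 1, "allowed": set(), "isolate": False})
        elif cmd == "quit" or cmd.lower().startswith("interface "):
            current = None  # left the port view (or entered a non-GE view)
        elif current:
            port = ports[current]
            if cmd == "port-isolate enable":
                port["isolate"] = True
            elif cmd.startswith("port trunk pvid vlan "):
                port["pvid"] = int(cmd.split()[-1])
            elif cmd.startswith("port trunk allow-pass vlan "):
                # Only explicit allow-pass commands are modelled.
                port["allowed"] |= expand_vlans(cmd.split()[4:])
    return ports


def audit(ports, ap_ports, mgmt_vlan, service_vlans, forwarding):
    """Return (port, code, detail) findings for the AP-facing ports.

    forwarding is "direct" or "tunnel"; ap_ports is supplied by the operator.
    """
    findings = []
    service = set(service_vlans)
    if forwarding == "tunnel" and mgmt_vlan in service:
        findings.append(("global", "mgmt-equals-service",
                         "VLAN %d is both management and service" % mgmt_vlan))
    # Assumption of this example: tunnel forwarding needs only the management
    # VLAN on the AP link; direct forwarding also needs the service VLANs.
    expected = {mgmt_vlan} | (service if forwarding == "direct" else set())
    for name in ap_ports:
        port = ports.get(name)
        if port is None:
            findings.append((name, "not-configured", "no commands seen"))
            continue
        if not port["isolate"]:
            findings.append((name, "no-port-isolate",
                             "port-isolate enable is missing"))
        if port["pvid"] != mgmt_vlan:
            findings.append((name, "pvid-not-mgmt",
                             "PVID is %d" % port["pvid"]))
        extra = port["allowed"] - expected
        if extra:
            findings.append((name, "extra-vlans",
                             "%d unneeded VLANs allowed" % len(extra)))
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    for finding in audit(parsed, ["GE0/0/1", "GE0/0/2"], 10, [101, 102], "direct"):
        print(finding)
```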
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
● AC networking mode: Layer 3 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
● AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
● DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
Figure 5-23 Networking for configuring NAT traversal between the AC and APs
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
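In the NAT traversal case, the address pool for APs must advertise the AC's NAT-mapped public address (3.3.3.3 above) in option 43 sub-option 3, not the AC's private source address. The following Python code is an added example, not Huawei code, that decodes a captured option 43 payload and validates the advertised AC list. It assumes the RFC 2132 code/length/value layout for encapsulated sub-options; the function names are hypothetical and 10.23.200.1 is a constructed private address.

```python
import ipaddress

AC_LIST_SUBOPTION = 3  # matches "option 43 sub-option 3" in the Router_1 pool


def encode_suboption(code, value):
    """Build one code/length/value sub-option (assumed RFC 2132 layout)."""
    if not 0 <= code <= 255 or len(value) > 255:
        raise ValueError("code and length must each fit in one byte")
    return bytes([code, len(value)]) + value


def parse_option43(payload):
    """Split an option 43 payload into {sub-option code: raw value}."""
    subs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d overruns the option" % code)
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = value
        pos += 2 + length
    return subs


def ac_addresses(payload):
    """Return the AC addresses carried as a comma-separated ASCII list."""
    raw = parse_option43(payload).get(AC_LIST_SUBOPTION)
    if raw is None:
        return []
    return [ipaddress.ip_address(part.strip())
            for part in raw.decode("ascii").split(",")]


def validate_ac_offer(payload, nat_public_ac):
    """List problems with the AC addresses a DHCP server hands to APs."""
    expected = ipaddress.ip_address(nat_public_ac)
    addresses = ac_addresses(payload)
    if not addresses:
        return ["no AC address in sub-option %d" % AC_LIST_SUBOPTION]
    problems = []
    for addr in addresses:
        if addr.is_private:
            problems.append("%s: private address, not reachable across NAT" % addr)
        elif addr != expected:
            problems.append("%s: not the NAT-mapped AC address" % addr)
    return problems


# Constructed payloads: the value configured on this page, and a
# misconfiguration that leaks a private AC address to the branch.
GOOD_OFFER = encode_suboption(3, b"3.3.3.3")
BAD_OFFER = encode_suboption(3, b"3.3.3.3,10.23.200.1")

if __name__ == "__main__":
    print(GOOD_OFFER.hex(), validate_ac_offer(GOOD_OFFER, "3.3.3.3"))
    print(BAD_OFFER.hex(), validate_ac_offer(BAD_OFFER, "3.3.3.3"))
```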
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
NOTE
Configure the DNS server address as required.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif200.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection of the traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect this traffic.
Networking Requirements
● AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
Figure 5-24 Networking for configuring VPN traversal between the AC and APs
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit
# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit
# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit
# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit
4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
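The ACLs and IKE peers above have to agree on both routers: the protected flows must mirror each other, each remote-address must be the other router's public address, and the pre-shared keys must match. The following is an added example, not part of the original guide, that checks this from the command lines; the function names, finding texts and the choice to flag the key printed in the guide are assumptions of this example, and the transcripts are constructed copies of the lines shown above.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips "[Router_1-acl-adv-3101] "
RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)$")
# Assumption of this example: a key printed in a public guide is not a secret.
DOC_SAMPLE_KEYS = {"huawei@1234"}

# Constructed transcripts: command lines taken from the procedure above.
ROUTER_1 = """
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
"""
ROUTER_2 = """
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
"""


def wildcard_net(addr, wildcard):
    """Turn an ACL address plus wildcard mask (inverse netmask) into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a valid wildcard is a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse(transcript):
    """Collect interface addresses, protected flows and IKE peer settings."""
    cfg = {"addrs": {}, "flows": set(), "ike": {"v2_disabled": False}}
    iface = None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].lower()
        elif line.startswith("ip address ") and iface:
            cfg["addrs"][iface] = line.split()[2]
        elif (m := RULE.match(line)):
            cfg["flows"].add((wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])))
        elif line == "undo version 2":
            cfg["ike"]["v2_disabled"] = True
        elif line.startswith("pre-shared-key cipher "):
            cfg["ike"]["psk"] = line.split(None, 2)[2]
        elif line.startswith("remote-address "):
            cfg["ike"]["remote"] = line.split()[1]
    return cfg


def check_pair(a_text, b_text, wan_if="gigabitethernet 0/0/1"):
    """Return a list of findings for the two ends of one IPSec tunnel."""
    a, b = parse(a_text), parse(b_text)
    findings = []
    mirrored = {(dst, src) for src, dst in b["flows"]}
    for src, dst in sorted(a["flows"] ^ mirrored):
        findings.append(f"flow {src} -> {dst} is not mirrored on both routers")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["ike"].get("remote") != peer["addrs"].get(wan_if):
            findings.append(f"{name}: remote-address does not match the peer's {wan_if}")
    if a["ike"].get("psk") != b["ike"].get("psk"):
        findings.append("pre-shared keys differ")
    elif a["ike"].get("psk") in DOC_SAMPLE_KEYS:
        findings.append("pre-shared key is the sample value printed in the guide")
    if a["ike"]["v2_disabled"] != b["ike"]["v2_disabled"]:
        findings.append("IKE version settings differ")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ROUTER_1, ROUTER_2):
        print(finding)
```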
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
NOTE
Configure the DNS server address as required.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif200.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
Data Planning
Item Data
• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)
• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security
• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default
• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID 1. The AP customized settings page is displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Disable automatic channel and power calibration. Set the channel parameters to
40+ MHz and 157. Set the bridge distance to 4.
# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click Add to configure the WDS whitelist.
# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID 2. The AP customized settings page is displayed.
# Choose Radio Management > Radio1. The Radio 0 Settings(2.4G) page is
displayed.
# Set Radio0 to switch to the 5 GHz frequency band. Disable automatic channel and
power calibration. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the
bridge distance to 4.
3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to PCs.
Data Planning
WDS profile
• wds-net1 (WDS profile used by AP_1): WDS mode root, referenced WDS whitelist wds-list1, permitting access only from AP_2
• wds-net2 (WDS profile used by AP_3): WDS mode root, referenced WDS whitelist wds-list2, permitting access only from AP_4
• wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS whitelist
Item Data
Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Finish.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1 and click OK. The WDS Whitelist Profile List page is
displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.
# Click OK.
4. Configure WDS service parameters.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Disable automatic channel and power calibration. Set the channel parameters to 40+
MHz and 157. Set the bridge distance to 4.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
# Enter the Security Profile page under the AP group wds-root2. The configuration is
similar to that under the AP group wds-root1.
# Set Security Profile to wds-sec and click Apply. In the dialog box that is displayed,
click OK.
3. Configure the WDS whitelist profile wds-list2 for AP_3 to permit access only from
AP_4 over the WDS link.
# Add the MAC address of AP_4 60de-4476-e360 to wds-list2. The configuration is
similar to that for the WDS whitelist profile wds-list1 under the AP group wds-root1.
4. Configure WDS service parameters.
# Enter the WDS Profile List page under the AP group wds-leaf2. The configuration is
similar to that under the AP group wds-root1.
# Click Add. On the page that is displayed, set WDS profile name to wds-net3 and
click OK. In the dialog box that is displayed, click OK.
2. Bind the security profile wds-sec to the AP group wds-leaf2. The configuration is
similar to that for binding the security profile to the AP group wds-root2.
3. Configure WDS service parameters.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.
# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in untagged mode, and set the Port PVID to
101. This example assumes that the downlink network of AP_4's wired port GE0
transmits service traffic of VLAN 101.
# Click OK.
Step 9 Verify the configuration.
1. Choose Configuration > AP Config > AP Config. The AP list page is displayed. If
the AP status is normal, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.
3. Verify that the AP goes online and restart AP_4 to make the working mode of the AP
wired port effective. After AP_4 goes online again, verify that wired users connected to
AP_4 can access the network.
----End
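The AP import NOTE (MAC address or SN mandatory, depending on the AP authentication mode) and the WDS whitelist profiles wds-list1 and wds-list2 in the procedure above can be cross-checked before the data is entered on the AC. The following is an added example, not taken from the guide: the record layout, the function names, the AP_1 and AP_3 entries and the extra whitelist entry are constructed for illustration; only the AP_2 and AP_4 MAC addresses come from the procedure.

```python
import re


def norm_mac(text):
    """Return a MAC in the xxxx-xxxx-xxxx form used in the guide, or None."""
    digits = re.sub(r"[-:.]", "", (text or "").strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_import(aps, auth_mode):
    """Check AP records against the NOTE: the identifier used for AP
    authentication ('mac' or 'sn') is mandatory and must be unique."""
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    label = auth_mode.upper()
    findings, seen = [], {}
    for ap in aps:
        mac = norm_mac(ap.get("mac"))
        sn = (ap.get("sn") or "").strip().upper()
        if ap.get("mac") and mac is None:
            findings.append((ap["name"], "malformed MAC address"))
        ident = mac if auth_mode == "mac" else (sn or None)
        if ident is None:
            findings.append(
                (ap["name"], f"{label} is mandatory in {label} authentication mode"))
        elif ident in seen:
            findings.append((ap["name"], f"same {label} as {seen[ident]}"))
        else:
            seen[ident] = ap["name"]
    return findings


def check_whitelists(whitelists, aps):
    """Flag whitelist entries that are malformed or match no imported AP."""
    known = {}
    for ap in aps:
        mac = norm_mac(ap.get("mac"))
        if mac:
            known[mac] = ap["name"]
    findings = []
    for profile, entries in whitelists.items():
        for entry in entries:
            mac = norm_mac(entry)
            if mac is None:
                findings.append((profile, entry, "malformed MAC address"))
            elif mac not in known:
                findings.append((profile, entry, "not an imported AP"))
    return findings


# Constructed inventory. AP_2 and AP_4 use the MAC addresses from the procedure;
# AP_1 uses a documentation-range MAC, AP_3 has only a made-up serial number.
APS = [
    {"name": "AP_1", "mac": "0000-5e00-5301", "sn": ""},
    {"name": "AP_2", "mac": "60de-4474-9640", "sn": ""},
    {"name": "AP_3", "mac": "", "sn": "CONSTRUCTEDSN0000003"},
    {"name": "AP_4", "mac": "60:DE:44:76:E3:60", "sn": ""},
]
# wds-list2 carries one constructed extra entry that matches no imported AP.
WHITELISTS = {
    "wds-list1": ["60de-4474-9640"],
    "wds-list2": ["60de-4476-e360", "0000-5e00-53ff"],
}

if __name__ == "__main__":
    for finding in check_import(APS, "mac") + check_whitelists(WHITELISTS, APS):
        print(finding)
```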
Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
AP8050TN-HD 802.11ac 802.11ac Mesh not supported
AP4051TN 802.11n 802.11ac Mesh not supported
AP4030TN 802.11n 802.11ac Mesh not supported
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Click OK.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.
# Click OK.
Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-group1
and ap-group2 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh link
information. After the Mesh links are successfully established, you can view detailed
information about the Mesh links on the page.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-34 lists types of chips used by
AP models.
AP8050TN-HD 802.11ac 802.11ac Mesh not supported
AP4051TN 802.11n 802.11ac Mesh not supported
AP4030TN 802.11n 802.11ac Mesh not supported
Procedure
Step 1 Configure the network devices.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.
# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPPs.
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add MPPs.
# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-b500 are
added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The APs are added as
MPPs.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.
# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPs.
# On the AP List tab page, click Add. The Add AP page is displayed.
# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-cc60 are
added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The APs are added as
MPs.
----End
Networking Requirements
• AC networking mode: Layer 2 inline mode
• Service data forwarding mode: tunnel forwarding
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Data Planning
Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.
Configuration Notes
• This example is applicable to an AP with two or more wired uplink interfaces.
• This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check AP information.
Check the AP's group.
Choose Monitoring > AP > AP Statistics Collection. Check the AP's group in AP List.
AP group name: ap-group1
AP name: AP1
# Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk page
is displayed.
# In Eth-Trunk Interface List, click Create. The Create Eth-Trunk page is displayed.
# Click OK.
2. Create VLAN 100 and add Eth-Trunk0 to it.
# Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
# Create VLAN 100. In Available Interface List, select Eth-Trunk0 and click
. On the Modify Link Type page, set Link type to Trunk and click OK.
# Click OK.
3. Create wired port profile wired-port1, and add GE0 and GE1 on the AP to Eth-Trunk0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, select AP group ap-group1. Choose AP > AP Wired Port
Settings. The AP Wired Port Configuration List page is displayed.
# Select GE0. The GE0 configuration page is displayed.
# Click Create and create AP wired port profile wired-port1. Click OK to return to the
GE0 configuration page.
# Set Enable Eth-Trunk to ON.
The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
# Select AP1 and click Restart. In the dialog box that is displayed, click OK to restart the AP.
Step 5 Connect the switch and AP physically.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: External Portal authentication
• Security policy: open
Data Planning
Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8)
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and external Portal authentication on the AC using the
WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Configure third-party server interconnection parameters.
7. Complete service verification.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Cisco ISE, see "Example for Configuring External Portal
Authentication (Web)" in the WLAN Product Interoperation Configuration Guide-
Typical Configuration for Interconnection Between AC and Cisco ISE Server.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
----End
Networking Requirements
An enterprise uses HTTPS for Portal authentication.
The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you
can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server
(integrated with the Portal server) to implement access control on employees who attempt to
connect to the enterprise network, meeting the enterprise's security requirements.
Figure 5-31 Networking diagram for configuring Layer 2 external Portal authentication
(diagram labels: AC, STA, DNS server 10.23.200.2)
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server template.
4. Configure a Portal access profile and configure Layer 2 Portal authentication.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
Data plan
Item | Data
Authentication profile | Name: p1; Bound profile and authentication scheme: Portal access profile portal1, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, RADIUS accounting scheme scheme1, and authentication-free rule profile default_free_rule
DHCP server | The AC functions as the DHCP server to assign IP addresses to the AP and STAs.
Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).
NOTE
In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit
Step 4 Configure a route from the AC to the server area (this example assumes that the IP
address of the upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is 60de-4476-
e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
• In this example, the device is connected to the Agile Controller-Campus. The accounting function is
used here not for accounting purposes but to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
User quantity | Real-time accounting interval
1-99 | 3 minutes
100-499 | 6 minutes
500-999 | 12 minutes
≥ 1000 | ≥ 15 minutes
If the HTTPS protocol is used for Portal authentication, you need to configure an SSL policy.
[AC] ssl policy huawei type server
[AC-ssl-policy-huawei] pki-realm default
[AC-ssl-policy-huawei] quit
[AC] http secure-server ssl-policy huawei
[AC] portal web-authen-server https ssl-policy huawei
[AC] web-auth-server abc
[AC-web-auth-server-abc] protocol http
[AC-web-auth-server-abc] quit
NOTE
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.200.1 10.23.101.1
[AC-web-auth-server-abc] shared-key cipher Admin@123
[AC-web-auth-server-abc] url https://10.23.200.1:8445/portal
[AC-web-auth-server-abc] quit
Step 9 Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc direct
[AC-portal-access-profile-portal1] quit
# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
AC configuration file
#
sysname AC
#
http secure-server ssl-policy huawei
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication-scheme radius_huawei
accounting-scheme scheme1
radius-server radius_huawei
#
portal web-authen-server https ssl-policy huawei
#
dhcp enable
#
radius-server template radius_huawei
#
web-auth-server abc
server-ip 10.23.200.1 10.23.101.1
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url https://10.23.200.1:8445/portal
protocol http
#
portal-access-profile name portal1
web-auth-server abc direct
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme scheme1
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
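The two constraints the configuration notes repeat (in tunnel forwarding the service VLAN must differ from the management VLAN; with direct forwarding the AP-facing interfaces need port isolation) can be checked against a saved configuration. The Python audit below is an added example, not Huawei tooling or part of the original guide; the sample configuration is constructed, and the script assumes that AP-facing interfaces are those whose default VLAN is the management VLAN and that a VAP profile with no forward-mode line uses direct forwarding.

```python
import re

# Constructed sample in the layout of the AC configuration file above:
# '#' separates sections, sub-commands are indented. guest-vap and
# lobby-vap are hypothetical profiles added to trigger both checks.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 vap-profile name guest-vap
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name lobby-vap
  service-vlan vlan-id 102
#
"""

MESSAGES = {
    "VLAN_OVERLAP": "tunnel-forwarding VAP uses the management VLAN as service VLAN",
    "NO_PORT_ISOLATION": "AP-facing interface lacks port isolation while direct forwarding is in use",
}


def parse_config(text):
    """Extract management VLAN, interface settings and VAP profiles."""
    cfg = {"mgmt_vlan": None, "interfaces": {}, "vaps": {}}
    cur_if = cur_vap = None
    for raw in text.splitlines():
        line = raw.strip()  # works with or without preserved indentation
        if line in ("", "#"):
            cur_if = cur_vap = None
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            cfg["mgmt_vlan"] = int(m[1])  # CAPWAP source VLANIF = management VLAN
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_vap = None
            cur_if = cfg["interfaces"].setdefault(m[1], {"pvid": None, "isolated": False})
        elif m := re.fullmatch(r"(\S+) name (\S+)", line):
            # "<kind> name <x>" opens a new profile or group; only VAP profiles are tracked
            cur_if = cur_vap = None
            if m[1] == "vap-profile":
                # Assumption: no forward-mode line means direct forwarding (the default)
                cur_vap = cfg["vaps"].setdefault(m[2], {"mode": "direct-forward", "vlan": None})
        elif cur_if is not None:
            if m := re.fullmatch(r"port (?:trunk pvid|default) vlan (\d+)", line):
                cur_if["pvid"] = int(m[1])
            elif line.startswith("port-isolate enable"):
                cur_if["isolated"] = True
        elif cur_vap is not None:
            if m := re.fullmatch(r"forward-mode (\S+)", line):
                cur_vap["mode"] = m[1]
            elif m := re.fullmatch(r"service-vlan vlan-id (\d+)", line):
                cur_vap["vlan"] = int(m[1])
    return cfg


def audit(cfg):
    """Return a list of (finding_code, object_name) tuples."""
    findings = []
    mgmt = cfg["mgmt_vlan"]
    if mgmt is None:
        return findings  # no CAPWAP source VLANIF found, nothing to compare against
    for name, vap in sorted(cfg["vaps"].items()):
        if vap["mode"] == "tunnel" and vap["vlan"] == mgmt:
            findings.append(("VLAN_OVERLAP", name))
    # Port isolation matters only when at least one VAP forwards directly.
    if any(v["mode"] != "tunnel" for v in cfg["vaps"].values()):
        for name, itf in sorted(cfg["interfaces"].items()):
            if itf["pvid"] == mgmt and not itf["isolated"]:
                findings.append(("NO_PORT_ISOLATION", name))
    return findings


if __name__ == "__main__":
    for code, name in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {name}: {MESSAGES[code]}")
```

The same functions can be pointed at a switch's saved configuration, where the AP-facing ports in this guide also carry the management VLAN as PVID.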
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: built-in Portal authentication
• Security policy: open
Figure 5-32 Networking for configuring built-in Portal authentication for local users
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and built-in Portal authentication on the AC using the WLAN
configuration wizard.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
5. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Manage next to Local user. The Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and password.
# Click OK.
# On the Create Local User page, select the new user and click OK.
Click Finish.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
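A pre-import check for the AP template rules described in the Batch Import step (MAC or SN mandatory depending on the AP authentication mode), as an added example rather than a Huawei tool. The CSV layout with the four field names as column headers is an assumption, since the real template file is not shown here; every sample row after the first is constructed.

```python
import csv
import io
import re

# Column labels are the field names shown in this guide; the CSV layout itself
# is an assumption, because the real template file is not reproduced there.
COLS = ("AP MAC", "AP SN", "AP Name", "AP Group")
HEX12 = re.compile(r"^[0-9a-f]{12}$")

# First data row is the guide's example AP; the other rows are constructed.
SAMPLE = """AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60:DE:44:76:E3:60,,area_2,ap-group1
,210235419610CB002287,area_3,ap-group1
01de-4476-e361,,area_4,ap-group1
60de-4476-e3,,area_5,ap-group1
"""


def normalize_mac(raw):
    """Return the MAC as xxxx-xxxx-xxxx, or None if it is not 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw.strip().lower())
    if not HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def validate_ap_rows(csv_text, auth_mode):
    """Check template rows against the mandatory-field rule for auth_mode.

    auth_mode is "mac" or "sn". Returns a list of (line_number, message).
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems = []
    seen_mac, seen_sn = {}, {}
    for line_no, row in enumerate(reader, start=2):
        raw_mac = (row["AP MAC"] or "").strip()
        sn = (row["AP SN"] or "").strip().upper()
        mac = normalize_mac(raw_mac) if raw_mac else None
        if raw_mac and mac is None:
            problems.append((line_no, f"malformed AP MAC {raw_mac!r}"))
        # The low bit of the first octet marks a group (multicast) address,
        # which can never be the burned-in address of a single AP.
        if mac and int(mac[:2], 16) & 1:
            problems.append((line_no, f"{mac} is a group (multicast) address"))
        if auth_mode == "mac" and not raw_mac:
            problems.append((line_no, "AP MAC is mandatory for MAC authentication"))
        if auth_mode == "sn" and not sn:
            problems.append((line_no, "AP SN is mandatory for SN authentication"))
        # Two rows claiming the same identity would make the whitelist ambiguous.
        for value, seen, label in ((mac, seen_mac, "AP MAC"), (sn, seen_sn, "AP SN")):
            if not value:
                continue
            if value in seen:
                problems.append((line_no, f"{label} {value} duplicates line {seen[value]}"))
            else:
                seen[value] = line_no
    return problems


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(f"AP authentication mode: {mode}")
        for line_no, message in validate_ap_rows(SAMPLE, mode):
            print(f"  line {line_no}: {message}")
```

No format check is applied to the SN beyond presence and uniqueness, because the guide does not state one.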
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open
Data Planning
Item                        Data
Management VLAN for APs     VLAN100
Service VLAN for STAs       VLAN101
IP address pool for APs     10.23.100.2–10.23.100.254/24
IP address pool for STAs    10.23.101.3–10.23.101.254/24
MAC access profile          Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for
Wireless Users" in the WLAN Product Interoperation Configuration Guide-Typical
Configuration for Interconnection Between AC and Huawei Agile Controller-Campus
Server.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
NOTE
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
----End
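The port-isolation and VLAN-separation rules from the Configuration Notes, turned into a check over pasted Step 1 sessions (an added example, not part of the Huawei guide). It assumes AP-facing ports are the trunks whose PVID is the management VLAN, as on this guide's SwitchA; the function names and the WEAK session are constructed.

```python
import re

# Matches interface-view prompts such as "[SwitchA-GigabitEthernet0/0/1] cmd".
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)-(?P<ifc>[^\]]+)\]\s*(?P<cmd>.+)$")

# SwitchA interface lines copied from this guide's tunnel-forwarding example.
TUNNEL = """
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
"""
# SwitchA interface lines copied from this guide's direct-forwarding example.
DIRECT = """
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
"""
# Constructed session: AP-facing trunk without isolation or the management VLAN.
WEAK = """
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
"""


def parse_session(text):
    """Map device -> interface -> list of commands typed in that interface view."""
    cfg = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cfg.setdefault(m["dev"], {}).setdefault(m["ifc"], []).append(m["cmd"].strip())
    return cfg


def expand_vlans(spec):
    """Expand '100 101', '100 to 104' or 'all' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(text, mgmt_vlan, service_vlan, mode):
    """Return findings for AP-facing trunks; mode is 'tunnel' or 'direct'."""
    if mode not in ("tunnel", "direct"):
        raise ValueError("mode must be 'tunnel' or 'direct'")
    findings = []
    if mode == "tunnel" and mgmt_vlan == service_vlan:
        findings.append(f"tunnel forwarding: management and service VLAN are both {mgmt_vlan}")
    for dev, ifcs in sorted(parse_session(text).items()):
        for ifc, cmds in sorted(ifcs.items()):
            pvid, allowed = None, set()
            for cmd in cmds:
                m = re.match(r"port trunk pvid vlan (\d+)$", cmd)
                if m:
                    pvid = int(m.group(1))
                m = re.match(r"port trunk allow-pass vlan (.+)$", cmd)
                if m:
                    allowed |= expand_vlans(m.group(1))
            if pvid != mgmt_vlan:
                continue  # assumption: not an AP-facing port
            where = f"{dev} {ifc}"
            if "port-isolate enable" not in cmds:
                findings.append(f"{where}: port isolation is not enabled")
            if mgmt_vlan not in allowed:
                findings.append(f"{where}: management VLAN {mgmt_vlan} is not allowed")
            if mode == "tunnel" and service_vlan in allowed:
                findings.append(f"{where}: service VLAN {service_vlan} allowed on a tunnel-mode AP port")
            if mode == "direct" and service_vlan not in allowed:
                findings.append(f"{where}: service VLAN {service_vlan} missing on a direct-mode AP port")
    return findings


if __name__ == "__main__":
    for name, text, mode in (("TUNNEL", TUNNEL, "tunnel"), ("DIRECT", DIRECT, "direct"), ("WEAK", WEAK, "direct")):
        print(name, audit(text, 100, 101, mode) or "no findings")
```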
Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select MAC and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.
NOTE
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Finish.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click Create. On the Create Authentication Profile page that is displayed, enter the
profile name wlan-net and click OK. The authentication profile configuration page is
displayed.
# Click Create. On the Create MAC Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. On the MAC authentication profile
configuration page that is displayed, configure the user name format for MAC address
authentication.
NOTE
The user name and password used for MAC address authentication must be the same as those
configured for local authentication.
# Click the icon in front of Authentication Profile. Under it, click RADIUS Server. The
RADIUS Server page is displayed.
# Click the icon under RADIUS Server Profile. The RADIUS Server Profile page is
displayed.
# Click Create. On the Create RADIUS Server Profile page that is displayed, set
Profile name to wlan-net and Profile default shared key to huawei@123.
# Click Create Server. In the Create Server Configuration dialog box that is
displayed, configure the RADIUS server parameters.
# Click OK. On the Create RADIUS Server Profile page that is displayed, select the
created RADIUS server and click OK. On the RADIUS Server Profile page that is
displayed, select the created RADIUS server profile wlan-net and click OK.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
----End
Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC authentication
• Security policy: open
Figure 5-36 Networking for configuring MAC authentication for local users
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the AP to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring a
security policy, select MAC address authentication and local authentication. When
adding a local user, ensure that the user name is the same as the MAC address of the
user, and the password is the same as that configured in the MAC access profile.
Configure the planned password in the MAC access profile.
5. Complete service verification.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Finish.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 5-37 Networking for configuring user authorization based on user groups
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
The AC and server must have the same RADIUS shared key.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
# Click OK. On the Advanced ACL Settings page that is displayed, use the same
method to add another ACL rule.
# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set User group
name and bind an ACL.
# Click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
----End
Figure 5-38 Networking diagram for configuring WeChat authentication using a built-in
Portal server
[Figure 5-38 labels: STAs; AP area_1; AC with built-in Portal server (10.1.1.1/24); GE0/0/1 (VLAN 100); GE0/0/2 (VLAN 101); intranet; WeChat server; DNS server (10.23.200.2). Management VLAN: VLAN 100. Service VLAN: VLAN 101.]
Data Planning
Item                               Data
Authentication-free rule profile   • Name: default_free_rule
                                   • Authentication-free resource: IP address of the DNS server (10.23.200.2)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. Configure WeChat
authentication to authenticate WeChat users.
5. Complete user service verification.
Procedure
Step 1 Configure AC system parameters.
1. Configure AC basic parameters.
Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region as required (China as an example). Set System Time to Manual
and Date and time to PC Time.
# Click Apply.
# Click Apply.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.
# Click OK.
# Configure the address pool for VLANIF 101 in a similar way. Set the IP address of
VLANIF 101 to 10.23.101.1/24, DHCP status to ON, DHCP type to Interface address
pool, and Primary DNS server to 10.23.200.2.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set the destination IP address to 10.23.200.0/24 and Next hop address to 10.23.101.2
(assuming that the IP address of the uplink device is 10.23.101.2).
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information about the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE
# Click next to Import AP file, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configuration page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 3 Configure wireless services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN ID.
# Click Finish.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 5 Verify the configuration.
• After the configuration is complete, STAs can discover the wireless network with the
SSID wlan-net.
• STAs can be assigned IP addresses after they associate with the wireless network.
• When a user opens WeChat, the Portal authentication page is displayed automatically on
the STA. After the user is authenticated, the user can connect to the Internet.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-39 Networking diagram for configuring different authentication modes for multiple
SSIDs
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
                           10.23.102.3-10.23.102.254/24
• Name: guest
• Referenced profiles and authentication schemes: Portal access profile
guest, MAC access profile guest, RADIUS server template wlan-net,
authentication scheme guest, and authentication-free rule template
default_free_rule
• Name: guest
• SSID name: guest
• Name: guest
• Security policy: open
• Name: guest
• Forwarding mode: tunnel forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile guest, security profile guest, and
authentication profile guest
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Use the configuration wizard to configure system parameters for the AC.
3. Use the configuration wizard to configure the APs to go online on the AC.
4. Use the configuration wizard to configure WLAN services, 802.1x authentication, and
MAC address-prioritized Portal authentication on the AC.
5. Configure authentication-free rules for an AP group.
6. Deliver WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN
101 and VLAN 102, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set the SSID name to employee, forwarding mode to tunnel forwarding, and service
VLAN to 101.
# Set the authentication mode to 802.1x authentication, and configure parameters of the
external RADIUS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and manually
configure the AP channel and power.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID employee. Set the authentication mode
to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
• A guest can use a STA to find the WLAN with SSID guest. After being associated with
the WLAN, the STA is assigned an IP address. When the STA accesses the Internet
through a browser, the authentication page provided by the Portal server is automatically
displayed. After the correct user name and password are entered on the page, the STA is
authenticated and can access the WLAN. Assume that the MAC address configured on
the Portal server is valid for 60 minutes. When the STA is disconnected from the WLAN
for 5 minutes, the STA can access the Internet directly when reconnecting to the WLAN.
When the STA is disconnected from the WLAN for 65 minutes, it will be redirected to
the Portal authentication page when reconnecting to the WLAN.
----End
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
[Networking diagram labels: Internet; Router; AC1; AC2; SwitchB and SwitchC (CSS); Eth-Trunk 10; SwitchA; AP; STA. Interface labels: GE0/0/2 (VLAN 102); GE0/0/1 (VLAN 100-101); GE1/1/0/1 and GE2/1/0/1 (VLAN 100-101); GE1/1/0/2 and GE2/1/0/2 (VLAN 100-101); SwitchA GE0/0/2 and GE0/0/3 (VLAN 100-101); SwitchA GE0/0/1 (VLAN 100-101). Management VLAN: VLAN 100.]
Data Planning
Item Data
Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve core
layer reliability and configure SwitchB as the master switch.
2. Configure network connectivity between SwitchA, SwitchB, and SwitchC.
3. Configure AC1 based on the configuration wizard. VRRP HSB and wireless
configuration synchronization are both configured based on the configuration wizard.
4. Configure APs to go online and basic WLAN services on AC1.
5. Configure AC2 based on the configuration wizard.
6. Trigger wireless configuration synchronization on AC1.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------
The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit CAPWAP
packets.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs can directly communicate at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA (connected to the AP) to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 (connected to SwitchB) and
GE0/0/3 (connected to SwitchC) on SwitchA to Eth-Trunk 10, and add Eth-Trunk 10 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool. Expand Advanced. Click to add 10.23.100.2
and 10.23.100.3 to Excluded IP address.
NOTE
# Repeat the preceding steps to configure an address pool for VLANIF 101. Set the IP
address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.2 and 10.23.101.3 to
Excluded IP address.
# Enable HSB.
# Click OK.
# Configure a service VRRP group in the same way. Set parameters as follows:
– VLANIF/IP: VLANIF 101
– VRID: 2
– VRRP type: VRRP group
– Virtual IP address: 10.23.101.3
– Preemption delay(s): 1800
– VRID of the mVRRP group: 1
# Click OK.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure basic WLAN services on AC1.
1. Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
Click Finish.
# Configure network interconnections on AC2 in the same way as that on AC1. The
differences are as follows:
# Configure AC backup on AC2 in the same way as that on AC1. The differences are as
follows:
– When configuring VRRP groups, use the default values of Priority and
Preemption delay(s).
– When configuring HSB, set Local AC IP address to 10.23.102.2 and Peer AC IP
address to 10.23.102.1.
5. Configure the source address for AC2.
# Configure the source address for AC2 in the same way as that for AC1.
6. Confirm the configuration.
# Confirm the configuration and click Finish.
# Click Manual synchronization under Operation. In the Confirm dialog box that is
displayed, click OK. AC2 restarts automatically.
# After AC2 restarts, check the configuration synchronization state on AC1. If Configuration
Synchronization State is Synchronization success, wireless configuration synchronization
succeeds.
# STAs associated with the AP can find the SSID wlan-net and connect to the WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC, ensuring
user service continuity.
----End
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
Active AC AC1
Standby AC AC2
Master AC AC1
Local AC AC2
Configuration Roadmap
1. Configure network interconnection. Configure Router as a DHCP server to assign IP
addresses to APs and STAs.
2. Configure AC1, APs going online, and WLAN services following the configuration
wizard.
3. Configure dual-link hot standby (HSB) on AC1.
4. Configure AC2 following the configuration wizard.
5. Configure dual-link HSB on AC2.
6. Trigger wireless configuration synchronization on AC1.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange CAPWAP
packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able to communicate
directly at Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Repeat the preceding steps to configure VLANIF 102. Set the IP address of VLANIF
102 to 10.23.102.1/24.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 6 Configure basic WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# In the AP group list, click ap-group1. On the page that is displayed, click in front
of AP. Under it, click AP System Profile. The AP System Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-net and click OK. The AP system profile configuration page is
displayed.
# Click Create. On the page that is displayed, create the AP group ap-group1 and click
OK.
# In the AP group list, click ap-group1. On the page that is displayed, click in front
of AP. Under it, click AP System Profile. The AP System Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-net and click OK. The AP system profile configuration page is
displayed.
# Choose Configuration > Reliability > Reliability. The Reliability page is displayed.
# STAs associated with the AP can find the SSID wlan-net and connect to the WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC, ensuring
user service continuity.
----End
Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
to APs and STAs.
Data Planning
Item                Data
Active AC           AC1
                    Local priority: 0
Standby AC          AC2
                    Local priority: 1
Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the switch.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
Configure the DHCP function on the switch to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
Click Finish.
The configuration is similar to that on AC1. The difference is that the IP address of VLANIF
100 is 10.23.100.3/24.
# On AC1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.
NOTE
A smaller value of Local priority indicates a higher local priority.
By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs are
restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs and make the dual-link
backup function take effect.
2. When the link between an AP and AC1 fails, AC2 takes over the active role. This
ensures service stability.
----End
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                                     Data
Active AC                                AC1
                                         Local priority: 0
Standby AC                               AC2
                                         Local priority: 1
IP addresses and port numbers for the    IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1       Port number: 10241
IP addresses and port numbers for the    IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2       Port number: 10241
Configuration Roadmap
1. Configure network interworking of the APs, ACs, and other network devices.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange CAPWAP
packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able to communicate
directly at Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
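The AP template file is the list of APs the AC will admit, so it is worth validating before each import described on this page. The Python script below is an added example, not part of the Huawei template or tooling; the CSV layout with the four column names listed above, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample rows. The column names follow the fields listed on this
# page; the CSV layout itself is an assumption for this example.
SAMPLE_CSV = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60:DE:44:76:E3:61,,area_2,ap-group1
,210235419610CB002288,area_3,ap-group1
60de-4476-e360,210235419610CB002289,area_4,ap-group1
60de-4476-zz62,210235419610CB002290,area_5,ap-group1
"""


def normalize_mac(raw):
    """Return the MAC as xxxx-xxxx-xxxx (the form used on this page), or None."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate_ap_rows(text, auth_mode):
    """Check template rows against the AP authentication mode.

    auth_mode is "mac" (MAC mandatory, SN optional) or "sn" (SN mandatory,
    MAC optional). Returns (accepted_rows, errors); errors is a list of
    (file_line_number, [problem, ...]).
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    accepted, errors = [], []
    seen_mac, seen_sn = {}, {}
    # Line 1 of the file is the header, so data rows start at line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        mac_raw = (row.get("AP MAC") or "").strip()
        sn = (row.get("AP SN") or "").strip().upper()
        mac = normalize_mac(mac_raw) if mac_raw else None
        problems = []
        if mac_raw and mac is None:
            problems.append("malformed MAC")
        if auth_mode == "mac" and not mac_raw:
            problems.append("MAC is mandatory for MAC address authentication")
        if auth_mode == "sn" and not sn:
            problems.append("SN is mandatory for SN authentication")
        # A repeated identifier means two entries claim the same device.
        if mac and mac in seen_mac:
            problems.append(f"duplicate MAC (first seen on line {seen_mac[mac]})")
        if sn and sn in seen_sn:
            problems.append(f"duplicate SN (first seen on line {seen_sn[sn]})")
        if problems:
            errors.append((lineno, problems))
            continue
        if mac:
            seen_mac[mac] = lineno
        if sn:
            seen_sn[sn] = lineno
        accepted.append({
            "mac": mac,
            "sn": sn or None,
            "name": (row.get("AP Name") or "").strip(),
            "group": (row.get("AP Group") or "").strip(),
        })
    return accepted, errors


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        ok, bad = validate_ap_rows(SAMPLE_CSV, mode)
        print(mode, [r["name"] for r in ok], bad)
```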
Step 6 Configure basic WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
Click Finish.
The configuration is similar to that on AC1. The difference is that the IP addresses of
VLANIF 100 and VLANIF 102 are 10.23.100.3/24 and 10.23.102.2/24, respectively.
# Choose Configuration > Reliability > Reliability. The Reliability page is displayed.
The configuration is similar to that on AC1. The following parameter settings are different:
• Local priority: 1
• Backup AC IP address: 10.23.100.2
• Local AC IP address: 10.23.102.2
----End
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
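[Figure: networking diagram. Devices shown: Internet, Router, AC1, AC2, SwitchB and SwitchC (CSS), SwitchA, AP. Interface labels: AC GE0/0/2 (VLAN 102); AC GE0/0/1 (VLANs 100-101); GE1/1/0/1 and GE2/1/0/1 on the CSS (VLANs 100-101); GE1/1/0/2 and GE2/1/0/2 on the CSS (VLANs 100-101, Eth-Trunk 10); GE0/0/2 and GE0/0/3 on SwitchA (VLANs 100-101); GE0/0/1 on SwitchA (VLANs 100-101).]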
Data Planning
Item Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Configure AC1 and AC2 using the configuration wizard.
– Set up connections between the AP, AC, and other network devices.
– Configure a VRRP group on AC1 and AC2. Configure a higher priority for AC1
than AC2 so that AC1 functions as the master device to forward traffic and AC2
functions as a backup device.
– Configure the hot standby (HSB) function so that service information on AC1 is
backed up to AC2 in batches and in real time, ensuring seamless service switchover
from AC1 to AC2.
– Add APs on AC1 and AC2, and configure WLAN services.
NOTE
Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
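The port rules in the Configuration Notes and NOTEs on this page (port isolation on AP-facing ports that carry the service VLAN, VLAN 1 removed from trunks) can be checked against a saved CLI session before it is applied. The Python script below is an added example, not Huawei tooling; the transcript is constructed and the function names are illustrative. It assumes that a trunk passes VLAN 1 until `undo port trunk allow-pass vlan 1` is entered, and that an AP-facing port is a trunk whose PVID is the management VLAN.

```python
import re

# Constructed transcript in the prompt-prefixed CLI style used on this page.
# GE0/0/4 deliberately omits two hardening lines.
SAMPLE = """\
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
"""

# Strips the "[Switch-...]" or "<HUAWEI>" prompt and keeps the command.
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*(.*)$")


def expand_vlans(tokens):
    """Expand '100 101', '100 to 101' or 'all' into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def apply_command(port, cmd):
    """Update one port's state from a single interface-view command."""
    words = cmd.split()
    if not words:
        return
    if cmd == "port link-type trunk":
        port["trunk"] = True
        port["allowed"].add(1)  # assumption: VLAN 1 passes until removed
    elif cmd.startswith("port trunk pvid vlan "):
        port["pvid"] = int(words[-1])
    elif cmd.startswith("port trunk allow-pass vlan "):
        port["allowed"] |= expand_vlans(words[4:])
    elif cmd.startswith("undo port trunk allow-pass vlan "):
        port["allowed"] -= expand_vlans(words[5:])
    elif cmd == "port-isolate enable":
        port["isolated"] = True
    elif words[0] == "eth-trunk":
        port["member"] = True  # VLAN settings live on the Eth-Trunk itself


def parse_ports(transcript):
    """Return {interface name: state} for every interface view entered."""
    ports, current = {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = m.group(1).strip().lower()
        if cmd.startswith("interface "):
            current = cmd[len("interface "):].strip()
            ports.setdefault(current, {"trunk": False, "pvid": 1,
                                       "allowed": set(), "isolated": False,
                                       "member": False})
        elif cmd in ("quit", "return"):
            current = None
        elif current is not None:
            apply_command(ports[current], cmd)
    return ports


def audit(transcript, mgmt_vlan, service_vlan):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, p in parse_ports(transcript).items():
        if not p["trunk"] or p["member"]:
            continue
        if 1 in p["allowed"]:
            findings.append((name, "VLAN 1 still allowed on trunk"))
        ap_facing = p["pvid"] == mgmt_vlan
        if ap_facing and service_vlan in p["allowed"] and not p["isolated"]:
            findings.append(
                (name, "AP-facing port carries service VLAN without port-isolate"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, issue in audit(SAMPLE, mgmt_vlan=100, service_vlan=101):
        print(f"{iface}: {issue}")
```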
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit CAPWAP
packets.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (the interface connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs can communicate directly at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add GE1/1/0/1
on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101, respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool. Expand Advanced. Click to add 10.23.100.2
and 10.23.100.3 to Excluded IP address.
NOTE
# Repeat the preceding steps to configure an address pool for VLANIF 101. Set the IP
address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.2 and 10.23.101.3 to
Excluded IP address.
# Enable HSB.
# Click OK.
# Configure a service VRRP group in the same way. Set parameters as follows:
– VLANIF/IP: VLANIF 101
– VRID: 2
– VRRP type: VRRP group
– Virtual IP address: 10.23.101.3
– Preemption delay(s): 1800
– VRID of the mVRRP group: 1
# Click OK.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The Confirm
Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Set Security settings to Key (applicable to personnel networks) and set the key.
Click Finish.
----End
Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services require low
network reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to save costs. In this scenario, the enterprise can deploy a high performance
AC at the headquarters as a standby AC to provide backup services for active ACs in the
branches.
Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
AC_2:
• Name: wlan-net1
• SSID name: wlan-net1
AC_3:
• Name: wlan-net
• SSID name: wlan-net
• Name: wlan-net1
• SSID name: wlan-net1
AC_2:
• Name: wlan-net1
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
AC_3:
• Name: wlan-net
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile wlan-net and security profile wlan-net
• Name: wlan-net1
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
On AC_2:
• Name: ap-system1
– Primary AC IP address: 10.23.202.1
– Backup AC IP address: 10.23.203.1
On AC_3:
• Name: ap-system
– Primary AC IP address: 10.23.201.1
– Backup AC IP address: 10.23.203.1
• Name: ap-system1
– Primary AC IP address: 10.23.202.1
– Backup AC IP address: 10.23.203.1
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the routers and switches to communicate with each other.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the PVID of GE0/0/1 is VLAN
99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the PVID of GE0/0/1 is
VLAN 100. See Switch_1 for the detailed configuration procedure.
# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign an IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.
NOTE
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
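The Option 43 settings above determine which ACs each AP can discover. The following is an added example, not part of the Huawei document: it builds the payload an AP would receive from each pool and checks it against the N+1 plan from the NOTE. It assumes sub-option 2 is carried as a plain type-length-value triple with four bytes per address; the function names and the SHARED_POOLS case are constructed for illustration.

```python
import ipaddress

# AC addresses per AP pool, in the order given to
# "option 43 sub-option 2 ip-address" on Router_3 (values from the page).
PAGE_POOLS = {
    "ap_1_pool": ["10.23.201.1", "10.23.203.1"],
    "ap_2_pool": ["10.23.202.1", "10.23.203.1"],
}
# Primary AC per pool and the shared backup AC, from the Data Planning section.
PRIMARY_AC = {"ap_1_pool": "10.23.201.1", "ap_2_pool": "10.23.202.1"}
BACKUP_AC = "10.23.203.1"

# Constructed misconfiguration: ap_1_pool also advertises AC_2, which is the
# situation the NOTE warns about when APs share one address pool.
SHARED_POOLS = {
    "ap_1_pool": ["10.23.201.1", "10.23.202.1", "10.23.203.1"],
    "ap_2_pool": ["10.23.202.1", "10.23.203.1"],
}

SUBOPT_AC_LIST = 2  # sub-option number used in the page's commands


def encode_option43(ac_ips, sub_option=SUBOPT_AC_LIST):
    """Build the Option 43 payload: sub-option code, length, packed IPv4s.

    Assumption: plain TLV layout (RFC 2132 encapsulated vendor options).
    """
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in ac_ips)
    if not value or len(value) > 255:
        raise ValueError("sub-option needs 1..63 IPv4 addresses")
    return bytes([sub_option, len(value)]) + value


def decode_ac_list(payload, sub_option=SUBOPT_AC_LIST):
    """Walk the TLVs in an Option 43 payload and return the AC address list."""
    acs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is shorter than its length byte" % code)
        if code == sub_option:
            if length % 4:
                raise ValueError("address list is not a multiple of 4 bytes")
            acs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                    for j in range(0, length, 4)]
        i += 2 + length  # skip sub-options this check does not care about
    return acs


def audit_pools(pools, primary_ac, backup_ac):
    """Return (pool, ac, reason) for every AC that breaks the N+1 plan."""
    findings = []
    for pool, ac_ips in pools.items():
        seen = decode_ac_list(encode_option43(ac_ips))  # what the AP receives
        expected = {primary_ac[pool], backup_ac}
        for ac in seen:
            if ac in expected:
                continue
            owner = [p for p, ip in primary_ac.items() if ip == ac]
            reason = ("primary AC of %s" % owner[0]) if owner else "unplanned AC"
            findings.append((pool, ac, reason))
        for ac in sorted(expected - set(seen)):
            findings.append((pool, ac, "planned AC not advertised"))
    return findings


if __name__ == "__main__":
    for name, ips in PAGE_POOLS.items():
        print(name, encode_option43(ips).hex())
    print(audit_pools(SHARED_POOLS, PRIMARY_AC, BACKUP_AC))
```

The hex string printed for each pool is what to look for in the Option 43 field of a captured DHCP Offer when an AP joins the wrong AC.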
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 201 to 10.23.201.1/24.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif201.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# On AC_1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.
# Choose Maintenance > AP Maintenance > AP Restart > Restart All to restart all
APs, so that the N+1 backup function can take effect.
NOTE
By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the APs are
restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on AC_1.
----End
5.8.7 Example for Configuring N+1 Backup (APs and ACs in the
same network segment)
Service Requirements
In public places where a large number of users exist in a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access services. These
services are value-added services that require low network reliability and allow temporary
service interruption. An AC is required to be a backup of all ACs to save costs. To meet this
requirement, build an N+1 backup wireless LAN to provide reliable services and reduce
device purchase costs. ACs of different models can work in N+1 backup mode, but versions
of the ACs must be the same.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
to APs and STAs.
Data Planning
Item Data
AC_2:
• Name: wlan-net1
• SSID name: wlan-net1
AC_3:
• Names: wlan-net and wlan-net1
• SSID names: wlan-net and wlan-net1
AC_2:
• Name: wlan-net1
• Security policy: WPA-WPA2+PSK+AES
• Password: a1234567
AC_3:
• Name: wlan-net
– Security policy: WPA-WPA2+PSK+AES
– Password: a1234567
• Name: wlan-net1
– Security policy: WPA-WPA2+PSK+AES
– Password: a1234567
AC_1:
• Name: wlan-net1
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
AC_3:
• Name: wlan-net
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile wlan-net and security profile wlan-net
• Name: wlan-net1
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
On AC_2:
• Name: ap-system1
– Primary AC IP address: 10.23.100.3
– Backup AC IP address: 10.23.100.4
On AC_3:
• Name: ap-system
– Primary AC IP address: 10.23.100.2
– Backup AC IP address: 10.23.100.4
• Name: ap-system1
– Primary AC IP address: 10.23.100.3
– Backup AC IP address: 10.23.100.4
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the primary ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the backup AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the primary ACs first and then on the backup AC. When N+1
backup is enabled, all APs are restarted.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the switches to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
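[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit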
# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit
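The Configuration Notes require port isolation on every interface that connects directly to an AP when direct forwarding is used. The following is an added example, not part of the Huawei document: it replays a CLI session like the Switch_2 one above and reports AP-facing ports that miss `port-isolate enable` or do not pass their own PVID VLAN. It assumes AP-facing ports are the trunk ports whose PVID is the management VLAN; GE0/0/5 in the sample is constructed.

```python
import re

# Constructed sample: Switch_2's Step 1 commands for GE0/0/1 and GE0/0/3, plus
# a hypothetical GE0/0/5 (not on the page) left without port isolation and
# without the management VLAN in its allow-pass list.
SESSION = """\
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit
[Switch_2] interface gigabitethernet 0/0/5
[Switch_2-GigabitEthernet0/0/5] port link-type trunk
[Switch_2-GigabitEthernet0/0/5] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/5] port trunk allow-pass vlan 102
[Switch_2-GigabitEthernet0/0/5] quit
"""

# Matches a prompt in interface view, e.g. "[Switch_2-GigabitEthernet0/0/1] cmd".
IF_VIEW = re.compile(
    r"^\[([^\]\s]+?)-((?:GigabitEthernet|Ethernet|Eth-Trunk)[\d/]+)\]\s*(.+)$")


def expand_vlans(spec):
    """Expand a VLAN list such as '100 to 102' or '100 102' into a set of IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_ports(session):
    """Replay interface-view commands into per-port state."""
    ports = {}
    for line in session.splitlines():
        m = IF_VIEW.match(line.strip())
        if not m:
            continue  # system-view line or command output
        host, ifname, cmd = m.groups()
        # A trunk port starts with PVID 1 and VLAN 1 allowed.
        port = ports.setdefault(
            (host, ifname), {"pvid": 1, "allowed": {1}, "isolated": False})
        if cmd.startswith("undo port trunk allow-pass vlan "):
            port["allowed"] -= expand_vlans(cmd.split("vlan", 1)[1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            port["allowed"] |= expand_vlans(cmd.split("vlan", 1)[1])
        elif cmd.startswith("port trunk pvid vlan "):
            port["pvid"] = int(cmd.split()[-1])
        elif cmd == "port-isolate enable":
            port["isolated"] = True
        elif cmd == "undo port-isolate enable":
            port["isolated"] = False
    return ports


def audit_ap_ports(session, mgmt_vlan):
    """Return (host, interface, problem) for each misconfigured AP-facing port."""
    findings = []
    for (host, ifname), port in parse_ports(session).items():
        if port["pvid"] != mgmt_vlan:
            continue  # assumption: only AP-facing ports use the management PVID
        if not port["isolated"]:
            findings.append((host, ifname, "port-isolate enable missing"))
        if mgmt_vlan not in port["allowed"]:
            findings.append((host, ifname, "PVID VLAN not in allow-pass list"))
    return findings


if __name__ == "__main__":
    for finding in audit_ap_ports(SESSION, mgmt_vlan=100):
        print(*finding, sep=": ")
```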
Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
Step 8 Configure basic WLAN services and IP address of the backup AC for AC_3.
The configuration is similar to that on AC_3. The following parameters are different:
• Set the IP address of VLANIF 100 to 10.23.100.4/24.
• Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and ap-group2,
respectively.
• When configuring WLAN services on AC_3, choose Configuration > Config Wizard >
Wireless Service and create SSIDs wlan-net and wlan-net1. Set the parameters of wlan-net
to the same values as those on AC_1 and the parameters of wlan-net1 to the same values as
those on AC_2.
• Create AP system profiles ap-system and ap-system1 in AP groups ap-group1 and
ap-group2, respectively. Set the parameters of ap-system to the same values as those on
AC_1 and the parameters of ap-system1 to the same values as those on AC_2.
Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.
1. Enable N+1 backup on AC_1.
# On AC_1, choose Configuration > Reliability > Reliability. The Reliability page is
displayed.
# Set Backup mode to N+1 backup, AC dual-link switchover status to ON.
----End
Networking Requirement
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
• Name: ap-group2
• Referenced profiles: VAP profile wlan-net2, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
• Name: wlan-net2
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN 102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs. In this example, add
area_1 and area_2 to ap-group1 and ap-group2, respectively.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to Single
VLAN, and Service VLAN ID to 101.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.
# In the AP group list, click ap-group2. Click VAP Configuration. On the VAP Profile List
page, click Create. On the page that is displayed, create the VAP profile wlan-net2 and click
OK.
# In the VAP profile list, click wlan-net2. On the VAP profile configuration page, set Service
VLAN to Single VLAN and Service VLAN ID to 102, and click Apply. In the dialog box
that is displayed, click OK.
# Click in front of wlan-net2. The profiles referenced by the VAP profile are displayed.
# Click SSID Profile. On the SSID profile configuration page that is displayed, set SSID
Profile to wlan-net and click Apply. In the dialog box that is displayed, click OK.
# Click Security Profile. On the security profile configuration page that is displayed, set
Security Profile to wlan-net and click Apply. In the dialog box that is displayed, click OK.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirement
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
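The notes on port isolation and on keeping the service VLAN off the AC-to-AP path in tunnel forwarding mode can be checked against a switch command transcript. The following Python audit is an added example, not part of the original guide; its function names, finding labels, the rule that a trunk whose PVID is the management VLAN is an AP-facing port, and the deliberately weakened sample transcript are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: SwitchA from this example (tunnel forwarding, management
# VLAN 100), weakened on GE0/0/3 so that both checks have something to report.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Strips a leading "[SwitchA-...]" or "<HUAWEI>" prompt from a transcript line.
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


@dataclass
class Port:
    name: str
    pvid: int = 1  # VLAN 1 is the default VLAN until "port trunk pvid vlan" is run
    allowed: set = field(default_factory=set)
    isolated: bool = False


def parse_vlans(tokens):
    """Expand a VLAN list such as '100 101', '10 to 20' or 'all' into a set of IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.update(range(1, 4095))
            i += 1
        elif tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens):
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(transcript):
    """Build a per-interface model from the commands typed in each interface view."""
    ports, cur = {}, None
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw).lower().split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            name = "".join(words[1:])
            cur = ports.setdefault(name, Port(name))
        elif words[0] in ("quit", "return"):
            cur = None
        elif cur is None:
            continue
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            cur.pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            cur.allowed |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            cur.isolated = True
        elif words == ["undo", "port-isolate", "enable"]:
            cur.isolated = False
    return ports


def audit(transcript, mgmt_vlan, service_vlans, forwarding):
    """Return (location, finding) pairs for the two configuration notes."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(("global", "mgmt-vlan-equals-service-vlan"))
    for port in parse_ports(transcript).values():
        if port.pvid != mgmt_vlan:  # assumption: AP-facing means PVID == management VLAN
            continue
        if not port.isolated:
            findings.append((port.name, "no-port-isolation"))
        if forwarding == "tunnel" and port.allowed & set(service_vlans):
            findings.append((port.name, "service-vlan-on-ap-link"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SAMPLE, mgmt_vlan=100, service_vlans={101}, forwarding="tunnel"):
        print(f"{where}: {problem}")
```

Run against the unmodified SwitchA commands in Step 1 of this example, the audit returns no findings.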
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
DHCP server               AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.
IP address pool for APs   10.23.100.3-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. Exclude the IP address
10.23.101.2 from being automatically allocated.
NOTE
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure an AP to go online on AC_2.
Configure the AP to go online on AC_2 according to the configuration of AC_1. The
following lists configuration differences between AC_1 and AC_2:
• Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078) on AC_2,
set the AP name to area_2, and add the AP to the AP group ap-group1.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the mobility group.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.
----End
Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode:
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
Data Planning
Item                      Data
DHCP server               AC_1 functions as a DHCP server to assign IP addresses to STAs and APs
                          connected to it.
                          AC_2 functions as a DHCP server to assign IP addresses to STAs and APs
                          connected to it.
IP address pool for APs   10.23.100.2-10.23.100.254/24
                          10.23.200.2-10.23.200.254/24
IP address pool for STAs  10.23.101.2-10.23.101.254/24
                          10.23.102.2-10.23.102.254/24
AP group                  AC_1:
                          • Name: ap-group1
                          • Referenced profiles: VAP profile wlan-net and regulatory domain profile
                            default
                          AC_2:
                          • Name: ap-group2
                          • Referenced profiles: VAP profile wlan-net and regulatory domain profile
                            default
Item Data
AC_2:
• Name: wlan-net
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 102
• Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit
# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.
NOTE
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.200.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
Configure AC_2 according to the configuration of AC_1. The following lists configuration
differences between AC_1 and AC_2.
• Create VLAN 200 and VLAN 102 on AC_2 and add GigabitEthernet0/0/1 to the two
VLANs in tagged mode.
• Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode.
• Set the IP addresses of VLANIF 200 and VLANIF 102 to 10.23.200.1/24 and
10.23.102.1/24 respectively.
• Configure an IP address pool on VLANIF 200 and VLANIF 102.
• Configure the route between AC_2 and AC_1 on AC_2 with the destination address
10.23.100.0/24 and next-hop address 10.23.200.2.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure an AP to go online on AC_2.
Configure the AP to go online on AC_2 according to the configuration of AC_1. The
following lists configuration differences between AC_1 and AC_2:
• Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078) on AC_2,
set the AP name to area_2, and add the AP to the AP group ap-group2.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to Single
VLAN, and Service VLAN ID to 101.
Radio 0 is used as an example. The configuration for other radios is similar and will not be mentioned
here.
NOTE
By default, the global automatic channel and power calibration functions are enabled. Therefore, select
Follow. If the global automatic channel and power calibration functions are disabled, choose
Configuration > AP Config > Radio Planning/ Calibration > Radio Calibration Configuration,
and set Calibration to ON.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan Profile
page is displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile configuration
page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is displayed.
On the Radio Calibration Configuration page, set Triggering condition to Scheduled
and set the start time to 3:00 am.
2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the mobility group.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to the central AP and
RUs.
– SwitchA functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item | Data
IP address pool for the central AP and RUs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
Agile distributed SFN roaming | Enabled
Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central AP and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure agile distributed SFN roaming.
6. Deliver the WLAN services to the central AP and RUs and verify the configuration.
Configuration Notes
• Network planning precautions:
– Agile distributed SFN roaming is supported only by the AD9430DN-12 (including
matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile
distributed SFN roaming in the following combination modes:
▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D
and R240D supports agile distributed SFN roaming; the 5 GHz radio does
not.)
▪ Among the R250D, R250D-E, R251D, R251D-E and R450D
– For the central AP, after agile distributed SFN roaming is enabled, the total number
of agile distributed SFN roaming STAs on a single frequency band (2.4 GHz or 5
GHz) of all RUs does not exceed 128, and that of STAs associated with other VAPs
on the same band does not exceed 128.
– After agile distributed SFN roaming is enabled, configure all RUs to work on the
same channel. When agile distributed SFN roaming is enabled on the 5 GHz
frequency band, configure non-radar channels.
– RUs involved in roaming must be associated with the same central AP. Agile
distributed SFN roaming between central APs is not supported.
– Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed SFN
roaming is not performed on Layer 3.
• Configuration precautions:
– When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5 GHz
radios, it is recommended that different SSIDs be used. Otherwise, the radio
switchover may occur, affecting user experience.
– Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
multiple VAPs are configured on a radio, it is recommended that the total VAP rate
limit on all VAPs with agile distributed SFN roaming disabled be set to 5 Mbit/s.
– Radios enabled with agile distributed SFN roaming do not support channel
scanning, channel calibration, or smart roaming.
– Agile distributed SFN roaming can be configured based only on AP groups but not
based on APs.
– RUs involved in agile distributed SFN roaming need to have the following items
configured the same:
▪ SSID
▪ VAP profile and VAP ID
▪ Security policy. Agile distributed SFN roaming supports these encryption
modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X (EAP
Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to VLAN 100, and
add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/4] quit
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the automatic
channel and power calibration functions, and set the channel to 20-MHz channel 6 and
transmit power to 127 dBm.
# Disable the automatic channel and power calibration functions for ru_2, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm. The configurations are the same as
those for ru_2 and are not described here.
Step 7 Enable agile distributed SFN roaming.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click the AP group ap-group1. The AP group configuration page is displayed.
# Click in front of VAP Configuration and click wlan-net. The VAP profile
configuration page is displayed.
# On the Advanced Configuration page, set SFN to ON. In the dialog box that is displayed,
click OK.
# Set radio parameters related to roaming based on the network planning result. The
configuration is not mentioned here. The following figure shows the default settings.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from ru_1 to ru_2, choose Monitoring > User. In User List, select
the STA of which you want to view the roaming tracks and click Roaming Track. The
roaming tracks of the STA are displayed.
----End
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item | Data
IP address pool for central APs and RUs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface
address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be
assigned.
NOTE
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.101.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-58.
Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled.
Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute.
Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB.
Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms.
Adjust the transmit rate of 2.4 GHz Beacon frames | To reduce wireless resource occupation of Beacon frames and improve channel usage efficiency. | Set the transmit rate of 2.4 GHz Beacon frames to 11 Mbit/s.
Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI.
Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set.
Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
7. Deliver the WLAN services to the APs and verify the configuration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
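A pre-import check for the AP template file used in the Batch Import steps on this page, added here as an example and not part of the Huawei guide: it applies the NOTE's rule (MAC mandatory under MAC address authentication, SN mandatory under SN authentication) and also catches malformed or duplicated identifiers. The CSV column names, the mode labels "mac" and "sn", and the rows marked as constructed are assumptions; the real template layout may differ.

```python
import csv
import io
import re

# Sample template content. Rows 2-3 use the AP values quoted on this page;
# rows 4-6 are constructed to trigger each check. Column names are assumed.
SAMPLE_CSV = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
dcd2-fc04-b500,210235554710CB000078,area_2,ap-group2
60DE-4476-E360,,area_3,ap-group1
,CONSTRUCTEDSN0001,area_4,ap-group1
0011-2233-44zz,CONSTRUCTEDSN0002,area_5,ap-group1
"""


def normalise_mac(text):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def validate_template(csv_text, auth_mode):
    """Check every row against the chosen AP authentication mode.

    auth_mode is "mac" or "sn" (labels chosen for this example).
    Returns a list of (row_number, problem); row 1 is the header.
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    problems = []
    seen_mac, seen_sn = {}, {}
    rows = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(rows, start=2):
        raw_mac = (row.get("AP MAC") or "").strip()
        sn = (row.get("AP SN") or "").strip().upper()
        mac = normalise_mac(raw_mac)

        # MAC: a malformed value is an error in either mode, a missing
        # value only when the AC authenticates APs by MAC address.
        if raw_mac and mac is None:
            problems.append((row_no, "mac-malformed"))
        elif not raw_mac and auth_mode == "mac":
            problems.append((row_no, "mac-missing"))
        elif mac in seen_mac:
            problems.append((row_no, f"mac-duplicate-of-row-{seen_mac[mac]}"))
        elif mac:
            seen_mac[mac] = row_no

        # SN: missing only matters under SN authentication.
        if not sn and auth_mode == "sn":
            problems.append((row_no, "sn-missing"))
        elif sn in seen_sn:
            problems.append((row_no, f"sn-duplicate-of-row-{seen_sn[sn]}"))
        elif sn:
            seen_sn[sn] = row_no
    return problems


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(mode, validate_template(SAMPLE_CSV, mode))
```

Duplicates are compared after normalisation, so the same MAC written in a different case or with different separators is still reported.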
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Set Security settings to Key (applicable to personnel networks) and set the key.
Click Finish.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 1 and transmit power to 127 dBm. Disable automatic channel and
power calibration functions. The configuration of Radio1 is similar to the configuration
of Radio 0, and is not mentioned here.
# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.
----End
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
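An added example (not from the Huawei guide) that audits a saved switch session against the last two notes above: port isolation on AP-facing interfaces, and separation of management and service VLANs in tunnel forwarding mode. The transcript is constructed in the style of this page's listings, and treating a trunk whose PVID is the management VLAN as AP-facing is an assumption based on how this page configures AP ports; the finding codes are names chosen for this example.

```python
import re

# Constructed session transcript in the style of this page's switch listings.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Prompt of a Layer 2 interface view, e.g. "[SwitchA-GigabitEthernet0/0/1] cmd".
IF_PROMPT = re.compile(
    r"^\[[^\]]*?-(?P<port>(?:X?GigabitEthernet|Eth-Trunk)[\d/]+)\]\s*(?P<cmd>.*\S)\s*$"
)


def expand_vlans(tokens):
    """Expand ['100', '101'], ['10', 'to', '12'] or ['all'] into VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(transcript):
    """Collect PVID, explicitly allowed VLANs and isolation state per port."""
    ports = {}
    for line in transcript.splitlines():
        m = IF_PROMPT.match(line.strip())
        if not m:
            continue  # user view, system view, VLANIF view or output line
        # A trunk port keeps PVID 1 until "port trunk pvid vlan" changes it.
        port = ports.setdefault(
            m["port"], {"pvid": 1, "allow": set(), "isolated": False}
        )
        words = m["cmd"].split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allow"] |= expand_vlans(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports


def audit(transcript, mgmt_vlan, service_vlans, forwarding):
    """Return [(port, finding_code)] for the checks described in the lead-in."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(("global", "mgmt-equals-service"))
    for name, port in sorted(parse_ports(transcript).items()):
        if port["pvid"] != mgmt_vlan:
            continue  # assumption: AP-facing ports use the management VLAN as PVID
        if not port["isolated"]:
            findings.append((name, "no-port-isolate"))
        # In tunnel mode only management traffic runs between AC and APs,
        # so a service VLAN on an AP-facing port is unnecessary exposure.
        if forwarding == "tunnel" and port["allow"] & set(service_vlans):
            findings.append((name, "service-vlan-on-ap-port"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, 100, {101}, "direct"):
        print(finding)
```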
Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The MAC addresses are added to the Mesh whitelist.
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.
# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port mode to
Endpoint, add the wired port to VLAN 101 in tagged mode, and set the Port PVID to
101.
# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.
# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.
# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.
# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping. Set
IGMP-Snooping to ON in Global Setting.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.
# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.
----End
Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.
Configuration Notes
• Currently, the load balancing function is implemented in the STA access phase. In
scenarios with complex user service types and unstable traffic, the expected load
balancing effect cannot be achieved. In this case, you are not advised to enable load
balancing based on the channel usage.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure dynamic load balancing.
1. In the RRM profile, enable dynamic load balancing, and set the start threshold for
dynamic load balancing to 15 and load difference threshold to 25%.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. Click Create. The Create RRM Profile page is
displayed.
# Enter the profile name wlan-net and click OK. The RRM Profile page is displayed.
# On the Advanced Configuration tab, enable dynamic load balancing, and set the start
threshold for dynamic load balancing to 15 and load difference threshold to 25%.
----End
Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.
Configuration Notes
• Load balancing takes effect during the STA association stage. In scenarios with complex
user service types and unstable traffic, loads cannot be balanced as expected. In this case,
load balancing based on the channel utilization is not recommended.
• If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
• Each load balancing group supports a maximum of 16 AP radios.
• Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure static load balancing.
1. Create the static load balancing group wlan-static and set the start threshold for static
load balancing to 10 and load difference threshold to 5%.
# Choose Configuration > AP Config > AP Group > Static Load Balancing Group.
The Static Load Balancing Group page is displayed.
# Click Create. On the page that is displayed, enter the profile name wlan-static, and set
the start threshold for static load balancing to 10 and load difference threshold to 5%.
Add AP area_1 and AP area_2 to the static load balancing group.
# Click OK.
Step 2 Verify the configuration.
1. Choose Monitoring > User > User Distribution. The number of STAs on different APs
is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to AP area_2, which has a light load, based on the
configured load balancing group.
----End
Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.
Data Planning
Item Data
Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.
Configuration Notes
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.
• To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure higher power for the 5 GHz radio than for the 2.4 GHz radio.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the band steering function.
1. Enable the band steering function in the VAP profile wlan-net. By default, the band
steering function is enabled.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net. The
VAP profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function.
# Enter the profile name wlan-rrm and click OK. The RRM profile configuration page
is displayed.
# On the Advanced Configuration tab, set the start threshold for load balancing
between radios to 15, and the load difference threshold to 25%.
NOTE
If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
----End
Data Planning
Configuration Roadmap
Configure smart roaming and adjust smart roaming parameters to steer STAs (especially
sticky STAs) to reconnect or roam to APs with strong signals.
NOTE
Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
STAs fail to roam to neighbor APs with better signals. They are called sticky STAs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure smart roaming.
1. In the RRM profile wlan-rrm, enable smart roaming, set the roaming trigger mode to
SNR-based, and set the roaming threshold to 15 dB.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. Click Create. The Create RRM Profile page is
displayed.
# Enter the profile name wlan-rrm and click OK. The RRM Profile page is displayed.
----End
Networking Requirements
Data Planning
Item Data
Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.
Configuration Notes
• If air scan related functions, such as WIDS, spectrum analysis, and terminal location,
are enabled for a radio in normal mode, the radio transmits common WLAN service
data and also provides the monitoring function, which may affect transmission of
common WLAN service data.
• In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
the scanning interval be set to no more than 10 seconds and the scanning duration to
100 ms.
• The channels to be scanned for spectrum analysis are fixed as all channels supported by
the corresponding country code of an AP and are irrelevant to the configuration in an air
scan profile.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure spectrum analysis.
1. Set spectrum analysis parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose AP > AP System Profile. The AP
System Profile page is displayed.
# Click Create. The Create AP System Profile page is displayed. Enter the profile
name wlan-spectrum and click OK. The AP system profile configuration page is
displayed.
# On the Advanced Configuration tab, set related parameters.
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Click Radio 0. On the Radio 0 Settings(2.4G) page that is displayed, set the radio
parameters.
# Click Apply. In the dialog box that is displayed, click OK. The 5G radio configuration
is similar and not mentioned here.
d. Select your desired spectrum chart from the drop-down list box in the upper left
corner. You can select Lower or Upper on the spectrum charts of a 5G radio to
view spectrum charts of different frequencies.
e. The Real-Time FFT chart shows that the signal strength of interference is mostly
within the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click
Modify, set the signal strength scope at both ends of the color bar, and click Apply.
The Swept Spectrogram chart shows that channel 149 has the most severe
interference.
f. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-60 Networking for configuring rogue device detection and containment
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.
# Click Apply. In the Info dialog box that is displayed, click OK.
Step 8 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
• Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.
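The interaction between roadmap items 2 and 3 (threshold-based attack detection feeding a dynamic blacklist that ages out) can be modelled as follows. This is an added example, not code or behavior taken from the Huawei guide: the class and function names, the thresholds, detection windows, aging time, and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed values for illustration only; the guide does not state them here.
RULES = {
    "psk_fail": (5, 60),      # 5 failed WPA2-PSK key negotiations within 60 s
    "mgmt_flood": (20, 10),   # 20 same-type management frames within 10 s
}
AGING_TIME = 600              # seconds a MAC stays on the dynamic blacklist


class WidsModel:
    """Toy model: per-MAC sliding-window detection plus an aging blacklist."""

    def __init__(self, rules, aging_time):
        self.rules = rules
        self.aging_time = aging_time
        self._seen = defaultdict(deque)   # (mac, kind) -> recent timestamps
        self.blacklist = {}               # mac -> expiry timestamp
        self.alerts = []                  # (timestamp, mac, kind)

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                 # entry has aged out
            del self.blacklist[mac]
            return False
        return True

    def observe(self, ts, mac, kind):
        """Return 'rejected', 'blacklisted' or 'accepted' for one frame."""
        if self.is_blacklisted(mac, ts):
            return "rejected"             # dropped until the entry ages out
        if kind not in self.rules:
            return "accepted"             # frame type is not monitored
        threshold, window = self.rules[kind]
        seen = self._seen[(mac, kind)]
        seen.append(ts)
        while seen and seen[0] <= ts - window:
            seen.popleft()                # forget events outside the window
        if len(seen) >= threshold:
            self.blacklist[mac] = ts + self.aging_time
            self.alerts.append((ts, mac, kind))
            seen.clear()
            return "blacklisted"
        return "accepted"


def constructed_events():
    """Constructed sample traffic: (timestamp_seconds, source_mac, kind)."""
    attacker, typo_user, flooder = "0200-0000-00aa", "0200-0000-00bb", "0200-0000-00cc"
    events = [(t, attacker, "psk_fail") for t in (0, 5, 10, 15, 20)]
    # A legitimate user mistyping the key twice, far apart, must not trip the rule.
    events += [(0, typo_user, "psk_fail"), (100, typo_user, "psk_fail")]
    events += [(200 + i * 0.25, flooder, "mgmt_flood") for i in range(20)]
    # Later frames from the first source: inside and just past the aging time.
    events += [(30, attacker, "data"), (619, attacker, "psk_fail"), (620, attacker, "data")]
    return sorted(events, key=lambda e: e[0])


def replay(events, rules=RULES, aging_time=AGING_TIME):
    model = WidsModel(rules, aging_time)
    verdicts = [(ts, mac, kind, model.observe(ts, mac, kind)) for ts, mac, kind in events]
    return model, verdicts


if __name__ == "__main__":
    model, verdicts = replay(constructed_events())
    for ts, mac, kind, verdict in verdicts:
        if verdict != "accepted":
            print(f"t={ts:>7} {mac} {kind:<10} {verdict}")
    print("alerts:", model.alerts)
```

The aging time is the trade-off to tune: too short and a blocked source resumes quickly, too long and a spoofed source MAC keeps a legitimate STA locked out.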
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 0.
# Click Apply. In the Info dialog box that is displayed, click OK.
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 1 in the same way.
2. Create WIDS profile wlan-wids, and set parameters for attack detection.
# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed. Click
Advanced Configuration.
# Set parameters for brute force PSK cracking attack detection for WPA2-PSK
authentication and for flood attack detection. Enable the dynamic blacklist
function.
# Click Apply. In the Info dialog box that is displayed, click OK.
3. Create AP system profile wlan-system, and set the aging time of the dynamic blacklist.
# Choose AP > AP System Profile. The AP System Profile List page is displayed.
# Click Create. The Create AP System Profile page is displayed.
# Enter the name of the new AP system profile wlan-system in Profile name, and click
OK. The parameter setting page of the new AP system profile is displayed. Click
Advanced Configuration.
# Set the aging time of the dynamic blacklist to 200 seconds.
# Click Apply. In the Info dialog box that is displayed, click OK.
# Click Apply. In the Info dialog box that is displayed, click OK.
Choose Monitoring > WIDS and view attack detection result in the Attack Detection area.
----End
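How brute force detection and the dynamic blacklist aging time interact, as an added sketch that is not Huawei's implementation: a sliding-window failure counter replayed over constructed key negotiation events. The 200-second aging time comes from this example; the detection window, the threshold, the MAC addresses and the event format are assumptions.

```python
from collections import defaultdict, deque

AGING_TIME = 200      # seconds; dynamic blacklist aging time set in this example
DETECT_WINDOW = 60    # seconds; assumed detection period (not given on this page)
FAIL_THRESHOLD = 5    # failed key negotiations per window; assumed

ATTACKER = "00e0-fc11-2233"   # constructed MAC addresses
USER = "00e0-fc44-5566"

# Constructed events: (time in seconds, STA MAC, WPA2-PSK key negotiation result)
EVENTS = [
    (0, ATTACKER, "fail"), (5, USER, "fail"), (10, ATTACKER, "fail"),
    (15, USER, "ok"), (20, ATTACKER, "fail"), (30, ATTACKER, "fail"),
    (40, ATTACKER, "fail"), (50, ATTACKER, "fail"), (100, USER, "fail"),
    (239, ATTACKER, "fail"), (240, ATTACKER, "fail"),
]


class DynamicBlacklist:
    def __init__(self, window=DETECT_WINDOW, threshold=FAIL_THRESHOLD, aging=AGING_TIME):
        self.window = window
        self.threshold = threshold
        self.aging = aging
        self.failures = defaultdict(deque)   # MAC -> timestamps of recent failures
        self.blocked_until = {}              # MAC -> time at which the entry ages out

    def is_blocked(self, mac, now):
        expiry = self.blocked_until.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                    # entry has aged out, remove it
            del self.blocked_until[mac]
            return False
        return True

    def observe(self, ts, mac, result):
        """Classify one event as 'dropped', 'ok', 'counted' or 'blacklisted'."""
        if self.is_blocked(mac, ts):
            return "dropped"                 # frames from a blacklisted STA are discarded
        if result != "fail":
            return "ok"
        recent = self.failures[mac]
        recent.append(ts)
        while ts - recent[0] >= self.window: # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[mac] = ts + self.aging
            recent.clear()                   # counting restarts after the entry ages out
            return "blacklisted"
        return "counted"


def replay(events, **params):
    """Run the events through a fresh detector and return the outcome of each."""
    detector = DynamicBlacklist(**params)
    return [detector.observe(ts, mac, result) for ts, mac, result in events]


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

The legitimate user's two isolated failures never reach the threshold, while the blocked STA stays dropped until second 240, when its entry ages out and counting starts again.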
Service Requirements
An enterprise needs to provide WLAN services for management personnel so that they can
connect to the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
Because the enterprise has only a small number of management personnel, the MAC addresses
of their STAs can be added to a STA whitelist. In this manner, STAs of other employees cannot
connect to the WLAN.
In addition, network administrators have detected unauthorized access by some STAs and
need to deny them access. The administrators can add the MAC addresses of these STAs to the
blacklist, while other authorized STAs can still connect to the WLAN.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-62 Networking for configuring the STA blacklist and whitelist
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE
The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
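One way to check the SwitchA session above against the Configuration Notes (port isolation on the AP-facing port, distinct management and service VLANs in tunnel forwarding mode), as an added example that is not part of the Huawei documentation. It assumes GE0/0/1 is the AP-facing port and reads the tunnel forwarding note as "the service VLAN should not be trunked toward the AP"; the drifted session is constructed.

```python
import re

# Matches "[SwitchA-GigabitEthernet0/0/1] command"; hostnames containing "-" are not handled.
PROMPT = re.compile(r"^\[(?P<host>[^\]\-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")

AP_PORT = "GigabitEthernet0/0/1"    # assumed AP-facing port (it carries the PVID and isolation)
MGMT_VLAN, SERVICE_VLAN = 100, 101  # management and service VLANs used in this example

# SwitchA session as given in Step 1.
SWITCHA_PAGE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
"""

# Constructed drifted variant: no isolation, no PVID, service VLAN trunked to the AP.
SWITCHA_DRIFTED = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
"""


def parse_session(text):
    """Map each interface view name to the list of commands entered in it."""
    views = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("view"):
            views.setdefault(m.group("view"), []).append(m.group("cmd").strip())
    return views


def vlan_set(tokens):
    """Expand ['100', '101'], ['100', 'to', '110'] or ['all'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_port(views, ap_port=AP_PORT, mgmt_vlan=MGMT_VLAN,
                  service_vlan=SERVICE_VLAN, tunnel=True):
    """Return a list of findings for the AP-facing port; an empty list means it passes."""
    findings = []
    if tunnel and mgmt_vlan == service_vlan:
        findings.append("management and service VLAN are the same in tunnel forwarding mode")
    cmds = views.get(ap_port, [])
    if not cmds:
        return findings + [f"{ap_port}: no configuration found"]
    if "port-isolate enable" not in cmds:
        findings.append(f"{ap_port}: port isolation is not enabled")
    pvid, allowed = 1, set()          # VLAN 1 is the default PVID until one is configured
    for cmd in cmds:
        words = cmd.split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed |= vlan_set(words[4:])
    if pvid != mgmt_vlan:
        findings.append(f"{ap_port}: PVID {pvid} is not management VLAN {mgmt_vlan}")
    if mgmt_vlan not in allowed:
        findings.append(f"{ap_port}: management VLAN {mgmt_vlan} is not allowed on the trunk")
    if tunnel and service_vlan != mgmt_vlan and service_vlan in allowed:
        findings.append(f"{ap_port}: service VLAN {service_vlan} is trunked toward the AP")
    return findings


if __name__ == "__main__":
    for name, session in (("page", SWITCHA_PAGE), ("drifted", SWITCHA_DRIFTED)):
        print(name, audit_ap_port(parse_session(session)) or "OK")
```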
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
# Click OK.
Step 8 Configure a global STA blacklist.
1. Create AP system profile wlan-system.
# Click in front of AP. Under it, click AP System Profile. The AP System Profile
page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name wlan-system and click OK. The AP System Profile configuration page is
displayed.
# Click Apply. In the Info dialog box that is displayed, click OK.
2. Configure STA blacklist profile sta-blacklist and add MAC addresses of STA3 and
STA4 to the blacklist.
# Click in front of AP System Profile. Under it, click STA Blacklist Profile. On the
STA Blacklist Profile page, select Blacklist.
# Click Create. The Create STA Blacklist Profile page is displayed.
# Enter the name of the new STA blacklist profile sta-blacklist in Profile name, and
click OK. The parameter setting page of the new STA blacklist profile is displayed.
# Click Add. The Add MAC Address page is displayed.
# Add MAC addresses of STA3 and STA4 to the blacklist.
# Click OK.
Step 9 Verify the configuration.
The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.
----End
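The scoping of the two lists in this example, as an added model that is not Huawei code: the whitelist applies to one VAP, the blacklist to the whole AP, and one profile cannot hold both. The MAC addresses, the second VAP named GUEST and the rule that a STA must be permitted at both levels are assumptions made for illustration.

```python
import re


def norm_mac(mac):
    """Normalize 60de-4476-e360, 60:DE:44:76:E3:60 or 60DE4476E360 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class StaAccessList:
    """STA access control bound to one profile (a VAP profile or an AP system profile)."""

    def __init__(self, whitelist=None, blacklist=None):
        # Per the NOTE in this example, a profile cannot apply both lists at once.
        if whitelist is not None and blacklist is not None:
            raise ValueError("whitelist and blacklist cannot both be applied to one profile")
        self.whitelist = None if whitelist is None else {norm_mac(m) for m in whitelist}
        self.blacklist = None if blacklist is None else {norm_mac(m) for m in blacklist}

    def permits(self, mac):
        mac = norm_mac(mac)
        if self.whitelist is not None:
            return mac in self.whitelist      # only listed STAs may associate
        if self.blacklist is not None:
            return mac not in self.blacklist  # listed STAs are rejected
        return True                           # no list bound: no MAC restriction


def can_associate(mac, vap_profile, ap_system_profile):
    """Assumed combination rule: the STA must be permitted at both the VAP and the AP level."""
    return vap_profile.permits(mac) and ap_system_profile.permits(mac)


# Constructed MAC addresses standing in for STA1 to STA4 and an unlisted STA5.
STA1, STA2 = "0011-2233-4401", "0011-2233-4402"
STA3, STA4 = "0011-2233-4403", "0011-2233-4404"
STA5 = "0011-2233-4405"

WLAN_NET = StaAccessList(whitelist=[STA1, STA2])   # VAP-level whitelist (management personnel)
GUEST = StaAccessList()                            # hypothetical second VAP with no list
AP_SYSTEM = StaAccessList(blacklist=[STA3, STA4])  # AP-level blacklist (profile sta-blacklist)


def access_matrix():
    """Return {(sta, vap): allowed} for every STA against both VAPs on the AP."""
    stas = {"STA1": STA1, "STA2": STA2, "STA3": STA3, "STA4": STA4, "STA5": STA5}
    vaps = {"wlan-net": WLAN_NET, "guest": GUEST}
    return {(s, v): can_associate(mac, prof, AP_SYSTEM)
            for s, mac in stas.items() for v, prof in vaps.items()}


if __name__ == "__main__":
    for key, allowed in access_matrix().items():
        print(key, "permit" if allowed else "deny")
```

The VAP-level whitelist leaves the other VAP untouched, which is why the roadmap binds it to the VAP rather than the AP, while the AP-level blacklist rejects STA3 and STA4 on every VAP of that AP.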
After accessing the network, users have a poor experience with voice and video services. The
administrator wants to prioritize forwarding of voice and video service traffic to
improve user experience.
Data Planning
Item Data
Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the WMM function.
1. In the radio profile, enable the WMM function and set EDCA parameters on APs to
enable voice and video services to preferentially use network bandwidth.
NOTE
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# On the Advanced Configuration tab, enable the WMM function, select scenario
Voice and video, and retain the default settings of EDCA parameters. Click Apply. In
the dialog box that is displayed, click OK.
2. In the SSID profile, enable the WMM function and set EDCA parameters on STAs to
enable voice and video services to preferentially use network bandwidth.
# On the Advanced Configuration tab, select scenario Voice and video and retain the
default settings of EDCA parameters. Click Apply. In the dialog box that is displayed,
click OK.
This example requires that voice and video packets have the highest priority so that these
packets are preferentially transmitted. By default, the uplink and downlink mapping modes on
the air interface are 802.11e and DSCP, respectively. The uplink and downlink priority
mapping on the air interface can ensure that voice and video packets have the highest tunnel
DSCP priority. Therefore, you do not need to modify default priority mapping.
To change the default priority mapping, for example, to give video packets a higher
priority than voice packets, follow this step.
# In the AP group list, click ap-group1. Click in front of VAP Configuration. Under it,
click in front of wlan-net. Click Traffic Profile. The Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, configure priority mapping and set the mapped
priority of video packets higher than that of the voice packets.
NOTE
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the voice packets are
32 and 40. Based on the settings, video packets will be preferentially transmitted.
# Click Apply. In the Info dialog box that is displayed, click OK.
----End
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.
Data Planning
Item Data
Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure traffic policing.
Create traffic profile wlan-traffic. Set the uplink rate limit of a single STA to 2 Mbit/s and the
total uplink rate limit of all STAs on the VAP to 30 Mbit/s.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Click in front of VAP Configuration. Under it,
click in front of wlan-net. Click Traffic Profile. The Traffic Profile page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The parameter
setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, set the uplink rate limit to 2 Mbit/s for STAs and to
30 Mbit/s for VAPs.
# Click Apply. In the Info dialog box that is displayed, click OK.
Step 2 Verify the configuration.
1. STAs efficiently utilize network resources, reducing network congestion.
----End
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that multiple users on the network be able to fairly use network
bandwidth to improve overall user experience.
Data Planning
Item Data
Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure airtime fair scheduling.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Click in front of Radio Management. Under it,
click in front of radio 0.
# Click in front of 2G Radio Profile, and click RRM Profile. Click Create. On the page
that is displayed, set Profile name to wlan-rrm and click OK. The RRM Profile
configuration page is displayed.
# Enable airtime fair scheduling in the RRM profile.
----End
Data Planning
Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Configure ACL-based packet filtering.
1. Create ACL 3001 to deny packets with source IP address 10.23.101.10 and
destination IPv4 address 10.23.101.11.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL dialog box that is displayed, set the ACL
name to ACL3001 and ACL number to 3001. Click OK.
# Click Add Rule in the new ACL.
# Click OK.
2. Create traffic profile wlan-traffic and apply the ACL to it.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click Apply. In the Info dialog box that is displayed, click OK.
Step 2 Verify the configuration.
1. Packets with the source IP address of 10.23.101.10 and destination IP address of
10.23.101.11 are forbidden to pass, achieving network traffic control.
----End
Figure 5-67 Networking for configuring optimization for voice and video services
Data Planning
Item Data
Configuration Roadmap
1. Enable the SAC function.
2. Configure optimization for voice and video services so that QQ and WeChat voice and
video services have a higher priority than data services.
Configuration Notes
• The configuration of optimization for voice and video services supports only tunnel
forwarding.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Enable the security engine.
NOTE
After the security engine is enabled, the system automatically loads the default signature database.
# Choose Configuration > Security > Attack Defense. The Attack Defense page is
displayed.
Step 2 Create an SAC profile and bind it to the VAP profile mapping the AP group ap-group1.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group name ap-group1. Click next to VAP
Configuration and next to wlan-net, and select SAC Profile.
# Click SAC Profile and enter wlan-sac in Profile name. Click OK. The SAC Profile page
is displayed.
# Click OK. In the dialog box that is displayed, click OK.
Step 3 Enable optimization for voice and video services on QQ and WeChat.
# Choose Configuration > Other Services > App Identification & Optimization >
Voice&Video Optimization. The Voice & Video Optimization page is displayed.
# Set Voice optimization and Video optimization to ON.
# Set the applications' Voice optimization and Video optimization to OFF except qq and
weixin.
NOTE
By default, dynamic optimization for voice and video services is enabled for all applications in Application
Detection Optimization List. To modify the status of the function for an application, select the application
and set Voice Detection Optimization and Video Detection Optimization to ON or OFF.
# In the AP group list, click the AP group name ap-group1. Click next to Radio
Management and next to Radio 0.
# Click next to 2G Radio Profile and select RRM Profile. Click Create, enter wlan-rrm
in Profile name, and then click OK. The RRM Profile configuration page is displayed.
# On the Advanced Configuration tab, disable Dynamic EDCA and enable Multimedia air
interface optimization.
# Click next to Radio 0 and next to 5G Radio Management, and select RRM
Profile. The RRM profile configuration page is displayed.
# Click the drop-down list box next to RRM Profile and select wlan-rrm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 5 Verify the configuration.
1. Voice and video communication on QQ and WeChat works normally, and users have a
good experience in the voice and video services of QQ and WeChat.
----End
Data Planning
Skype4B server port number    9000
Configuration Roadmap
1. Configure priorities for Skype4B packets to set higher priorities for voice and video
packets than those of desktop sharing and file transfer packets.
2. Configure the AC to interact with the Skype4B server.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure priorities for Skype4B packets.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Click in front of VAP Configuration. Under it,
click in front of wlan-net. Click UCC Profile. The UCC Profile page is displayed.
# Click Create. The Create UCC Profile page is displayed.
# Enter the UCC profile name wlan-ucc in Profile name and click OK. The parameter setting
page of the new UCC profile is displayed.
# Configure priorities for Skype4B packets according to the following figure.
NOTE
● The port number of the HTTP service specified on the AC must be consistent with the port number on the
Skype4B server.
● You need to specify the IP address of the AC for the Skype4B server and the port number of the Skype4B
server.
----End
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.
Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Adjust network parameters for e-schoolbag.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.17.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
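The checks from the Configuration Notes can be run against the Step 1 commands before they are applied. The following Python audit is an added example, not part of the Huawei guide; it assumes that a trunk port whose PVID is the management VLAN is AP-facing, and GE0/0/5 in the sample is a constructed interface.

```python
import re

# Constructed input: the SwitchA commands from Step 1 plus one hypothetical
# AP-facing port (GE0/0/5) that was left without port isolation.
TRANSCRIPT = """\
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/5
[SwitchA-GigabitEthernet0/0/5] port link-type trunk
[SwitchA-GigabitEthernet0/0/5] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/5] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/5] quit
"""

# Strips a leading "[SwitchA-...]" or "<HUAWEI>" prompt from a transcript line.
PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")


def expand_vlans(tokens):
    """Expand allow-pass operands such as ['100', 'to', '101'] or ['all']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.update(range(1, 4095))
            i += 1
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Collect PVID, allowed VLANs and port-isolation state per interface."""
    ifaces, current = {}, None
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 3:
            current = ifaces.setdefault(
                f"{words[1]} {words[2]}",
                {"pvid": None, "allowed": set(), "isolated": False})
        elif words[0] == "quit":
            current = None
        elif current is None:
            continue
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            current["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allowed"] |= expand_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            current["isolated"] = True
    return ifaces


def audit(transcript, mgmt_vlan=100, service_vlan=101, forwarding="direct"):
    """Return (interface, finding) pairs for the rules in the Configuration Notes."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append(("global", "management and service VLAN are the same"))
    for name, cfg in parse_interfaces(transcript).items():
        # Assumption: PVID equal to the management VLAN marks an AP-facing port.
        if cfg["pvid"] != mgmt_vlan:
            continue
        if not cfg["isolated"]:
            findings.append((name, "port isolation not enabled"))
        # In tunnel forwarding only management-VLAN packets belong on AP links.
        if forwarding == "tunnel" and service_vlan in cfg["allowed"]:
            findings.append((name, "service VLAN allowed on AP-facing port"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(TRANSCRIPT):
        print(f"{iface}: {problem}")
```

Run with `forwarding="tunnel"` to also flag AP-facing ports that still carry the service VLAN.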
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
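The template rules in the NOTE above (which identifier is mandatory in each AP authentication mode) can be checked before the file is imported. This Python validator is an added example, not Huawei's tooling; the CSV layout with the column names AP MAC, AP SN, AP Name and AP Group is an assumption, and every sample row after the first is constructed.

```python
import csv
import io
import re

# MAC addresses in the xxxx-xxxx-xxxx notation used on this page.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)
# Assumption: a serial number is a non-empty alphanumeric string.
SN_RE = re.compile(r"^[0-9A-Za-z]+$")

# Constructed sample; only the first data row is taken from the page.
SAMPLE = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
,CONSTRUCTEDSN0000002,area_2,ap-group1
60DE-4476-E360,,area_3,ap-group1
60de-4476-e3zz,,area_4,ap-group1
"""


def validate(template_text, auth_mode):
    """Return (line, message) findings for an AP template.

    auth_mode is 'mac' (MAC address authentication) or 'sn' (SN authentication).
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    required = "AP MAC" if auth_mode == "mac" else "AP SN"
    # Per field: format check and the normalisation used to spot duplicates.
    checks = {"AP MAC": (MAC_RE, str.lower), "AP SN": (SN_RE, str.upper)}
    seen = {field: {} for field in checks}
    findings = []
    reader = csv.DictReader(io.StringIO(template_text))
    for row in reader:
        line = reader.line_num
        for field, (pattern, normalise) in checks.items():
            value = (row.get(field) or "").strip()
            if not value:
                if field == required:
                    findings.append(
                        (line, f"{field} is mandatory in {auth_mode} authentication mode"))
                continue
            if not pattern.match(value):
                findings.append((line, f"{field} is malformed: {value!r}"))
                continue
            key = normalise(value)
            if key in seen[field]:
                findings.append((line, f"{field} duplicates line {seen[field][key]}"))
            else:
                seen[field][key] = line
    return findings


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(mode, validate(SAMPLE, mode))
```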
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Choose VAP Configuration > wlan-net > SSID Profile. The SSID Profile page is
displayed.
# On the Advanced Configuration tab, set the maximum number of users to 128. Set
EDCA parameters for AC_BE packets on STAs as follows: AIFSN to 3, ECWmin to 7,
and ECWmax to 10.
# Choose VAP Configuration > wlan-net > Traffic Profile. The Traffic Profile page is
displayed.
# Click Create. On the Create Traffic Profile page that is displayed, enter the profile
name wlan-traffic and click OK. The traffic profile configuration page is displayed.
# Set the upstream and downstream rate limits to 4000 kbit/s and 4000 kbit/s for STAs,
respectively.
# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio Profile
page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile. The
RRM Profile page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable airtime fair scheduling.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. Disable automatic channel and power
calibration functions.
# Click Radio1 and Radio2 to set the channel to 20-MHz channel 149 and 20-MHz channel
153 respectively and transmit power to 127 dBm. The configuration is similar to that of
Radio0.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_B) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Select Config Wizard to configure the APs to go online on the AC.
2. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
3. In Profile Management, change the security policy to WPA2, and complete the
Hotspot2.0 service configuration based on the data planning.
4. Complete service verification.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
3. Choose VAP Configuration > wlan-net > Hotspot2.0 Profile. The Hotspot2.0 profile
page is displayed. Click Create. On the Create Hotspot2.0 Profile page that is
displayed, set Profile name to wlan-net and click OK. Configure parameters and click
Apply. In the dialog box that is displayed, click OK.
4. Click in front of Hotspot2.0 Profile and select Cellular Network Profile. The
Cellular Network Profile page is displayed. Click Create. The Create Cellular
Network Profile page is displayed. Set Profile name to wlan-net, and click OK. Set
PLMN ID, and click Apply. In the dialog box that is displayed, click OK.
6. Select NAI Realm Profile. The NAI Realm Profile page is displayed. Click Create.
The Create NAI Realm Profile page is displayed. Set Profile name to wlan-net, and
click OK. Set Realm name, and click Apply. In the dialog box that is displayed, click
OK.
8. Select Operator Domain Profile. The Operator Domain Profile page is displayed.
Click Create. The Create Operator Domain Profile page is displayed. Set Profile name
to wlan-net, and click OK. Set Domain name, and click Apply. In the dialog box that is
displayed, click OK.
9. Select Carrier Name Profile. The Carrier Name Profile page is displayed. Click
Create. The Create Carrier Name Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set Operator name, and click Apply. In the dialog box that is
displayed, click OK.
10. Select Venue Name Profile. The Venue Name Profile page is displayed. Click Create.
The Create Venue Name Profile page is displayed. Set Profile name to wlan-net, and
click OK. Set Venue name, and click Apply. In the dialog box that is displayed, click
OK.
11. Select Operating Class Profile. The Operating Class Profile page is displayed. Click
Create. The Create Operating Class Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set Frequency band indication No., and click Apply. In the
dialog box that is displayed, click OK.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To improve data transmission reliability, the enterprise requires that data forwarding
not be affected even when the AC is faulty.
Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
Figure 5-71 Networking for configuring service holding upon WLAN CAPWAP link
disconnection
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit
Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.1.1.2/24. You do not need to configure DHCP
on the AC.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
Step 6 Create an AP system profile and configure service holding upon link disconnection.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the profile
name ap-system and click OK. The AP system profile configuration page is displayed.
# Set Policy for service holding upon link disconnection to Holding and prohibiting new
user access.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.
----End
Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
Figure 5-72 Networking for configuring channel switching without service interruption
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.
6. Deliver the WLAN services to the APs and verify the configuration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.1.1.2/24. You do not need to configure DHCP
on the AC.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
Step 6 Create radio profiles and configure channel switching without service interruption.
NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
The WLAN with the SSID wlan-net is available, and STAs can access the WLAN properly.
When the channel of AP1 or AP2 is changed, service data forwarding of STAs in Area A is
not affected.
----End
Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.
Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure global parameters on the AC.
3. Configure an AP to go online.
4. Configure a static IP address for the AP and enable the AP to go online.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
When the IP address in the interface address pool is statically bound to a MAC address, the IP address
must be in the range of IP addresses that can be assigned dynamically.
# Click OK.
Step 5 Verify the configuration.
After the configuration is complete, you can check online information about the AP with the
IP address 10.23.100.100 in AP List.
----End
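The NOTE in the batch-import step above says which AP identifier is mandatory under MAC address authentication and which under SN authentication. The following pre-import check is an added example, not part of the Huawei documentation or tooling. The CSV column layout, the 20-character SN pattern, and the function name validate_ap_rows are assumptions, and the real AP template file may be laid out differently.

```python
import csv
import io
import re

# Huawei-style MAC notation as shown on the page (60de-4476-e360).
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
# Assumption: SNs are 20 upper-case alphanumerics, like the page's sample.
SN_RE = re.compile(r"^[0-9A-Z]{20}$")

def validate_ap_rows(csv_text, auth_mode):
    """Return [(line_no, message)] problems; an empty list means clean.
    auth_mode "mac": AP MAC mandatory; auth_mode "sn": AP SN mandatory."""
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    key_col = "AP MAC" if auth_mode == "mac" else "AP SN"
    problems, seen = [], {"AP MAC": {}, "AP SN": {}, "AP Name": {}}
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        mac, sn = row.get("AP MAC", "").lower(), row.get("AP SN", "").upper()
        row["AP MAC"], row["AP SN"] = mac, sn
        if not row[key_col]:
            problems.append((line_no, f"{key_col} is mandatory in {auth_mode} authentication"))
        if mac and not MAC_RE.match(mac):
            problems.append((line_no, f"malformed AP MAC {mac!r}"))
        if sn and not SN_RE.match(sn):
            problems.append((line_no, f"malformed AP SN {sn!r}"))
        if not row.get("AP Group"):
            problems.append((line_no, "AP Group is empty"))
        # An identifier listed twice would let two devices claim one identity.
        for col in seen:
            val = row.get(col, "")
            if val and val in seen[col]:
                problems.append((line_no, f"duplicate {col} (first on line {seen[col][val]})"))
            elif val:
                seen[col][val] = line_no
    return problems

# Constructed sample: only the first data row uses values from the page.
SAMPLE = """AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
,210235419610CB009999,area_2,ap-group1
60DE-4476-E360,,area_3,ap-group1
60de:4476:e361,,area_4,
"""
```

Run the check with the same authentication mode that is configured on the AC, because a row that passes in SN mode can still be rejected in MAC mode.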