S5700 Configuration Guide - WLAN-AC
V200R012C00
Issue 04
Date 2018-08-17
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the WLAN feature supported by the device.
This document describes how to configure the WLAN feature. The
S5720HI&S5730HI&S6720HI are referred to as Access Controllers (ACs) in this document
to facilitate WLAN AC function descriptions unless otherwise stated.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
To obtain better user experience, you are advised to set the number of columns displayed on
the command line editor to 132 or higher.
Security Conventions
• Password setting
– To ensure device security, use ciphertext when configuring a password and change
the password periodically.
– The switch considers all passwords starting and ending with %^%#, %#%#, %@%@
or @%@% as ciphertext and attempts to decrypt them. If you configure a
plaintext password that starts and ends with %^%#, %#%#, %@%@ or @%@%,
the switch decrypts it and records it into the configuration file (plaintext passwords
are not recorded for the sake of security). Therefore, do not set a password starting
and ending with %^%#, %#%#, %@%@ or @%@%.
– When you configure passwords in ciphertext, different features must use different
ciphertext passwords. For example, the ciphertext password set for the AAA feature
cannot be used for other features.
• Encryption algorithms
The switch currently supports 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES,
RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using
the encryption algorithms DES, 3DES, RSA (RSA-1024 or lower), MD5 (in digital
signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is
a security risk. If protocols allow, use more secure encryption algorithms, such as AES,
RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
An irreversible encryption algorithm must be used for the administrator password. SHA2
is recommended for this purpose.
• Personal data
Some personal data (such as MAC or IP addresses of terminals) may be obtained or used
during operation or fault location of your purchased products, services, or features, so you
have an obligation to make privacy policies and take measures according to the
applicable law of the country to protect personal data.
• Mirroring
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
document are mentioned only to describe the product's function of communication error
or failure detection, and do not involve collection or processing of any personal
information or communication data of users.
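The password and algorithm conventions above can be checked before a provisioning plan is pushed to a switch. The following Python sketch is an added example, not part of the Huawei guide: the plan layout, the labels and the sample passwords are constructed, and treating any listed marker at the start combined with any listed marker at the end as ciphertext is a conservative assumption.

```python
# Added example, not from the guide: pre-provisioning checks built from the
# Security Conventions above. Labels and passwords below are constructed.

CIPHER_MARKERS = ("%^%#", "%#%#", "%@%@", "@%@%")   # markers listed in the guide
REVERSIBLE = {"3DES", "RSA", "AES"}                 # as classified by the guide
PASSWORD_USES = {"password", "admin-password"}


def looks_like_ciphertext(password):
    """True if the switch would take this plaintext for ciphertext.

    Assumption: the start and end markers need not be the same one, and a
    string that is exactly one marker long (start and end overlap) counts.
    """
    return password.startswith(CIPHER_MARKERS) and password.endswith(CIPHER_MARKERS)


def _norm(name):
    return name.upper().replace("-", "").replace("_", "")


def rate_algorithm(name, use=None, key_bits=None):
    """Return 'risk', 'recommended' or 'unrated' according to the guide's list.

    use is 'signature', 'password', 'admin-password' or None.
    """
    alg = _norm(name)
    if alg in ("DES", "3DES"):
        return "risk"
    if alg == "RSA":
        if key_bits is not None and key_bits <= 1024:
            return "risk"
        if key_bits is not None and key_bits >= 2048:
            return "recommended"
        return "unrated"            # the guide rates neither 1025..2047 bits
    if alg == "MD5":                # risky for signatures and password encryption
        return "risk" if use == "signature" or use in PASSWORD_USES else "unrated"
    if alg == "SHA1":               # risky for signatures
        return "risk" if use == "signature" else "unrated"
    if alg in ("AES", "SHA2", "HMACSHA2"):
        return "recommended"
    return "unrated"


def review_plan(plan):
    """Return (label, finding) pairs for a provisioning plan."""
    findings = []
    for label, password in plan["passwords"].items():
        if looks_like_ciphertext(password):
            findings.append((label, "would be parsed as ciphertext"))
    for label, (alg, use, bits) in plan["algorithms"].items():
        if use == "admin-password" and _norm(alg) in REVERSIBLE:
            findings.append((label, "reversible algorithm for administrator password"))
        elif rate_algorithm(alg, use, bits) == "risk":
            findings.append((label, "algorithm listed as a security risk"))
    return findings


# Constructed sample plan; none of these values come from a real device.
SAMPLE_PLAN = {
    "passwords": {
        "radius-shared-key": "%^%#Winter2018%^%#",    # same marker at both ends
        "snmp-community": "%@%@mixed-ends@%@%",       # different markers at the ends
        "ap-login": "S3cure-%^%#-inside",             # marker only in the middle
    },
    "algorithms": {
        "admin-password-hash": ("AES", "admin-password", None),
        "local-cert-key": ("RSA", "signature", 1024),
        "image-signature": ("SHA1", "signature", None),
        "mgmt-cert-key": ("RSA", "signature", 2048),
        "user-password-hash": ("SHA2", "password", None),
    },
}

if __name__ == "__main__":
    for label, finding in review_plan(SAMPLE_PLAN):
        print(f"{label}: {finding}")
```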
Disclaimer
This document is designed as a reference for you to configure your devices. Its contents,
including web pages, command line input and output, are based on laboratory conditions. It
provides instructions for general scenarios, but does not cover all use cases of all product
models. The examples given may differ from your use case due to differences in software
versions, models, and configuration files. When configuring your device, alter the
configuration depending on your use case.
The specifications provided in this document are tested in a lab environment (for example, a
certain type of card has been installed on the tested device or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
AP Version Support
The following table describes the mapping relationship between the product and AP software
versions.
Product version | AP version
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
The central AP and RU must have the same version. For example, if the central AP version is
V200R006C20, the RU version must also be V200R006C20.
Contents
5.10.1 Setting the Working Mode for the Central AP's Wired Interface
5.11 Configuring STAs to Go Online
5.11.1 Configuring a Radio
5.11.1.1 Configuring Basic Radio Parameters
5.11.1.2 Creating a Radio Profile
5.11.1.3 (Optional) Configuring Smooth Channel Switching
5.11.1.4 (Optional) Adjusting Radio Parameters
5.11.1.5 Binding a Radio Profile
5.11.1.6 Verifying the Radio Configuration
5.11.2 Configuring a VAP
5.11.2.1 Creating a VAP Profile
5.11.2.2 Configuring a Data Forwarding Mode
5.11.2.3 Configuring Service VLANs
5.11.2.4 (Optional) Configuring the VAP Type
5.11.2.5 (Optional) Configuring the Scheduled VAP Auto-Off Function
5.11.2.6 (Optional) Configuring MU-MIMO
5.11.2.7 (Optional) Configuring the Device to Forcibly Disconnect STAs Without Traffic
5.11.2.8 (Optional) Adjusting VAP Parameters
5.11.2.9 Configuring a Security Profile
5.11.2.10 Configuring an SSID Profile
5.11.2.11 Binding VAP Profiles
5.11.2.12 Verifying the VAP, Security, and SSID Profile Configuration
5.11.3 (Optional) Configuring the STA Offline Delay Function
5.11.4 Checking the STA Online Result
5.12 Configuring STAs to Go Online (Agile Distributed WLAN)
5.13 Maintaining Basic WLAN Services
5.13.1 Checking Wireless Link Quality Between an AP and a STA
5.13.2 Checking Connectivity Between an AP and a Network Device
5.13.3 Checking AP Running Statistics
5.13.4 Checking AP Online Failure and Offline Records
5.13.5 Clearing AP Online Failure and Offline Records
5.13.6 Clearing the List of Unauthorized APs
5.13.7 Checking STA Running Statistics
5.13.8 Checking STA Online Failure and Offline Records
5.13.9 Clearing STA Online Failure and Offline Records
5.13.10 Enabling the Function of Recording Successful STA Associations in the Log
5.14 Configuration Examples for WLAN Services
5.14.1 Example for Configuring WLAN Services on a Small-Scale Network
5.14.2 Example for Configuring WLAN Services on a Medium-Scale Network
5.14.3 Example for Configuring WLAN Services on a Large-Scale Network
5.14.4 Example for Configuring Seamless Channel Switching
5.14.5 Example for Configuring an Agile Distributed WLAN
8 Spectrum Analysis
8.1 Overview of Spectrum Analysis
8.2 Understanding Spectrum Analysis
8.3 Application Scenarios for Spectrum Analysis
8.4 Licensing Requirements and Limitations for Spectrum Analysis
8.5 Default Settings for Spectrum Analysis
8.6 Configuring Spectrum Analysis
8.6.1 Configuring Spectrum Analysis on an AC
8.6.2 Checking Spectrum Graphs
8.7 Maintaining Spectrum Analysis
8.7.1 Checking Information About Non-Wi-Fi Devices on an AC
8.7.2 Clearing Information About Non-Wi-Fi Devices on an AC
8.8 Configuration Examples for Spectrum Analysis
8.8.1 Example for Configuring Spectrum Analysis
26.3 Implementation Precautions for the Education IoT Solution - Student Health and Safety
26.4 Software and Hardware Installation for the Education IoT Solution - Student Health and Safety
26.5 Configuration Guide for the Education IoT Solution - Student Health and Safety
26.5.1 Configuring Network Interworking
26.5.2 Configuring APs to Go Online
26.5.3 Configuring the Wireless Coverage Service
26.5.4 Configuring APs to Communicate with the Host Computer
26.5.5 Example for Configuring the Education IoT Solution - Student Health and Safety
30 Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.1 Overview of the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.2 Understanding the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.3 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.4 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.5 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.5.1 Configuring Network Interworking
30.5.2 Configuring APs to Go Online
30.5.3 Configuring the Hotspot Service
30.5.4 Configuring Customer Flow Analysis
30.5.5 Configuring Servers
30.5.6 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
32.5.6 Example for Configuring the Personnel and Asset Management IoT Solution
Feature | S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E | S2720EI, S2750EI | S5700LI, S5700S-LI, S5710-X-LI | S5720LI, S5720S-LI | S5720SI, S5720I-SI, S5720S-SI, S5730SI, S5730S-EI | S5720EI, S5720HI, S5730HI | S6720LI, S6720S-LI | S6720SI, S6720S-SI | S6720EI, S6720S-EI, S6720HI
Basic WLAN services (AP online, STA online) | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Radio resource management | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Spectrum Analysis | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Roaming | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
WLAN QoS | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
WLAN security | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
WDS | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Mesh | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Vehicle-ground fast link handover | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Tag Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Terminal Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Bluetooth Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
IoT AP | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Air Interface Performance | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Dual-link backup | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
N+1 backup | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
Hotspot 2.0 | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI
NOTE
The central AP and RU must use the same version. For example, if the AD9430DN-24 version is
V200R006C20, the R240D version must also be V200R006C20.
AP Version AP Model
NOTE
WDS and Mesh are not supported by the AP6310SN-GN, AP7030DE, AP2010DN, AP2030DN, AP9330DN,
AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, R250D, R250D-E, AP2050DN,
AP2050DN-E, AP2051DN, AP2051DN-E, R251D, and R251D-E.
Enable LLDP globally. After LLDP is enabled globally, the LLDP function is enabled on all
ports by default.
<HUAWEI> system-view
[HUAWEI] lldp enable
Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for management
packets and service data packets.
• Management VLAN: transmits packets that are forwarded through CAPWAP tunnels,
including management packets and service data packets forwarded through CAPWAP
tunnels.
• It is recommended that you use different VLANs for the management VLAN and service VLAN.
• You are not advised to use VLAN 1 as the management VLAN or service VLAN.
• In tunnel forwarding mode, the management VLAN and service VLAN must be different. The network
between the AC and AP can only permit packets with management VLAN tags to pass through, and
cannot permit packets with service VLAN tags to pass through.
• When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface allows
packets from all VLANs but no VLAN is created by default. VLANs are automatically created or deleted
based on the VLAN list on the connected RU.
The following describes the forwarding process of management and service data packets.
Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and VLAN s'
represent service VLANs.
• When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
• When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.
• Figure 3-1 shows the process of forwarding management packets through CAPWAP
tunnels.
In Figure 3-1:
– In the uplink direction (from the AP to the AC): When receiving management
packets, the AP encapsulates the packets in CAPWAP packets. The switch tags the
packets with VLAN m. The AC decapsulates the CAPWAP packets and removes
the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and
tags them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
• Figure 3-2 shows the process of directly forwarding service data packets.
[Figure 3-2: direct forwarding of service data packets. Labels: STA, Internet, 802.11, Payload, Data packet]
In Figure 3-2, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and forwards the packets
to the destination.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by
upstream devices), the AP converts the 802.3 packets into 802.11 packets and
forwards them to the STA.
• Figure 3-3 shows the process of forwarding service data packets through CAPWAP
tunnels.
[Figure 3-3: forwarding of service data packets through CAPWAP tunnels. Labels: STA, Internet, 802.11, Payload]
In Figure 3-3, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and encapsulates them in
CAPWAP packets. The upstream switch tags the packets with VLAN m. The AC
decapsulates the CAPWAP packets and removes the tag VLAN m' from the
packets.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets reach the AC, the AC encapsulates the packets in CAPWAP packets,
allows the packets carrying VLAN s to pass through, and tags the packets with
VLAN m'. The switch removes VLAN m from the packets. The AP decapsulates
the CAPWAP packets, removes VLAN s, converts the 802.3 packets into 802.11
packets, and forwards them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets.
The intermediate devices between the AC and AP can only transparently transmit
packets carrying VLAN m and cannot be configured with VLAN s encapsulated in the
CAPWAP packets.
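The tag handling described above decides which VLANs the devices between the AP and the AC must permit. The following Python model is an added example, not taken from the guide: it covers the uplink direction in the Layer 2 case (VLAN m equals VLAN m', VLAN s equals VLAN s'), and the function names, VLAN IDs and the frame representation are assumptions made for illustration.

```python
# Added example: which VLAN tag is visible on the AP-to-AC path in direct and
# tunnel forwarding. A frame is a tuple of layers, outermost first:
#   ("vlan", id)       an 802.1Q tag
#   ("capwap",)        CAPWAP encapsulation
#   ("802.3", payload) the STA frame after 802.11-to-802.3 conversion


def ap_uplink(mode, service_vlan, payload):
    """Frame the AP emits for one STA packet."""
    inner = (("vlan", service_vlan), ("802.3", payload))
    if mode == "direct":
        return inner                       # VLAN s is the outer tag on the wire
    if mode == "tunnel":
        return (("capwap",),) + inner      # VLAN s is hidden inside the tunnel
    raise ValueError("mode must be 'direct' or 'tunnel'")


def access_switch(frame, mgmt_vlan):
    """The switch tags CAPWAP traffic from the AP with management VLAN m."""
    if frame[0][0] == "capwap":
        return (("vlan", mgmt_vlan),) + frame
    return frame


def outer_vlan(frame):
    return frame[0][1] if frame[0][0] == "vlan" else None


def trunk_permits(frame, allowed_vlans):
    """Intermediate devices forward on the outer tag only."""
    return outer_vlan(frame) in allowed_vlans


def ac_receive(frame, mgmt_vlan):
    """The AC removes VLAN m and decapsulates CAPWAP, exposing VLAN s."""
    if frame[:2] != (("vlan", mgmt_vlan), ("capwap",)):
        raise ValueError("not a CAPWAP frame in the management VLAN")
    return frame[2:]


def trace_uplink(mode, mgmt_vlan, service_vlan, trunk_allowed, payload=b"data"):
    """Follow one STA packet from the AP across the intermediate trunk."""
    frame = access_switch(ap_uplink(mode, service_vlan, payload), mgmt_vlan)
    result = {"outer_vlan": outer_vlan(frame),
              "delivered": trunk_permits(frame, trunk_allowed),
              "at_ac": None}
    if result["delivered"] and mode == "tunnel":
        result["at_ac"] = ac_receive(frame, mgmt_vlan)
    return result


def check_vlan_plan(mode, mgmt_vlan, service_vlan):
    """Apply the VLAN planning notes from the text to one plan."""
    issues = []
    if 1 in (mgmt_vlan, service_vlan):
        issues.append("VLAN 1 should not be the management or service VLAN")
    if mgmt_vlan == service_vlan:
        issues.append(
            "tunnel forwarding requires different management and service VLANs"
            if mode == "tunnel"
            else "separate management and service VLANs are recommended")
    return issues


if __name__ == "__main__":
    # Constructed plan: management VLAN 100, service VLAN 101,
    # intermediate trunk permits VLAN 100 only.
    for mode in ("tunnel", "direct"):
        print(mode, trace_uplink(mode, 100, 101, {100}))
```

With the trunk limited to the management VLAN, the tunnel-mode packet reaches the AC while the direct-mode packet is dropped, which is why direct forwarding needs the service VLAN permitted along the path.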
When the STP topology changes, the device sends Topology Change (TC) packets to instruct
other devices to update their forwarding tables. If network flapping occurs, the devices will
receive a large number of TC packets in a short period of time, and update MAC address or
ARP entries frequently. As a result, the devices are heavily burdened, threatening network
stability.
The STP TC protection function is enabled by default. After enabling the TC protection
function, you can set the number of times a switching device processes TC packets within a
given time. If the number of TC packets received by the switching device within the given
time exceeds the specified threshold, the switching device processes TC packets only for the
specified number of times. For the TC packets exceeding the threshold, the switching device
processes them together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, and therefore relieved from the
ensuing burdens.
# If you need to understand how the switching device processes TC packets, enable the TC
protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection
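The effect of the TC protection threshold can be seen by counting table flushes during a burst of TC packets. The following Python simulation is an added example, not from the guide: the interval and threshold values are constructed, and aligning the protection timer to fixed windows starting at time 0 is a simplifying assumption.

```python
# Added example: how many times MAC/ARP entries are flushed when TC protection
# limits processing to `threshold` TC packets per `interval_ms`.
# Assumption: the timer runs in fixed windows aligned at t = 0.


def tc_protection(arrivals_ms, interval_ms, threshold):
    """Return (flush_times, deferred).

    flush_times: times (ms) at which the device processes TC packets.
    deferred:    window start time -> number of TC packets held back and
                 processed together when the timer expires.
    """
    windows = {}
    for t in sorted(arrivals_ms):
        windows.setdefault(t // interval_ms, []).append(t)

    flushes, deferred = [], {}
    for idx in sorted(windows):
        times = windows[idx]
        flushes.extend(times[:threshold])            # processed on arrival
        extra = len(times) - threshold
        if extra > 0:
            flushes.append((idx + 1) * interval_ms)  # the rest, once, at expiry
            deferred[idx * interval_ms] = extra
    return flushes, deferred


def flapping_windows(deferred, min_deferred=1):
    """Windows in which the threshold was exceeded, for review alongside alarms."""
    return sorted(start for start, n in deferred.items() if n >= min_deferred)


# Constructed input: a flapping link produces one TC packet every 100 ms for 6 s.
FLAPPING = list(range(0, 6000, 100))
# Constructed input: two isolated topology changes.
QUIET = [0, 45000]

if __name__ == "__main__":
    flushes, deferred = tc_protection(FLAPPING, interval_ms=2000, threshold=3)
    print("TC packets received:", len(FLAPPING))
    print("table flushes with protection:", len(flushes))
    print("windows over threshold:", flapping_windows(deferred))
```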
To prevent this situation, you can disable ARP tables from responding to TC packets. In this
way, ARP entries of network devices on the network are not aged out or deleted even if the
network topology changes. In addition, you can enable MAC address-triggered ARP entry
update to prevent user service interruption even if ARP entries are not updated in a timely
manner.
# Disable the device from aging out or deleting ARP entries upon network topology changes.
<HUAWEI> system-view
[HUAWEI] arp topology-change disable
# Configure traffic profile traffic1 and Layer 2 wireless user isolation in the profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name traffic1
[HUAWEI-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y
To address the preceding problem, enable optimized ARP reply, which improves the switch's
capability of defending against ARP flood attacks. After this function is enabled, the stack
performs the following operations:
• When receiving an ARP Request packet of which the destination IP address is the local
interface address, the switch where the interface is located directly returns an ARP Reply
packet.
• When a stack system receives an ARP Request packet of which the destination IP
address is not the local interface address and intra-VLAN proxy ARP is enabled on the
master switch, the switch where the interface is located checks whether the ARP Request
packet meets the proxy condition. If so, the switch returns an ARP Reply packet. If not,
the switch discards the packet.
NOTE
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does not take
effect.
By default, the optimized ARP reply function is enabled. After a device receives an ARP
Request packet, the device checks whether an ARP entry corresponding to the source IP
address of the ARP Request packet exists.
• If the corresponding ARP entry exists, the stack performs optimized ARP reply to this
ARP Request packet.
• If the corresponding ARP entry does not exist, the stack does not perform optimized
ARP reply to this ARP Request packet.
Optimized ARP reply enabled globally or on a specified VLANIF does not take effect if any
of the following commands is executed:
• arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-collision
function.
• arp ip-conflict-detect enable: enables IP address conflict detection.
• arp anti-attack check user-bind enable: enables dynamic ARP inspection.
• dhcp snooping arp security enable: enables egress ARP inspection.
• arp over-vpls enable: enables ARP proxy on the device located on a VPLS network.
Reliability Configuration
ACs use iStack technology for networking, and access switches are connected to different
members in the iStack through Eth-Trunks. If one AC is faulty, the network can be restored
rapidly.
PM is a technology used to collect and measure various system performance indicators. The
following uses the collection interval of 30 minutes as an example.
<HUAWEI> system-view
[HUAWEI] pm
[HUAWEI-pm] statistics-task task1
[HUAWEI-pm-statistics-task1] sample-interval 30
PM technology periodically collects system data and consumes system resources. If eSight is
not deployed, it is recommended that PM be disabled.
If STAs of multiple types exist, you can configure different authentication and encryption
modes. Hybrid encryption is recommended.
In wireless city scenarios, you are advised to reduce the association aging time of STAs. One
minute is recommended.
# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
Reporting Information about STA Traffic and Online Duration on APs Is Not Recommended
You can enable an AC to report information about STA traffic and online duration on APs to
eSight. After this function is enabled, the AC collects and reports the information to eSight
through Syslog when STAs get offline or roam within the AC, which facilitates data query on
eSight.
# Disable the AC from reporting information about STA traffic and online duration on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable
l Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled on an AP
by default. The rate thresholds for ARP, ND, and IGMP flood attack detection are 5 pps,
16 pps, and 4 pps, respectively. You are not advised to change the default values. When
service traffic is heavy on a network, the values can be increased properly. However, it is
recommended that the values be increased by no more than 100%.
# Set the rate threshold for ARP flood attack detection to 10 pps. (This function is
supported only by V200R010.)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10
l Data traffic limiting: The rate limit of upstream and downstream packets for each STA or
all STAs associated with a VAP is configured in a traffic profile on an AP.
# Set the rate limit of upstream packets to 1 Mbit/s for each STA associated with the
VAP that has the traffic profile p1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name p1
[HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024
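The following added example (not Huawei code) audits a saved configuration against two pieces of guidance from this section: the list of commands that stop optimized ARP reply from taking effect, and the advice not to raise the ARP, ND, and IGMP flood detection thresholds by more than 100%. The configuration text is constructed, its indented layout is an assumption, and the nd-flood and igmp-flood command names are assumed by analogy with the arp-flood command shown above.

```python
import re

# Defaults stated on this page, in pps. The nd-flood and igmp-flood command
# names are assumed by analogy with the arp-flood command the page shows.
DEFAULT_PPS = {"arp-flood": 5, "nd-flood": 16, "igmp-flood": 4}
PROFILE_RE = re.compile(r"^vap-profile name (\S+)$")
THRESHOLD_RE = re.compile(
    r"^anti-attack (arp-flood|nd-flood|igmp-flood) sta-rate-threshold (\d+)$")

# Commands that, per this page, stop optimized ARP reply from taking effect.
ARP_REPLY_BLOCKERS = (
    "arp anti-attack gateway-duplicate enable",
    "arp ip-conflict-detect enable",
    "arp anti-attack check user-bind enable",
    "dhcp snooping arp security enable",
    "arp over-vpls enable",
)


def classify(kind, pps):
    """Compare a configured threshold with the page's default and 100% ceiling."""
    default = DEFAULT_PPS[kind]
    if pps == default:
        return "default"
    if pps < default:
        return "below-default"
    return "raised" if pps <= 2 * default else "exceeds-100-percent"


def audit(config_text):
    """Return flood thresholds per VAP profile and any ARP-reply blockers."""
    thresholds, blockers = [], []
    profile, profile_indent = None, -1
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        match = PROFILE_RE.match(line)
        if match:
            profile, profile_indent = match.group(1), indent
            continue
        if indent <= profile_indent:
            profile, profile_indent = None, -1   # left the VAP profile view
        if line in ARP_REPLY_BLOCKERS:           # "undo ..." lines do not match
            blockers.append((lineno, line))
        match = THRESHOLD_RE.match(line)
        if match and profile is not None:
            kind, pps = match.group(1), int(match.group(2))
            thresholds.append((profile, kind, pps, classify(kind, pps)))
    return {"thresholds": thresholds,
            "arp_reply_blockers": blockers,
            "optimized_arp_reply_effective": not blockers}


# Constructed configuration excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
#
arp ip-conflict-detect enable
#
wlan
 vap-profile name profile1
  anti-attack arp-flood sta-rate-threshold 10
 vap-profile name guest
  anti-attack arp-flood sta-rate-threshold 30
  anti-attack igmp-flood sta-rate-threshold 2
 ssid-profile name ssid1
  association-timeout 1
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for lineno, command in report["arp_reply_blockers"]:
        print("line %d: '%s' stops optimized ARP reply" % (lineno, command))
    for profile, kind, pps, status in report["thresholds"]:
        print("%s: %s threshold %d pps is %s" % (profile, kind, pps, status))
```

A threshold of exactly twice the default, such as the 10 pps ARP value configured above, is reported as raised rather than as exceeding the guidance.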
Different suggestions are provided for X series cards and non-X series cards of ACs.
l The user-level rate limiting function is recommended for X series cards and is enabled
by default. Supported packet types include ARP Request, ARP Reply, ND, DHCP
Request, DHCPv6 Request, and 802.1X. By default, the user-level rate limit is 10 pps.
You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20
l The attack source tracing function is recommended for non-X series cards and is enabled
by default. If the number of protocol packets of normal services exceeds the specified
checking threshold and an attack source punishment action is configured, the attack
source tracing function may affect these normal services. You can attempt to disable the
attack source tracing function or disable this function for corresponding protocols to
restore the services.
# Configure the device to discard packets from the identified source every 10 seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired
[Figure legend: 1 = channel; 2.412 = center frequency (GHz)]
Frequent radio calibration degrades AC performance. Because radio signals are centralized in
high-density stadiums, radio calibration is triggered frequently to prevent signal overlapping
and interference. Therefore, it is recommended that radio calibration be disabled in high-
density stadiums, and manual or scheduled calibration be used.
[Figure: channel assignments (channels 1, 6, and 11) for AP1, AP2, AP3, and AP4]
# Set the radio calibration mode to schedule and set the time for scheduled radio calibration
to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00
Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and usually associate with
the 2.4 GHz frequency band by default when connecting to the Internet through APs. To
associate STAs with the 5 GHz frequency band, you need to manually select the 5 GHz
frequency band. The band steering function addresses this issue.
After the band steering function is enabled for a specified SSID on the AC, the AP
preferentially associates the STAs connected to the SSID with the 5 GHz frequency band.
After the 5 GHz frequency band is fully loaded, the AP steers the STAs to the 2.4 GHz
frequency band.
If both radios of an AP use the same VAP profile, the band steering function takes effect on
both the radios as long as the function is enabled for an SSID on one radio of the AP. For
example, if the band steering function is enabled for the SSID huawei on the 2.4 GHz radio
but not on the 5 GHz radio, the AP preferentially steers STAs associated with the SSID to the
5 GHz radio.
The band steering function is enabled by default. Single-radio APs do not support the band
steering function.
before sending data each time, RTS frames consume high channel bandwidth. In high-density
indoor scenarios of universities, you are advised to use the RTS/CTS mode.
# Set the RTS-CTS operation mode to rts-cts in a radio profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-2g-prof-default] quit
[HUAWEI-wlan-view] radio-5g-profile name default
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-5g-prof-default] quit
# Enable the function of disconnecting weak-signal STAs (V200R011C10 and later versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] undo smart-roam quick-kickoff-threshold disable
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20
[Figure: WLAN profiles, including SSID profile*, Security profile*, Location profile, BLE profile, WDS profile*, and WDS whitelist profile]
WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.
NOTE
l If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
group or AP.
l Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
Configurations in other WLAN profiles are automatically delivered to APs.
For example, to configure air interface scan parameters, you can configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 4-1. The configurations of air interface scan parameters
are automatically delivered to APs and take effect. If referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are automatically
delivered to APs.
[Figure: configuration flowchart with the labels: configure system parameters for the AC; configure a country code (in a regulatory domain profile); configure the AC's source interface; configure the AC to manage Fit APs; set the AP authentication mode and configure APs to go online; configure the AC to deliver WLAN services to Fit APs; configure basic radio parameters (on radios); bind; AP or AP group]
However, APs may have different configurations. These configurations cannot be performed
uniformly but can be performed directly on each AP.
Each AP must and can only join one AP group when going online. If an AP obtains both AP
group and specific configurations from an AC, the AP specific configurations are
preferentially used.
l If no configuration is available on an AP, the AP uses the configurations in the AP
group.
l If configurations are available on the AP, the AP uses the configurations preferentially.
However, if the configurations are incomplete, the AP obtains the configurations that do
not exist on itself from the AP group.
l Performance of APs in an AP group may vary according to the model. If the unified
configuration delivered to the AP group is not supported by an AP in the group, the
configuration does not take effect for this AP.
As shown in Figure 4-3, the AP with ID 1 does not find any configurations on itself;
therefore, the AP uses all WLAN configurations in the AP group a to which it belongs.
[Figure 4-3: AP group name: a. AP ID: 1; name of the AP group to which it belongs: a]
As shown in Figure 4-4, the AP with ID 101 finds configurations on itself so the AP
preferentially uses the configurations. Since there is only regulatory domain profile
configuration on the AP, the AP acquires other configurations in AP group a to which it
belongs, for example, VAP profile, AP system profile, and other profiles shown in the
following figure.
[Figure 4-4: AP ID: 101; name of the AP group to which it belongs: a]
The air scan profile is used for radio calibration and Wireless Intrusion Detection System
(WIDS) data analysis. An AP periodically scans surrounding radio signals and reports the
collected information to an AC or server.
l Radio calibration
An authorized AP scans surrounding radio signals, collects information about
surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
information to an AC.
For the detailed configuration, see 7.7 Configuring Radio Calibration.
l WIDS data analysis
A monitor AP scans channels to monitor neighboring wireless devices, collects
information about them by listening to the WLAN packets that they send, and
periodically reports the collected information to an AC. The AC then uses the
information to identify rogue devices.
For the detailed configuration, see .
The air scan profile takes effect only after it is referenced by the radio profile.
NAC implements access control on users. To facilitate NAC function configuration, the
device uses authentication profiles to uniformly manage NAC configuration. You can
configure parameters in an authentication profile to provide different access control modes for
users. For example, you can configure the access profile bound to the authentication profile to
determine the authentication mode for the authentication profile. The device then uses the
authentication mode to authenticate users on the interface or VAP profile to which the
authentication profile is applied.
For the configuration, see Configuring an Authentication Profile.
l Traffic optimization
On a WLAN, a large number of wireless packets need to be forwarded, which may easily
cause network congestion and degrade network performance. WLAN traffic optimization
measures, such as traffic limit and multicast optimization, can be taken to adjust network
traffic in real time, significantly reducing impact of burst data on the network and
improving network performance.
For details, see 21 WLAN Traffic Optimization Configuration.
l ACL-based packet filtering
You can configure ACL-based packet filtering to enable a device to permit or deny
packets matching ACL rules to control network traffic.
For details, see 10.7.5 Configuring ACL-based Packet Filtering.
l ACL-based packet priority re-marking
You can configure ACL-based priority re-marking to re-mark the priorities of packets
matching ACL rules, implementing differentiated services for wireless packets.
For details, see 10.7.6 Configuring ACL-based Priority Remarking.
For the detailed configuration, see 13.4.1 Configuring a STA Whitelist Profile in the
Configuration-User Access and Authentication Configuration Guide.
The parameters include the IP address and port number of a spectrum server and aging
time of information about non-Wi-Fi devices on an AC during spectrum analysis. For
details, see 8.6.1 Configuring Spectrum Analysis on an AC.
Detection and Containment and 11.7 Configuring Attack Detection and a Dynamic
Blacklist.
For the detailed configuration, see 11.6.5 (Optional) Configuring Fuzzy Matching Rules
for Identifying Spoofing SSIDs.
For the detailed configuration, see 11.6.6 (Optional) Configuring a WIDS Whitelist in the
Configuration-WLAN Security Configuration Guide.
When configuring WDS services, use the WDS profile with the following profiles:
l Security profile: After a security profile is bound to a WDS profile, parameters in the
security profile will be used for WDS link setup to ensure security of WDS links. The
WPA2+PSK+AES security policy is recommended for a WDS security profile.
l WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. In the WDS, only APs with radios working in root mode and middle
mode can have a whitelist configured. APs in leaf mode require no whitelist.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.
l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
For details, see 25.5.4 Configuring Parameters for APs to Communicate with the Host
Computer in the Configuration - Healthcare IoT Solution.
The server to which APs report information is called WMI server. You can set parameters for
APs to report KPI information to the WMI server in the WMI profile.
For details, see 6.11 Configuring APs to Report KPIs in the AP Management Configuration
Guide.
Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.
For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name a
[HUAWEI-wlan-vap-prof-a] copy-from b
NOTE
l You can perform this operation only between profiles of the same type. For example, you can copy the
configurations in a VAP profile to another VAP profile, but not to a radio profile.
l If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.
802.11 was originally a wireless LAN communications standard defined by the Institute of
Electrical and Electronics Engineers (IEEE) in 1997. The IEEE then made amendments to the
standard, forming the 802.11 family, including 802.11, 802.11a, 802.11b, 802.11e, 802.11g,
802.11i, 802.11n and 802.11ac.
Purpose
WLAN technology allows you to easily access a wireless network and move around within
the coverage of the wireless network. Wired LANs use wired cables or optical fibers as
transmission media, which are expensive and have fixed locations. As further emphasis was
placed on network mobility, wired LANs were unable to meet users' requirements. This led to
the development of WLAN, which has become the most cost-efficient and convenient
network access mode.
Benefits
l High network mobility: WLANs are easily connected, and are not limited by cable and
port positions. This makes WLANs great for scenarios where users are often moving,
such as office buildings, airport halls, resorts, hotels, stadiums, and cafes.
l Flexible network deployment: WLANs provide wireless network coverage in places
where cables are difficult to deploy, such as subways and highways. WLANs reduce the
number of required cables, offer low-cost, easy deployment, and have high scalability.
l Station (STA): a terminal that supports 802.11 standards. For example, a PC that has a
wireless network interface card (NIC) or a mobile phone that supports WLAN, as shown
in Figure 5-1.
[Figure 5-1: networking diagram with the labels STA, Fit AP, AP, AC, CAPWAP, RU, and central AP]
l Access controller (AC): a device that controls and manages all of the access points (APs)
on a WLAN in the centralized architecture. For example, an AC can connect to an
authentication server to authenticate STAs, as shown in Figure 5-1.
l Access point (AP): a device that provides 802.11-compliant wireless access for STAs.
APs connect wired networks to wireless networks.
– Fit AP: an AP that provides wireless access for STAs in the Fit AP architecture. A
Fit AP provides only reliable, high-performance wireless connections and depends
on an AC to provide other functions, as shown in Figure 5-1.
– Central AP: an AP that takes over some of an AC's work in the agile distributed
architecture to perform central management and collaboration of remote units
(RUs), such as STA going online, configuration delivery, and STA roaming between
RUs.
– Remote unit (RU): a remote radio module for a central AP in the agile distributed
architecture. An RU receives and sends 802.11 packets through the air interface, as
shown in Figure 5-1.
l Radio signal: a high-frequency electromagnetic wave that has long-distance transmission
capabilities. Radio signals provide transmission media for 802.11-compliant WLANs.
Radio signals described in this document are electromagnetic waves in the 2.4 GHz or 5
GHz frequency band.
l Control And Provisioning of Wireless Access Points (CAPWAP): an encapsulation and
transmission mechanism defined in RFC 5415. CAPWAP implements communication
between APs and ACs, as shown in Figure 5-1.
l Virtual access point (VAP): a WLAN service entity on an AP. You can create different
VAPs on an AP to provide wireless access service for different user groups.
l Service set identifier (SSID): a unique identifier that identifies a wireless network. When
you search for available wireless networks on your laptop, SSIDs are displayed to
identify the available wireless networks.
SSIDs are classified into two types:
– Basic service set identifier (BSSID): the link-layer MAC address of a VAP on an
AP. Figure 5-2 shows the relationship between VAP and BSSID.
[Figure 5-2: relationship between VAP and BSSID on one AP]
VAP1: SSID: guest, BSSID: 0025.9e45.24a0 (STA1: "I join the guest network")
VAP2: SSID: internal, BSSID: 0025.9e45.24a9 (STA2: "I join the internal network")
– Extended service set identifier (ESSID): a chosen identifier for one or a group of
wireless networks. For example, in Figure 5-2, SSID guest identifies one wireless
network, and SSID internal identifies another wireless network. A STA scans all
wireless networks and selects a wireless network based on the SSID. In general
terms, an SSID refers to an ESSID.
NOTE
Multiple APs can use one ESSID to provide roaming service for users; however, their
BSSIDs must be unique because the MAC address of each AP is unique.
l Basic service set (BSS): an area covered by an AP. STAs in a BSS can communicate
with each other.
l Extended service set (ESS): a group of BSSs that share the same SSID.
Figure 5-3 shows the relationship between SSID, BSSID, BSS, and ESS.
[Figure 5-3: one ESS containing two BSSs]
AP1: BSSID: 0025.9e45.24a0, SSID="huawei"
AP2: BSSID: 0025.9e45.3100, SSID="huawei"
Introduction to 802.11
Figure 5-4 illustrates the role of 802.11 standards within the IEEE 802 standard family,
involving the physical layer and data link layer.
Figure 5-4 Role of 802.11 standards within the IEEE 802 standard family
l Physical Layer
The different 802.11 standards use different physical layer technologies, including
frequency hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS),
orthogonal frequency division multiplexing (OFDM), and multiple-input multiple-output
(MIMO). These physical layer technologies support different frequency bands and
transmission rates, as detailed in Table 5-1.
[Figure: 802.11 MAC frame format]
MAC Header
Field               Length
Frame Control       2 bytes
Duration/ID         2 bytes
Address 1           6 bytes
Address 2           6 bytes
Address 3           6 bytes
Sequence Control    2 bytes
Address 4           6 bytes
QoS Control         2 bytes
Frame Body          0 - 2312 bytes
FCS                 4 bytes

Frame Control sub-fields
Sub-field           Length
Protocol Version    2 bits
Type                2 bits
Subtype             4 bits
To DS               1 bit
From DS             1 bit
More Frag           1 bit
Retry               1 bit
Pwr Mgmt            1 bit
More Data           1 bit
Protected Frame     1 bit
Order               1 bit
An 802.11 MAC frame has a maximum length of 2348 bytes. The following describes the
purpose of each field in an 802.11 MAC frame.
l Frame Control field: includes the following sub-fields:
– Protocol Version: indicates the MAC version of the frame. Currently, only MAC
version 0 is supported.
– Type/Subtype: identifies the frame type, such as data, control, and management
frames.
n Data frame: transmits data packets. Data frames include a special type of frame, the
Null frame. A Null frame has a zero-length frame body. A STA can send a Null
frame to notify an AP of changes in the power-saving state.
NOTE
802.11 supports the power-saving mode, allowing STAs to shut down antennas to save
power when no data is being transmitted.
n Control frame: helps transmit data frames, releases and obtains channels, and
acknowledges received data. Some common control frames include:
○ Acknowledgement (ACK) frame: After receiving a data frame, the
receiving STA will send an ACK frame to the sending STA to confirm the
receipt.
○ Request to Send (RTS) and Clear to Send (CTS) frames: These frames
provide a mechanism to reduce collisions for APs with hidden STAs. A
STA sends an RTS frame before sending data frames. The STA that
receives the RTS frame responds with a CTS frame. This mechanism is
used to release a channel and enable a sending STA to obtain data
transmission media.
n Management frame: manages WLANs. Functions include notifying network
information, adding or removing STAs, and managing radio. Some common
management frames include:
○ Beacon frame: is periodically sent by an AP to announce the WLAN
presence and provide WLAN parameters, such as the SSID, rate, and
authentication type.
○ Association Request/Response frame: A STA sends an Association
Request frame to an AP to request to join a WLAN. After receiving the
Association Request frame, the AP sends an Association Response frame
to the STA to accept or reject the association request.
○ Disassociation frame: is sent from a STA to terminate association with an
AP.
○ Authentication Request/Response frame: is used in link authentication
between a STA and an AP for identity authentication.
○ Deauthentication frame: is sent from a STA to terminate link
authentication with an AP.
○ Probe Request/Response frame: A STA or an AP sends a Probe Request
frame to detect available WLANs. After another STA or AP receives the
Probe Request frame, it needs to reply with a Probe Response frame that
carries all of the parameters specified in a Beacon frame.
– To DS and From DS: indicates whether a data frame is destined for a distribution
system (or an AP). If both fields are set to 1, the data frame is transmitted between
APs.
– More Frag: indicates whether a packet is divided into multiple fragments for
transmission.
– Retry: indicates whether to retransmit a frame. This field helps eliminate duplicate
frames.
– Pwr Mgmt: indicates the desired power management mode of a STA after the
completion of a frame exchange, such as Active or Sleep mode.
– More Data: indicates that an AP transmits buffered packets to a STA in power-
saving mode.
– Protected Frame: indicates whether a frame is encrypted.
– Order: indicates whether a frame is transmitted in order.
l Duration/ID field: provides the following functions according to its values.
– Indicates the duration for which a STA can occupy a channel. This field is used for
CSMA/CA.
– Identifies a MAC frame transmitted during the Contention-Free Period (CFP). The
value of this field is fixed as 32768, indicating that a STA keeps occupying a
channel and other STAs cannot use the channel.
– Specifies the Association ID (AID) of a PS-Poll frame, which identifies the BSS to
which a STA belongs. A STA may work in active or sleep mode. When a STA
works in sleep mode, an AP buffers data frames destined for the STA. When the
STA transitions from the sleep mode to the active mode, the STA sends a PS-Poll
frame to request the buffered data frames. After receiving the PS-Poll frame, the AP
delivers the requested data frames to the STA based on the AID in the PS-Poll
frame.
l Address field: transmits information about MAC addresses. An 802.11 frame can have
up to four address fields. The four address fields vary according to the values of the To
DS/From DS sub-field in the Frame Control field. For example, the values of the four
address fields are different when a frame is sent from a STA to an AP and when a frame
is sent from an AP to a STA. Table 5-2 describes the scenarios and rules for filling in the
four address fields.
[Figure: Internet, AC, AP1, and AP2, with frames labeled (1) To DS=0, From DS=1; (2) To DS=1, From DS=0; (3) To DS=1, From DS=1]
l Sequence Control field: is used to eliminate duplicate frames and reassemble fragments.
It includes two sub-fields:
– Fragment Number: is used to reassemble fragments.
– Sequence Number: is used to eliminate duplicate frames. When a device receives an
802.11 MAC frame, it discards the frame if the Sequence Number field value is the
same as a previous frame.
l QoS Control field: exists only in a data frame to implement 802.11e-compliant WLAN
QoS.
l Frame Body field: transmits payload from higher layers. It is also called the data field. In
802.11 standards, the transmitted payload is also called a MAC service data unit
(MSDU).
l Frame Check Sequence (FCS) field: checks the integrity of received frames. The FCS
field is similar to the cyclic redundancy check (CRC) field in an Ethernet packet.
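The header layout and field meanings described above can be exercised with a short parser. This is an added example, not Huawei code: it decodes Frame Control, Duration/ID, the address fields, and Sequence Control, then applies the duplicate-elimination rule in simplified form. The sample frames are constructed, the function names are this example's own, and the address roles per To DS/From DS value follow the 802.11 standard because Table 5-2 is not reproduced here.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {  # (type, subtype) of the frames named on this page
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (1, 10): "PS-Poll", (1, 11): "RTS",
    (1, 12): "CTS", (1, 13): "ACK", (2, 0): "Data", (2, 4): "Null",
    (2, 8): "QoS Data",
}
# Frame Control bits 8..15, in order.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")
# Meaning of Address 1..4 in data frames, keyed by (To DS, From DS).
DATA_ADDR_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),     # AP to STA
    (1, 0): ("BSSID", "SA", "DA"),     # STA to AP
    (1, 1): ("RA", "TA", "DA", "SA"),  # AP to AP
}
CTRL_ADDR_ROLES = {10: ("BSSID", "TA"), 11: ("RA", "TA"), 12: ("RA",), 13: ("RA",)}

def mac_bytes(text):
    return bytes.fromhex(text.replace("-", ""))

def fmt_mac(raw):
    """6 raw bytes -> the xxxx-xxxx-xxxx form used by the CLI on this page."""
    h = raw.hex()
    return "-".join((h[0:4], h[4:8], h[8:12]))

def parse_mac_header(frame):
    """Decode one 802.11 MAC header. HT Control (802.11n and later) is not handled."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if fc & 0x3 != 0 or ftype not in TYPE_NAMES:
        raise ValueError("unsupported protocol version or frame type")
    hdr = {"type": TYPE_NAMES[ftype],
           "subtype": SUBTYPE_NAMES.get((ftype, subtype), "subtype %d" % subtype)}
    for bit, name in enumerate(FLAGS):
        hdr[name] = bool((fc >> (8 + bit)) & 1)
    # Duration/ID carries the AID in a PS-Poll frame, otherwise a duration.
    if (ftype, subtype) == (1, 10):
        hdr["aid"] = dur_id & 0x3FFF
    else:
        hdr["duration"] = dur_id
    if ftype == 1:      # control: one or two addresses, no Sequence Control
        if subtype not in CTRL_ADDR_ROLES:
            raise ValueError("control subtype not covered by this example")
        roles, has_seq, has_qos = CTRL_ADDR_ROLES[subtype], False, False
    elif ftype == 0:    # management: DA, SA, BSSID
        roles, has_seq, has_qos = DATA_ADDR_ROLES[(0, 0)], True, False
    else:               # data: roles depend on To DS / From DS
        roles = DATA_ADDR_ROLES[(int(hdr["to_ds"]), int(hdr["from_ds"]))]
        has_seq, has_qos = True, bool(subtype & 0x8)
    header_len = 4 + 6 * len(roles) + 2 * has_seq + 2 * has_qos
    if len(frame) < header_len:
        raise ValueError("truncated header: need %d bytes" % header_len)
    offset, hdr["addresses"] = 4, []
    for index, role in enumerate(roles):
        if index == 3:
            offset += 2  # Sequence Control sits between Address 3 and Address 4
        hdr[role] = fmt_mac(frame[offset:offset + 6])
        hdr["addresses"].append(hdr[role])
        offset += 6
    if has_seq:
        (seq_ctl,) = struct.unpack_from("<H", frame, 22)
        hdr["fragment_number"], hdr["sequence_number"] = seq_ctl & 0xF, seq_ctl >> 4
    if has_qos:
        (hdr["qos_control"],) = struct.unpack_from("<H", frame, header_len - 2)
    hdr["header_len"] = header_len
    return hdr

def drop_duplicates(frames):
    """Simplified receiver: drop a retransmission (Retry=1) whose transmitter
    (Address 2), sequence number and fragment number were already seen."""
    seen, kept = set(), []
    for frame in frames:
        hdr = parse_mac_header(frame)
        if "sequence_number" in hdr:
            key = (hdr["addresses"][1], hdr["sequence_number"], hdr["fragment_number"])
            if hdr["retry"] and key in seen:
                continue
            seen.add(key)
        kept.append(hdr)
    return kept

# Constructed sample frames (not captures).
AP, STA, HOST = "0025-9e45-24a0", "000a-000b-000c", "00e0-fc12-3456"
# QoS Data, STA to AP (To DS=1), Protected Frame=1, sequence number 291.
UPLINK = (bytes.fromhex("88412c00") + mac_bytes(AP) + mac_bytes(STA)
          + mac_bytes(HOST) + struct.pack("<H", 291 << 4) + b"\x00\x00payload")
RETRY = UPLINK[:1] + bytes([UPLINK[1] | 0x08]) + UPLINK[2:]  # same frame, Retry=1
ACK = bytes.fromhex("d4000000") + mac_bytes(STA)
```

Calling drop_duplicates([UPLINK, RETRY, ACK]) keeps the original QoS Data frame and the ACK and discards the retransmission.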
Fit AP Architecture
In Fit AP architecture, an AC manages and controls multiple APs (Fit APs) in a centralized
manner, as shown in Figure 5-7.
[Figure 5-7: Fit AP architecture. Labels shown: STA, Fit AP, AP, AC, CAPWAP, RU, central AP, DNS server, DHCP server, NMS, campus network, campus egress gateway, and Internet]
In agile distributed architecture, RUs, central APs, and ACs work together to implement
wireless access.
l The AC implements all security, control, and management functions. These functions
include mobile user management, identity authentication, VLAN assignment, radio
management, and data forwarding.
l RUs are connected to a central AP, and receive and send 802.11 packets through the air
interface. A central AP takes over some of an AC's work to perform central management
and collaboration of RUs, such as STA going online, configuration delivery, and STA
roaming between RUs.
l The AC and central APs, as well as central APs and RUs, communicate using CAPWAP.
For the AD9431DN-24X, in tunnel forwarding mode, RUs set up CAPWAP tunnels with
the AC. The AC and central APs are connected across a Layer 2 or Layer 3 network, and
central APs and RUs are connected across a Layer 2 network.
In centralized architecture, Fit APs need to go online before being managed and controlled by
an AC. AP login includes the following steps:
1. IP Address Allocation
2. CAPWAP Tunnel Establishment
3. AP Access Control
4. AP Software Upgrade
5. CAPWAP Tunnel Maintenance
6. AC Configuration Delivery
IP Address Allocation
An AP obtains an IP address through any of the following modes:
l Static mode: An IP address is manually configured for the AP.
l DHCP mode: The AP functions as a DHCP client and requests an IP address from a
DHCP server.
[Figure: CAPWAP tunnel establishment between the AP and AC: Discovery Request, Discovery Response, DTLS.]
In Discovery phase, the AC determines whether to permit access from an AP based on the Discovery
Request packet that the AP sends and will not respond to Discovery Request packets of APs not
permitted for access. The process is similar to Figure 5-10.
An AP can discover an AC in static or dynamic mode.
– Static mode
An AC IP address list is preconfigured on the AP. When the AP goes online, the AP
unicasts a Discovery Request packet to each AC whose IP address is specified in
the preconfigured AC IP address list. After receiving the Discovery Request packet,
the ACs send Discovery Response packets to the AP. The AP then selects an AC to
establish a CAPWAP tunnel according to the received Discovery Response packets.
– Dynamic mode
An AP can dynamically discover an AC in DHCP, DNS, or broadcast mode. Details
on each of the modes are as follows:
n DHCP mode: An AP obtains the AC IP address through DHCP (by
configuring a DHCP response packet to carry Option 43 containing the AC IP
address list on the DHCP server), and sends a Discovery Request unicast
packet to the AC. The AC then sends a Discovery Response packet to the AP.
n DNS mode: An AP obtains the AC domain name and DNS server IP address
through the DHCP service (by configuring a DHCP response packet to carry
Option 15 containing the AC domain name on the DHCP server), and sends a
request to the DNS server to obtain the IP address corresponding to the AC
For details about the setup of active and standby CAPWAP links, see 22.2 Understanding Dual-Link
Cold Backup.
AP Access Control
The AP sends a Join Request packet to an AC. The AC then determines whether to allow the
AP access and sends a Join Response packet to the AP. The Join Response packet carries the
AP software upgrade mode and AP version information.
Figure 5-10 shows a flowchart depicting the process for AP access control.
[Figure 5-10: AP access control flowchart. Nodes: Start; MAC authentication; Is the AP with the specified MAC address added offline?; Is the AP with the specified SN added offline?; Add the AP to list of unauthenticated APs; Manually confirm the AP (entering the MAC or SN); AP goes online; Prohibit the AP from going online.]
AP Software Upgrade
The AP determines whether its system software version is the same as that specified on the
AC according to parameters in the received Join Response packet. If the two versions are
different, the AP updates its software version in AC, FTP, or SFTP mode.
After the software version is updated, the AP restarts and repeats steps 1 to 3.
The AP and AC exchange Echo (UDP port 5246) packets to monitor the control tunnel
connectivity.
AC Configuration Delivery
The AC sends a Configuration Update Request packet to the AP, which then replies with a
Configuration Update Response packet. The AC then delivers service configuration to the AP.
IP Address Allocation
An RU obtains an IP address in any of the following modes:
l Static mode: An IP address is manually configured for an RU. CAPWAP packets
between the central AP and RUs are forwarded at Layer 2 and are independent of IP
addresses on an agile distributed WLAN. Therefore, the configuration of a static IP
address does not affect the RU going online. Ensure that a route is reachable between the
IP address of the RU and the central AP source address. Otherwise, services involving IP
addresses may be affected, for example, Telnet.
l DHCP mode: An RU functions as a DHCP client and requests an IP address from a
DHCP server.
CAPWAP control tunnel between the AC and central AP associated with the RU and that
between the RU and central AP.
l See 5.2.4 AP Online Process for the process of establishing a CAPWAP control tunnel
between the AC and central AP.
l See Figure 5-11 for the process of establishing a CAPWAP control tunnel between the
central AP and RU.
Figure 5-11 CAPWAP tunnel establishment between the central AP and RUs
[Figure: the RU and central AP exchange Discovery Request and Discovery Response, followed by DTLS.]
In Discovery phase, the central AP determines whether to permit access from an RU based on the
Discovery Request packet that the RU sends and will not respond to Discovery Request packets of RUs
not permitted for access. The process is similar to Figure 5-12.
An RU can discover a central AP in either of the following two modes.
– When no IP address list of central APs is configured on an RU or an RU does not
receive any Discovery Response packet after sending unicast Discovery Request
packets ten consecutive times, the RU will broadcast Discovery Request packets to
automatically discover a central AP in the same network segment and then selects a
central AP to establish a CAPWAP tunnel according to the returned Discovery
Response packets.
– A static IP address list of central APs is preconfigured on an RU. When the RU
goes online, it sends a unicast Discovery Request packet to each central AP whose
IP address is specified in the IP address list. After receiving the Discovery Request
packet, the central APs return Discovery Response packets to the RU. The RU then
selects a central AP to establish a CAPWAP tunnel.
2. The RU establishes a CAPWAP tunnel with a central AP.
CAPWAP tunnels include data tunnels and control tunnels.
– Data tunnel: transmits service data from the RU to an AC for centralized
forwarding.
– Control tunnel: transmits control packets between the RU and central AP or
between the RU and AC. You can choose to enable datagram transport layer
security (DTLS) encryption over the control tunnel to ensure security of CAPWAP
control packets. Subsequently, all CAPWAP control packets will be encrypted and
decrypted through DTLS, ensuring integrity and privacy of the CAPWAP control
packets.
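Because DTLS on the control tunnel is optional, it is worth confirming from a capture that it is actually in use. The following Python sketch is an added example, not code from the Huawei guide: it classifies UDP payloads seen on the control port and reports any control message other than Discovery that travels in cleartext. The header layout and message numbers are taken from RFC 5415 (an assumption about the wire format, which the guide does not describe), and the sample packets are constructed.

```python
import struct

CONTROL_PORT = 5246   # UDP port the guide gives for CAPWAP Echo (control) packets
# Base-protocol control message numbers from RFC 5415 (subset).
MESSAGE_NAMES = {
    1: "Discovery Request", 2: "Discovery Response",
    3: "Join Request", 4: "Join Response",
    7: "Configuration Update Request", 8: "Configuration Update Response",
    13: "Echo Request", 14: "Echo Response",
}
CLEARTEXT_BY_DESIGN = {1, 2}   # discovery happens before the DTLS handshake


def classify(payload: bytes) -> dict:
    """Classify one UDP payload captured on the CAPWAP control port."""
    if len(payload) < 4:
        raise ValueError("too short for a CAPWAP preamble")
    version, kind = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unexpected CAPWAP version {version}")
    if kind == 1:                               # CAPWAP DTLS header: body is a DTLS record
        return {"protected": True, "message": None, "number": None}
    if kind != 0:
        raise ValueError(f"unknown preamble type {kind}")
    header_len = (payload[1] >> 3) * 4          # HLEN is counted in 4-byte words
    if header_len < 8 or len(payload) < header_len:
        raise ValueError("bad CAPWAP header length")
    is_fragment = bool(payload[3] & 0x80)       # F flag
    frag_offset = struct.unpack_from("!H", payload, 6)[0] >> 3
    if is_fragment and frag_offset:             # later fragments carry no control header
        return {"protected": False, "message": "fragment", "number": None}
    if len(payload) < header_len + 8:
        raise ValueError("truncated control header")
    msg_type, _seq, _length, _flags = struct.unpack_from("!IBHB", payload, header_len)
    enterprise, number = msg_type >> 8, msg_type & 0xFF
    if enterprise != 0:
        return {"protected": False, "message": f"vendor {enterprise}/{number}", "number": None}
    return {"protected": False,
            "message": MESSAGE_NAMES.get(number, f"type {number}"),
            "number": number}


def cleartext_findings(payloads):
    """Return (index, message) for every cleartext payload that is not Discovery."""
    findings = []
    for index, payload in enumerate(payloads):
        info = classify(payload)
        if info["protected"] or info["number"] in CLEARTEXT_BY_DESIGN:
            continue
        findings.append((index, info["message"]))
    return findings


def plain_control(number: int, sequence: int) -> bytes:
    """Constructed cleartext control packet: 8-byte header, no message elements."""
    header = bytes([0x00, 2 << 3, 1 << 1, 0x00]) + bytes(4)   # HLEN=2, WBID=1
    return header + struct.pack("!IBHB", number, sequence, 3, 0)


def dtls_wrapped(record: bytes) -> bytes:
    """Constructed protected packet: 4-byte CAPWAP DTLS header plus an opaque record."""
    return bytes([0x01, 0, 0, 0]) + record


# Constructed capture: discovery in the clear, one DTLS record, one cleartext Echo.
SAMPLE = [
    plain_control(1, 0),
    plain_control(2, 0),
    dtls_wrapped(bytes.fromhex("17fefd0001000000000005000400000000")),
    plain_control(13, 7),
]

if __name__ == "__main__":
    for index, message in cleartext_findings(SAMPLE):
        print(f"payload {index}: cleartext {message} on UDP {CONTROL_PORT}")
```

A capture that yields no findings after the Discovery exchange is consistent with DTLS being enabled on the control tunnel.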
RU Access Control
When an RU requests to access the AC, the central AP sends an Authentication Request
packet to the AC. The AC then determines whether to allow the RU access and returns an
Authentication Response packet to the AP. The Authentication Response packet carries the
RU software upgrade mode and RU version.
Figure 5-12 shows a flowchart depicting the process for RU access control.
[Figure 5-12: RU access control flowchart. Nodes: Start; Check the RU authentication mode (non-authentication, SN authentication, MAC authentication); Manually confirm the RU (enter the MAC address or SN); RU goes online; Forbid the RU to go online.]
RU Software Upgrade
The RU determines whether its system software version is the same as that specified on the
AC according to parameters in the received Authentication Response packet.
AC Configuration Delivery
The AC sends a Configuration Update Request packet to the central AP, which then replies
with a Configuration Update Response packet. The AC then delivers service configurations of
RUs to the central AP, and the central AP delivers the service configurations to the RUs.
STAs can access wireless networks after APs are logged in and CAPWAP tunnels are
established. STA access involves the following steps:
l Scanning
l Link authentication
l Association
STA access depends on the number of access users supported by the AC and a single AP.
l If the number of STAs associated with an AP reaches the maximum limit of the AP but
not the maximum limit of the AC, a new STA cannot connect to the current AP.
However, the STA can associate with another AP on the network.
l If the number of STAs associated with an AP reaches the maximum limit of the AC, a
new STA cannot access the WLAN even though the maximum limit of the AP is not
reached.
l If the number of STAs associated with an AP does not reach the maximum limit of the
AP or AC, a new STA can access the WLAN.
Scanning
The STA scanning stage is similar for Fit AP and agile distributed architectures. The only
difference is that STAs scan different objects: APs in Fit AP architecture and RUs in agile
distributed architecture.
Active Scanning
In active scanning, a STA periodically searches for nearby wireless networks. The STA can
send two types of Probe Request frames: probes containing an SSID and probes that do not
contain an SSID.
l Probes containing an SSID: The STA sends a Probe Request frame containing an SSID
in each channel to search for the AP with the same SSID. Only the AP with the same
SSID will respond to the STA. For example, in Figure 5-13, the STA sends a Probe
Request frame containing the SSID huawei to search for an AP with the SSID huawei.
Figure 5-13 Active scanning by sending a Probe Request frame containing an SSID
[Figure: STA and AP1 (SSID=huawei).]
This method applies to the scenario where a STA actively scans wireless networks to
access a specified wireless network.
l Probes that do not contain an SSID: The STA periodically broadcasts a Probe Request
frame that does not contain an SSID in the supported channels as shown in Figure 5-14.
The APs return Probe Response frames to notify the STA of the wireless services they
can provide.
Figure 5-14 Active scanning by sending a Probe Request frame containing no SSID
[Figure: the STA sends Probe Request (SSID=Null) frames to AP1 through APn, and the APs return Probe Response frames.]
This method applies to the scenario where a STA actively scans wireless networks to
determine whether wireless services are available.
Passive Scanning
When passive scanning is enabled, a STA listens on the Beacon frames that an AP
periodically sends in each channel to obtain AP information, as shown in Figure 5-15. A
Beacon frame contains information including the SSID and supported rate.
[Figure 5-15: the AP sends Beacon frames to STA1 and STA2.]
To conserve power, enable the STA to passively scan wireless networks. In most cases, VoIP
terminals passively scan wireless networks.
Link Authentication
The link authentication stage is similar for Fit AP and agile distributed architectures. The only
difference is that different objects authenticate STAs: APs in Fit AP architecture and RUs in
agile distributed architecture.
To ensure wireless link security, an AP needs to authenticate STAs that attempt to access the
AP. IEEE 802.11 defines two authentication modes: open system authentication and shared
key authentication.
l Open system authentication requires no authentication. STAs that attempt to access the
AP are successfully authenticated as long as the AP supports this mode. An illustration
of the open system authentication procedure is shown in Figure 5-16.
[Figure 5-16: open system authentication between the STA and AP: Authentication Request, Authentication Response.]
l Shared key authentication requires that the STA and AP have the same shared key
preconfigured. The AP checks whether the STA has the same shared key to determine
whether the STA can be authenticated. If the STA has the same shared key as the AP, the
STA is authenticated. Otherwise, STA authentication fails. Figure 5-17 shows the shared
key authentication process.
[Figure 5-17: shared key authentication between the STA and AP: 1 Authentication Request; 2 Authentication Response (Challenge); 3 Authentication Response (EncryptedChallenge); 4 Authentication Response (Success).]
Association
Client association is also known as link negotiation. After link authentication is complete, a
STA initiates link negotiation using Association packets, as shown in Figure 5-18 in Fit AP
architecture and Figure 5-19 and Figure 5-20 in agile distributed architecture.
[Figure: association among the STA, AP and AC: 1 Association Request; 2 Association Request; 3 Association Response; 4 Association Response.]
a. The STA sends an Association Request packet to the AP. The Association Request
packet carries the STA's parameters and the parameters that the STA selects
according to the service configuration, including the transmission rate, channel,
QoS capabilities, access authentication algorithm, and encryption algorithm.
b. The AP receives the Association Request packet, encapsulates the packet into a
CAPWAP packet, and sends the CAPWAP packet to the AC.
c. The AC determines whether to associate with the STA according to the received
Association Request packet and replies with an Association Response packet.
d. The AP decapsulates the received Association Response packet and sends it to the
STA.
[Figure: association among the STA, RU, central AP and AC: 1 Association Request; 2 Association Request; 3 Determine an intra-central AP roaming; 4 Process intra-central AP roaming; 5 Association Response.]
[Figure: association among the STA, RU, central AP and AC: 1 Association Request; 2 Association Request; 3 Determine a non-intra-central AP roaming; 4 Association Request; 5 Association Response.]
After association, the STA determines whether it needs to be authenticated according to the received
Association Response packet:
l If the STA does not need to be authenticated, the STA can access the wireless network.
l If the STA needs to be authenticated, the STA initiates user access authentication. After authentication,
the STA can access the wireless network. For details about user access authentication, see NAC
Configuration in S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - User Access
and Authentication.
Tunnel Forwarding
In tunnel forwarding mode, APs encapsulate service data packets over a CAPWAP data tunnel
and send them to an AC, which then forwards these packets to an upper-layer network, as
shown in Figure 5-21.
[Figure 5-21: tunnel forwarding. Labels: Internet, AC, LAN, AP, STA, CAPWAP tunnel; legend: data packet, control packet.]
Direct Forwarding
In direct forwarding mode, an AP directly forwards service data packets to an upper-layer
network without encapsulating them over a CAPWAP data tunnel, as shown in Figure 5-22.
[Figure 5-22: direct forwarding. Labels: Internet, AC, LAN, AP, STA, CAPWAP tunnel; legend: data packet, control packet.]
[Figure: Internet, AC, LAN, AP, STA, CAPWAP tunnel; legend: control packet, authentication packet.]
Direct forwarding | Service data packets do not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC. | Service data packets cannot be centrally managed or controlled. New device deployment causes large changes to the existing network.
[Figure: Internet, AC, switch, AP, STA, CAPWAP tunnel; legend: data packets, control packets.]
STA information through logs. For Portal or MAC address authentication STAs, after the
broken CAPWAP link is restored, the AP forces all these STAs to go offline and reports
STA information through logs.
NOTE
This function allows all the users who enter the correct key to go online. The STA whitelist and
blacklist configured on the AC do not take effect after the CAPWAP link is broken.
When the function that allows user access after CAPWAP link disconnection is disabled,
STA association and key negotiation are performed between the AC and STA. After this
function is enabled, STA authentication, association, and key negotiation are performed
between the AP and STA. The different processes for association and authentication are
shown in Figure 5-25.
[Figure 5-25: Internet, AC, LAN, AP, STA, CAPWAP tunnel, with packet exchanges ① and ②.]
① Authentication packet exchange before user access permission after
CAPWAP link disconnection is disabled
② Authentication packet exchange before user access permission
after CAPWAP link disconnection is enabled
On an agile distributed WLAN, the service holding or user access permission functions apply
only to scenarios where the CAPWAP link between the AC and central AP is disconnected
but not to scenarios where the CAPWAP link between the central AP and RU is disconnected.
Most of these campus networks use the centralized WLAN architecture (AC+Fit AP) to
facilitate network maintenance and enhance security. Based on the AC deployment mode, two
AC solutions are available: centralized AC solution and distributed AC solution.
Centralized AC Solution
The centralized AC solution deploys independent ACs to manage APs on the network.
Figure 5-26 shows the centralized AC solution on a medium or large campus network.
[Figure 5-26: centralized AC solution. Labels: Internet, campus network, campus egress gateways, NMS, AC, aggregation switches, access switches, APs.]
Distributed AC Solution
The distributed AC solution deploys multiple ACs in different areas to manage APs. This
mode integrates AC functions on an aggregation switch to manage all the APs connected to
the aggregation switch, without using an independent AC.
Figure 5-27 shows the distributed AC solution on a medium or large campus network.
[Figure 5-27: distributed AC solution. Labels: Internet, campus network, campus egress gateways, NMS, ACs, switches, APs.]
To reduce costs, a small-scale campus network does not use dedicated NMS devices or
authentication servers, resulting in low reliability.
A small-scale campus network often uses the centralized AC solution. In Figure 5-28.
[Figure 5-28: small-scale campus network. Labels: Internet, campus network, router (campus egress gateway), AC, AP.]
[Figures: branch and headquarters networks joined by a WAN. Labels: AC, AP, access switch, branch egress gateway, headquarters egress gateway, NMS (manages WLANs in a unified manner).]
[Figure: agile distributed deployment. Labels: staircase, corridor, RU, central AP, PoE switch, AC, network.]
[Figure: enterprise branch and enterprise headquarters joined by a WAN. Labels: Internet, AC, AP, online user.]
In practice, the management VLAN and service VLAN must be configured for management
packets and service data packets.
l Management VLAN: transmits packets that are forwarded through CAPWAP tunnels,
including management packets and service data packets forwarded through CAPWAP
tunnels.
l Service VLAN: transmits service data packets.
NOTE
l It is recommended that you use different VLANs for the management VLAN and service VLAN.
l You are not advised to use VLAN 1 as the management VLAN or service VLAN.
l In tunnel forwarding mode, the management VLAN and service VLAN must be different. The network
between the AC and AP can only permit packets with management VLAN tags to pass through, and
cannot permit packets with service VLAN tags to pass through.
l When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface allows
packets from all VLANs but no VLAN is created by default. VLANs are automatically created or deleted
based on the VLAN list on the connected RU.
The following describes the forwarding process of management and service data packets.
Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and VLAN s'
represent service VLANs.
l When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
l When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.
l Figure 5-33 shows the process of forwarding management packets through CAPWAP
tunnels.
In Figure 5-33:
– In the uplink direction (from the AP to the AC): When receiving management
packets, the AP encapsulates the packets in CAPWAP packets. The switch tags the
packets with VLAN m. The AC decapsulates the CAPWAP packets and removes
the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and
tags them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
l Figure 5-34 shows the process of directly forwarding service data packets.
[Figure 5-34: direct forwarding of service data packets between the STA and the Internet. Labels: 802.11, Payload, data packet.]
In Figure 5-34, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and forwards the packets
to the destination.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by
upstream devices), the AP converts the 802.3 packets into 802.11 packets and
forwards them to the STA.
l Figure 5-35 shows the process of forwarding service data packets through CAPWAP
tunnels.
[Figure 5-35: forwarding of service data packets through CAPWAP tunnels between the STA and the Internet. Labels: 802.11, Payload.]
In Figure 5-35, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and encapsulates them in
CAPWAP packets. The upstream switch tags the packets with VLAN m. The AC
decapsulates the CAPWAP packets and removes the tag VLAN m' from the
packets.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets reach the AC, the AC encapsulates the packets in CAPWAP packets,
allows the packets carrying VLAN s to pass through, and tags the packets with
VLAN m'. The switch removes VLAN m from the packets. The AP decapsulates
the CAPWAP packets, removes VLAN s, converts the 802.3 packets into 802.11
packets, and forwards them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets.
The intermediate devices between the AC and AP can only transparently transmit
packets carrying VLAN m and cannot be configured with VLAN s encapsulated in the
CAPWAP packets.
In WLAN networking, management VLANs and service VLANs must be properly planned.
The following assumes that an AP connects to an AC through a Layer 2 network.
l In Figure 5-36, to implement direct forwarding, ensure that the AP can exchange
management VLAN packets with the AC and exchange service VLAN packets with
upstream devices.
[Figure 5-36: direct forwarding. Labels: Internet, SW2, AC, AP, CAPWAP tunnel; links are marked with VLAN 100 and VLAN 101.]
l In Figure 5-37, to implement tunnel forwarding, ensure that the AP can exchange
management VLAN packets with the AC and the AC can exchange service VLAN
packets with upstream devices.
[Figure 5-37: tunnel forwarding. Labels: Internet, SW2, AC, SW1, AP, CAPWAP tunnel; links are marked with VLAN 100 and VLAN 101.]
l When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00 | V200R007C10, V200R006C20, V200R006C10
V200R009C00 | V200R006C20, V200R006C10
V200R008C00 | V200R005C30, V200R005C20, V200R005C10
V200R007 | V200R005C20, V200R005C10
V200R006 | V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 5-5 Products and minimum version supporting the WLAN service
Series | Product Model | Minimum Version Required
Feature Limitations
Packets transmitted on a WLAN include management packets and service data packets.
l It is recommended that you use different VLANs for the management VLAN and service
VLAN.
l You are not advised to use VLAN 1 as the management VLAN or service VLAN.
l In tunnel forwarding mode, management VLAN and service VLAN must be different.
In actual WLAN networking, management VLANs and service VLANs must be properly
planned. The following example assumes that an AP connects to an AC through a Layer 2
network.
l In direct forwarding mode, ensure that the AP can exchange management VLAN packets
with the AC and exchange service VLAN packets with upstream devices.
l In tunnel forwarding mode, ensure that the AP can exchange management VLAN
packets with the AC and the AC can exchange service VLAN packets with upstream
devices.
Networking restrictions
l In tunnel forwarding mode, the AC and AP do not support IP packet fragmentation.
l In the AC + AP networking, to prevent loops, port flapping, or AP disconnection, do not
use Smart Link, equal-cost routing, or port protection services.
l The AC cannot manage APs through VPNs. That is, the source interface cannot be added
to a VPN.
l APs cannot connect to physical Layer 3 interfaces or subinterfaces on the AC.
l The AC can manage APs and STAs using IPv4 addresses but not IPv6 addresses.
l VXLAN is supported from V200R011C10. The VXLAN service cannot be configured
on the CAPWAP source interface specified for the AC. Otherwise, the AC cannot
manage APs, and APs fail to go online.
The AC and AP exchange CAPWAP packets to communicate with each other. To prevent
CAPWAP packet attacks from affecting normal device communication, you can configure
local attack defense on devices. To configure local attack defense, specify a trusted AP source
address in an ACL rule and then configure a whitelist in the attack defense policy or configure
user-defined flows to limit the rate of specified CAPWAP packets. For details, see Local
Attack Defense Configuration.
In wireless city scenarios, it is recommended that the STA aging time be reduced. The
recommended value is 1 minute.
Each AP must join one, and only one, AP group. An AP group contains configurations shared
by all APs. You can set configurations specific to a single AP in the AP view.
By default, an AP automatically joins the AP group default. The AP group default cannot be
deleted, but you can modify configurations in the default AP group.
By default, an AP group has the following profiles bound: AP system profile default, 2G
radio profile default, 5G radio profile default, regulatory domain profile default, WIDS
profile default, and AP wired port profile default.
Pre-configuration Tasks
Before creating an AP group, perform the task of CLI Login Configuration.
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
After an AP group is created, you need to add APs to the AP group so that the APs can use
configurations in the group. For details, see 5.9.8 Adding APs.
Before configuring APs to go online, perform the task of CLI Login Configuration.
Configuration Procedure
Perform the following steps in the listed order.
You can configure a DHCP server to assign IP addresses to APs and STAs.
A service DHCP address pool and a management DHCP address pool are used to assign IP
addresses to STAs and APs, respectively. The two types of DHCP address pools must be
configured separately.
When the AC and APs are on the same network segment, the APs can discover the AC in
broadcast mode. You do not need to configure Option 43 or DNS. If either of the two methods
is configured to notify the APs of the AC's IP address, the APs will preferentially send unicast
Discovery Request packets to this IP address. If the APs do not receive any Discovery
Response packet after sending the unicast packets 10 consecutive times, the APs broadcast
packets on the local network segment to discover an AC.
If the AC and APs are on different network segments, you must configure Option 43 or DNS
to specify the AC's CAPWAP source IP address for the APs. Otherwise, the APs cannot
discover the AC and go online successfully.
Configuring Option 43
l If an AC functions as a DHCP server to assign IP addresses to APs, perform the
following operations:
a. Run the system-view command to enter the system view.
b. Run the ip pool ip-pool-name command to create a global address pool and enter its
view.
c. Run any of the following commands to configure the option 43 field.
n option 43 hex hex-string
n option 43 sub-option 3 ascii ascii-string
n option 43 sub-option 2 ip-address ip-address &<1-8>
n option 43 sub-option 1 hex hex-string
NOTE
Run any of the following commands to configure the option 43 field. If multiple commands are
executed on an AP in V200R006, only the last command takes effect. If multiple commands are
executed on an AP in V200R007C10 or a later version, all the commands take effect.
l option 43 sub-option 3 ascii ascii-string
l option 43 sub-option 2 ip-address ip-address &<1-8>
l option 43 sub-option 1 hex hex-string
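The following Python sketch is an added example, not code from the Huawei guide. It encodes and decodes the Option 43 payloads that the commands above produce and flags any advertised AC address outside an expected set, which helps when auditing what a DHCP server on the management VLAN hands to APs. It assumes the RFC 2132 type-length-value layout for sub-options, that sub-options 1 and 2 carry packed IPv4 addresses, and that sub-option 3 carries a comma-separated ASCII list; function names and addresses are constructed.

```python
import ipaddress


def encode_sub_option(code: int, ac_addresses: list) -> bytes:
    """Build one Option 43 sub-option (code, length, value) for a list of AC addresses."""
    if code in (1, 2):                      # packed IPv4 addresses
        value = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    elif code == 3:                         # ASCII, comma-separated
        value = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses).encode("ascii")
    else:
        raise ValueError(f"unsupported sub-option {code}")
    if not value or len(value) > 255:
        raise ValueError("value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def decode_option43(payload: bytes) -> list:
    """Return [(sub_option_code, [ac_address, ...]), ...]; raise ValueError if malformed."""
    decoded, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} is shorter than its length byte")
        if code in (1, 2):
            if length == 0 or length % 4:
                raise ValueError(f"sub-option {code} is not a list of IPv4 addresses")
            addrs = [str(ipaddress.IPv4Address(value[i:i + 4]))
                     for i in range(0, length, 4)]
        elif code == 3:
            addrs = [str(ipaddress.IPv4Address(item.strip()))
                     for item in value.decode("ascii").split(",")]
        else:
            raise ValueError(f"unsupported sub-option {code}")
        decoded.append((code, addrs))
        pos += 2 + length
    return decoded


def unexpected_acs(option43_hex: str, expected: set) -> list:
    """List advertised AC addresses that are not in the expected set."""
    advertised = [addr
                  for _code, addrs in decode_option43(bytes.fromhex(option43_hex))
                  for addr in addrs]
    return [addr for addr in advertised if addr not in expected]


if __name__ == "__main__":
    # Constructed values: the hex string an "option 43 hex" command would carry
    # for sub-option 3 with a single AC at 192.168.100.1.
    print(encode_sub_option(3, ["192.168.100.1"]).hex().upper())
    # Constructed offer advertising two ACs, only one of which is expected.
    print(unexpected_acs("0108C0A86401C0A8640A", {"192.168.100.1"}))
```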
Configuring DNS
NOTE
In this mode, you need to configure the domain name and address of the AC on the DNS server.
l If an AC functions as a DHCP server to assign IP addresses to APs, perform the
following operations:
a. Run the system-view command to enter the system view.
b. Run the ip pool ip-pool-name command to create a global address pool and enter its
view.
c. Run the gateway-list ip-address &<1-8> command to configure a gateway address
for DHCP clients.
d. Run the network ip-address [ mask { mask | mask-length } ] command to set a
network segment of the global address pool.
e. Run the dns-list ip-address &<1-8> command to configure a DNS server address
for DHCP clients.
f. Run the domain-name domain-name command to configure a domain name suffix for
APs. After obtaining the suffix, the APs concatenate the suffix and
huawei-wlan-controller into a fully qualified domain name (FQDN). The APs then
use this FQDN to request the AC's IP address from the DNS server.
l If an independent DHCP server is used to assign IP addresses to APs, you must
configure the domain name suffix for APs. Otherwise, the APs cannot discover the AC
and go online successfully. For details about how to configure an independent DHCP
server, see related product configuration manuals.
To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the
AC, and STAs to access the network, configure interconnections between network devices.
The APs need to send service packets to STAs, and forward management packets and STAs'
service packets to the AC. When configuring network interconnections, configure the
management and service packets separately.
NOTE
The PVIDs of network device interfaces directly connected to the APs must be set to management VLAN
IDs.
Context
A country code identifies the country to which AP radios belong. Different countries support
different AP radio attributes, including the transmit power and supported channels. Correct
country code configuration ensures that radio attributes of APs comply with laws and
regulations of countries and regions to which the APs are delivered.
The country code is configured in a regulatory domain profile. Two configuration scenarios
are available:
l If the APs managed by an AC are located in the same country or region, you only need
to configure one country code.
l If the APs managed by an AC are located in different countries, you need to configure
different country codes for the APs.
As shown in Figure 5-38, APs using regulatory domain profile 1 in country 1 and those using
regulatory domain profile 2 in country 2 are all managed and controlled by the same AC. In
this situation, you need to configure the country code of country 1 in regulatory domain
profile 1 and that of country 2 in regulatory domain profile 2.
[Figure 5-38: headquarters in country 1 (APs using AP regulatory domain profile 1) and a branch in country 2 (APs using AP regulatory domain profile 2), connected through switches and the Internet. Labels: AC, AP, PC.]
NOTE
l When configuring an AC for the first time, you must configure the correct country code. The
country code must comply with local laws and regulations.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created, and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run country-code country-code
A country code is configured.
By default, the country code CN is configured.
For details about country codes, see country-code.
Modifying the country code in a regulatory domain profile will restart APs using the profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
l Binding the regulatory domain profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
----End
Context
You need to specify at least one VLANIF interface or loopback interface. In this manner, APs
managed by an AC can learn the IP address of the specified interface to set up a CAPWAP
tunnel with the AC. This interface is called the source interface.
l VLANIF interface: applies to the scenario where the APs that associate with the AC
belong to the same management VLAN.
l Loopback interface: applies to the scenario where the APs that associate with the AC
belong to different management VLANs. When the APs belong to multiple management
VLANs, the AC must have multiple VLANIF interfaces configured. If one of the
VLANIF interfaces is specified as the source interface, none of the APs can go online
when the source interface fails. A loopback interface remains Up after being created.
When a loopback interface is used as the source interface and a VLANIF interface
becomes faulty, only the AP that connects to the VLANIF interface cannot go online.
Procedure
l Configure an IPv4 source interface.
– Specify a VLANIF interface.
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
The created VLAN is a management VLAN.
iii. Run quit
Return to the system view.
Context
A network element is a physical device or service unit on the network topology. Each AC is a
network element.
You can configure network element names for ACs so that the ACs can be identified by an
NMS.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ac sysnetid ac-sysnetid
----End
Context
After an AP is powered on and obtains an AC IP address, the AP begins to establish
CAPWAP tunnels with the AC. CAPWAP tunnels include control and data tunnels.
The AC sends management packets over the control tunnel to manage APs in a centralized
manner. Data packets of users are all forwarded to the AC for centralized processing through
the data tunnel. To improve link reliability and prevent CAPWAP control tunnels from being
terminated when the service traffic volume is high, configure a high priority for CAPWAP
management packets.
CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption, sensitive
information encryption, integrity check, and heartbeat detection to ensure security.
l DTLS encryption: When an AP establishes CAPWAP tunnels with an AC, the AP
determines whether to perform DTLS negotiation with the AC. The DTLS protocol can
be used to encrypt packets exchanged between the AP and AC to ensure integrity and
privacy of management packets. Currently, the device can only encrypt management
packets using the pre-shared key (PSK).
l Sensitive information encryption: When sensitive information is transmitted between an
AP and an AC, the information can be encrypted to ensure information security.
Sensitive information includes the FTP user name, FTP password, AP login user name,
AP login password, and service configuration key.
l Integrity check: When CAPWAP packets are transmitted between an AP and an AC,
these packets may be forged or tampered with, or attackers may construct malformed packets
to launch attacks. Integrity check can protect CAPWAP packets between the AP and AC.
l Heartbeat detection: The AP and AC periodically exchange Echo packets to determine
whether the control tunnel is working properly and periodically exchange Keepalive
packets to determine whether the data tunnel is working properly. If the AP or AC does
not receive any response from the other after Echo or Keepalive packets are sent for the
specified number of times, the AP and AC consider that the control or data tunnel is
terminated. The tunnel needs to be re-established.
Procedure
Step 1 Run system-view
Set the CAPWAP heartbeat detection.
l Configure the heartbeat detection interval.
Command: capwap echo interval interval-value
By default, the CAPWAP heartbeat detection interval is 25s.
l Configure the number of CAPWAP heartbeat detections.
Command: capwap echo times times-value
By default, a maximum number of six CAPWAP heartbeat detections can be performed.
If dual-link backup is enabled, a maximum of three CAPWAP heartbeat detections can be
performed.
Description:
After the CAPWAP heartbeat detection interval is configured, the interval for sending Echo
packets is configured. After the number of CAPWAP heartbeat detections is configured, the
number of times for sending Echo packets is configured.
If no response is received after packets are sent for the specified number of times, the AP or
AC considers the link between them is disconnected.
If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat
detections smaller than the default values, the CAPWAP link reliability is degraded. Exercise
caution when you set the values. The default values are recommended.
If dual-link backup is enabled, the CAPWAP heartbeat detection interval is 25s and the
number of CAPWAP heartbeat detections is 3. When the Wireless Distribution System (WDS)
is required in dual-link backup configuration, the WDS link may be unstable and users may
not access the network. You need to run this command to set the interval for CAPWAP
heartbeat detection to 25 seconds and the number of CAPWAP heartbeat detections to 6.
Radio traffic statistics packets are sent and received together with Echo packets.
----End
Context
APs can be upgraded on an AC in the following modes:
l Automatic upgrade: used when APs are not online on an AC yet. Usually, automatic
upgrade parameters are configured prior to AP access. When going online, APs upgrade
automatically.
For APs that are already online on the AC, you can trigger AP restart after configuring
the automatic upgrade parameters, and the APs upgrade automatically during restart.
Compared to the automatic upgrade, the in-service upgrade can reduce service
interruption time.
l In-service upgrade: mainly used when APs are already online on the AC and carry
WLAN services. For details about the in-service upgrade, see 6.4.4 Performing an
In-Service Upgrade on APs.
l Scheduled upgrade: mainly used when APs are already online on the AC and carry
WLAN services. A scheduled upgrade is recommended when the access traffic volume
on the network is low.
In automatic upgrade mode, an AP checks whether its version is the same as that configured
on the AC, SFTP server, or FTP server during login. If the two versions are different, the AP
upgrades its version, restarts, and goes online again. If the two versions are the same, the AP
does not upgrade its version.
Table 5-7 lists the automatic upgrade modes supported by APs.
NOTE
If multiple APs are upgraded simultaneously in AC mode, the upgrade takes a long time and many AC
resources are consumed. To reduce service interruption caused by AP upgrade, the FTP or SFTP mode is
recommended.
Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
l AC mode
Run ap update mode ac-mode
The AP upgrade mode is set to AC mode.
By default, the AP upgrade mode is AC mode.
l FTP mode
a. Run ap update mode ftp-mode
----End
Context
You can add APs in any of the following modes:
l Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
When you add an AP in any of the preceding modes, the AP cannot connect to the AC if the
MAC address of the AP is in the AP blacklist.
After you add an AP to an AC offline and configure AP parameters, for example, the AP group
that the AP joins by default, the AP can go online and use the configured data to work.
When the AC is configured to automatically discover APs, an AP uses the default parameters
to work after going online.
The AP blacklist and whitelist can be configured at the same time. However, the MAC
address of an AP cannot be added to the AP blacklist and whitelist at the same time.
If both the AP whitelist and blacklist are configured, check whether an AP is on the blacklist first.
Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
l Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the display ap unauthorized record command to check information about
unauthorized APs.
f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm the
unauthorized APs. After confirmation, the APs work in normal state.
----End
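The admission checks described in this section, as an added example that is not part of the Huawei guide: a simplified Python model that reads constructed WLAN-view lines, decides whether a joining AP is rejected, goes online, or lands in the unauthorized list, and audits the policy before it is pushed. The sample addresses and serial number are made up, SN ranges are not modelled, and `no-auth` is assumed to be the keyword for the non-authentication mode the guide warns about.

```python
import re

# Constructed WLAN-view lines using the commands from the procedure above.
# All MAC addresses and the serial number are made-up sample values.
SAMPLE_CONFIG = """
ap auth-mode mac-auth
ap blacklist mac 00e0-fc00-0010 to 00e0-fc00-0012
ap whitelist mac 00e0-fc00-0001 to 00e0-fc00-0004
ap whitelist mac 00e0-fc00-0011
ap whitelist sn SAMPLE-SN-0001
"""

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")
AUTH_MODES = ("mac-auth", "sn-auth")


def mac_to_int(mac):
    """Convert an H-H-H MAC address to an integer so ranges can be compared."""
    mac = mac.lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def int_to_mac(value):
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_policy(text):
    """Collect the auth mode, blacklist and whitelists from configuration lines."""
    policy = {"auth_mode": "mac-auth",  # default stated in the guide
              "blacklist": [], "whitelist_mac": [], "whitelist_sn": set()}
    for line in text.splitlines():
        tok = line.split()
        is_range = len(tok) == 6 and tok[4] == "to"
        if tok[:2] == ["ap", "auth-mode"] and len(tok) == 3:
            policy["auth_mode"] = tok[2]
        elif (len(tok) == 4 or is_range) and tok[0] == "ap" \
                and tok[1] in ("blacklist", "whitelist") and tok[2] == "mac":
            lo = mac_to_int(tok[3])
            hi = mac_to_int(tok[5]) if is_range else lo
            if hi < lo:
                raise ValueError(f"descending MAC range: {line.strip()}")
            key = "blacklist" if tok[1] == "blacklist" else "whitelist_mac"
            policy[key].append((lo, hi))
        elif tok[:3] == ["ap", "whitelist", "sn"] and len(tok) == 4:
            policy["whitelist_sn"].add(tok[3])  # SN ranges are not modelled
    return policy


def in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def admit(policy, mac, sn):
    """Return 'rejected', 'online' or 'unauthorized' for an AP that tries to join."""
    addr = mac_to_int(mac)
    if in_ranges(addr, policy["blacklist"]):  # the blacklist is checked first
        return "rejected"
    mode = policy["auth_mode"]
    if mode not in AUTH_MODES:
        return "online"  # non-authentication: any AP that is not blacklisted joins
    if mode == "mac-auth" and in_ranges(addr, policy["whitelist_mac"]):
        return "online"
    if mode == "sn-auth" and sn in policy["whitelist_sn"]:
        return "online"
    return "unauthorized"  # listed as unauthorized until ap-confirm is run


def audit(policy):
    """Return findings an engineer should resolve before applying the policy."""
    findings = []
    mode = policy["auth_mode"]
    if mode not in AUTH_MODES:
        findings.append(f"auth-mode {mode}: APs join without MAC or SN authentication")
    for wlo, whi in policy["whitelist_mac"]:
        for blo, bhi in policy["blacklist"]:
            if wlo <= bhi and blo <= whi:  # the two ranges intersect
                lo, hi = int_to_mac(max(wlo, blo)), int_to_mac(min(whi, bhi))
                findings.append(f"{lo} to {hi} is in both the whitelist and the blacklist")
    if mode == "mac-auth" and policy["whitelist_sn"]:
        findings.append("SN whitelist entries are not used under mac-auth")
    if mode == "sn-auth" and policy["whitelist_mac"]:
        findings.append("MAC whitelist entries are not used under sn-auth")
    return findings


if __name__ == "__main__":
    sample = parse_policy(SAMPLE_CONFIG)
    for ap_mac in ("00e0-fc00-0002", "00e0-fc00-0011", "00e0-fc00-0099"):
        print(ap_mac, admit(sample, ap_mac, "SAMPLE-SN-0009"))
    for finding in audit(sample):
        print("finding:", finding)
```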
Context
Before deploying APs onsite, complete network planning operations, for example, configure
the AC and involved NEs, and add APs on the AC. After APs are connected to the network
and powered on, they can automatically upgrade and go online. Users do not need to perform
other configurations on the APs onsite.
You can check whether the APs go online properly on the AC as planned. If the AP status
displays as normal, the APs have gone online properly.
Procedure
l Run the display ap all command to check whether APs go online on an AC.
AP state. For details, see Table 5-8.
command to add correct AP information.
If the fault persists, expand the license capacity. Note that RUs managed by the AC do not
occupy license resources of the AC.
countryCode-mismatch
– The country code of an AP does not match that of the AC on which the AP is about to go
online.
– The current version of the AP does not support the country code configured on the AC.
– The AP does not support the country code. Upgrade the AP or change the country code
configured on the AC.
----End
Configuration Procedure
The procedure for configuring the central AP and RUs to go online is similar to that for
configuring the APs to go online. For details, see 5.9 Configuring APs to Go Online. The
differences are as follows:
l The RUs and central AP reside on the same Layer 2 network on an agile distributed
WLAN. The default PVID of the central AP's downlink interfaces is the management
VLAN ID and cannot be changed. That is, the central AP's downlink interfaces join the
management VLAN (mVLAN) by default and cannot be removed from the mVLAN, but
they can be added to other VLANs. The working mode of the interfaces must be set to
middle.
l RUs can go online only after the central AP reports RU information to the AC.
Therefore, the central AP must go online first.
l Each RU can only discover one central AP. After the central AP and RUs go online, the
AC delivers configurations to the central AP, and the central AP delivers configurations
to its connected RUs.
5.10.1 Setting the Working Mode for the Central AP's Wired
Interface
Context
When the central AP is connected to RUs, set the working mode of the central AP's downlink
interfaces to middle.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the wired-port-profile name profile-name command to create an AP wired port profile
and enter the profile view.
By default, the system provides the AP wired port profile default.
Step 4 Run the mode middle command to set the working mode of the AP's wired interface to
middle.
By default,
l On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in root mode.
l On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
l On an R230D: Its Ethernet interface works in root mode.
l On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root
mode.
l On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink GE
interfaces in endpoint mode.
l On an R450D: Its GE interface works in root mode.
After changing the working mode of the central AP's wired interfaces, restart the AP to make
the change effective.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the AP wired port profile to the central AP.
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the wired-port-profile profile-name interface-type interface-number command to
bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.
----End
Configuration Procedure
5.11.1 Configuring a Radio and 5.11.2 Configuring a VAP can be performed in any
sequence. 5.11.4 Checking the STA Online Result is performed after all configuration tasks
are complete.
Context
You need to configure different radio parameters for AP radios based on actual WLAN
environments, enabling the AP radios to work at the optimal performance.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
To avoid signal interference, ensure that adjacent APs work in non-overlapping channels.
If an AP works in dual-5G mode, the channels of the two 5G radios must be separated by at
least one channel.
For example, a country supports 40 MHz 5G channels 36, 44, 52, and 60. When deploying 5G
radio channels, if one radio is deployed on channel 36, it is recommended that the other radio
be deployed on channel 52 or 60. Channel 44 is not recommended in this case.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The antenna gain is the ratio of the power density produced by an antenna to the power
density that should be obtained at the same point if the power accepted by the antenna were
radiated equally. It measures the capability of an antenna to receive and send signals in a
specified direction and is one of the most important parameters for selecting a BTS antenna.
Under the same conditions, a higher antenna gain means that the wave travels farther.
The antenna gain of an AP radio configured using the command must be consistent with the
gain of the antenna connected to the AP.
The maximum antenna gain should comply with laws and regulations of the corresponding
country. For details, see the Country Code & Channel Compliance Table. You can obtain this
table from the Huawei technical support website.
By default, the transmit power of a radio is 127 dBm. The transmit power that takes effect on
APs is related to the AP type, country code, channel, and channel bandwidth. It is the
maximum transmit power supported by the AP radio under the current configuration. Run the
display radio { ap-name ap-name | ap-id ap-id } command to check the maximum value.
You can configure the transmit power for a radio based on actual network environments,
enabling radios to provide the required signal strength and improving signal quality on
WLANs.
----End
Context
Basic radio parameters are directly configured on radio interfaces, while other radio
parameters are configured in a radio profile. The radio profile is classified into the 2G and 5G
radio profiles. The configurations in the 2G and 5G radio profiles take effect on 2.4 GHz and
5 GHz radios, respectively. The commands in the 2G radio profile are used to configure 2.4
GHz radio parameters while those in the 5G radio profile are used to configure 5 GHz radio
parameters. 5.11.1.4 (Optional) Adjusting Radio Parameters describes different commands
used for the 2G and 5G radio profiles. Unless otherwise specified, the other commands are
applicable to both the 2G and 5G radio profiles.
The 2.4 GHz radio supports the 802.11bgn radio mode, and the 5 GHz radio supports the
802.11an and 802.11ac radio modes. Currently, 802.11ac is supported only by the 5 GHz radio
of the AP2030DN, AP7030DE, AP9330DN, AP8130DN-W, AD9430DN-12 (including the
mapping RUs), AD9430DN-24 (including the mapping RUs), AD9431DN-24X (including
the mapping RUs), AP3010DN-V2, AP4030DN, AP4030TN, AP4130DN, AP5030DN,
AP5130DN, AP8030DN, AP8130DN, AP9131DN, AP9132DN, AP1050DN-S, AP2050DN,
AP2050DN-E, AP2051DN, AP2051DN-E, AP4050DN, AP4050DN-E, AP4050DN-HD,
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
A 2G or 5G radio profile is created and the radio profile view is displayed.
By default, the system provides the 2G radio profile default and 5G radio profile default.
----End
Context
When a STA associated with an AP detects a channel switching on the AP, the STA needs to
reassociate with the AP on the new channel. During this process, services of the STA are
interrupted, degrading Internet experience of users. After smooth channel switching is
configured, when the AP channel needs to be switched, the AP requests STAs to switch the
channel after a fixed number of Beacon intervals so that the STAs and AP switch the channel
simultaneously. Smooth channel switching can prevent STA reassociations and ensure rapid
service recovery to improve Internet experience of users.
The channel switching announcement function must be supported by both the AP and STA.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run undo channel-switch announcement disable
----End
Context
You can adjust and optimize radio parameters to adapt to different network environments,
enabling APs to provide required radio capabilities and improving signal quality of WLANs.
After parameters in a radio profile are delivered to an AP, only the parameters supported by
the AP can take effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Adjust radio parameters:
Procedure: Configure the radio type
Command:
radio-type { dot11b | dot11g | dot11n }
By default, the radio type in a 2G radio profile is dot11n.
radio-type { dot11a | dot11ac | dot11n }
By default, the radio type in a 5G radio profile is dot11ac.
Description:
Usually, the default radio type is used and does not need to be modified. If the default radio
mode cannot meet requirements or a fault needs to be located, configure the radio type as
required.
l The radio-type { dot11b | dot11g | dot11n } command can only be configured in a 2G
radio profile.
l The radio-type { dot11a | dot11ac | dot11n } command can only be configured in a 5G
radio profile.
Procedure: Configure the radio rate
Command:
dot11a basic-rate { dot11a-rate-value &<1-8> | all }
By default, a basic rate set of the 802.11a protocol in a 5G radio profile includes rates 6 Mbps,
12 Mbps, and 24 Mbps.
dot11bg basic-rate { dot11bg-rate-value &<1-12> | all }
By default, the basic rate set of the 802.11bg protocol includes rates 1 Mbps and 2 Mbps in a
2G radio profile.
Description:
All rates specified in the basic rate set must be supported by both the AP and STA; otherwise,
the STA cannot associate with the AP.
l The dot11a basic-rate { dot11a-rate-value &<1-8> | all } command can only be configured
in a 5G radio profile.
l The dot11bg basic-rate { dot11bg-rate-value &<1-12> | all } command can only be
configured in a 2G radio profile.
----End
Context
After the configuration in a radio profile is complete, you need to bind the radio profile to an
AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in
a radio profile can take effect on the APs.
After a radio profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group. The configuration under an AP and AP radio has a higher
priority than that under an AP group and AP group radio. The 2G and 5G radio profiles take
effect on 2G and 5G radios, respectively.
Procedure
l Bind a radio profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the radio profile to the
radio.
By default, the 2G radio profile default and 5G radio profile default are bound to
an AP group.
l Bind a radio profile to an AP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the radio profile to the
radio.
By default, no 2G radio profile or 5G radio profile is bound to an AP.
l Apply a radio profile in the AP group radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group view.
d. Run the radio radio-id command to enter the radio view.
e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name command
to bind the radio profile to the radio.
By default, the 2G radio profile default and 5G radio profile default are bound to
an AP group radio.
l Apply a radio profile in the AP radio view.
a. Run the system-view command to enter the system view.
Prerequisites
The radio profile configuration is complete.
Procedure
l Run the display radio-2g-profile { all | name profile-name } command to check
configuration and reference information about a 2G radio profile.
l Run the display radio-5g-profile { all | name profile-name } command to check
configuration and reference information about a 5G radio profile.
l Run the display references radio-2g-profile name profile-name command to check
reference information about a 2G radio profile.
l Run the display references radio-5g-profile name profile-name command to check
reference information about a 5G radio profile.
l Run the display ap configurable channel { ap-name ap-name | ap-id ap-id } [ radio-id
radio-id ] command to check configurable channels supported by an AP.
l Run the display ap config-info { ap-name ap-name | ap-id ap-id } command to check
the AP configuration.
----End
Context
After you create a VAP profile, configure parameters in the profile. After the profile is applied
in the AP group view, AP view, AP radio view, or AP group radio view, VAPs are generated
and can provide wireless access services for STAs. You can configure different parameters in
the VAP profile to enable APs to provide different wireless services.
Procedure
Step 1 Run system-view
----End
Context
Data on a WLAN involves control packets (management packets) and data packets. Control
packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in
tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode
according to whether data packets are forwarded through CAPWAP data tunnels.
Table 5-9 compares tunnel forwarding and direct forwarding.
Direct forwarding
– Service data packets do not need to be forwarded by an AC, improving packet forwarding
efficiency and reducing the burden on the AC.
– Service data packets cannot be centrally managed or controlled. New device deployment
causes large changes to the existing network.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
----End
Context
Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.
Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the
office entrance or stadium entrance, and then roam to different APs.
l If a single VLAN is configured as the service VLAN, IP address resources may become
insufficient in areas where many STAs access the WLAN, and IP addresses in the other
areas are wasted.
l After a VLAN pool is created, add multiple VLANs to the VLAN pool and configure the
VLANs as service VLANs. In this way, an SSID can use multiple service VLANs to
provide wireless access services. STAs are dynamically assigned to VLANs in the
VLAN pool, which reduces the number of STAs in each VLAN and also the size of the
broadcast domain. Additionally, IP addresses are evenly allocated, preventing IP address
waste.
VLAN assignment algorithms include even and hash.
– When the VLAN assignment algorithm is set to even, service VLANs are assigned
to STAs from the VLAN pool based on the order in which STAs go online. Address
pools mapping the service VLANs evenly assign IP addresses to STAs. If a STA
goes online many times, it obtains different IP addresses.
– When the VLAN assignment algorithm is set to hash, VLANs are assigned to STAs
from the VLAN pool based on the hash result of their MAC addresses. As long as
the VLANs in the VLAN pool do not change, the STAs obtain fixed service
VLANs. A STA is preferentially assigned the same IP address when going online at
different times.
Note the following when adding service VLANs to the VLAN pool:
l After a VLAN pool is configured to provide service VLANs, VLANs in the VLAN pool
cannot be deleted. To delete the VLAN pool, cancel the service VLAN configuration of
the VLAN pool.
l In scenarios where a dual-stack address pool is configured, a STA successfully obtains
an IP address if the VLAN pool has assigned an IPv4 or IPv6 address to it. In this case,
the VLAN pool will not assign a new VLAN to the STA.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
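The difference between the even and hash assignment algorithms described in this section, as an added example that is not part of the Huawei guide: a simplified Python model replayed over a constructed trace in which each STA goes online twice. The round-robin counter, the CRC32-based hash, the VLAN IDs and the MAC addresses are assumptions chosen for the illustration; the device's actual hash function is not given in the guide.

```python
import zlib
from collections import Counter


class VlanPool:
    """Simplified VLAN pool. 'even' hands out VLANs in online order; 'hash' maps
    the STA MAC to a VLAN with CRC32, a stand-in for the device's own hash."""

    def __init__(self, vlans, algorithm):
        if algorithm not in ("even", "hash"):
            raise ValueError("algorithm must be 'even' or 'hash'")
        if not vlans:
            raise ValueError("the VLAN pool must contain at least one VLAN")
        self.vlans = list(vlans)
        self.algorithm = algorithm
        self._online_count = 0  # number of STAs assigned so far (even mode)

    def assign(self, sta_mac):
        """Return the service VLAN for a STA that is going online."""
        if self.algorithm == "even":
            vlan = self.vlans[self._online_count % len(self.vlans)]
            self._online_count += 1
            return vlan
        digest = zlib.crc32(sta_mac.lower().encode("ascii"))
        return self.vlans[digest % len(self.vlans)]


def replay(pool, events):
    """Replay STA MACs going online; return (load per VLAN, VLANs seen per STA)."""
    load = Counter()
    seen = {}
    for mac in events:
        vlan = pool.assign(mac)
        load[vlan] += 1
        seen.setdefault(mac, set()).add(vlan)
    return load, seen


def moved_by_pool_change(macs, old_vlans, new_vlans):
    """List the STAs whose hash-assigned VLAN differs after the pool is changed."""
    old_pool = VlanPool(old_vlans, "hash")
    new_pool = VlanPool(new_vlans, "hash")
    return [m for m in macs if old_pool.assign(m) != new_pool.assign(m)]


# Constructed input: four service VLANs and six STAs that each go online twice.
POOL = [101, 102, 103, 104]
STAS = [f"0000-5e00-53{i:02x}" for i in range(6)]
TRACE = STAS + STAS

if __name__ == "__main__":
    for algorithm in ("even", "hash"):
        load, seen = replay(VlanPool(POOL, algorithm), TRACE)
        stable = sum(1 for vlans in seen.values() if len(vlans) == 1)
        print(algorithm, dict(load), f"{stable}/{len(seen)} STAs kept one VLAN")
    print("moved after removing VLAN 104:", moved_by_pool_change(STAS, POOL, POOL[:-1]))
```

Under the hash algorithm a STA keeps its VLAN only while the pool membership is unchanged, which is why the last function reports the STAs that move when a VLAN is removed.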
Context
Configure the VAP type based on the site requirements. Different VAP types are used
depending on scenarios as follows:
l If the type of a VAP is set to service, STAs connected to the VAP can only access
network resources but not APs. Service VAPs are used in regular WLAN deployment
scenarios.
l If the type of a VAP is set to ap-management, STAs connected to the VAP can only
access APs but not network resources. AP management VAPs are used in STA access
and AP management scenarios.
l If the type of a VAP is set to service-backup ap-offline, STAs can access the network
through the backup service VAP after the AP goes offline. For example, on a
headquarters-branch network, when APs at branches connect to the AC at the
headquarters through a WAN, APs may go offline due to the WAN instability. You can
configure a backup service VAP to allow new STAs to access the network if the AP goes
offline.
l If the type of a VAP is set to service-backup auth-server-down, the VAP is
automatically enabled to allow network access of associated STAs when the
authentication server is not accessible. When the authentication server recovers, this
VAP is not automatically disabled. You can manually disable it if needed. If the
authentication server is accessible but rejects user access, this VAP is not automatically
enabled. You can manually enable it if needed. To enable or disable this VAP, run the
vap-service-backup auth-server-down command.
Procedure
Step 1 Run system-view
Context
In actual WLAN applications, the network administrator wants to disable WLAN services in a
specified period, ensuring security and reducing power consumption. You can disable the
VAP as scheduled.
This configuration is applicable to enterprises that want to disable WLAN services in a
specified period for security or at midnight when the user service traffic volume is low.
l The scheduled VAP auto-off function enabled in a VAP profile view takes effect only on
the APs using the profile.
l The scheduled VAP auto-off function enabled in a radio profile takes effect only on the
APs using the profile. For details on how to configure the scheduled VAP auto-off
function in a VAP profile view, see 5.11.1.4 (Optional) Adjusting Radio Parameters.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run undo service-mode disable
The service mode of a VAP is enabled.
By default, the service mode of a VAP is enabled.
Enabling the service mode of a VAP is the prerequisite for normal VAP working.
Step 5 Run auto-off service start-time start-time end-time end-time
The scheduled VAP auto-off function is enabled and the time range when the VAP is disabled
is set.
By default, the scheduled VAP auto-off function is disabled.
----End
Context
Carrier sense multiple access with collision avoidance (CSMA-CA) allows an air interface
channel to be occupied only by one STA, and other STAs cannot communicate with the AP.
[Figure: STAs accessing the AP before MU-MIMO is enabled (with backoff) and after MU-MIMO is enabled]
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 4 Run undo mu-mimo disable
MU-MIMO is enabled.
By default, the MU-MIMO function is enabled.
----End
Context
After the device is enabled to monitor user traffic and forcibly disconnect STAs without
traffic, a STA meeting all the following conditions is forcibly disconnected after reassociation
and going online:
l The STA does not send DHCP Request messages or receive ARP Reply packets within
5s after going online.
l The IP address of the STA changes after roaming.
l The STA has only uplink traffic but no downlink traffic.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo sta-network-detect disable
The device is enabled to monitor user traffic and forcibly disconnect STAs without traffic.
By default, the device is enabled to monitor user traffic and forcibly disconnect STAs without
traffic.
----End
Context
You can flexibly adjust VAP parameters to adapt to different network requirements.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Adjust VAP parameters.
Procedure | Command | Description
Enable the service mode of a VAP | undo service-mode disable (By default, the service mode of a VAP is enabled.) | Enabling the service mode of a VAP is the prerequisite for normal VAP working.
----End
Context
As WLAN technology uses radio signals to transmit service data, service data can easily be
intercepted or tampered with by attackers when being transmitted on open wireless channels.
Security is critical to WLANs. You can create a security profile to configure security policies,
which protect privacy of users and ensure data transmission security on WLANs.
A security profile provides four WLAN security policies: Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure
(WAPI). Each security policy has a series of security mechanisms, including the link
authentication mechanism used to establish a wireless link, user authentication mechanism
used when users attempt to connect to a wireless network, and data encryption mechanism
used during data transmission.
If no security policy is configured during the creation of a security profile, the default
authentication mode (open system authentication) is used. When a user searches for a wireless
network, the user can connect to the wireless network without being authenticated.
The default security policy has low security. You are advised to configure a proper security
policy. For details on how to configure security policies, see Security Policy Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After a security profile is created, you need to configure a proper security policy according to
service requirements because the default security policy has security risks. For the detailed
configuration, see Security Policy Configuration.
Step 4 Run quit
Return to the WLAN view.
Step 5 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 6 Run security-profile profile-name
The security profile is bound to a VAP profile.
By default, the security profile default is bound to a VAP profile.
----End
Context
SSIDs identify different wireless networks. When you search for available wireless networks
on your laptop, the displayed wireless network names are SSIDs. In an SSID profile, you can
define an SSID name and configure related parameters. After the SSID profile configuration
is complete, bind the SSID profile to a VAP profile.
Procedure
Step 1 Run system-view
When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure security.
Only the users who know the SSID can connect to the WLAN.
The more users access a VAP, the fewer network resources each user can occupy. To
ensure a good Internet experience for users, you can configure a proper maximum number of
access users on a VAP according to actual network situations.
APs are disabled from automatically hiding SSIDs when the number of users reaches the
maximum.
By default, automatic SSID hiding is enabled when the number of users reaches the
maximum.
After automatic SSID hiding is enabled, SSIDs are automatically hidden when the number of
users connected to the WLAN reaches the maximum, and SSIDs are unavailable for new
users.
Step 9 (Optional) Run legacy-station [ only-dot11b ] disable
Access of non-HT STAs is denied.
By default, access of non-HT STAs is permitted.
Non-HT STAs support only 802.11a/b/g and provide a data transmission rate far lower than
that of 802.11n/ac STAs. If the non-HT STAs access the wireless network, the data
transmission rate of 802.11n/ac STAs will be reduced. To prevent the transmission rate of
802.11n/ac STAs from being affected, you can run the legacy-station [ only-dot11b ] disable
command to deny access of all or only 802.11b-compliant non-HT STAs.
After the legacy-station disable command is run, the access of non-HT STAs supporting only
802.11a/b/g fails to be denied if any of the following functions is configured on the non-HT
STAs:
l WMM function in a 2G or 5G radio profile enabled using the wmm disable command
l Pre-shared key authentication and TKIP encryption for WPA/WPA2 configured using the
security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value tkip
command
l 802.1X authentication and TKIP encryption for WPA/WPA2 configured using the
security { wpa | wpa2 | wpa-wpa2 } dot1x tkip command
l WEP shared key authentication mode configured using the security wep [ share-key ]
command
l 802.11b/g radio type in the 2G radio profile configured using the radio-type { dot11b |
dot11g } command
l 802.11a radio type in the 5G radio profile configured using radio-type dot11a command
After the legacy-station only-dot11b disable command is run, the access of non-HT STAs
supporting only 802.11b is denied. If 802.11b radio type in the 2G radio profile has been
configured using the radio-type dot11b command, the access of non-HT STAs supporting
only 802.11b fails to be denied.
Step 10 (Optional) Run single-txchain enable
The single-antenna transmission mode is enabled.
By default, the single-antenna transmission mode is disabled.
Only 802.11ac Wave 2 APs support the single-antenna transmission mode.
Step 11 (Optional) Run association-timeout association-timeout
The association aging time of STAs is configured.
By default, the association aging time is 5 minutes.
After the association aging time of STAs is configured, if the AP receives no data packet from
a STA in a specified time, the STA goes offline after the association aging time expires.
Step 12 (Optional) Run dtim-interval dtim-interval
A DTIM interval is configured.
By default, the DTIM interval is 1.
The DTIM interval specifies how many Beacon frames are sent before the Beacon frame that
contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving mode,
indicating that the saved broadcast and multicast frames will be transmitted to the STA.
l A short DTIM interval helps transmit data in a timely manner, but the STA is wakened
frequently, causing high power consumption.
l A long DTIM interval lengthens the dormancy time of a STA and saves power, but
degrades the transmission capability of the STA.
Step 13 (Optional) Run u-apsd enable
The U-APSD function is enabled.
By default, the U-APSD function is disabled.
If some STAs on the network do not support the U-APSD function, disable the U-APSD
function.
Step 14 (Optional) Run active-dull-client enable
The function of preventing terminals from entering energy-saving mode is enabled.
By default, the function of preventing terminals from entering energy-saving mode is
disabled.
For reasons specific to individual terminals, some terminals may not run services normally
after entering energy-saving mode. You can run the active-dull-client enable command to
prevent terminals from entering energy-saving mode. After that, an AP frequently sends null
data frames to these terminals to keep them out of energy-saving mode, ensuring normal
services.
Step 15 (Optional) Run qbss-load enable
APs are enabled to notify STAs of their load.
By default, the function of notifying STAs of the AP load is disabled.
Step 16 Run quit
Return to the WLAN view.
Step 17 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 18 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.
----End
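The following script is an added example, not part of the Huawei guide. It audits a saved AC configuration for VAP profiles that fall back to open system authentication, use WEP or TKIP, or pair legacy-station disable with a TKIP or WEP shared-key setting that the guide lists as defeating it. The sample configuration, the extra profile names and the finding codes are constructed, and the script assumes that a VAP profile with no explicit binding uses the profile named default.

```python
import re

# Constructed sample in the layout of the AC configuration file in this guide.
# Profile names other than wlan-* and the ciphertext placeholder are invented.
SAMPLE_CONFIG = """\
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 security-profile name guest-open
 security-profile name legacy-tkip
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# tkip
 ssid-profile name wlan-ssid
  ssid wlan-net
 ssid-profile name fast-ssid
  ssid fast-net
  legacy-station disable
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name guest-vap
  ssid-profile wlan-ssid
  security-profile guest-open
 vap-profile name fast-vap
  ssid-profile fast-ssid
  security-profile legacy-tkip
 vap-profile name unbound-vap
  ssid-profile wlan-ssid
 ap-group name ap-group1
  vap-profile wlan-vap wlan 1
"""

HEADER = re.compile(r"^(\S+) name (\S+)$")
TRACKED = ("security-profile", "ssid-profile", "vap-profile")


def parse_profiles(text):
    """Return {kind: {name: [setting lines]}} for the tracked profile kinds.

    Indentation is ignored, so a flattened copy of the file parses too: a
    setting belongs to the most recent "<kind> name <profile>" header.
    """
    profiles = {kind: {} for kind in TRACKED}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            kind, name = header.groups()
            # Headers of other kinds (ap-group, ...) end the tracked section.
            current = profiles[kind].setdefault(name, []) if kind in TRACKED else None
        elif line in ("", "#", "return"):
            current = None
        elif current is not None:
            current.append(line)
    return profiles


def security_policy(settings):
    """Return (policy, options) from a profile's "security ..." line.

    A profile without such a line uses open system authentication.
    """
    for line in settings:
        words = line.split()
        if len(words) >= 2 and words[0] == "security":
            return words[1], words[2:]
    return "open", []


def audit(text):
    """Return a sorted list of (vap_profile, finding_code) tuples.

    Codes: OPEN, WEP, TKIP, LEGACY-NOT-ENFORCED (constructed for this example).
    """
    profiles = parse_profiles(text)
    findings = []
    for vap, settings in profiles["vap-profile"].items():
        # Assumption from the guide: unbound VAP profiles use profile "default".
        bound = {"security-profile": "default", "ssid-profile": "default"}
        for line in settings:
            words = line.split()
            if len(words) == 2 and words[0] in bound:
                bound[words[0]] = words[1]
        sec = profiles["security-profile"].get(bound["security-profile"], [])
        ssid = profiles["ssid-profile"].get(bound["ssid-profile"], [])
        policy, options = security_policy(sec)
        tkip = policy.startswith("wpa") and bool(options) and "tkip" in options[-1]
        if policy == "open":
            findings.append((vap, "OPEN"))
        if policy == "wep":
            findings.append((vap, "WEP"))
        if tkip:
            findings.append((vap, "TKIP"))
        # The guide lists TKIP and WEP shared key among the settings under
        # which "legacy-station disable" fails to deny non-HT STAs.
        wep_shared = policy == "wep" and "share-key" in options
        if "legacy-station disable" in ssid and (tkip or wep_shared):
            findings.append((vap, "LEGACY-NOT-ENFORCED"))
    return sorted(findings)


if __name__ == "__main__":
    for vap, code in audit(SAMPLE_CONFIG):
        print(f"{vap}: {code}")
```

The radio-type and wmm disable conditions that the guide also lists live in radio profiles and are outside what this script checks.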
Context
After the configuration in a VAP profile is complete, you need to bind the VAP profile to an
AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in
a VAP profile can take effect on the APs.
After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group.
Procedure
l Bind a VAP profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group view.
d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
----End
Prerequisites
The configuration of the VAP, security, and SSID profiles is complete.
Procedure
l Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-
name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
VAP information.
l Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
l Run the display references vap-profile name profile-name command to check reference
information about a VAP profile.
l Run the display security-profile { all | name profile-name } command to check
configuration and reference information about a security profile.
l Run the display references security-profile name profile-name command to check
reference information about a security profile.
l Run the display ssid-profile { all | name profile-name } command to check
configuration and reference information about an SSID profile.
l Run the display references ssid-profile name profile-name command to check
reference information about an SSID profile.
l Run the display vlan pool { name pool-name | all [ verbose ] } command to check
configurations in a VLAN pool.
l Run the display references vlan pool pool-name command to check reference
information about a VLAN pool.
l Run the display vap create-fail-record all command to check records about VAP
creation failures.
l Run the display wlan config-errors command to check WLAN configuration errors.
----End
Context
On a WLAN, some online STAs may go offline due to reasons such as screen lock. When
these STAs go online again, they are reauthenticated, increasing the load on the authentication
server. After the STA offline delay function is enabled, STAs can go offline and online again
in the aging time without being authenticated by the external or built-in authentication server.
This reduces the load on the authentication server and avoids multiple authentication
operations. This function takes effect for STAs only in Portal, MAC address, or MAC
address-prioritized Portal authentication mode.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The maximum number of STAs that are allowed to delay going offline is set.
The default maximum number of STAs that are allowed to delay going offline is one fifth of
the maximum number of STAs supported by an AC.
The default aging time for STA offline delay is 180 seconds.
APs are enabled to force STAs in offline delay state to go offline and allow new STAs
to go online after the number of STAs reaches the maximum.
By default, an AP is enabled to force STAs in offline delay state to go offline and allow new
STAs to go online after the number of STAs reaches the maximum.
----End
Context
After basic WLAN service configurations are complete, APs generate WLAN signals in their
coverage ranges. Users can use STAs, such as mobile phones and laptops with wireless
network adapters to associate with WLANs of the configured SSIDs. After entering the user
names and passwords, users can associate with the WLANs. By checking the STA online
result, you can see which STAs are connected to the WLAN.
Procedure
l Run the display station { ap-group ap-group-name | ap-name ap-name | ap-id ap-id |
ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all } command to check STA access
information.
----End
Procedure
The procedure for configuring STAs to go online on an agile distributed WLAN is the same
as that on a common WLAN. For details, see 5.11 Configuring STAs to Go Online.
On an agile distributed WLAN, the central AP does not have radios. The RUs act as radios of
the central AP. Therefore, the radio and VAP configurations need to be delivered to RUs, but
not the central AP.
Context
On wireless networks, radio, as the transmission medium, is easily affected by interference
from its surroundings, and the transmission quality of service data varies greatly with that
interference. Therefore, you must evaluate and check the transmission quality of wireless
links to ensure better service data transmission, efficient cooperation between densely
deployed wireless networks, and reduced signal interference.
Use the RF ping function to exchange data packets between APs and STAs and check the
transmission quality of wireless links. The link check result includes the signal strength, radio
interface rate, and packet sending delay, which together indicate the transmission
quality of wireless links.
Procedure
Step 1 Run system-view
Step 3 Run the rf-ping [ -m time | -c number ] * mac-address command to check wireless link
quality.
----End
Context
When a network fault occurs, use an AP to ping other network devices to check the
connectivity.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m time | -t
timeout ] * host command to ping a network device from an AP to check network connectivity
between them.
----End
Context
After AP online and management AP configurations are complete, run the following
commands in any view to check AP running statistics.
Procedure
l Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to check AP
running information.
l Run the display ap performance statistics { ap-name ap-name | ap-id ap-id }
command to check AP performance statistics.
l Run the display radio { all | ap-group ap-group-name | ap-name ap-name | ap-id ap-
id } command to check AP radio information.
l Run the display ap asyn-message err-info { all | ap-name ap-name | ap-id ap-id }
command to check records about AP restart failures.
l Run the display ap uncontrol all command to check unauthorized APs.
l Run the display channel switch-record { all | ap-name ap-name radio radio-id | ap-id
ap-id radio radio-id | reason reason } command to check channel switching records.
l Run the display ap traffic statistics wireless { ap-name ap-name | ap-id ap-id } radio
radio-id [ ssid ssid ] command to check packet statistics on an AP radio.
l Run the display ap elabel { ap-name ap-name | ap-id ap-id } command to check AP
electronic label information.
l Run the display ap service-config acl { ap-name ap-name | ap-id ap-id } command to
check ACL configurations on an AP.
l Run the display ap port { all | ap-name ap-name | ap-id ap-id | ap-mac ap-mac }
command to check the AP port status and traffic information.
l Run the display distribute-ap { all | ap-id ap-id | ap-mac ap-mac | ap-name ap-name |
central-ap-id central-ap-id | central-ap-mac central-ap-mac | central-ap-name
central-ap-name } command to check RU information.
l Run the display ap statistics command to check statistics on the types of APs added to
an AC.
----End
Context
You can check AP online failure and offline records to locate the reasons why APs fail to
go online or go offline. This helps the maintenance personnel manage and maintain the
APs.
Procedure
l Run the display ap online-fail-record { all | mac mac-address } command to check AP
online failure records.
l Run the display ap offline-record { all | mac mac-address } command to check AP
offline records.
----End
Context
Before re-collecting AP online failure and offline records, you can clear AP online failure
records and offline records. This helps the maintenance personnel manage and maintain APs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these operations.
Procedure
l Run the reset ap online-fail-record { all | mac mac-address } command to clear AP
online failure records.
l Run the reset ap offline-record { all | mac mac-address } command to clear AP offline
records.
----End
Context
You can clear the list of unauthorized APs to remove records of removed or unauthenticated
APs that have disconnected from an AC. This operation helps re-collect and confirm
unauthenticated APs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these operations.
Procedure
Step 1 Run system-view
----End
Context
After STAs successfully associate with an AP, you can run the following commands in any
view to monitor the STA running status.
Procedure
l Run the display station { ap-group ap-group-name | ap-name ap-name | ap-id ap-id |
ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all } command to check STA access
information.
l Run the display station statistics [ sta-mac sta-mac-address | ap-name ap-name | ap-id
ap-id ] command to check STA statistics.
l Run the display ap sta-signal strength { ap-name ap-name | ap-id ap-id } [ radio
radio-id ] command to check the average signal strength of STAs on an AP.
----End
Context
You can check STA online failure and offline records to locate online failure and offline
reasons. This helps the maintenance personnel rectify the fault, enabling STAs to connect to
the wireless network properly.
Procedure
l Run the display station online-fail-record { all | ap-name ap-name | ap-id ap-id | sta-
mac sta-mac-address } command to check records about STA online failures.
l Run the display station offline-record { all | ap-name ap-name | ap-id ap-id | sta-mac
sta-mac-address } command to check STA offline records.
----End
Context
Before re-collecting STA online failure and offline records, clear STA online failure records
and offline records. This helps the maintenance personnel manage and maintain STAs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these operations.
Procedure
l Run the reset station online-fail-record { all | ap-name ap-name | ap-id ap-id | sta-
mac sta-mac-address } command to clear STA online failure records.
l Run the reset station offline-record { all | ap-name ap-name | ap-id ap-id | sta-mac
sta-mac-address } command to clear STA offline records.
----End
Context
After the function of recording successful STA associations in the log is enabled, successfully
associated STAs are recorded in the log, so that the administrator can view information about
successful STA associations.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run report-sta-assoc enable
The function of recording successful STA associations in the log is enabled.
By default, this function is disabled.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 5-40, the AP is directly connected to the AC. An enterprise branch needs
to deploy WLAN services for mobile office so that branch users can access the enterprise
internal network from anywhere at any time.
The following requirements must be met:
l A WLAN named wlan-net is available.
l Branch users are assigned IP addresses on 10.23.101.0/24.
[Figure 5-40: networking diagram showing the STAs, the AP, SwitchA (GE0/0/1 and GE0/0/2 in VLAN 100), the AC (GE0/0/1 in VLAN 100, GE0/0/2 in VLAN 101), and the Internet]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Layer 2 connections between the AP, AC, Switch, and upstream device.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require the same
configuration can be added to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
Configuration Notes
l For details about common WLAN configuration notes, see 2 General Precautions for
WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
Deployment and Configuration Suggestions.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 5-41, an enterprise AC connects to the egress gateway Router of the
campus network and connects to the AP through access switch SwitchA.
The enterprise requires a WLAN with SSID wlan-net so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses to users and manage users on the AC.
A large number of users connect to the WLAN. To reduce broadcast domains and ensure that
sufficient IP addresses are available, configure a VLAN pool to use VLANs in the VLAN
pool as service VLANs and configure interface address pools corresponding to the VLANs to
allocate addresses to STAs.
[Figure 5-41: networking diagram; image not reproduced. Labelled links: Router GE2/0/0 to AC GE0/0/2 (VLAN 200); AC GE0/0/1 to Switch_A GE0/0/2 (VLAN 100); Switch_A GE0/0/1 and GE0/0/3 (VLAN 100) to APs area_1 and area_2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure connections between the AP, AC, and upstream device.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
DHCP server: The AC functions as a DHCP server to assign IP addresses to the APs, and the Router functions as a DHCP server to assign IP addresses to the STAs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24 and 10.23.102.2-10.23.102.254/24
Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.
NOTE
This example sets the VLAN assignment algorithm to hash, which is also the default. If the default
setting has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses and interface address pools.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group1  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   38/64  -68   102   10.23.102.254
14cf-9202-13dc  1      area_2   0/1      2.4G  11n   3/34   -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 2 2.4G: 1 5G: 1
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
On the large enterprise network shown in Figure 5-42, aggregation switch Switch_B connects
to access switch Switch_A and an upstream Router. The enterprise needs to deploy a
WLAN with as few changes to the current network structure as possible.
The enterprise requirements are as follows:
• A WLAN with the SSID guest is deployed in the lobby of the office building to provide
  wireless access services for visitors.
• A WLAN with the SSID employee is deployed in office areas to provide wireless access
  services for employees.
[Figure 5-42: networking diagram; image not reproduced. Surviving labels: Internet; Router GE2/0/0, VLANIF 201: 10.67.201.1/24; Switch_A GE0/0/1 to GE0/0/5.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch_A and Switch_B to implement Layer 2 interconnection and configure
Switch_B, Router, and AC to implement Layer 3 interconnection.
2. Configure the Router as a DHCP server to assign IP addresses from a global address
pool to STAs and APs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline so that the APs
can go online properly.
5. Configure WLAN service parameters for STAs to access the WLAN.
Name: employee
Referenced profile: VAP profile employee and regulatory domain
profile domain1
Name: employee
SSID name: employee
Item Data
Name: employee
• Security policy: WPA2+PSK+AES
• Password: b1234567
Name: employee
• Forwarding mode: direct forwarding
• Service VLAN: sta-pool2
• Referenced profile: SSID profile employee and security
  profile employee
NOTE
• For details about common WLAN configuration notes, see 2 General Precautions for WLAN. For
  more deployment and configuration suggestions, see 3 Wireless Network Deployment and
  Configuration Suggestions.
• In this example, Switch_A is a Huawei fixed switch, and Switch_B is a Huawei modular switch.
• When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
  added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
  situation, quite a lot of broadcast domains are created if you configure the direct forwarding mode.
  To reduce the number of broadcast domains, set the data forwarding mode to direct forwarding.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition,
  wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent
  at low rates. If a large number of such multicast packets are sent from the network side, the air
  interfaces may be congested. You are advised to configure multicast packet suppression to reduce
  impact of a large number of low-rate multicast packets on the wireless network. Exercise caution
  when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on
      switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in
      traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet
  Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless
  Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the
  corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is
  not configured and direct forwarding is used, a large number of unnecessary broadcast packets may
  be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only
  packets from the management VLAN are transmitted between the AC and APs. Packets from the
  service VLAN are not allowed between the AC and APs.
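The port-isolation and tunnel-forwarding notes above can be checked against saved configuration files. The following Python audit is an added example, not part of the Huawei guide. It assumes that AP-facing switch ports are those whose PVID is the management VLAN and that the management VLAN is the VLAN of the CAPWAP source VLANIF; the sample configurations, the VAP profile lab and the pool lab-pool are constructed.

```python
import re

# Constructed samples modelled on this page's Switch_A and AC configuration files:
# GE0/0/3 lacks port isolation; hypothetical VAP profile "lab" tunnels VLAN 100.
SWITCH_SAMPLE = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
"""

AC_SAMPLE = """\
vlan pool sta-pool
 vlan 101 to 102
#
vlan pool lab-pool
 vlan 100 103
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  security-profile wlan-security
 vap-profile name lab
  forward-mode tunnel
  service-vlan vlan-pool lab-pool
 ap-group name ap-group1
#
"""


def split_blocks(text):
    """Split a saved configuration into blocks delimited by '#' lines."""
    blocks = []
    for chunk in re.split(r"(?m)^[ \t]*#[ \t]*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip() not in ("", "return")]
        if lines:
            blocks.append(lines)
    return blocks


def expand_vlans(tokens):
    """['101', 'to', '102', '200'] -> {101, 102, 200}"""
    spec = re.sub(r"(\d+) to (\d+)", r"\1-\2", " ".join(tokens))
    vlans = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def unisolated_ap_ports(switch_cfg, mgmt_vlan):
    """AP-facing ports (assumed: PVID == management VLAN) without port isolation."""
    pvid = f"port trunk pvid vlan {mgmt_vlan}"
    return [b[0].split(None, 1)[1] for b in split_blocks(switch_cfg)
            if b[0].startswith("interface ") and pvid in b
            and not any(l.startswith("port-isolate enable") for l in b)]


def tunnel_vaps_on_mgmt_vlan(ac_cfg):
    """Tunnel-mode VAP profiles whose service VLANs include the management VLAN."""
    blocks, mgmt, pools, findings = split_blocks(ac_cfg), None, {}, []
    for b in blocks:
        m = re.fullmatch(r"capwap source interface vlanif(\d+)", b[0], re.I)
        if m:
            mgmt = int(m.group(1))  # assumed: CAPWAP source VLANIF = management VLAN
        elif b[0].startswith("vlan pool "):
            pools[b[0].split()[2]] = set().union(
                *(expand_vlans(l.split()[1:]) for l in b[1:] if l.startswith("vlan ")))
    for b in (b for b in blocks if b[0] == "wlan"):
        vap = None
        for line in b[1:] + ["ap-id end"]:  # sentinel closes the last profile
            if re.match(r"\S+-profile name |ap-group name |ap-id ", line):
                if vap and vap["tunnel"] and mgmt in vap["vlans"]:
                    findings.append(vap["name"])
                vap = None
                if line.startswith("vap-profile name "):
                    vap = {"name": line.split()[2], "tunnel": False, "vlans": set()}
            elif vap and line == "forward-mode tunnel":
                vap["tunnel"] = True
            elif vap and line.startswith("service-vlan vlan-id "):
                vap["vlans"] = {int(line.split()[2])}
            elif vap and line.startswith("service-vlan vlan-pool "):
                vap["vlans"] = pools.get(line.split()[2], set())
    return findings
```

Run both functions over the files shown under Configuration Files after each change; an empty list from each means neither note is violated under the stated assumptions.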
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
# Configure aggregation switch Switch_B. Add GE1/0/1 to VLANs 100 through 104,
GE1/0/2 to VLAN 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 104 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 104
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit
# Create VLANIF interfaces VLANIF 100 to VLANIF 104, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 work as the gateways of visitors while VLANIF 103 and
VLANIF 104 work as the gateways of enterprise employees. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with Router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 103
[Switch_B-Vlanif103] ip address 10.23.103.1 24
[Switch_B-Vlanif103] quit
[Switch_B] interface vlanif 104
[Switch_B-Vlanif104] ip address 10.23.104.1 24
[Switch_B-Vlanif104] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 101 to 104 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
# Add GE2/0/0 on Router to VLAN 201 and configure an IP address for VLANIF 201 so that
Router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit
# Configure a default route on Switch_B with the outbound interface as the Router's VLANIF
201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
# Configure a route on the AC with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2
# Configure the Router as a DHCP server to allocate IP addresses to APs and STAs. If the AP
and AC communicate through a Layer 3 network, configure Option 43 to notify the AP of the
AC's IP address.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] quit
[Router] ip pool sta3
[Router-ip-pool-sta3] network 10.23.103.0 mask 24
[Router-ip-pool-sta3] gateway-list 10.23.103.1
[Router-ip-pool-sta3] quit
[Router] ip pool sta4
[Router-ip-pool-sta4] network 10.23.104.0 mask 24
[Router-ip-pool-sta4] gateway-list 10.23.104.1
[Router-ip-pool-sta4] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
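The command option 43 sub-option 3 ascii 10.45.200.1 determines which AC an AP contacts, so the value seen in a captured DHCP offer is worth comparing with the intended AC address. The following Python is an added example, not part of the Huawei guide. It assumes the Option 43 value is a sequence of one-byte code, one-byte length sub-options (the RFC 2132 encapsulated layout) and that several ACs would be written as one comma-separated ASCII string; the function names and the address 192.0.2.66 are constructed.

```python
import ipaddress

AC_SUB_OPTION = 3  # sub-option number used in the pool "ap" on this page


def encode_sub_option(code, text):
    """Bytes carried inside Option 43 for `sub-option <code> ascii <text>`."""
    data = text.encode("ascii")
    if not 1 <= code <= 254 or len(data) > 255:
        raise ValueError("sub-option code or value length out of range")
    return bytes([code, len(data)]) + data


def parse_option43(payload):
    """Decode the Option 43 value into {sub-option code: raw bytes}."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} declares {length} bytes, "
                             f"only {len(value)} present")
        subs[code] = value
        i += 2 + length
    return subs


def advertised_acs(payload):
    """AC addresses an AP would learn from this Option 43 value."""
    raw = parse_option43(payload).get(AC_SUB_OPTION)
    if raw is None:
        return []
    # Assumption: several ACs are written as one comma-separated ASCII string.
    return [ipaddress.ip_address(p.strip()) for p in raw.decode("ascii").split(",")]


def unexpected_acs(payload, allowed):
    """Advertised AC addresses that are not on the operator's allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    return [str(a) for a in advertised_acs(payload) if a not in allowed]


if __name__ == "__main__":
    good = encode_sub_option(AC_SUB_OPTION, "10.45.200.1")
    print(good.hex())  # the Option 43 value as it appears in a capture
    # Constructed offer that also names an AC outside the allowlist.
    odd = encode_sub_option(AC_SUB_OPTION, "10.45.200.1,192.0.2.66")
    print(unexpected_acs(good, ["10.45.200.1"]))
    print(unexpected_acs(odd, ["10.45.200.1"]))
```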
NOTE
This example sets the VLAN assignment algorithm to hash, which is also the default. If the default
setting has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses on Switch_B, and configure interface address
pools on Router.
[AC] vlan pool sta-pool1
[AC-vlan-pool-sta-pool1] vlan 101 102
[AC-vlan-pool-sta-pool1] assignment hash
[AC-vlan-pool-sta-pool1] quit
[AC] vlan pool sta-pool2
[AC-vlan-pool-sta-pool2] vlan 103 104
[AC-vlan-pool-sta-pool2] assignment hash
[AC-vlan-pool-sta-pool2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit
# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Configure names for the APs based on the APs'
deployment locations, so that you can know where the APs are deployed from their names.
For example, if the AP with MAC address 60de-4474-9640 is deployed in room 1 of the
second floor of the office building, name the AP office2-1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------
ID  MAC             Name       Group     IP             Type      State  STA  Uptime      ExtraInfo
------------------------------------------------------------------------------------------------
0   60de-4474-9640  office2-1  employee  10.23.100.253  AP5030DN  nor    0    2H:30M:1S   -
1   60de-4474-9660  office2-2  employee  10.23.100.251  AP5030DN  nor    0    2H:35M:2S   -
2   60de-4476-e360  lobby-1    guest     10.23.100.254  AP5030DN  nor    0    2H:29M:29S  -
3   60de-4476-e380  lobby-2    guest     10.23.100.252  AP5030DN  nor    0    2H:34M:11S  -
------------------------------------------------------------------------------------------------
Total: 4
In this example, the security policy is set to WPA2+PSK+AES and passwords to a1234567 and b1234567,
respectively. In actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit
# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode direct-forward
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool1
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode direct-forward
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool2
[AC-wlan-vap-prof-employee] security-profile employee
# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Connect STAs to the WLANs with SSIDs guest and employee and enter the passwords
a1234567 and b1234567 respectively. Run the display station ssid guest and display station
ssid employee commands on the AC. The command output shows that the STAs are
connected to the WLANs guest and employee.
[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
581f-28fc-7ead  0      lobby-1  0/1      2.4G  11n   2/4    -53   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name    Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  2      office2-1  1/1      5G    11n   26/51  -61   102   10.23.103.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 103 to 104
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 103 to 104
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.45.200.1
#
ip pool sta1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
ip pool sta3
gateway-list 10.23.103.1
network 10.23.103.0 mask 255.255.255.0
#
ip pool sta4
gateway-list 10.23.104.1
network 10.23.104.0 mask 255.255.255.0
#
interface Vlanif201
ip address 10.67.201.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
ip route-static 10.23.103.0 255.255.255.0 10.67.201.2
ip route-static 10.23.104.0 255.255.255.0 10.67.201.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 101 to 104 200
#
vlan pool sta-pool1
vlan 101 to 102
vlan pool sta-pool2
vlan 103 to 104
#
interface Vlanif200
ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 104 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name guest
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name employee
security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
service-vlan vlan-pool sta-pool1
ssid-profile guest
security-profile guest
vap-profile name employee
service-vlan vlan-pool sta-pool2
ssid-profile employee
security-profile employee
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name lobby-1
ap-group guest
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4476-e380 ap-sn 210235419610D2000066
ap-name lobby-2
ap-group guest
ap-id 2 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075
ap-name office2-1
ap-group employee
ap-id 3 type-id 35 ap-mac 60de-4474-9660 ap-sn 210235419610D2000097
ap-name office2-2
ap-group employee
#
return
Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 5-43,
AP1 and AP2 are directly connected to the switch, service data is directly forwarded in AC
bypass deployment mode, and the switch connects to the Internet through the egress route.
The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.
[Figure 5-43: networking diagram showing the Intranet, Switch, AC, AP1 and AP2; interface labels GE0/0/1, GE0/0/2, GE0/0/3 and GE1/0/1]
Configuration Roadmap
1. Configure basic WLAN services.
2. Configure seamless channel switching to improve WLAN service reliability so that
services are not interrupted even when APs change their working channels.
Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
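Added example (not part of the Huawei guide): a Python check that reads a switch configuration file in the format used on this page and flags AP-facing trunks that lack port-isolate enable, as the port-isolation note above advises, or that do not carry a direct-forwarding service VLAN. The sample configuration is constructed, and treating a trunk whose PVID equals the management VLAN as AP-facing is an assumption taken from this page's examples.

```python
# Constructed sample in the format of the switch configuration files on this page.
# Management VLAN 100 and service VLAN 101 follow the page's example; the gaps on
# GigabitEthernet0/0/2 are hypothetical and were introduced for the demonstration.
SAMPLE_SWITCH_CONFIG = """\
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def expand_vlans(tokens):
    """Expand an allow-pass argument list: ['100', '103', 'to', '104'] -> {100, 103, 104}."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        low = high = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high = int(tokens[i + 2])
            i += 2
        vlans.update(range(low, high + 1))
        i += 1
    return vlans


def parse_interfaces(config_text):
    """Collect link type, PVID, allowed VLANs and isolation state per interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None                      # '#' closes the current stanza
        elif words[0] == "interface" and len(words) == 2:
            current = interfaces.setdefault(
                words[1], {"link_type": None, "pvid": None, "allowed": set(), "isolated": False})
        elif current is None:
            continue
        elif words[:2] == ["port", "link-type"]:
            current["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
            current["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allowed"] |= expand_vlans(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            current["isolated"] = True
    return interfaces


def audit_ap_ports(config_text, mgmt_vlan, service_vlans):
    """Return (interface, finding) pairs for trunks whose PVID is the management VLAN.

    Pass the service VLANs only for direct forwarding; pass an empty set for tunnel
    forwarding, where service traffic does not need to be allowed on the AP-facing port.
    """
    findings = []
    for name, port in parse_interfaces(config_text).items():
        # Assumption: an AP-facing port is a trunk whose PVID is the management VLAN.
        if port["link_type"] != "trunk" or port["pvid"] != mgmt_vlan:
            continue
        if not port["isolated"]:
            findings.append((name, "AP-facing trunk without port-isolate enable"))
        missing = sorted(set(service_vlans) - port["allowed"])
        if missing:
            findings.append((name, f"service VLAN(s) {missing} not in allow-pass list"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_ap_ports(SAMPLE_SWITCH_CONFIG, 100, {101}):
        print(f"{interface}: {finding}")
```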
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to AP1 and GE0/0/2 that connects the switch
to AP2 to trunk and PVID of the interfaces to 100, and configure the interfaces to allow
packets of VLAN100 and VLAN101 to pass. Set the link type of GE0/0/3 on the switch to
trunk, and configure the interface to allow packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit
# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add AP1 and AP2 to the AP group ap-group1. In this
example, the MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500,
respectively. Configure names for the APs based on the APs' deployment locations, so that
you can know where the APs are located. For example, if AP1 with MAC address
60de-4476-e360 is deployed in area 1, name AP1 area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP         Type         State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.1.1.253 AP6010DN-AGN nor   0   10S    -
1    dcd2-fc04-b500 area_2 ap-group1 10.1.1.254 AP6010DN-AGN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the 2G radio profile wlan-radio2g and the 5G radio profile wlan-radio5g, and
configure the seamless channel switching function.
NOTE
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] undo channel-switch announcement disable
[AC-wlan-radio-2g-prof-wlan-radio2g] channel-switch mode continue-transmitting
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] undo channel-switch announcement disable
[AC-wlan-radio-5g-prof-wlan-radio5g] channel-switch mode continue-transmitting
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the 2G radio profile, 5G radio profile and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode direct-forward
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
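Added example (not part of the Huawei guide): a Python resolver that follows the profile references in the wlan section of an AC configuration file, from AP group and radio through the VAP profile to its SSID and security profiles, and reports bindings that point at undefined profiles, VAP profiles with no security profile bound, and tunnel forwarding where the service VLAN equals the management VLAN. The sample file is constructed; taking the management VLAN from the capwap source interface line is an assumption based on this page's examples.

```python
import re

# Constructed sample modelled on the AC configuration files on this page. The
# ciphertext is a placeholder; profile wlan-open, AP group lobby and the reference
# to wlan-guest are hypothetical and exist only to trigger findings.
SAMPLE_AC_CONFIG = """\
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#PLACEHOLDER-CIPHERTEXT%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name wlan-open
  forward-mode direct-forward
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-open wlan 1
 ap-group name lobby
  radio 0
   vap-profile wlan-guest wlan 1
#
"""

TRACKED = ("security-profile", "ssid-profile", "vap-profile")

def parse_wlan(config_text):
    """Return (management VLAN, profile definitions, AP-group VAP bindings)."""
    mgmt_vlan = group = radio = current = None
    profiles, bindings = {kind: {} for kind in TRACKED}, []
    for raw in config_text.splitlines():
        words = raw.split()             # indentation is ignored on purpose
        if not words or words[0] in ("#", "ap-id"):
            group = radio = current = None      # stanza end, or per-AP stanza (not audited)
            continue
        source = re.fullmatch(r"capwap source interface vlanif(\d+)", " ".join(words), re.I)
        if source:
            # Assumption: the CAPWAP source VLANIF identifies the management VLAN.
            mgmt_vlan = int(source.group(1))
        elif len(words) == 3 and words[1] == "name":
            # "<kind> name <x>" opens a definition; "<kind> <x>" is a reference.
            group = radio = current = None
            if words[0] in TRACKED:
                current = profiles[words[0]].setdefault(words[2], {})
            elif words[0] == "ap-group":
                group = words[2]
        elif group and words[0] == "radio" and len(words) == 2:
            radio = int(words[1])
        elif group and radio is not None and words[0] == "vap-profile" and len(words) == 4:
            bindings.append((group, radio, words[1], int(words[3])))
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1:3]      # keeps the policy, drops the pass-phrase
    return mgmt_vlan, profiles, bindings

def resolve(config_text):
    """One row per (AP group, radio, WLAN ID) with its effective settings and findings."""
    mgmt_vlan, profiles, bindings = parse_wlan(config_text)
    rows = []
    for group, radio, vap_name, wlan_id in bindings:
        row = {"where": f"{group} radio {radio} wlan {wlan_id}", "vap": vap_name, "findings": []}
        rows.append(row)
        vap = profiles["vap-profile"].get(vap_name)
        if vap is None:
            row["findings"].append("vap-profile is not defined")
            continue
        for kind in ("ssid-profile", "security-profile"):
            ref = vap.get(kind, [None])[0]
            target = profiles[kind].get(ref)
            if ref is None:
                row["findings"].append(f"no {kind} bound")
            elif target is None:
                row["findings"].append(f"{kind} {ref} is not defined")
            elif kind == "ssid-profile":
                row["ssid"] = target.get("ssid", [None])[0]
            else:
                row["policy"] = " ".join(target.get("security", []))
        row["forward-mode"] = vap.get("forward-mode", [None])[0]
        svc = vap.get("service-vlan", [])
        row["service-vlan"] = " ".join(svc)
        same = len(svc) == 2 and svc[0] == "vlan-id" and int(svc[1]) == mgmt_vlan
        if row["forward-mode"] == "tunnel" and same:
            row["findings"].append(
                f"tunnel forwarding with service VLAN {svc[1]} equal to management VLAN")
    return rows

if __name__ == "__main__":
    print(*resolve(SAMPLE_AC_CONFIG), sep="\n")
```

Because the parser keys on the name keyword rather than on indentation, it gives the same result on a configuration file whose leading spaces were lost in copying.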
Networking Requirements
A school plans to deploy a WLAN to cover its dormitory building. However, the dormitory
building has a high density of rooms, and WLAN signals are likely to attenuate severely when
passing through obstacles between rooms, such as walls.
As shown in Figure 5-44, the AC connects to a central AP through the switch, and the central
AP connects to and supplies PoE power for remote units (RUs). All RUs (one for each room)
and the central AP are uniformly managed by the AC to provide a high-quality WLAN.
[Figure 5-44: networking diagram showing the Intranet, AC, Switch, central AP, and STAs in dormitory room 1 and dormitory room 2; interface labels GE0/0/1, GE0/0/2 and GE0/0/25]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the central AP, RUs, Switch, AC, and upper-layer devices to communicate at
Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the central AP, RUs, and
STAs.
3. Configure the central AP and RUs to go online.
a. Create an AP group and add the central AP and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface.
c. Configure the AP authentication mode and import the central AP and RUs offline
so that they can go online normally.
4. Configure WLAN service parameters for STAs to access the WLAN.
Item                                          Data
DHCP server                                   The AC works as a DHCP server to assign IP addresses to the central AP, RUs, and STAs.
IP address pool for the central AP and RUs    10.23.100.2-10.23.100.254/24
IP address pool for the STAs                  10.23.101.2-10.23.101.254/24
Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the AC and switch so that CAPWAP packets can be transmitted to the central AP
and RUs.
# Add GE0/0/1 that connects Switch to the AP to management VLAN 100 and add GE0/0/2
that connects Switch to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 4 Configure the AC as a DHCP server to assign IP addresses to the central AP, RUs, and STAs.
# Configure the AC as a DHCP server to allocate IP addresses to the central AP and RUs
from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to the AP
group ap-group1. Assume that the central AP has the MAC address 68a8-2845-62fd and is
named central_AP, and two RUs have the MAC addresses fcb6-9897-c520 and
fcb6-9897-ca40, and are named rru_1 and rru_2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
# After the central AP and RUs are powered on, run the display ap all command to check
their states. If the State field displays nor, the central AP and RUs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID   MAC            Name       Group     IP            Type        State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------------
0    68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor   0   2M:25S -
1    fcb6-9897-c520 rru_1      ap-group1 10.23.100.253 R240D       nor   0   3M:5S  -
2    fcb6-9897-ca40 rru_2      ap-group1 10.23.100.252 R240D       nor   0   3M:14S -
----------------------------------------------------------------------------------------------------------
Total: 3
# Create the security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------
-------
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 6-2 Products and minimum version supporting the WLAN service
Series    Product Model    Minimum Version Required
You are advised to configure AP online parameters for a large number of APs in the AP
provisioning view or for a single AP in the AP view. In this case, configure AP online
parameters in the AP provisioning view.
Context
By default, no online parameter is configured in the AP provisioning view; that is, APs keep
their default online parameter configurations. You can run the display provision-ap
parameter-list command to view the online parameter configurations in the AP provisioning
view.
• After configurations are delivered to APs using the commit { ap-name ap-name |
ap-mac ap-mac-address | ap-id ap-id | ap-group ap-group-name | all } command, the
parameters displayed as - in the command output retain the default settings,
and the other parameters use the configured values.
Procedure
Step 1 Run system-view
NOTE
Step 6 Run the address-mode { dhcp | static } command to configure the method used by an AP to
obtain an IPv4 address.
Step 7 (Optional) Run the ip-address ip-address { mask-length | mask } [ gateway gateway ]
command to configure a static IPv4 address and gateway for an AP.
By default, no static IPv4 address and gateway are configured for an AP.
NOTE
Step 8 Run the ac-list ipv4-address &<1-4> command to configure an AC IPv4 address list for an
AP.
----End
Context
Configurations in the AP provisioning view are not automatically delivered to APs. You have
to manually deliver them to APs.
After the configuration is committed, the AP receives the configuration and compares the
configuration with its local configuration.
l If they are consistent, the AP does not process the received configuration.
l If they are different, the AP saves the committed configuration and automatically
restarts, and the received configuration takes effect.
NOTE
If the name or static IP address of an AP is specified in the AP provisioning view, the configuration can be
delivered only to that AP, by specifying its AP name or MAC address; it cannot be delivered to APs in a
specified AP group.
If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive
the configurations. In this case, you are advised to commit the configurations again.
Procedure
Step 1 Run system-view
Step 4 Run commit { ap-name ap-name | ap-mac ap-mac-address | ap-id ap-id |
ap-group ap-group-name | all }
----End
Context
Before re-configuring online parameters of APs in the AP provisioning view, clear existing
configurations. The cleared configurations cannot be restored. Exercise caution when you run
the following command.
Procedure
Step 1 Run system-view
----End
Context
By default, no online parameters are configured on APs in the AP view. If AP online
parameters are configured in the AP view, run the display ap provision command to display
the configurations.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
The AP view is displayed.
Step 4 Run ap-name ap-new-name
A name is configured for an AP.
By default, no AP name is configured for an AP.
NOTE
By default, no static IPv4 address and gateway are configured for an AP.
NOTE
----End
Context
When an AP name conflicts with another AP name or you need to change an AP name to a
more suitable name, you can modify the AP name.
You can also modify AP names in the AP provisioning view. For details, see 6.2.1
Configuring AP Online Parameters.
Procedure
Step 1 Run system-view
Step 3 Run ap-rename { ap-name name | ap-mac ap-mac-address | ap-id ap-id } new-name
ap-new-name
NOTE
----End
Context
If the current AP group is not applicable to an AP or the AP is added to an incorrect AP
group, you can modify configurations to add the AP to a new AP group.
NOTICE
Modifying the AP group results in AP restart and service interruption. Exercise caution when
performing this operation.
You can also modify AP groups in the AP provisioning view. For details, see 6.2.1
Configuring AP Online Parameters.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-regroup { ap-name ap-name | ap-id ap-id } new-group new-group-name
An AP is added to a new AP group.
NOTE
The AP group to which an AP is added must have been created using the ap-group name group-name
command.
----End
Procedure
• Configure the default domain name suffix for an AP in the AP view.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
----End
Context
To upgrade the functions or versions of an existing WLAN, perform an in-service upgrade on
APs on the WLAN.
In an in-service upgrade, an AP is already online. If the AP finds that its version is different
from the version of the AP upgrade file specified on the AC, the AP starts to upgrade its
version.
In an in-service upgrade, APs can be upgraded in three modes: single AP upgrade, upgrade
based on the AP type, and upgrade based on the AP group.
• Upgrade of a single AP: allows you to upgrade a single AP to check whether the upgrade
version can function properly. If the upgrade is successful, upgrade other APs in batches.
• AP upgrade based on the AP type: allows you to upgrade APs of the same type.
• AP upgrade based on the AP group: allows you to upgrade APs in the same AP group.
NOTE
• In an in-service upgrade, if APs fail to load the upgrade file and are reset, APs are upgraded
automatically.
• Upgrading multiple APs in AC mode takes a long period of time. To reduce the service interruption
time, you are advised to use the FTP or SFTP mode.
Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.
Procedure
Step 1 Run system-view
An external FTP server can be used, which is recommended. The AC can also function as the FTP
server.
– When an external FTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If the configured number of APs to be upgraded simultaneously is larger than five, an error
message will be displayed after the first five APs are upgraded. The remaining APs cannot
be automatically upgraded. You have to repeat the command until all APs are upgraded.
When the AC functions as an FTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
• SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
The default upgrade mode is ac-mode.
An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
server.
– When an external SFTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If max-connect-number is set larger than 5, an error message will be displayed after the first
five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
repeat the command until all APs are upgraded.
When the AC functions as an SFTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
----End
Context
You can configure a scheduled AP upgrade task to upgrade APs in a specified time period,
such as off-peak hours.
Similar to in-service upgrades, scheduled upgrades do not affect services. APs can properly
work during the upgrade file download. Different from in-service upgrades, scheduled
upgrade tasks can be pre-configured so that APs are upgraded at the specified time, without
the need to manually configure commands.
Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
• AC mode
Run ap update mode ac-mode
The AP upgrade mode is set to AC mode.
The default upgrade mode is ac-mode.
• FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
The default upgrade mode is ac-mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username
ftp-username ftp-password cipher ftp-password
Basic FTP information is configured.
By default, no FTP server IP address is configured, the FTP server user name is
anonymous, and the FTP server password is anonymous@huawei.com.
An external FTP server can be used, which is recommended. The AC can also function as the FTP
server.
– When an external FTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If the configured number of APs to be upgraded simultaneously is larger than five, an error
message will be displayed after the first five APs are upgraded. The remaining APs cannot
be automatically upgraded. You have to repeat the command until all APs are upgraded.
When the AC functions as an FTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
• SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
The default upgrade mode is ac-mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username
sftp-username sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, no SFTP server IP address is configured, the SFTP server user name is
anonymous, and the SFTP server password is anonymous@huawei.com.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.
NOTE
An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
server.
– When an external SFTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If max-connect-number is set larger than 5, an error message will be displayed after the first
five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
repeat the command until all APs are upgraded.
When the AC functions as an SFTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
NOTE
• For scheduled AP upgrade tasks with the same start time, the task with a smaller task-id task-id is
executed first.
• During the scheduled AP upgrade, if the time for task B is reached before task A is completed, task B
waits until task A is completed. Subsequent scheduled AP upgrade tasks wait in sequence until the
previous task is completed.
• When the time specified by stop-time stop-time stop-date is reached, ongoing upgrade tasks continue
until the upgrade is completed, and the tasks waiting in queues stop.
• After APs in a scheduled upgrade task are all upgraded, the APs automatically restart. The APs that fail
the upgrade do not restart.
• After a scheduled AP upgrade task is configured, if the AP group or all APs are deleted, the task fails to
be executed, which is not recorded as upgrade failure information.
• If an AP is performing the automatic upgrade when you configure a scheduled AP upgrade task, the
upgrade continues until the upgrade is completed. APs that have not started the automatic upgrade will
not execute the automatic upgrade.
----End
Context
The working mode of an AP is configured on the AC and delivered to the AP. After a restart,
the AP switches to the configured working mode.
However, an AP cannot change its working mode through scheduled upgrade.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
• AC mode
Run ap update mode ac-mode
The AP upgrade mode is set to AC mode.
The default upgrade mode is ac-mode.
• FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
The default upgrade mode is ac-mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username
ftp-username ftp-password cipher ftp-password
Basic FTP information is configured.
By default, no FTP server IP address is configured, the FTP server user name is
anonymous, and the FTP server password is anonymous@huawei.com.
c. Run ap update ftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.
NOTE
An external FTP server can be used, which is recommended. The AC can also function as the FTP
server.
– When an external FTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If the configured number of APs to be upgraded simultaneously is larger than five, an error
message will be displayed after the first five APs are upgraded. The remaining APs cannot
be automatically upgraded. You have to repeat the command until all APs are upgraded.
When the AC functions as an FTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
• SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
The default upgrade mode is ac-mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username
sftp-username sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, no SFTP server IP address is configured, the SFTP server user name is
anonymous, and the SFTP server password is anonymous@huawei.com.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.
NOTE
An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
server.
– When an external SFTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
– If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be
upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If max-connect-number is set larger than 5, an error message will be displayed after the first
five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
repeat the command until all APs are upgraded.
When the AC functions as an SFTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
----End
6.4.7 Resetting an AP
Context
If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap
all command and check the State field to determine whether an AP is working properly. If
the State field displays name-conflicted, ver-mismatch, config, config-failed, committing,
or commit-failed, the AP is not working properly.
NOTICE
Exercise caution when resetting an AP because services on the AP will be interrupted.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group |
ap-type { type type-name | type-id type-id } }
APs are reset.
----End
Context
You can delete the current and historical user configurations and restore the factory settings of
APs.
When the configuration on an AP is incorrect or deleted, you can restore the factory settings
of the AP.
NOTICE
Restoring the factory settings of an AP will reset the AP and restore all the AP configurations
to factory settings.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap manufacturer-config { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
The factory settings of the specified AP are restored.
----End
6.4.9 Deleting an AP
Context
To disconnect an AP from the current AC or enable an AP to go online on another AC, you
can delete the AP from the current AC.
NOTICE
Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution when
you delete an AP.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group group-name |
all }
An AP is deleted.
----End
Context
You can enable an AC to report information about STA traffic statistics and online duration on
APs to the eSight. After the function is enabled, the AC collects and reports the information to
the eSight when STAs get offline or roam within the AC, which facilitates data query on the
eSight.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run report-sta-info enable
An AC is enabled to report information about STA traffic statistics and online duration on
APs.
By default, an AC is disabled from reporting information about STA traffic statistics and
online duration on APs.
----End
Context
The longitude and latitude of an AP enable you to quickly view the AP location.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-id ap-id, or ap-mac ap-mac, or ap-name ap-name
The AP view is displayed.
Step 4 Run coordinate longitude { e | w } longitude-value latitude { s | n } latitude-value
The longitude and latitude of the AP are set.
----End
Procedure
• Run the display ap { all | ap-group ap-group } command to check AP information.
• Run the display ap update configuration command to check the AP upgrade
configuration.
• Run the display ap update status { all | downloading | failed | succeed | ap-name
ap-name | ap-id ap-id } command to check the AP upgrade progress.
• Run the display ap update schedule-task command to view information about
scheduled AP upgrade tasks.
• Run the display ap-type { all | id type-id | type ap-type } command to check
information about AP types.
• Run the display ap version { all | { ap-group ap-group-name | version-name
version-name } * } command to check information about AP versions.
• Run the display ap coordinate { all | ap-group ap-group-name } command to check
longitudes and latitudes of APs.
----End
Context
You can log in to an AP through the console port, STelnet, SFTP, or Telnet in wired mode.
When an AP does not need to be logged in, the login modes are disabled to ensure AP
security, preventing unauthorized users from using these modes to log in. To log in to the AP,
enable one or more login modes.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
By default, the user name is admin and password is admin@huawei.com.
Step 4 (Optional) Configure AP login password policies.
1. Run the ap password policy command to enable the password policy function and enter
the AP password policy view.
By default, the AP login password policy function is disabled.
2. Run the password expire days command to set the password expiration time.
By default, the password validity period is 90 days.
3. Run the password alert before-expire days command to set the password expiration
prompt days.
By default, the number of password expiration prompt days is 30 days.
4. Run the password alert original command to enable the device to prompt users to
change initial passwords.
By default, a maximum of five historical passwords are recorded for each user.
6. Run the quit command to return to the WLAN view.
----End
Context
In addition to logging in through a wired interface, you can log in to an AP through Telnet
over WLANs. Currently, only the Telnet login mode is supported in wireless mode. To log in
to an AP through Telnet in wireless mode, set the VAP type to management AP, change the
STA's IP address to 169.254.2.x/24 (any address except 169.254.2.1; 169.254.2.100 is
recommended), and telnet to the IP address of the AP.
NOTE
• If the type of a VAP is set to service, STAs connected to the VAP can only access network resources but
not APs. Service VAPs are used in regular WLAN deployment scenarios.
• If the type of a VAP is set to ap-management, STAs connected to the VAP can only access APs but not
network resources. AP management VAPs are used in STA access and AP management scenarios.
• If the type of a VAP is set to service-backup ap-offline, STAs can access the network through the
backup service VAP after the AP goes offline. For example, on a headquarters-branch network, when
APs at branches connect to the AC at the headquarters through a WAN, APs may go offline due to the
WAN instability. You can configure a backup service VAP to allow new STAs to access the network if
the AP goes offline.
• If the type of a VAP is set to service-backup auth-server-down, the VAP is automatically enabled to
allow network access of associated STAs when the authentication server is not accessible. When the
authentication server recovers, this VAP is not automatically disabled. You can manually disable it if
needed. If the authentication server is accessible but rejects user access, this VAP is not automatically
enabled. You can manually enable it if needed. To enable or disable this VAP, run the
vap-service-backup auth-server-down command.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
By default, the user name is admin and password is admin@huawei.com.
Step 4 (Optional) Configure AP login password policies.
1. Run the ap password policy command to enable the password policy function and enter
the AP password policy view.
NOTE
The VAP profile in which the VAP type is set to management AP can only be applied to one radio of an AP.
----End
Context
• APs are often installed in hidden places or at high positions. When an AP becomes
faulty, it is inconvenient to connect to the AP through a console port or network cable to
troubleshoot faults.
After the offline management VAP function is configured, if an AP goes offline
unexpectedly, maintenance personnel only need to set the IP address of a STA to
169.254.2.x/24 (any address except 169.254.2.1; 169.254.2.100 is recommended). After the
STA associates with the offline management VAP, maintenance personnel can connect the
STA to the AP in Telnet or STelnet mode to locate and rectify faults, removing the need to
connect to the AP through the console port or a network cable.
• During WDS/Mesh network deployment, you can configure antenna alignment VAPs for
WDS/Mesh nodes to facilitate antenna alignment between neighboring APs. During
onsite commissioning, you can use a mobile STA to access an antenna alignment VAP
and enable the WiFi Go app to obtain information such as RSSI of the peer AP radio.
Based on this information, you can easily complete antenna alignment. The SSID of the
generated antenna alignment VAP is hidden and will be automatically deleted 24 hours
after being created.
After the offline management VAP and antenna alignment VAP functions are configured, the
VAP generated when an AP goes offline is an offline management VAP. When the AP works
properly, the VAP generated in WDS/Mesh scenarios is an antenna alignment VAP.
Configure an offline management VAP and an antenna alignment VAP using either of the
following methods:
• Configure the default offline management VAP and antenna alignment VAP: After the
offline management VAP and antenna alignment VAP functions are enabled, the AP
automatically creates an offline management VAP when it goes offline unexpectedly.
When the AP works properly, the AP automatically creates an antenna alignment VAP in
WDS/Mesh scenarios. The default SSID and password of the antenna alignment VAP are
hw_manage_xxxx and hw_manage respectively. xxxx indicates the last four bits of the
AP's MAC address. For security purposes, you are advised to change the password of the
default SSID (hw_manage_xxxx) of the offline management VAP and antenna
alignment VAP.
• Create a new offline management VAP and a new antenna alignment VAP: Any
wireless user can use the default SSID and password to log in to an AP, which leads to high
security risks. To improve security of the offline management VAP and antenna
alignment VAP, bind a security profile of a high security level to a VAP profile, set new
SSIDs and passwords, and configure the VAPs generated in the VAP profile as the
offline management VAP and antenna alignment VAP. In this case, the default offline
management VAP and antenna alignment VAP will not be created.
The procedure for configuring an offline management VAP is the same as that for configuring
an antenna alignment VAP.
Procedure
l Configure the default offline management VAP and antenna alignment VAP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the AP system profile view.
By default, offline management VAP and antenna alignment VAP functions are
enabled.
e. (Optional) Run the temporary-management psk command to change the password
for the default SSID (hw_manage_xxxx) of the offline management VAP and
antenna alignment VAP.
The offline management VAP and antenna alignment VAP support only the WEP or WPA/
WPA2 PSK authentication mode. You can run the security wep share-key and wep key
key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value commands to
configure WEP authentication.
iii. Run the quit command to return to the WLAN view.
d. Configure an SSID profile.
i. Run the ssid-profile name profile-name command to create an SSID profile
and enter the SSID profile view.
By default, the system provides the SSID profile default.
ii. Run the ssid ssid command to configure an SSID name.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
iii. Run the quit command to return to the WLAN view.
e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
i. Run the vap-profile name profile-name command to create a VAP profile and
enter the VAP profile view.
By default, the system provides the VAP profile default.
• VAPs 1 to 12 and VAP 15 are used for the offline management VAP and antenna alignment
VAP configuration. Before using these VAPs, ensure that they are not used by other WLAN
services.
• VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
not used by other WLAN services.
• VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
WLAN services.
– Bind the VAP profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
– Bind the VAP profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
– Bind the VAP profile to radios of an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
----End
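The defaults stated in the AP upgrade, AP login and offline management VAP sections above (upgrade server account anonymous, AP login admin / admin@huawei.com, password policy disabled, management VAP password hw_manage) stay in effect whenever the corresponding command is absent, so a configuration review has to look for missing lines as well as weak ones. The following is an added example, not Huawei code and not part of this guide: it audits a constructed configuration excerpt, and the one-space-per-view layout, the sample values, the `security-profile name` header and the `security wpa2 psk` line are assumptions.

```python
import re
from typing import NamedTuple

# Constructed excerpts in the style of a saved AC configuration. Assumptions:
# one leading space per nested view; cipher strings are placeholders.
WEAK_CONFIG = """\
wlan
 ap update mode ftp-mode
 ap update ftp-server ip-address 192.0.2.10 ftp-username anonymous ftp-password cipher %^%#placeholder%^%#
 security-profile name mgmt-sec
  security wep share-key
 ap-system-profile name branch
 ap-system-profile name hq
  temporary-management psk %^%#placeholder%^%#
"""

HARDENED_CONFIG = """\
wlan
 ap update mode sftp-mode
 ap update sftp-server ip-address 192.0.2.20 sftp-username apupgrade sftp-password cipher %^%#placeholder%^%#
 ap username opsadmin password cipher %^%#placeholder%^%#
 ap password policy
  password expire 90
  password alert before-expire 30
 security-profile name mgmt-sec
  security wpa2 psk pass-phrase %^%#placeholder%^%# aes
 ap-system-profile name branch
  temporary-management psk %^%#placeholder%^%#
"""


class Finding(NamedTuple):
    check: str
    detail: str


def wlan_view(config):
    """Map each command directly under 'wlan' to the commands nested below it."""
    views, in_wlan, current = {}, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:
            in_wlan, current = (line == "wlan"), None
        elif in_wlan and depth == 1:
            current = line
            views.setdefault(line, [])
        elif in_wlan and current is not None:
            views[current].append(line)
    return views


def first_match(pattern, lines, default):
    """Return group 1 of the first line matching pattern, else the default."""
    for line in lines:
        m = re.search(pattern, line)
        if m:
            return m.group(1)
    return default


def audit(config):
    """Flag weak settings and defaults left in place because a command is absent."""
    views = wlan_view(config)
    top = list(views)
    findings = []

    # Upgrade channel: ac-mode is the default when no mode line is present.
    mode = first_match(r"^ap update mode (ac|ftp|sftp)-mode$", top, "ac")
    if mode == "ftp":
        findings.append(Finding("upgrade-cleartext",
                                "ftp-mode sends image and account in cleartext; use sftp-mode"))
    if mode in ("ftp", "sftp"):
        user = first_match(rf"^ap update {mode}-server .*\b{mode}-username (\S+)",
                           top, "anonymous")
        if user == "anonymous":
            findings.append(Finding("upgrade-default-account",
                                    f"{mode} server still uses the anonymous account"))

    # AP login: without 'ap username', the default admin account stays valid.
    if not any(line.startswith("ap username ") for line in top):
        findings.append(Finding("ap-login-default",
                                "no 'ap username' line: default AP login is unchanged"))
    if "ap password policy" not in views:
        findings.append(Finding("ap-password-policy-off",
                                "AP login password policy is disabled by default"))

    for header, body in views.items():
        if header.startswith("ap-system-profile name ") and not any(
                b.startswith("temporary-management psk") for b in body):
            findings.append(Finding("mgmt-vap-default-psk",
                                    f"{header.split()[-1]}: hw_manage_xxxx keeps its default password"))
        if any(b.startswith("security wep") for b in body):
            findings.append(Finding("wep", f"{header}: WEP configured; prefer WPA/WPA2 PSK"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [f.check for f in audit(cfg)])
```

The `mgmt-vap-default-psk` check assumes the profile still uses the default offline management VAP; a profile that replaces it with a custom VAP profile needs a manual look instead.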
Context
Different states of AP indicators reflect different meanings, thereby facilitating installation
and management. Configuring meanings reflected by blinking of the Wireless indicator on
APs helps installation personnel to know the current signal strength or traffic status in real
time. However, blinking indicators of indoor APs deployed in hospitals and hotels may affect
people's nighttime rest. Therefore, you can turn off AP indicators after APs are installed and
run properly.
Procedure
Step 1 Run system-view
AP indicators are configured to turn off or turn off during the specified time range.
By default, the system provides the 2G radio profile default and 5G radio profile default.
By default,
• If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
• If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
• If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
On a WDS network, you need to adjust AP locations and antenna directions to obtain strong
signals between WDS-capable APs. The blinking frequency of the Wireless LED shows the
signal strength.
NOTE
This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Only APs having Wireless LEDs support this command.
----End
Context
When users need to save or transfer files using the USB interface provided on some APs, the
USB function can be enabled using the usb enable command. When the USB function is
enabled, the power consumption of the AP will increase, which may affect other functions.
You are advised to run the undo usb enable command to disable the USB function after using
it.
Procedure
Step 1 Run system-view
The system view is displayed.
The USB function is supported only by the R250D-E, R251D-E, AP2051DN, AP2051DN-E, AP2050DN,
AP2050DN-E, AP4050DN-E, AP4051DN, AP4151DN, AP6052DN, AP7052DN, AP7152DN, AP7052DE,
AP6050DN, AP6150DN, AP7050DE, and AP7050DN-E.
The affected AP functions are restored after the USB function is disabled.
----End
Context
In scenarios where indoor and outdoor boundaries are unclear, such as subway and train
platforms, it is recommended that outdoor APs be deployed. When a large volume of data is
transmitted, outdoor APs in outdoor channel mode do not have sufficient channels to meet data
transmission requirements. In this case, you can run the channel-load-mode indoor
command to set the channel mode of the APs to indoor mode, so that data can be transmitted
on more channels.
NOTE
This function is supported only by the AP8030DN, AP8130DN, AP8050DN, AP8050DN-S, AP8150DN,
AP8130DN-W, AP8050TN-HD, AP8082DN, and AP8182DN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created, and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run channel-load-mode indoor
The AP channel mode is set to indoor mode.
The default channel mode of an AP is outdoor mode.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
l Binding the regulatory domain profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
By default, the regulatory domain profile default is bound to an AP group.
l Binding the regulatory domain profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.
By default, no regulatory domain profile is bound to an AP.
----End
Context
In practice, the PVID of an AP wired interface is usually set to the management VLAN ID.
For details, see 5.5 Configuration Limitations for WLAN. When management packets from
the AP or data packets forwarded in tunnel mode reach the access device through the
CAPWAP tunnel, the access device tags the packets with the PVID.
If the PVID of the access device has been used for other purposes (for example, as the default
VLAN ID of wired users), the PVID cannot be configured as the management VLAN ID on
the access device interface. In this case, configure CAPWAP packets sent from an AP wired
interface to carry the management VLAN tag. The AP then adds the management VLAN ID
to the CAPWAP packets sent to the AC. You only need to configure the access device to
allow the packets carrying the management VLAN ID to pass.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run management-vlan vlan-id
CAPWAP packets sent from the AP wired interface are configured to carry a management
VLAN tag.
By default, CAPWAP packets sent from an AP wired interface do not carry a management
VLAN tag.
NOTE
On a Mesh network, ensure that CAPWAP packets sent from all APs carry the same management VLAN.
Otherwise, MPs cannot go online.
The configuration takes effect only after the AP is restarted.
----End
Context
A large number of broadcast or multicast packets on a device occupy many network
resources, affecting network services. To ensure normal running of network services, you can
limit the rate of broadcast and multicast packets on APs to a proper range.
The following table lists the methods for limiting the rate of broadcast and multicast packets.
Table 6-3 Method for limiting the rate of broadcast and multicast packets
Granularity | Description | Configuration
AP-based | Limit the rate of downlink traffic on the AP's wired interface and CAPWAP tunnel. | 6.8.5 Configuring the Rate Limit for Broadcast and Multicast Packets of APs
STA-based | Limit the rate of uplink traffic on the air interface from STAs. | 11.8.5 Configuring Flood Attack Detection
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run traffic-optimize broadcast-suppression { all | arp | igmp | nd | other } disable
Rate limit for broadcast and multicast packets is enabled.
By default, rate limit for broadcast and multicast packets is enabled on an AP.
Step 5 (Optional) Run traffic-optimize broadcast-suppression { arp | igmp | nd | other } rate-threshold threshold-value
The rate threshold is configured for broadcast and multicast packets on an AP.
The default rate threshold for ARP broadcast packets, ND broadcast packets, IGMP multicast
packets, and other types of broadcast packets is 256 pps.
After you run the traffic-optimize broadcast-suppression rate-threshold command to
configure a rate threshold for broadcast and multicast packets on an AP, the configured
threshold will override the default rate threshold. The actual rate of broadcast and multicast
packets will not exceed the configured rate threshold. If a large rate threshold is set, the
expected network protection effect is not achieved. If a small rate threshold is set, broadcast
and multicast packets may be lost. In most cases, use the default rate threshold unless
otherwise specified.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
----End
Context
You can configure terminal attributes for the VTY user interface, including the timeout
disconnection function and the number of lines on each terminal screen.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run user-interface vty ui-number idle-timeout minutes [ seconds ]
----End
NOTE
l The user interface supports basic ACLs (2000-2999) and advanced ACLs (3000-3999).
l ACL rule:
– When permit is used in the ACL rule:
    – If the ACL is applied in the inbound direction, other devices that match the ACL rule
      can access the local device.
    – If the ACL is applied in the outbound direction, the local device can access other devices
      that match the ACL rule.
– When deny is used in the ACL rule:
    – If the ACL is applied in the inbound direction, other devices that match the ACL rule
      cannot access the local device.
    – If the ACL is applied in the outbound direction, the local device cannot access other
      devices that match the ACL rule.
– When the ACL rule is configured but packets from other devices do not match the rule:
    – If the ACL is applied in the inbound direction, other devices cannot access the local
      device.
    – If the ACL is applied in the outbound direction, the local device cannot access other
      devices.
– When the ACL contains no rule:
    – If the ACL is applied in the inbound direction, any other devices can access the local
      device.
    – If the ACL is applied in the outbound direction, the local device can access any other
      devices.
l For details on how to configure the ACL, see "ACL Configuration" in the S1720, S2700, S5700, and
S6720 V200R012C00 Configuration Guide - Security.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run user-interface vty ui-number acl acl-number { inbound | outbound }
ACL restrictions on VTY login permissions are configured.
By default, login rights are not restricted.
l To restrict users at a specified address or address segment from logging in to the device,
use the inbound parameter.
l To restrict users who have logged in to a device from logging in to other devices, use the
outbound parameter.
Step 5 Run user-interface vty ui-number screen-length screen-length
The number of lines on each terminal screen is set.
----End
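The decision table in the NOTE above, written out as an added Python model (not Huawei code) for checking an ACL before it is applied to the VTY user interface. Rules are simplified to (action, prefix) pairs checked in order with the first match winning; that ordering, the function names, and the sample addresses are assumptions of this example.

```python
from ipaddress import ip_address, ip_network


def vty_allowed(rules, peer):
    """Return True if a VTY session with `peer` is allowed under `rules`.

    For an inbound ACL, `peer` is the remote device logging in; for an outbound
    ACL, it is the device the local user tries to reach. The table is the same.
    Assumption: rules are (action, prefix) pairs and the first match wins.
    """
    if not rules:
        # "When the ACL contains no rule": any device is allowed.
        return True
    addr = ip_address(peer)
    for action, prefix in rules:
        if addr in ip_network(prefix):
            return action == "permit"
    # Rules are configured but none matched: access is refused.
    return False


def audit(acl_number, rules):
    """Return findings that make the ACL ineffective or lock everyone out."""
    findings = []
    if not 2000 <= acl_number <= 3999:
        findings.append("ACL number is outside the supported 2000-3999 range")
    if not rules:
        findings.append("ACL has no rule: login is not restricted")
        return findings
    if all(action == "deny" for action, _ in rules):
        findings.append("only deny rules: unmatched peers are refused too, so nobody can log in")
    for i, (action, prefix) in enumerate(rules):
        if action == "permit" and ip_network(prefix).prefixlen == 0:
            # A permit-all rule with no deny rule ahead of it restricts nothing.
            if not any(a == "deny" for a, _ in rules[:i]):
                findings.append("permit rule covers every address: login is not restricted")
            break
    return findings


# Constructed sample ACLs; the addresses are illustrative only.
MGMT_ONLY = [("permit", "10.1.1.0/24")]
DENY_ONLY = [("deny", "192.168.5.0/24")]
EMPTY = []

if __name__ == "__main__":
    for name, rules in (("MGMT_ONLY", MGMT_ONLY), ("DENY_ONLY", DENY_ONLY), ("EMPTY", EMPTY)):
        for peer in ("10.1.1.7", "192.168.5.9"):
            print(name, peer, "allowed" if vty_allowed(rules, peer) else "refused")
        print(name, "audit:", audit(2001, rules) or "no findings")
```

The DENY_ONLY case is the one that most often surprises: a single deny rule refuses every address, not just the listed one, because unmatched peers are refused as well.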
Context
l You can configure alarm thresholds on an AP to monitor the AP in real time. When the
configured thresholds are exceeded, the AP generates alarms or logs to notify the AC of
AP status.
The default alarm thresholds are recommended.
l If a STA cannot go online because of a security type mismatch, UAC, or because the access
user upper limit is exceeded, the STA automatically reconnects to the AP. During this period,
the AP sends a large number of STA association failure alarms to the AC, which degrades
system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does not report
alarms repeatedly in the alarm suppression period, preventing alarm storms.
Procedure
Step 1 Run system-view
R230D/R240D | 40
AD9431DN-24X/AD9430DN-24 | 71
AP7110SN-GN | 76
AP4050DN-HD | 79
AP6510DN-AGN-US | 81
AP8050DN/AP8050DN-S/AP8150DN/AP9330DN/AP7030DE | 83
AP9131DN/AP9132DN/AP8130DN-W | 84
AP6010SN-GN | 85
AP8030DN/AP6050DN/AP6150DN | 86
AP4030TN/AP5030DN/AP5130DN | 87
AP8130DN/AP7050DE/AP7052DN/AP7152DN/AP6052DN/AP4051TN/AP6510DN-AGN | 88
AP7050DN-E/AP7110DN-AGN | 89
AP8082DN/AP8182DN/AP8050TN-HD/AD9430DN-12 | 91
AP4050DN-E | 92
AP6310SN-GN | 94
AP7052DE/R251D/R251D-E | 95
AP4050DN/AP1050DN-S/R450D | 96
AP6610DN-AGN-US | 100
R250D/R250D-E/AP6010DN-AGN | 102
AP6610DN-AGN | 104
NOTE
R230D/R240D | 0
AD9430DN-24/AD9431DN-24X/R250D/R250D-E/R251D/R251D-E | -3
AP5130DN/AP5030DN/AP6150DN/AP4050DN-HD/AP4050DN-E/AP4030TN/AP4050DN/AP1050DN-S/AP7052DN/AP7152DN/AP7052DE/AP6052DN/AP4051TN/AD9430DN-12/AP6050DN/AP7050DE/AP7050DN-E/R450D/AP6010DN-AGN/AP6010SN-GN/AP6310SN-GN/AP7110SN-GN/AP7110DN-AGN/AP9330DN | -13
AP7030DE | -23
AP8030DN/AP8050DN/AP8150DN/AP8050DN-S/AP8130DN/AP9131DN/AP9132DN/AP8082DN/AP8182DN/AP8050TN-HD/AP8130DN-W/AP6510DN-AGN/AP6510DN-AGN-US/AP6610DN-AGN/AP6610DN-AGN-US | -43
NOTE
2. Run the undo alarm-restriction disable command to enable the alarm suppression
function on an AP.
By default, alarm suppression is enabled for an AP.
Step 9 Run quit
Return to the WLAN view.
Step 10 Bind an AP system profile to an AP group or AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
----End
Context
l Logs record user operations and system running information. After logs are backed up to
a server, network administrators can summarize and analyze AP logs to learn the
operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is configured,
logs generated by an AP are automatically sent to the log server.
l If a STA keeps attempting to connect to an AP because of signal interference or
instability, the AP sends a large number of duplicate login and logout logs to the AC in a
short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a user
to the AC within the log suppression period.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user syslog-restrain period period
The period of system log suppression is configured.
By default, the period of system log suppression is 300s.
Step 6 Run log-record-level { alert | critical | debug | emergency | error | info | notice | warning }
By default, the log server IP address is not configured in an AP system profile and log backup
is disabled on an AP.
----End
Context
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local system
status information to directly connected neighbors and parse LLDP packets received from
neighbors.
To enable an AP to discover neighbors, enable LLDP on the AP and access device to which
the AP directly connects.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap lldp enable
LLDP is enabled in the WLAN view.
By default, LLDP is enabled in the WLAN view.
NOTE
An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the AP
wired port link profile view.
Step 4 (Optional) Configure LLDP in the AP wired port link profile view.
1. Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
2. Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.
NOTE
An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the
AP wired port link profile view.
3. Run the lldp tlv-enable basic-tlv { all | management-address | port-description |
system-capability | system-description | system-name } command to specify the types
of TLVs that can be advertised from an AP's wired port.
By default, an AP wired interface advertises all types of TLVs.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to create an AP wired port
profile and enter the AP wired port profile view.
By default, the system provides the AP wired port profile default.
6. Run the port-link-profile profile-name command to bind the AP wired port link profile
to an AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port profile.
7. Run the quit command to return to the WLAN view.
Step 5 Configure LLDP in the WLAN view.
Step 6 Bind the AP system profile and AP wired port profile to an AP group or AP.
l Binding the AP system profile and AP wired port profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP group.
By default, the AP wired port profile default is bound to an AP group.
l Binding the AP system profile and AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.
----End
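As an added illustration (not part of the Huawei guide), the following Python parser splits an LLDPDU into its TLVs and reports which of the optional basic TLVs selected by lldp tlv-enable basic-tlv a directly connected neighbor would receive from the AP's wired port. The TLV layout follows IEEE 802.1AB; the sample frame, function names, and addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Optional basic TLV types (IEEE 802.1AB) mapped to the basic-tlv keywords.
BASIC_TLVS = {4: "port-description", 5: "system-name", 6: "system-description",
              7: "system-capability", 8: "management-address"}


def tlv(tlv_type, value):
    """Encode one TLV: a 2-byte header holds a 7-bit type and a 9-bit length."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, stopping at the End TLV (type 0)."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        if tlv_type == 0:
            break
        out.append((tlv_type, data[pos:pos + length]))
        pos += length
    return out


def decode(tlv_type, value):
    """Render the value of an optional basic TLV as text."""
    if tlv_type == 7:
        if len(value) != 4:
            raise ValueError("system capabilities TLV must be 4 bytes")
        caps, enabled = struct.unpack("!HH", value)
        return f"capabilities=0x{caps:04x} enabled=0x{enabled:04x}"
    if tlv_type == 8:
        if len(value) < 2:
            raise ValueError("management address TLV too short")
        addr_len, subtype = value[0], value[1]   # addr_len counts the subtype byte
        addr = value[2:1 + addr_len]
        if subtype == 1 and len(addr) == 4:      # subtype 1 = IPv4
            return str(IPv4Address(addr))
        return addr.hex()
    return value.decode("utf-8", "replace")


def advertised_basic_tlvs(data):
    """Map each optional basic TLV present in the LLDPDU to its decoded value."""
    return {BASIC_TLVS[t]: decode(t, v) for t, v in parse_lldpdu(data) if t in BASIC_TLVS}


def sample_lldpdu(optional=True):
    """Build a constructed LLDPDU; all values are made up for this example."""
    pdu = tlv(1, b"\x04" + bytes.fromhex("020000000001"))   # chassis ID, subtype MAC
    pdu += tlv(2, b"\x05" + b"GE0")                         # port ID, subtype interface name
    pdu += tlv(3, struct.pack("!H", 120))                   # TTL in seconds
    if optional:
        pdu += tlv(4, b"uplink to access switch")
        pdu += tlv(5, b"ap-lobby-01")
        pdu += tlv(6, b"constructed AP model, software version x.y")
        pdu += tlv(7, struct.pack("!HH", 0x0008, 0x0008))   # bit 3 = WLAN access point
        mgmt = b"\x05\x01" + IPv4Address("192.0.2.10").packed
        mgmt += b"\x02" + struct.pack("!I", 1) + b"\x00"    # ifIndex 1, no OID
        pdu += tlv(8, mgmt)
    return pdu + tlv(0, b"")


if __name__ == "__main__":
    for keyword, value in advertised_basic_tlvs(sample_lldpdu()).items():
        print(f"{keyword:20} {value}")
```

Anything the parser prints is readable by whatever is plugged into the AP's wired port, which is the reason to review the default of advertising all TLV types on ports that face untrusted devices.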
Context
After the AP discovers a neighbor, the AP sends neighbor information to the AC. The NMS
then obtains the AP's LLDP information from the AC to learn the network topology.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run lldp report enable
The AP is enabled to report information about its LLDP neighbors.
By default, an AP does not report information about its LLDP neighbors.
Step 5 (Optional) Run lldp report-interval interval-time
The interval at which the AP reports neighbor information to an AC is configured.
By default, an AP reports LLDP neighbor information to an AC at an interval of 30 seconds.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
----End
Context
Within each sampling interval, an AP collects desired statistics based on APs, radios, and
STAs (when the AP collects data based on STAs, it collects only data displayed by the
display command). Within each statistics collection interval, the AP computes the average of
sampled values and reports results to the AC. You can view all statistics collected by the AP
on the AC.
Procedure
Step 1 Run system-view
----End
Context
To mitigate impact of link disconnections on users in direct forwarding mode and improve
service reliability, you can configure the function of service holding upon CAPWAP link
disconnection. To allow new users to access APs after CAPWAP link disconnection, you can
configure the function of user access upon CAPWAP link disconnection. After the
disconnected CAPWAP link is restored, the AP forces all the STAs that went online during
CAPWAP link disconnection to go offline. The AP then reassociates with these STAs and
reports STA information through logs. For Portal or MAC address authentication STAs, after
the broken CAPWAP link is restored, the AP forces all these STAs to go offline and reports
STA information through logs.
NOTE
l Service holding upon CAPWAP link disconnection is only applicable to the direct forwarding mode.
l User access upon CAPWAP link disconnection can be configured only when direct forwarding is used
and open system, Portal, MAC address, WEP, or WPA/WPA2-PSK authentication is used.
l WDS networks do not support service holding and user access upon CAPWAP link disconnection.
l The offline management VAP function and service holding upon CAPWAP link disconnection are
mutually exclusive. When the two functions are configured at the same time, the offline management
VAP function cannot take effect.
l When rogue device containment and service holding upon CAPWAP link disconnection are both
configured, service holding upon CAPWAP link disconnection does not take effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run keep-service enable
Service holding upon CAPWAP link disconnection is enabled. After that, the AP can still
provide data services when the CAPWAP link is disconnected.
By default, all services on the AP are interrupted after the CAPWAP link between the AP and
AC is disconnected.
Step 5 Run keep-service enable allow new-access [ no-auth ]
User access upon CAPWAP link disconnection is enabled. After that, the AP can still allow
new users to access when the CAPWAP link is disconnected.
By default, APs in fault state do not allow new STAs to access.
----End
Context
This task is to configure an AP to directly respond to association requests of STAs and
configure the MTU of Ethernet port in the AP system profile and the Extensible
Authentication Protocol (EAP) packet conversion function.
Procedure
Step 1 Run system-view
By default, the MTU value of the management VLANIF and CAPWAP on an AP is 1500
bytes.
The size of data packets is limited at the network layer. When a network layer device receives
an IP packet, it determines the outbound interface and obtains the MTU configured on the
interface.
The device then compares the MTU with the IP packet length. If the IP packet is longer
than the MTU, the device fragments the IP packet so that no fragment is larger than the
MTU.
NOTE
If the MTU value is smaller than the DHCP packet length, the AP may be disconnected. In this case, restart
the AP.
----End
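The fragmentation rule described above, worked through in an added Python example (not from the Huawei guide). It assumes IPv4 with a 20-byte header and no options; the packet lengths and the low MTU value are constructed samples.

```python
IPV4_HEADER = 20  # bytes; assumption: no IP options


def fragment(total_length, mtu, header_len=IPV4_HEADER):
    """Split an IPv4 packet for the given MTU.

    Returns a list of (fragment_offset, fragment_total_length, more_fragments).
    The offset is in 8-byte units, as carried in the IPv4 header.
    """
    if total_length <= mtu:
        return [(0, total_length, False)]
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    max_payload = (mtu - header_len) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload = total_length - header_len
    fragments, sent = [], 0
    while sent < payload:
        size = min(max_payload, payload - sent)
        more = sent + size < payload
        fragments.append((sent // 8, header_len + size, more))
        sent += size
    return fragments


def fragmented_packets(mtu, packets):
    """Return the names of the sample packets that need more than one fragment."""
    return [name for name, length in packets.items() if len(fragment(length, mtu)) > 1]


# Constructed sample lengths (IP total length in bytes).
SAMPLES = {
    "dhcp-offer": 328,        # 20 IP + 8 UDP + 300 bytes of DHCP message
    "full-size-data": 1500,   # a packet that exactly fills the default MTU
}

if __name__ == "__main__":
    for mtu in (1500, 1400, 300):
        print(f"MTU {mtu}: fragmented -> {fragmented_packets(mtu, SAMPLES) or 'none'}")
        for name, length in SAMPLES.items():
            print(f"  {name:15} {fragment(length, mtu)}")
```

At the default 1500-byte MTU neither sample is fragmented; once the MTU drops below the DHCP packet length, the DHCP exchange itself is split across fragments, which is the condition the NOTE above warns about.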
Procedure
l Run the display ap-system-profile { all | name profile-name } command to check
configuration and reference information about an AP system profile.
l Run the display references ap-system-profile name profile-name command to check
reference information about an AP system profile.
----End
Context
Managing an AP's wired interface includes configuring AP wired interface parameters and
link layer parameters.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wired-port-profile name profile-name
An AP wired port profile is created, and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
Step 4 Configure parameters for an AP's wired interface. Run the following commands as required.
l Run the eth-trunk trunk-id command to add an AP's wired interface to an Eth-Trunk.
By default, an AP interface is not added to any Eth-Trunk.
To improve the connection reliability and increase the bandwidth, you can run this
command to bind multiple interfaces into an Eth-Trunk.
NOTE
APs that have only one physical uplink network interface do not support this command.
The physical interface to be added to an Eth-Trunk cannot have other configurations. Before adding a
physical interface to an Eth-Trunk, clear all configurations on it except the interface status, descriptions,
LLDP function, and alarm function for CRC errors.
l Run the stp enable command to enable STP on an AP's wired interface.
AC
NOTE
– The STP cost on Huawei switches (including ACs) complies with 802.1t, while the STP cost on
Huawei APs complies with 802.1d. When a Huawei AP is connected to a Huawei switch or an AC
and STP is enabled on the AP, run the stp pathcost-standard dot1d-1998 command in the system
view of the switch or AC to set the correct STP cost. Incorrect STP cost may block the link between
the AP and AC.
l Run the mode { root | endpoint | middle } command to configure a working mode for
an AP's wired interface.
By default,
– On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
– On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
– On an R230D: Its Ethernet interface works in root mode.
– On an R240D: Its Ethernet interface works in endpoint mode and GE interface in
root mode.
– On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E,
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink
GE interfaces in endpoint mode.
– On an R450D: Its GE interface works in root mode.
When working as an uplink interface to connect to an AC, an AP's wired interface must
work in root mode. In root mode, the AP's wired interface automatically joins service
VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS
server).
When working as a downlink interface to connect to a wired terminal, the AP's wired
interface must work in endpoint mode. In endpoint mode, the AP's wired interface does
not join any VLAN by default.
NOTE
The AP's wired interface supports user isolation in endpoint mode, but not in root or middle mode.
l Run the dhcp trust port command to enable a DHCP trusted port on an AP's wired
interface.
By default, the DHCP trusted interface is disabled in the VAP profile view and enabled
on the AP's uplink interface in the AP wired port profile view.
This command takes effect only on the AP's uplink interface.
Before WLAN services are delivered to an AP, run the dhcp trust port command in the
AP wired port profile view. After the command is run, the AP receives the DHCP
OFFER, ACK, and NAK packets sent by the authorized DHCP server and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
NOTE
If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and
network configuration parameters and cannot communicate properly. After the dhcp trust port
command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK
packets sent by the bogus DHCP server and reports to the AC about the IP address of the unauthorized
DHCP server. For details, see 11.8.3 Configuring Defense Against Bogus DHCP Server Attacks.
l Run the learn-client-address enable command to enable terminal address learning on
an AP's wired interface.
By default, the system provides the AP wired port link profile default.
2. Run the crc-alarm enable [ high-threshold high-threshold-value | low-threshold low-threshold-value ]*
command to configure the alarm function for CRC errors on an AP's
wired interface, and set the alarm threshold and clear alarm threshold.
By default, the alarm function for CRC errors is disabled on the AP wired interface. The
alarm threshold for CRC errors is 50 and the clear alarm threshold is 20.
3. Run the shutdown command to disable the AP's wired interface.
If malicious users launch attacks on the network through an AP's wired interface, the
administrator can deliver the shutdown command on the AC to shut down the interface.
The shutdown command takes effect only on AP's wired interfaces working in endpoint
or middle mode but not on those working in root mode.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to enter the AP wired port
profile view.
6. Run the port-link-profile profile-name command to bind the AP wired port link profile
to the AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port profile.
7. Run the quit command to return to the WLAN view.
Step 7 Bind the AP wired port profile to an AP group or AP.
l Bind the AP wired port profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to an AP group.
By default, the AP wired port profile default is bound to an AP group.
l Bind the AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to an AP.
By default, no AP wired port profile is bound to an AP.
----End
Definition
Power over Ethernet (PoE) provides power through the Ethernet. It is also called Power over
LAN (PoL) or active Ethernet.
Purpose
As IP phones, network video monitoring, and wireless Ethernet networks are widely applied,
the need to supply power over the Ethernet has become urgent. In most situations, access
point devices need DC power supply, but they are often installed outdoors or on ceilings
far from the ground, where a suitable power socket is difficult to find. Even if a suitable
power socket is available, the network administrator finds it hard to install the DC
converter required by access point devices. On many large-scale LANs, administrators need
to manage multiple access point devices that require uniform power supply and management.
In this case, power supply management is difficult. The PoE function addresses this problem.
The PoE technology is used on the wired Ethernet and is most widely used on LANs.
The PoE function transmits power together with data to terminals over cables or transmits
power without data over idle lines. This technology provides power on the 2.5GE Base-T,
1000Base-T, 100Base-TX, or 10Base-T Ethernet at a distance of up to 100 m. PoE can be
used to effectively provide centralized power for terminals such as IP phones, Access Points
(APs), chargers of portable devices, POS machines, cameras, and data collection devices.
Terminals are provided with power when they access the network. Therefore, indoor cabling
of power supply is not required.
l Reliable: Multiple PDs are powered by one device, facilitating power backup.
l Easy to deploy: Network terminals can be powered over network cables, without a need
for external power sources.
l Standard: The PoE function complies with IEEE 802.3bt, IEEE 802.3af and 802.3at, and
all PoE devices use uniform power sources.
Benefits
l Saves the costs on the cabling of power supply and facilitates power module installation.
l Works with the Uninterruptible Power Supply (UPS) to provide backup power supply for
IP cameras, video servers, and IP phones, and prevents power-off.
AP7050DN-E | The functions are not restricted when the AP is powered by 90 W 802.3bt. When the AP is powered by 90 W 802.3bt, the functions are not restricted, and the maximum power supported by PoE out is 45 W. When the AP is powered by 60 W 802.3bt, PoE out is not supported. | The USB function and PoE out are not supported. The 2.4 GHz radio supports 2x2 MIMO, and the maximum transmit power of each spatial stream is adjusted to 20 dBm. The 5 GHz radio supports 3x3 MIMO, and the maximum transmit power of each spatial stream is adjusted to 25 dBm.
AP7052DN and AP7152DN | The functions are not restricted. | The USB function is not supported. The radio power is managed in self-adaptive mode. The IoT card power is restricted within 0.5 W. When the AP is powered by 802.3at through an Ethernet port, only this Ethernet port is enabled while other ports are shut down. When two Ethernet ports are used to power the AP, the two ports are both enabled.
AP8082DN and AP8182DN | The functions are not restricted when the PoE_OUT port has no power output. When the PoE_OUT port has power output, the 5GE/PoE_IN port and optical ports that go Up first can work. The radio power is reduced, and the 2.4 GHz and 5 GHz radios work in 3T4R mode. The 3T4R mode indicates that a radio transmits signals through three spatial streams and receives signals through four spatial streams. | PoE out is not supported. The 5GE and optical ports can work only in Up state. The GE/POE_OUT port is shut down. The radio power is reduced. The 2.4G radio works in 2T4R mode. The 2T4R mode indicates that a radio transmits signals through two spatial streams and receives signals through four spatial streams.
The AP9430DN-12 supports only DC power supply through the matching power adapter.
802.3at AP
802.3at APs support IEEE 802.3at and IEEE 802.3af. Table 6-7 compares the function
support by 802.3at APs in different power supply standards.
R250D-E and AP2050DN-E | The USB function and 10 W PoE out are supported. | The USB function is disabled, and PoE out is not supported.
AP8050DN, AP8150DN, AP8030DN, AP8130DN, AP9131DN, and AP9132DN | The functions are not restricted. | All radios are disabled.
AP4030TN | The functions are not restricted. | The USB function and all radios are disabled.
AP4050DN-E | When the AP has no IoT card connected and does not use the USB port, the maximum PoE out power is 7 W. When the AP has an IoT card connected and does not use the USB port, the maximum PoE out power is 5.5 W. When the AP has two or more IoT cards connected or uses the USB port, PoE out is disabled. | The USB function and all radios are disabled, and PoE out is not supported.
AP6050DN, AP6150DN, and AP7050DE | When the AP has a USB device connected, the 2.4 GHz radio supports 2x2 MIMO. When the AP has no USB device connected, the 2.4 GHz radio supports 4x4 MIMO. | The USB function and all radios are disabled.
AP8050TN-HD | The functions are not restricted. | All the three radios transmit signals through one spatial stream and receive signals through two spatial streams.
R251D-E, AP2051DN-E | The PoE out and USB functions are mutually exclusive. The PoE out function is enabled by default. | The USB function is disabled, and PoE out is not supported.
802.3af AP
802.3af APs support IEEE 802.3af, and their functions are not restricted.
All other APs support IEEE 802.3af except the 802.3bt and 802.3at APs listed in the
preceding table.
802.3at AP
Figure 6-3 shows the PoE working process of an 802.3at AP.
802.3at APs that support hardware detection include the AP4050DN-HD, R250D-E,
AP2050DN, AP2050DN-E, AP4051DN, and AP4151DN.
802.3at APs that do not support hardware detection include the AP8030DN, AP8130DN,
AP9131DN, AP9132DN, AP4030TN, AP4050DN-E, AP6050DN, AP6150DN, AP7050DE,
AP4051TN, AP8050DN-HD, AP8050DN, and AP8150DN.
802.3af AP
APs always work in 802.3af power supply mode after being started.
based on the importance of the PD connected to each port. When providing power nearly
at full capacity, the PSE provides power first for the PD connected to the port of Critical
priority and then provides power for the PD connected to the port of High priority. If
multiple PoE ports have the same priority, the system first supplies power to the PDs
connected to the ports with smaller port numbers.
l Manual mode: You can manually power on or power off ports. In manual mode, the PSE
provides power for a port without considering the priority. Powering on or powering off
a single port does not affect the power supply status. When providing power nearly at
full capacity, the PSE cannot continue to power on a new PD.
Endpoint PSEs can work in Alternative A (line pair 1/2 and line pair 3/6) and Alternative B
(line pair 4/5 and line pair 7/8) power supply modes, which differ in the copper line pairs used.
l Alternative A mode: Power is transmitted over pairs of lines that transmit data.
The PSE provides power for the PD over copper line pairs connected to pins 1 and 2 and
pins 3 and 6. Pins 1 and 2 use the positive voltage and pins 3 and 6 use the negative
voltage.
10Base-T and 100Base-TX ports use copper line pairs connected to pins 1 and 2 and pins
3 and 6 to transmit data, and 1000Base-T ports use four line pairs to transmit data. DC
power and data frequency are independent. Therefore, the power and data can be
transmitted in one pair of lines.
l Alternative B mode: Power is transmitted over idle pairs of lines.
The PSE provides power for the PD over copper line pairs connected to pins 4 and 5 and
pins 7 and 8. Pins 4 and 5 use the positive voltage and pins 7 and 8 use the negative
voltage.
Generally, a standard PD supports the two modes, whereas the PSE only needs to support one
mode. Huawei PSE supports only Alternative A.
PoE features supported by devices include: power management, power-on and power-off in
multiple modes, non-standard PD compatibility, and power-on and power-off management.
Feature Limitations
l When the PoE power supply standard of an AP changes from 802.3af to 802.3at or from
802.3at to 802.3bt, the AP will not restart. When the PoE power supply standard of an
AP changes from 802.3bt to 802.3at or from 802.3at to 802.3af, the AP may restart.
l When an 802.3at AP that does not support hardware detection is connected to a switch
whose power supply mode is 802.3af, the AP restarts repeatedly if the LLDP function is
disabled on the switch.
l When an 802.3at AP that supports hardware detection is connected to a Cisco switch
whose power supply mode is 802.3af, the AP restarts repeatedly if the LLDP function is
disabled on the switch.
l The AP8050DN and AP8150DN cannot be connected to a switch whose power supply
mode is 802.3af because the APs will restart repeatedly after their power consumption
exceeds the power allowed by 802.3af. When the AP8050DN and AP8150DN are
connected to a Cisco switch whose power supply mode is 802.3at, the APs will restart
repeatedly after their power consumption exceeds the power allowed by 802.3at if the
LLDP function is disabled on the switch.
l An 802.3bt AP cannot be connected to an 802.3af switch or a Cisco 802.3at switch.
l If the interval for sending LLDP packets is longer than 90 seconds, LLDP negotiation
may time out, causing the device to incorrectly consider that the LLDP function is not
supported or is disabled.
Context
Before using an AP to provide power for PDs connected to its interfaces, ensure that the PoE
function is enabled on the interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the profile view.
By default, the system provides the AP wired port link profile default.
Step 4 Run the undo poe disable command to enable the PoE function on the AP's interfaces.
By default, the PoE function is enabled on an AP's interface.
----End
Context
You can configure the TLV in LLDP so that the device can classify PDs through the LLDP
function enabled on the device. A device that is not configured with the LLDP function
detects and classifies PDs by analyzing the current and resistance between the device and
the PDs. Compared with current and resistance analysis, the LLDP function provides a more
comprehensive and accurate analysis.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap lldp enable
LLDP is enabled in the WLAN view.
By default, LLDP is enabled in the WLAN view.
Step 4 Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
Step 5 Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.
NOTE
An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the AP
wired port link profile view.
----End
Procedure
l Configure the maximum output power of the AP.
If the power that the network provides for the PoE device is unstable, for example, the
mains voltage fluctuates, the power that the PoE device provides for PDs is affected and
begins to fluctuate. As a result, PDs are not provided with sufficient power and some
PDs are powered off. You can configure the maximum output power of the AP to ensure
power stability for a PD.
By default, the maximum output power of the AP is the total power that the PoE
power supply provides for PDs.
By default, the percentage of the reserved PoE power against the total PoE power
on an AP is 0%.
l Configure the alarm threshold of power consumption percentage.
When the power consumption increases sharply within a range, the reserved power can
satisfy the power requirement. However, if the power consumption exceeds the range,
some PDs are powered off. To solve this problem, configure the alarm threshold for the
power consumption percentage. When the power consumption exceeds the threshold, the
system generates an alarm so that administrators can take measures to reduce the power
consumption.
----End
Context
High inrush current is generated when a non-standard PD is powered on. In this case, the AP
cuts off the power of the PD to protect itself. If the AP is required to provide power to the PD,
the PSE must allow high inrush current.
NOTICE
If high inrush current is allowed, the self-protection function of the AP is disabled. This may
damage components of the PD.
Procedure
Step 1 Run system-view
Step 3 Run the ap-system-profile name profile-name command to create an AP system profile and
enter the profile view.
Step 4 Run the poe high-inrush enable command to configure the AP to allow high inrush current
during power-on.
This command takes effect only on the AP7052DN, AP7152DN, AP7050DN-E, AP4050DN-
E, AP4050DN-HD, AD9431DN-24X, AD9430DN-24, and AD9430DN-12.
----End
Context
PoE power-on and power-off management includes the following functions:
l Setting the power priority of PoE interfaces
l Setting power-on and power-off time ranges
l Configuring compatibility with non-standard PDs
l Setting a PoE standard
l Configuring forcible PoE power supply
Procedure
l Set the power priority of PoE interfaces on the AP.
You can configure power priorities for PoE interfaces: critical, high, and low. When the
available power is insufficient, the AP provides power first for the PDs connected to
high-priority interfaces.
By default, the system provides the AP wired port link profile default.
d. Run the poe priority { critical | high | low } command to set the power priority of
PoE interfaces on the AP.
By default, the system provides the AP wired port link profile default.
l Configure the device to be compatible with non-standard PDs
When a non-standard PD is connected to the AP, the AP cannot detect the proper
resistance and cannot identify the PD. When compatibility check is enabled, the AP can
detect and provide power for the PD that does not comply with the IEEE 802.3af or
IEEE 802.3at standard.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
By default, the system provides the AP wired port link profile default.
d. Run the poe legacy enable command to enable PD compatibility check on the AP.
The AP that supports IEEE 802.3at provides a maximum power of 30 W, and the AP that
supports IEEE 802.3af provides a maximum power of 15.4 W. The former AP provides
higher current than the latter AP when they power on PDs.
Some non-standard PDs cannot be powered on with high current. To power on these PDs,
configure the AP to provide power with low current in conformance with IEEE 802.3af.
NOTE
After running the poe af-inrush enable command, remove the non-IEEE 802.3at PDs and
then install them so that the PDs can be powered on.
l Power on PDs on an interface forcibly.
After this function is configured, an interface forcibly powers on the connected PD even
if the PSE cannot identify the PD. Before powering on the interface, ensure that the
system power is sufficient.
By default, the system provides the AP wired port link profile default.
d. Run the poe force-power command to enable PoE power supply on the AP's
interfaces.
----End
Context
After the configuration is complete, apply profiles to an AP group or AP so that the
configuration can be automatically delivered to specific APs and take effect.
Procedure
Step 1 Run system-view
The AP wired port link profile is bound to the AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port profile.
----End
Prerequisites
After the working mode of an AP's wired interface and the PoE function of a PSE have been
configured, run the following commands to check the configuration:
Procedure
l Run the display wired-port-profile { all | name profile-name } command to check
configuration and reference information about an AP wired port profile.
l Run the display port-link-profile { all | name profile-name } command to check
configuration and reference information about an AP wired port link profile.
l Run the display ap-system-profile { all | name profile-name } command to check
configuration and reference information about an AP system profile.
l Run the display references wired-port-profile name profile-name command to check
reference information about an AP wired port profile.
l Run the display references port-link-profile name profile-name command to check
reference information about an AP wired port link profile.
l Run the display references ap-system-profile name profile-name command to check
reference information about an AP system profile.
----End
Context
Wi-Fi networks are open and shared, and work on free wireless frequency bands. Therefore,
co-channel interference may easily occur in wireless environments, causing Wi-Fi network
instability. These always-changing factors make post-event backtracking difficult. To improve
troubleshooting efficiency, configure APs to report key performance indicators (KPIs) to a
WLAN Maintaining Insight (WMI) server for possible fault cause analysis. In addition, data
statistics are centrally collected for observing device and network trends and identifying
potential device and network faults.
Procedure
Step 1 Run system-view
The destination IP address and port number are configured for APs to report KPI information.
By default, no destination IP address or port number is configured for APs to report KPI
information.
Connection parameters between APs and the WMI server are set.
By default, the heartbeat interval is 3 minutes, the reconnection interval is 5 minutes, and the
number of reconnection attempts is 0.
The value 0 indicates that the server and APs always attempt to reconnect to each other.
The maximum data length of KPI information sent by APs to a WMI server is specified.
By default, the maximum data length of KPI information sent by APs to a WMI server is 5
KB.
The interval for APs to report KPI information to a WMI server is specified.
Step 8 (Optional) Run at least one of the following commands to configure whether APs report
collected data to the WMI server and set the data collection interval:
l collect-item device-data { interval interval1 | disable }
l collect-item interface-data { interval interval2 | disable }
l collect-item location-data { interval interval3 | disable }
By default, APs report all types of collected data to a WMI server. The data collection interval
varies depending on the data type, as listed in Table 1.
----End
Context
On wireless networks, the radio medium is easily affected by interference from its
surroundings. The transmission quality of service data changes greatly depending on the
interference. Therefore, you must evaluate and check the transmission quality of wireless
links to ensure better service data transmission, efficient cooperation between densely
deployed wireless networks, and reduced signal interference.
Use the RF ping function to exchange data packets between APs and STAs and check the
transmission quality of wireless links. The link check result includes the signal strength, radio
interface rate, and packet sending delay, which together indicate the transmission
quality of wireless links.
Procedure
Step 1 Run system-view
Step 3 Run the rf-ping [ -m time | -c number ] * mac-address command to check wireless link
quality.
----End
Context
When a network fault occurs, use an AP to ping other network devices to check the
connectivity.
Procedure
Step 1 Run system-view
Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m time | -t
timeout ] * host command to ping a network device from an AP to check network connectivity
between them.
----End
Context
After AP online and management AP configurations are complete, run the following
commands in any view to check AP running statistics.
Procedure
l Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to check AP
running information.
l Run the display ap performance statistics { ap-name ap-name | ap-id ap-id }
command to check AP performance statistics.
l Run the display radio { all | ap-group ap-group-name | ap-name ap-name | ap-id ap-
id } command to check AP radio information.
l Run the display ap asyn-message err-info { all | ap-name ap-name | ap-id ap-id }
command to check records about AP restart failures.
l Run the display ap uncontrol all command to check unauthorized APs.
l Run the display channel switch-record { all | ap-name ap-name radio radio-id | ap-id
ap-id radio radio-id | reason reason } command to check channel switching records.
l Run the display ap traffic statistics wireless { ap-name ap-name | ap-id ap-id } radio
radio-id [ ssid ssid ] command to check packet statistics on an AP radio.
l Run the display ap elabel { ap-name ap-name | ap-id ap-id } command to check AP
electronic label information.
l Run the display ap service-config acl { ap-name ap-name | ap-id ap-id } command to
check ACL configurations on an AP.
l Run the display ap port { all | ap-name ap-name | ap-id ap-id | ap-mac ap-mac }
command to check the AP port status and traffic information.
l Run the display distribute-ap { all | ap-id ap-id | ap-mac ap-mac | ap-name ap-name |
central-ap-id central-ap-id | central-ap-mac central-ap-mac | central-ap-name
central-ap-name } command to check RU information.
l Run the display ap statistics command to check statistics on the types of APs added to
an AC.
----End
Context
You can view neighbor information on a specified AP radio to determine the AP location and
neighbor relationship, helping locate rogue APs and plan the WLAN.
Procedure
Step 1 Run the display ap lldp neighbor { { ap-name ap-name | ap-id ap-id } [ interface interface-
type interface-number ] | brief } command to check LLDP neighbor information on an AP.
Step 2 Run the display ap neighbor { ap-name ap-name | ap-id ap-id } [ radio radio ] command to
check information about neighbors of a radio.
Step 3 Run the display ap around-ssid-list { ap-name ap-name | ap-id ap-id } command to check
SSIDs of an AP's neighbors.
----End
Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 6-4,
the AP is directly connected to the switch, service data is directly forwarded in AC bypass
deployment mode, and the switch connects to the Internet through the egress route. The
enterprise requires that data forwarding is not affected even when the AC is faulty to improve
data transmission reliability.
Figure 6-4 Networking diagram for configuring service holding upon CAPWAP link disconnection
[Diagram: APs and STAs in Area A, the switch, the AC, and the network; interface labels GE0/0/1 and GE0/0/2; CAPWAP tunnel. Management VLAN: VLAN 100. Service VLAN: VLAN 101. Legend: control packet, data packet.]
Configuration Roadmap
1. Configure basic WLAN services.
2. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit
# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP         Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.1.1.254 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the AP system profile wlan-system and configure the service holding function.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] keep-service enable
[AC-wlan-ap-system-prof-wlan-system] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode direct-forward
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain
 ap-system-profile name wlan-system
  keep-service enable
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
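Two of the Configuration Notes of this example (port isolation on AP-facing switch ports in direct forwarding, and different management and service VLANs in tunnel forwarding) can be checked mechanically against configuration files such as the two above. The following Python script is an added example, not part of the Huawei guide; the sample files are constructed from this example, and two things are assumptions: that a trunk port whose PVID is the management VLAN faces an AP, and that tunnel forwarding appears in the file as forward-mode tunnel.

```python
import re

# Constructed sample input: excerpts of the switch and AC configuration files
# from this example, indented by one space per nesting level for readability.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode direct-forward
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
#
return
"""


def sections(cfg):
    """Split a configuration file into blocks of stripped lines, delimited by '#' lines."""
    parts = re.split(r"(?m)^#[ \t]*$", cfg)
    blocks = [[ln.strip() for ln in p.splitlines() if ln.strip()] for p in parts]
    return [b for b in blocks if b]


def parse_switch(cfg):
    """Return {interface: {'pvid', 'isolated'}} for every interface block."""
    ifaces = {}
    for block in sections(cfg):
        head = re.match(r"interface (\S+)$", block[0])
        if not head:
            continue
        info = ifaces[head.group(1)] = {"pvid": None, "isolated": False}
        for line in block[1:]:
            pvid = re.match(r"port trunk pvid vlan (\d+)$", line)
            if pvid:
                info["pvid"] = int(pvid.group(1))
            elif line.startswith("port-isolate enable"):
                info["isolated"] = True
    return ifaces


def parse_ac(cfg):
    """Return (management VLAN, {VAP profile name: {'mode', 'vlan'}})."""
    mgmt, vaps = None, {}
    for block in sections(cfg):
        cur = None
        for line in block:
            src = re.match(r"capwap source interface vlanif(\d+)$", line, re.I)
            new = re.match(r"(\S+) name (\S+)$", line)  # start of a profile or group
            if src:
                mgmt = int(src.group(1))
            elif new and new.group(1) == "vap-profile":
                cur = vaps.setdefault(new.group(2), {"mode": None, "vlan": None})
            elif new:
                cur = None
            elif cur is not None and line.startswith("forward-mode "):
                cur["mode"] = line.split()[1]
            elif cur is not None and line.startswith("service-vlan vlan-id "):
                cur["vlan"] = int(line.split()[2])
    return mgmt, vaps


def audit(switch_cfg, ac_cfg):
    """Check both files against the Configuration Notes of this example."""
    mgmt, vaps = parse_ac(ac_cfg)
    findings = []
    for name, vap in sorted(vaps.items()):
        # 'tunnel' as the tunnel-forwarding keyword is an assumption (not shown on the page).
        if vap["mode"] == "tunnel" and vap["vlan"] == mgmt:
            findings.append(f"{name}: tunnel forwarding, but service VLAN {mgmt} is the management VLAN")
    direct = any(v["mode"] == "direct-forward" for v in vaps.values())
    for name, port in sorted(parse_switch(switch_cfg).items()):
        # Assumption: a trunk port whose PVID is the management VLAN faces an AP.
        if mgmt is None or port["pvid"] != mgmt:
            continue
        if direct and not port["isolated"]:
            findings.append(f"{name}: AP-facing port in direct forwarding without port isolation")
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH_CFG, AC_CFG) or ["no findings"]:
        print(finding)
```

GE0/0/2 is not reported even though it has no port isolation, because it carries no PVID for the management VLAN and is therefore treated as the uplink to the AC rather than an AP-facing port.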
Fault Symptom
After the AP's uplink wired interface is configured to work in endpoint mode, the AP cannot
go online after a restart.
Procedure
1. Check whether the AP's uplink wired interface is configured to work in endpoint mode.
Error-prone configuration:
When working as an uplink interface to connect to an AC, an AP's wired interface must
work in root mode. In root mode, the AP's wired interface automatically joins service
VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS
server).
When working as a downlink interface to connect to a wired terminal, the AP's wired
interface must work in endpoint mode. In endpoint mode, the AP's wired interface does
not join any VLAN by default.
NOTE
This configuration takes effect only after the AP is restarted.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wired-port-profile name wired
[HUAWEI-wlan-wired-port-wired] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management.
This fault can be recovered only by modifying the configuration on the AP.
Continue? [Y/N]:y
[HUAWEI-wlan-wired-port-wired] return
Suggestion:
– Hold down the Default button to restore factory settings of the AP.
– Log in to the AP and perform the following operations:
i. Configure a static ARP entry on the access switch.
<Switch> system-view
[Switch] arp static 169.254.1.1 a858-40dd-ef80 // The default IP address of the AP is 169.254.1.1. The MAC address of the AP is specified because devices on the network may have the same IP address.
ii. Configure an IP address on the same network segment as that of the AP for the
switch.
[Switch] interface Vlanif1
[Switch-Vlanif1] ip address 169.254.1.100 255.255.255.0
[Switch-Vlanif1] quit
iii. Configure the PVID for the port connecting the switch directly to the AP.
[Switch] interface GigabitEthernet0/0/1
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 1
Purpose
RRM helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the RRM function, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization.
Overview
On a WLAN, the operating status of APs is affected by the radio environment. For example,
adjacent APs using the same working channel interfere with each other, and a high-power AP
can interfere with adjacent APs if they work on overlapping channels. Radio calibration can
dynamically adjust channels and power of APs managed by the same AC to ensure that the
APs work in a way that optimizes performance.
Channel Adjustment
On a WLAN, adjacent APs must work on non-overlapping channels to avoid radio
interference. For example, the 2.4 GHz frequency band is divided into 14 overlapping 20
MHz channels, as shown in Figure 7-1.
NOTE
For channels supported in different countries, see the Country Code & Channel Compliance Table. You can
obtain this table at Huawei technical support website.
l Enterprise technical support website: http://support.huawei.com/enterprise
l Carrier technical support website: http://support.huawei.com
[Figure 7-1: 2.4 GHz channels. Legend: 1 is the channel number; 2.412 is the center frequency in GHz.]
The 5 GHz frequency band has even richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz channels,
as shown in Figure 7-2.
[Figure 7-2: 5 GHz channels. IEEE channel numbers 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, and 165, shown at 20 MHz, 40 MHz, and 80 MHz channel widths.]
l Two neighboring 20 MHz channels are bundled into a 40 MHz channel. One of the two
20 MHz channels is the primary channel, and the other the auxiliary channel. The
primary channel is used for transmission of the management and control packets, and the
auxiliary channel for other packets, including the data packets.
l Two neighboring 40 MHz channels are bundled into an 80 MHz channel. In an 80 MHz
channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz
channel making up the 40 MHz channel with the primary channel is called the auxiliary
20 MHz channel. The 40 MHz channel not containing the primary channel is called the
auxiliary 40 MHz channel.
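The bundling rules in the two items above, worked through in Python as an added example that is not part of the Huawei guide. The channel list is the one shown for Figure 7-2; the alignment of bundled channels from channel 36 (and from 149 in the upper band) is standard 802.11 channelization assumed here, and the function names are illustrative.

```python
# 20 MHz channels in the 5 GHz band as listed for Figure 7-2 on this page.
CHANNELS_5G = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
               124, 128, 132, 136, 140, 149, 153, 157, 161, 165]


def block(primary, width_mhz):
    """Return the 20 MHz channels of the width_mhz channel containing primary, or None.

    Channel numbers advance by 4 per 20 MHz. Bundled channels are aligned from
    channel 36, or from 149 in the upper band (assumption: standard 802.11
    channelization, which the page shows only as a figure).
    """
    count = width_mhz // 20
    base = 149 if primary >= 149 else 36
    start = primary - (primary - base) % (4 * count)
    members = [start + 4 * i for i in range(count)]
    return members if all(ch in CHANNELS_5G for ch in members) else None


def bond(primary, width_mhz):
    """Name the role of each 20 MHz channel in a 20, 40 or 80 MHz channel."""
    if primary not in CHANNELS_5G or width_mhz not in (20, 40, 80):
        raise ValueError("unknown channel or width")
    whole = block(primary, width_mhz)
    if whole is None:
        return None  # no complete set of neighbors in the list, e.g. channel 165
    roles = {"primary": primary, "auxiliary_20": None, "auxiliary_40": None}
    if width_mhz >= 40:
        pair = block(primary, 40)
        # The other half of the 40 MHz channel is the auxiliary 20 MHz channel.
        roles["auxiliary_20"] = next(ch for ch in pair if ch != primary)
    if width_mhz == 80:
        # The 40 MHz channel that does not contain the primary channel.
        roles["auxiliary_40"] = [ch for ch in whole if ch not in pair]
    return roles


if __name__ == "__main__":
    for primary, width in [(36, 80), (157, 80), (48, 40), (165, 40), (132, 80)]:
        print(primary, width, bond(primary, width))
```

Channels 132 and 165 return None at 80 MHz and 40 MHz respectively because the list above does not contain the neighbors needed to complete the bundle.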
Figure 7-3 shows an example of channel distribution before and after channel adjustment.
Before channel adjustment, both AP2 and AP4 use channel 6. After channel adjustment, AP4
uses channel 11 so that it does not interfere with AP2.
After channel adjustment, each AP is allocated an optimal channel to minimize or avoid
adjacent-channel or co-channel interference, ensuring reliable data transmission on the
network.
[Figure 7-3: channel distribution of AP1 to AP4 before and after channel adjustment]
In addition to optimizing radio performance, channel adjustment can also be used for dynamic
frequency selection (DFS). In some regions, radar systems work in the 5 GHz frequency band,
which can interfere with radio signals of APs working in the 5 GHz frequency band. The DFS
function enables APs to automatically switch to other channels when they detect interference
on their current working channels.
Power Adjustment
An AP's transmit power determines its radio coverage area. APs with higher power have
larger coverage areas. A traditional method to control the radio power is to set the transmit
power to the maximum value to maximize the radio coverage area. However, a high transmit
power may cause interference with other wireless devices. Therefore, an optimal power is
required to balance the coverage area and signal quality.
The power adjustment function helps dynamically allocate proper power to APs according to
the real-time radio environment. Power adjustment works according to the following:
l When an AP is added to the network, the transmit power of neighboring APs decreases,
as shown in Figure 7-4. The area of the circle around an AP represents the AP's
coverage area after transmit power adjustment. When AP4 is added to the network, the
transmit power of each AP decreases automatically.
[Figure 7-4: transmit power adjustment before (AP1 to AP3) and after (AP1 to AP4) an AP is added to the network]
Redundant radios on a WLAN not only generate co-channel interference but also waste
network capacity. Therefore, the following policies are available to process redundant radios:
l Switched to 5G: If many 5 GHz channel resources are available, a redundant radio is
switched to the 5 GHz mode, increasing the maximum capacity of 5 GHz radios.
l Switched to monitor: If no more 5 GHz channel resources are available, a redundant
radio is switched to the monitor mode and used for scanning services.
l Disabled: Disabling a redundant radio decreases co-channel interference but does not
affect coverage.
Manually identifying, switching, or disabling redundant radios will greatly increase network
maintenance costs. To resolve this issue, Dynamic Frequency Assignment (DFA) is adopted to
automatically identify, switch, or disable redundant radios, reducing 2.4 GHz co-channel
interference and increasing system capacity.
Implementation
Radio calibration requires the following components for implementation:
l AP: actively or passively collects radio environment information and sends the
information to the AC. The AC then delivers the calibration results.
[Figure: radio calibration process]
1. Request AP to start neighbor probing.
2. Report probe results.
3. Allocate channels and power to AP based on algorithms.
4. Deliver calibration results to AP.
Overview
Load balancing can evenly distribute AP traffic loads to ensure high bandwidth for each STA.
The load balancing function applies to wireless networks with high user densities to ensure
access of STAs. Two load balancing technologies are available: AP-based load balancing and
radio-based load balancing.
In Figure 7-8, AP_1 and AP_2 associate with an AC. Four users (STA_1 to STA_4) associate
with AP_1, and one user (STA_5) associates with AP_2. If too many users connect to the
Internet through AP_1, AP_1 will be overloaded, whereas resources on AP_2 are not used.
After load balancing is configured on an AC, the AC uses a load balancing algorithm to
determine whether a new STA (STA_6 in Figure 7-8) can associate with an AP. The load
balancing algorithm prevents new STAs from associating with heavily-loaded APs to reduce
loads on these APs.
NOTE
Load balancing can be implemented among APs only when the APs are connected to the same AC and all
these APs can be discovered by a STA.
Currently, the load balancing function is implemented in the STA access phase. In scenarios with complex
user service types and unstable traffic, the expected load balancing effect cannot be achieved. In this case,
you are not advised to enable load balancing based on the channel usage.
[Figure 7-8: load balancing networking with the Internet, AC, switch, AP_1, AP_2, STA_1 to STA_5, and STA_6 (a new STA)]
Implementation
Depending on whether a load balancing group needs to be manually created, load balancing is
classified as either static or dynamic load balancing:
l Static load balancing: APs providing the same services are manually added to a load
balancing group. Each AP periodically reports STA association information to the AC,
and the AC distributes user traffic among APs based on received STA association
information. When a STA sends an association request, the AP uses a load balancing
algorithm to determine whether to accept the association request. Static load balancing
can be implemented when the following conditions are met:
– APs in Figure 7-8 are single-band APs that support only one frequency band. If
dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
– Each load balancing group supports a maximum of 16 APs.
l Dynamic load balancing: A STA sends broadcast Probe Request frames to scan available
APs. The APs that receive the Probe Request frames all report the received STA
information to the AC. The AC adds these APs to a load balancing group and then uses a
load balancing algorithm to determine whether to permit access from the STA. Static
load balancing supports a limited number of group members, and all members must be
manually added to the group and work on the same frequency band. Dynamic load
balancing overcomes these limitations.
Depending on the load balancing algorithm used, load balancing is classified as either traffic-
based load balancing or session-based load balancing:
The AC calculates the load percentage of each radio in a load balancing group using the
formula:
Load percentage of a radio = (Number of associated STAs on the radio/Maximum number of
STAs allowed on the radio) x 100%
The AC compares the load percentages of all of the radios in the load balancing group and
obtains the smallest load percentage value. When a STA requests to associate with an AP
radio, the AC calculates the difference between the radio's load percentage and the smallest
load percentage value and compares the load difference with a specified threshold.
If the load difference is smaller than the threshold, the AC allows the STA to associate with
the radio. If not, the AC rejects the association request of the STA. If the STA continues
sending association requests to this AP, the AC allows the STA to associate with the AP when
the number of consecutive association attempts of the STA exceeds the maximum number of
rejection times configured on the AC.
NOTE
In the formula, the value of Maximum number of STAs allowed on the radio depends on AP types,
which can be obtained using the display ap-type { id type-id | type ap-type } command. Maximum
number of STAs allowed on the radio refers to the value of the field Maximum station number in the
command output.
between this load percentage and the smallest value is 40% (50% - 10% = 40%), larger than
the load difference threshold (5%). Therefore, the AC determines that traffic is not evenly
distributed between the two APs and prevents STA_6 from associating with AP_1.
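The admission check described above, worked through as an added Python model (not Huawei code; the class and function names are hypothetical, and the STA counts are constructed to reproduce the 50% and 10% loads of the example). It also shows the effect of the maximum number of rejection times on a STA that keeps retrying.

```python
"""STA-count load balancing admission, modelled from the description above.

Added illustration, not Huawei code; all names are hypothetical.
The start threshold from the configuration sections is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    associated: int   # STAs currently associated with the radio
    max_stas: int     # "Maximum station number" reported for the AP type

    def load_pct(self) -> float:
        # Load percentage = associated STAs / maximum STAs x 100%
        return self.associated * 100 / self.max_stas


@dataclass
class LoadBalancingGroup:
    radios: dict                     # radio name -> Radio
    gap_threshold_pct: float = 20.0  # load difference threshold
    deny_threshold: int = 3          # maximum number of rejection times
    attempts: dict = field(default_factory=dict)  # (sta, radio) -> rejected attempts so far

    def load_gap(self, radio_name: str) -> float:
        """Difference between this radio's load and the smallest load in the group."""
        smallest = min(r.load_pct() for r in self.radios.values())
        return self.radios[radio_name].load_pct() - smallest

    def request(self, sta: str, radio_name: str) -> str:
        """Decide one association request and update the group state."""
        key = (sta, radio_name)
        attempt_no = self.attempts.get(key, 0) + 1
        if self.load_gap(radio_name) < self.gap_threshold_pct:
            verdict = "accept"
        elif attempt_no > self.deny_threshold:
            # The STA kept retrying past the rejection limit, so it is admitted
            # even though the load difference is still above the threshold.
            verdict = "accept-after-retries"
        else:
            self.attempts[key] = attempt_no
            return "reject"
        self.attempts.pop(key, None)
        self.radios[radio_name].associated += 1
        return verdict


def page_example() -> LoadBalancingGroup:
    # Constructed counts that give the 50% and 10% loads of the worked example,
    # with the 5% load difference threshold used there.
    return LoadBalancingGroup(
        radios={"AP_1": Radio(5, 10), "AP_2": Radio(1, 10)},
        gap_threshold_pct=5.0,
    )


def persistent_sta_verdicts(tries: int = 4) -> list:
    """STA_6 keeps requesting AP_1, the heavily loaded radio."""
    group = page_example()
    return [group.request("STA_6", "AP_1") for _ in range(tries)]


if __name__ == "__main__":
    print("load gap on AP_1:", page_example().load_gap("AP_1"))
    print("verdicts:", persistent_sta_verdicts())
```

The fourth verdict shows that the rejection limit makes load balancing a steering mechanism rather than a hard cap on the number of STAs on a radio.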
Overview
Most STAs support both 5 GHz and 2.4 GHz frequency bands but usually associate with the
2.4 GHz radio by default when connecting to the network. As a result, the 2.4 GHz frequency
band with fewer channels is congested, heavily-loaded, and has severe interference. The 5
GHz frequency band with more channels and less interference is not well used. When the 2.4
GHz frequency band has many users or severe interference, the 5 GHz frequency band can
provide better access service for wireless users. Users must manually select the 5 GHz radio
to connect to it.
The band steering function enables an AP to steer STAs to the 5 GHz radio first, which
reduces traffic load and interference on the 2.4 GHz radio and improves user experience.
NOTE
To implement band steering, an AP must have the same SSID and security policy on the 5 GHz and 2.4 GHz
radios.
Implementation
Figure 7-9 shows the implementation of band steering, involving two phases:
[Figure 7-9: band steering implementation, showing STA_1, the AP and its 2.4 GHz radio, the switch, the AC, and the Internet]
1. 5G-prior access
Before the number of access STAs on an AP exceeds the start threshold for load
balancing between radios, the AP preferentially connects a new STA to the 5 GHz radio.
As shown in the figure, when the AP receives a Probe Request frame from the STA
(STA_1), it checks the radio that receives the frame. If the Probe Request frame is
received by the 5 GHz radio, the AP returns a Probe Response frame. The STA then
associates with the 5 GHz radio, and the AC records the supported frequency band of the
STA as the 5 GHz frequency band.
If the 2.4 GHz radio continuously receives Probe Request frames but the 5 GHz radio
does not receive any, the AP returns a Probe Response frame through the 2.4 GHz radio.
The STA then associates with the 2.4 GHz radio, and the AC records the supported
frequency band of the STA as the 2.4 GHz frequency band.
When STA_1 associates with the AP again, the AP first checks the frequency band
supported by the STA. If STA_1 supports only the 2.4 GHz frequency band, the AP
immediately permits the STA to access the 2.4 GHz radio.
2. Load balancing between radios
After the number of access STAs on an AP exceeds the start threshold for load balancing
between radios, the AP determines the radio to which the STA connects based on the
difference between the number of access STAs on the 2.4 GHz radio and that on the 5
GHz radio.
For example, if a STA requests to associate with the AP on the 2.4 GHz radio but the number
of access STAs on the AP has exceeded the start threshold for load balancing between radios,
the AP implements load balancing between the 2.4 GHz and 5 GHz radios according to the
value computed based on the formula: (Number of access STAs on the 5 GHz radio –
Number of access STAs on the 2.4 GHz radio)/Number of access STAs on the 5 GHz radio x
100%. If the value is greater than the load difference threshold, the AP preferentially
associates with the STA on the 2.4 GHz radio; otherwise, the AP preferentially associates
with the STA on the 5 GHz radio.
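The two phases above as an added Python model (not Huawei code; names are hypothetical). The start threshold of 4 and the load difference threshold of 20% are constructed values, and preferring the 5 GHz radio when it has no STAs is an assumption, since the formula is undefined in that case.

```python
"""Band steering decision, modelled from the two phases described above.

Added illustration, not Huawei code; all names are hypothetical.
"""
from dataclasses import dataclass, field

BAND_5G, BAND_24G = "5G", "2.4G"


@dataclass
class BandSteeringAP:
    start_threshold: int = 100        # start threshold for load balancing between radios
    gap_threshold_pct: float = 20.0   # load difference threshold (constructed value)
    assoc: dict = field(default_factory=dict)       # sta -> band currently in use
    known_band: dict = field(default_factory=dict)  # sta -> band recorded by the AC

    def count(self, band: str) -> int:
        return sum(1 for b in self.assoc.values() if b == band)

    def balance(self) -> str:
        """Phase 2: (5 GHz STAs - 2.4 GHz STAs) / 5 GHz STAs x 100% against the threshold."""
        n5, n24 = self.count(BAND_5G), self.count(BAND_24G)
        if n5 == 0:
            # Formula undefined; assumption: an empty 5 GHz radio is preferred.
            return BAND_5G
        value = (n5 - n24) * 100 / n5
        return BAND_24G if value > self.gap_threshold_pct else BAND_5G

    def steer(self, sta: str, heard_on: set) -> str:
        """heard_on: radios that received the STA's Probe Request frames."""
        self.assoc.pop(sta, None)  # a re-association replaces the old entry
        if self.known_band.get(sta) == BAND_24G or BAND_5G not in heard_on:
            # Recorded as 2.4 GHz only, or never heard on the 5 GHz radio.
            band = BAND_24G
        elif len(self.assoc) <= self.start_threshold:
            band = BAND_5G          # phase 1: 5G-prior access
        else:
            band = self.balance()   # phase 2: load balancing between radios
        # The supported band is recorded once, from where the STA was first heard.
        self.known_band.setdefault(sta, BAND_5G if BAND_5G in heard_on else BAND_24G)
        self.assoc[sta] = band
        return band


def run_scenario() -> list:
    ap = BandSteeringAP(start_threshold=4)  # small constructed threshold
    both = {BAND_24G, BAND_5G}
    probes = [
        ("s1", both), ("s2", both), ("s3", both),
        ("s4", {BAND_24G}),          # only the 2.4 GHz radio hears this STA
        ("s5", both),                # 4 STAs online: threshold not yet exceeded
        ("s6", both), ("s7", both), ("s8", both), ("s9", both),
        ("s4", both),                # re-association of a STA recorded as 2.4 GHz
    ]
    return [ap.steer(sta, heard) for sta, heard in probes]


if __name__ == "__main__":
    print(run_scenario())
```

With four STAs on the 5 GHz radio, new dual-band STAs are sent to the 2.4 GHz radio until the computed value drops to the threshold or below, after which 5 GHz is preferred again.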
Overview
Some terminals on networks have low roaming aggressiveness. As a result, they stick to the
initially connected APs regardless of whether they move far from the APs, and have weak
signals or low rates. The terminals fail to roam to neighboring APs with better signals. They
are called sticky terminals.
Smart roaming addresses this problem. After smart roaming is configured, the system
actively steers the terminals to neighboring APs with better signals.
Implementation
Figure 7-10 shows the implementation of smart roaming.
[Figure 7-10: smart roaming implementation, steps 1 to 5, with the AC, AP_1, AP_2, AP_3, and STA_1]
In Figure 7-10, STA_1 moves from Area1 to Area2. AP_1 detects that the signal
strength of STA_1 is lower than the threshold in a specified period of time and considers
STA_1 a sticky STA.
3. After receiving the reported information, the AC selects the optimal neighboring AP of
STA_1 (AP_2) as the target AP to which STA_1 is to roam and delivers the target AP
information to AP_1.
The AC determines the target AP to which a sticky terminal is to roam as follows:
a. The AC checks the terminal neighbor table and selects neighboring APs whose
SNR exceeds that of the AP currently associated with the terminal based on the
specified threshold. The selected neighboring APs are candidate APs to which the
terminal is to roam.
b. Among all candidate APs, the AC selects the optimal AP based on the STA's SNR,
rate and load balancing information, and then triggers terminal roaming.
To prevent frequent roaming caused by terminal movement or signal fluctuation,
terminal roaming is triggered only when the terminal is detected as a sticky terminal
three consecutive times.
4. AP_1 forces STA_1 to roam to AP_2 based on the BSS transition mechanism defined in
the 802.11v protocol or the forced logout mode.
After roaming to AP_2, STA_1 is blacklisted on AP_1 to prevent it from connecting to
AP_1 again.
5. STA_1 roams to AP_2.
Due to individual differences, some terminals do not roam to APs with better signals but stick
to the initially associated APs even if they are disconnected forcibly. These terminals may not
initiate association requests if forced offline. The AC records these terminals as unable to
roam. When an "unable to roam" terminal is classified as a sticky terminal, the AP does not
trigger roaming of the terminal in a specified period to prevent service interruption.
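The sticky-terminal handling above as an added Python model (not Huawei code; names and threshold values are hypothetical). The page does not say how SNR, rate, and load are weighed among candidate APs, so ranking by highest SNR and then lowest load is an assumption, as is recording the blacklist entry at the moment the target AP is chosen.

```python
"""Smart roaming decision on the AC, modelled from the steps described above.

Added illustration, not Huawei code; all names and values are hypothetical.
"""
from dataclasses import dataclass, field

STICKY_DETECTIONS = 3  # roaming is triggered only after three consecutive detections


@dataclass
class SmartRoamingAC:
    snr_threshold_db: float  # serving-AP SNR below this counts as a sticky detection
    snr_gap_db: float        # margin by which a neighbor must beat the serving AP
    unable_hold_s: float     # period during which an "unable to roam" STA is left alone
    streak: dict = field(default_factory=dict)        # sta -> consecutive sticky detections
    unable_until: dict = field(default_factory=dict)  # sta -> time when steering may resume
    blacklist: set = field(default_factory=set)       # (ap, sta) pairs

    def candidates(self, serving_snr: float, neighbors: dict) -> dict:
        """Step a: neighbors whose SNR exceeds the serving AP's by the threshold.

        Reading the threshold as a margin in dB is an interpretation of the text.
        """
        return {ap: v for ap, v in neighbors.items()
                if v[0] - serving_snr >= self.snr_gap_db}

    def mark_unable_to_roam(self, now: float, sta: str) -> None:
        self.unable_until[sta] = now + self.unable_hold_s

    def observe(self, now, sta, serving_ap, serving_snr, neighbors):
        """One detection cycle; returns the target AP name, or None for no action."""
        if serving_snr >= self.snr_threshold_db:
            self.streak[sta] = 0   # signal recovered, so the streak is broken
            return None
        self.streak[sta] = self.streak.get(sta, 0) + 1
        if self.streak[sta] < STICKY_DETECTIONS:
            return None
        if now < self.unable_until.get(sta, 0.0):
            return None            # known "unable to roam" STA: avoid interrupting service
        cands = self.candidates(serving_snr, neighbors)
        if not cands:
            return None
        # Step b (assumed ranking): highest SNR first, then lowest load.
        target = max(cands, key=lambda ap: (cands[ap][0], -cands[ap][1]))
        self.streak[sta] = 0
        self.blacklist.add((serving_ap, sta))  # keeps the STA from returning to the old AP
        return target


# Constructed terminal neighbor table: AP name -> (SNR in dB, load in percent)
NEIGHBORS = {"AP_2": (40.0, 30.0), "AP_3": (30.0, 10.0)}


def moving_sta() -> list:
    """STA_1 drifts away from AP_1; one good reading resets the streak."""
    ac = SmartRoamingAC(snr_threshold_db=20.0, snr_gap_db=15.0, unable_hold_s=600.0)
    snrs = [18.0, 25.0, 18.0, 18.0, 18.0]
    return [ac.observe(10.0 * i, "STA_1", "AP_1", snr, NEIGHBORS)
            for i, snr in enumerate(snrs)]


def unable_to_roam_sta() -> list:
    """STA_2 was recorded as unable to roam at t=0 and is left alone for 600 s."""
    ac = SmartRoamingAC(snr_threshold_db=20.0, snr_gap_db=15.0, unable_hold_s=600.0)
    ac.mark_unable_to_roam(0.0, "STA_2")
    return [ac.observe(t, "STA_2", "AP_1", 18.0, NEIGHBORS)
            for t in (10.0, 20.0, 30.0, 700.0)]


if __name__ == "__main__":
    print(moving_sta())
    print(unable_to_roam_sta())
```

AP_3 has the lower load but is never selected here, because it fails the SNR margin in step a before load is considered.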
CAC uses two types of thresholds to control access of new users and roaming users
respectively. When a new user connects to the AP, the AP checks whether the current channel
usage or the number of online users reaches the threshold set for new users. If so, the AP
denies the new user access and hides its SSID to prevent new users from accessing WLAN
services provided by the radio. To ensure that online users of another AP can roam to the
current AP, some resources are reserved for roaming users.
However, too many users roaming to the AP degrades the experience of users already online
on the AP. Therefore, a CAC threshold for roaming users is required. When a user roams to an
AP, the AP accepts the user provided the number of users on the AP has not reached the CAC
threshold for roaming users.
l STA interference: If there are many STAs that are managed by other APs around an AP,
services of the STAs managed by the local AP may be affected.
Configure load balancing: Load balancing can evenly distribute AP traffic loads to ensure high
bandwidth for each STA. The load balancing function applies to wireless networks with high
user densities to ensure proper access of STAs. See 7.8 Configuring Load Balancing.
l You can run the display ap-type all command to check the default AP types supported
by the device.
l When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 7-3 Products and minimum version supporting the WLAN service
Series    Product Model    Minimum Version Required
Feature Limitations
Configuring Radio Calibration
l Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
l When configuring 40 MHz or 80 MHz calibration bandwidth, check whether channels of
the corresponding bandwidth exist under the country code.
l To ensure a good calibration effect, you are advised to configure at least three calibration
channels.
l When configuring a radio calibration set, avoid using radar channels.
l In high-density scenarios, directional antennas are mostly used. It is recommended that
the radio calibration function be disabled. If this function is enabled, the radio calibration
effect is affected.
Configuring Load Balancing
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.
When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.
In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
l If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
l Each load balancing group supports a maximum of 16 AP radios.
When the number of STAs is higher than 3000, the dynamic load balancing function is not
recommended. If this function is enabled, AC performance is affected.
The smart roaming function applies to high-density scenarios, for example, lecture halls. This
function is not recommended in scenarios where STAs move frequently. If the smart roaming
function is enabled in such a scenario, it is recommended that the default roaming threshold
value be used.
If a high roaming threshold is configured, STAs may go offline frequently. If a low roaming
threshold is configured, STAs cannot roam to APs with better signals in a timely manner.
l To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
l Single-radio devices do not support the band steering function.
l The AP2010DN does not support the band steering function.
This function is recommended in high-density stadium and higher education scenarios, but
not recommended in wireless city scenarios.
Pre-configuration Tasks
Before configuring interference detection, perform the task of Configuring Basic WLAN
Services.
Procedure
Step 1 Run system-view
----End
In auto mode, the device continuously detects neighbors and updates neighbor information. When
a radio calibration interval is reached, global radio calibration is triggered. The auto mode applies
to coverage hole compensation, coverage hole compensation reversal, and partial radio calibration.
l Manual mode: The device does not proactively perform radio calibration. You need to
run the calibrate manual startup command to trigger global calibration.
l Schedule mode: The device triggers global radio calibration at a time specified by the
parameter time.
The three modes cannot be configured simultaneously. You can choose any of the modes as
required. Schedule mode is recommended, which can be specified using the calibrate enable
schedule time time-value command. You can configure the device to perform radio
calibration in off-peak hours, for example, between 00:00 am and 06:00 am.
Pre-configuration Tasks
Before configuring radio calibration, perform the task of 5 WLAN Service Configuration.
Configuration Notes
l Global radio calibration is implemented on all APs.
l Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
l Radio calibration is not applicable to scenarios where APs cannot detect each other, for
example, APs use directional antennas, are far from each other, or have obstacles
between them.
l Radio calibration is not applicable to high-density, WDS/Mesh backhaul, rail
transportation, or external directional-antenna scenarios.
l Radios in monitoring mode do not participate in calibration.
l Some functions depend on channel scanning, for example, radio calibration, smart
roaming, and WIDS. After such a function is configured, a channel switchover during
the scanning increases users' service data delay, which may affect wireless service
experience.
Procedure
Step 1 Run system-view
Step 3 Configure automatic channel selection and automatic transmit power selection for APs.
Configuration based on the AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the radio radio-id command to enter the radio view.
3. Run the undo calibrate auto-channel-select disable command to enable automatic
channel selection.
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the radio radio-id command to enter the radio view.
3. Run the undo calibrate auto-channel-select disable command to enable automatic
channel selection.
By default, automatic channel selection is enabled.
4. Run the undo calibrate auto-txpower-select disable command to enable automatic
transmit power selection.
By default, automatic transmit power selection is enabled.
5. Run the quit command to return to the AP view.
Step 4 Run the quit command to return to the WLAN view.
Step 5 Configure DFS smart selection, the noise floor threshold, and TPC for APs.
1. Run the rrm-profile name profile-name command to enter the RRM profile view.
2. (Optional) Run the dfs smart-selection disable command to disable the DFS smart
selection function.
By default, the DFS smart selection function is enabled.
3. (Optional) Run the dfs recover-delay delay-time command to set the delay in switching
back the DFS channel.
By default, the delay in switching back the DFS channel is 0 minutes. That is, the
channel is switched back to the manually planned channel when the legitimate aging
time (30 minutes) expires.
4. (Optional) Run the calibrate noise-floor-threshold threshold command to specify the
noise floor threshold for triggering radio calibration.
The default noise floor threshold for triggering radio calibration is -75 dBm.
5. (Optional) Run the calibrate tpc threshold threshold command to configure the TPC
coverage threshold.
The default TPC coverage threshold is -60 dBm.
6. (Optional) Run the calibrate max-tx-power power command to set the maximum
transmit power that can be adjusted through radio calibration.
By default, the maximum transmit power that can be adjusted through radio calibration is
127 dBm.
7. (Optional) Run the calibrate min-tx-power power command to set the minimum
transmit power that can be adjusted through radio calibration.
By default, the minimum transmit power that can be adjusted through radio calibration is
9 dBm.
8. (Optional) Run the calibrate error-rate-threshold error-rate-threshold command to set
the BER threshold.
By default, the BER threshold is 60%.
9. (Optional) Run the calibrate error-rate-check interval interval traffic-threshold
traffic-threshold command to set the interval and traffic threshold for checking the BER.
The default interval and traffic threshold for checking the BER are 1 minute and 1250
kbit/s, respectively.
Step 6 Run calibrate enable { auto [ interval interval-value [ start-time start-time ] ] | manual |
schedule time time-value }
By default, the radio calibration mode is auto, the radio calibration interval is 1440 minutes,
and the start time for radio calibration is 03:00:00.
By default, no radio calibration policy is created. Radio calibration policies can be used
together. You can run the command multiple times to configure different radio calibration
policies according to service requirements.
NOTE
If the noise floor threshold for radio calibration is configured in the RRM profile, select noise-floor in the
radio calibration policy. Otherwise, the function cannot take effect.
The noise floor, rogue AP and non-Wi-Fi policies take effect only in automatic radio calibration mode.
l Rogue AP policy: When rogue APs (APs not controlled by the AC) exist on a network, set
the radio calibration policy to rogue-ap. The device then immediately takes actions to avoid
interference. This policy may lead to frequency channel switchovers. You are advised to
use this policy under the instruction of technical support personnel.
l Load policy: When this radio calibration policy is used, the AP traffic load difference is
considered for channel allocation. The device allocates channels with less interference to
APs with heavier loads. The AP load changes over time. You are advised to use this
policy under the instruction of technical support personnel.
l Non-Wi-Fi policy: When non-Wi-Fi interference occurs on a network, the device
immediately takes actions to avoid interference.
l Noise floor policy: When the noise floor of APs is high due to special external
interference, service experience may deteriorate. With this radio calibration policy, the
device takes actions to avoid interference. When detecting that the noise floor of the
current channel exceeds the threshold three consecutive times, an AP notifies the AC
of the high noise floor. The AC then allocates another channel to the AP and does not
allocate the current channel to the AP for 30 minutes.
Step 9 (Optional) Configure the calibration bandwidth and calibration channel set.
NOTE
By default, an air scan channel set contains all channels supported by the corresponding
country code of an AP.
If the radio working mode is set to monitor, the AP scans all channels supported by the
country code.
4. Run the scan-interval scan-time command to set the air scan interval.
Step 12 Bind the radio profile and regulatory domain profile to an AP group or AP. For the detailed
procedure of binding a radio profile, see 5.11.1.5 Binding a Radio Profile.
Binding the radio profile and regulatory domain profile to an AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
Binding the radio profile and regulatory domain profile to an AP
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.
----End
Follow-up Procedure
In any mode, you can run the calibrate manual startup command to trigger the calibration.
In manual mode, the device implements radio calibration only after the calibrate manual
startup command is executed.
Configuration Procedure
You can configure static load balancing and dynamic load balancing as required:
Context
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.
When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.
In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
l If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
l Each load balancing group supports a maximum of 16 APs.
l Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.
Procedure
Step 1 Run system-view
A static load balancing group is created and the static load balancing group view is displayed.
Step 4 Run member { { ap-name ap-name | ap-id ap-id } [ radio radio-id ] }&<1-8>
Step 5 (Optional) Configure the static load balancing mode and related parameters.
Configure static load balancing based on the number of users and channel usage.
1. Run the mode channel-utilization command to configure static load balancing based on
the channel usage.
By default, the start threshold for static load balancing based on the channel usage is
50%.
3. Run the channel-utilization gap-threshold gap-threshold command to set the channel
usage difference threshold for load balancing in a static load balancing group.
By default, the channel usage difference threshold for load balancing in a static load
balancing group is 20%.
Configure static load balancing based on the number of users.
1. Run the mode sta-number command to configure static load balancing based on the
number of users.
By default, static load balancing based on the number of users is used.
2. Run the sta-number start-threshold start-threshold-value command to set the start
threshold for static load balancing based on the number of users.
By default, the start threshold for load balancing in a static load balancing group is 10.
3. Run the sta-number gap-threshold { percentage percentage-value | number number-
value } command to set the load difference threshold for static load balancing based on
the number of users.
By default, the load difference threshold of a static load balancing group based on the
percentage of users is 20%.
Step 6 (Optional) Run deny-threshold deny-threshold
The maximum number of times an AP rejects association requests of a STA is configured for
the static load balancing group.
By default, the maximum number of times an AP rejects association requests of a STA is 3 for
a static load balancing group.
----End
In dynamic load balancing mode, a STA broadcasts Probe Request frames to scan available
APs. The APs that receive the Probe Request frames all report the STA information to the
AC. The AC adds these APs to a load balancing group and then uses a load balancing
algorithm to determine whether to permit access from the STA. If the RSSI threshold of
member devices in a dynamic load balancing group is set, an AP compares the RSSI of a STA
with the configured RSSI threshold after receiving the Probe Request packet sent by the STA.
If the STA's RSSI exceeds the configured RSSI threshold, the AP reports the STA information
to the AC, and the AP is added to the dynamic load balancing group. Otherwise, the AP
directly filters the STA information and does not report the information to the AC, and the AP
will not be added to the dynamic load balancing group.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created and the RRM profile view is displayed.
Step 4 Run sta-load-balance dynamic enable
Dynamic load balancing is enabled.
By default, the dynamic load balancing function is disabled.
Step 5 (Optional) Run sta-load-balance dynamic rssi-threshold rssi-threshold
An RSSI threshold is configured for member devices in the dynamic load balancing group.
By default, the RSSI threshold of member devices in a dynamic load balancing group is -70
dBm.
Step 6 (Optional) Configure the dynamic load balancing mode and related parameters.
Configure dynamic load balancing based on the number of users and channel usage.
Configure dynamic load balancing based on the channel usage.
1. Run the sta-load-balance mode channel-utilization command to configure dynamic
load balancing based on the channel usage.
By default, dynamic load balancing based on the number of users is used.
2. Run the sta-load-balance dynamic channel-utilization start-threshold start-threshold
command to set the start threshold for dynamic load balancing based on the channel
usage.
By default, the start threshold for dynamic load balancing based on the channel usage is
50%.
3. Run the sta-load-balance dynamic channel-utilization gap-threshold gap-threshold
command to set the channel usage difference threshold for load balancing in a dynamic
load balancing group.
By default, the channel utilization difference threshold for load balancing in a dynamic
load balancing group is 20%.
By default, the load difference threshold of a dynamic load balancing group based on the
percentage of users is 20%.
The maximum number of times an AP rejects association requests of a STA is configured for
dynamic load balancing.
Step 10 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Background
NOTE
To allow a STA to preferentially associate with the 5 GHz radio and achieve better access performance,
configure higher power for the 5 GHz radio than for the 2.4 GHz radio.
Single-radio devices do not support the band steering function.
The AP2010DN does not support the band steering function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
A VAP profile is created and the VAP profile view is displayed.
Step 4 Run undo band-steer disable
The band steering function is enabled.
By default, the band steering function is enabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 (Optional) Configure band steering parameters.
1. Run the rrm-profile name profile-name command to create an RRM profile and enter
the RRM profile view.
2. Run the band-steer balance start-threshold start-threshold command to set the start
threshold for load balancing between radios.
By default, the start threshold for load balancing between radios is 100.
3. Run the band-steer balance gap-threshold gap-threshold command to set the load
difference threshold for load balancing between radios.
By default, the load difference threshold for load balancing between radios is 90%.
4. Run the band-steer snr-threshold snr-threshold command to configure a start SNR
threshold for triggering 5G-prior access.
The default start SNR threshold for triggering 5G-prior access is 20 dB.
5. Run the band-steer deny-threshold deny-threshold command to set the maximum
number of times an AP rejects association requests of a STA for band steering.
Only the band steering parameters configured in the 2G radio profile take effect in the system.
Step 9 Bind the radio profile and VAP profile to an AP group or a specific AP. See 5.11.1.5 Binding
a Radio Profile for the detailed procedure of binding a radio profile and 5.11.2.11 Binding
VAP Profiles for the detailed procedure of binding a VAP profile.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
The RRM profile view is displayed.
Step 4 Run undo smart-roam disable
Smart roaming is enabled.
By default, smart roaming is enabled.
Step 5 (Optional) Run undo smart-roam advanced-scan disable
The coordinated scanning function of smart roaming is enabled.
By default, the coordinated scanning function of smart roaming is enabled.
The maximum number of times is set for non-target APs to suppress probing of STAs during
STA steering.
By default, the maximum number of times non-target APs suppress probing of STAs during
migration of the STAs is 5.
The maximum number of times is set for non-target APs to suppress authentication of STAs
during STA steering.
By default, the maximum number of times non-target APs suppress authentication of STAs
during migration of the STAs is 0.
The duration within which non-target APs suppress association of STAs during STA steering
is set.
By default, the duration within which non-target APs suppress association of STAs during
migration of the STAs is 5 seconds.
Step 20 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Pre-configuration Tasks
Before configuring this function, complete the following task:
• Configure basic WLAN services.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
The RRM profile view is displayed.
Step 4 Run undo smart-roam quick-kickoff-threshold disable
The function of quickly disconnecting STAs is enabled.
By default, the function of quickly disconnecting STAs is enabled.
network quality deteriorates. To ensure network access experience of online users, configure
the user CAC function. The user CAC function allows an AP to control user access based on
the thresholds specified according to the radio channel usage, number of online users, or
terminal SNR, which enables provisioning of high-quality network access services.
Pre-configuration Tasks
Before configuring user CAC, perform the task of 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
Step 4 Configure the CAC implementation mode and threshold, and enable CAC.
You can configure any of the preceding CAC implementation modes as required.
User CAC based on channel usage and user CAC based on the number of access users cannot
be configured simultaneously, but either of them can be configured together with user CAC
based on terminal SNR.
By default, the user CAC access and roaming thresholds based on the number of users are both
64.
• CAC based on channel usage
a. Run the uac channel-utilization enable command to enable CAC based on channel
usage.
By default, the user CAC access and roaming thresholds based on channel usage are both 80%.
• CAC based on terminal SNR
a. Run the uac client-snr enable command to enable CAC based on terminal SNR.
b. Run the uac client-snr threshold threshold command to configure the CAC
threshold based on terminal SNR.
NOTE
The AP is configured to automatically hide its SSID when the CAC threshold is reached.
By default, an AP does not hide its SSID when the CAC threshold is reached.
Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Pre-configuration Tasks
Before configuring dynamic EDCA parameter adjustment, perform the task of 5 WLAN
Service Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created and the RRM profile view is displayed.
Step 4 Run dynamic-edca enable
Dynamic EDCA parameter adjustment is enabled.
By default, dynamic EDCA parameter adjustment is disabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the RRM profile to a radio profile.
1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.
Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Radios need to adjust the AMC algorithm according to different scenarios to deliver the
optimal user experience. Three AMC algorithms are available:
• auto-balance: applicable to most wireless scenarios.
• high-stability: applicable to scenarios with continuous interference.
• high-throughput: applicable to scenarios with good wireless signals and non-continuous
interference.
AMC Optimization in High-Density Scenarios
In typical high-density scenarios, a large number of hidden nodes exist, which interfere in
communication between APs and STAs and affect product performance. The AMC
optimization function can reduce such interference and improve the AMC algorithm
performance.
• It is recommended that this function be enabled in high-density scenarios where
directional antennas are used.
• This function is not applicable to scenarios where STAs move fast between APs.
Pre-configuration Tasks
Before configuring the adaptive modulation and coding (AMC) algorithm, perform the task of
5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created, and the RRM profile view is displayed.
Step 4 Run amc-policy { auto-balance | high-stability | high-throughput }
An AMC algorithm is configured for the radio.
By default, a radio uses the AMC algorithm auto-balance.
NOTE
This takes effect only on APs in compliance with 802.11n.
Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Pre-configuration Tasks
Before configuring automatic per packet power adjustment, perform the task of 5 WLAN
Service Configuration.
Procedure
Step 1 Run system-view
Step 6 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Context
After the smart antenna function is enabled, an AP can select a proper antenna array based on
STAs' locations, improving signal strength and user experience.
In the smart antenna algorithm, an AP uses different antenna combinations to send training
packets for antenna training. During smart antenna training, the transmit end (AP) sends
training packets to a receive end (STA). The receive end measures the PER and RSSI in the
received packets, and then sends the PER and RSSI to the transmit end. The transmit end
collects information about all antenna combinations and corresponding PERs and RSSIs to
determine the optimal antenna combination for the receiver.
Procedure
Step 1 Run system-view
By default, the smart antenna function is disabled for APs but enabled for the AP7052DE,
AP2051DN, AP2051DN-E, R251D and R251D-E.
Step 5 Configure smart antenna related parameters.
1. Run the smart-antenna valid-per-scope { high-per-threshold high-per-threshold |
low-per-threshold low-per-threshold } command to configure the upper and lower valid
PER thresholds in the smart antenna algorithm.
The default upper and lower valid PER thresholds are 80% and 20%, respectively.
The PER is a key basis for the smart antenna algorithm. After proper upper and lower
valid PER thresholds are configured, the smart antenna algorithm can select a proper
antenna combination to improve the coverage and anti-interference capability of a
WLAN in indoor coverage scenarios.
2. Run the smart-antenna throughput-triggered-training threshold threshold command
to configure a sudden performance change threshold that triggers antenna training.
The default sudden performance change threshold that triggers smart antenna training is
10%.
In a smart antenna system, the device monitors performance (throughput) of transmit
ends. If the detected throughput of a transmit end exceeds the sudden performance
change threshold specified using the smart-antenna throughput-triggered-training
command, a new round of antenna training is triggered.
– In a good air interface environment, set a high sudden performance change
threshold to prevent frequent antenna training from affecting user services.
– In a poor air interface environment, set a low sudden performance change threshold
to improve the WLAN's anti-interference capability.
3. Run the smart-antenna training-interval training-interval command to configure the
smart antenna training interval.
The default smart antenna training interval is auto, indicating that a smart antenna is
trained in self-adaptation mode.
Configure the smart antenna training interval based on actual situations.
– A short antenna training interval causes frequent antenna training and affects user
services.
– A long antenna training interval prevents the device from switching the antenna
combination in time to adapt to WLAN environment changes.
When the default smart antenna training interval is restored, that is, smart antennas are
trained in self-adaptation mode, the device adaptively calculates the antenna training
interval based on the number of concurrent STAs.
4. Run the smart-antenna training-mpdu-number training-mpdu-number command to
configure the number of MAC protocol data units (MPDUs) sent by an AP to a STA
during smart antenna training.
By default, 640 MPDUs are sent by an AP to a STA during smart antenna training.
If the traffic rate, bandwidth, and air interface rate of the STA are high, set a small value.
Otherwise, set a large value.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Context
The CCA mechanism enables a WLAN chip to determine whether the channel is idle before
transmitting signals to the air interface. If so, the chip transmits signals. If not, the chip waits
until the channel is idle.
The CCA threshold is used by a WLAN chip to determine whether the channel is idle. If the
noise on the channel exceeds the threshold, the chip considers the channel busy. Otherwise,
the chip considers the channel idle.
When deploying a WLAN, set a proper CCA threshold to reduce signal interference and
improve the channel reuse rate.
• If APs are densely deployed, a high CCA threshold is recommended to narrow down the
coverage and skip remote weak signals.
• If APs are sparsely deployed, a low CCA threshold is recommended to maximize the
effective coverage of signals.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run cca-threshold cca-threshold
A CCA threshold is configured.
By default, no CCA threshold is specified. APs use the default CCA threshold of the chip.
NOTE
This command takes effect only on the AD9430DN-12 (including matching RUs), AD9430DN-24 (including
matching RUs), AD9431DN-24X (including matching RUs), AP1050DN-S, AP2030DN, AP2050DN,
AP2050DN-S, AP2050DN-E, AP2051DN, AP2051DN-E, AP3030DN, AP4030DN, AP4130DN,
AP4030DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4050DN, AP4050DN-S, AP4051DN,
AP4151DN, AP4051DN-S, AP4051TN, AP430-E, AP5030DN, AP5030DN-S, AP5130DN, AP6050DN,
AP6150DN, AP6052DN, AP7050DN-E, AP7050DE, AP7052DN, AP7152DN, AP7052DE, AP8030DN,
AP8130DN, AP8130DN-W, AP8050DN, AP8150DN, AP8050DN-S, AP8050TN-HD, AP8082DN,
AP8182DN, AP9131DN, AP9132DN, and AP9330DN.
Step 6 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Context
During radio calibration, run the following command to view radio calibration statistics.
Procedure
• Run the display wlan calibrate statistics { ap-name ap-name | ap-id ap-id } radio
radio-id command to check radio calibration statistics.
----End
Context
Before recollecting radio calibration statistics, run the following command to clear the
existing statistics.
NOTICE
The cleared radio calibration statistics cannot be restored. Exercise caution when you run the
command.
Procedure
Step 1 Run the reset wlan calibrate statistics { ap-name ap-name | ap-id ap-id } radio radio-id
command in the user view to clear radio calibration statistics.
----End
Context
After smart roaming is configured, you can check roam-incapable records of STAs.
Procedure
• Run the display station unsteerable command to check roam-incapable records of
STAs.
----End
Networking Requirements
As shown in Figure 7-11, a large number of APs are deployed in an office building. The APs
connect to the AC through Switch_A to provide wireless services for users.
Manually configuring radio parameters (such as the channel) for the APs one by one would be
a heavy workload. The enterprise IT department requires that the AC automatically allocate
channels to the APs based on radio environments to simplify network deployment.
[Figure 7-11: networking diagram. Internet; Router (GE2/0/0, VLAN 200); AC (GE0/0/2, VLAN 200;
GE0/0/1, VLAN 100); Switch_A (GE0/0/2, VLAN 100; GE0/0/1 and GE0/0/3, VLAN 100); AP area_1 and
AP area_2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the optimal
working channels to the APs.
Item                          Data
DHCP server                   The AC functions as the DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
                              10.23.102.2-10.23.102.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2
# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.
NOTE
This example uses the VLAN assignment algorithm hash. The default VLAN assignment
algorithm is hash. If the default setting has not been changed, you do not need to run the assignment hash
command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses and interface address pools.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Enable automatic channel selection and automatic transmit power selection. By default,
automatic channel selection and automatic transmit power selection are enabled.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 2G radio profile.
# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is manual.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
• # Run the display radio all command on the AC to check radio calibration results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name   RfID Band Type Status CH/BW    CE/ME STA CU
----------------------------------------------------------------------
1     area_2 0    2.4G bgn  on     1/20M    28/28 1   10%
1     area_2 1    5G   an   on     149/20M  29/29 0   15%
0     area_1 0    2.4G bgn  on     6/20M    28/28 1   15%
0     area_1 1    5G   an   on     153/20M  29/29 0   49%
----------------------------------------------------------------------
Total:4
• # Radio calibration stops one hour after the radio calibration is manually triggered. The
following configuration steps are not provided in the configuration file. After that, you
can perform either of the following configurations:
– (Recommended) Set the radio calibration mode to scheduled. Configure the APs to
perform radio calibration in off-peak hours, for example, between 00:00 am and
06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
– Manually fix the working channels of APs: disable automatic channel selection and
automatic transmit power selection in the RRM profile. Manually trigger radio
calibration when new APs are added to the network.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.101.0 255.255.255.0 10.23.200.2
ip route-static 10.23.102.0 255.255.255.0 10.23.200.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
air-scan-profile name wlan-airscan
scan-period 80
scan-interval 80000
rrm-profile name wlan-net
radio-2g-profile name radio2g
rrm-profile wlan-net
air-scan-profile wlan-airscan
radio-5g-profile name radio5g
rrm-profile wlan-net
air-scan-profile wlan-airscan
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Networking Requirements
As shown in Figure 7-12, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.
[Figure 7-12: networking diagram. Internet, Router (GE2/0/0 in VLAN 200), AC (GE0/0/2 in VLAN 200, GE0/0/1 in VLAN 100), Switch_A (GE0/0/2, GE0/0/1, and GE0/0/3 in VLAN 100), APs area_1 and area_2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure static load balancing to prevent one AP from being heavily loaded.
DHCP server | The AC functions as a DHCP server to assign IP addresses to the APs; the Router functions as a DHCP server to assign IP addresses to the STAs.
IP address pool for the APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24, 10.23.102.2-10.23.102.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
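The port isolation and management/service VLAN notes above can be checked mechanically against saved configuration files. The Python audit below is an added example, not part of the Huawei guide: the sample files are constructed, the function names are hypothetical, AP-facing ports are assumed to be trunks whose PVID is the management VLAN (as on Switch_A in this example), and the duplicate ap-mac check is an extra consistency check beyond the notes.

```python
import re

# Constructed sample files in the layout of this guide's "Configuration Files"
# sections (not taken from a device). Three defects are seeded on purpose.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""
AC_CFG = """\
#
vlan pool sta-pool
 vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
 ap-id 0 type-id 19 ap-mac 60de-4476-e360
 ap-id 1 type-id 19 ap-mac 60de-4476-e360
#
return
"""


def sections(cfg):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    chunks = re.split(r"(?m)^[ \t]*(?:#|return)[ \t]*$", cfg)
    secs = ([l.strip() for l in c.splitlines() if l.strip()] for c in chunks)
    return [s for s in secs if s]


def expand_vlans(text):
    """Expand '100 to 102 200' into {100, 101, 102, 200}."""
    vlans = set()
    for part in re.sub(r"(\d+) to (\d+)", r"\1-\2", text).split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vap_profiles(ac_cfg):
    """Map each VAP profile to its forward mode and resolved service VLANs."""
    secs, pools, profiles = sections(ac_cfg), {}, {}
    for sec in secs:  # VLAN pools are top-level sections
        if re.fullmatch(r"vlan pool \S+", sec[0]):
            vlan_lines = [l[5:] for l in sec[1:] if l.startswith("vlan ")]
            pools[sec[0].split()[2]] = expand_vlans(" ".join(vlan_lines))
    for sec in (s for s in secs if s[0] == "wlan"):
        cur = None
        for line in sec[1:]:
            m = re.fullmatch(r"vap-profile name (\S+)", line)
            if m:
                cur = profiles.setdefault(m.group(1), {"mode": None, "vlans": set()})
            elif re.fullmatch(r"\S+( \S+)? name \S+", line) or line.startswith("ap-id "):
                cur = None  # another profile, group or AP entry begins
            elif cur is not None and line.startswith("forward-mode "):
                cur["mode"] = line.split()[1]
            elif cur is not None and line.startswith("service-vlan vlan-pool "):
                cur["vlans"] |= pools.get(line.split()[2], set())
            elif cur is not None and line.startswith("service-vlan vlan-id "):
                cur["vlans"].add(int(line.split()[2]))
    return profiles


def audit(switch_cfg, ac_cfg):
    """Return findings for the port-isolation and VLAN-separation notes."""
    m = re.search(r"(?mi)^[ \t]*capwap source interface vlanif(\d+)[ \t]*$", ac_cfg)
    if m is None:
        return ["AC: no 'capwap source interface vlanif<N>' line, management VLAN unknown"]
    mgmt, findings = int(m.group(1)), []
    for sec in sections(switch_cfg):
        # Assumption: an AP-facing port is a trunk whose PVID is the management VLAN.
        ap_facing = sec[0].startswith("interface ") and f"port trunk pvid vlan {mgmt}" in sec
        if ap_facing and not any(l.startswith("port-isolate enable") for l in sec):
            findings.append(f"{sec[0]}: AP-facing port without port isolation")
    for name, prof in vap_profiles(ac_cfg).items():
        if prof["mode"] == "tunnel" and mgmt in prof["vlans"]:
            findings.append(f"vap-profile {name}: tunnel mode, service VLANs include management VLAN {mgmt}")
    seen = {}  # extra consistency check: one ap-mac must map to one ap-id
    for ap_id, mac in re.findall(r"(?m)^[ \t]*ap-id (\d+) .*?ap-mac (\S+)", ac_cfg):
        if mac in seen:
            findings.append(f"ap-id {ap_id}: ap-mac {mac} already used by ap-id {seen[mac]}")
        seen.setdefault(mac, ap_id)
    return findings
```

Calling `audit(SWITCH_CFG, AC_CFG)` on the seeded samples returns three findings: GE0/0/3 without port isolation, a tunnel-mode VAP profile whose VLAN pool contains VLAN 100, and a repeated ap-mac.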
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2
# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.
NOTE
This example uses the hash VLAN assignment algorithm, which is the default. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses and interface address pools.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Create the static load balancing group and set the start threshold for static load balancing to
15 and load difference threshold to 5%.
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] gap-threshold 5
• When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP with a light load based on the configured load
balancing group.
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
sta-load-balance static-group name wlan-static
start-threshold 15
gap-threshold 5
member ap-name area_1
member ap-name area_2
regulatory-domain-profile name domain1
rrm-profile wlan-net
radio-2g-profile name radio2g
rrm-profile wlan-net
radio-5g-profile name radio5g
rrm-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 7-13, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.
When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, which degrades user experience. The enterprise requires that data traffic be balanced on AP
radios to prevent one AP radio from being heavily loaded.
[Figure 7-13: networking diagram. Internet, Router (GE2/0/0 in VLAN 200), AC (GE0/0/2 in VLAN 200, GE0/0/1 in VLAN 100), Switch_A (GE0/0/2, GE0/0/1, and GE0/0/3 in VLAN 100), APs area_1 and area_2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to the APs; the Router functions as a DHCP server to assign IP addresses to the STAs.
IP address pool for the APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24, 10.23.102.2-10.23.102.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN) and VLANIF 102.
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2
NOTE
This example uses the hash VLAN assignment algorithm, which is the default. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses and interface address pools.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-dynamic to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-dynamic to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit
----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  0/1     2.4G 11n  65/38 -29  101  10.23.101.254
b878-2eb4-2689 1     area_2  0/1     2.4G 11n  78/43 -33  102  10.23.102.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0
• When a new STA requests to connect to AP area_1, the AC uses a dynamic load
balancing algorithm to redirect the STA to the AP with a light load according to the
information reported by APs.
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
As shown in Figure 7-14, 2.4 GHz and 5 GHz wireless networks are deployed in the
conference hall. An AP works on dual frequency bands and directly connects to an AC. STAs
connected to the AP support both 2.4 GHz and 5 GHz frequency bands.
To improve user experience and reduce burden on the 2.4 GHz frequency band, the customer
requires that STAs preferentially connect to the 5 GHz frequency band.
[Figure 7-14: networking diagram. Internet, AC (GE0/0/2 in VLAN 101, GE0/0/1 in VLAN 100), SwitchA (GE0/0/2 and GE0/0/1 in VLAN 100), AP, and two STAs.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and AP.
3. Configure the AP to go online.
a. Create an AP group for unified configuration. The APs that require the same
configuration can be added to the group.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure the band steering function and proper band steering parameters so that STAs
can preferentially access the 5 GHz frequency band.
DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
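The last two notes can be checked against saved configuration files. The lint below is an added example, not Huawei tooling: it reads the management VLAN from the capwap source interface line, flags tunnel-mode VAP profiles whose service VLAN equals it, and flags AP-facing switch ports without port-isolate. Treating a trunk port whose PVID is the management VLAN as AP-facing, and all function and finding names, are assumptions of this example.

```python
import re

PROFILE_HEAD = re.compile(r"^([\w-]+) name (\S+)$")

def sections(cfg):
    """Split a configuration file into blocks delimited by '#' lines."""
    blocks, cur = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks

def management_vlan(ac_cfg):
    """VLAN of the CAPWAP source interface, or None if no VLANIF is configured."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", ac_cfg, re.M | re.I)
    return int(m.group(1)) if m else None

def vap_profiles(ac_cfg):
    """Map each VAP profile to its forwarding mode and service VLAN."""
    profiles = {}
    for block in sections(ac_cfg):
        if block[0] != "wlan":
            continue
        current = None
        for line in block[1:]:
            head = PROFILE_HEAD.match(line)
            if head:
                kind, name = head.groups()
                current = None
                if kind == "vap-profile":
                    # Direct forwarding is assumed when no forward-mode line follows.
                    current = profiles[name] = {"mode": "direct", "vlan": None}
            elif current is not None:
                if line.startswith("forward-mode "):
                    current["mode"] = line.split()[1]
                m = re.match(r"^service-vlan vlan-id (\d+)$", line)
                if m:
                    current["vlan"] = int(m.group(1))
    return profiles

def ap_facing_ports(switch_cfg, mgmt_vlan):
    """Ports whose PVID is the management VLAN (heuristic) -> port-isolate present?"""
    ports = {}
    for block in sections(switch_cfg):
        m = re.match(r"^interface (\S+)$", block[0])
        if m and f"port trunk pvid vlan {mgmt_vlan}" in block:
            ports[m.group(1)] = any(l.startswith("port-isolate enable") for l in block)
    return ports

def audit(ac_cfg, switch_cfg):
    """Return (code, subject, detail) findings for the two configuration notes."""
    mgmt = management_vlan(ac_cfg)
    if mgmt is None:
        return [("NO_MGMT_VLAN", "AC", "no 'capwap source interface vlanifN' line")]
    findings = []
    profiles = vap_profiles(ac_cfg)
    for name, p in sorted(profiles.items()):
        if p["mode"] == "tunnel" and p["vlan"] == mgmt:
            findings.append(("TUNNEL_VLAN_CLASH", name,
                             f"service VLAN {mgmt} equals the management VLAN"))
    direct = any(p["mode"] == "direct" for p in profiles.values())
    for port, isolated in sorted(ap_facing_ports(switch_cfg, mgmt).items()):
        if not isolated:
            context = "direct forwarding in use" if direct else "tunnel forwarding only"
            findings.append(("PORT_NOT_ISOLATED", port, context))
    return findings

# Constructed sample input, abridged from this page's band-steering configuration files.
PAGE_AC = """
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
 rrm-profile name band-steer
  band-steer balance start-threshold 15
#
return
"""
PAGE_SWITCH = """
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
# Constructed variants: one breaks the tunnel-mode rule, one adds port isolation.
BAD_AC = PAGE_AC.replace("vlan-id 101", "vlan-id 100")
ISOLATED_SWITCH = PAGE_SWITCH.replace(
    "pvid vlan 100", "pvid vlan 100\n port-isolate enable group 1")

if __name__ == "__main__":
    for finding in audit(PAGE_AC, PAGE_SWITCH) + audit(BAD_AC, ISOLATED_SWITCH):
        print(finding)
```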
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] undo band-steer disable
[AC-wlan-vap-prof-wlan-vap] quit
# Create the RRM profile band-steer and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name band-steer
[AC-wlan-rrm-prof-band-steer] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-band-steer] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-band-steer] quit
# Create the 2G radio profile radio2g and bind the RRM profile band-steer to the 2G radio
profile.
NOTE
If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile band-steer
[AC-wlan-radio-2g-prof-radio2g] quit
- Run the display vap-profile name wlan-vap command on the AC. The command
output shows that the band steering function is enabled in the VAP profile.
- Run the display rrm-profile name band-steer command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name band-steer
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : enable
UAC check client's SNR : disable
UAC client's SNR threshold(dB) : 20
UAC check client number : disable
UAC client number access threshold : 64
UAC client number roam threshold : 64
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : disable
Band steer deny threshold : 2
Band balance start threshold : 15
Band balance gap threshold(%) : 25
Client's band expire based on continuous probe counts : 35
Station load balance : disable
Station load balance start threshold : 10
Station load balance gap threshold(%) : 20
Station load balance deny threshold : 6
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
- In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name band-steer
band-steer balance start-threshold 15
band-steer balance gap-threshold 25
Networking Requirements
Usually, a large number of APs are deployed on the stadium stand. The APs in Figure 7-15
connect to the AC through Switch_A to provide wireless services for users.
To ensure optimal user experience, the IT Dept of the stadium requires that users associate
with the nearest APs when moving on the stadium stand.
[Figure 7-15: networking diagram. Internet - Router (GE2/0/0, VLAN 200) - AC (GE0/0/2, VLAN 200; GE0/0/1, VLAN 100) - Switch_A (GE0/0/2, VLAN 100; GE0/0/1 and GE0/0/3, VLAN 100) - APs area_1 and area_2]
Data Planning
Configuration Roadmap
Configure smart roaming and proper smart roaming parameters to forcibly disconnect weak-
signal users (especially sticky terminals) so that the users can reconnect or roam to APs with
strong signals.
NOTE
Some terminals on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
terminals fail to roam to neighbor APs with better signals. They are called sticky terminals.
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Check all profiles referenced by the AP group: display ap-group name ap-group1; VAP profile: wlan-net
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit
...
------------------------------------------------------------
# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.
----End
Configuration Files
- AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
smart-roam roam-threshold check-snr
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
Related Topics
- 5.14.2 Example for Configuring WLAN Services on a Medium-Scale Network
Networking Requirements
As shown in Figure 7-16, a wireless network is deployed in the conference hall. The AC
connects to the upper-layer network.
To improve Internet experience of wireless users and prevent fierce competition for wireless
channels among too many access users, the customer requires that the number of access users
be controlled on each AP.
[Figure 7-16: networking diagram. Internet - AC (GE0/0/2, VLAN 101; GE0/0/1, VLAN 100) - SwitchA (GE0/0/2, VLAN 100; GE0/0/1, VLAN 100) - AP - STAs]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure user CAC and adjust CAC parameters to control the number of access users
on each AP.
DHCP server: The AC functions as a DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# In the RRM profile user-cac, enable user CAC based on the number of users and set the
CAC thresholds for new STAs and roaming STAs to 32; enable the function of rejecting
access from weak-signal STAs and set the RSSI threshold to 25 dB; enable the APs to
automatically hide SSIDs when the user count reaches the CAC threshold.
[AC-wlan-view] rrm-profile name user-cac
[AC-wlan-rrm-prof-user-cac] uac client-number enable
[AC-wlan-rrm-prof-user-cac] uac client-number threshold access 32 roam 32
[AC-wlan-rrm-prof-user-cac] uac client-snr enable
[AC-wlan-rrm-prof-user-cac] uac client-snr threshold 25
[AC-wlan-rrm-prof-user-cac] uac reach-access-threshold hide-ssid
[AC-wlan-rrm-prof-user-cac] quit
# Create the 2G radio profile radio2g and bind the RRM profile user-cac to the 2G radio
profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile user-cac
[AC-wlan-radio-2g-prof-radio2g] quit
- Run the display rrm-profile name user-cac command on the AC to check the user
CAC configuration.
[AC-wlan-view] display rrm-profile name user-cac
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : enable
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 25
UAC check client number : enable
UAC client number access threshold : 32
UAC client number roam threshold : 32
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : enable
Band steer deny threshold : 2
Band balance start threshold : 15
Band balance gap threshold(%) : 25
Client's band expire based on continuous probe counts : 35
Station load balance : disable
Station load balance start threshold : 10
Station load balance gap threshold(%) : 20
Station load balance deny threshold : 6
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------
- When the number of users connected to an AP reaches 32 in the conference hall, new
users and roaming users cannot find the SSID wlan-net on their terminals.
----End
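The two verification steps on this page (display rrm-profile name band-steer and display rrm-profile name user-cac) can be automated as a drift check. The script below is an added example, not part of the Huawei guide: it derives the expected display fields from the commands entered in the session and compares them with captured output. The command-to-field mapping is taken from the commands and output shown on this page; the function names and the drifted sample are constructed for illustration.

```python
import re

# How each RRM command used on this page appears in 'display rrm-profile' output.
RULES = [
    (r"uac client-number enable$",
     lambda m: {"UAC check client number": "enable"}),
    (r"uac client-number threshold access (\d+) roam (\d+)$",
     lambda m: {"UAC client number access threshold": m.group(1),
                "UAC client number roam threshold": m.group(2)}),
    (r"uac client-snr enable$",
     lambda m: {"UAC check client's SNR": "enable"}),
    (r"uac client-snr threshold (\d+)$",
     lambda m: {"UAC client's SNR threshold(dB)": m.group(1)}),
    (r"uac reach-access-threshold hide-ssid$",
     lambda m: {"UAC hide SSID": "enable"}),
    (r"band-steer balance start-threshold (\d+)$",
     lambda m: {"Band balance start threshold": m.group(1)}),
    (r"band-steer balance gap-threshold (\d+)$",
     lambda m: {"Band balance gap threshold(%)": m.group(1)}),
]
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*")   # strips "[AC-wlan-rrm-prof-x] "

def expected_fields(session):
    """Translate the commands typed in a CLI session into expected display fields."""
    expected = {}
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        for pattern, to_fields in RULES:
            m = re.match(pattern, cmd)
            if m:
                expected.update(to_fields(m))
    return expected

def parse_display(output):
    """Parse 'Field : value' lines; separator rows and prompts have no colon."""
    fields = {}
    for raw in output.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(\S.*?)\s*$", raw)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def drift(session, output):
    """Return (field, expected, shown) for every field that does not match."""
    shown = parse_display(output)
    return [(field, want, shown.get(field, "<missing>"))
            for field, want in expected_fields(session).items()
            if shown.get(field) != want]

# The user CAC commands from this page.
SESSION = """
[AC-wlan-view] rrm-profile name user-cac
[AC-wlan-rrm-prof-user-cac] uac client-number enable
[AC-wlan-rrm-prof-user-cac] uac client-number threshold access 32 roam 32
[AC-wlan-rrm-prof-user-cac] uac client-snr enable
[AC-wlan-rrm-prof-user-cac] uac client-snr threshold 25
[AC-wlan-rrm-prof-user-cac] uac reach-access-threshold hide-ssid
[AC-wlan-rrm-prof-user-cac] quit
"""
# Abridged from the display output on this page.
DISPLAY_OK = """
------------------------------------------------------------
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 25
UAC check client number : enable
UAC client number access threshold : 32
UAC client number roam threshold : 32
UAC hide SSID : enable
------------------------------------------------------------
"""
# Constructed: the same profile after two settings were changed back.
DISPLAY_DRIFTED = (DISPLAY_OK
                   .replace("access threshold : 32", "access threshold : 64")
                   .replace("hide SSID : enable", "hide SSID : disable"))

if __name__ == "__main__":
    print(drift(SESSION, DISPLAY_OK))
    for row in drift(SESSION, DISPLAY_DRIFTED):
        print(row)
```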
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
have small interference on WLAN devices. This interference can be ignored during WLAN
planning.
8 Spectrum Analysis
Purpose
802.11 wireless technology has been widely used on home networks, SOHOs, and enterprise
networks. Users can easily access the Internet over WLANs. The 802.11 wireless technology
uses public spectrum resources which are also used by Bluetooth devices, cordless phones,
and many other wireless devices. Therefore, severe wireless signal conflict and interference
occur on wireless networks, resulting in poor user experience.
Spectrum analysis allows WLAN devices to identify and display interference sources,
helping users locate them, eliminate the interference, and improve user
experience.
[Figure: spectrum analysis networking, showing interference sources, the AP, the AC, the network, and eSight]
Principles
Spectrum analysis is implemented as follows:
1. The AP functions as the spectrum sampling engine to scan and sample the spectrum.
a. The AP periodically scans the wireless environment.
b. The AP obtains original spectrum sample data from channel scanning. Each
spectrum sample contains a group of subcarriers used for interference
identification.
2. As a spectrum analyzer, the spectrum analysis module of the AP computes the sample
data based on a certain algorithm to identify the non-Wi-Fi devices.
A common algorithm includes pulse signal extraction, pulse signal combining, pulse
clustering, extraction of time signature, extraction of frequency characteristics, period
calculation, and duty cycle calculation.
After the AP computes the characteristics, it can compare one or more characteristics
with the interference source feature database to identify non-Wi-Fi devices.
Currently, the AC can identify baby monitors, Bluetooth devices, digital cordless phones
(at 2.4 GHz frequency band only), wireless audio transmitters, wireless game controllers,
and microwave ovens. Due to differences of individual devices, some of these non-Wi-Fi
devices may not be identified.
The AP records the identified devices into the non-Wi-Fi device list, which you can
query through command lines or on the web platform. If the type of an identified device
is not in the non-Wi-Fi device list, the AP reports an alarm. If the type of the identified
device is already in the list, the AP does not report an alarm. If the device ages, is
manually deleted, or is removed from the detected range, the AP reports a clear alarm.
3. The AP reports the data to the spectrum drawing server for interference visualization.
The AP can report the data to the spectrum drawing server directly or through the AC.
Currently, Huawei only supports the eSight as the spectrum drawing server.
graphs of typical non-Wi-Fi devices. When analyzing the spectrum graphs, users can identify
the interference source types based on the spectrum characteristics.
Typical non-Wi-Fi devices are classified into frequency-hopping devices and fixed-frequency
devices.
- Frequency-hopping devices
The frequency of frequency-hopping devices changes over time. Typical frequency-hopping
devices include cordless phones, Bluetooth devices, and game controllers. A Bluetooth
device is used as an example here. Figure 8-2 shows its spectrum graphs (the horizontal
axis indicates time whereas the vertical axis indicates frequency). Red squares indicate
signals of the Bluetooth device. The Bluetooth device works at 2465 MHz during the
time interval [6, 9] and at 2475 MHz during the time interval [9, 12].
l Fixed-frequency devices
The frequency of fixed-frequency devices remains unchanged. Fixed-frequency devices
include microwave ovens, wireless cameras, and wireless video and audio transmitters.
In terms of occupied bandwidth, fixed-frequency devices are classified into broadband
and narrowband devices.
– Broadband devices: occupy a large bandwidth, such as microwave ovens which
cover channels 11, 12, and 13. Figure 8-3 shows the realtime spectrum of a
microwave oven (the horizontal axis indicates time whereas the vertical axis
indicates frequency). In addition to bandwidth characteristics, the microwave oven
also has obvious frequency scanning features, that is, the center frequency point
drifts up and down.
[Figure: spectrum analysis networking. Labels: digital cordless phone, STA, switch, AC (has spectrum analysis enabled), NMS (interference visualization module); flow label: "Send sampled data to the AC"]
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 8-2 Products and minimum version supporting the WLAN service
Feature Limitations
Configuring Spectrum Analysis
NOTE
Pre-configuration Tasks
Before configuring spectrum analysis, perform the task of 5 WLAN Service Configuration.
Task Description
Configuration Procedure
Perform the following steps in the listed order.
Context
You can configure spectrum analysis on a WLAN with severe interference to determine
whether non-Wi-Fi interference exists on the WLAN.
Procedure
Step 1 Run system-view
Step 4 Run spectrum-analysis server ip-address ip-address port port-number [ via-ac ac-port ac-port-number ]
NOTE
l If the AP uploads the collected data directly to the spectrum server, you do not need to configure the
via-ac ac-port ac-port-number command.
l If the AP uploads the collected data to the spectrum server via the AC, configure the
via-ac ac-port ac-port-number command.
l If no spectrum server is available, to view the spectrum in the web system, specify a valid IP address and
port number for the spectrum server (the specified values do not take effect) and configure the
via-ac ac-port ac-port-number command.
The aging time of non-Wi-Fi devices on the AC during spectrum analysis is configured.
By default, an AC uses the IP address of the outbound interface on the matched route as the
source IP address of packets sent to a spectrum server.
NOTE
l Ensure that the AC IP address manually configured on the spectrum server is the same as that configured
using the spectrum-analysis source command.
l The source IP address must exist on the AC; otherwise, the configuration does not take effect.
l The configured source IP address and the IP address of the spectrum server must be routable to each
other.
You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air
scan profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP
first. For details, see 5.11.1.5 Binding a Radio Profile.
7. Run the air-scan-profile profile-name command to bind the air scan profile to the 2G or
5G radio profile.
By default, the air scan profile default is bound to a radio profile.
8. Run the quit command to return to the WLAN view.
Step 9 Run vap-profile name profile-name
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
Step 11 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
Step 13 Bind the radio profile and spectrum profile to an AP group or AP. For the detailed procedure
of binding a radio profile, see 5.11.1.5 Binding a Radio Profile.
Binding the radio profile and spectrum profile to an AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the ap-system-profile profile-name command to bind the specified AP system
profile to the AP group.
Binding the radio profile and spectrum profile to an AP
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the ap-system-profile profile-name command to bind the specified AP system
profile to the AP.
Step 16 (Optional) Run spectrum-report { ap-name ap-name | ap-id ap-id } radio radio-id
The function of reporting spectrum analysis data is enabled on an AP radio. The spectrum
server uses the reported data to analyze spectrum and draw spectrum graphs.
----End
Context
After spectrum analysis is enabled on the AC, you can view the AP spectrum on the eSight
(V300R003C20) to learn about interference around APs at deployment sites. This helps
identify and locate interference devices on the WLAN in a timely manner so that radio
calibration can be implemented on the WLAN.
NOTE
For dual-band APs, you can view the 2.4 GHz or 5 GHz spectrum graph.
Spectrum graphs include real-time FFT, depth, channel quality, channel quality trend, and
device percentage charts.
Procedure
Step 1 Choose Business > WLAN Management > Region Monitor from the main menu.
Step 2 Use either of the following methods to access the region object manager.
l In the monitoring mode, right-click a region in Resource on the left pane, and select
Region Object Manager.
l In the 360 topology view, click a region name in the region list at the bottom of page to
display the object manager of the selected region.
NOTE
In the region object manager view, you can click to select other regions.
Step 3 Choose AP from the navigation tree of the Region Object Manager.
Step 4 In the AP list, click and select Spectrum Analysis in the Operation column.
Step 5 Click Index Configure, choose a spectrum graph type, and click Confirm to view the
spectrum graph of the selected AP.
----End
Prerequisites
The task of 8.6 Configuring Spectrum Analysis has been performed.
Procedure
l Run the display wlan non-wifi-device { all | { ap-name ap-name | ap-id ap-id } radio
radio-id } command to check information about the detected non-Wi-Fi devices.
l Run the display wlan non-wifi-device history { all | { ap-name ap-name | ap-id ap-id }
radio radio-id } command to check information about non-Wi-Fi devices in the
historical list.
----End
Context
Before recollecting information about non-Wi-Fi devices in a period on an AC, clear existing
information.
NOTICE
The cleared information cannot be restored. Exercise caution when you perform these
operations.
Procedure
l Run the reset wlan non-wifi-device { all | { ap-name ap-name | ap-id ap-id } radio
radio-id } command to clear information about non-Wi-Fi devices.
l Run the reset wlan non-wifi-device history { all | { ap-name ap-name | ap-id ap-id }
radio radio-id } command to clear information about non-Wi-Fi devices in the historical
list.
----End
Networking Requirements
As shown in Figure 8-6, an enterprise deploys basic WLAN services to enable mobile users
to connect to the enterprise network from anywhere at any time. The WLAN SSID is wlan-
net, and STAs automatically obtain IP addresses.
The enterprise is located in an open area, so the WLAN is prone to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.
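[Figure 8-6: networking diagram. Internet, AC (GE0/0/2 in VLAN 101 toward the Internet, GE0/0/1 in VLAN 100 toward SwitchA), SwitchA (GE0/0/2 in VLAN 100 toward the AC, GE0/0/1 in VLAN 100 toward the AP), AP, two STAs]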
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send
alarms to the AC.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile radio2g and bind the air scan profile wlan-airscan to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit
# Create the 5G radio profile radio5g and bind the air scan profile wlan-airscan to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit
# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-
group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Bind the AP system profile spectrum01 to the AP group ap-group1 and enable spectrum
analysis in the AP group.
Sample time(s) : 30
Dynamic blacklist aging time(s): 600
MPP active reselection : disable
AP report to : AC
Server IP : 10.137.43.4
Server port : 55555
AC port : 5001
Device aging-time(minute) : 5
PoE max power : 380000
PoE power reserved(%) : 0
PoE power threshold(%) : 100
PoE af inrush : disable
PoE high inrush : disable
------------------------------------------------------------------------------
l Run the display wlan non-wifi-device all command on the AC to check the detected
non-Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : huawei
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2015-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Total: 1
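To track non-Wi-Fi devices outside the CLI session, the output above can be parsed into records. This is an added example, not Huawei tooling: the second sample record is constructed, and the triage rule (device on the detecting AP's working channel, or duty cycle at or above a threshold) is an assumption, not a rule from this guide.

```python
import re
from dataclasses import dataclass

# First record: the output shown above. Second record: constructed for this example.
SAMPLE = """\
----------------------------------------------------------------
Detect AP name                          : huawei
Detect AP radio ID                      : 1
Detect AP channel                       : 36
Non-Wi-Fi device type                   : 9
Non-Wi-Fi device name                   : Unknown fix freq device
Non-Wi-Fi device frequency type         : Narrow bandwidth
Non-Wi-Fi device channel                : 149,150
Non-Wi-Fi device RSSI                   : -62,-66
Non-Wi-Fi device detect time last       : 2015-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz)  : 5749
Non-Wi-Fi device bandwidth(KHz)         : 70
Non-Wi-Fi device duty(%)                : 100
Non-Wi-Fi device interfere level        : 3
----------------------------------------------------------------
Detect AP name                          : area_1
Detect AP radio ID                      : 0
Detect AP channel                       : 11
Non-Wi-Fi device type                   : 9
Non-Wi-Fi device name                   : Unknown fix freq device
Non-Wi-Fi device frequency type         : Narrow bandwidth
Non-Wi-Fi device channel                : 11,12
Non-Wi-Fi device RSSI                   : -48,-55
Non-Wi-Fi device detect time last       : 2015-07-02/08:17:10
Non-Wi-Fi device center frequency(MHz)  : 2464
Non-Wi-Fi device bandwidth(KHz)         : 70
Non-Wi-Fi device duty(%)                : 40
Non-Wi-Fi device interfere level        : 2
----------------------------------------------------------------
Total: 2
"""

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")   # key up to the first colon, rest is value
RULE = re.compile(r"^-{10,}$")                 # dashed separator between records


@dataclass
class NonWifiDevice:
    ap_name: str
    radio_id: int
    ap_channel: int
    name: str
    channels: list
    rssi: list
    last_seen: str
    duty_pct: int


def parse(text: str) -> list:
    """Parse 'display wlan non-wifi-device' output into NonWifiDevice records.
    Raises ValueError if the output is cut off or disagrees with its Total line."""
    records, current, total = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if RULE.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if not m:
            continue                      # prompt lines and blanks carry no field
        key, value = m.groups()
        if key == "Total":
            total = int(value)
        else:
            current[key] = value
    if current or total != len(records):
        raise ValueError("truncated output or record count mismatch")
    dev = "Non-Wi-Fi device "
    return [NonWifiDevice(
        ap_name=r["Detect AP name"],
        radio_id=int(r["Detect AP radio ID"]),
        ap_channel=int(r["Detect AP channel"]),
        name=r[dev + "name"],
        channels=[int(c) for c in r[dev + "channel"].split(",")],
        rssi=[int(v) for v in r[dev + "RSSI"].split(",")],
        last_seen=r[dev + "detect time last"],
        duty_pct=int(r[dev + "duty(%)"]),
    ) for r in records]


def triage(devices: list, min_duty_pct: int = 50) -> list:
    """Assumed rule: keep devices on the detecting AP's working channel or with a
    duty cycle at or above min_duty_pct; strongest signal first."""
    hits = [d for d in devices
            if d.ap_channel in d.channels or d.duty_pct >= min_duty_pct]
    return sorted(hits, key=lambda d: max(d.rssi), reverse=True)


if __name__ == "__main__":
    for d in triage(parse(SAMPLE)):
        print(d.ap_name, d.radio_id, d.name, d.channels, d.duty_pct, d.last_seen)
```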
In the region object manager view, you can click to select other regions.
c. Choose AP from the navigation tree of the Region Object Manager.
d. In the AP list, click and select Spectrum Analysis in the Operation column.
e. Click Index Configure, choose a spectrum graph type, and click Confirm to view
the spectrum graph of the selected AP.
f. The spectrum graphs show that the interference is mostly within the range of -80
dBm to -40 dBm and most serious on channel 11.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
9 Roaming Configuration
[Figure: WLAN roaming networking diagram. Labels: Internet, AC, AP_1, AP_2, STA]
WLAN roaming includes roaming between APs in the same service VLAN and roaming
between APs in different service VLANs:
l Roaming between APs in the same service VLAN: APs before and after STA roaming
belong to the same service VLAN.
l Roaming between APs in different service VLANs: APs before and after STA roaming
belong to different service VLANs. To prevent services of a user from being interrupted
during WLAN roaming, ensure that the service VLAN of the user remains unchanged
after the user roams between two APs.
Purpose
The biggest advantage of WLAN networks is that a STA can move within a WLAN network
regardless of physical media locations. WLAN roaming ensures that a STA moves within a
WLAN network without interrupting services. An ESS includes multiple APs. When a STA
moves from an AP to another AP, WLAN roaming ensures seamless transition of STA
services between APs.
[Figure: roaming between APs in the same service VLAN. Labels: Internet, AC, AP_1 (VLAN 10), AP_2 (VLAN 10), STA]
Roaming between APs in the same service VLAN is classified into fast and non-fast roaming.
Non-Fast Roaming
Non-fast roaming technology is used when a STA uses a non-WPA2-802.1X security policy.
If a STA uses WPA2-802.1X but does not support fast roaming, the STA still needs to
complete 802.1X authentication before roaming between two APs.
NOTE
If a STA needs to roam between two APs, the APs must have the same SSID and security policy profile.
The names of security profiles can be different but configurations in the security profiles must be the
same.
In Figure 9-2, the STA accesses the Internet through AP_1 and needs to roam from AP_1 to
AP_2. The STA roaming process is as follows:
1. The STA sends a Probe Request frame on each channel. After receiving this, the APs
send Probe Response frames to the STA. After AP_2 receives the Probe Request frame
on channel 6, it sends a Probe Response frame to the STA on channel 6. When the STA
receives Probe Response frames, it selects an AP to associate with according to signal
strength and quality. In this scenario, assume that the STA selects AP_2 to associate
with, as shown in Figure 9-2.
2. The STA sends AP_2 a Re-authentication Request packet on channel 6. After AP_2
authenticates the STA, it sends a Re-authentication Response packet to the STA.
3. The STA sends a Re-association Request packet to AP_2, which then sends the packet to
the AC. The AC sends a Re-association Response packet, allowing the STA to re-
associate with AP_2.
4. The STA re-associates with AP_2 and then disassociates from AP_1. To do so, the STA
sends a Disassociation frame to AP_1 on channel 1.
– If the STA uses the WEP security policy, the STA roaming process is complete.
– If the STA uses the WPA/WPA2-PSK or WPA/WPA2-802.1X security policies, the
STA needs to perform access authentication and key negotiation again. For details
about key negotiation, see Key Negotiation in 12.1.2 WPA/WPA2.
Fast Roaming
When STAs use the WPA2-802.1X security policy and support fast roaming, they do not
need to perform 802.1X authentication again during roaming. They only need to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves WLAN
services.
Fast roaming is implemented using pairwise master key (PMK) caching. In Figure 9-2, the
fast roaming process is as follows:
1. The STA accesses the Internet through AP_1 for the first time. When the AC
authenticates the STA and a PMK is generated, the STA and AC save the PMK
information. Each PMK has a PMK-ID, which is calculated based on the PMK, SSID,
STA MAC address, and BSSID.
2. During roaming, the STA sends AP_2 a Re-association Request packet that carries the
PMK-ID.
3. After AP_2 receives this packet, it notifies the AC that the STA needs to roam from
AP_1 to AP_2.
4. The AC searches the PMK caching table for the PMK of the STA. It does so according to
the PMK-ID carried in the Re-association Request packet. If the AC finds a matching
PMK, the AC considers that 802.1X authentication has been performed on the STA and
uses the cached PMK for key negotiation.
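The PMK caching lookup in steps 1 to 4, as an added example (not Huawei's implementation). It uses the IEEE 802.11 PMKID formula, HMAC-SHA1-128 keyed with the PMK over the label "PMK Name", the BSSID and the STA MAC; the cache class, its per-(SSID, STA MAC) layout, and all keys and addresses are assumptions constructed for the example.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Accept Huawei (60de-4476-e360) or colon notation; return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def pmkid(pmk: bytes, bssid: str, sta_mac: str) -> bytes:
    """IEEE 802.11 PMKID: leftmost 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || BSSID || STA MAC)."""
    msg = b"PMK Name" + mac_bytes(bssid) + mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class PmkCache:
    """Hypothetical AC-side PMK caching table: one PMK per (SSID, STA MAC)."""

    def __init__(self):
        self._entries = {}

    def store(self, ssid: str, sta_mac: str, pmk: bytes) -> None:
        """Step 1: save the PMK after a successful full 802.1X authentication."""
        if len(pmk) != 32:
            raise ValueError("PMK must be 256 bits")
        self._entries[(ssid, mac_bytes(sta_mac))] = pmk

    def evict(self, ssid: str, sta_mac: str) -> None:
        """Drop the entry on logoff, deauthorization or PMK lifetime expiry."""
        self._entries.pop((ssid, mac_bytes(sta_mac)), None)

    def lookup(self, ssid: str, sta_mac: str, new_bssid: str, offered: bytes):
        """Step 4: return the cached PMK if the PMK-ID carried in the
        Re-association Request matches, else None (full 802.1X is required)."""
        pmk = self._entries.get((ssid, mac_bytes(sta_mac)))
        if pmk is None:
            return None
        expected = pmkid(pmk, new_bssid, sta_mac)
        # Constant-time comparison: the PMK-ID is derived from key material.
        return pmk if hmac.compare_digest(expected, offered) else None


def roam_demo() -> dict:
    """Walk steps 1-4 with constructed values; returns what the AC decides."""
    ssid = "wlan-net"
    sta, other_sta = "00e0-fc12-3456", "00e0-fc65-4321"        # constructed MACs
    bssid_ap1, bssid_ap2 = "00e0-fc00-0a10", "00e0-fc00-0a20"  # constructed BSSIDs
    pmk = bytes(range(32))  # constructed stand-in for the PMK produced by 802.1X

    cache = PmkCache()
    cache.store(ssid, sta, pmk)              # step 1: first access through AP_1
    offered = pmkid(pmk, bssid_ap2, sta)     # step 2: STA computes the ID for AP_2
    result = {
        # Matching PMK-ID: 802.1X is skipped, only key negotiation remains.
        "skip_8021x_on_ap2": cache.lookup(ssid, sta, bssid_ap2, offered) == pmk,
        # A PMK-ID computed for AP_1's BSSID does not match at AP_2.
        "ap1_pmkid_rejected_on_ap2":
            cache.lookup(ssid, sta, bssid_ap2, pmkid(pmk, bssid_ap1, sta)) is None,
        # The same PMK-ID presented under another STA MAC finds no entry.
        "other_sta_rejected":
            cache.lookup(ssid, other_sta, bssid_ap2, offered) is None,
    }
    cache.evict(ssid, sta)
    result["rejected_after_evict"] = cache.lookup(ssid, sta, bssid_ap2, offered) is None
    return result


if __name__ == "__main__":
    print(roam_demo())
```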
floors belong to different VLANs, a user's services are interrupted when they roam between
those APs. Inter-VLAN Layer 3 roaming prevents service interruption in this case, improving
WLAN services.
In roaming between APs in different service VLANs, APs belong to different service VLANs
before and after roaming. To prevent a user's services from being interrupted during WLAN
roaming, ensure that their service VLAN remains unchanged after they roam between two
APs.
[Figure: roaming between APs in different service VLANs. Labels: Internet, AC, AP_1 (VLAN10), AP_2 (VLAN20), STA]
Roaming between APs in different service VLANs includes fast and non-fast roaming,
depending on whether the STA supports fast roaming. For details on the implementation of fast and
non-fast roaming, see 9.2.1 Roaming Between APs in the Same Service VLAN. In Figure 9-3,
when the STA roams from AP_1 to AP_2 in different VLANs, the process of keeping the
service VLAN of the STA unchanged is as follows:
1. When the STA accesses the Internet through AP_1 in VLAN 10, the AC determines that
the STA has done so for the first time. The AC then creates and saves STA service data,
including the service VLAN of the AP, AP name, radio, and VAP information.
2. The STA moves from AP_1 to AP_2 in VLAN 20 and re-associates with the AC through
AP_2. The AC determines that the STA is roaming based on user information, so it
updates the service database. It also updates the AP name, radio, and VAP information to
be consistent with AP_2 information, without changing the VLAN ID. The VLAN is still
the service VLAN to which AP_1 belongs.
3. The STA disassociates from AP_1. Although the STA resides on different subnets after
roaming between two APs, the AC still considers that the STA accesses the Internet from
the first VLAN (VLAN 10). This allows the STA to retain its IP address and ensures
uninterrupted services.
Network Architecture
Figure 9-4 shows the inter-AC roaming network architecture. AC_1 and AC_2 manage APs
on the WLAN. AP_1 associates with AC_1, and AP_2 associates with AC_2. A STA roams
on the WLAN. During roaming, the STA associates with different APs. The roaming process
is as follows:
The STA moves from the coverage area of AP_1 to AP_2. Since AP_1 and AP_2 associate
with AC_1 and AC_2, respectively, the STA implements inter-AC roaming. AP_1 and AC_1
are the STA's home AP (HAP) and home AC (HAC), and AP_2 and AC_2 are the STA's
foreign AP (FAP) and foreign AC (FAC). AC_1 and AC_2 must belong to the same
mobility group. The STA can only roam between ACs in the same mobility group. ACs in a
mobility group synchronize data of each other and forward packets over the inter-AC tunnel.
l HAC: AC in a mobility group with which a STA associates for the first time, for
example, AC_1 in Figure 9-4
l HAP: AP in a mobility group with which a STA associates for the first time, for
example, AP_1 in Figure 9-4
l FAC: AC to which a STA roams, for example, AC_2 in Figure 9-4
l FAP: AP to which a STA roams, for example, AP_3 in Figure 9-4
l Inter-AC roaming: A STA roams between different ACs. As shown in Figure 9-4, the
STA roams between different ACs when roaming from AP_1 to AP_3.
l Mobility group: You can add ACs on a WLAN to different groups. STAs can roam
between ACs in the same group. Such a group is called a mobility group.
l Inter-AC tunnel: Inter-AC roaming requires that ACs in a mobility group synchronize
STA and AP information with each other. To enable inter-AC roaming, the ACs set up a
tunnel to synchronize data and forward packets. An inter-AC tunnel is also a CAPWAP
tunnel. For example, AC_1 and AC_2 in Figure 9-4 set up a tunnel for data
synchronization and packet forwarding.
Layer 2 Roaming
As shown in Figure 9-4, after Layer 2 roaming, the STA remains in the same subnet. The
FAP/FAC processes packets of the Layer 2 roaming STA in the same way as it processes
packets of a common online STA. The FAP/FAC forwards the packets on the local network
but does not send the packets back to the HAP/HAC over the inter-AC tunnel.
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP sends it to the HAC.
3. The HAC forwards the service packet to the upper-layer network.

1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC.
3. The FAC forwards the service packet to the upper-layer network.
1. When a STA is connected to the Internet through AP_1 for the first time, the STA is
authenticated by the AC and a PMK is generated.
a. Based on the PMK, the AC generates PMK-R0 (calculated based on the SSID, MDID, AC MAC
address, and STA MAC address) and a PMK-R1 for each AP (calculated based on the
PMK-R0, AP MAC address, and STA MAC address), and delivers the PMK-R1 to AP_1.
b. The STA and AC generate and install the pairwise transient key (PTK) and the
group temporal key (GTK) by performing the 4-way and 2-way handshakes.
NOTE
If open system authentication is used, no PMK is generated.
2. The STA initiates an 802.11 FT authentication request to AP_2 during roaming, and
delivers the PMK-R1 to AP_2.
3. After receiving the request, AP_2 generates and installs a PTK according to PMK-R1
and information contained in the request frame. At the same time, AP_2 starts the re-
association timer, and sends an 802.11 FT authentication response to the STA.
NOTE
If 802.1X authentication is used, the AP reports FT authentication information to the AC for processing
during FT authentication. If open system or PSK authentication is used, the AP does not report FT
authentication information.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response frame. The STA sends AP_2 a re-association
request.
5. After receiving the re-association request, AP_2 disables the re-association timer, and
then sends a re-association response to the STA.
NOTE
If a STA blacklist or whitelist is configured on the AC, the AP reports re-association responses to the
STA during FT re-association and then reports the STA's re-association request to the AC for
processing.
6. After the STA receives the response frame, the roaming is complete.
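The PMK-R0/PMK-R1 hierarchy from step 1a, worked through as an added example (not Huawei's code). It follows the IEEE 802.11 FT key derivation for SHA-256-based AKMs and, as the text describes, takes the AC MAC address as the R0 key-holder ID and the AP MAC address as the R1 key-holder ID; the master key, MDID and all addresses are constructed.

```python
import hashlib
import hmac
import struct


def mac(text: str) -> bytes:
    """Huawei-style MAC (60de-4476-e360) to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def kdf_sha256(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """IEEE 802.11 KDF: HMAC-SHA256 in counter mode. The counter and the
    requested output length are 16-bit little-endian fields of every block."""
    out, counter = b"", 1
    while len(out) * 8 < bits:
        block = struct.pack("<H", counter) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[: bits // 8]


def derive_pmk_r0(master_key: bytes, ssid: bytes, mdid: bytes,
                  ac_mac: bytes, sta_mac: bytes):
    """AC side, once per STA and mobility domain. Returns (PMK-R0, PMKR0Name).
    Inputs match the text: SSID, MDID, AC MAC (R0 key holder), STA MAC."""
    if len(mdid) != 2:
        raise ValueError("MDID is 2 octets")
    context = (bytes([len(ssid)]) + ssid + mdid +
               bytes([len(ac_mac)]) + ac_mac + sta_mac)
    data = kdf_sha256(master_key, b"FT-R0", context, 384)
    pmk_r0, name_salt = data[:32], data[32:48]
    return pmk_r0, hashlib.sha256(b"FT-R0N" + name_salt).digest()[:16]


def derive_pmk_r1(pmk_r0: bytes, pmk_r0_name: bytes,
                  ap_mac: bytes, sta_mac: bytes):
    """One PMK-R1 per AP. Returns (PMK-R1, PMKR1Name).
    Inputs match the text: PMK-R0, AP MAC (R1 key holder), STA MAC."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", ap_mac + sta_mac, 256)
    name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + ap_mac + sta_mac).digest()[:16]
    return pmk_r1, name


def ft_demo() -> dict:
    """Derive the hierarchy on the AC and on the STA with constructed inputs."""
    master_key = bytes(range(32))             # constructed key material
    ssid, mdid = b"wlan-net", bytes.fromhex("a1b2")
    ac, sta = mac("00e0-fc00-0001"), mac("00e0-fc12-3456")
    ap1, ap2 = mac("00e0-fc00-0a10"), mac("00e0-fc00-0a20")

    # AC: PMK-R0 stays on the AC; each AP only ever receives its own PMK-R1.
    r0, r0_name = derive_pmk_r0(master_key, ssid, mdid, ac, sta)
    r1_ap1, _ = derive_pmk_r1(r0, r0_name, ap1, sta)
    r1_ap2, r1_ap2_name = derive_pmk_r1(r0, r0_name, ap2, sta)

    # STA: derives the same keys locally before sending the FT request to AP_2.
    sta_r0, sta_r0_name = derive_pmk_r0(master_key, ssid, mdid, ac, sta)
    sta_r1_ap2, sta_r1_ap2_name = derive_pmk_r1(sta_r0, sta_r0_name, ap2, sta)

    # A different mobility domain yields an unrelated PMK-R0.
    other_r0, _ = derive_pmk_r0(master_key, ssid, bytes.fromhex("ffff"), ac, sta)
    return {
        "sta_and_ac_agree": sta_r1_ap2 == r1_ap2 and sta_r1_ap2_name == r1_ap2_name,
        "per_ap_keys_differ": r1_ap1 != r1_ap2,
        "bound_to_mobility_domain": other_r0 != r0,
        "key_lengths": (len(r0), len(r1_ap2), len(r1_ap2_name)),
    }


if __name__ == "__main__":
    print(ft_demo())
```

Because each PMK-R1 is bound to one AP MAC address, the key delivered to AP_1 cannot stand in for the key AP_2 needs.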
Overview
In healthcare scenarios, handheld healthcare terminals do not comply with the 802.11k,
802.11v, or 802.11r protocol. Therefore, roaming aggressiveness is poor during services
such as ward rounds, infusion checks, and vital sign recording. This may easily cause a high
packet loss ratio and long delay. Users then have to log in to the application software again or
rescan the terminal code. The network access service is interrupted, greatly affecting the working
efficiency of doctors and nurses.
To address these issues, Huawei launches the agile distributed SFN roaming function. (SFN is
short for same-frequency network.) On an agile distributed WLAN network, all RUs
associated with a central AP are deployed on the same channel and communicate with STAs
using the public BSSID. Within the coverage of the SSID signal, freely moving STAs do not
perceive roaming, and services are not interrupted during the roaming.
Compared with traditional intra-central AP roaming, agile distributed SFN roaming
eliminates the impact of STA differences on the roaming effect. Additionally, this roaming
mode is smooth and fast, and significantly reduces the packet loss ratio, without the user
reassociation, authentication, and key negotiation processes.
Implementation
Figure 9-6 shows the implementation of agile distributed SFN roaming.
l STA access
a. All RUs broadcast Beacon frames to STAs using the public BSSID automatically
generated by the central AP based on the MAC address.
b. A STA sends a Probe Request frame. After receiving the Probe Request frame, all
RUs respond with a Probe Response frame using the public BSSID.
c. The STA sends an Auth Request frame. After receiving the Auth Request frame, all
RUs respond with an Auth Response frame using the public BSSID.
d. The STA sends an Assoc Request frame. After receiving the Assoc Request frame,
all RUs forward it to the central AP and notify the central AP of the STA's
signal-to-noise ratio (SNR).
e. The central AP selects an RU with the optimal SNR to respond to the STA with an
Assoc Response. Within a specified period, the central AP discards Assoc Request
frames reported by other RUs. Subsequently, only the selected RU communicates
with the STA.
f. The central AP reports the Assoc Request frame of the STA to the AC. Then the AC
adds STA information to the STA association table.
g. The central AP, RU, and STA perform unicast and multicast key negotiation.
l Roaming switchover
a. The HAP (RU with which the STA first associates) periodically reports the STA
RSSI to the central AP. The FAP (RU to which the STA roams) periodically reports
the RSSI of neighbors to the central AP.
b. The central AP selects the optimal RU as the FAP using the roaming decision
algorithm, and synchronizes STA information to the FAP. The central AP checks the
following switchover conditions in sequence. If any of the conditions is met, a
roaming switchover occurs. If multiple RUs meet the following three conditions,
the RU with the highest RSSI is selected for the roaming switchover.
i. The cumulative RSSI change value of the STA reaches the specified threshold.
ii. The number of times the RSSI of surrounding RUs is higher than that of the
local RU reaches the specified value.
iii. The RSSI gap between the local RU and surrounding RUs reaches the
specified value.
Packet Processing
The following assumes that service data packets are forwarded in direct mode. Figure 9-7
shows how intranet and extranet data packets for agile distributed SFN roaming are
processed. In tunnel forwarding mode, intranet and extranet data packets are forwarded
between the central AP and RUs in the same way as that in direct forwarding mode.
Packets forwarded to the upper-layer network through the user gateway:
Through RU_1:
1. The STA sends service packets to RU_1.
2. After receiving the service packets, RU_1 forwards them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway.
Through RU_2:
1. The STA sends service packets to RU_2.
2. After receiving the service packets, RU_2 forwards them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway.
Packets forwarded to the upper-layer network through the user gateway and egress route:
Through RU_1:
1. The STA sends service packets to RU_1.
2. After receiving the service packets, RU_1 sends them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway and egress route.
Through RU_2:
1. The STA sends service packets to RU_2.
2. After receiving the service packets, RU_2 sends them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway and egress route.
V200R012C00: V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10,
V200R006C20, V200R006C10
V200R011C10: V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20,
V200R006C10
V200R011C00: V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00: V200R007C10, V200R006C20, V200R006C10
V200R009C00: V200R006C20, V200R006C10
V200R008C00: V200R005C30, V200R005C20, V200R005C10
V200R007: V200R005C20, V200R005C10
V200R006: V200R005C00
Client
l To implement the fast roaming feature, the client must support fast roaming technology.
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Run the learn client ip-address enable command in the service set view.
l IEEE 802.11r supports open system, WPA2-PSK, and 802.1X authentication.
l The 802.11r fast roaming and Protected Management Frame (PMF) functions are
mutually exclusive. If the 802.11r fast roaming function has been configured, the PMF
function cannot be configured.
l STAs that are not compatible with 802.11r cannot associate with WLANs on which the
802.11r fast roaming function is enabled. To guarantee normal network services for users,
replace the earlier STA model with one that supports 802.11r, or create two VAPs
using the same SSID, one with 802.11r enabled and the other with it disabled, and retain
the other configurations.
l When 802.1X authentication is used for 802.11r, some STAs may go offline and come
online again during reauthentication due to compatibility issues if 802.1X reauthentication
is enabled.
l Pay attention to the following precautions when configuring agile distributed SFN
roaming:
– Network planning precautions:
n Agile distributed SFN roaming is supported only by the AD9430DN-12
(including matching RUs) and AD9430DN-24 (including matching RUs). RUs
support agile distributed SFN roaming in the following combination modes:
○ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the
R230D and R240D supports agile distributed SFN roaming; the 5
GHz radio does not support it.)
○ Among the R250D, R250D-E, R251D, R251D-E, and R450D
n For the central AP, after agile distributed SFN roaming is enabled, the total
number of agile distributed SFN roaming STAs on a single frequency band
(2.4 GHz or 5 GHz) of all RUs does not exceed 128, and that of STAs
associated with other VAPs on the same band does not exceed 128.
n After agile distributed SFN roaming is enabled, configure all RUs to work on
the same channel. When agile distributed SFN roaming is enabled on the 5
GHz frequency band, configure non-radar channels.
n RUs involved in roaming must be associated with the same central AP. Agile
distributed SFN roaming between central APs is not supported.
n Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed
SFN roaming is not performed on Layer 3.
– Configuration precautions:
n When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5
GHz radios, it is recommended that different SSIDs be used. Otherwise, the
radio switchover may occur, affecting user experience.
n Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
multiple VAPs are configured on a radio, it is recommended that the total VAP
rate limit on all VAPs with agile distributed SFN roaming disabled be set to 5
Mbit/s.
n Radios enabled with agile distributed SFN roaming do not support channel
scanning, channel calibration, or smart roaming.
n Agile distributed SFN roaming can be configured based only on AP groups but
not based on APs.
n RUs involved in agile distributed SFN roaming need to have the following
items configured the same:
○ SSID
○ VAP profile and VAP ID
○ Security policy. Agile distributed SFN roaming supports these encryption
modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X
(EAP authentication), WPA2+802.1X (EAP authentication), WPA-
WPA2+802.1X (EAP authentication), and Portal+PSK.
l Pay attention to the following points when configuring inter-AC roaming:
– Inter-AC roaming is supported only in distributed VXLAN gateway scenarios, and
only Layer 2 inter-AC roaming is supported.
– ACs in the same mobility group must run the same system software of the C
version. Otherwise, inter-AC roaming may fail.
– The mobility group name and IP address for establishing an inter-AC tunnel must
be configured on each AC in the mobility group. ACs must be added to the mobility
group.
– The IP addresses used for establishing an inter-AC tunnel between ACs in a
mobility group must be the CAPWAP source IP addresses of the ACs. When
multiple CAPWAP source IP addresses are configured, only one CAPWAP source IP
address can be used to establish an inter-AC tunnel.
– The mobility group name must be the same on each AC.
– A maximum of 16 ACs can be added to a mobility group, and one AC can be added
only to one mobility group.
Pre-configuration Tasks
Before configuring roaming between APs in the same service VLAN, complete the following
tasks:
Configuration Procedure
You can perform the following operations in any sequence based on the site requirements:
----End
----End
After 802.11r fast roaming is enabled, the re-association timeout period is 1 second by
default.
----End
Procedure
l Run the display station roam-track sta-mac mac-address command to check the
specified STA roaming track.
l Run the display station sta-mac mac-address command to check the access information
about the specified STA and check whether the AP connected to the STA changes.
----End
Before configuring roaming between APs in different service VLANs, complete the following
tasks:
Context
The service VLANs of the APs before and after roaming are different. When roaming
between APs in different VLANs is implemented, the service VLAN of the STA must remain
the original one after the STA roams to another AP. Therefore, the VLAN configuration varies
depending on the forwarding mode. This topic uses a Layer 2 network between the APs and
AC as an example to describe different VLAN configurations.
l Direct forwarding mode
As shown in Figure 9-8, in direct forwarding mode, when a STA roams from AP_1 to
AP_2 and the data packets arrive at AP_2, AP_2 tags the packets with VLAN101 and
forwards them to the upper-level network. When a STA roams from AP_2 to AP_1 and
the data packets arrive at AP_1, AP_1 tags the packets with VLAN102 and forwards
them to the upper-level network.
Figure 9-8 Networking diagram of roaming between APs in different service VLANs in
direct forwarding mode
[Figure 9-8 labels: AP_1 and Switch1; AP_2 and Switch2 (service VLAN: 102, SSID: test,
channel 6); STA; AC; Internet; roaming. Data packet at each hop: STA: 802.11 payload;
AP2: VLAN101, 802.3 payload; Switch2: VLAN101, 802.3 payload; AC: VLAN101, 802.3 payload.]
If the direct forwarding mode is used, configure the interfaces on Switch1 and Switch2
between the APs and AC and the AC interfaces (including the uplink and downlink
interfaces) to permit packets from VLAN101 and VLAN102 to pass through.
NOTE
If no switch exists between the APs and AC, configure the AC interfaces (including the uplink and
downlink interfaces) to permit packets from VLAN101 and VLAN102 to pass through.
l Tunnel forwarding mode
As shown in Figure 9-9, in tunnel forwarding mode, when a STA roams from AP_1 to
AP_2 and the data packets arrive at AP_2, AP_2 tags the packets with VLAN101,
encapsulates the packets in the CAPWAP tunnel, tags the packets with VLAN200, and
forwards them to the AC. When the packets arrive at the AC, the AC decapsulates the
CAPWAP packets, and forwards the packets to the upper-level network device. When a
STA roams from AP_2 to AP_1 and the data packets arrive at AP_1, AP_1 tags the
packets with VLAN102, encapsulates the packets in the CAPWAP tunnel, tags the
packets with VLAN100, and forwards them to the AC. When the packets arrive at the
AC, the AC decapsulates the CAPWAP packets, and forwards the packets to the upper-
level network device.
Figure 9-9 Networking diagram of roaming between APs in different service VLANs in
tunnel forwarding mode
[Figure 9-9 labels: AP_2 and Switch2; STA; SSID: test; channel 6; service VLAN: 102;
management VLAN: 200.]
If the tunnel forwarding mode is used, configure the uplink interface on the AC to permit
packets from VLAN101 and VLAN102 to pass through.
Procedure
You can perform the following operations in any sequence based on the site requirements:
Procedure
Step 1 Configure non-fast roaming.
After basic service configurations are complete, the STAs can implement non-fast roaming.
----End
Procedure
Step 1 Configure fast roaming.
Before configuring PMK fast roaming, ensure that STAs support PMK fast roaming
technology and the security policy configured for each AP involved in roaming is
WPA2-802.1X. After basic service configurations are complete, the STAs can implement
PMK fast roaming.
----End
Procedure
Step 1 Run system-view
After 802.11r fast roaming is enabled, the re-association timeout period is 1 second by
default.
----End
Pre-configuration Tasks
Before configuring inter-AC roaming, complete the following tasks:
l Perform the task of 5 WLAN Service Configuration.
l Perform the following configurations on the APs:
– Associate the APs to different ACs.
– Configure the same security policy.
– Set the same SSID.
– If NAC is configured on ACs, ensure that all ACs engaged in roaming are
configured with the same authentication and authorization policies and deliver the
same authentication and authorization policies to all APs.
Configuration Procedure
through the discovery mechanism, the ACs enter the DTLS negotiation stage, in which the
ACs use DTLS to set up a tunnel and encrypt UDP packets forwarded in the tunnel. This
improves packet transmission security.
It is recommended that you configure the same PSK on the ACs at both ends before enabling
DTLS encryption. In this way, the ACs have the same PSK. If you enable DTLS encryption
first, and the ACs have different PSKs, DTLS negotiation fails. As a result, the tunnel cannot
be set up between the two ACs.
Procedure
Step 1 Run system-view
----End
Context
In inter-AC roaming scenarios, ACs may need to exchange sensitive information such as the
user name and password. The PSK is required to protect data transmitted between the ACs.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mobility-server local ip-address ipv4-address
A local IP address is configured for setting up links between ACs in a mobility group.
By default, no local IP address is configured for setting up links between ACs in a mobility
group.
Step 4 Run mobility-group name group-name
The mobility group view is displayed.
By default, no mobility group is created.
Step 5 Run member ip-address ipv4-address [ description description ]
A member AC is added to the mobility group.
By default, no member AC is added to a mobility group.
The IP address added in this step is the AC's source IP address.
----End
----End
Procedure
l Run the display mobility-group { name group-name | all } command to view
configurations of a mobility group.
----End
Pre-configuration Tasks
Before configuring agile distributed SFN roaming, complete the following tasks:
l Configure the central AP and RUs to go online.
l Configure STAs to go online.
l Configure all RUs to work on the same channel. For details, see 5.11.1.1 Configuring
Basic Radio Parameters.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
By default, the system provides the VAP profile default.
Step 4 Run sfn-roam enable
Agile distributed SFN roaming is enabled.
By default, agile distributed SFN roaming is disabled.
Step 5 Bind the VAP profile to an AP group. For details, see 5.11.2.11 Binding VAP Profiles.
Step 6 Run quit
Return to the WLAN view.
Step 7 (Optional) Configure agile distributed SFN roaming parameters.
1. Run the rrm-profile name profile-name command to create an RRM profile and enter
the RRM profile view.
By default, the system provides the RRM profile default.
2. Configure agile distributed SFN roaming decision parameters.
– Run the sfn-roam roam-check check-interval check-interval-value command to
set the decision period for agile distributed SFN roaming.
The default decision period for agile distributed SFN roaming is 700 milliseconds.
– Run the sfn-roam report-interval report-interval-value command to set the
interval for RUs to report STA RSSIs.
By default, RUs report STA RSSIs to the central AP at an interval of 400
milliseconds.
– Run the sfn-roam roam-check sta-holding times sta-holding-times command to
set the number of STA holding times for agile distributed SFN roaming.
By default, the number of STA holding times for agile distributed SFN roaming is
3.
– Configure parameters that affect criteria for determining the cumulative RSSI
change value of STAs.
n Run the sfn-roam roam-check rssi-accumulate threshold rssi-accumulate-
value command to set the cumulative RSSI change threshold for agile
distributed SFN roaming.
By default, the cumulative RSSI change threshold of agile distributed SFN
roaming STAs is 8 dB.
– Configure parameters that affect criteria for determining the RSSI gap.
n Run the sfn-roam roam-check gap-rssi gap-rssi command to set the RSSI
gap for agile distributed SFN roaming RUs.
The default RSSI gap for agile distributed SFN roaming RUs is 6 dB.
– Configure parameters that affect criteria for determining the higher RSSI of agile
distributed roaming RUs than that of the local RU.
n Run the sfn-roam roam-check better-times better-times command to set the
number of times the RSSI of agile distributed SFN roaming RUs is higher than
that of the local RU.
By default, the number of times the RSSI of agile distributed SFN roaming
RUs is higher than that of the local RU is 2.
n Run the sfn-roam roam-check high-threshold high-threshold-value
command to set the upper RSSI threshold for agile distributed SFN roaming.
By default, the upper RSSI threshold for agile distributed SFN roaming is -55
dBm.
n Run the sfn-roam roam-check low-threshold low-threshold-value command
to set the lower RSSI threshold for agile distributed SFN roaming.
By default, the lower RSSI threshold for agile distributed SFN roaming is -60
dBm.
3. Run the quit command to return to the WLAN view.
4. Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
5. Configure radio parameters related to agile distributed SFN roaming.
– Run the cts disable command to disable RUs from responding to STAs with CTS
packets.
By default, RUs are enabled to respond to STAs with CTS packets.
– Run the cts delay delay-time command to set a delay for RUs to respond to STAs
with CTS packets.
By default, RUs respond to STAs with CTS packets with no delay.
– Run the beacon disable command to disable RUs from sending Beacon frames.
By default, RUs are enabled to send Beacon frames.
6. Run the quit command to return to the AP group view.
7. Run the quit command to return to the WLAN view.
8. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
9. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
10. Run the quit command to return to the WLAN view.
11. Bind the radio profile to an AP group. For details, see 5.11.1.5 Binding a Radio Profile.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 9-10, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 9-10 Networking diagram for configuring non-fast roaming between APs in the same
service VLAN
[Figure 9-10 labels: Internet; AC; SwitchA; interface labels GE0/0/3 (VLAN 101),
GE0/0/1 (VLAN 100), GE0/0/3 (VLAN 100), GE0/0/1 (VLAN 100), GE0/0/2 (VLAN 100);
AP1: area_1; AP2: area_2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services to enable the STAs to connect to the WLAN.
DHCP server: The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for the STAs: 10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
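Added example (not part of the original guide and not Huawei tooling): a Python check that applies the port isolation and management/service VLAN notes above to configuration text. The sample configuration, the profile name wlan-vap-bad, the rule that a trunk whose PVID is the management VLAN is AP-facing, and treating a profile without a forward-mode line as direct forwarding are assumptions.

```python
import re

# Constructed sample: Switch_A and AC settings modelled on this example, concatenated.
# The one-space-per-level indentation and '#' separators are an assumed layout.
# wlan-vap-bad is a hypothetical profile added to trigger a finding.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-vap-bad
  forward-mode tunnel
  service-vlan vlan-id 100
#
"""

def parse_blocks(config, header_re):
    """Return {name: [sub-commands]} for each block whose header matches header_re."""
    blocks, name, depth = {}, None, 0
    for raw in config.splitlines():
        line = raw.rstrip()
        text = line.strip()
        if not text:
            continue
        if text == "#":              # section separator ends the current block
            name = None
            continue
        indent = len(line) - len(line.lstrip())
        match = header_re.match(text)
        if match:
            name, depth = match.group(1), indent
            blocks[name] = []
        elif name is not None and indent > depth:
            blocks[name].append(text)
        else:
            name = None              # dedent: the block is over
    return blocks

def expand_vlans(tokens):
    """Expand allow-pass arguments such as ['100', '200', 'to', '203'] into a set."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def audit(config, mgmt_vlan):
    """Return a list of (object name, finding) tuples for the two configuration notes."""
    findings = []
    vaps = parse_blocks(config, re.compile(r"vap-profile name (\S+)$"))
    ifaces = parse_blocks(config, re.compile(r"interface (\S+)$"))
    tunnel_vlans = set()
    for name, cmds in vaps.items():
        # Assumption: no explicit forward-mode line means direct forwarding.
        mode = next((c.split()[1] for c in cmds if c.startswith("forward-mode ")), "direct")
        svc = next((int(c.split()[-1]) for c in cmds
                    if c.startswith("service-vlan vlan-id ")), None)
        if mode == "tunnel" and svc is not None:
            tunnel_vlans.add(svc)
            if svc == mgmt_vlan:
                findings.append((name, "tunnel forwarding with service VLAN equal to management VLAN"))
    for name, cmds in ifaces.items():
        # Heuristic (assumption): a trunk whose PVID is the management VLAN faces an AP.
        if f"port trunk pvid vlan {mgmt_vlan}" not in cmds:
            continue
        if "port-isolate enable" not in cmds:
            findings.append((name, "AP-facing port without port isolation"))
        allowed = set()
        for c in cmds:
            if c.startswith("port trunk allow-pass vlan "):
                allowed |= expand_vlans(c.split()[4:])
        leaked = sorted((allowed & tunnel_vlans) - {mgmt_vlan})
        if leaked:
            findings.append((name, f"tunnel-mode service VLAN {leaked} permitted on AP-facing port"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_CONFIG, mgmt_vlan=100):
        print(f"{obj}: {finding}")
```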
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4
In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 9-11, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The security policy WPA2-802.1X is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 9-11 Networking diagram for configuring fast roaming between APs in the same
service VLAN
[Figure: AP1 (area_1) and AP2 (area_2) attach to Switch_A GE0/0/1 and GE0/0/2 (VLAN 100);
Switch_A GE0/0/3 connects to AC GE0/0/1 (VLAN 100); AC GE0/0/3 (VLAN 101) leads to the
Internet and AC GE0/0/4 (VLAN 102) to the RADIUS server at 10.23.103.1:1812.]
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2+802.1X+AES is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming between APs in
the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
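The port-isolation and tunnel-forwarding notes above can be checked offline against saved configuration files. The following Python check is an added example, not part of Huawei's guide: the sample configurations are constructed, and it assumes that AP-facing switch ports are the ones whose PVID is the management VLAN (as in this guide's examples) and that a VAP profile with no forward-mode line uses direct forwarding.

```python
import re

# Constructed sample configurations, modelled on the configuration files in this
# guide. GE0/0/2 lacks port isolation and wlan-vap2 reuses the management VLAN.
SWITCH_CFG = """\
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""

AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name wlan-vap3
  service-vlan vlan-id 100
#
return
"""


def management_vlan(ac_cfg):
    """VLAN of the CAPWAP source interface, or None if it is not configured."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def vap_profiles(ac_cfg):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles, cur = {}, None
    for raw in ac_cfg.splitlines():
        line = raw.strip()  # indentation is not relied on
        m = re.match(r"vap-profile name (\S+)$", line)
        if m:
            # Assumption: no forward-mode line means direct forwarding.
            cur = profiles.setdefault(m.group(1), {"mode": "direct", "vlan": None})
        elif line == "#" or re.match(r"(\S+ name\s|ap-id\s)", line):
            cur = None  # another profile, AP group or AP definition starts
        elif cur is not None:
            if line == "forward-mode tunnel":
                cur["mode"] = "tunnel"
            m = re.match(r"service-vlan vlan-id (\d+)$", line)
            if m:
                cur["vlan"] = int(m.group(1))
    return profiles


def switch_interfaces(sw_cfg):
    """Map each interface name to the list of commands configured under it."""
    ifs, cur = {}, None
    for raw in sw_cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifs.setdefault(m.group(1), [])
        elif line in ("#", "return"):
            cur = None
        elif cur is not None:
            cur.append(line)
    return ifs


def audit(ac_cfg, sw_cfg):
    """Return (object, finding) pairs for violations of the two notes."""
    findings = []
    mgmt = management_vlan(ac_cfg)
    if mgmt is None:
        findings.append(("AC", "no CAPWAP source VLANIF found; management VLAN unknown"))
    for name, p in sorted(vap_profiles(ac_cfg).items()):
        if p["mode"] == "tunnel" and mgmt is not None and p["vlan"] == mgmt:
            findings.append((name, f"tunnel forwarding but service VLAN {mgmt} is the management VLAN"))
    for ifname, lines in switch_interfaces(sw_cfg).items():
        # Assumption: a port whose PVID is the management VLAN faces an AP.
        ap_facing = f"port trunk pvid vlan {mgmt}" in lines
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if ap_facing and not isolated:
            findings.append((ifname, "AP-facing port without port-isolate enable"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit(AC_CFG, SWITCH_CFG):
        print(f"{obj}: {msg}")
```

wlan-vap3 is not reported because the note restricts only tunnel forwarding, and GE0/0/3 is not reported because it is the uplink to the AC rather than an AP-facing port.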
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs, and configure
VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group1  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------------
Total: 2
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.
# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
Step 7 Configure an 802.1X access profile to manage 802.1X access control parameters.
Step 8 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 9-12, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The default security policy (WEP open system authentication) is used. User
data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 9-12 Networking diagram for configuring non-fast roaming between APs in different
service VLANs
[Figure: AP1 (area_1) and AP2 (area_2), each serving a STA, attach to SwitchA GE0/0/1 and
GE0/0/2 (VLAN 100); SwitchA GE0/0/3 connects to AC GE0/0/1 (VLAN 100); AC GE0/0/3
(VLAN 101 and VLAN 102) leads to the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services to enable the STAs to connect to the WLAN.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
                              10.23.102.2-10.23.102.254/24
• Name: ap-group2
• Referenced profile: VAP profile wlan-vap2 and regulatory domain
  profile domain1
• Name: wlan-vap2
• Forwarding mode: tunnel forwarding
• Service VLAN: VLAN 102
• Referenced profile: SSID profile wlan-ssid and security profile wlan-security
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit
Step 4 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import APs offline on the AC and add AP1 to AP group ap-group1 and AP2 to AP group
ap-group2. Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name the AP area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group2  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, set the data forwarding mode and service
VLANs, and apply the security profile wlan-security and SSID profile wlan-ssid to the VAP
profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] quit
# Bind VAP profile wlan-vap1 to AP group ap-group1, and VAP profile wlan-vap2 to AP
group ap-group2, and apply the VAP profiles to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4
In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
• SwitchA configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap2 wlan 1
radio 1
vap-profile wlan-vap2 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group2
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 9-13, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The security policy WPA2+802.1X+AES is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.
Figure 9-13 Networking diagram for configuring fast roaming between APs in different
service VLANs
[Figure not reproduced. Labels in the diagram: Internet, AC, RADIUS server
(10.23.103.1:1812), SwitchA, AP1, and AP2; interface labels GE0/0/1, GE0/0/2, GE0/0/3,
and GE0/0/4; VLAN 100, VLAN 101, VLAN 102, and VLAN 103.]
Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2+802.1X+AES is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming between APs in
the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
                              10.23.102.2-10.23.102.254/24
l Name: ap-group2
l Referenced profile: VAP profile wlan-vap2 and regulatory domain
profile domain1
l Name: wlan-vap2
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 102
l Referenced profile: SSID profile wlan-ssid, security profile wlan-
security, and authentication profile wlan-authentication
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit
Step 4 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs,
and configure VLANIF 103 to allow the AC to communicate with the RADIUS server.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.
# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
Step 6 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x
Step 7 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import APs offline on the AC and add AP1 to AP group ap-group1 and AP2 to AP group
ap-group2. Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name the AP area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group2  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------------
Total: 2
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, set the data forwarding mode and service
VLANs, and apply the security profile wlan-security, SSID profile wlan-ssid, and
authentication profile wlan-authentication to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
# Bind VAP profile wlan-vap1 to AP group ap-group1, and VAP profile wlan-vap2 to AP
group ap-group2, and apply the VAP profiles to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
After the configuration is complete, the STA can discover the WLAN with the SSID wlan-net
in the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name
and password. If the authentication succeeds, the STA can connect to the Internet. Configure
the STA according to the configured authentication mode PEAP.
l Configuration on the Windows XP operating system:
a. On the Association tab page of the Wireless network properties dialog box, add
SSID wlan-net, set the authentication mode to WPA2, encryption mode to CCMP,
and encryption algorithm to AES.
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
l Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
b. Click Change connection settings. On the Wireless Network Properties page that
is displayed, select the Security tab page and click Settings. On the Protected EAP
Properties page, deselect Validate server certificate and click Configure. On the
dialog box that is displayed, deselect Automatically use my Windows logon name
and password and click OK.
c. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication mode, set
the identity authentication mode to User authentication, and click OK.
In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password 123456. After the STA successfully associates with the network, run
the display station ssid wlan-net command on the AC. The command output shows that the
STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 38/64 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage of AP1 to AP2, run the display station ssid
wlan-net command on the AC to check the STA access information. The STA is associated
with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
authentication-profile name wlan-authentication
dot1x-access-profile wlan-dot1x
access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
#
return
Networking Requirements
Enterprise users expect to access the Internet through a WLAN to meet the basic mobile
office requirements. They also require that services be uninterrupted when roaming within the
coverage area of the WLAN.
l AC networking mode: AC_1 and AC_2 in the same mobility group
l DHCP deployment mode: Configure AC_1 as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Configuration Roadmap
1. Configure network connectivity between APs, ACs, and other network devices.
2. Configure the APs to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to enable inter-AC Layer 2 roaming.
Item                Data
DHCP server         AC_1 functions as a DHCP server to assign IP addresses to APs and STAs.
Roaming parameters  l AC_1
                      – IP address for establishing an inter-AC tunnel in the mobility group: 10.23.100.1
                      – Mobility group name: mobility
                      – Mobility group members: AC_1 and AC_2
                    l AC_2
                      – IP address for establishing an inter-AC tunnel in the mobility group: 10.23.100.2
                      – Mobility group name: mobility
                      – Mobility group members: AC_1 and AC_2
Configuration Precautions
l Inter-AC roaming is supported only in distributed VXLAN gateway scenarios, and only
Layer 2 inter-AC roaming is supported.
l ACs in the same mobility group must run system software of the same C version.
Otherwise, inter-AC roaming may fail.
l The mobility group name and IP address for establishing an inter-AC tunnel must be
configured on each AC in the mobility group. ACs must be added to the mobility group.
l The IP addresses used for establishing an inter-AC tunnel between ACs in a mobility
group must be the CAPWAP source IP addresses of the ACs. When multiple CAPWAP
source IP addresses are configured, only one CAPWAP source IP address can be used to
establish an inter-AC tunnel.
l The mobility group name must be the same on each AC.
l A maximum of 16 ACs can be added to a mobility group, and one AC can be added only
to one mobility group.
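The mobility-group rules in the Configuration Precautions above, and the earlier Configuration Notes rule that the management VLAN and service VLAN cannot be the same in tunnel forwarding mode, can be checked against saved AC configuration files before roaming is enabled. The following Python example is added here and is not Huawei code: parse_ac_config, audit_mobility and sample_ac are hypothetical names, the sample configurations are constructed in the layout of the configuration files in this document, and treating the VLAN of the CAPWAP source VLANIF as the management VLAN is an assumption.

```python
import re

MAX_GROUP_MEMBERS = 16  # limit stated in the Configuration Precautions

def parse_ac_config(text):
    """Pull the roaming-related settings out of one AC configuration file."""
    cfg = {"sysname": None, "if_ip": {}, "capwap_if": None,
           "local_ip": None, "groups": {}, "vaps": {}}
    iface = vap = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # '#' closes the current top-level stanza
            iface = vap = group = None
        elif m := re.fullmatch(r"sysname (\S+)", line):
            cfg["sysname"] = m[1]
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m[1].lower()
        elif iface and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            cfg["if_ip"][iface] = m[1]
        elif m := re.fullmatch(r"capwap source interface (\S+)", line):
            cfg["capwap_if"] = m[1].lower()
        elif m := re.fullmatch(r"mobility-server local ip-address (\S+)", line):
            cfg["local_ip"] = m[1]
        elif m := re.fullmatch(r"(\S+) name (\S+)", line):  # a named profile or group starts
            vap = group = None
            if m[1] == "vap-profile":
                vap = cfg["vaps"].setdefault(m[2], {"mode": None, "vlan": None})
            elif m[1] == "mobility-group":
                group = cfg["groups"].setdefault(m[2], [])
        elif vap is not None and (m := re.fullmatch(r"forward-mode (\S+)", line)):
            vap["mode"] = m[1]
        elif vap is not None and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
            vap["vlan"] = int(m[1])
        elif group is not None and (m := re.fullmatch(r"member ip-address (\S+)", line)):
            group.append(m[1])
    return cfg

def audit_mobility(config_texts):
    """Check the ACs of one intended mobility group; return a list of findings."""
    findings, parsed = [], [parse_ac_config(t) for t in config_texts]
    for c in parsed:
        name = c["sysname"]
        source_ip = c["if_ip"].get(c["capwap_if"])
        # Assumption: the management VLAN is the VLAN of the CAPWAP source VLANIF.
        mgmt = re.fullmatch(r"vlanif(\d+)", c["capwap_if"] or "")
        for vap_name, vap in c["vaps"].items():
            if mgmt and vap["mode"] == "tunnel" and vap["vlan"] == int(mgmt[1]):
                findings.append(f"{name}: VAP profile {vap_name} tunnels service "
                                f"VLAN {vap['vlan']}, which is the management VLAN")
        if len(c["groups"]) != 1:
            findings.append(f"{name}: expected one mobility group, found {len(c['groups'])}")
            continue
        members = next(iter(c["groups"].values()))
        if c["local_ip"] != source_ip:
            findings.append(f"{name}: inter-AC tunnel address {c['local_ip']} is not "
                            f"the CAPWAP source address {source_ip}")
        if c["local_ip"] not in members:
            findings.append(f"{name}: local address {c['local_ip']} is not a group member")
        if len(members) > MAX_GROUP_MEMBERS:
            findings.append(f"{name}: {len(members)} members exceed {MAX_GROUP_MEMBERS}")
    if len({g for c in parsed for g in c["groups"]}) > 1:
        findings.append("mobility group name differs between ACs")
    if len({frozenset(m) for c in parsed for m in c["groups"].values()}) > 1:
        findings.append("mobility group member list differs between ACs")
    return findings

def sample_ac(name, ip, local_ip, group, service_vlan):
    """Constructed sample in the layout of the AC configuration files in this document."""
    return f"""#
sysname {name}
#
interface Vlanif100
 ip address {ip} 255.255.255.0
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id {service_vlan}
 mobility-server local ip-address {local_ip}
 mobility-group name {group}
  member ip-address 10.23.100.1
  member ip-address 10.23.100.2
#
return
"""

AC_1 = sample_ac("AC_1", "10.23.100.1", "10.23.100.1", "mobility", 101)
AC_2 = sample_ac("AC_2", "10.23.100.2", "10.23.100.2", "mobility", 101)
AC_2_BAD = sample_ac("AC_2", "10.23.100.2", "10.23.101.2", "mobility2", 100)  # constructed faults

if __name__ == "__main__":
    for finding in audit_mobility([AC_1, AC_2_BAD]):
        print(finding)
```

The C-version rule cannot be checked this way, because the software version does not appear in a configuration file.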
Procedure
Step 1 Set the NAC mode to unified on AC_1 and AC_2 so that STAs can connect to the WLAN.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the ACs.
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100 (default VLAN of GE0/0/1).
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on AC_2 to VLAN 100, and GE0/0/2 to VLAN 100 and VLAN 101.
[HUAWEI] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_2-Vlanif100] quit
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.2 255.255.255.0
[AC_2-Vlanif101] quit
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Create a regulatory domain profile, configure the country code for AC_1 in the profile, and
bind the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import an AP offline on AC_1 and add the AP to the AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you will know where the AP is deployed from its name. If the
AP with MAC address 60de-4476-e360 is in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and configure a security policy in the profile.
NOTE
The following example sets the security policy to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, configure the security policy based on service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP group, and apply configurations of VAP profile wlan-net to
radios 0 and 1 of the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
Step 7 Configure APs to go online on AC_2 and set WLAN service parameters.
Configure APs on AC_2 to go online and set WLAN service parameters according to the
configuration process on AC_1. For details about the configurations, see the configuration file
of AC_2. The following lists configuration differences between AC_1 and AC_2:
l An AP5030DN with MAC address dcd2-fc04-b500 is configured to go online on AC_2
and the AP name is set to area_2.
# Create a mobility group, and add AC_1 and AC_2 to the mobility group.
[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.100.2
[AC_1-mc-mg-mobility] quit
# Create a mobility group, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.100.2
[AC_2-mc-mg-mobility] quit
# Run the display mobility-group name mobility command on AC_1 to check working
states of AC_1 and AC_2. If State displays normal, AC_1 and AC_2 work properly.
# In the coverage area of AP_1, connect a STA to the WLAN with SSID wlan-net and enter
the password a1234567. After the STA successfully associates with the WLAN, run the
display station ssid wlan-net command on AC_1 to check STA information. The command
output shows that the STA with MAC address e019-1dc7-1e08 is associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# After the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station assoc-info sta all command on AC_2 to check the STA's access information. The
command output shows that the STA is associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L2 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
mobility-server local ip-address 10.23.100.1
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
l AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-server local ip-address 10.23.100.2
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
A hospital wants to deploy an agile distributed WLAN to provide WLAN access to doctors
and nurses, meeting their basic office requirements. The administrator requires that roaming
within the coverage area be imperceptible to STAs and not interrupt services.
[Figure: networking diagram showing the Internet, Router, SwitchA, AC, information system,
central AP, ru_1, ru_2, and a STA roaming between ru_1 and ru_2, with interface labels
GE1/0/0, GE0/0/1 to GE0/0/4, and GE0/0/25.]
Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
3. Configure the central AP and RUs to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure agile distributed SFN roaming.
Item | Data
IP address pool for the central AP and RUs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
Agile distributed SFN roaming | Enabled
Configuration Notes
l Network planning precautions:
– Agile distributed SFN roaming is supported only by the AD9430DN-12 (including
matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile
distributed SFN roaming in the following combination modes:
n Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D
and R240D supports agile distributed SFN roaming; the 5 GHz radio does
not support it.)
n Among the R250D, R250D-E, R251D, R251D-E and R450D
– For the central AP, after agile distributed SFN roaming is enabled, the total number
of agile distributed SFN roaming STAs on a single frequency band (2.4 GHz or 5
GHz) of all RUs does not exceed 128, and that of STAs associated with other VAPs
on the same band does not exceed 128.
– After agile distributed SFN roaming is enabled, configure all RUs to work on the
same channel. When agile distributed SFN roaming is enabled on the 5 GHz
frequency band, configure non-radar channels.
– RUs involved in roaming must be associated with the same central AP. Agile
distributed SFN roaming between central APs is not supported.
– Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed SFN
roaming is not performed on Layer 3.
l Configuration precautions:
– When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5 GHz
radios, it is recommended that different SSIDs be used. Otherwise, the radio
switchover may occur, affecting user experience.
– Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
multiple VAPs are configured on a radio, it is recommended that the total VAP rate
limit on all VAPs with agile distributed SFN roaming disabled be set to 5 Mbit/s.
– Radios enabled with agile distributed SFN roaming do not support channel
scanning, channel calibration, or smart roaming.
– Agile distributed SFN roaming can be configured based only on AP groups but not
based on APs.
– RUs involved in agile distributed SFN roaming need to have the following items
configured the same:
n SSID
n VAP profile and VAP ID
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 4 Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to the central AP and RUs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd and that the
RUs' MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40. Name the central AP
central_AP and the RUs ru_1 and ru_2, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID  MAC             Name        Group      IP             Type         State  STA  Uptime  ExtraInfo
------------------------------------------------------------------------------------------------------
0   68a8-2845-62fd  central_AP  ap-group1  10.23.100.254  AD9430DN-24  nor    0    2M:25S  -
1   fcb6-9897-c520  ru_1        ap-group1  10.23.100.253  R240D        nor    0    3M:5S   -
2   fcb6-9897-ca40  ru_2        ap-group1  10.23.100.252  R240D        nor    0    3M:14S  -
------------------------------------------------------------------------------------------------------
Total: 3
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.
# Disable the automatic channel and power calibration function for radio 0 of RUs, and
configure the channel and power for radio 0 of RUs.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] eirp 127
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
# In the coverage area of ru_1, connect a STA to the WLAN with the SSID wlan-net and
enter the password a1234567 to associate with the WLAN. Run the display station ssid
wlan-net command on the AC. The command output shows that the STA has associated with
ru_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
# When the STA moves from the coverage area of ru_1 to that of ru_2, run the display
station ssid wlan-net command on the AC. The command output shows that the STA has
associated with ru_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08  2      ru_2     0/1      2.4G  11n   38/64  -68   101   10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.101.2 255.255.255.0
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
sfn-roam enable
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 55 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
Purpose
Applications have differentiated network requirements. The traditional WLAN is typically
used to transmit data due to its low transmission rate. With the development of new WLAN
technologies, WLANs have been applied to media, financial, education, and enterprise
networks. In addition to data traffic, WLANs also transmit delay-sensitive multimedia data,
such as voice and video. By enforcing QoS policies on a WLAN, the network administrator
can properly plan and assign network resources based on service characteristics. The WLAN
then provides differentiated access services for applications, meeting customer requirements
and improving network use efficiency.
Background
It is vital to understand the 802.11 link layer transport mechanism before learning about
WMM.
The 802.11 MAC layer uses the coordination function to determine the data transmitting and
receiving methods used between STAs in a BSS. The 802.11 MAC layer consists of two
sublayers:
l Distributed Coordination Function (DCF): uses the carrier sense multiple access with
collision avoidance (CSMA/CA) mechanism. STAs compete for channels to obtain the
authority to transmit data frames.
l Point Coordination Function (PCF): uses centralized control to authorize STAs to
transmit data frames in turn. This method prevents conflict.
NOTE
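[Figure: DCF frame exchange. STA A finds the channel idle, waits for the DIFS and sends a
frame; STA B returns an ACK after the SIFS; the other STAs wait for the DIFS and then the
contention window (CW).]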
1. Before sending data to STA B, STA A detects the channel status. When detecting an idle
channel, STA A sends a data frame after Distributed Inter-Frame Space (DIFS) times out
and waits for a response from STA B. The data frame contains NAV information. After
receiving the data frame, STA B updates the NAV information, indicating that the
channel is busy and that data transmission will be delayed.
NOTE
According to the 802.11 protocol, the receiver must return an ACK frame each time it receives a
data frame.
2. STA B receives the data frame, waits until Short Interframe Space (SIFS) times out, and
sends an ACK frame to STA A. After the ACK frame is transmitted, the channel
becomes idle. After the DIFS times out, the STAs use the exponential backoff algorithm
to compete for channels. The STA whose backoff counter is reduced to 0 first
starts to send data frames.
Concepts
l InterFrame Space (IFS): According to the 802.11 protocol, after sending a data frame,
the STA must wait until the IFS times out to send the next data frame. The IFS length
depends on the data frame type. High-priority data frames are sent earlier than low-
priority data frames. There are three IFS types:
– Short IFS (SIFS): The time interval between a data frame and its ACK frame. SIFS
is used for high priority transmissions, such as ACK and CTS frame transmissions.
– PCF IFS (PIFS): PIFS length is SIFS plus slot time. PCF-enabled access points wait
for the duration of PIFS to occupy the wireless medium. If a STA accesses a
channel when the slot time starts, the other STAs in the BSS detect that the channel
is busy.
– DCF IFS (DIFS): DIFS length is PIFS plus slot time. Data frames and management
frames are transmitted at the DIFS interval.
l Contention window: backoff time. Backoff time is a multiple of slot time, and its length
depends on the physical layer technology. When multiple STAs need to transmit data but
detect that all channels are busy, the STAs use the backoff algorithm. The STAs wait for
a random number of slot times, and then transmit data. A STA detects channel status
during the slot time interval. When detecting an idle channel, the STA starts the backoff
timer. If all channels become busy, the STA freezes the remaining time in the backoff
timer. When a channel becomes idle, the STA waits until DIFS times out, and continues
the backoff timer. When the backoff timer is reduced to 0, the STA starts to send data
frames. Figure 10-2 shows the data frame transmission process.
[Figure 10-2: data frame transmission process with backoff, drawn as per-STA timelines of
Delay and Frame periods.]
a. STA C is occupying a channel to send data frames. STA D, STA E, and STA F also
need to send data frames. They detect that the channel is busy and wait.
b. After STA C finishes data frame transmission, the other STAs wait until DIFS times
out. When DIFS times out, the STAs generate a random backoff time and start their
backoff timers. For example, the backoff time of STA D is t1, the backoff time of
STA E is t1+t3, and the backoff time of STA F is t1+t2.
c. When t1 times out, the backoff timer of STA D is reduced to 0. STA D starts to send
data frames.
d. STA E and STA F detect that the channel is busy, so they freeze their backoff timers
and wait. After STA D completes data transmission, STA E and STA F wait until
DIFS times out, and continue their backoff timers.
e. When t2 times out, the backoff timer of STA F is reduced to 0. STA F starts to send
data frames.
Principles
Channel competition is based on DCF. To all STAs, the DIFS is fixed and backoff time is
random. Therefore, all the STAs fairly compete for channels. WMM enhances the 802.11
protocol, changing the channel competition mode.
l EDCA parameters
WMM defines a set of Enhanced Distributed Channel Access (EDCA) parameters,
which distinguish high-priority packets and enable these packets to preempt channels.
WMM classifies data packets into four access categories (ACs). Table 10-1 shows the
mappings between ACs and 802.11 user priorities (UPs). A large UP value indicates a
high priority.
7 AC_VO (Voice)
5 AC_VI (Video)
2 AC_BK (Background)
Each AC queue defines a set of EDCA parameters, which determine its capability of
occupying channels. These parameters ensure that high-priority ACs have a higher
probability of preempting channels than low-priority ones.
Table 10-2 describes the EDCA parameters.
Parameter | Meaning
Arbitration Interframe Spacing Number (AIFSN) | The DIFS has a fixed value. WMM provides different DIFS values for different ACs. A large AIFSN value means that the STA must wait for a long time and has a low priority.
Exponent form of CWmin (ECWmin) and exponent form of CWmax (ECWmax) | ECWmin specifies the minimum backoff time, and ECWmax specifies the maximum backoff time. Together, they determine the average backoff time. Large ECWmin and ECWmax values mean a long average backoff time for the STA and a low STA priority.
Transmission Opportunity Limit (TXOPLimit) | After preempting a channel, the STA can occupy the channel within the period of TXOPLimit. A large TXOPLimit value means that the STA can occupy the channel for a long time. If the TXOPLimit value is 0, the STA can only send one data frame every time it preempts a channel.
As shown in Figure 10-3, the AIFSN (AIFSN[6]) and the backoff time of voice packets
are shorter than those of Best Effort packets. When both voice packets and Best Effort
packets need to be sent, voice packets preempt the channel.
[Figure 10-3: channel contention between Voice and Best Effort packets, drawn as Delay and
Frame periods; the legend distinguishes backoff time from remaining backoff time.]
l ACK policy
WMM defines two ACK policies: normal ACK and no ACK.
– Normal ACK: The receiver must return an ACK frame each time it receives a
unicast packet.
– No ACK: The receiver does not need to return ACK frames after receiving packets.
This mode is applicable to environments with high communication quality and little
interference.
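The backoff freeze-and-resume behaviour of steps a to e, and the effect of giving each queue its own AIFSN, shown as an added example that is not part of the original guide or of the device's implementation. Time is counted in slots after the SIFS; the backoff values t1=3, t2=2, t3=4 are constructed, and AIFSN 2 for voice and 3 for best effort are assumed values that this page does not state.

```python
"""Slot-level model of 802.11 channel contention (added example)."""

DIFS_SLOTS = 2  # DIFS = PIFS + slot = SIFS + 2 slots, so DCF behaves like AIFSN 2


def contend(stations):
    """Resolve contention for stations that each have one frame queued.

    stations: list of (name, aifsn, backoff_slots).
    Returns one event per channel access:
    (names_that_transmit, slots_waited_after_SIFS, {loser: remaining_backoff}).
    Two or more names in one event mean a collision; the retry with a wider
    contention window is not modelled.
    """
    pending = {name: [aifsn, backoff] for name, aifsn, backoff in stations}
    events = []
    while pending:
        # A station may transmit once its AIFS and its backoff have both elapsed.
        ready_at = {n: aifsn + backoff for n, (aifsn, backoff) in pending.items()}
        t = min(ready_at.values())
        senders = [n for n, slot in ready_at.items() if slot == t]
        for n in senders:
            del pending[n]
        # Losers counted down only during idle slots after their own AIFS,
        # then froze the remainder when the channel became busy.
        for state in pending.values():
            state[1] -= max(0, t - state[0])
        events.append((senders, t, {n: s[1] for n, s in pending.items()}))
    return events


def dcf_walkthrough(t1=3, t2=2, t3=4):
    """The STA D/E/F case from the text; t1..t3 in slots are constructed values."""
    return contend([
        ("STA D", DIFS_SLOTS, t1),
        ("STA E", DIFS_SLOTS, t1 + t3),
        ("STA F", DIFS_SLOTS, t1 + t2),
    ])


def edca_voice_vs_best_effort(backoff=3):
    """Same backoff draw for both queues, so only the AIFSN decides the winner.

    AIFSN 2 (voice) and 3 (best effort) are assumed values, not from this page.
    """
    return contend([("AC_VO", 2, backoff), ("AC_BE", 3, backoff)])


if __name__ == "__main__":
    for senders, waited, frozen in dcf_walkthrough() + edca_voice_vs_best_effort():
        print(senders, "after", waited, "slots; frozen backoff:", frozen)
```

With equal backoff draws the shorter AIFSN alone lets the voice queue transmit first, and the best-effort queue resumes from its frozen remainder on the next access.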
NOTE
Precedence Field
As defined in RFC 791, the 8-bit ToS field in an IP packet header contains a 3-bit IP
precedence field, as shown in Figure 10-5.
[Figure 10-5: layout of the 8-bit ToS field, bits 0 to 7, with the fields Precedence, D, T,
R, and C; the IP Precedence and DSCP bit ranges are marked.]
DSCP Field
RFC 1349 initially defined the ToS field in IP packets and added bit C. Bit C indicates the
monetary cost. Later, the IETF DiffServ Working Group redefined bits 0 to 5 of a ToS field as
the DSCP field in RFC 2474. In RFC 2474, the field name is changed from ToS to
differentiated service (DS). Figure 10-5 shows the DSCP field in packets.
In the DS field, the first six bits (bits 0 to 5) are the DS Code Point (DSCP) and the last two
bits (bits 6 and 7) are reserved. The first three bits (bits 0 to 2) are the Class Selector Code
Point (CSCP), which represents the DSCP type. A DS node selects a Per-Hop Behavior
(PHB) based on the DSCP value.
802.1p Field
Layer 2 devices exchange Ethernet frames. As defined in IEEE 802.1Q, the PRI field (802.1p
field) in the Ethernet frame header identifies the Class of Service (CoS) requirement. Figure
10-6 shows the PRI field in Ethernet frames.
The 802.1Q header contains a 3-bit PRI field, representing eight service priorities 7, 6, 5, 4, 3,
2, 1 and 0 in descending order of priority.
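[Figure 10-7: single bucket at a single rate. Tokens are added at the CIR to a bucket of
capacity CBS; a packet of size B conforms if B ≦ Tc and violates otherwise.]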
In Figure 10-7, the bucket is called bucket C. Tc indicates the number of tokens in the
bucket. A single bucket at a single rate uses the following parameters:
l Committed Information Rate (CIR): indicates the rate at which tokens are put into bucket
C, that is, the average traffic rate permitted by bucket C.
l Committed burst size (CBS): indicates the capacity of bucket C, that is, maximum
volume of burst traffic allowed by bucket C each time.
The system places tokens into the bucket at the CIR. If Tc is smaller than the CBS, Tc
increases. If Tc is greater than or equal to the CBS, Tc remains unchanged.
B indicates the size of an arriving packet:
l If B is smaller than or equal to Tc, the packet is colored green, and Tc decreases by B.
l If B is greater than Tc, the packet is colored red, and Tc remains unchanged.
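[Figure 10-8: dual buckets at a single rate. Tokens are added at the CIR to a bucket of
capacity CBS, and the overflow goes to a bucket of capacity EBS; a packet of size B is checked
against B ≦ Tc and then B ≦ Te.]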
As shown in Figure 10-8, the two buckets are called bucket C and bucket E. Tc indicates the
number of tokens in bucket C, and Te indicates the number of tokens in bucket E. Dual
buckets at a single rate use the following parameters:
l CIR: indicates the rate at which tokens are put into bucket C, that is, average traffic rate
permitted by bucket C.
l CBS: indicates the capacity of bucket C, that is, maximum volume of burst traffic
allowed by bucket C each time.
l Excess burst size (EBS): indicates the capacity of bucket E, that is, maximum volume of
excess burst traffic allowed by bucket E each time.
The system places tokens into the bucket at the CIR:
l If Tc is smaller than the CBS, Tc increases.
l If Tc is equal to the CBS and Te is smaller than the EBS, Te increases.
l If Tc is equal to the CBS and Te is equal to the EBS, Tc and Te do not increase.
B indicates the size of an arriving packet:
l If B is smaller than or equal to Tc, the packet is colored green, and Tc decreases by B.
l If B is larger than Tc and smaller than or equal to Te, the packet is colored yellow and Te
decreases by B.
l If B is larger than Te, the packet is colored red, and Tc and Te remain unchanged.
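[Figure 10-9: dual buckets at dual rates. Tokens are added at the PIR to a bucket of capacity
PBS and at the CIR to a bucket of capacity CBS; a packet of size B is checked against B > Tp
and then B > Tc.]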
As shown in Figure 10-9, the two buckets are called bucket P and bucket C. Tp indicates the
number of tokens in bucket P, and Tc indicates the number of tokens in bucket C. Dual
buckets at dual rates use the following parameters:
l Peak information rate (PIR): indicates the rate at which tokens are put into bucket P, that
is, maximum traffic rate permitted by bucket P. The PIR must be greater than the CIR.
l CIR: indicates the rate at which tokens are put into bucket C, that is, average traffic rate
permitted by bucket C.
l Peak burst size (PBS): indicates the capacity of bucket P, that is, maximum volume of
burst traffic allowed by bucket P each time.
l CBS: indicates the capacity of bucket C, that is, maximum volume of burst traffic
allowed by bucket C each time.
The system places tokens into bucket P at the PIR and places tokens into bucket C at the CIR:
l If Tp is smaller than the PBS, Tp increases. If Tp is larger than or equal to the PBS, Tp
remains unchanged.
l If Tc is smaller than the CBS, Tc increases. If Tc is larger than or equal to the CBS, Tc
remains unchanged.
[Figure: traffic policing components. The packet stream passes through the meter, the marker,
and the action; the meter sends its result to the marker.]
l Meter: measures the network traffic using the token bucket mechanism and sends the
measurement result to the marker.
l Marker: colors packets in green, yellow, or red based on the measurement result received
from the meter.
l Action: performs actions based on packet coloring results received from the marker. The
following actions are defined:
– Pass: forwards packets that meet network requirements.
– Remark + pass: changes the local priorities of packets and forwards them.
– Discard: drops packets that do not meet network requirements.
By default, green and yellow packets are forwarded, while red packets are discarded.
If the rate of a type of traffic exceeds the threshold, the device reduces the packet priority. It
then either forwards the packets or directly discards them, based on traffic policing
configuration. By default, the packets are discarded.
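The three token-bucket meters and the default policing action described above, as an added example that is not the device's own code. Rates are taken in bytes per second, buckets are assumed to start full, and the traffic is constructed; the colouring rule for the dual-rate meter follows RFC 2698, because the text above gives only its token-filling rules.

```python
"""Token-bucket meters and the default policing action (added example)."""

GREEN, YELLOW, RED = "green", "yellow", "red"
DEFAULT_ACTION = {GREEN: "pass", YELLOW: "pass", RED: "discard"}


class SingleRateMeter:
    """Bucket C filled at the CIR; with ebs > 0, overflow from C fills bucket E."""

    def __init__(self, cir, cbs, ebs=0):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = cbs, ebs      # assumption: buckets start full
        self.last = 0.0

    def color(self, now, size):
        tokens = (now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)            # Tc grows up to the CBS
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # the rest goes to E
        if size <= self.tc:
            self.tc -= size
            return GREEN
        if size <= self.te:
            self.te -= size
            return YELLOW
        return RED                                        # Tc and Te unchanged


class DualRateMeter:
    """Bucket P filled at the PIR and bucket C at the CIR, independently."""

    def __init__(self, pir, pbs, cir, cbs):
        if pir <= cir:
            raise ValueError("the PIR must be greater than the CIR")
        self.pir, self.pbs, self.cir, self.cbs = pir, pbs, cir, cbs
        self.tp, self.tc = pbs, cbs      # assumption: buckets start full
        self.last = 0.0

    def color(self, now, size):
        elapsed = now - self.last
        self.last = now
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        # Colouring per RFC 2698, colour-blind mode (not spelled out on this page).
        if size > self.tp:
            return RED
        self.tp -= size
        if size > self.tc:
            return YELLOW
        self.tc -= size
        return GREEN


def police(meter, packets, action=DEFAULT_ACTION):
    """Meter -> marker -> action over (arrival_time_s, size_bytes) packets."""
    return [(c, action[c]) for c in (meter.color(t, b) for t, b in packets)]


# Constructed traffic: a 2000-byte burst at t=0, then three later packets.
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.5, 1000), (1.0, 400), (1.0, 1000)]

if __name__ == "__main__":
    for name, meter in [
        ("single bucket", SingleRateMeter(cir=1000, cbs=1500)),
        ("dual bucket, single rate", SingleRateMeter(cir=1000, cbs=1500, ebs=1000)),
        ("dual bucket, dual rate", DualRateMeter(pir=2000, pbs=2000, cir=1000, cbs=1500)),
    ]:
        print(name, police(meter, SAMPLE))
```

The second packet of the burst is where the meters differ: the single bucket marks it red and it is discarded, while either dual-bucket meter marks it yellow and it is forwarded by default.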
Overview
Airtime scheduling schedules channel resources based on the channel occupation time of
users connected to the same radio. Each user is assigned equal time to occupy the channel,
ensuring fairness in channel usage.
On a WLAN, the physical layer rates of users differ greatly because of the different radio
modes supported by the terminals or the different radio environments where the terminals reside.
If users with lower physical layer rates occupy wireless channels for a long period, user
experience of the entire WLAN is affected. When airtime scheduling is enabled, users on the
WLAN occupy the wireless channel equally. This improves the overall user experience when
high- and low-speed users are connected at the same time.
Principles
After airtime scheduling is enabled, the device does the following:
l Collects statistics on the time within which each user occupies a wireless channel to send
packets on the same radio.
l Calculates the total sum of time that each user occupies the wireless channel.
l Sequences the STAs in ascending order of channel occupation time.
Compared with traditional scheduling modes, airtime scheduling provides the following
additional functions:
l Inserts new users to specified positions according to their wireless channel occupation
time. In traditional scheduling modes, new users are placed at the end of the user queue.
l Checks whether a user continues to send data after they finish sending the first queue of
data. If yes, they are inserted into the queue according to their wireless channel
occupation time. The device preferentially schedules channel resources for the user with
the shortest channel occupation time. If the user does not continue to send data, the
device directly schedules channel resources for the second user.
There are four users on a radio waiting to transmit data. They have occupied the channel for a
time of 3, 4, 6, and 7 respectively, and require a corresponding time of 2, 4, 6, and 7 for a
round of data transmission.
1. After airtime scheduling is enabled, the device collects the channel occupation time of
the four users. The channel occupation times of User1, User2, User3, and User4 become
3, 4, 6, and 7 respectively. User1 occupies the channel for the shortest time. Therefore,
the device allocates channel resources to User1 first.
2. It takes a time of 2 for User1 to finish a round of data transmission. The channel
occupation time of User1 increases to 5. The channel occupation times of User1, User2,
User3, and User4 become 5, 4, 6, and 7 respectively. User2 occupies the channel for the
shortest time. Therefore, the data of User2 is preferentially transmitted.
3. It takes a time of 4 for User2 to finish a round of data transmission. The channel
occupation time of User2 increases to 8. The channel occupation times of User1, User2,
User3, and User4 become 5, 8, 6, and 7 respectively. User1 occupies the channel for the
shortest time. Therefore, the device preferentially schedules channel resources for User1.
4. If User1 finishes all data transmissions, the device only collects the channel occupation
time of the remaining users. The channel occupation times of User2, User3, and User4
are 8, 6, and 7 respectively. User3 occupies the channel for the shortest time. Therefore,
the data of User3 is preferentially transmitted.
5. It takes a time of 6 for User3 to finish a round of data transmission. The channel
occupation time of User3 increases to 12. The channel occupation times of User2, User3, and
User4 become 8, 12, and 7 respectively. User4 occupies the channel for the shortest
time. Therefore, channel resources are preferentially scheduled for User4.
The device preferentially schedules channel resources for the user that occupies the channel
for the shortest time. In this way, each user is assigned equal time to occupy the channel,
ensuring fairness in channel usage.
To prevent the users that connected first from being unable to occupy the wireless channel
to transmit data, the device periodically clears all users' wireless channel occupation time.
In this way, all access users have the same occupation weight.
After WMM is enabled on the device and terminals, user packets are scheduled based on
different types (service types include VI, VO, BE, and BK). For example, voice packets are
only scheduled with other voice packets, and video packets with other video packets.
NOTE
If the packets of multiple users are of different types, airtime scheduling does not take effect. For example, if
one user transmits voice packets and the other transmits video packets, airtime scheduling is not performed.
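The scheduling rounds walked through above, replayed as an added Python example (a model written for this page, not Huawei's scheduler code). User4's per-round cost, the remaining round counts, the tie-break by arrival order, the clearing interval, and the sta-* scenario are assumptions; the page does not give them.

```python
"""Model of airtime fair scheduling (illustration only, not device code)."""
from collections import Counter


def airtime_schedule(occupied, round_cost, rounds_left, picks, clear_every=None):
    """Return the scheduling decisions as a list of (user, occupation_after).

    occupied    -- channel occupation time accumulated so far, per user
    round_cost  -- airtime that one round of transmission costs, per user
    rounds_left -- rounds of data each user still has queued
    picks       -- number of scheduling decisions to simulate
    clear_every -- if set, zero every user's occupation time each N decisions
                   (the periodic clearing; the real interval is not on the page)
    """
    occupied = dict(occupied)
    left = dict(rounds_left)
    decisions = []
    for n in range(picks):
        if clear_every and n and n % clear_every == 0:
            occupied = {user: 0 for user in occupied}
        ready = [user for user in occupied if left[user] > 0]
        if not ready:
            break
        # Shortest occupation time wins; min() keeps dict (arrival) order on
        # ties, which is an assumption of this model.
        user = min(ready, key=occupied.__getitem__)
        occupied[user] += round_cost[user]
        left[user] -= 1
        decisions.append((user, occupied[user]))
    return decisions


def rounds_won(decisions):
    """Count how many rounds each user was scheduled for."""
    return Counter(user for user, _ in decisions)


# State at step 1 of the walk-through. User4's cost (5) and every round count
# except User1's are constructed; the page does not state them.
OCCUPIED = {"User1": 3, "User2": 4, "User3": 6, "User4": 7}
ROUND_COST = {"User1": 2, "User2": 4, "User3": 6, "User4": 5}
ROUNDS_LEFT = {"User1": 2, "User2": 3, "User3": 3, "User4": 3}


def walkthrough():
    """Replay steps 1-5 of the walk-through."""
    return airtime_schedule(OCCUPIED, ROUND_COST, ROUNDS_LEFT, picks=5)


# Constructed scenario: two long-connected STAs and one that just associated.
EARLY = {"sta-a": 40, "sta-b": 40, "sta-new": 0}
UNIT = {"sta-a": 1, "sta-b": 1, "sta-new": 1}
BACKLOG = {"sta-a": 100, "sta-b": 100, "sta-new": 100}


def newcomer_effect(clear_every=None):
    """Rounds won by each STA over 30 decisions, with or without clearing."""
    return rounds_won(airtime_schedule(EARLY, UNIT, BACKLOG, 30, clear_every))


if __name__ == "__main__":
    print(walkthrough())
    print("no clearing:", dict(newcomer_effect()))
    print("clearing every 6 decisions:", dict(newcomer_effect(6)))
```

Without clearing, the newly associated STA wins every round until its occupation time catches up with the early users; with clearing, the early users get airtime again after each reset.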
SDN Manager (LSM for short) to notify the network controller of the Lync session content
through HTTP or HTTPS. The network controller can identify Lync packets, and then
processes Lync packets based on priorities.
On a network, a switch can replace the network controller to interwork with the LSM and
obtain information about Lync packets. The switch delivers a rule for increasing the priority
of Lync packets based on the Lync session. When Lync packets are forwarded on the network,
the priority is increased and QoS guarantee is achieved, thereby improving user experience.
[Figure 10-12: networking diagram; labels: SwitchA, SwitchB, network devices, access switches, APs, Lync server, LSM, LDL]
In Figure 10-12, the entities and their functions are described as follows:
l Lync client: wireless terminal that has the Lync client software installed.
l Lync server: provides services including Lync voice, video, desktop sharing, and file
transfer.
l Lync Dialog Listener (LDL): monitors signaling of Lync clients and sends information
such as session setup and deletion to the LSM.
l LSM: collects session information from the LDL and sends information such as session
setup and deletion to SwitchA and SwitchB.
l SwitchA and SwitchB: function as ACs and replace the network controller to
monitor flow information from the LSM and deliver it to the local device.
l Access switch: provides the priority service.
When Lync clients communicate with each other, the procedure for increasing the priority of
Lync packets is as follows:
1. SwitchA and SwitchB establish HTTP or HTTPS sessions with the LSM.
2. The LDL detects signaling sent by Lync clients. After a Lync client sends a service
request to the server, the LDL detects session establishment.
3. The LDL notifies the LSM that the Lync session is set up.
4. The LSM notifies SwitchA and SwitchB that the Lync session is set up.
5. SwitchA and SwitchB obtain Lync flow information from the LSM. The information
includes the application type (voice, video, desktop sharing, or file transfer) of Lync
flows and 5-tuple information (source IP address, destination IP address, source port
number, destination port number, and protocol). Then SwitchA and SwitchB deliver
Lync session entries based on priorities of the Lync flows.
After the procedure, the priority of the service flow is increased when service flows
exchanged between Lync clients pass through SwitchA and SwitchB.
After Lync clients complete communication, the sessions between Lync clients and the Lync
server are deleted. The LDL detects that the Lync session is deleted and notifies the LSM,
and then the LSM notifies SwitchA and SwitchB that the Lync session is deleted. The
switches delete the corresponding Lync session entries.
WLAN devices must meet the following requirements when transmitting SpectraLink Voice packets:
l The SpectraLink Voice packets are always at the head of the sending queue, so that
they can be sent preferentially.
l The air interface backoff time is 0.
Working Mechanism
After the SVP service is enabled, its working mechanism is as follows:
l When receiving packets, an air interface identifies Spectralink Voice packets and
modifies the priority of the Spectralink Voice packets.
In Spectralink Voice packets, the IP protocol number is 119. When receiving packets
with the IP protocol number of 119, a WLAN device marks the packets as Spectralink
Voice packets, and modifies the DSCP priority of the packets to 46 and 802.1p priority to
6.
l When the air interface sends packets, the WLAN device schedules Spectralink Voice
packets into the SVP-dedicated queue with the CWmin and CWmax of 0. The queue has
the same default transmit opportunity (TXOP) limit and ACK policy as the Video
Optimization (VO) queue.
[Figure: application scenario diagram; labels: HTTP browse, Voice chat, AP1, AP2, AC, Internet]
Configure WMM | You can configure radio profiles and SSID profiles to provide different capabilities for different services on STAs or APs to compete for channels to determine the quality of services. | 10.7.1 Configuring WMM
Configure Traffic Policing | You can configure traffic policing to limit the STA transmission rate or AP forwarding rate, which prevents network congestion. | 10.7.3 Configuring Traffic Policing
Configure voice and video service traffic optimization | You can set WMM parameter settings and priorities of voice and video traffic to improve users' voice and video service experience. | For all voice and video traffic: 10.7.9 Configuring Multimedia Air Interface Optimization. For SVP traffic: 10.7.10 Configuring SVP Voice Traffic Optimization
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00 | V200R007C10, V200R006C20, V200R006C10
V200R009C00 | V200R006C20, V200R006C10
V200R008C00 | V200R005C30, V200R005C20, V200R005C10
V200R007 | V200R005C20, V200R005C10
V200R006 | V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 10-5 Products and minimum version supporting the WLAN service
Feature Limitations
Configuring WMM
By default, WMM is disabled on a terminal. To implement the WMM function, you must
enable WMM on terminals and devices concurrently.
The tunnel priority mapping is applicable to scenarios where data packets are transmitted in
tunnel forwarding mode.
The switch supports priority configuration for Lync packets since V200R010C00.
The switch can be interconnected to one server where Lync SDN Manager is installed. The
version of Lync SDN Manager must be 2.0.
WMM | Enabled
Mapping of the priority of 802.11 packets to the DSCP priority of tunnel packets when packets are sent from an AP to an AC | For the default mapping from the user priority of 802.11 packets to the DSCP priority of tunnel packets, see priority-map tunnel-upstream dot11e dscp. For the default mapping from the user priority of 802.11 packets to the 802.1p priority of tunnel packets, see priority-map tunnel-upstream dot11e dot1p.
Mapping from the user priority of 802.11 packets to the 802.3 packet priority when packets are sent from an AP to an AC. | The priority mapping from 802.11 packets to 802.3 packets is 802.11.
Mapping from the 802.3 packet priority to the 802.11 packet priority when packets are sent to an AP from upper-layer devices. | For the default mapping from the DSCP priority of 802.3 packets to the user priority of 802.11 packets, see priority-map downstream dscp. For the default mapping from the 802.1p priority of 802.3 packets to the user priority of 802.11 packets, see priority-map downstream dot1p.
l Manual adjustment: You can manually adjust EDCA parameter settings and ACK
policies for APs and STAs.
l Automatic adjustment: After multimedia air interface optimization is enabled, the system
automatically adjusts EDCA parameter settings and ACK policies for APs and STAs.
For details about the configuration for automatic adjustment, see 10.7.9 Configuring
Multimedia Air Interface Optimization.
Pre-configuration Tasks
Before configuring WMM, perform the task of 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
WMM is enabled.
NOTE
802.11n and 802.11ac STAs must support WMM. If the WMM function is disabled in a radio, 802.11n and
802.11ac cannot work and STAs can access the network only in 802.11a/b/g mode.
If the WMM function is disabled, access by non-HT STAs cannot be denied.
STAs that do not support WMM are forbidden to connect to a WMM-enabled AP.
By default, STAs that do not support WMM are allowed to connect to a WMM-enabled AP.
On a WLAN, wireless channels are open and all STAs have an equal chance to occupy the
wireless channels. You can configure WMM to assign different priorities to packets and
enable high-priority packets to preferentially use wireless channel resources, meeting
differentiated service requirements. You can also prevent STAs that do not support WMM
from connecting to a WMM-enabled AP, which prevents those STAs from preempting
channels of WMM-capable STAs.
Step 6 Run wmm edca-ap { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | ack-policy { normal |
noack } } *
Table 10-7 lists the default EDCA parameter settings and ACK policies for APs.
Table 10-7 Default EDCA parameter settings and ACK policies for APs
Packet Type ECWmax ECWmin AIFSN TXOPLimit ACK Policy
AC_VO 3 2 1 47 normal
AC_VI 4 3 1 94 normal
AC_BE 6 4 3 0 normal
AC_BK 10 4 7 0 normal
As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending
order of priority.
NOTE
After the high-density function is enabled on an AP, the AP will optimize EDCA parameters of AC_BE
packets, for example, adjusting the contention window size. In this way, the probability of user collisions will
be reduced, and users can enjoy better service experience in high-density scenarios. If you configure EDCA
parameters in the WMM profile on the AP, the configuration does not take effect on AC_BE packets.
Step 9 Run wmm edca-client { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *
Table 10-8 lists the default EDCA parameter settings for STAs.
Packet Type ECWmax ECWmin AIFSN TXOPLimit
AC_VO 3 2 2 47
AC_VI 4 3 2 94
AC_BE 10 4 3 0
AC_BK 10 4 7 0
As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending
order of priority.
----End
Pre-configuration Tasks
Before configuring priority mapping, perform the task of 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Configure priority mapping as required.
l Configure priority mapping for packets sent to an AP from upper-layer devices.
a. Run the priority-map downstream trust { dot1p | dscp } command to configure a
trusted priority type used in mapping from 802.3 packets to 802.11 packets when
packets are sent to an AP from upper-layer devices.
By default, the DSCP priority is used in mapping from 802.3 packets to 802.11
packets when packets are sent to an AP from upper-layer devices.
b. Configure priority mapping.
n When the DSCP priority is specified as the trusted priority type, perform the
following configuration:
Run the priority-map downstream dscp { dscp-value1 [ to dscp-value2 ] }
&<1-10> dot11e dot11e-value command to configure mapping from the DSCP
priority of 802.3 packets to the user priority of 802.11 packets.
Table 10-9 describes the default mapping from the DSCP priority of 802.3
packets to the user priority of 802.11 packets.
Table 10-9 Default mapping from the DSCP priority of 802.3 packets to the
user priority of 802.11 packets
DSCP UP
0-7 0
8-15 1
16-23 2
24-31 3
32-39 4
40-47 5
48-55 6
56-63 7
n When the 802.1p priority is specified as the trusted priority type, perform the
following configuration:
Run the priority-map downstream dot1p { dot1p-value1 [ to dot1p-
value2 ] } &<1-7> dot11e dot11e-value command to configure mapping from
the 802.1p priority of 802.3 packets to the user priority of 802.11 packets when
packets are sent to an AP from upper-layer devices.
By default, 802.1p priority 0 of 802.3 packets maps to user priority 0 of 802.11
packets, 802.1p priority 1 to user priority 1, and similarly, 802.1p priority 7 to
user priority 7.
l Configure tunnel priority mapping when data packets are sent from APs to an AC.
NOTE
The tunnel priority mapping is applicable to scenarios where data packets are sent in tunnel forwarding
mode.
Table 10-10 Default mapping from the user priority of 802.11 packets to the
DSCP priority in the CAPWAP header
User Priority of 802.11 Packets    DSCP Priority in the CAPWAP Header
0 0
1 8
2 16
3 24
4 32
5 40
6 48
7 56
0-7 0
8-15 1
16-23 2
24-31 3
32-39 4
40-47 5
48-55 6
56-63 7
l Configure packet priority mapping when packets are sent to an AC from an AP.
Run the priority-map upstream trust { dot11e | dscp } command to configure mapping
from the 802.11 packet priority to the 802.3 packet priority when packets are sent to an
AC from an AP.
By default, the 802.11e priority is mapped from 802.11 packets to 802.3 packets when
packets are sent from an AP to upper-layer devices.
Currently, the priority mappings are fixed and described in the following table.
0-7 0
8-15 1
16-23 2
24-31 3
32-39 4
40-47 5
48-55 6
56-63 7
Table 10-13 Mapping from the user priority to the 802.1p and DSCP priorities
User Priority of 802.11 Packets    DSCP Priority of 802.3 Packets    802.1p Priority of 802.3 Packets
0 0 0
1 8 1
2 16 2
3 24 3
4 32 4
5 40 5
6 48 6
7 56 7
----End
SSID-based QoS CAR | If the QoS CAR in an SSID profile is set to car-value, the total bandwidth of all the STAs associating with all the VAPs with this SSID profile bound does not exceed car-value. | qos car (SSID profile view)
Rate limiting for a single VAP | If the rate limit in a traffic profile is set to limit, the total bandwidth of all the STAs associating with a single VAP with this SSID profile bound does not exceed limit. | rate-limit vap { up | down } rate-value
Rate limiting for a single STA | Static rate limiting: If the rate limit in a traffic profile is set to limit, the bandwidth of a single STA with a VAP with this SSID profile bound does not exceed limit. Dynamic rate limiting: After dynamic rate limiting is enabled, the device determines whether to perform three-phase rate limiting for wireless users depending on whether the air interface is congested. This improves network experience of wireless users. For the implementation of dynamic rate limiting, see Implementation of Dynamic Rate Limiting. If static rate limiting has been enabled, static rate limiting takes precedence over dynamic rate limiting. | Static rate limiting: rate-limit client { up | down } rate-value. Dynamic rate limiting: rate-limit client dynamic disable and rate-limit client dynamic rate-value
The system calculates the channel usage periodically (every 2 seconds). Assume that the
lower limit in a traffic profile is set to limit. The three-phase rate limits are then limit
(phase-1 rate limit), limit/2 (phase-2 rate limit), and 2×limit (phase-3 rate limit).
Check whether the air interface is congested as follows:
l If the channel usage is higher than 80% for five consecutive periods (10s), the air
interface is congested.
l If the channel usage is lower than 70% for 30 consecutive periods (1 minute), the
congestion of the air interface is eliminated.
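The congestion check above as an added Python example (a model written for this page, not device code). The usage samples are constructed, and the transitions between the three rate-limit phases are not modelled because the page does not describe them in text.

```python
"""Model of the air-interface congestion check used by dynamic rate limiting."""

PERIOD_S = 2                          # channel usage is calculated every 2 seconds
CONGEST_PCT, CONGEST_RUN = 80, 5      # higher than 80% for 5 consecutive periods
CLEAR_PCT, CLEAR_RUN = 70, 30         # lower than 70% for 30 consecutive periods


class AirCongestionDetector:
    """Two-threshold detector: usage between 70% and 80% never changes state."""

    def __init__(self):
        self.congested = False
        self.run = 0                  # consecutive periods counting toward a change

    def sample(self, usage_pct):
        """Feed one period's channel usage; return the state after it."""
        if not self.congested:
            self.run = self.run + 1 if usage_pct > CONGEST_PCT else 0
            if self.run >= CONGEST_RUN:
                self.congested, self.run = True, 0
        else:
            self.run = self.run + 1 if usage_pct < CLEAR_PCT else 0
            if self.run >= CLEAR_RUN:
                self.congested, self.run = False, 0
        return self.congested


def transitions(samples):
    """Return [(elapsed_seconds, congested)] for every state change."""
    detector, changes = AirCongestionDetector(), []
    for n, usage in enumerate(samples, start=1):
        before = detector.congested
        if detector.sample(usage) != before:
            changes.append((n * PERIOD_S, detector.congested))
    return changes


# Constructed usage trace: a burst interrupted once, then a quiet spell
# interrupted once. Each interruption restarts the consecutive-period count.
SAMPLES = [85] * 4 + [75] + [85] * 5 + [60] * 29 + [72] + [60] * 30

if __name__ == "__main__":
    for seconds, congested in transitions(SAMPLES):
        print(f"t={seconds:>3}s congested={congested}")
```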
The following figure illustrates transition of the three-phase rate limiting states.
Pre-configuration Tasks
Before configuring traffic policing, perform the task of 5 WLAN Service Configuration.
Procedure
l Configure traffic policing in a traffic profile.
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run traffic-profile name profile-name
A traffic profile is created and the traffic profile view is displayed.
d. Run rate-limit { client | vap } { up | down } rate-value
The rate limit is configured for upstream and downstream traffic of all STAs or a
single STA on a VAP.
n By default, the rate limit for upstream and downstream traffic of all STAs on a
VAP is 4294967295 kbit/s.
n By default, the rate limit for upstream and downstream traffic of a single STA
on a VAP is 4294967295 kbit/s.
e. Run rate-limit client dynamic disable
The dynamic rate limit threshold is set for a single STA in a VAP.
By default, the dynamic rate limit threshold of a single STA in a VAP is 16 Mbit/s.
g. Run quit
QoS CAR parameters configured in an SSID profile are valid only when the service data
forwarding mode is set to tunnel forwarding.
----End
Context
Airtime fair scheduling computes wireless channel occupation time of users in the same VAP
and preferentially schedules users who occupy the channel for a relatively short time. In this
way, each user is assigned equal time to occupy the channel, ensuring fairness in channel
usage.
Pre-configuration Tasks
Before configuring airtime fair scheduling, perform the task of 5 WLAN Service
Configuration.
Procedure
Step 1 Run system-view
Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
l Perform the task of 5 WLAN Service Configuration.
l Create corresponding ACL rules.
The traffic-filter command can reference a numbered ACL that is not configured. You
can configure the referenced ACL after running this command.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
The traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name }
The ACL-based packet filtering in the traffic profile is configured.
By default, ACL-based packet filtering is not configured in a traffic profile.
You can configure a maximum of eight ACL rules in the same direction. The sequence in
which ACL rules take effect follows the sequence in which the rules are configured. To
change the current packet filtering rules, delete all the related configurations and reconfigure
the ACL-based packet filtering.
When multiple traffic-filter commands are configured for ACL-based packet filtering in the
same direction in the same traffic profile, packets are matched against the rules in the
sequence in which the commands are configured. If packets match a rule, the device executes
the specified policy and stops the matching process. Otherwise, the device continues to match
packets against the next rule. If no rule is matched, the packets are allowed to pass through.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
----End
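The matching behaviour described in Step 4 (configuration order, first match wins, no match means the packet passes), as an added Python model that is not device code or Huawei ACL syntax. The Rule fields, the two sample profiles, the packets, and the reading of inbound as traffic arriving from STAs are assumptions; the subnets are borrowed from the configuration example later in this chapter.

```python
"""Model of traffic-filter evaluation in one traffic profile (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_FILTERS_PER_DIRECTION = 8          # limit stated on the page


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"                 # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None        # None means any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def covers(self, other):
        """True if every packet that `other` matches is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


class TrafficProfile:
    def __init__(self):
        self.filters = {"inbound": [], "outbound": []}

    def traffic_filter(self, direction, rule):
        if len(self.filters[direction]) >= MAX_FILTERS_PER_DIRECTION:
            raise ValueError("a maximum of eight ACL rules per direction")
        self.filters[direction].append(rule)

    def verdict(self, direction, pkt):
        """Return (action, index of the deciding rule or None)."""
        for index, rule in enumerate(self.filters[direction]):
            if rule.matches(pkt):
                return rule.action, index      # first match stops the search
        return "permit", None                  # no rule matched: packet passes

    def shadowed(self, direction):
        """(later, earlier) index pairs where an earlier rule with the opposite
        action matches everything the later rule matches, so the later rule
        can never take effect."""
        rules = self.filters[direction]
        return [(later, earlier)
                for later in range(len(rules))
                for earlier in range(later)
                if rules[earlier].action != rules[later].action
                and rules[earlier].covers(rules[later])]


STA_NET, MGMT_NET = "10.23.101.0/24", "10.23.100.0/24"   # from the example below


def misordered_profile():
    """Broad permit configured first; the deny after it is dead."""
    profile = TrafficProfile()
    profile.traffic_filter("inbound", Rule("permit", src=STA_NET))
    profile.traffic_filter("inbound", Rule("deny", src=STA_NET, dst=MGMT_NET,
                                           proto="tcp", dport=22))
    return profile


def hardened_profile():
    """Specific deny first, then the permit, then an explicit deny for the rest."""
    profile = TrafficProfile()
    profile.traffic_filter("inbound", Rule("deny", src=STA_NET, dst=MGMT_NET))
    profile.traffic_filter("inbound", Rule("permit", src=STA_NET))
    profile.traffic_filter("inbound", Rule("deny"))
    return profile


# Constructed packets: an STA reaching the management subnet over SSH, and
# traffic from a source address outside the STA pool.
SSH_TO_MGMT = {"src": "10.23.101.20", "dst": "10.23.100.1", "proto": "tcp", "dport": 22}
UNKNOWN_SRC = {"src": "192.168.5.5", "dst": "10.23.100.1", "proto": "udp", "dport": 5246}

if __name__ == "__main__":
    for name, profile in (("misordered", misordered_profile()),
                          ("hardened", hardened_profile())):
        print(name, profile.verdict("inbound", SSH_TO_MGMT),
              profile.verdict("inbound", UNKNOWN_SRC), profile.shadowed("inbound"))
```

Because a packet that matches nothing is allowed through, a profile meant to restrict traffic needs its last rule to deny everything that the earlier rules did not permit.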
Context
By configuring ACL-based priority remarking, the device remarks the priorities of wireless
packets matching ACL rules to provide differentiated services.
Pre-configuration Tasks
Before configuring ACL-based priority remarking, complete the following tasks:
Procedure
Step 1 Run system-view
Step 4 Run the traffic-remark { inbound | outbound } ipv4 acl { acl-number | name acl-name }
{ dot11e dot11e-value | dscp dscp-value } command to configure ACL-based priority remarking
in the traffic profile.
The traffic-remark command can reference a numbered ACL rule that is not configured. You
can configure the referenced ACL rule after running this command.
You can configure a maximum of eight ACL-based packet re-marking rules in the same
direction. The sequence in which ACL rules take effect follows the rule configuration
sequence. To change the current packet re-marking rules, delete all the related configurations
and reconfigure the ACL-based packet re-marking.
----End
Context
In a traffic profile, user isolation prevents packets of users on a VAP from being forwarded to
each other. That is, users on a VAP cannot communicate with each other after user isolation is
enabled. This improves user communication security and enables the gateway to centrally
forward user traffic, facilitating user management.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run user-isolate l2
The user isolation function is enabled.
By default, user isolation is disabled in a traffic profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run lync listener { http-port port-num | https-port port-num ssl-policy ssl-policy }
The switch is configured to communicate with the Lync server and the port number is
specified.
By default, the switch is not configured to communicate with the Lync server and the port
number is not specified.
NOTE
To avoid affecting the exchange with the Lync server, you are advised to use a port number that
is not in use. You can run the display ip socket register-port command to check used port numbers.
NOTE
To ensure that the packet filtering function takes effect in time, create a basic or advanced ACL and
configure rules before you run this command.
----End
Context
Adjust WMM parameter settings as follows:
l Manual adjustment: You can manually adjust EDCA parameter settings and ACK
policies for APs and STAs.
l Automatic adjustment: After multimedia air interface optimization is enabled, the system
automatically adjusts EDCA parameter settings and ACK policies for APs and STAs.
After multimedia air interface optimization is enabled, the system dynamically adjusts EDCA
parameter settings and ACK policies based on the number of different types of access users,
improving user experience on voice and video applications.
The number of voice or video users is identified based on the user packet density threshold
configured using the multimedia-air-optimize threshold command. If the number of voice
or video packets sent by a user through the internal statistics queue of a radio within the unit
time (1 second) exceeds the threshold, the user is considered a voice or video user.
The multimedia air interface optimization and dynamic EDCA parameter adjustment
functions are mutually exclusive.
After the multimedia-air-optimize enable command is executed, the wmm edca-ap and
wmm edca-client (SSID profile view) commands do not take effect.
For details about the configuration for manual EDCA parameter adjustment, see 10.7.1
Configuring WMM.
Pre-configuration Tasks
Before configuring multimedia air interface optimization, complete the following tasks:
Procedure
Step 1 Run system-view
A radio resource management (RRM) profile is created, and the RRM profile view is
displayed.
The user packet density threshold is set for multimedia air interface optimization.
By default, the video user packet density threshold is 100 per second, and the default voice
user packet density threshold is 30 per second.
Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End
Pre-configuration Tasks
Before configuring Spectralink Voice Priority (SVP) voice traffic optimization, complete the
following task:
Procedure
Step 1 Run system-view
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 10-15, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
Voice, video, and data services are transmitted within the coverage of the AP. Users expect
that video services are preferentially forwarded by the AP and AC and have the highest
priority to use wireless network resources.
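[Figure 10-15: networking diagram. STAs connect to the AP; the AP connects to GE0/0/1 (VLAN 100) of SwitchA; GE0/0/2 (VLAN 100) of SwitchA connects to GE0/0/1 (VLAN 100) of the AC; GE0/0/2 (VLAN 101) of the AC connects to the Internet]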
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure parameters used by the AP so that video services have higher priorities over
voice and data services and preferentially use the bandwidth.
3. Configure priority mapping in the traffic profile so that video services have higher
priorities over voice and data services and preferentially use the bandwidth.
Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# In the SSID profile wlan-ssid, configure the WMM function to enable video services to
preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] wmm edca-client ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-ssid-prof-wlan-ssid] wmm edca-client ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-ssid-prof-wlan-ssid] quit
NOTE
By default, the user priority of voice packets is set to 6 or 7 on the terminal, and that of the video packets is
set to 4 or 5.
[AC-wlan-view] traffic-profile name traffic
[AC-wlan-traffic-prof-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-traffic] quit
Smart-antenna : disable
------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------
        ECWmax  ECWmin  AIFSN  TXOPLimit(32us)  Ack-Policy
AC_VO   4       3       1      94               normal
AC_VI   3       2       1      47               normal
AC_BE   6       4       3      0                normal
AC_BK   10      4       7      0                normal
---------------------------------------------------
Run the display ssid-profile command on the AC to check the configuration of the SSID
profile.
[AC-wlan-view] display ssid-profile name wlan-ssid
-------------------------------------------------------------------
Profile ID : 1
SSID : wlan-net
SSID hide : disable
Association timeout(min) : 5
Max STA number : 64
Reach max STA SSID hide : enable
Legacy station : enable
DTIM interval : 1
Beacon 2.4G rate(Mbps) : 1
Beacon 5G rate(Mbps) : 6
Deny-broadcast-probe : disable
Probe-response-retry num : 1
QOS CAR inbound CIR(kbit/s) : -
QOS CAR inbound PIR(kbit/s) : -
QOS CAR inbound CBS(byte) : -
QOS CAR inbound PBS(byte) : -
U-APSD : disable
Active dull client : disable
MU-MIMO : disable
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit
AC_VO 4 3 2 94
AC_VI 3 2 2 47
AC_BE 10 4 3 0
AC_BK 10 4 7 0
-------------------------------------------------------------------
Run the display traffic-profile command on the AC to check the configuration of the traffic
profile.
[AC-wlan-view] display traffic-profile name traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 4294967295
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 4294967295
Rate limit VAP down(Kbps) : 4294967295
IGMP snooping : disable
IGMP snooping report suppress : disable
IGMP snooping max bandwith(kbps) : -
IGMP snooping max user : -
Traffic optimize sta bridge forward : enable
Traffic optimize broadcast suppression(pps): -
Traffic optimize multicast suppression(pps): -
Traffic optimize unicast suppression(pps): -
Traffic optimize multicast to unicast: disable
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 10-16, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
The enterprise network administrator needs to set the rate limit of upstream traffic on each
STA associated with the AP to 2 Mbit/s and the limit of total rates of upstream traffic on all
STAs associated with the VAP to 30 Mbit/s.
[Figure 10-16: networking diagram. Labels: Internet; AC (GE0/0/1, GE0/0/2); SwitchA (GE0/0/1, GE0/0/2); AP; STAs; VLAN 100; VLAN 101]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Set the rate for upstream packets in the traffic profile used by the AP to implement traffic
policing on upstream packets on a specified STA and on all STAs associated with the
VAP.
Item                         Data
DHCP server                  The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP   10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
0 map 0
1 map 8
2 map 16
3 map 24
4 map 32
5 map 40
6 map 48
7 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
32-39 map 4
40-47 map 5
48-55 map 6
56-63 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------
----End
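The profile chain built in the procedure above (security profile and SSID profile bound into a VAP profile) and the tunnel-forwarding VLAN rule from the Configuration Notes can be checked before a command transcript is reused on a live AC. The Python script below is an added example, not part of the Huawei guide: the guest-* profiles are constructed, the 12-character minimum is an assumed local policy, and the management VLAN is passed in by the caller.

```python
import re

# Constructed transcript in the guide's CLI format. The wlan-* commands repeat
# the procedure above; the guest-* profiles are made up for this example.
TRANSCRIPT = """\
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
[AC-wlan-view] security-profile name guest-security
[AC-wlan-sec-prof-guest-security] security wpa2 psk pass-phrase 88888888 aes
[AC-wlan-sec-prof-guest-security] quit
[AC-wlan-view] ssid-profile name guest-ssid
[AC-wlan-ssid-prof-guest-ssid] ssid guest-net
[AC-wlan-ssid-prof-guest-ssid] quit
[AC-wlan-view] vap-profile name guest-vap
[AC-wlan-vap-prof-guest-vap] forward-mode tunnel
[AC-wlan-vap-prof-guest-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-guest-vap] security-profile guest-security
[AC-wlan-vap-prof-guest-vap] ssid-profile guest-ssid
[AC-wlan-vap-prof-guest-vap] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
"""

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*(.*)$")  # [AC-...] or <HUAWEI>
ENTER = re.compile(r"^(\S+) name (\S+)$")                    # "<kind> name <profile>"
TRACKED = ("security-profile", "ssid-profile", "vap-profile")
SETTINGS = [
    ("passphrase", re.compile(r"^security \S+ psk pass-phrase (\S+)")),
    ("ssid", re.compile(r"^ssid (\S+)$")),
    ("forward_mode", re.compile(r"^forward-mode (\S+)$")),
    ("service_vlan", re.compile(r"^service-vlan vlan-id (\d+)$")),
    ("security_profile", re.compile(r"^security-profile (\S+)$")),
    ("ssid_profile", re.compile(r"^ssid-profile (\S+)$")),
]
DOC_SAMPLES = {"a1234567"}  # pass-phrase printed in the guide's examples


def parse_profiles(transcript):
    """Return {kind: {profile_name: {setting: value}}} from typed commands."""
    profiles = {kind: {} for kind in TRACKED}
    current = None
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # warnings and display output carry no prompt
        cmd = m.group(1).strip()
        enter = ENTER.match(cmd)
        if enter:
            kind, name = enter.groups()
            # Untracked views (ap-group, radio profiles) end the current profile.
            current = profiles[kind].setdefault(name, {}) if kind in TRACKED else None
        elif cmd == "quit":
            current = None
        elif current is not None:
            for key, pattern in SETTINGS:
                hit = pattern.match(cmd)
                if hit:
                    current[key] = hit.group(1)
    return profiles


def passphrase_issues(pw, min_len=12):
    """min_len is an assumed local policy, not a value from the guide."""
    issues = []
    if pw in DOC_SAMPLES:
        issues.append("documentation sample pass-phrase")
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2:
        issues.append("single character class")
    return issues


def audit(transcript, mgmt_vlan):
    """Resolve VAP -> security/SSID profile references and list findings."""
    p = parse_profiles(transcript)
    findings = []
    for vap, cfg in sorted(p["vap-profile"].items()):
        ssid = p["ssid-profile"].get(cfg.get("ssid_profile"), {}).get("ssid")
        sec = p["security-profile"].get(cfg.get("security_profile"), {})
        if "passphrase" in sec:
            findings += [(vap, ssid, i) for i in passphrase_issues(sec["passphrase"])]
        if cfg.get("forward_mode") == "tunnel" and cfg.get("service_vlan") == str(mgmt_vlan):
            findings.append((vap, ssid, "service VLAN equals management VLAN in tunnel mode"))
    return findings


if __name__ == "__main__":
    for finding in audit(TRANSCRIPT, mgmt_vlan=100):
        print(finding)
```

Pass the management VLAN used for the AP-to-AC link (VLAN 100 in this guide) as mgmt_vlan; lines without a CLI prompt, such as warnings and display output, are ignored.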
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 10-17, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
The enterprise network administrator expects that users can be assigned equal bandwidth
occupation time so that the overall user experience can be improved.
[Figure 10-17: networking diagram. Labels: Internet; AC (GE0/0/1, GE0/0/2); SwitchA (GE0/0/1, GE0/0/2); AP; STAs; VLAN 100; VLAN 101]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Enable airtime fair scheduling to ensure that users on the same radio have equal
bandwidth occupation time to improve user experience.
DHCP server                  The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP   10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the RRM profile rrm and enable airtime fair scheduling.
[AC-wlan-view] rrm-profile name rrm
[AC-wlan-rrm-prof-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-rrm] quit
The channel and power configuration for the AP radios in this example is for reference only. In actual
scenarios, configure channels and power for AP radios based on country codes of APs and network planning
results.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 10-18, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
The enterprise network administrator expects that an ACL can be configured to prohibit
packets with the source IP address 10.23.100.10 and destination IP address 10.23.100.11.
[Figure 10-18: networking diagram. Labels: Internet; AC (GE0/0/1, GE0/0/2); SwitchA (GE0/0/1, GE0/0/2); AP; STAs; VLAN 100; VLAN 101]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure an ACL to filter packets.
Item                         Data
DHCP server                  The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP   10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 3001
rule 5 deny ip source 10.23.100.10 0 destination 10.23.100.11 0
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic
traffic-filter inbound ipv4 acl 3001
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
traffic-profile traffic
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
In Figure 10-19, to ensure that employees of an enterprise can access network resources of
departments, the enterprise needs to deploy WLAN services to implement mobile office. To
facilitate instant communication of employees, wireless terminals need to perform voice and
video communication, desktop sharing, and file transfer through Lync software.
The enterprise network administrator wants to increase priorities of Lync packets so that Lync
packets are processed preferentially during forwarding.
[Figure 10-19: networking diagram; labels: Lync server, network devices, AC, AC1, SwitchA, SwitchB, SwitchC, AP, AP1; VLAN 100 and VLAN 101 on the AC side, VLAN 200 and VLAN 201 on the AC1 side]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Increase priorities of Lync packets so that Lync packets are processed preferentially
during forwarding.
Item Data
NOTE
According to the networking and data plan, the configuration of AC1 is similar to that of the AC and the
configuration of SwitchB is similar to that of SwitchA. The AC and SwitchA are used as an example.
The configurations of AC1 and SwitchB are not mentioned here.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure routes based on the actual networking to ensure that the AC can communicate with each
device on the network. The route configuration is not provided here.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
ucc-profile name lync-service
app-share remark 8021p 3
file-transfer remark 8021p 2
video remark 8021p 6
voice remark 8021p 5
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
lync listener http-port 2000
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#V,P<>[Alx9w#65(;}U1*:RPcYv`/L!$/Xk6Mv1f>%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
ucc-profile lync-service
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 200 to 201
#
dhcp enable
#
ucc-profile name lync-service
app-share remark 8021p 3
file-transfer remark 8021p 2
video remark 8021p 6
voice remark 8021p 5
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
lync listener http-port 2000
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#ms[7Zm;\N"2e3w/`NzNHlj)u/NX[+F*]U1Pv.tuG%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 201
ssid-profile wlan-ssid
security-profile wlan-security
ucc-profile lync-service
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e550
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
10.9 FAQ
802.11e defines Quality of Service (QoS) for the wireless LAN, which provides the required
service quality for voice and multimedia applications and enhances network performance. Wi-
Fi Multimedia (WMM) defines four access categories, including voice, video, best effort, and
background to optimize network communication quality and ensure stable access of
corresponding applications to network resources. The WMM standard is a subset of IEEE
802.11e.
• In direct forwarding mode, you are advised to configure multicast packet suppression on
  switch interfaces connected to APs.
• In tunnel forwarding mode, you are advised to configure multicast packet suppression on
  WLAN-ESS interfaces of the AC in V200R8C00 and earlier versions and in traffic
  profiles of the AC in versions later than V200R008C00.
2. Create the traffic behavior test, enable traffic statistics collection, and set the traffic rate
limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
3. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
2. Create the traffic behavior test, enable traffic statistics collection, and set the traffic rate
limit.
[AC] traffic behavior test
[AC-behavior-test] statistic enable
[AC-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC-behavior-test] quit
3. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
Purpose
WLAN technology uses radio signals to transmit service data, meaning that service data can
easily be intercepted or tampered with by attackers when being transmitted on the open wireless
channels. Ensuring WLAN security is crucial to building safe and effective wireless networks.
WLAN technology can provide the following mechanisms to guarantee data security for
wireless users:
• WIDS and WIPS mechanisms that detect and defend against intrusion from unauthorized
  users
• Security policies for wireless users, including link authentication, access authentication,
  and data encryption
• Security mechanisms for wireless services.
Monitor APs can be configured to prevent intrusion to the network. When configured, the
wireless intrusion detection system (WIDS) can detect unauthorized users and APs by
periodically listening on wireless signals. The AC obtains information about wireless devices and
can take countermeasures on unauthorized devices.
Before configuring WIDS on an AP, configure the working mode of the AP.
An AP can work in two modes:
• normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
    and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
    services and also implements detection. Transmission of common WLAN services
    may be affected.
• monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but
  cannot transmit common WLAN services.
Intrusion detection consists of two phases: wireless device identification and rogue device
identification.
Monitor APs can be deployed on a network to prevent intrusions to the network. When
configured with the Wireless Intrusion Detection System (WIDS) function, monitor APs
periodically listen on wireless signals. The AC can obtain information about wireless devices
from the monitor APs and take measures to prevent access from rogue devices.
Before configuring rogue device detection on an AP, configure the AP working mode.
An AP can work in two modes:
• normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
    and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
    services and also implements detection. Transmission of common WLAN services
    may be affected.
• monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but
  cannot transmit common WLAN services.
Rogue device detection involves two phases: wireless device detection and rogue device
identification.
An AP can identify the following device types: AP, STA, wireless bridge, and ad-hoc
device.
– Wireless bridge: a device serving as a wireless communication bridge between two
or more networks.
– Ad-hoc device: a device on an ad-hoc network. An ad-hoc network is a temporary
wireless network composed of several devices with wireless network adapters, as
shown in Figure 11-1.
[Figure 11-1: ad-hoc network; diagram labels: three STAs]
NOTE
An AC can implement countermeasures on rogue devices to prevent them from accessing the network. For
details about countermeasures, see 11.2.2 Wireless Intrusion Prevention.
• Deauthentication frames are used to terminate established wireless links. Either an AP or a STA can
  send a Deauthentication frame to terminate the current link.
• Currently, an AC supports containment against rogue or interference APs that have the same or
  similar SSIDs as authorized APs managed by the AC and open-authentication APs.
• Unauthorized or interference STA
  After an AC identifies an unauthorized or interference STA, it sends information about
  the unauthorized or interference STA to a monitor AP. The monitor AP uses the identity
  information about the unauthorized or interference STA to unicast a Deauthentication
  frame. After the AP with which the unauthorized or interference STA associates receives
  the Deauthentication frame, the AP disassociates from the unauthorized or interference
  STA. This countermeasure prevents APs from associating with unauthorized or
  interference STAs.
• Ad-hoc device
  After an AC identifies an ad-hoc device, it sends information about the ad-hoc device to
  a monitor AP. The monitor AP uses the identity information about the ad-hoc device
  (BSSID and MAC address of the device) to unicast a Deauthentication frame. After the
  STAs that associate with the ad-hoc device receive the Deauthentication frame, the STAs
  disassociate from the ad-hoc device. This countermeasure prevents STAs from
  associating with ad-hoc devices.
[Figure 11-2: flooding attack; diagram labels: AC, LAN, AP, Attack]
In Figure 11-2, the AP receives a large number of management packets or empty data packets
that have the same type and source MAC address within a short period. This is a flooding
attack. As a result, the system is busy processing these attack packets and cannot process
packets from authorized STAs.
Flooding attack detection allows an AP to monitor the traffic volume of each STA to prevent
flooding attacks. When the traffic of a STA exceeds the allowed threshold (for example, the
AP receives more than 100 packets from a STA within 1 second), the AP considers this STA
to be flooding packets and reports an alarm to the AC. If a dynamic blacklist is configured,
the AP adds the detected device to the dynamic blacklist and discards all of the packets from
the attack device until the dynamic blacklist expires.
An AP can detect flooding attacks of the following packets:
• Authentication Request
• Deauthentication
• Association Request
• Disassociation
• Reassociation Request
• Probe Request
• Action
• EAPOL Start
• EAPOL-Logoff
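The detection rule described above, written out as an added example (not Huawei's implementation): a sliding-window counter per source MAC and frame type, an alarm when the count exceeds the threshold, and a dynamic blacklist that drops every packet from the device until the entry expires. The class and function names, the short frame-type labels, the 60-second blacklist aging time and the sample events are assumptions constructed for illustration; the 100-packets-in-1-second threshold is the page's own example.

```python
from collections import defaultdict, deque

# Frame types the section lists as covered by flooding attack detection
# (the short names are labels chosen for this example).
MONITORED_TYPES = {
    "auth-req", "deauth", "assoc-req", "disassoc", "reassoc-req",
    "probe-req", "action", "eapol-start", "eapol-logoff",
}


class FloodDetector:
    """Per-STA, per-frame-type sliding-window counter with a dynamic blacklist."""

    def __init__(self, threshold=100, window_ms=1000, blacklist_ttl_ms=60_000):
        self.threshold = threshold                # page's example: more than 100 packets
        self.window_ms = window_ms                # within 1 second
        self.blacklist_ttl_ms = blacklist_ttl_ms  # assumed aging time, not from the page
        self._recent = defaultdict(deque)         # (mac, type) -> timestamps in the window
        self._blacklist = {}                      # mac -> expiry timestamp (ms)
        self.alarms = []                          # (ts_ms, mac, type) reported to the AC

    def is_blacklisted(self, mac, now_ms):
        expiry = self._blacklist.get(mac)
        if expiry is None:
            return False
        if now_ms >= expiry:                      # entry aged out: accept the STA again
            del self._blacklist[mac]
            return False
        return True

    def observe(self, ts_ms, mac, ftype):
        """Classify one received frame as 'pass', 'alarm' or 'drop'."""
        # A blacklisted device loses all of its packets, whatever their type.
        if self.is_blacklisted(mac, ts_ms):
            return "drop"
        if ftype not in MONITORED_TYPES:
            return "pass"
        window = self._recent[(mac, ftype)]
        window.append(ts_ms)
        # Keep only frames newer than window_ms relative to the current frame.
        while window and ts_ms - window[0] >= self.window_ms:
            window.popleft()
        if len(window) > self.threshold:
            self.alarms.append((ts_ms, mac, ftype))
            self._blacklist[mac] = ts_ms + self.blacklist_ttl_ms
            window.clear()
            return "alarm"
        return "pass"


def replay(events, detector):
    """Feed (ts_ms, mac, frame_type) tuples in time order; count the verdicts."""
    verdicts = {"pass": 0, "alarm": 0, "drop": 0}
    for ts_ms, mac, ftype in sorted(events):
        verdicts[detector.observe(ts_ms, mac, ftype)] += 1
    return verdicts


def constructed_events():
    """Constructed sample: one well-behaved STA and one flooding STA."""
    benign, flooder = "0011-2233-4455", "66aa-bbcc-ddee"
    events = [(i * 100, benign, "probe-req") for i in range(20)]           # 10 frames/s
    events += [(500 + i * 2, flooder, "auth-req") for i in range(150)]     # 500 frames/s
    events.append((1000, flooder, "data"))      # dropped: device is blacklisted
    events.append((60_700, flooder, "auth-req"))  # accepted: blacklist entry expired
    return events


if __name__ == "__main__":
    det = FloodDetector()
    print(replay(constructed_events(), det))
    print(det.alarms)
```

The 101st Authentication Request inside one window raises the alarm, so a threshold that is too low for a busy cell turns roaming bursts into blacklist entries; tune it against observed per-STA management-frame rates.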
Weak IV Detection
[Figure 11-3: weak IV attack; diagram labels: AC, LAN, AP, STA, and an unauthorized STA that listens on the traffic and decrypts user information such as the account and password]
In Figure 11-3, when WEP encryption is used, a STA encrypts each packet it sends with a 3-byte
IV and a fixed shared key, so that the same shared key produces different ciphertext for each
packet. The IV is sent in plain text as part of the packet header. If the STA uses a weak IV
(the first byte of the IV ranges from 3 to 15 and the second byte is 255), attackers can
therefore easily crack the shared key and access network resources.
Weak IV detection identifies the IV of each WEP packet to prevent attackers from decrypting
the shared key. When the AP detects a packet carrying a weak IV, the AP sends an alarm to
the AC so that users can use other security policies to prevent STAs from using the weak IV
for encryption.
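The weak IV check described above, as an added example (not Huawei's implementation): it locates the cleartext IV in an 802.11 data frame, skips frames that are not WEP (unprotected frames and TKIP/CCMP frames, which set the ExtIV bit), and reports the sending STA when the IV matches the page's weak-IV rule. The function names and the sample frames are constructed for illustration; frames carrying an HT Control field are assumed not to occur.

```python
def is_weak_iv(iv: bytes) -> bool:
    """Page's rule: first IV byte in 3..15 and second IV byte equal to 255."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF


def wep_iv(frame: bytes):
    """Return the 3-byte WEP IV of an 802.11 data frame, or None if the frame is not WEP."""
    if len(frame) < 2:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2 or not fc1 & 0x40:     # need a data frame with Protected Frame set
        return None
    hdr = 24                             # FC, Duration, Addr1-3, Sequence Control
    if fc1 & 0x03 == 0x03:               # ToDS and FromDS both set: Address 4 present
        hdr += 6
    if subtype & 0x8:                    # QoS data subtypes add a 2-byte QoS Control
        hdr += 2
    if len(frame) < hdr + 4:
        return None
    iv, key_octet = frame[hdr:hdr + 3], frame[hdr + 3]
    if key_octet & 0x20:                 # ExtIV set: TKIP/CCMP header, not WEP
        return None
    return iv


def mac_text(raw: bytes) -> str:
    """Format 6 bytes in the xxxx-xxxx-xxxx style used on this page."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))


def scan_for_weak_iv(frames):
    """Return (transmitter MAC, IV hex) for every WEP frame that carries a weak IV."""
    alarms = []
    for frame in frames:
        iv = wep_iv(frame)
        if iv is not None and is_weak_iv(iv):
            alarms.append((mac_text(frame[10:16]), iv.hex()))  # Address 2 = sender
    return alarms


# ---- constructed sample frames (not captured traffic) ----
BSSID = bytes.fromhex("60de4476e360")    # AP MAC from the page's example, reused as BSSID


def build_frame(sta_mac, iv, *, qos=False, ext_iv=False, protected=True):
    fc0 = 0x08 | (0x80 if qos else 0)               # type = data, optional QoS subtype
    fc1 = 0x01 | (0x40 if protected else 0)         # ToDS, optional Protected Frame
    sta = bytes.fromhex(sta_mac.replace("-", ""))
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + BSSID + sta + BSSID + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv + bytes([0x20 if ext_iv else 0x00]) + b"\xaa" * 8


def constructed_frames():
    return [
        build_frame("0011-2233-4455", bytes([0x05, 0xFF, 0x10])),                # weak
        build_frame("0011-2233-4455", bytes([0x05, 0xFE, 0x10])),                # second byte not 255
        build_frame("6677-8899-aabb", bytes([0x03, 0xFF, 0x00]), qos=True),      # weak, QoS header
        build_frame("ccdd-eeff-0011", bytes([0x0A, 0xFF, 0x01]), ext_iv=True),   # CCMP/TKIP, ignored
        build_frame("2233-4455-6677", bytes([0x10, 0xFF, 0x00])),                # first byte is 16
        build_frame("2233-4455-6677", bytes([0x04, 0xFF, 0x00]), protected=False),
    ]


if __name__ == "__main__":
    for mac, iv in scan_for_weak_iv(constructed_frames()):
        print(f"weak IV {iv} from STA {mac}")
```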
[Figure: diagram labels: AC, LAN, Attack AP, AP, STA; a Deassociation frame interrupts normal data communication]
[Figure: diagram labels: Internet, AC, Switch, Monitor AP, Authorized AP (SSID: huawei), Rogue AP (SSID: huawei), STA; the STA dissociates from the rogue AP and goes online]
[Figure: diagram labels: Internet, AC, Authorized STA, Flood attack, PSK brute force attack]
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
AAA server
• Huawei servers such as the Policy Center and Agile Controller, or third-party AAA
  servers, perform authentication, accounting, and authorization on users.
Portal server
• Huawei servers such as the Policy Center and Agile Controller, or third-party Portal
  servers, receive authentication requests from Portal clients, provide free Portal services
  and a web authentication interface, and exchange authentication information of the
  authentication clients with access devices. This component is required only in Portal
  authentication mode.
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
WIDS/WIPS
• APs that have WDS or Mesh services configured cannot work in monitor mode.
• If WIDS, spectrum analysis, background neighbor probing, or terminal location is
  enabled on a radio, the radio cannot be used to establish a WDS bridge or Mesh link.
• V200R006C00, V200R007C00, and V200R008C00: When an AP working in hybrid
  mode periodically scans channels, services may be interrupted for a short time. The AP
  can only perform containment on the channel used by WLAN services. To perform
  containment on all channels, you need to configure the AP to work in monitor mode.
  However, the WLAN services are unavailable in this mode.
• V200R009C00, V200R010C00, V200R011C00, and V200R011C10: When an AP
  working in normal mode periodically scans channels, services may be interrupted for a
  short time. The AP working in normal mode can only perform containment on the
  channel used by WLAN services. To perform containment on all channels, you need to
  configure the AP to work in monitor mode. However, WLAN services are unavailable in
  this mode.
• V200R011C00, V200R011C10, and V200R012C00: When an AP working in normal
  mode periodically scans channels, services may be interrupted for a short time. The AP
  can perform containment on all channels.
• V200R006C00, V200R007C00, and V200R008C00: The configured WIDS or WIPS
  takes effect on an AP only after a service set is bound to the AP on the AC and the AC
  delivers the configurations to the AP.
• If the number of STAs is larger than 3K, you are advised to disable the WIDS function.
  This function affects the AC performance and reduces CPU performance by about 10%.
Security Policy
• The AP7030DE and AP9330DN do not support WAPI.
WIDS WIDS profile WIDS profile default, which has referenced the following profiles:
• No referenced WIDS confident profile
• No referenced WIDS spoof SSID profile
Task Description
Configuration Procedure
Perform the following steps in the listed order.
Context
In a WIDS profile, you can configure various WIDS and WIPS services. You can create
multiple WIDS profiles to carry different WIDS services and apply the profiles to different
APs as required.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-profile name profile-name
A WIDS profile is created and the WIDS profile view is displayed.
By default, the system provides the WIDS profile default.
----End
Context
Before configuring rogue device detection and containment, you need to configure the radio
working mode to determine whether a radio only transmits common WLAN services or both
transmits common WLAN services and performs the monitoring function.
An AP can work in two modes:
• normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
    and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
    services and also implements detection. Transmission of common WLAN services
    may be affected.
• monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but
  cannot transmit common WLAN services.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Set the working mode for radios in an AP group or for a specified radio.
You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
----End
Context
When the default air scan profile cannot meet user requirements, you can create a new one
and set air scan parameters as required, for example, air scan channel set, air scan period, and
air scan interval. The configured air scan profile applies to the radio calibration, smart
roaming, WLAN location, and WIDS functions.
Procedure
Step 1 Run system-view
Step 3 Run the air-scan-profile name profile-name command to create an air scan profile and enter
the air scan profile view.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
NOTE
A longer air scan period indicates more collected data and a more accurate data analysis result. However, if
the air scan period is set too large, WLAN services are affected. You are advised to use the default value.
Step 7 (Optional) Run the scan-interval scan-time command to set the air scan interval.
By default, the air scan interval is 10000 ms.
NOTE
• The air scan interval also applies to radio calibration, smart roaming, WLAN location, and WIDS
  functions.
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
  the scan-interval command to improve the scan frequency; however, higher scan frequency indicates
  much larger impact on the services.
You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air scan
profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP first. For
details, see 5.11.1.5 Binding a Radio Profile.
Step 10 Run the air-scan-profile profile-name command to apply the air scan profile.
By default, the air scan profile default is bound to a radio profile.
----End
Procedure
Step 1 Run system-view
You can enable device detection in the AP group radio view or AP radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
Step 4 (Optional) Set the intervals at which an AP reports the incremental detected wireless device
information.
1. Run the quit command to return to the WLAN view.
2. Run the wids-profile name profile-name command to enter the WIDS profile view.
3. Run the device report-interval interval command to set the interval at which an AP
reports the incremental detected wireless device information.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-spoof-profile name profile-name
A WIDS spoof SSID profile is created and the WIDS spoof SSID profile view is displayed.
By default, no WIDS spoof SSID profile exists in the system.
Step 4 Run spoof-ssid fuzzy-match regex regex-value
The fuzzy matching rule is configured for spoofing SSIDs.
By default, no fuzzy matching rule is configured for spoofing SSIDs.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run wids-profile name profile-name
The WIDS profile view is displayed.
Step 7 Run wids-spoof-profile profile-name
The WIDS spoof SSID profile is applied to the WIDS profile.
By default, no WIDS spoof SSID profile is bound to a WIDS profile.
----End
existing signal coverage areas. If these APs are contained, their services will be affected. To
prevent this situation, you can configure the WIDS whitelist profile to add these APs to a
WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.
The device determines whether a detected AP is authorized as follows:
1. Check whether the AP's MAC address is in the authorized MAC address list.
   – If so, the AP is an authorized AP.
   – If not, go to step 2.
2. Check whether the AP's OUI and SSID are in the OUI and SSID lists.
   – If only the SSID is configured, check whether the AP's SSID is in the authorized
     SSID list.
     ▪ If so, the AP is an authorized AP.
     ▪ If not, the AP is an unauthorized AP.
   – If only the OUI is configured, check whether the AP's OUI is in the authorized OUI
     list.
     ▪ If so, the AP is an authorized AP.
     ▪ If not, the AP is an unauthorized AP.
   – If both the OUI and SSID are configured, check whether the AP's OUI and SSID are
     in the OUI and SSID lists.
     ▪ If both are in the lists, the AP is an authorized AP.
     ▪ If neither or only one of them is in the lists, the AP is an unauthorized AP.
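The decision order above can be checked offline before a whitelist is rolled out. The following Python model is an added example, not Huawei code: the class name WidsWhitelist, the reason strings, the exact case-sensitive SSID comparison, the "unauthorized when neither an OUI nor an SSID list exists" fallback, and all sample MAC addresses and SSIDs are assumptions or constructed values.

```python
import re
from dataclasses import dataclass, field

_SEPARATORS = re.compile(r"[-:.]")


def _hex_digits(value: str, length: int) -> str:
    """Strip common MAC/OUI separators and require exactly `length` hex digits."""
    digits = _SEPARATORS.sub("", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % length, digits):
        raise ValueError(f"expected {length} hex digits, got {value!r}")
    return digits


@dataclass
class WidsWhitelist:
    """Hypothetical model of the three lists held by a WIDS whitelist profile."""
    macs: set = field(default_factory=set)
    ouis: set = field(default_factory=set)
    ssids: set = field(default_factory=set)

    def permit_mac(self, mac: str) -> None:
        self.macs.add(_hex_digits(mac, 12))

    def permit_oui(self, oui: str) -> None:
        self.ouis.add(_hex_digits(oui, 6))

    def permit_ssid(self, ssid: str) -> None:
        self.ssids.add(ssid)

    def classify(self, mac: str, ssid: str):
        """Return (authorized, rule) for one detected AP."""
        mac = _hex_digits(mac, 12)
        # Step 1: an exact MAC match authorizes the AP outright.
        if mac in self.macs:
            return True, "mac"
        oui_ok = mac[:6] in self.ouis
        # Assumption: SSIDs are compared exactly and case-sensitively.
        ssid_ok = ssid in self.ssids
        # Step 2: the check depends on which of the two lists are configured.
        if self.ouis and self.ssids:
            return (oui_ok and ssid_ok), "oui+ssid"
        if self.ssids:
            # An SSID-only list authorizes every AP advertising that SSID.
            return ssid_ok, "ssid-only"
        if self.ouis:
            return oui_ok, "oui-only"
        # Assumption: with neither list configured, a MAC miss is unauthorized.
        return False, "no-list"


def classify_all(whitelist: WidsWhitelist, detections):
    """Classify (mac, ssid) pairs, e.g. copied from a device-detected listing."""
    return [(mac, ssid) + whitelist.classify(mac, ssid) for mac, ssid in detections]


# Constructed sample data: none of these addresses come from a real network.
SAMPLE_DETECTIONS = [
    ("0011-2233-4455", "lobby"),      # listed MAC
    ("00aa-bb01-0203", "guest-net"),  # listed OUI and listed SSID
    ("00aa-bb01-0203", "wlan-net"),   # listed OUI, unlisted SSID
    ("0c00-0000-0001", "guest-net"),  # unlisted OUI, listed SSID
]

if __name__ == "__main__":
    wl = WidsWhitelist()
    wl.permit_mac("0011-2233-4455")
    wl.permit_oui("00-aa-bb")
    wl.permit_ssid("guest-net")
    for row in classify_all(wl, SAMPLE_DETECTIONS):
        print(row)
```

Running the same detections against an SSID-only list shows how much broader that configuration is than a MAC list or a combined OUI and SSID list.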
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-whitelist-profile name profile-name
A WIDS whitelist profile is created and the WIDS whitelist profile view is displayed.
By default, no WIDS whitelist profile exists in the system.
Step 4 Run permit-ap { mac-address mac-address | oui oui | ssid ssid }
A WIDS whitelist is configured.
By default, no WIDS whitelist is configured.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run wids-profile name profile-name
The WIDS profile view is displayed.
Step 7 Run wids-whitelist-profile profile-name
The WIDS whitelist profile is applied to the WIDS profile.
----End
Context
After the AC identifies a rogue or interference device, you can configure the APs to contain
the rogue or interference device. After the containment mode is set, the APs periodically send
control frames to disconnect authorized users from the rogue or interference device or
disconnect unauthorized users.
You can run the wids manual-contain command in the WLAN view to manually contain a
specified rogue or interference device in a complicated environment.
Procedure
Step 1 Run system-view
You can enable rogue or interference device containment in the AP group radio view or AP
radio view. The configuration in the AP group radio view takes effect on all AP radios in an
AP group and that in the AP radio view takes effect only on a specified AP radio. The
configuration in the AP radio view has a higher priority than that in the AP group radio view.
----End
Context
WIDS services are implemented on APs, including WLAN device detection and containment,
attacking device detection, and dynamic blacklist; therefore, the WIDS profile carrying the
WIDS services must be applied to an AP group or a specific AP.
Procedure
Step 1 Run system-view
NOTE
This step is optional when a radio works in monitor mode. When a radio works in monitor mode, the device
automatically checks whether the radio has a VAP bound. If not, the device automatically creates a VAP and
binds it to the radio to ensure normal scanning.
When a VAP profile exists in the system, you can use the existing one or create a new one.
2. Run the quit command to return to the WLAN view.
3. Bind the VAP profile to radios of an AP group or a specific AP as required to make the
radios properly work. For details, see 5.11.2.11 Binding VAP Profiles.
4. Run the quit command to return to the WLAN view.
----End
Context
After the WIDS configuration is complete, you can check profiles on the device, including
their configuration and profile reference information.
Procedure
• Run the display wids-profile { all | name profile-name } command to check information
  about the WIDS profile.
• Run the display wids-whitelist-profile { all | name profile-name } command to check
  information about the WIDS whitelist profile.
• Run the display wids-spoof-profile { all | name profile-name } command to check
  information about the WIDS spoof SSID profile.
• Run the display references wids-profile name profile-name command to check
  reference information about the WIDS profile.
Pre-configuration Tasks
Task Description
Configuration Procedure
Perform the following steps in the listed order.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-profile name profile-name
A WIDS profile is created and the WIDS profile view is displayed.
By default, the system provides the WIDS profile default.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Set the working mode for radios in an AP group or for a specified radio.
You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
----End
Context
When the default air scan profile cannot meet user requirements, you can create a new one
and set air scan parameters as required, for example, air scan channel set, air scan period, and
air scan interval. The configured air scan profile applies to the radio calibration, smart
roaming, WLAN location, and WIDS functions.
Procedure
Step 1 Run system-view
Step 3 Run the air-scan-profile name profile-name command to create an air scan profile and enter
the air scan profile view.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
NOTE
A longer air scan period indicates more collected data and a more accurate data analysis result. However, if
the air scan period is set too large, WLAN services are affected. You are advised to use the default value.
Step 7 (Optional) Run the scan-interval scan-time command to set the air scan interval.
By default, the air scan interval is 10000 ms.
NOTE
• The air scan interval also applies to radio calibration, smart roaming, WLAN location, and WIDS
  functions.
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
  the scan-interval command to improve the scan frequency; however, higher scan frequency indicates
  much larger impact on the services.
You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air scan
profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP first. For
details, see 5.11.1.5 Binding a Radio Profile.
Step 10 Run the air-scan-profile profile-name command to apply the air scan profile.
By default, the air scan profile default is bound to a radio profile.
----End
function is enabled, the WLAN devices automatically add the attacking devices to a dynamic
blacklist and discard packets sent from the attacking devices.
Procedure
Step 1 Run system-view
You can enable attack detection in the AP group radio view or AP radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
Step 6 Configure parameters according to the attack detection type set in Step 3.
• Flood attack detection
  a. Run the flood-detect interval interval command to set the flood attack detection
     interval.
     By default, the flood attack detection interval is 10 seconds.
  b. Run the flood-detect threshold threshold command to set the flood attack detection
     threshold.
     By default, the flood attack detection threshold is 500.
  c. Run the flood-detect quiet-time quiet-time-value command to set the quiet time for
     an AP to report the detected flood attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected flood
     attacks to the AC.
• Weak IV attack detection
  a. Run the weak-iv-detect quiet-time quiet-time-value command to set the quiet time
     for an AP to report the detected weak IV attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected weak IV
     attacks to the AC.
• Spoofing attack detection
  a. Run the spoof-detect quiet-time quiet-time-value command to set the quiet time for
     an AP to report the detected spoofing attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected spoofing
     attacks to the AC.
• Detection of brute force key cracking attacks
  a. Run the brute-force-detect interval interval command to set the interval for
     detecting brute force key cracking attacks.
     By default, the interval for brute force key cracking detection is 60 seconds.
  b. Run the brute-force-detect threshold threshold command to set the maximum
     number of key negotiation failures allowed within the period of the detection of
     brute force key cracking attacks.
     By default, an AP allows a maximum of 20 key negotiation failures within a brute
     force key cracking attack detection period.
  c. Run the brute-force-detect quiet-time quiet-time-value command to set the quiet
     time for an AP to report the detected brute force key cracking attacks to the AC.
     By default, the quiet time for an AP to report brute force key attacks to an AC is
     600 seconds.
NOTE
• The dynamic blacklist is saved on APs. After the dynamic blacklist function is enabled, the detected
  attacking devices are added to the dynamic blacklist. Within the aging time of the dynamic blacklist, the
  device discards packets sent from the blacklisted devices. You can run the dynamic-blacklist aging-time
  command to set the aging time of the dynamic blacklist.
• When an AP is configured to work in monitor mode, the dynamic blacklist function does not take effect.
----End
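When tuning the interval, threshold, and quiet-time values in Step 6, it helps to replay a known event trace and see how many reports would reach the AC. The Python model below is an added example, not the device's implementation: the per-source fixed window, the "count exceeds threshold" trigger, the suppression of repeat reports during the quiet time, the names ThresholdDetector and replay, and all MAC addresses and event traces are assumptions or constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class _SourceState:
    window_start: int                  # start of the current detection interval
    count: int = 0                     # events seen in the current interval
    last_report: Optional[int] = None  # time of the last report sent to the AC


@dataclass
class ThresholdDetector:
    """Simplified model of an interval/threshold/quiet-time detector."""
    interval: int     # detection interval in seconds (e.g. 60 for brute force)
    threshold: int    # events allowed per interval (e.g. 20 for brute force)
    quiet_time: int   # seconds during which repeat reports are suppressed
    _state: dict = field(default_factory=dict, repr=False)

    def observe(self, src: str, t: int) -> bool:
        """Record one event from `src` at time `t`; True means a report is sent."""
        st = self._state.get(src)
        if st is None:
            st = self._state[src] = _SourceState(window_start=t)
        elif t - st.window_start >= self.interval:
            # Assumption: counters restart when a detection interval elapses.
            st.window_start, st.count = t, 0
        st.count += 1
        # Detect once per interval, on the first event above the threshold.
        if st.count != self.threshold + 1:
            return False
        # Assumption: detections inside the quiet time are not reported again.
        if st.last_report is not None and t - st.last_report < self.quiet_time:
            return False
        st.last_report = t
        return True


def replay(events, detector: ThresholdDetector):
    """Feed (time, source) events in time order; return the reports raised."""
    reports = []
    for t, src in sorted(events, key=lambda e: e[0]):
        if detector.observe(src, t):
            reports.append((t, src))
    return reports


def sample_events():
    """Constructed trace: one source failing every 2 s, one user with 5 failures."""
    noisy = [(t, "0011-2233-4455") for t in range(0, 1500, 2)]
    user = [(t, "0011-2233-4466") for t in (10, 12, 14, 16, 18)]
    return noisy + user


if __name__ == "__main__":
    # Defaults stated in Step 6 for brute force key cracking detection.
    defaults = replay(sample_events(), ThresholdDetector(60, 20, 600))
    # Same trace with the quiet time removed, to show what it suppresses.
    no_quiet = replay(sample_events(), ThresholdDetector(60, 20, 0))
    print("reports with quiet time 600 s:", defaults)
    print("reports with quiet time 0 s:  ", len(no_quiet))
```

The same class accepts the flood defaults (10, 500, 600) by changing only the constructor arguments.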
Context
WIDS services are implemented on APs, including WLAN device detection and containment,
attacking device detection, and dynamic blacklist; therefore, the WIDS profile carrying the
WIDS services must be applied to an AP group or a specific AP.
Procedure
Step 1 Run system-view
When a VAP profile exists in the system, you can use the existing one or create a new one.
2. Run the quit command to return to the WLAN view.
3. Bind the VAP profile to radios of an AP group or a specific AP as required to make the
radios properly work. For details, see 5.11.2.11 Binding VAP Profiles.
4. Run the quit command to return to the WLAN view.
----End
Context
After the WIDS configuration is complete, you can check WIDS profiles on the device,
including their configuration and profile reference information, the list of attacking
devices, and the dynamic blacklist.
Procedure
• Run the display wids-profile { all | name profile-name } command to check information
  about the WIDS profile.
• Run the display references wids-whitelist-profile name profile-name command to
  check reference information about the WIDS whitelist profile.
• Run the display ap-system-profile { all | name profile-name } command to check the
  configuration of the AP system profile.
----End
Configuration Procedure
To improve VAP and WLAN security, you can enable strict STA IP address learning through
DHCP, dynamic ARP inspection (DAI), and IP source guard (IPSG), and disable the DHCP
and ND trusted port on an AP.
You can perform the following tasks in any sequence.
Context
When a STA associates with an AP, the following situation occurs after strict STA IP address
learning through DHCP is enabled:
• If the STA obtains an IP address through DHCP, the AP will automatically report the IP
  address to the AC. The STA IP address can be used to maintain the mapping entries
  between STA IP addresses and MAC addresses.
• If the STA uses a static IP address, configure related parameters to control the
  association of the STA with the AP.
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
• After strict STA IP address learning through DHCP is enabled, if the AC has learned the STA IP address
  through DHCP or statically, the STA using a bogus IP address will not be added to the blacklist. In this
  case, enable IPSG to prevent services from the bogus IP address from running.
• After strict STA IP address learning is enabled, it is recommended that you run the
  ip source check user-bind enable and arp anti-attack check user-bind enable commands to enable
  IP source guard and dynamic ARP inspection so that STAs cannot communicate with the network before
  obtaining an IP address through DHCP.
----End
Context
After dynamic ARP inspection (DAI) is enabled, an AP detects the ARP request and reply
packets transmitted on the VAPs, discards invalid and attack ARP packets, and sends an alarm
to the connected AC. DAI prevents unauthorized users from connecting to external networks
through the AP and protects authorized users from interference and ARP spoofing attacks. In
addition, DAI protects the AP's CPU from ARP attacks, which, if not prevented, will cause
unavailability of some functions on the AP or even make the AP break down.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
----End
Context
If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses
and network configuration parameters, and cannot communicate properly. After the DHCP
trusted port is disabled on an AP, the AP considers that a bogus DHCP server is deployed at
the user side when receiving DHCP OFFER, ACK, and NAK packets. The AP discards the
packets and reports the IP address of the bogus DHCP server to the connected AC.
In most cases, you need to enable the DHCP trusted port in an AP wired port profile. When
receiving DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers, the AP
forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online.
For the detailed configuration, see 6.9 Managing an AP's Wired Interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run undo dhcp trust port
The DHCP trusted port is disabled on the AP.
By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the
AP's uplink interface in the AP wired port profile view.
----End
Context
To defend against IP address spoofing attacks, enable the IP source guard (IPSG) function to
check IP packets against a binding table. This function prevents unauthorized packets from
passing through an AP and ensures network security.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run ip source check user-bind enable
The IPSG function is enabled on the AP.
By default, IP source guard is disabled on APs.
NOTE
After the IPSG function is enabled, run the undo learn-client-address ipv4 disable command to enable STA
address learning to make the IPSG function take effect.
----End
Context
A large number of broadcast or multicast packets on a device occupy many network
resources, affecting network services. To ensure normal running of network services, you can
limit the rate of broadcast and multicast packets on APs within a proper range.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Configure flood attack detection.
• Configure broadcast flood attack detection.
  a. Run the undo anti-attack broadcast-flood disable command to enable flood
     attack detection.
     By default, the broadcast flood detection function is enabled.
  b. Run the anti-attack broadcast-flood sta-rate-threshold sta-rate-threshold
     command to set the rate threshold for broadcast flood attack detection.
     By default, the broadcast flood threshold is 10 pps.
----End
Context
After WLAN network security is configured in a VAP profile, you need to bind the VAP
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to APs, the
configuration in a VAP profile can take effect on the APs.
After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group.
Procedure
• Bind a VAP profile to an AP group.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
     command to bind the VAP profile to the radio.
----End
Prerequisites
WLAN network security has been configured in a VAP profile.
Procedure
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
----End
Context
After configuring device detection and containment, you can check information about
detected WLAN devices, historical records of detected devices, and information about
contained devices.
Procedure
• Run the display wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ]
  bridge | [ rogue ] client | adhoc | [ rogue ] ssid | mac-address mac-address |
  monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] } command to check
  information about the detected WLAN devices.
• Run the display wlan ids device-detected statistics command to display statistics on all
  wireless devices detected on a WLAN.
• Run the display wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid |
  mac-address mac-address } command to check historical records of the detected devices.
• Run the display wlan ids contain { all | ap | adhoc | client | ssid |
  mac-address mac-address | monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] }
  command to check information about the contained devices.
----End
Context
After the WIDS configuration is complete, you can check WIDS profiles on the device,
including their configuration and profile reference information, the list of attacking
devices, and the dynamic blacklist.
Procedure
• Run the display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv |
  wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to check
  information about the detected attacking devices.
• Run the display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv |
  wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to check
  historical records of the detected attacking devices.
• Run the display wlan ids attack-detected statistics command to check statistics on the
  detected attacks.
• Run the { all | ap-id ap-id | ap-name ap-name | mac-address mac-address } command
  to check attacking devices added to the dynamic blacklist.
• Run the display station dynamic-blacklist { ap-id ap-id | ap-name ap-name }
  command to check the dynamic blacklist.
----End
Context
You can check air interface environment information about an AP radio to learn about the
radio's air interface quality.
After the display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio
radio-id ] command is executed, radio scanning of the AP is automatically enabled, and the
AP starts to scan the air interface environment of the radio. When you run this command for
the first time, no scanning result is displayed. To view the air interface environment scanning
result, run this command again.
Procedure
• Run display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio radio-id ]
----End
Context
After the WLAN security configuration is complete, check the configuration results. If the
configuration results are unnecessary or you need to re-collect the configuration results, clear
the existing configuration results.
Procedure
• Run the reset wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv |
  wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to clear
  information about the detected attacking devices.
• Run the reset wlan ids attack-detected statistics command to clear statistics on the
  detected attacks.
• Run the reset wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv |
  wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to clear
  historical records of the detected attacking devices.
• Run the reset wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ]
  bridge | [ rogue ] client | adhoc | ssid [ ssid ] | mac-address mac-address } command to
  clear the detected WLAN device list.
• Run the { ap-id ap-id | ap-name ap-name | mac-address mac-address | all } command
  to clear information in the dynamic blacklist.
• Run the reset wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid [ ssid ] |
  mac-address mac-address } command to clear historical records of the detected rogue
  devices.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 11-7, an enterprise branch deploys WLAN basic services and provides a
WLAN with the SSID of wlan-net for employees to access enterprise network resources.
STAs automatically obtain IP addresses.
The branch is located in an open place, making the WLAN vulnerable to attacks. A rogue AP
(AP2) having the same SSID wlan-net is deployed on the WLAN and attempts to steal
enterprise business information by establishing connections with STAs. This rogue AP
threatens information security on the enterprise network. To prevent such attacks, deploy a
monitor AP (AP3) and configure WIDS and WIPS functions to enable the AC to detect AP2
(neither managed by the local AC nor in the authorized AP list), preventing STAs from
associating with AP2.
[Figure 11-7: networking diagram. Labels: IP Network; AC (GE1/0/2, VLAN 101; GE0/0/1, VLAN 100);
SwitchA (GE0/0/2, GE0/0/1 and GE0/0/3, VLAN 100); STAs. Management VLAN: 100; service VLAN: 101.]
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure AP3 to work in monitor mode so that AP3 can detect and report information
about wireless devices to the AC.
3. Configure WIDS and WIPS so that the AC can contain the detected rogue APs (AP2 in
this example) and disconnect STAs from AP2.
NOTE
The following example configures WIDS and WIPS on the 2.4G radio of AP3. The configuration on the 5G
radio is similar.
Item: Data
DHCP server: The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24
• Name: ap-group2
• Referenced profile: VAP profile wlan-vap2, regulatory domain profile
  domain1, and WIDS profile wlan-wids
• Working mode of radio 0 in an AP group: monitor
• Device detection and rogue device containment on radio 0 in an AP
  group: enabled.
• Name: wlan-vap2
• Referenced profile: SSID profile wlan-ssid
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the SwitchA and AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 and GE0/0/3 that connect SwitchA to the APs to management VLAN 100 and
add GE0/0/2 that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add AP1 and AP3 to ap-group1 and ap-group2, respectively.
Assume that the AP1's MAC address is 60de-4476-e360 and the AP3's MAC address is
dcd2-fc04-b500.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name AP1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name AP3
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 AP1 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 10S
1 dcd2-fc04-b500 AP3 ap-group2 10.23.100.254 AP6010DN-AGN nor 0 15S
--------------------------------------------------------------------------------
Total: 2
# Create the security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
# Create the VAP profile wlan-vap2, and apply the SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] quit
# Create the WIDS profile wlan-wids and set the containment mode to containing rogue APs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit
STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22
----End
Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 11-8, the AC and AP are connected through access switch SwitchA. The
enterprise branch has deployed WLAN services for mobile office applications. To protect the
network against flood attacks and PSK cracking, configure the attack detection and dynamic
blacklist functions and add the attacking devices to the blacklist. Packets from the attacking
devices are discarded to ensure network stability and security.
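[Figure 11-8: networking diagram. The STAs associate with the AP; the AP connects to GE0/0/1 on
SwitchA (VLAN 100); GE0/0/2 on SwitchA connects to GE0/0/1 on the AC (VLAN 100); GE0/0/2 on the
AC (VLAN 101) connects to the Internet.]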
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure detection of brute force key cracking attacks for WPA2-PSK authentication
and detection of flood attacks so that the device can detect information about the
attacking devices.
3. Configure the dynamic blacklist function and add devices that initiate attacks to the
dynamic blacklist so that packets from the devices are discarded during the configured
aging time.
NOTE
The following example configures attack detection on the 2.4G radio. The configuration on the 5G radio is
similar.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP    10.23.100.2-10.23.100.254/24
IP address pool for STAs      10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
# Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication,
the maximum number of key negotiation failures allowed within the detection period to 25,
and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to
350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
# Create the AP system profile wlan-system and set the aging time of dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
# Bind the VAP profile wlan-vap, WIDS profile wlan-wids, and AP system profile wlan-
system to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit
Run the display wlan dynamic-blacklist all command to check devices on the dynamic
blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1
0024-2376-03e9 2014-11-20/16:15:53 pbr 1
0046-4b74-691f 2014-11-20/16:15:53 act 1
-------------------------------------------------------------------------------
Total: 3, printed: 3
----End
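Parsing the display wlan dynamic-blacklist all output shown above into structured records for a log pipeline or alerting rule, as an added example that is not part of the Huawei guide. The embedded sample is the output printed on this page; the function names and record fields are this example's own, and the row layout is assumed to match what the page shows.

```python
import re
from collections import Counter
from datetime import datetime

# Output of "display wlan dynamic-blacklist all", copied from this page.
SAMPLE_OUTPUT = """\
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1
0024-2376-03e9 2014-11-20/16:15:53 pbr 1
0046-4b74-691f 2014-11-20/16:15:53 act 1
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

# "code: meaning" pairs; two pairs can share one legend line.
LEGEND_RE = re.compile(r"(#?\w+):\s+(.+?)(?=\s+\w+:\s|$)")
# One blacklist row: MAC, timestamp, reason code, number of monitor APs.
ROW_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)$",
    re.IGNORECASE,
)
TOTAL_RE = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)")


def parse_dynamic_blacklist(text):
    """Return (entries, total) parsed from the command output.

    Legend lines precede the first dashed separator and are used to expand
    the reason codes in the rows that follow.
    """
    legend, entries = {}, []
    separators = 0
    total = printed = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:
            separators += 1
            continue
        if separators == 0:
            for code, meaning in LEGEND_RE.findall(line):
                legend[code] = meaning.strip()
            continue
        match = TOTAL_RE.match(line)
        if match:
            total, printed = int(match.group(1)), int(match.group(2))
            continue
        match = ROW_RE.match(line)
        if match:
            mac, seen, code, ap_count = match.groups()
            digits = mac.replace("-", "").lower()
            entries.append({
                "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
                "last_detected": datetime.strptime(seen, "%Y-%m-%d/%H:%M:%S"),
                "reason_code": code,
                "reason": legend.get(code, "unknown"),
                "monitor_aps": int(ap_count),
            })
    # A mismatch means rows were truncated or the layout changed.
    if printed is not None and printed != len(entries):
        raise ValueError(f"parsed {len(entries)} rows, device printed {printed}")
    return entries, total


def reasons_seen(entries):
    """Count blacklisted devices per flooded frame type, for triage."""
    return Counter(entry["reason"] for entry in entries)


if __name__ == "__main__":
    rows, total = parse_dynamic_blacklist(SAMPLE_OUTPUT)
    for row in rows:
        print(row["mac"], row["last_detected"].isoformat(), row["reason"])
    print(dict(reasons_seen(rows)), "total:", total)
```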
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
12.1.1 WEP
Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect the data of
authorized users from tampering during transmission on a WLAN. WEP uses the RC4
algorithm to encrypt data using a 64-bit, 128-bit, or 152-bit encryption key. Each encryption key
includes a 24-bit initialization vector (IV) generated by the system, so the key
configured on the WLAN server and client is 40, 104, or 128 bits long. WEP uses a static
encryption key. That is, all STAs associating with the same SSID use the same key to connect
to the wireless network.
A WEP security policy defines a link authentication mechanism and a data encryption
mechanism.
Link authentication mechanisms include open system authentication and shared key
authentication. For details about link authentication, see "Link Authentication" in 5.2.6 STA
Access.
• If open system authentication is used, data is not encrypted during link authentication.
  After a user goes online, service data can be encrypted by WEP or not, depending on the
  configuration.
• If shared key authentication is used, the WLAN client and server complete key
  negotiation during link authentication. After a user goes online, service data is encrypted
  using the negotiated key.
12.1.2 WPA/WPA2
WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This
authentication method requires the same static key pre-configured on the server and client.
Both the encryption mechanism and encryption algorithm can bring security risks to the
network.
The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings
of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4
algorithm, but it uses an 802.1X authentication framework and supports Extensible
Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-
Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity
Protocol (TKIP) encryption algorithm.
Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP),
a more secure encryption algorithm than those used in WPA.
Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption
algorithms, ensuring better compatibility. The two protocols provide almost the same security
level and their difference lies in the protocol packet format.
Link Authentication
Link authentication can be completed in open system authentication or shared key
authentication mode. WPA and WPA2 support only open system authentication. For details,
see "Link Authentication" in 5.2.6 STA Access.
Access Authentication
WPA and WPA2 have an enterprise edition and a personal edition.
• The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a
  RADIUS server and the EAP protocol for authentication. Users provide authentication
  information, including the user name and password, and are authenticated by an
  authentication server (generally a RADIUS server).
  Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.
NOTE
For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration
Guide - User Access and Authentication Configuration Guide.
WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure
12-1 and Figure 12-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X
authentication processes.
[Figure 12-1 and Figure 12-2: EAP-TLS and EAP-PEAP 802.1X authentication processes. Recoverable
labels in both figures: open system authentication, association, EAP start.]
802.1X authentication can be used to authenticate wireless and wired users, whereas PSK
authentication is specific to wireless users.
PSK authentication requires that a STA and an AC be configured with the same PSK. The
STA and AC authenticate each other through key negotiation. During key negotiation, the
STA and AC use their PSKs to decrypt the message sent from each other. If the messages are
successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK
authentication is successful; otherwise, PSK authentication fails.
Key Negotiation
802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The
pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group
key hierarchy protects broadcast or multicast data exchanged between STAs and APs.
During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a
pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt
unicast packets, and the GTK is used to encrypt multicast and broadcast packets.
• In 802.1X authentication, a PMK is generated in the process shown in Figure 12-1.
• In PSK authentication, the method to generate a PMK varies according to the form of the
  PSK, which is configured using a command:
  – If the PSK is a hexadecimal numeral string, it is used as the PMK.
  – If the PSK is a character string, the PMK is calculated using a hash algorithm based
    on the PSK and service set identifier (SSID).
Key negotiation consists of unicast key negotiation and multicast key negotiation.
• Unicast key negotiation
  Key negotiation is completed through a four-way handshake between a STA and an AC,
  during which the STA and AC send EAPOL-Key frames to exchange information, as
  shown in Figure 12-3.
  [Figure 12-3: four-way handshake between the STA and AC. Recoverable labels: the STA generates
  a random number SNonce and the AC generates a random number ANonce; ① EAPOL-Key(ANonce);
  Generate PTK; ④ EAPOL-Key(MIC); Install PTK.]
c. The AC sends an EAPOL-Key frame to the STA to request the STA to install the
PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC,
and encrypted GTK.
d. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has
been installed and will be used. The AC installs the PTK after receiving the
EAPOL-Key frame.
• Multicast key negotiation
  Multicast key negotiation is completed through a two-way handshake. The two-way
  handshake begins after the STA and AC generate and install a PTK through a four-way
  handshake. Figure 12-4 shows the two-way handshake process.
  [Figure 12-4: two-way handshake between the STA and AC. Recoverable labels: generate a random
  number GNonce; ① EAPOL-Key(Gnonce, Key RSC, MIC, GTK, IGTK); ② EAPOL-Key(Gnonce, MIC).]
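The PMK and PTK derivation and the MIC check of the four-way handshake described above, as an added example that is not Huawei code. It assumes the standard IEEE 802.11i functions: PBKDF2-HMAC-SHA1 with the SSID as salt for the "hash algorithm" the text mentions, and a 384-bit PTK for CCMP. The MAC addresses, nonces and frame bodies are constructed and are not bit-exact EAPOL-Key frames; the pass phrase and SSID are the ones used in this guide's configuration example.

```python
import hashlib
import hmac


def pmk_from_psk(psk, ssid, is_hex=False):
    """Return the 256-bit PMK for a configured PSK.

    Hexadecimal PSK (64 hex digits): used directly as the PMK.
    Character string: PBKDF2-HMAC-SHA1(psk, salt=SSID, 4096 iterations).
    """
    if is_hex:
        pmk = bytes.fromhex(psk)
        if len(pmk) != 32:
            raise ValueError("a hexadecimal PSK must be 64 hex digits")
        return pmk
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Expand the PMK into KCK, KEK and TK using both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_mic(kck, frame):
    """MIC for the AES key descriptor: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def mac_bytes(mac):
    """Convert the xxxx-xxxx-xxxx notation used in this guide to 6 bytes."""
    return bytes.fromhex(mac.replace("-", ""))


def four_way_handshake(sta_psk, ac_psk, ssid, aa, spa, anonce, snonce):
    """Return the installed TK, or None when key negotiation fails."""
    sta_pmk = pmk_from_psk(sta_psk, ssid)
    ac_pmk = pmk_from_psk(ac_psk, ssid)
    # Message 1 (AC -> STA) carries ANonce; no PTK exists yet, so no MIC.
    # Message 2 (STA -> AC): the STA derives its PTK and sends SNonce + MIC.
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    msg2 = b"constructed-msg2" + snonce
    msg2_mic = eapol_mic(sta_ptk["KCK"], msg2)
    # The AC derives its own PTK and recomputes the MIC. With different PSKs
    # the KCKs differ and the check fails: a key negotiation failure.
    ac_ptk = derive_ptk(ac_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(msg2_mic, eapol_mic(ac_ptk["KCK"], msg2)):
        return None
    # Message 3 (AC -> STA): ANonce + MIC (the encrypted GTK is omitted here).
    msg3 = b"constructed-msg3" + anonce
    msg3_mic = eapol_mic(ac_ptk["KCK"], msg3)
    if not hmac.compare_digest(msg3_mic, eapol_mic(sta_ptk["KCK"], msg3)):
        return None
    # Message 4 (STA -> AC) confirms installation; both sides now hold the TK.
    return ac_ptk["TK"] if ac_ptk["TK"] == sta_ptk["TK"] else None


# Constructed inputs for the demonstration.
AA = mac_bytes("0200-0000-0001")     # authenticator (AP radio) address
SPA = mac_bytes("0200-0000-0002")    # supplicant (STA) address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    ok = four_way_handshake("a1234567", "a1234567", "wlan-net", AA, SPA, ANONCE, SNONCE)
    bad = four_way_handshake("a1234568", "a1234567", "wlan-net", AA, SPA, ANONCE, SNONCE)
    print("matching PSK installs TK:", ok.hex())
    print("wrong PSK result:", bad)
```

Because the SSID is the salt, the same pass phrase yields a different PMK on every SSID, and a mismatch surfaces only as a failed MIC check at message 2.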
Data Encryption
WPA and WPA2 support the TKIP and CCMP encryption algorithms.
• TKIP
  Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and
  management mechanism. Each user obtains an independent key through dynamic
  negotiation. User keys are calculated using the PTK generated in key negotiation, the
  MAC address of the sender, and the packet sequence number.
  TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of
  data sent by the sender and receiver. This mechanism protects information integrity. A
  MIC is calculated using the MIC key generated during key negotiation, the destination
  MAC address, source MAC address, and data frame.
• CCMP
  While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced
  Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects
  of the RC4 algorithm and provides a higher level of security.
12.1.3 WAPI
WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national standard for
WLANs, which was developed based on IEEE 802.11. WAPI provides higher security than
both WEP and WPA and consists of the following:
• WLAN Authentication Infrastructure (WAI): authenticates user identities and manages
  keys.
• WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides
  the encryption, data verification, and anti-replay functions.
WAPI uses the elliptic curve cryptography (ECC) algorithm, which is based on public key
cryptography, and a block key algorithm, which is based on symmetric-key cryptography. The ECC
algorithm is used for digital certificate authentication and key negotiation between wireless
devices. The block key algorithm is used to encrypt and decrypt data transmitted between
wireless devices. The two algorithms implement identity authentication, link authentication,
access control, and user information encryption.
WAPI has the following features:
• Bidirectional identity authentication
  Bidirectional identity authentication prevents access from unauthorized STAs and
  protects a WLAN against attacks from unauthorized WLAN devices.
• Digital certificate as identity information
  A WAPI system has an independent certificate server. STAs and WLAN devices use
  digital certificates to prove their identities, improving network security. When a STA
  requests to join or leave a network, the administrator only needs to issue a certificate to
  the STA or revoke the certificate of the STA.
• Well-developed authentication protocol
  WAPI uses digital certificates to identify STAs and wireless devices. During identity
  authentication, the elliptic curve digital signature algorithm is used to verify a digital
  certificate. In addition, the secure message hash algorithm is used to ensure message
  integrity, which prevents attackers from tampering with or forging information transmitted
  during identity authentication.
WAPI involves identity authentication and key negotiation, which begin after a STA
associates with an AC, as shown in Figure 12-5.
[Figure 12-5: WAPI networking with the STA, AP, AC, ASU, and Internet: ① STA associates with AC,
② identity authentication, ③ key negotiation.]
Identity Authentication
WAPI provides two identity authentication modes: certificate-based mode (WAPI-CERT) and
pre-shared key-based mode (WAPI-PSK).
• WAPI-CERT: A STA and an AC authenticate each other's certificate. The certificates
  must be loaded on the STA and AC and verified by an authentication service unit (ASU).
  After certificate authentication is complete, the STA and AC use the temporal public key
  and private key to generate a base key (BK) for key negotiation.
  The WAPI-CERT mode is applicable to large-scale enterprise networks or carrier
  networks that can deploy and maintain an expensive certificate system.
  Figure 12-6 shows the WAPI certificate authentication process.
  [Figure 12-6: WAPI certificate authentication among the STA, AC, and ASU: ① authentication
  activation, ② access authentication request, ③ certificate authentication request,
  ④ certificate authentication response, ⑤ access authentication response.]
a. Authentication activation
When a STA requests to associate or re-associate with an AC, the AC checks
whether the user is a WAPI user. If the user is a WAPI user, the AC sends an
authentication activation packet to trigger the certificate authentication process.
b. Access authentication request
The STA sends an access authentication request carrying the STA's certificate and
the system time to the AC. The system time is the access authentication request
time.
c. Certificate authentication request
When the AC receives the access authentication request, it records the access
authentication request time and sends a certificate authentication request to the
ASU. The certificate authentication request carries the STA's certificate, access
authentication request time, the AC's certificate, and a signature generated using the
AC's private key and the preceding information.
d. Certificate authentication response
When the ASU receives the certificate authentication request, it authenticates the
AC's signature and certificate. If the AC's signature and certificate are invalid, the
authentication fails. If they are valid, the ASU authenticates the STA's certificate.
After the authentication is complete, the ASU constructs a certificate authentication
response with the STA's certificate authentication result, AC's certificate
authentication result, and a signature generated using the authentication results, and
sends the certificate authentication response to the AC.
e. Access authentication response
When the AC receives the certificate authentication response, it checks the
signature to obtain the STA's certificate authentication result, and controls access of
the STA based on the certificate authentication result. The AC then forwards the
certificate authentication response to the STA. The STA checks the signature
generated by the ASU to obtain the AC's certificate authentication result, and
determines whether to associate with the AC based on the result.
If the certificate authentication succeeds, the AC accepts the access request. If the
certificate authentication fails, the AC disassociates the STA from the network.
• WAPI-PSK: The STA and AC have the same PSK configured before authentication. The
  PSK is converted into a BK during authentication.
  The WAPI-PSK mode does not require an expensive certificate system, so it is applicable
  to individual users or small-scale enterprise networks.
Key Negotiation
After the AC is authenticated by the ASU, the AC initiates key negotiation with the STA. Key
negotiation consists of two stages: unicast key negotiation and multicast key negotiation.
• Unicast key negotiation
  The STA and AC obtain a unicast encryption key and unicast integrity key through
  unicast key negotiation and use these keys to ensure the security of unicast data
  exchanged between them.
  During unicast key negotiation, the STA and AC use the KD-HMAC-SHA256 algorithm
  to calculate a unicast session key (USK) based on the BK. In addition to the USK, the
  STA and AC also negotiate the encryption key and identity key used to generate the
  multicast key.
  [Figure: unicast key negotiation between the STA and AC: ① unicast key negotiation request,
  ② unicast key negotiation response, ③ unicast key negotiation ACK; obtain or deliver unicast key.]
WAPI allows the STA to directly send a unicast key negotiation response to the AC to
initiate a unicast key update.
ii. Checks whether the challenge of the AC is the same as the challenge that is
obtained in last unicast key negotiation and saved locally. If the two challenges
are different, the STA drops the unicast key negotiation request packet.
iii. Generates a random challenge, and then uses the KD-HMAC-SHA256
algorithm to calculate a USK and the AC's challenge used for the next unicast
key negotiation based on the BK, the AC's challenge, and the STA's challenge.
iv. Uses the message authentication key and HMAC-SHA256 algorithm to
calculate a message authentication code, and sends it to the AC with a unicast
key negotiation response packet.
c. Unicast key negotiation ACK
After the AC receives the unicast key negotiation response packet, it performs the
following steps:
i. Checks whether the AC's challenge is correct. If the AC's challenge is
incorrect, the AC drops the unicast key negotiation response packet.
ii. Uses the KD-HMAC-SHA256 algorithm to calculate a USK and the AC's
challenge used for the next unicast key negotiation based on the BK, AC's
[Figure: multicast key negotiation between the STA and AC: ① multicast key advertisement,
② multicast key response; obtain or deliver multicast key.]
Key Update
WAPI features a dynamic key negotiation mechanism, but there may still be security risks if a
STA uses the same encryption key for a long time. To enhance security, WAPI provides a
time-based key update mechanism.
Time-based key update: The unicast and multicast keys of a STA have an aging time
(configured using a command). When the aging time of the current unicast or multicast key
expires, the STA and AC negotiate a new unicast or multicast key.
As shown in Figure 12-9, a carrier WLAN network usually uses WEP (no authentication, no
encryption) and Portal authentication. When a STA attempts to connect to the wireless network,
the AC pushes the Portal authentication web page to the user. The user must enter the user
name and password on the displayed web page. If the user is successfully authenticated by the
RADIUS server, the user can connect to the Internet wirelessly.
[Figure 12-9: networking diagram showing STA1, STA2, the AP, the AC, the Internet, a RADIUS server,
and a Portal server.]
Before configuring security policy, perform the task of 5 WLAN Service Configuration.
Configuration Procedure
WLAN security policies are configured using profiles. Figure 12-10 shows the configuration
flowchart.
[Figure 12-10: configuration flowchart. Recoverable label: VAP profile.]
Context
WLAN security policies are configured in security profiles, and only one security policy can
be configured in a security profile. You can create multiple security profiles with different
security policies and apply the profiles to different VAPs as required.
Procedure
Step 1 Run system-view
By default, security profiles default, default-wds, and default-mesh are available in the
system.
----End
Context
The following table gives recommendations on configuring a WLAN security policy. For the
NAC configuration, see NAC Configuration (Unified Mode).
[Table: recommended WLAN security policy configurations. Column headings: Scenario, Recommended Configuration, User Access Authentication Mode. Only these cell values survive: External Portal authentication; MAC address authentication; Individual or home networks; WAPI-PSK; None.]
Configuration Procedure
Choose one of the preceding security policies to configure.
Context
Open system authentication means no authentication and no encryption, and anyone can
connect to the network without authentication. To ensure network security, you are advised to
configure open system authentication together with Portal authentication or MAC address
authentication. For configuration of Portal authentication and MAC address authentication,
see NAC Configuration (Unified Mode).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security open
The security policy is set to open system authentication.
By default, the security policy is open system.
----End
Context
WEP uses a shared key to authenticate users and encrypt service packets. Because the shared key
is easily deciphered, the WEP security policy is not recommended due to its low security.
When configuring WEP, you are advised to enable detection of brute force key cracking
attacks. For details, see 11.7.4 Configuring WIDS Attack Detection and a Dynamic
Blacklist.
Procedure
Step 1 Run system-view
When the share-key parameter is present, WEP uses the configured shared key to
authenticate wireless terminals and encrypt service packets. If the parameter is not present,
WEP only encrypts the service packets. A shared key is configured on the wireless terminals
regardless of whether the parameter is present.
Each AP can have at most four key indexes configured. The key indexes used by different
VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the
security wep [ share-key ] command.
Step 5 Run wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value
Four shared keys can be configured for WEP. You can run the command to make the key with
the specified index take effect. The key index ID of the device starts from 0.
After an SSID of a WLAN is scanned, users cannot access the network by clicking or
double-clicking the SSID on some terminals due to default terminal settings. In this situation,
manually create a WLAN on the terminals, and enter the SSID, identity authentication and
encryption modes, key, and key index configured on the device. After that, users can connect
to the WLAN through the terminals. The key index on some terminals starts from 1 and
ranges from 1 to 4. The key indexes configured on the terminal must map to those configured on
the device in ascending order. For example, if the key index 0 takes effect on the device,
the key index should be set to 1 on the terminal.
----End
Context
Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm.
The WPA and WPA2 protocols provide almost the same security level; they differ in
the protocol packet format.
The WPA/WPA2-PSK security policy applies to individual, home, and SOHO networks that
do not require high security. The implementation of the security policy does not require an
authentication server. If a wireless terminal supports only WEP encryption, the terminal can
implement PSK+TKIP without hardware upgrading, whereas the terminal may need to
upgrade its hardware to implement PSK+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable
terminals of various types to access the network and facilitate network management, you can
configure WPA and WPA2 simultaneously on the device. If the security policy is set to
WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the
WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports
TKIP or AES can implement service packet encryption.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip |
aes-tkip }, or security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes
The security policy is set to WPA/WPA2-PSK.
Step 5 (Optional) Run wpa ptk-update enable
Periodic PTK update is enabled.
By default, periodic PTK update is disabled.
NOTE
When periodic PTK update is implemented, some terminals may go offline due to individual problems.
----End
Context
Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm.
The WPA and WPA2 protocols provide almost the same security level; they differ in
the protocol packet format.
WPA/WPA2-802.1X applies to enterprise networks that require high security. An independent
authentication server needs to be deployed. If customers' devices support only WEP
encryption, the devices can implement 802.1X+TKIP without hardware upgrading, whereas
the devices may need to upgrade their hardware to implement 802.1X+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable
terminals of various types to access the network and facilitate network management, you can
configure WPA and WPA2 simultaneously on the device. If the security policy is set to
WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the
WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports
TKIP or AES can implement service packet encryption.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }, or
security wpa-wpa2 dot1x tkip aes
The security policy is set to WPA/WPA2-802.1X.
An authentication profile must be configured for 802.1X access authentication. For details,
see NAC Configuration (Unified Mode).
The authentication type in the security profile and authentication profile must both be set to
802.1X authentication. You can run the display wlan config-errors command to check
whether error messages are generated for authentication type mismatch between the security
profile and authentication profile.
Step 5 (Optional) Run wpa ptk-update enable
NOTE
When periodic PTK update is implemented, some terminals may go offline due to individual problems.
The authentication mode WPA2 and encryption mode AES are required.
----End
Context
WAPI allows only robust security network association (RSNA), providing higher security
than WEP or WPA/WPA2.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA
uses the same encryption key for a long time. Both the unicast session key (USK) and
multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its
lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.
NOTE
Procedure
Step 1 Run system-view
----End
Context
WAPI allows only robust security network association (RSNA), providing higher security
than WEP or WPA/WPA2.
WAPI-PSK applies to large-scale enterprise networks or carrier networks that can deploy and
maintain an expensive certificate system.
WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format.
The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for
WAPI, ensure that the certificate file is saved in the root directory of the storage medium.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA
uses the same encryption key for a long time. Both the unicast session key (USK) and
multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its
lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security wapi certificate
The security policy is set to WAPI-certificate.
Step 5 Configure the certificate file and ASU server.
1. Run the wapi import certificate { ac | asu | issuer } format pkcs12 file-name
file-name password password or wapi import certificate { ac | asu | issuer } format pem
file-name file-name command to import the AC certificate file, certificate of the AC
certificate issuer, and ASU certificate file.
By default, the AC certificate file, certificate of the AC certificate issuer, and ASU
certificate file are not imported.
2. Run the wapi import private-key format pkcs12 file-name file-name password
password or wapi import private-key format pem file-name file-name command to
import the AC's private key file.
By default, no AC private key file is imported.
3. Run the wapi asu ip ip-address command to configure the ASU server's IP address.
By default, no IP address is specified for the ASU server.
4. (Optional) Run the wapi cert-retrans-count cert-count command to set the number of
retransmissions of certificate authentication packets.
By default, the number of retransmissions is 3.
Step 6 (Optional) Run the wapi source interface { vlanif vlan-id | loopback loopback-number }
command to configure a VLANIF interface or a loopback interface as the source interface for
the AC to communicate with the ASU server.
By default, no source interface is configured for an AC to communicate with an ASU server.
The IP address of the WAPI source interface on the AC must be on the same network segment
as the IP address of the ASU server. If no WAPI source interface is configured, the IP address
of the AC source interface is used as the source IP address for sending WAPI packets to the
WAPI server by default.
Step 7 (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }
The interval for updating a Base Key (BK) and the BK lifetime percentage are set.
The value obtained by multiplying the interval for updating a BK by the BK lifetime
percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is
less than 300s, the BK may be updated before negotiation is complete due to low STA
performance. In this case, some STAs may be forced offline or cannot go online.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
If a STA is not authenticated within the timeout period, no SA is established and the STA
cannot go online.
The interval for updating a USK, and number of retransmissions of USK negotiation packets
are set.
By default, the interval for updating a USK is 86400s; the number of retransmissions of USK
negotiation packets is 3.
The interval for updating an MSK, and number of retransmissions of MSK negotiation
packets are set.
By default, the interval for updating an MSK is 86400s; the number of retransmissions of
MSK negotiation packets is 3.
----End
Context
After a WLAN security policy is configured in a security profile, bind the security profile to a
VAP profile. Each VAP profile contains one security profile. Wireless terminals can connect
to the WLAN through an SSID only after they complete identity authentication according to
the security policy configured in the VAP profile.
Procedure
Step 1 Run system-view
----End
Context
After the WLAN security policy configuration is complete, check the security profiles on the
device, including their configuration and profile reference information, and content of the
certificate imported during WAPI-certificate authentication.
Procedure
l Run the display security-profile { all | name profile-name } command to check
information about a security profile.
l Run the display references security-profile name profile-name command to check
reference information about a security profile.
l Run the display wlan wapi certificate file-name file-name command to check the
content of the certificate imported during WAPI-certificate authentication.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-11, the AC and AP are connected through access switch SwitchA. A
residential community provides a WLAN with the SSID wlan-net so that residents can access
the network anywhere at any time. STAs automatically obtain IP addresses.
Because the WLAN is open to users, there are potential security risks. Users do not require
high security, so a WEP security policy using shared key authentication and WEP encryption
can be configured.
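[Figure 12-11: networking diagram. The AC connects to the Internet through GE0/0/2 (VLAN 101) and to SwitchA GE0/0/2 through GE0/0/1 (VLAN 100). SwitchA GE0/0/1 (VLAN 100) connects to the AP, which serves the STAs.]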
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WEP security policy using shared key authentication and WEP-128
encryption in a security profile to ensure data security.
Item                        Data
DHCP server                 The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP  10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create the security profile wlan-security and set the security policy to WEP.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wep share-key
Warning: If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
configured, the function of denying access of legacy STAs cannot take effect.
[AC-wlan-sec-prof-wlan-security] wep key 0 wep-128 pass-phrase a123456781234567
[AC-wlan-sec-prof-wlan-security] wep default-key 0
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
NOTE
After the PC scans an SSID, if you double-click the SSID and enter the key, association may fail. You
need to add a WLAN on the PC.
l Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID
wlan-net, cancel the selection of The key is provided for me automatically, set the network
authentication mode to shared-key mode and encryption mode to WEP, and configure the
network key and corresponding key index.
l Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create a
network profile. Add SSID wlan-net, set the encryption and authentication modes, and click
Next.
2. Click Change connection settings, click the Security tab, and set the key index on the
Security tab page.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wep share-key
  wep key 0 wep-128 pass-phrase %^%#n}@bOmft:IG"|%Sq.Rs0GYm=Sc.iX4k<_b9mL^LT%^%#
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
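The following Python audit is an added example, not part of the Huawei guide. It reads an AC configuration file like the one above, maps each security profile to the VAP profiles that reference it, and flags the settings this chapter warns about: open system, WEP, and a WAPI BK update interval whose product with the BK lifetime percentage falls below 300 seconds. The sample configuration, the profile names home-psk, corp-dot1x, wapi-cert, guest and guest-vap, the written form of the wapi lines in a saved file, and the TKIP rating are assumptions of the example.

```python
import re

# Constructed sample laid out like the AC configuration file above. Profile
# names other than wlan-security and wlan-vap, and the key values, are placeholders.
SAMPLE_CONFIG = """\
wlan
 security-profile name wlan-security
  security wep share-key
  wep key 0 wep-128 pass-phrase <ciphertext-placeholder>
 security-profile name home-psk
  security wpa-wpa2 psk pass-phrase <ciphertext-placeholder> aes-tkip
 security-profile name corp-dot1x
  security wpa2 dot1x aes
 security-profile name wapi-cert
  security wapi certificate
  wapi bk-update-interval 400
  wapi bk-threshold 70
 security-profile name guest
 vap-profile name wlan-vap
  security-profile wlan-security
 vap-profile name guest-vap
  security-profile guest
#
return
"""

CIPHERS = {"aes", "tkip", "aes-tkip"}
# A line that opens a new block inside the wlan view.
HEADER = re.compile(r"^(?:(\S+-profile|ap-group) name (\S+)|ap-id \d+.*)$")


def parse_profiles(config_text):
    """Return ({security profile: [lines]}, {security profile: [VAP profiles]})."""
    sec, refs = {}, {}
    kind = name = None
    for raw in config_text.splitlines():
        line = raw.strip()  # exports can lose indentation, so never rely on it
        if line in ("", "#", "return"):
            kind = name = None
            continue
        m = HEADER.match(line)
        if m:
            kind, name = m.group(1), m.group(2)
            if kind == "security-profile":
                sec.setdefault(name, [])
        elif kind == "security-profile":
            sec[name].append(line)
        elif kind == "vap-profile" and line.startswith("security-profile "):
            refs.setdefault(line.split()[1], []).append(name)
    return sec, refs


def wapi_value(lines, key, default):
    """Read 'wapi <key> <number>' from a profile, or fall back to the guide's default."""
    m = re.search(rf"^wapi {key} (\d+)$", "\n".join(lines), re.M)
    return int(m.group(1)) if m else default


def classify(lines):
    """Map one security profile's lines to (policy, ciphers, findings)."""
    tok = next((ln.split() for ln in lines if ln.startswith("security ")), None)
    if tok is None or tok[1] == "open":
        # Assumption: defaults are not written to the file. The guide states
        # that the default security policy is open system.
        return "open", [], ["HIGH: open system, no authentication and no encryption"]
    if tok[1] == "wep":
        return "wep", [], ["HIGH: WEP, the guide calls its shared key easy to decipher"]
    policy, findings = "-".join(tok[1:3]), []
    if tok[1] == "wapi":
        # Guide: BK update interval x BK lifetime percentage should be >= 300 s
        # (defaults 43200 s and 70%). The line syntax here is an assumption.
        effective = (wapi_value(lines, "bk-update-interval", 43200)
                     * wapi_value(lines, "bk-threshold", 70) / 100)
        if effective < 300:
            findings.append(f"MEDIUM: BK interval x threshold = {effective:g}s, below 300s")
        return policy, [], findings
    ciphers = set()
    for t in reversed(tok[3:]):  # ciphers are the trailing tokens, after any key
        if t not in CIPHERS:
            break
        ciphers.update(t.split("-"))
    if "tkip" in ciphers:
        # This rating is the example's own: TKIP is deprecated in IEEE 802.11-2012.
        findings.append("MEDIUM: TKIP permitted, prefer AES only")
    return policy, sorted(ciphers), findings


def audit(config_text):
    """Return one record per security profile, with the VAP profiles that use it."""
    sec, refs = parse_profiles(config_text)
    keys = ("policy", "ciphers", "findings")
    return [{"profile": n, "used_by": refs.get(n, []), **dict(zip(keys, classify(ls)))}
            for n, ls in sec.items()]


if __name__ == "__main__":
    for rec in audit(SAMPLE_CONFIG):
        print(rec["profile"], rec["policy"], rec["used_by"], rec["findings"])
```

A profile with findings and a non-empty used_by list is live on at least one VAP and is the one to fix first.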
Networking Requirements
A residential community provides a WLAN with the SSID wlan-net so that residents can
access the network anywhere at any time. As shown in Figure 12-12, the AP deployed in a
resident's home is connected to the AC through access switch SwitchA. STAs automatically
obtain IP addresses.
Because the WLAN is open to users, there are potential security risks if no security policy is
configured on the WLAN. Users do not require high WLAN security, so no authentication
server is required. A WEP or WPA/WPA2 (pre-shared key) security policy can be configured.
STAs support WPA/WPA2, TKIP encryption, and AES encryption, so pre-shared key
authentication and AES encryption are used to secure data transmission. The WEP security
policy, which is easily deciphered, is not used.
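[Figure 12-12: networking diagram. The AC connects to the Internet through GE0/0/2 (VLAN 101) and to SwitchA GE0/0/2 through GE0/0/1 (VLAN 100). SwitchA GE0/0/1 (VLAN 100) connects to the AP, which serves the STAs.]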
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WPA2 security policy using pre-shared key authentication and AES
encryption in a security profile to ensure data security.
Item                        Data
DHCP server                 The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP  10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-13, the enterprise's AC connects to the egress gateway (Router) and
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID wlan-
net is available for employees to access network resources. The gateway also functions as a
DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs. The
AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no security policy is configured for the WLAN. The enterprise requires high
information security, so a WPA2 security policy using 802.1X authentication and AES
encryption can be configured. The RADIUS server authenticates STA identities. The AC must
be configured to function as an EAP relay, so the AC supports 802.1X authentication.
[Figure 12-13: networking diagram. Labels in the figure: DNS Server 8.8.8.8; IP Network; Router (Gateway), GE2/0/0; RADIUS Server 10.23.103.1:1812; AC, GE0/0/1, GE0/0/2, GE0/0/3; SwitchA, GE0/0/1, GE0/0/2; AP.]
Configuration Roadmap
1. Configure the AP, AC, and upper-layer devices to communicate with each other.
2. Configure the AC to assign an IP address to the AP and the Router to assign IP addresses
to STAs.
3. Configure RADIUS authentication parameters.
4. Configure an 802.1X access profile to manage 802.1X access control parameters.
5. Configure an authentication profile, apply the 802.1X access profile, and configure a
forcible authentication domain.
6. Configure the AP to go online.
7. Configure WLAN service parameters, set the security policy to WPA2-802.1X-AES, and
bind the security profile and authentication profile to the VAP profile to control access
from STAs.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key configured on the AC are correct
and match the settings on the RADIUS server. When the AC functions as an EAP relay, ensure that the
RADIUS server supports EAP. Otherwise, the RADIUS server cannot process 802.1X authentication requests.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 103
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet0/0/3] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the
DHCP relay agent.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1
[AC-Vlanif101] quit
# Configure the Router as a DHCP server to assign IP addresses to STAs from a global
address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network
segment of the global address pool is 10.23.101.0/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] dns-list 8.8.8.8
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
NOTE
If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.
# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.
Step 6 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x
Step 7 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile wlan-authentication
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-dot1x
#
return
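The following Python check is an added example, not part of the Huawei guide or any Huawei tool. It reads an AC configuration file of the kind shown above and verifies the reference chain this 802.1X example depends on (VAP profile, security profile, authentication profile, 802.1X access profile, forced domain, RADIUS template), plus the tunnel-mode VLAN rule from the Configuration Notes. The sample configuration is abridged from the one above with a placeholder shared key; the function names and the assumption of one space of indentation per view level are this example's own.

```python
import re

# Constructed sample: abridged from the AC configuration file of this example, with a
# placeholder shared key and one space of indentation per view level (an assumption).
GOOD = """\
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
radius-server template radius_huawei
 radius-server shared-key cipher <PLACEHOLDER>
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile wlan-authentication
#
dot1x-access-profile name wlan-dot1x
#
return
"""
# Constructed faulty variant: the VAP profile loses its authentication profile and
# the service VLAN is set to the management VLAN.
BAD = (GOOD.replace("  authentication-profile wlan-authentication\n", "")
           .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100"))


def parse_vrp(text):
    """Build a tree of (command, children) nodes from the indentation."""
    root = []
    stack = [(-1, root)]                      # (indent level, children list)
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:         # climb back to the parent view
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def named(nodes, prefix):
    """Map 'prefix <name>' blocks to the list of commands configured inside them."""
    return {l[len(prefix):].strip(): [c for c, _ in kids]
            for l, kids in nodes if l.startswith(prefix)}


def arg(cmds, prefix):
    """Return the remainder of the first command starting with prefix, else None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)


def check_dot1x_chain(vap, cmds, authp, dot1x, domains, radius):
    """Follow VAP -> authentication profile -> 802.1X profile / domain -> RADIUS."""
    ap = arg(cmds, "authentication-profile ")
    if ap not in authp:
        return [f"{vap}: 802.1X policy but authentication profile {ap!r} is not bound or defined"]
    out = []
    dp = arg(authp[ap], "dot1x-access-profile ")
    if dp not in dot1x:
        out.append(f"{ap}: 802.1X access profile {dp!r} is not bound or defined")
    dom = (arg(authp[ap], "access-domain ") or "").split()[:1]
    if dom:
        tpl = arg(domains.get(dom[0], []), "radius-server ")
        if arg(radius.get(tpl, []), "radius-server authentication ") is None:
            out.append(f"domain {dom[0]}: no RADIUS template with an authentication server")
    return out


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top = parse_vrp(text)
    block = lambda name: next((kids for l, kids in top if l == name), [])
    wlan, aaa = block("wlan"), block("aaa")
    sec = named(wlan, "security-profile name ")
    authp = named(top, "authentication-profile name ")
    dot1x = named(top, "dot1x-access-profile name ")
    domains = named(aaa, "domain ")
    radius = named(top, "radius-server template ")
    m = re.search(r"^capwap source interface vlanif(\d+)", text, re.M)
    mgmt_vlan = m.group(1) if m else None
    findings = []
    for vap, cmds in named(wlan, "vap-profile name ").items():
        policy = arg(sec.get(arg(cmds, "security-profile ") or "", []), "security ")
        if policy is None:
            findings.append(f"{vap}: no security policy resolved from its security profile")
        elif "dot1x" in policy.split():
            findings += check_dot1x_chain(vap, cmds, authp, dot1x, domains, radius)
        if (arg(cmds, "forward-mode ") == "tunnel" and mgmt_vlan
                and arg(cmds, "service-vlan vlan-id ") == mgmt_vlan):
            findings.append(f"{vap}: tunnel forwarding with service VLAN {mgmt_vlan} "
                            "equal to the management VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(cfg) or "no findings")
```

The parser relies on indentation, so feed it the configuration as saved on the device rather than text in which the leading spaces have been lost.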
Networking Requirements
A residential community provides a WLAN with the SSID wlan-net so that residents can
access the network anywhere at any time. As shown in Figure 12-14, the AP deployed in a
resident's home is connected to the AC through access switch SwitchA. STAs automatically
obtain IP addresses.
Because the WLAN is open to users, there are potential security risks to service data. Users
do not require high WLAN security, so no extra authentication system is required. STAs
support WAPI, so a WAPI security policy using pre-shared key authentication can be
configured. Unicast and broadcast keys are updated based on time to secure data transmission.
[Figure 12-14: networking diagram. Labels in the figure: Internet; AC, GE0/0/2 (VLAN 101), GE0/0/1 (VLAN 100); SwitchA, GE0/0/2 (VLAN 100), GE0/0/1 (VLAN 100); AP; STA, STA.]
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Create a security profile and set the security policy to WAPI-PSK to meet security
requirements of users.
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP    10.23.100.2-10.23.100.254/24
IP address pool for STAs      10.23.101.2-10.23.101.254/24
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wapi psk pass-phrase %^%#cWul9=qe~"#{UzRlWz["^Gzo<X/k8-21m37N4;n'%^%#
  wapi usk-update-interval 20000
  wapi msk-update-interval 20000
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-15, the enterprise's AC connects to the egress gateway (Router) and
ASU certificate server, and connects to the AP through SwitchA. The WLAN with the SSID
wlan-net is available for employees to access network resources. The gateway also functions
as a DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs.
The AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no security policy is configured for the WLAN. To meet the enterprise's high
information security requirements and implement bidirectional authentication between the
WLAN clients and the server, configure a WAPI security policy. Compared with WPA/WPA2, an
ASU certificate server and WAPI encryption provide higher security for WLAN networks.
[Figure 12-15: networking diagram. Labels in the figure: IP Network; Router (Gateway); GE2/0/0; ASU Certificate Server 10.23.103.1; GE1/0/2; AC; GE0/0/3; GE0/0/1; GE0/0/2; SwitchA; GE0/0/1; AP; STA, STA. Management VLAN: 100. Service VLAN: 101.]
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WAPI security policy using certificate authentication in a security profile
and import the obtained certificates to ensure data security.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/3 that connects the AC to the ASU server to VLAN 103.
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 103
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet0/0/3] quit
Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the
DHCP relay agent.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1
[AC-Vlanif101] quit
# Configure the Router as a DHCP server to assign IP addresses to STAs from a global
address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network
segment of the global address pool is 10.23.101.0/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
flash:/ae.cer
[AC-wlan-sec-prof-wlan-security] quit
NOTE
- Before configuring WAPI-certificate authentication, upload the certificate file to the flash memory of the
  device.
- If the authentication system uses only two certificates, the issuer certificate is the same as the ASU
  certificate, with the same file name. If the authentication system uses three certificates, the issuer
  certificate and ASU certificate are different from each other and both must be imported.
- The certificates must be valid and correct.
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-16, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements, configure MAC address authentication to authenticate dumb terminals such as
wireless network printers and wireless phones that cannot have an authentication client
installed. MAC addresses of terminals are used as user information and sent to the RADIUS
server for authentication. When users connect to the WLAN, authentication is not required.
[Figure: networking diagram. STAs connect to AP area_1; the AP connects to SwitchA GE0/0/1 (VLAN 100); SwitchA GE0/0/2 connects to AC GE0/0/1 (VLAN 100); AC GE0/0/2 carries VLAN 101.]
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an authentication profile to manage NAC configuration.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
Item                     Data
MAC access profile       - Name: m1
                         - User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile   - Name: p1
                         - Bound profile: MAC access profile m1
                         - Forcible authentication domain: huawei.com
DHCP server              The AC functions as the DHCP server to assign IP addresses to the AP and STAs.
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
NOTE
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
NOTE
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 5 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
mac-access-profile m1
access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
mac-access-profile name m1
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-16, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
As the WLAN is open to users, there are potential security risks to enterprise information if
no access control is configured for the WLAN. To provide network access only to specified
STAs, an enterprise needs to authenticate STAs and then users operating the STAs. The MAC
+ 802.1X authentication mode can meet this requirement by authenticating wireless users
through a RADIUS server.
[Figure: networking diagram. STAs connect to AP area_1; the AP connects to SwitchA GE0/0/1 (VLAN 100); SwitchA GE0/0/2 connects to AC GE0/0/1 (VLAN 100); AC GE0/0/2 carries VLAN 101.]
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Configuration Roadmap
1. Configure basic WLAN services on the AC so that the AC can communicate with
upper-layer and lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
Item                     Data
MAC access profile       - Name: m1
                         - User name and password for MAC address authentication: MAC addresses without hyphens (-)
Authentication profile   - Name: p1
                         - Bound profile: MAC access profile m1 and 802.1X access profile wlan-dot1x
                         - Forcible authentication domain: huawei.com
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
NOTE
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
Step 5 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
Step 9 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
dot1x-access-profile wlan-dot1x
mac-access-profile m1
access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 dot1x aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-dot1x
#
mac-access-profile name m1
#
return
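The profile cross-references in an AC configuration file, and the tunnel-forwarding and port-isolation points from the Configuration Notes, can be checked mechanically before a configuration is loaded. The Python sketch below is an added example, not part of the Huawei guide: the sample configurations are constructed from this example's values, and the leading-space indentation, the use of the CAPWAP source VLANIF as the management VLAN, and all function names are assumptions.

```python
import re

# Constructed sample: the MAC + 802.1X AC configuration, trimmed and indented as a
# saved configuration file (assumption), with the 802.1X profile name mismatched.
SAMPLE_AC = """\
#
authentication-profile name p1
 dot1x-access-profile wlan-dot1x
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
radius-server template radius_huawei
#
aaa
 authentication-scheme radius_huawei
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile p1
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name m1
"""

# Constructed sample: SwitchA, where GE0/0/1 faces the AP (no port isolation set).
SAMPLE_SWITCH = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
"""

PROFILE_DEF = re.compile(r"^(\S+-profile) name (\S+)$")
PROFILE_REF = re.compile(r"^(\S+-profile) (?!name )(\S+)")

def parse(text):
    """Yield (parent_command, command); nesting is taken from leading spaces."""
    stack = []  # (indent, command) for each enclosing view
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield (stack[-1][1] if stack else ""), line
        stack.append((indent, line))

def audit_ac(text):
    """Report unresolved profile/AAA references and tunnel-mode VLAN overlap."""
    defined, refs, vaps, mgmt_vlan = set(), [], {}, None
    for parent, line in parse(text):
        w = line.split()
        m = PROFILE_DEF.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
        elif line.startswith("radius-server template "):
            defined.add(("radius-server", w[2]))
        elif parent == "aaa" and w[0] in ("authentication-scheme", "domain"):
            defined.add((w[0], w[1]))
        elif parent.startswith("domain ") and w[0] in ("authentication-scheme", "radius-server"):
            refs.append((w[0], w[1], parent))
        elif w[0] == "access-domain":
            refs.append(("domain", w[1], parent))
        elif parent and PROFILE_REF.match(line):
            refs.append((w[0], w[1], parent))
        elif line.startswith("capwap source interface vlanif"):
            # Assumption: the CAPWAP source VLANIF identifies the management VLAN.
            mgmt_vlan = line.rsplit("vlanif", 1)[1]
        elif parent.startswith("vap-profile name "):
            vaps.setdefault(parent.split()[2], []).append(line)
    findings = [f"undefined {k} '{n}' referenced in '{p}'"
                for k, n, p in refs if (k, n) not in defined]
    for name, cmds in vaps.items():
        if "forward-mode tunnel" in cmds and f"service-vlan vlan-id {mgmt_vlan}" in cmds:
            findings.append(f"vap-profile '{name}': service VLAN equals management VLAN {mgmt_vlan}")
    return findings

def ports_without_isolation(text, ap_ports):
    """Return the AP-facing interfaces that lack 'port-isolate enable'."""
    isolated = {parent.split()[1] for parent, line in parse(text)
                if parent.startswith("interface ") and line == "port-isolate enable"}
    return [port for port in ap_ports if port not in isolated]
```

On the constructed AC sample, audit_ac reports that authentication profile p1 points at an 802.1X access profile that is never defined, which would leave the 802.1X half of MAC + 802.1X authentication without its access control parameters.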
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-18, there are a large number of STAs on an enterprise network. A
WLAN with the SSID guest is deployed in the lobby of the office building to provide
wireless access services for guests. A WLAN with the SSID employee is deployed in office
areas to provide wireless access services for employees.
mobility feature of a large number of STAs, the administrator decides to configure Portal
authentication on the AC at Layer 3 network to control access.
[Figure 12-18: networking diagram. Labels: Internet; Router (GE2/0/0, VLANIF 201: 10.67.201.1/24); Servers (Portal, RADIUS and DNS); Switch_B (GE1/0/1, GE1/0/2, GE1/0/3; VLANIF 100: 10.23.100.1/24, VLANIF 101: 10.23.101.1/24, VLANIF 102: 10.23.102.1/24, VLANIF 200: 10.45.200.2/24, VLANIF 201: 10.67.201.2/24); AC (GE0/0/1, VLANIF 200: 10.45.200.1/24); Switch_A (GE0/0/1 to GE0/0/5).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server profile.
4. Configure a Portal access profile to manage access control parameters for Portal
authentication users.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters for STAs to access the WLAN.
DHCP server The router functions as the DHCP server to assign IP addresses
to the STAs and APs.
Item Data
Name: employee
Bound profile: VAP profile employee and regulatory domain
profile domain1
Name: employee
SSID name: employee
Name: employee
• Forwarding mode: tunnel forwarding
• Service VLAN: VLANs in the VLAN pool
• Bound profile: SSID profile employee, security profile wlan-security, and authentication profile p1
NOTE
• In this example, Switch_A is a Huawei modular switch, and Switch_B is a Huawei fixed switch.
• When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
situation, a lot of broadcast domains are created if you configure the direct forwarding mode. To
reduce the number of broadcast domains, set the data forwarding mode to tunnel forwarding.
• Configurations of RADIUS server parameters and Portal server parameters must be the same as the
configurations on the peer RADIUS server and Portal server. Configure the parameters as required.
• To ensure that the router and servers can communicate with each other, configure routes on the
RADIUS server and Portal server to the router.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
# Configure aggregation switch Switch_B. Add GE1/0/1 to VLAN 100, GE1/0/2 to VLANs
101, 102, and 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101 102 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
# Create VLANIF interfaces VLANIF 100 to VLANIF 102, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 are gateways of STAs. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with the router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit
# On the AC, add GE0/0/1 connected to Switch_B to VLAN 101, VLAN 102, and VLAN
200.
[HUAWEI] sysname AC
[AC] vlan batch 101 102 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102 200
[AC-GigabitEthernet0/0/1] quit
# Add GE2/0/0 on the router to VLAN 201 and configure an IP address for VLANIF 201 so
that the router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit
# Configure a default route on Switch_B with the outbound interface as the router's VLANIF
201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
# Configure routes from the AC to APs with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2
# Configure the router as a DHCP server to assign IP addresses to APs and STAs.
NOTE
In this example, the AP and AC are on different network segments. To notify the AP of the AC's IP address
so that the AP can go online at Layer 3, configure Option 43 in the address pool used by the AP.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] dns-list 172.16.1.2
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] dns-list 172.16.1.2
[Router-ip-pool-sta2] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
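The Option 43 setting described in the note above, as an added example that is not part of the original guide: this Python sketch builds the value that `option 43 sub-option 3 ascii 10.45.200.1` represents and parses a received Option 43 value to confirm that it advertises only the intended AC. It assumes the sub-option is carried as a type/length/value triplet (type 3, one-byte length, ASCII address list) inside Option 43; the function names and the second sample payload are constructed for illustration.

```python
import ipaddress

AC_SUBOPTION = 3  # sub-option number used in the router's "ap" address pool


def encode_suboption3(ac_ips):
    """Build the Option 43 value for 'sub-option 3 ascii <ip[,ip...]>'."""
    # Assumption: several AC addresses are sent as one comma-separated string.
    value = ",".join(ac_ips).encode("ascii")
    if len(value) > 255:
        raise ValueError("sub-option value exceeds 255 bytes")
    return bytes([AC_SUBOPTION, len(value)]) + value


def parse_option43(data):
    """Split an Option 43 value into {sub-option code: raw value}."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            # A declared length that runs past the option is malformed input.
            raise ValueError("sub-option %d runs past end of option" % code)
        subs[code] = value
        i += 2 + length
    return subs


def check_ac_addresses(data, expected):
    """Return (advertised, unexpected) AC addresses found in sub-option 3."""
    raw = parse_option43(data).get(AC_SUBOPTION)
    if raw is None:
        raise ValueError("no sub-option 3 in Option 43")
    advertised = [str(ipaddress.ip_address(p.strip()))
                  for p in raw.decode("ascii").split(",")]
    unexpected = [ip for ip in advertised if ip not in expected]
    return advertised, unexpected


# Value matching the router configuration on this page.
PAGE_VALUE = encode_suboption3(["10.45.200.1"])
# Constructed payload that points APs at an address other than the AC.
OTHER_VALUE = encode_suboption3(["10.45.200.9"])

if __name__ == "__main__":
    print(PAGE_VALUE.hex())
    print(check_ac_addresses(PAGE_VALUE, {"10.45.200.1"}))
    print(check_ac_addresses(OTHER_VALUE, {"10.45.200.1"}))
```

Run against the Option 43 bytes taken from a captured DHCP offer on the management VLAN, a non-empty `unexpected` list means the APs are being told to join a controller other than the planned AC.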
This example uses hash as the VLAN assignment algorithm. The default VLAN assignment
algorithm is hash. If the default setting is retained, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. Similar to adding VLAN 101 and VLAN 102 to a VLAN pool, you need to create
corresponding VLANIF interfaces and configure IP addresses on Switch_B, and configure interface address
pools on the router.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
[AC] wlan
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit
# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Configure names for the APs based on the APs'
deployment locations, so that you can know where the APs are deployed from their names.
For example, if the AP with MAC address 60de-4474-9640 is deployed in room 1 of the
second floor of the office building, name the AP office2-1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] quit
# After an AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------
ID   MAC            Name      Group    IP            Type     State STA Uptime     ExtraInfo
------------------------------------------------------------------------------------------------
0    60de-4474-9640 office2-1 employee 10.23.100.253 AP5030DN nor   0   2H:30M:1S  -
1    60de-4474-9660 office2-2 employee 10.23.100.251 AP5030DN nor   0   2H:35M:2S  -
2    60de-4476-e360 lobby-1   guest    10.23.100.254 AP5030DN nor   0   2H:29M:29S -
3    60de-4476-e380 lobby-2   guest    10.23.100.252 AP5030DN nor   0   2H:34M:11S -
------------------------------------------------------------------------------------------------
Total: 4
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-guest] security-profile wlan-security
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile p1
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-employee] security-profile wlan-security
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile p1
[AC-wlan-vap-prof-employee] quit
# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
dns-list 172.16.1.2
#
ip pool sta2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
dns-list 172.16.1.2
#
interface Vlanif201
ip address 10.67.201.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 101 to 102 200
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei.com portal force
#
vlan pool sta-pool
vlan 101 to 102
#
radius-server template radius_huawei
#
web-auth-server abc
server-ip 172.16.1.1
port 50200
#
portal-access-profile name portal1
web-auth-server abc layer3
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif200
ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 102 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-security
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile guest
security-profile wlan-security
authentication-profile p1
vap-profile name employee
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile employee
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name lobby-1
ap-group guest
ap-id 1 type-id 19 ap-mac 60de-4476-e380 ap-sn 210235419610D2000066
ap-name lobby-2
ap-group guest
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 12-19, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements and save costs, configure built-in Portal authentication and use the RADIUS
server to authenticate identities of STAs.
[Figure 12-19: networking diagram. Labels: Internet; AC (GE0/0/1: VLAN 100, GE0/0/2: VLAN 101; IP address of the built-in Portal server: 10.1.1.1/24); SwitchA (GE0/0/1: VLAN 100, GE0/0/2: VLAN 100); AP area_1; STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
5. Configure an authentication profile to manage NAC configuration.
6. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
Item Data
Authentication profile • Name: p1
• Bound profile: Portal access profile portal1, and RADIUS authentication scheme radius_huawei
• Forcible authentication domain: huawei.com
DHCP server The AC functions as the DHCP server to assign IP addresses to the AP and STAs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit
Step 5 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-import ap-mac 60de-4476-e360 ap-group ap-group1 ap-name area_1
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
------------------------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Create the Portal access profile portal1 and configure it to use the built-in Portal server.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
#
portal-access-profile name portal1
portal local-server enable
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
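The Configuration Notes rule that the management VLAN and service VLAN cannot be the same in tunnel forwarding mode, and the roadmap step that binds an authentication profile to each VAP profile, can be checked against a saved AC configuration file. The following Python audit is an added example, not part of the original guide or a Huawei tool; the two sample configurations are constructed after the AC files on this page, and a VAP profile without a forward-mode line is treated as direct forwarding (an assumption of this sketch).

```python
import re

# A "<x>-profile name", "ap-group name" or "ap-id" line opens a new block and
# therefore closes the authentication or VAP profile that was being read.
BLOCK_START = re.compile(r"^(?:[\w-]+-profile name|ap-group name|ap-id)\s")
ACCESS_BINDING = re.compile(r"^(?:portal|dot1x|mac)-access-profile \S+$")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['101', 'to', '102', '200'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ac_config(text):
    cfg = {"mgmt_vlan": None, "pools": {}, "auth": {}, "vaps": {}}
    pool = auth = vap = None
    for raw in text.splitlines():
        line = raw.strip()  # indentation may be missing in extracted files
        words = line.split()
        if not words:
            continue
        if line == "#":  # '#' separates top-level views
            pool = auth = vap = None
            continue
        m = re.match(r"capwap source interface vlanif(\d+)$", line, re.I)
        if m:
            cfg["mgmt_vlan"] = int(m.group(1))
        elif re.match(r"vlan pool \S+$", line):
            pool = words[2]
            cfg["pools"][pool] = set()
        elif pool and words[0] == "vlan":
            cfg["pools"][pool] |= expand_vlans(words[1:])
        elif BLOCK_START.match(line):
            pool = auth = vap = None
            if words[0] == "authentication-profile":
                auth = words[2]
                cfg["auth"][auth] = False  # becomes True once an access profile is bound
            elif words[0] == "vap-profile":
                vap = words[2]
                cfg["vaps"][vap] = {"mode": "direct", "vlans": set(),
                                    "pool": None, "auth": None}
        elif auth and ACCESS_BINDING.match(line):
            cfg["auth"][auth] = True
        elif vap and len(words) >= 2:
            v = cfg["vaps"][vap]
            if words[0] == "forward-mode":
                v["mode"] = words[1]
            elif words[:2] == ["service-vlan", "vlan-id"] and len(words) >= 3:
                v["vlans"] = {int(words[2])}
            elif words[:2] == ["service-vlan", "vlan-pool"] and len(words) >= 3:
                v["pool"] = words[2]
            elif words[0] == "authentication-profile":
                v["auth"] = words[1]
    return cfg


def audit(text):
    """Return (vap_profile, finding) tuples, sorted by VAP profile name."""
    cfg, findings = parse_ac_config(text), []
    for name, v in sorted(cfg["vaps"].items()):
        vlans = v["vlans"] | cfg["pools"].get(v["pool"], set())
        if v["mode"] == "tunnel" and cfg["mgmt_vlan"] in vlans:
            findings.append((name, "MGMT_VLAN_IN_SERVICE_VLANS"))
        if v["auth"] is None:
            findings.append((name, "NO_AUTH_PROFILE"))
        elif not cfg["auth"].get(v["auth"], False):
            # Also raised when the referenced profile is not defined in the file.
            findings.append((name, "AUTH_PROFILE_WITHOUT_ACCESS_PROFILE"))
    return findings


# Constructed sample following the built-in Portal example's AC file.
GOOD = """#
authentication-profile name p1
portal-access-profile portal1
access-domain huawei.com portal force
#
capwap source interface vlanif100
#
wlan
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
ap-group name ap-group1
radio 0
vap-profile wlan-vap wlan 1
#
return"""

# Constructed sample with three deliberate mistakes.
BAD = """#
authentication-profile name p1
portal-access-profile portal1
#
authentication-profile name p2
#
vlan pool sta-pool
vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool sta-pool
authentication-profile p1
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 101
vap-profile name lab
service-vlan vlan-id 100
authentication-profile p2
#
return"""
```

`audit(GOOD)` returns an empty list, and `audit(BAD)` returns one finding for each of the three VAP profiles.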
If the STA whitelist or blacklist function is enabled but the whitelist or blacklist is empty, all STAs can
connect to the WLAN.
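[Figure: STA whitelist and blacklist processing flowchart. Decision nodes: "Is whitelist empty?", "Is packet source MAC address in whitelist?", "Is packet source MAC address in blacklist?". Outcomes: "Allow user access", "Reject user access".]
[Figure: topology diagram. Labels: STA1, STA2, STA3, STA4, AP, AC, Internet.]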
STA Blacklist
As shown in Figure 13-3, many STAs of local employees exist in an AP's coverage area on a
campus network. Guests or visiting employees sometimes bring their laptops to this AP's
coverage area. If only STAs of guests or visiting employees are not allowed to connect to the
wireless network, the enterprise can configure the blacklist function on the AC and add MAC
addresses of these STAs to the blacklist. In this example, STA4 is added to the blacklist. Then
STA4 cannot connect to the wireless network through the AP, and other STAs (STA1, STA2,
and STA3 in Figure 13-3) can connect to the wireless network.
[Figure: networking diagram with STA1, STA2, STA3, STA4, an AP, an AC, and the Internet.]
Procedure
STA blacklists and whitelists are configured using profiles. Figure 13-4 shows the
configuration flowchart.
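[Figure 13-4: configuration flowchart. An AP group or AP references an AP system profile and a VAP profile, and each of these references a STA whitelist profile or a STA blacklist profile. In the same profile, either the STA whitelist profile or STA blacklist profile takes effect at one time.]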
Context
A STA whitelist profile contains MAC addresses of STAs allowed to connect to the WLAN.
To allow only some STAs to connect to the WLAN, configure a STA whitelist profile and
apply the STA whitelist profile to an AP system profile or a VAP profile.
The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
all STAs connected to the APs (all VAPs).
l VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
whitelist profile is applied to an AP, the STA whitelist profile applies only to STAs
connected to the corresponding VAPs.
If the STA blacklist or whitelist profiles are configured in both an AP system profile and a
VAP profile, a STA can connect to the WLAN only when it is permitted by both the
configuration in the AP system profile and VAP profile.
NOTE
If a STA whitelist profile is empty, no STA can connect to the WLAN to access network resources.
Procedure
Step 1 Run system-view
A STA whitelist profile is created and the STA whitelist profile view is displayed.
Step 4 Add STAs to the whitelist using either or both of the following methods based on actual
situations:
l Run the sta-mac mac-address command to add the MAC address of a STA.
l Run the oui oui command to add the OUI of STAs.
MAC addresses and OUIs share specifications in the whitelist. A maximum of 3276 MAC
addresses or OUIs can be added to a STA whitelist.
By default, the MAC address or OUI of a STA is not added to the whitelist.
----End
Context
A STA blacklist profile contains MAC addresses of wireless terminals forbidden to connect to
the WLAN. To forbid some STAs to connect to the WLAN, configure a STA blacklist profile
and apply the STA blacklist profile to an AP system profile or a VAP profile.
The effective scope of the STA blacklist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA blacklist profile takes effect based on the AP. APs using the
AP system profile will use the STA blacklist profile. The STA blacklist profile takes
effect on all STAs connected to the APs (all VAPs).
l VAP profile: The STA blacklist profile takes effect based on the VAP. If the STA
blacklist profile is applied to an AP, the STA blacklist profile applies only to STAs
connected to the corresponding VAPs.
If the STA blacklist or whitelist profiles are configured in both an AP system profile and a
VAP profile, a STA can connect to the WLAN only when it is permitted by both the
configuration in the AP system profile and VAP profile.
Procedure
Step 1 Run system-view
A STA blacklist profile is created and the STA blacklist profile view is displayed.
A maximum of 3276 STA MAC addresses can be added to a STA blacklist profile.
----End
Context
You can configure multiple STA whitelist and blacklist profiles on the device and apply the
profiles to different VAP profiles or AP system profiles. In a VAP profile or AP system
profile, either the STA whitelist profile or STA blacklist profile takes effect at one time.
Procedure
Step 1 Run system-view
----End
Context
After the STA blacklist and whitelist configuration is complete, you can check STA whitelist
and blacklist profiles on the device, including their configuration and profile reference
information.
Procedure
l Run the display sta-whitelist-profile { all | name profile-name } command to check
information about the STA whitelist profile.
l Run the display sta-blacklist-profile { all | name profile-name } command to check
information about the STA blacklist profile.
l Run the display references sta-whitelist-profile name profile-name command to check
reference information about the STA whitelist profile.
l Run the display references sta-blacklist-profile name profile-name command to check
reference information about the STA blacklist profile.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 13-5, the AC and AP are connected through access switch SwitchA. An
enterprise provides a WLAN with the SSID wlan-net for management personnel to access the
enterprise network. STAs automatically obtain IP addresses.
The WLAN with a small number of management personnel can use the STA whitelist. MAC
addresses of management personnel's wireless terminals can be added to a STA whitelist,
preventing other employees from accessing the WLAN.
The management personnel found that some unauthorized STAs are online. To prevent this
situation, management personnel can add MAC addresses of the STAs to a blacklist to prevent
these STAs from accessing the WLAN. STAs that are not in the blacklist can access the
WLAN.
Figure 13-5 Networking diagram for configuring the STA blacklist and whitelist
Internet
GE0/0/2
VLAN 101
AC
GE0/0/1
GE0/0/2 VLAN 100
VLAN 100
SwitchA
GE0/0/1
VLAN 100
AP
STA1 STA3
0011-2233-4455 0011-2233-4477
STA2 STA4
0011-2233-4466 0011-2233-4488
Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE
The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.
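The combined decision described in this section, modelled in Python as an added example (not Huawei code or device output). The list membership is constructed, since the page gives the four STA MAC addresses but not which list holds which; the example follows the NOTE that an empty whitelist profile admits no STA, and the order in which the two profiles are consulted is an assumption.

```python
from dataclasses import dataclass, field

MAX_ENTRIES = 3276  # per-profile limit stated in this guide


def hex_digits(value: str, length: int) -> str:
    """Normalise a MAC (12 digits) or OUI (6 digits) written with any separators."""
    digits = "".join(c for c in value.lower() if c in "0123456789abcdef")
    if len(digits) != length:
        raise ValueError(f"expected {length} hex digits, got {value!r}")
    return digits


@dataclass
class StaAccessProfile:
    """Models the sta-access-mode binding of one AP system profile or VAP profile."""
    mode: str = "none"                      # "whitelist", "blacklist" or "none"
    macs: set = field(default_factory=set)
    ouis: set = field(default_factory=set)

    def _check_room(self):
        # MAC addresses and OUIs share the same specification in a whitelist.
        if len(self.macs) + len(self.ouis) >= MAX_ENTRIES:
            raise OverflowError("profile is full")

    def add_mac(self, mac: str):
        self._check_room()
        self.macs.add(hex_digits(mac, 12))

    def add_oui(self, oui: str):
        if self.mode != "whitelist":
            raise ValueError("the guide lists the oui command only for whitelist profiles")
        self._check_room()
        self.ouis.add(hex_digits(oui, 6))

    def permits(self, sta_mac: str) -> bool:
        mac = hex_digits(sta_mac, 12)
        listed = mac in self.macs or mac[:6] in self.ouis
        if self.mode == "whitelist":
            return listed        # empty whitelist profile: nobody is listed, nobody connects
        if self.mode == "blacklist":
            return not listed    # empty blacklist profile: everybody connects
        return True              # no list bound to this profile


def decide(ap_system: StaAccessProfile, vap: StaAccessProfile, sta_mac: str) -> str:
    """A STA connects only if both the AP system profile and the VAP profile permit it."""
    if not ap_system.permits(sta_mac):      # evaluation order is an assumption
        return "reject: AP system profile"
    if not vap.permits(sta_mac):
        return "reject: VAP profile"
    return "allow"


def build_example():
    """Constructed membership using the STA MAC addresses of Figure 13-5."""
    vap = StaAccessProfile(mode="whitelist")        # sta-whitelist on VAP profile wlan-vap
    for mac in ("0011-2233-4455", "0011-2233-4466", "0011-2233-4477"):
        vap.add_mac(mac)
    ap_system = StaAccessProfile(mode="blacklist")  # sta-blacklist on AP system profile wlan-system
    for mac in ("0011-2233-4477", "0011-2233-4488"):
        ap_system.add_mac(mac)
    return ap_system, vap


if __name__ == "__main__":
    ap_system, vap = build_example()
    for sta in ("0011-2233-4455", "0011-2233-4466", "0011-2233-4477",
                "0011-2233-4488", "00:11:22:33:44:99"):
        print(sta, "->", decide(ap_system, vap, sta))
```

A STA asserts its own MAC address, so these lists filter admission on top of the security profile rather than authenticating the STA.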
Item                          Data
DHCP server                   The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP    10.23.100.2-10.23.100.254/24
IP address pool for STAs      10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create the VAP profile wlan-vap and bind the STA whitelist profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-vap] quit
# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# In the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap and AP system profile wlan-system to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
14 WDS Configuration
Definition
A wireless distribution system (WDS) connects two or more wired or wireless LANs
wirelessly to establish a large network.
Purpose
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect
to a wired network through uplinks. To expand the coverage area of a wireless network, APs
need to be connected by switches. This deployment involves high costs and takes a long time.
In some places, such as subways, tunnels, and docks, it is difficult to connect APs to the
Internet through wired links. WDS technology can connect APs wirelessly in these places,
which reduces network deployment costs, makes the network easy to expand, and allows
flexible networking.
WDS Concepts
[Figure: WDS network diagram showing the Internet, switches, STAs, a LAN with a PC, a root wired interface, an endpoint wired interface, and wireless virtual links.]
On a WDS network, one wired interface must work in root mode to connect to the wired network.
WDS Implementation
l AP online process
After WDS is enabled on an AP, the AP automatically creates WDS VAPs (AP VAP and
STA VAP). The AP uses the WDS VAPs to set up WVLs with other APs. The AP
connects to the AC through the WVL and obtains configurations from the AC.
l Service intercommunication
On a WDS network, service data is transmitted over the WVLs. After an AP goes online,
it needs to set up service links through WVLs. Figure 14-2 shows how a service link is
set up between AP2 and AP3 on the WDS network shown in Figure 14-1.
[Figure 14-2: message sequence between AP3 and AP2: ① Probe Request, ② Probe Response, ③ Authentication Request, ④ Authentication Response, ⑤ Association Request, ⑥ Association Response, ⑦ Access authentication, ⑧ Key negotiation.]
a. Probe request
AP3 broadcasts a Probe Request frame carrying a WDS-Name field (similar to
SSID in WLAN service).
b. Probe response
AP2 receives the Probe Request frame and sends AP3 a Probe Response frame.
c. Authentication request
After AP3 receives the Probe Response frame, it sends AP2 an Authentication
Request frame.
d. Authentication response
After AP2 receives the Authentication Request frame, it determines whether to
allow access from AP3, depending on the WDS whitelist configuration:
n If the WDS whitelist is not enabled, AP2 allows access from AP3 and sends an
Authentication Response frame to notify AP3 that the authentication has
succeeded.
n If the WDS whitelist is enabled, AP2 checks whether the MAC address of AP3
is included in the WDS whitelist.
○ If the MAC address of AP3 is included in the WDS whitelist, AP2 allows
access from AP3 and sends an Authentication Response frame to notify
AP3 that the authentication has succeeded.
○ If the MAC address of AP3 is not included in the WDS whitelist, AP2
sends an Authentication Response frame with an error code, indicating
that the authentication has failed. The process ends and the service
wireless virtual link (WVL) cannot be set up.
e. Association request
After AP3 receives the Authentication Response frame indicating successful
authentication, it sends an Association Request frame to AP2.
f. Association response
After AP2 receives the Association Request frame, it sends an Association
Response frame to request AP3 to start the access authentication.
g. Access authentication
On a WDS network, the access authentication method for a STA VAP must be
WPA2-PSK. Therefore, AP3 and AP2 use a pre-configured shared key for
negotiation. If they decrypt messages sent from each other using the shared key,
they have the same shared key and the access authentication is successful.
h. Key negotiation
AP3 and AP2 negotiate an encryption key to encrypt service packets.
NOTE
l After a service link is set up, APs periodically send link status messages to each other. If one AP does not
receive any from the other AP, it disconnects the service link and starts to set up a new one.
l If the AC delivers new WDS parameter settings to APs, the APs use them to set up service links.
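The link setup steps a to h, sketched in Python as an added example (not Huawei code). The MAC addresses, WDS-Name, passphrases and status values are constructed, the rule that only an AP with the same WDS-Name answers the probe is an assumption, and the HMAC challenge is a simplified stand-in for WPA2-PSK access authentication.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

AUTH_OK, AUTH_FAIL = 0, 1   # placeholder status values; the guide only says "an error code"


def norm_mac(mac: str) -> str:
    """Reduce xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class WdsAp:
    name: str
    mac: str
    wds_name: str
    passphrase: str
    whitelist: Optional[Set[str]] = None    # None: no WDS whitelist profile on this radio

    def auth_status(self, peer_mac: str) -> int:
        """Step d: the whitelist decision taken on the Authentication Request."""
        if self.whitelist is None:
            return AUTH_OK
        allowed = {norm_mac(m) for m in self.whitelist}
        return AUTH_OK if norm_mac(peer_mac) in allowed else AUTH_FAIL

    def proof(self, nonce: bytes) -> bytes:
        """Step g stand-in: show knowledge of the shared key without sending it."""
        # WPA2-PSK derives its master key with PBKDF2-HMAC-SHA1 (4096 rounds, 32 bytes)
        # salted with the network name; using the WDS-Name as that salt is an assumption.
        pmk = hashlib.pbkdf2_hmac("sha1", self.passphrase.encode(),
                                  self.wds_name.encode(), 4096, 32)
        return hmac.new(pmk, nonce, hashlib.sha256).digest()


def same_key(a: WdsAp, b: WdsAp) -> bool:
    """Each side challenges the other with a fresh nonce and checks the reply."""
    for challenger, responder in ((a, b), (b, a)):
        nonce = os.urandom(32)
        if not hmac.compare_digest(challenger.proof(nonce), responder.proof(nonce)):
            return False
    return True


def setup_link(joiner: WdsAp, acceptor: WdsAp) -> Tuple[bool, List[str]]:
    """Walk steps a-h; return (link established, trace of the frames exchanged)."""
    trace = [f"a {joiner.name} -> broadcast: Probe Request (WDS-Name {joiner.wds_name})"]
    if joiner.wds_name != acceptor.wds_name:        # assumed: no answer for another WDS-Name
        return False, trace
    trace.append(f"b {acceptor.name} -> {joiner.name}: Probe Response")
    trace.append(f"c {joiner.name} -> {acceptor.name}: Authentication Request")
    status = acceptor.auth_status(joiner.mac)
    trace.append(f"d {acceptor.name} -> {joiner.name}: Authentication Response (status {status})")
    if status != AUTH_OK:
        return False, trace                         # process ends, no service WVL
    trace.append(f"e {joiner.name} -> {acceptor.name}: Association Request")
    trace.append(f"f {acceptor.name} -> {joiner.name}: Association Response")
    if not same_key(joiner, acceptor):
        trace.append("g Access authentication failed: shared keys differ")
        return False, trace
    trace.append("g Access authentication succeeded")
    trace.append("h Key negotiation: encryption key for service packets agreed")
    return True, trace


def demo():
    """Constructed APs: AP2 accepts links, the others try to join it."""
    key = "Constructed-Passphrase-01"
    ap2 = WdsAp("AP2", "0000-5e00-5302", "wds-net", key, whitelist={"0000-5e00-5303"})
    ap2_open = WdsAp("AP2", "0000-5e00-5302", "wds-net", key)
    ap3 = WdsAp("AP3", "00:00:5e:00:53:03", "wds-net", key)
    unlisted = WdsAp("APx", "0000-5e00-53ff", "wds-net", key)
    wrong_key = WdsAp("AP3", "0000-5e00-5303", "wds-net", "Some-Other-Passphrase")
    return {
        "listed, same key": setup_link(ap3, ap2),
        "unlisted, same key": setup_link(unlisted, ap2),
        "listed, wrong key": setup_link(wrong_key, ap2),
        "no whitelist, same key": setup_link(unlisted, ap2_open),
    }


if __name__ == "__main__":
    for case, (ok, trace) in demo().items():
        print(case, "->", "link up" if ok else "no link")
        print("  " + "\n  ".join(trace))
```

The last case shows why the whitelist and the shared key are separate controls: without a whitelist profile, any AP holding the key is admitted.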
[Figure: AP1 and AP2 joined by a wireless virtual link, with STAs, a LAN with PCs, a switch, the AC, and the Internet.]
l Point-to-multipoint deployment
As shown in Figure 14-4, AP1, AP2, and AP3 set up wireless virtual links with AP4.
Data from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.
[Figure: AP1, AP2, and AP3 joined to AP4 by wireless virtual links; AP4 connects through the switch to the AC and the Internet. Other labels: STA, LAN, PC, 5G, 2.4G.]
NOTE
In the figure, AP2 on 2.4 GHz radio functions as a leaf node for AP1 and AP2 on 5 GHz radio functions
as a root node for AP3.
If APs that support dual 5G radios, such as the AP8130DN, are used as AP1 and AP2, you can set
radio 0 of the two APs to the 5G radio.
[Figure: Internet, AC, switch, PCs, AP1 (root), AP2 (leaf), and AP3 (root).]
NOTE
l An AC can deliver STP configurations to the preceding APs only when their wired interfaces are
not bound to an Eth-trunk interface.
When deploying a WDS network, avoid network loops. In WDS networking, STP applies
only to scenarios where the WDS network forms a single loop with the wired network. Table
14-1 describes STP scenarios supported by a WDS network.
Scenario Description
[Figure: AC (GE0/0/1), Switch, Root, and two Leaf nodes. Annotation: STP cannot be enabled on
GE0/0/1 of the AC.]
The WDS network connects to an AP with dual network ports. A loop exists on the AP's
wired-side interfaces and the wired-side interfaces are not bound to an Eth-trunk interface. To
prevent transparent forwarding of STA packets to the wireless side, enable STP on the AP.
[Figure: AC, SwitchA, SwitchB (Loop 1), and Root. Annotation: STP needs to be enabled on the
root AP's wired port.]
In the figure, the AC, SwitchA, SwitchB, and root node form a loop (loop 1), and SwitchC,
SwitchD, and the leaf node form a loop (loop 2). If STP packets are transparently transmitted
over WDS links, STP on loop 1 incorrectly includes SwitchC and SwitchD on loop 2 into its
calculation.
To prevent calculation errors, enable STP on the root node and leaf node so that STP packets
from loop 1 and loop 2 will not be transparently forwarded to the wireless side. The root node
implements STP calculation of loop 1 and blocks wired-side interfaces based on the calculation
results. The leaf
When configuring WDS services, use the WDS profile with the following profiles:
l Security profile: After a security profile is bound to a WDS profile, parameters in the
security profile will be used for WDS link setup to ensure security of WDS links. The
WPA2+PSK+AES security policy is recommended for a WDS security profile.
l WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. In the WDS, only APs with radios working in root mode and middle
mode can have a whitelist configured. APs in leaf mode require no whitelist.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
l The AD9431DN-24X central AP (including the mapping RUs), AD9430DN-24 central
AP (including the mapping RUs), AD9430DN-12 central AP (including the mapping
RUs), AP2010DN, AP2030DN, AP2050DN, AP2050DN-E, AP7030DE, AP9330DN,
AP2051DN, AP2051DN-E, and AP6310SN-GN do not support the WDS function.
l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP1050DN-S, AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-
E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN, AP7052DN, AP7152DN,
AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or a later version.
l When planning a WDS network, pay attention to the following:
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
– Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).
access failures. You are advised to run the capwap echo times times-value command to
set the number of heartbeat packet transmissions to 6 or a larger value.
Configuration Procedure
Perform the following steps in the listed order.
14.8.1 Adding an AP
Context
You can add APs in any of the following modes:
l Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
l Configuring the AC to automatically discover an AP: The AP authentication mode is set
to no authentication; alternatively, the AP authentication mode is set to MAC or SN
authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
connects to the AC, the AC discovers the AP, and the AP goes online.
l Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.
Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode.
As shown in Figure 14-7, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node.
You can configure an AP's working mode based on actual situations.
Internet
AC
AP3 AP2 AP1
(leaf) (middle) (root)
STA Switch
LAN
Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
l Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
----End
Context
WARNING
Before using the 4.9 GHz frequency band, ensure that you have obtained the 4.9 GHz license
from the local administrative department and use the band properly.
The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios but not wireless
coverage services. It is mainly used by WDS and Mesh backhaul links. The 4.9 GHz
frequency band is out of the channel range reselected using DFS.
NOTE
The AP8130DN-W is sold only in regions outside China.
The following table lists channels and frequency distribution of the 4.9 GHz frequency band.
The 4.9 GHz frequency band supports channel bandwidths of 20 MHz and 40 MHz. Channels
184+188 or 192+196 can be bundled into a 40 MHz channel. Similar to the 5 GHz frequency
band, the 4.9 GHz frequency band complies with 802.11a/n/ac.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
The regulatory domain profile is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run wideband enable
The wideband function, that is, the 4.9 GHz frequency band, of the regulatory domain profile
is enabled.
By default, the wideband function of the regulatory domain profile is disabled.
After the wideband function of the regulatory domain profile is enabled, APs bound to this
profile are automatically reset.
You can configure channels and bandwidth of the 4.9 GHz frequency band only after the
wideband function of the regulatory domain profile is enabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
l Binding the regulatory domain profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
By default, the regulatory domain profile default is bound to an AP group.
l Binding the regulatory domain profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.
By default, no regulatory domain profile is bound to an AP.
----End
Context
To ensure that WDS links can be set up successfully on a WDS network, you need to
configure radio parameters for WDS links according to actual service requirements.
l On a WDS network, radios of APs must work on the same channel.
l You need to configure the radio coverage distance parameter based on distances between
APs. The APs automatically adjust the values of slottime, acktimeout, and ctstimeout
based on the configured distance parameter to set up WDS links correctly.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
The working bandwidth and channel are configured for the radio.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the WDS function.
Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.
To use the 4.9 GHz frequency band to configure backhaul links, see Usage Guide of
wideband enable for channels and bandwidth of the 4.9 GHz frequency band. Only radios
working on the 5 GHz frequency band can use the 4.9 GHz frequency band. For example,
radio 1 of the AP8130DN-W can use the 4.9 GHz frequency band. Radio 0 of the
AP8130DN-W can also use the 4.9 GHz frequency band after it is configured to work on the
5 GHz frequency band using the frequency 5g command.
By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on distances between APs and
the APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the
configured distance parameter to improve data transmission efficiency.
The antenna gain is the ratio of the power density produced by an antenna to the power
density that should be obtained at the same point if the power accepted by the antenna were
radiated equally. It measures an antenna's capability to receive and send signals in a
specified direction and is one of the most important parameters in selecting a BTS antenna.
Under the same conditions, the higher the antenna gain, the farther the wave travels.
The antenna gain of an AP radio configured using the command must be consistent with the
gain of the antenna connected to the AP.
The maximum antenna gain should comply with laws and regulations of the corresponding
country. For details, see the Country Code & Channel Compliance Table. You can obtain this
table at Huawei technical support website.
By default, the transmit power of a radio is 127 dBm. The transmit power that takes effect on
APs is related to the AP type, country code, channel, and channel bandwidth. It is the
maximum transmit power supported by the AP radio under the current configuration. Run the
display radio { ap-name ap-name | ap-id ap-id } command to check the maximum value.
You can configure the transmit power for a radio based on actual network environments,
enabling radios to provide the required signal strength and improving signal quality on
WLANs.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.
Among all WDS-capable APs, radio 0 of the AP8130DN and AP8130DN-W supports both
2.4G and 5G frequency bands but can only work on one frequency band at a time. After radio
0 of the AP8130DN and AP8130DN-W is configured to work on the 5G frequency band, the
AP8130DN and AP8130DN-W can work on dual 5G radios.
The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.
By default,
l If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
l If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
know the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
set it to signal strength during installation and to service traffic volume after
installation.
NOTE
This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Step 13 (Optional) Configure the frame aggregation function and length of the aggregated frames.
The frame aggregation function can improve the channel resource usage efficiency and
overall WDS network performance.
l Configure the frame aggregation function for the 802.11n protocol.
a. Run the undo ht a-mpdu disable command to enable the frame aggregation
function for the 802.11n protocol.
By default, aggregation of MPDUs is enabled.
b. Run the ht a-mpdu max-length-exponent max-length-exponent-index command to
set the length of aggregated frames for the 802.11n protocol.
By default, the index for the maximum length of an A-MPDU is 3. The maximum
length of the A-MPDU is 65535 bytes.
l Configure the frame aggregation function for the 802.11ac protocol.
Run the vht a-mpdu max-length-exponent max-length-exponent-index command to set
the length of aggregated frames for the 802.11ac protocol.
By default, the index for the maximum length of an A-MPDU is 7. The maximum length
of the A-MPDU is 1048575 bytes.
NOTE
----End
Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wired-port-profile name profile-name
An AP wired port profile is created and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
Step 4 Set parameters for an AP wired interface.
l Configure a wired interface to work in root mode.
a. Run the mode root command to configure an AP's wired interface to work in root
mode.
By default,
n On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
n On a central AP: Its uplink GE interfaces work in root mode and downlink GE
interfaces in middle mode.
n On an R230D: Its Ethernet interface works in root mode.
n On an R240D: Its Ethernet interface works in endpoint mode and GE interface
in root mode.
n On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D,
R251D-E and AP2050DN-E: Their uplink GE interfaces work in root mode
and downlink GE interfaces in endpoint mode.
n On an R450D: Its GE interface works in root mode.
l Configure a wired interface to work in endpoint mode.
a. Run the mode endpoint command to configure an AP's wired interface to work in
endpoint mode.
By default,
n On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
n On a central AP: Its uplink GE interfaces work in root mode and downlink GE
interfaces in middle mode.
n On an R230D: Its Ethernet interface works in root mode.
n On an R240D: Its Ethernet interface works in endpoint mode and GE interface
in root mode.
n On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D,
R251D-E and AP2050DN-E: Their uplink GE interfaces work in root mode
and downlink GE interfaces in endpoint mode.
n On an R450D: Its GE interface works in root mode.
b. Run the vlan pvid vlan-id command to configure the PVID of an AP's wired
interface.
By default, no PVID is configured for an AP wired interface.
c. Run the vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10> command
to add an AP's wired interface to VLANs.
By default, an AP wired interface allows packets from all VLANs to pass. The
wired interface is added to VLAN 1 in untagged mode and to other VLANs in
tagged mode.
NOTE
----End
Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.
Context
You need to configure a security profile and a security policy for the WDS to ensure security.
The WPA2+PSK+AES security policy is recommended for a WDS security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.
Procedure
Step 1 Run system-view
By default, security profiles default, default-wds, and default-mesh are available in the
system.
----End
Context
A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS
links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with
MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS,
only APs with radios working in root mode and middle mode can have a whitelist configured.
APs in leaf mode require no whitelist.
NOTE
l WDS links can be set up only when neighboring APs with MAC addresses in the whitelist succeed
in authentication.
l If the AP uses no whitelist, all the neighboring APs can connect to the bridge.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wds-whitelist-profile name whitelist-name
A WDS whitelist profile is created, and the WDS whitelist profile view is displayed.
By default, no WDS whitelist profile is available in the system.
Step 4 Run peer-ap mac mac-address
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
WDS whitelist profile.
By default, no MAC address of a neighboring AP is added to a WDS whitelist profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 7 Run wds-whitelist-profile whitelist-name
The WDS whitelist profile is bound to the AP radio.
By default, no WDS whitelist profile is bound to an AP radio.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wds-profile name profile-name
A WDS profile is created and the WDS profile view is displayed.
By default, the system provides the WDS profile default.
Step 4 Run wds-name name
A WDS name is set for the WDS profile. WDS nodes use a WDS name to identify
connections between them.
By default, the WDS name of a WDS profile is HUAWEI-WLAN-WDS.
Step 5 Run wds-mode { root | middle | leaf }
The WDS mode is configured in the WDS profile.
By default, the WDS mode in a WDS profile is leaf.
Step 6 Run security-profile profile-name
A security profile is bound to the WDS profile.
By default, the security profile default-wds is bound to a WDS profile.
NOTE
By default, the system provides the WDS profile default. By default, the security profile default-wds
with the security policy WPA2+PSK+AES and the security key huawei_secwds is referenced by a WDS
profile regardless of whether the WDS profile is the default profile provided by the system or a WDS
profile created by users. If the default security profile default-wds is used, you are advised to change the
security key of the profile to ensure security.
NOTE
MU-MIMO is enabled.
APs support MU-MIMO starting from 802.11ac Wave 2. If WDS VAPs need to support
MU-MIMO, a WDS profile must be bound to 5 GHz radios of the AP.
In WDS scenarios, ensure that the number of spatial streams on STA VAPs is smaller than
that on AP VAPs. Otherwise, MU-MIMO cannot take effect. For example, if STA VAPs and
AP VAPs are both configured with three spatial streams, an AP VAP can communicate with
only one STA VAP even if MU-MIMO has been enabled.
NOTE
After a DHCP trusted port is enabled in a WDS profile and the WDS profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
By default, the WDS air interface trusts the mapping from DSCP priorities to 802.11e user
priorities.
The WDS air interface is configured to trust the mapping from DSCP priorities to 802.11e
user priorities.
Table 14-5 describes the mapping from DSCP priorities to 802.11e user priorities by default.
DSCP Priority    802.11e User Priority
0-7              0
8-15             1
16-23            2
24-31            3
32-39            4
40-47            5
48-55            6
56-63            7
Step 14 Apply the WDS profile. You can use any of the following methods according to actual
situations:
l Bind the WDS profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the wds-profile profile-name radio { all | radio-id } command to bind the
WDS profile to the AP group.
By default, no WDS profile is bound to an AP group or AP.
NOTE
A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
WLAN services.
l Bind the WDS profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the wds-profile profile-name radio { all | radio-id } command to bind the
WDS profile to the AP.
By default, no WDS profile is bound to an AP group or AP.
NOTE
A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
WLAN services.
l Bind the WDS profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the wds-profile profile-name command to bind the WDS profile to AP group
radios.
By default, no WDS profile is bound to an AP radio.
NOTE
A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
WLAN services.
l Bind the WDS profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the wds-profile profile-name command to bind the WDS profile to the AP
radio.
By default, no WDS profile is bound to an AP radio.
NOTE
A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
WLAN services.
----End
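The default security profile and whitelist passages above lend themselves to a pre-deployment check. The following Python audit is an added example, not part of the Huawei guide or its tooling: it replays a sequence of the commands described in this section, typed from the WLAN view, and flags radios whose WDS profile still relies on the default key or whose root/middle WDS profile has no whitelist with peers. The command sequence is constructed, the finding labels are hypothetical, and only the radio-view form of wds-profile binding in an AP group is handled.

```python
DEFAULT_SEC = "default-wds"     # default WDS security profile named in this guide
DEFAULT_KEY = "huawei_secwds"   # default WDS security key named in this guide


def parse(commands):
    """Replay commands typed from the WLAN view and collect WDS-related state."""
    sec_keys, whitelists, wds, radios = {}, {}, {}, {}
    view = []  # stack of (view kind, name) entered below the WLAN view
    for raw in commands:
        t = raw.split()
        if not t:
            continue
        kind, name = view[-1] if view else ("wlan", None)
        if t[0] == "quit":
            if view:
                view.pop()
        elif kind == "wlan" and len(t) == 3 and t[1] == "name":
            # "<profile-type> name <profile-name>" creates and enters a view
            if t[0] == "security-profile":
                sec_keys.setdefault(t[2], None)
            elif t[0] == "wds-whitelist-profile":
                whitelists.setdefault(t[2], set())
            elif t[0] == "wds-profile":
                # Defaults per the guide: mode leaf, security profile default-wds
                wds.setdefault(t[2], {"mode": "leaf", "sec": DEFAULT_SEC})
            view.append((t[0], t[2]))
        elif (kind == "security-profile" and len(t) >= 5
              and t[:4] == ["security", "wpa2", "psk", "pass-phrase"]):
            sec_keys[name] = t[4]
        elif kind == "wds-whitelist-profile" and len(t) == 3 and t[:2] == ["peer-ap", "mac"]:
            whitelists[name].add(t[2].lower())
        elif kind == "wds-profile" and len(t) == 2 and t[0] == "wds-mode":
            wds[name]["mode"] = t[1]
        elif kind == "wds-profile" and len(t) == 2 and t[0] == "security-profile":
            wds[name]["sec"] = t[1]
        elif kind == "ap-group" and len(t) == 2 and t[0] == "radio":
            key = (name, t[1])
            radios.setdefault(key, {"wds": None, "whitelist": None})
            view.append(("radio", key))
        elif kind == "radio" and len(t) == 2 and t[0] == "wds-profile":
            radios[name]["wds"] = t[1]
        elif kind == "radio" and len(t) == 2 and t[0] == "wds-whitelist-profile":
            radios[name]["whitelist"] = t[1]
    return sec_keys, whitelists, wds, radios


def audit(commands):
    """Return (location, finding) pairs for radios that carry a WDS profile."""
    sec_keys, whitelists, wds, radios = parse(commands)
    findings = []
    for (group, radio), bound in sorted(radios.items()):
        if bound["wds"] is None:
            continue
        prof = wds.get(bound["wds"], {"mode": "leaf", "sec": DEFAULT_SEC})
        where = f"{group}/radio {radio}"
        key = sec_keys.get(prof["sec"])
        # default-wds with no key change in the sequence, or the default key reused
        if key == DEFAULT_KEY or (prof["sec"] == DEFAULT_SEC and key is None):
            findings.append((where, "default-key"))
        # Root and middle radios without a populated whitelist accept any neighbor
        if prof["mode"] in ("root", "middle"):
            if not whitelists.get(bound["whitelist"], set()):
                findings.append((where, "no-whitelist"))
    return findings


# Constructed command sequence; wds-net2 is deliberately left on the defaults.
SAMPLE = """
security-profile name wds-sec
security wpa2 psk pass-phrase a1234567 aes
quit
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
quit
wds-profile name wds-net1
wds-mode root
security-profile wds-sec
quit
wds-profile name wds-net2
wds-mode root
quit
wds-profile name wds-net3
security-profile wds-sec
quit
ap-group name wds-root1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
quit
quit
ap-group name wds-root2
radio 1
wds-profile wds-net2
quit
quit
ap-group name wds-leaf1
radio 1
wds-profile wds-net3
quit
quit
""".strip().splitlines()

if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```
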
Prerequisites
The WDS configuration is complete.
Procedure
l Run the display references wds-profile name profile-name command to check
reference information of a specified WDS profile.
l Run the display wds-profile { all | name profile-name } command to check information
of a WDS profile.
l Run the display references wds-whitelist-profile name whitelist-name command to
check reference information of a specified WDS whitelist profile.
l Run the display wds-whitelist-profile { all | name whitelist-name } command to check
information of a WDS whitelist profile.
----End
Procedure
l Run the display wds vap { ap-group ap-group-name | ap-id ap-id [ radio radio-id ] |
ap-name ap-name [ radio radio-id ] } [ wds-name wds-name ] command to check
information about WDS VAPs.
l Run the display wds vap { all | wds-name wds-name } command to check information
about WDS VAPs of a specified WDS name or all WDS names.
l Run the display wlan wds link { all | ap-id ap-id [ radio radio-id ] | ap-name ap-name
[ radio radio-id ] | wds-profile profile-name } command to check information about
WDS links.
----End
Context
During WDS network deployment, you can configure antenna alignment VAPs for WDS
nodes to facilitate antenna alignment between neighboring APs. When commissioning the
network onsite, connect a mobile terminal to an antenna alignment VAP and start the antenna
alignment program on the terminal to collect signal strength information of the peer AP radio.
The collected information makes antenna alignment easier.
You can log in to Huawei technical support website and search for Probe Handset Unit to
download the Antenna Alignment program.
Procedure
l Configure the default antenna alignment VAP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the AP system profile view.
By default, offline management VAP and antenna alignment VAP functions are
enabled.
e. (Optional) Run the temporary-management psk command to change the password
for the default SSID (hw_manage_xxxx) of the antenna alignment VAP.
The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication
mode. You can run the security wep share-key and wep key key-id { wep-40 | wep-104 |
wep-128 } { pass-phrase | hex } key-value commands to configure WEP authentication.
iii. Run the quit command to return to the WLAN view.
d. Configure an SSID profile.
i. Run the ssid-profile name profile-name command to create an SSID profile
and enter the SSID profile view.
By default, the system provides the SSID profile default.
ii. Run the ssid ssid command to configure an SSID name.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
iii. Run the quit command to return to the WLAN view.
e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
i. Run the vap-profile name profile-name command to create a VAP profile and
enter the VAP profile view.
By default, the system provides the VAP profile default.
ii. Run the temporary-management enable command to configure the VAPs as
an antenna alignment VAP.
By default, a VAP is a service VAP.
iii. Run the ssid-profile profile-name command to bind the SSID profile to the
VAP profile.
By default, the SSID profile default is bound to a VAP profile.
iv. Run the security-profile profile-name command to bind the security profile to
the VAP profile.
By default, the security profile default is bound to a VAP profile.
v. Run the quit command to return to the WLAN view.
f. Configure an AP system profile, and enable the antenna alignment VAP functions in
the AP system profile.
i. Run the ap-system-profile name profile-name command to create an AP
system profile and enter the AP system profile view.
By default, the system provides the AP system profile default.
ii. Run the undo temporary-management disable command to enable the
antenna alignment VAP functions.
By default, offline management VAP and antenna alignment VAP functions are
enabled.
iii. Run the quit command to return to the WLAN view.
l VAPs 1 to 12 and VAP 15 are used for the antenna alignment VAP configuration. Before
using these VAPs, ensure that they are not used by other WLAN services.
l VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
not used by other WLAN services.
l VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
WLAN services.
n Bind the VAP profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
n Bind the VAP profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
n Bind the VAP profile to radios of an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the radio radio-id command to enter the radio view.
3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
By default, no VAP profile is bound to a radio.
n Bind the VAP profile to an AP radio.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the radio radio-id command to enter the radio view.
3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
By default, no VAP profile is bound to a radio.
h. Run the quit command until you return to the WLAN view.
i. Apply the AP system profile using any of the following methods:
n Bind the AP system profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to an AP group.
By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
n Bind the AP system profile to an AP.
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office environment, AP_1
in Area A can be connected to the AC through a network cable; AP_2 and AP_3 in Area B
can be connected through a cable but cannot be connected to the AC in wired mode; Area C is
near Area B but AP_4 in Area C cannot be connected to the AC through a network cable
either. The enterprise requires that APs be connected to each other in back-to-back WDS
mode and go online on the AC to provide network services for PCs in VLAN 101, as shown
in Figure 14-8:
[Figure 14-8 (network diagram): AC, Switch_A, Switch_B, and Switch_C; AP_1 (root) in Area A; AP_2 (leaf) in Area B; AP_3 (root); AP_4 (leaf) in Area C; PCs in VLAN 101.]
Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
NOTE
In this example, the access switches Switch_B and Switch_C and aggregation switch Switch_A are
Huawei products.
Item: WDS profile
Data:
l wds-net1 (WDS profile used by AP_1): WDS mode root, referenced
WDS whitelist wds-list1, permitting access only from AP_2
l wds-net2 (WDS profile used by AP_3): WDS mode root, referenced
WDS whitelist wds-list2, permitting access only from AP_4
l wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS
whitelist
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the AC to communicate with AP_1 and AP_2 to communicate with AP_3.
# Configure the access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100
(management VLAN) and set the PVID of the interface to VLAN 100. Configure GE0/0/1
and GE0/0/2 to allow packets from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from the service and management VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit
Step 2 Configure Switch_A to assign IP addresses to PCs and the AC to assign IP addresses to APs.
# Configure Switch_A as a DHCP server to assign IP addresses to PCs from an interface
address pool.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group
wds-leaf1, and AP_4 to AP group wds-leaf2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
# Configure the security profile wds-sec used by WDS links. The wds-sec uses the security
policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit
# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit
# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in untagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management. This fault can be recovered
only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan untagged 101
[AC-wlan-wired-port-wired-port] quit
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit
# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit
# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit
# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
NOTE
After referencing the AP wired port profile in endpoint mode, configure the AP to go online on the AC and
obtain the configuration. Then restart the AP to make the configuration effective.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
Uptime ExtraInfo
---------------------------------------------------------------------------------------------------
1 60de-4474-9640 AP_1 wds-root1 10.23.100.250 AP8130DN nor 0 20M:16S -
4 60de-4476-e360 AP_4 wds-leaf2 10.23.100.251 AP8130DN nor 0 17S     -
2 dcd2-fc04-b500 AP_2 wds-leaf1 10.23.100.253 AP8130DN nor 0 3M:55S  -
3 dcd2-fcf6-76a0 AP_3 wds-root2 10.23.100.252 AP8130DN nor 0 2M:55S  -
---------------------------------------------------------------------------------------------------
Total: 4
Run the display wlan wds link all command to check information about the WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
WDS : WDS mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 root normal   -44  -40  0   3  50   45/49/-/-
AP_2   AP_1     1  4   157 leaf normal   -38  -36  0   49 57   36/31/57/-
AP_3   AP_4     1  4   149 root normal   -11  -7   0   1  83   81/80/-/-
AP_4   AP_3     1  4   149 leaf normal   -4   -4   0   0  91   90/85/-/-
-------------------------------------------------------------------------------------------------
Total: 4
Verify that the AP goes online and restart AP_4 to make the working mode of the AP wired
port effective.
[AC-wlan-view] ap-reset ap-group wds-leaf2
Warning: Reset AP(s), continue?[Y/N]:y
----End
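The WDS whitelists configured above only protect the root radios if each one is actually bound and lists the intended leaf APs. The following check is an added example, not part of the Huawei guide: it reads a command transcript by its prompts (the sysname AC is assumed) and reports root radios without a whitelist and whitelist entries that match no registered AP. The transcript is constructed from the commands above, with an extra MAC 0011-2233-4455 and a missing wds-root2 binding introduced on purpose.

```python
import re
from collections import defaultdict

# Constructed transcript: prompts and commands follow the steps above, except that
# wds-list1 carries one extra MAC (0011-2233-4455) and wds-root2 has no whitelist.
SESSION = """\
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-group wds-root1
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-group wds-leaf1
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-group wds-root2
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 0011-2233-4455
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
"""

PROMPT = re.compile(r"^\[AC-wlan-(?P<view>[^\]]+)\]\s*(?P<cmd>\S.*)$")


def parse(session):
    """Collect AP inventory, whitelist profiles, WDS modes and radio bindings."""
    cfg = {"ap_mac": {}, "ap_group": {}, "whitelist": defaultdict(set),
           "wds_mode": {}, "radio_whitelist": {}, "radio_wds": {}}
    for raw in session.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # warnings, confirmations and comments carry no prompt
        view, w = m["view"], m["cmd"].split()
        if view == "view" and len(w) == 4 and w[0] == "ap-id" and w[2] == "ap-mac":
            cfg["ap_mac"][w[1]] = w[3].lower()
        elif (v := re.fullmatch(r"ap-(\d+)", view)) and len(w) == 2 and w[0] == "ap-group":
            cfg["ap_group"][v[1]] = w[1]
        elif (v := re.fullmatch(r"wds-whitelist-(.+)", view)) and len(w) == 3 \
                and w[:2] == ["peer-ap", "mac"]:
            cfg["whitelist"][v[1]].add(w[2].lower())
        elif (v := re.fullmatch(r"wds-prof-(.+)", view)) and len(w) == 2 and w[0] == "wds-mode":
            cfg["wds_mode"][v[1]] = w[1]
        elif (v := re.fullmatch(r"group-radio-(.+)/(\d+)", view)) and len(w) == 2 \
                and w[0] == "wds-whitelist-profile":
            cfg["radio_whitelist"][(v[1], v[2])] = w[1]
        elif (v := re.fullmatch(r"ap-group-(.+)", view)) and len(w) == 4 \
                and w[0] == "wds-profile" and w[2] == "radio":
            cfg["radio_wds"][(v[1], w[3])] = w[1]
    return cfg


def audit(cfg):
    """Return (group, radio, message) findings for every radio running a root WDS profile."""
    group_of_mac = {cfg["ap_mac"][i]: g for i, g in cfg["ap_group"].items()
                    if i in cfg["ap_mac"]}
    modes = defaultdict(set)  # AP group -> WDS modes bound to its radios
    for (group, _radio), prof in cfg["radio_wds"].items():
        if prof in cfg["wds_mode"]:
            modes[group].add(cfg["wds_mode"][prof])
    findings = []
    for (group, radio), prof in sorted(cfg["radio_wds"].items()):
        if cfg["wds_mode"].get(prof) != "root":
            continue
        wl = cfg["radio_whitelist"].get((group, radio))
        if wl is None:
            findings.append((group, radio, "root radio has no WDS whitelist bound"))
            continue
        peers = cfg["whitelist"].get(wl, set())
        if not peers:
            findings.append((group, radio, f"whitelist {wl} is empty or undefined"))
        for mac in sorted(peers):
            peer_group = group_of_mac.get(mac)
            if peer_group is None:
                findings.append((group, radio,
                                 f"whitelist {wl} permits {mac}, which is not a registered AP"))
            elif not (modes.get(peer_group, set()) - {"root"}):
                findings.append((group, radio,
                                 f"whitelist {wl} permits {mac} in group {peer_group}, "
                                 "which runs no leaf or middle WDS profile"))
    return findings


if __name__ == "__main__":
    for group, radio, message in audit(parse(SESSION)):
        print(f"{group} radio {radio}: {message}")
```

An empty result means every root radio is bound to a whitelist whose entries all resolve to registered APs in non-root WDS groups.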
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group wds-root1
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group wds-leaf1
ap-id 3 ap-mac dcd2-fcf6-76a0
ap-name AP_3
ap-group wds-root2
ap-id 4 ap-mac 60de-4476-e360
ap-name AP_4
ap-group wds-leaf2
#
return
15 Mesh Configuration
Definition
A wireless mesh network (WMN) is a communications network that consists of multiple
wirelessly connected APs in a mesh topology and connects to a wired network through a
portal node or two portal nodes.
Purpose
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect
to a wired network through uplinks. If no wired network is available before a WLAN is
constructed, it takes much time and money to construct a wired network. If positions of some
APs on a WLAN are adjusted, the wired network must be adjusted accordingly, increasing the
difficulty in network adjustment. A traditional WLAN requires a long construction period and
has a high cost and poor flexibility, so it does not apply to emergency communication,
wireless MANs, or areas with weak or no wired network infrastructure. The construction of a
WMN requires only APs to be installed, which greatly speeds up network construction.
A WMN allows APs to wirelessly connect to each other, solving the preceding problems. A
WMN has the following advantages:
l Fast deployment: Mesh nodes can be easily installed to construct a WMN in a short time,
much shorter than the construction period of a traditional WLAN.
l Dynamic coverage area expansion: As more mesh nodes are deployed on a WMN, the
WMN coverage area can be rapidly expanded.
l Robustness: A WMN is a peer network that will not be affected by the failure of a single
node. If a node fails, packets are forwarded to the destination node along the backup
path.
l Flexible networking: An AP can join or leave a WMN easily, allowing for flexible
networking.
l Various application scenarios: Besides traditional WLAN scenarios such as enterprise
networks, office networks, and campus networks, a WMN also applies to scenarios such
as large-scale warehouses, docks, MANs, metro lines, and emergency communications.
l Cost-effectiveness: Only MPPs need to connect to a wired network, which minimizes the
dependency of a WMN on wired devices and saves costs in wired device purchasing and
cable deployment.
Benefits
A WMN saves cables required between mesh nodes while providing path redundancy and
rerouting functions as a distributed network. Therefore,
l When a new AP is added to a WMN, the AP can automatically connect to the WMN and
determine the optimal multi-hop transmission path after being powered on.
l When an AP is moved from a WMN, the WMN can automatically discover the topology
change and adjust communication routes to obtain the optimal transmission path.
Concepts
[Figure: WMN networking showing the AC, MP3, MP4, STA1, STA2 and STA3; legend: Mesh link, User access]
Implementation
The establishment of a mesh link includes mesh neighbor discovery and mesh connection
management.
Mesh connection management involves two phases: mesh connection establishment and mesh
connection teardown. The two phases are implemented using three types of Mesh Action
frames: Mesh Peering Open, Mesh Peering Confirm, and Mesh Peering Close frames.
Mesh Routing
On a WMN, multiple mesh links are available between any source and destination, and the
transmission quality of these mesh links varies according to the surrounding environment.
Therefore, routing protocols are required on the WMN. The Hybrid Wireless Mesh Protocol
(HWMP) defined in the 802.11s standard can address routing issues.
The following route management frames are defined in HWMP:
l Root Announcement (RANN) frame: used to announce the presence of an MPP.
– An MPP periodically broadcasts a RANN frame.
– After an MP receives a RANN frame, the MP reduces the time to live (TTL) of the
frame by 1, updates the path metric, and broadcasts the frame. After an MP reads a
RANN frame, the MP checks whether the gateway specified in the RANN frame
exists in the local gateway list. If the gateway exists in the local gateway list, the
MP updates the gateway information in the gateway list according to the
information in the RANN frame. Otherwise, the MP adds gateway information to
the gateway list.
l Path Request (PREQ) and Path Reply (PREP) frames: In on-demand routing mode, the
source node broadcasts a PREQ frame to establish a route to the destination node. After
an MP receives the PREQ frame, the MP responds with a PREP frame.
A WMN supports two routing modes: on-demand routing and proactive routing.
l On-demand routing: The source node broadcasts a PREQ frame to establish a route to
the destination node. After receiving the PREQ frame, a transit node checks the frame. If
the PREQ frame contains a sequence number greater than or equal to the sequence
number of the previous frame but has a lower metric, the transit node creates and updates
the route to the source node. If the transit node has no route to the destination node, the
transit node continues forwarding the PREQ frame.
l Proactive routing: A root node periodically broadcasts a RANN frame. When a mesh
node receives a RANN frame and needs to create or update the route to the root node, the
mesh node unicasts a PREP frame to the root node and broadcasts the RANN frame.
Then, the root node creates a reverse path from the root node to the source node, and the
mesh node creates a forwarding path from the root node to the source node.
HWMP combines on-demand routing and proactive routing to ensure that data frames are
always transmitted on mesh links with the best transmission quality.
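The on-demand discovery described above can be traced on a small mesh. This is an added example, not Huawei's implementation: it floods one PREQ, applies the acceptance rule as this page states it, and then walks the reverse routes the way the PREP travels back. The link metrics are constructed, and dropping PREQs that do not improve a route is an assumption made so the flood terminates.

```python
from collections import deque

# Constructed topology: symmetric link metrics between mesh nodes (lower is better).
LINKS = {
    ("MPP", "MP1"): 10,
    ("MPP", "MP2"): 4,
    ("MP2", "MP1"): 3,
    ("MP1", "MP3"): 5,
    ("MP2", "MP3"): 12,
    ("MP3", "MP4"): 2,
}


def neighbours(node):
    """Yield (neighbour, link metric) for every mesh link that touches node."""
    for (a, b), metric in LINKS.items():
        if a == node:
            yield b, metric
        elif b == node:
            yield a, metric


def accept(entry, sn, metric):
    """Rule as stated on this page: create the route if none exists; otherwise
    update it only when the sequence number is not older AND the metric is lower."""
    return entry is None or (sn >= entry["sn"] and metric < entry["metric"])


def discover(source, dest, sn=1):
    """Flood one PREQ from source and return (path, metric), or None if unreachable."""
    # reverse[n] is node n's route back towards the PREQ originator.
    reverse = {source: {"next_hop": None, "metric": 0, "sn": sn}}
    queue = deque([(source, 0)])  # (node that rebroadcasts, metric accumulated so far)
    while queue:
        sender, metric_so_far = queue.popleft()
        for node, link_metric in neighbours(sender):
            metric = metric_so_far + link_metric
            if node == source or not accept(reverse.get(node), sn, metric):
                continue  # assumption: a PREQ that does not improve the route is dropped
            reverse[node] = {"next_hop": sender, "metric": metric, "sn": sn}
            if node != dest:  # the destination answers with a PREP instead of forwarding
                queue.append((node, metric))
    if dest not in reverse:
        return None
    # The PREP is unicast hop by hop along the reverse routes, which fixes the path.
    path = [dest]
    while path[-1] != source:
        path.append(reverse[path[-1]]["next_hop"])
    path.reverse()
    return path, reverse[dest]["metric"]


if __name__ == "__main__":
    print(discover("MPP", "MP4"))
```

The direct MPP to MP1 link is learned first but is replaced when the PREQ relayed by MP2 arrives with a lower accumulated metric.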
Huawei develops and optimizes the proprietary mesh routing protocol based on the 802.11s
standard to implement route load balancing. The mesh routing protocol has the following
characteristics:
l Reduces the number of times frames are forwarded during the wireless link
establishment.
l Constructs the forwarding topology based on the path with only a few hops from the
source node to the destination node.
1. After MP1 is powered on, it exchanges Mesh Peering Open and Mesh Peering Confirm
frames with MP2, which has associated with the AC using information including the
default Mesh ID and pre-shared key. MP1 establishes a temporary insecure mesh
connection with MP2 and establishes a route to the MPP.
2. MP1 obtains an IP address and the IP address of the AC from the DHCP server through
the mesh connection.
3. MP1 discovers and associates with the AC through the mesh connection and establishes
a temporary CAPWAP tunnel to obtain the configuration from the AC.
4. After MP1 obtains the new configuration, it sends a Mesh Peering Close frame to tear
down the temporary insecure mesh connection.
5. MP1 exchanges Mesh Peering Open and Mesh Peering Confirm frames with MP2 using
the new mesh configuration for key negotiation. After MP1 and MP2 negotiate the key
for communication, the two MPs establish a formal secure mesh link.
6. MP1 re-establishes a secure CAPWAP tunnel with the AC using the new configuration.
7. When MP1 cannot establish a mesh link with MP2 within a long period of time, the
default configuration is restored. The whole process starts from step 1 until MP1
establishes a secure CAPWAP tunnel with the AC using the new configuration.
[Figures: Mesh networking diagrams showing STAs, AP1 to AP8, an access switch, a switch, the AC and the Internet, with Area 1 and Area 2; legend: Mesh link, STA access]
l An AC can deliver STP configurations to the preceding APs only when their wired
interfaces are not bound to an Eth-trunk interface.
A Mesh network supports only transparent transmission of Spanning Tree Protocol (STP)
packets. An STP-enabled AP does not forward STP packets to the wireless side. STP takes
effect only on the AP's wired side.
When deploying a Mesh network, avoid network loops. In Mesh networking, STP applies
only to scenarios where the Mesh network forms a single loop with the wired network. Table
15-1 describes STP scenarios supported by a Mesh network.
Scenario Description
(Figure: scenario containing an MPP) STP needs to be enabled on the MPP's wired port.
(Figure: scenario containing MP2 and MP1) STP needs to be
NOTE
Mesh networks support Mesh link redundancy. To prevent loops, use Mesh routing to decide on the
forwarding path.
When configuring Mesh services, use the Mesh profile with the following profiles:
l Security profile: After a security profile is bound to a Mesh profile, parameters in the
security profile will be used for Mesh link setup to ensure security of Mesh links. The
WPA2+PSK+AES security policy is recommended for a Mesh security profile.
NOTE
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.
l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
V200R012C00: V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10: V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00: V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00: V200R007C10, V200R006C20, V200R006C10
V200R009C00: V200R006C20, V200R006C10
V200R008C00: V200R005C30, V200R005C20, V200R005C10
V200R007: V200R005C20, V200R005C10
V200R006: V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
l The AD9431DN-24X central AP (including the mapping RUs), AD9430DN-24 central
AP (including the mapping RUs), AD9430DN-12 central AP (including the mapping
RUs), AP2010DN, AP2030DN, AP2050DN, AP2050DN-E, AP7030DE, AP9330DN,
AP2051DN, AP2051DN-E, and AP6310SN-GN do not support the Mesh function.
AP9132DN      Radio 0: 802.11n; Radio 1: 802.11ac    N/A
AP9131DN      Radio 0: 802.11n; Radio 1: 802.11ac    N/A
AP8050TN-HD   802.11ac                               Mesh not supported
AP8082DN      802.11ac                               NA
AP8182DN      802.11ac                               NA
AP7110SN-GN   radio 0: 802.11n; radio 1: N/A         N/A
AP7052DE      802.11ac                               NA
AP7052DN      802.11ac                               NA
AP7152DN      802.11ac                               NA
AP6052DN      802.11ac                               NA
AP6010SN-GN   radio 0: 802.11n; radio 1: N/A         N/A
AP5130DN      Radio 0: 802.11n; Radio 1: 802.11ac    N/A
AP5030DN      Radio 0: 802.11n; Radio 1: 802.11ac    N/A
AP5010SN-GN   radio 0: 802.11n; radio 1: N/A         N/A
AP4130DN      Radio 0: 802.11n; Radio 1: 802.11ac    N/A
AP4030DN      radio 0: 802.11n; radio 1: 802.11ac    N/A
Pre-configuration Tasks
In AC+Fit AP networking, you can configure the Mesh function to easily deploy a WLAN in
complex environments. This configuration saves network deployment cost, facilitates network
expansion, and implements flexible networking.
Configuration Procedure
Perform the following steps in the listed order.
[Figure: Mesh networking showing the Internet, AC, switch, MPP, MP3, MP4 and STAs; legend: Mesh link]
To ensure a high throughput, you are advised not to configure access VAPs on an MPP.
l mesh-node (MP): a node that provides both mesh service and user access service. All
nodes except MPPs on a WMN are MPs.
Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
----End
Context
WARNING
Before using the 4.9 GHz frequency band, ensure that you have obtained the 4.9 GHz license
from the local administrative department and use the band properly.
The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios but not wireless
coverage services. It is mainly used by WDS and Mesh backhaul links. The 4.9 GHz
frequency band is out of the channel range reselected using DFS.
NOTE
The AP8130DN-W is sold only in regions outside China.
The following table lists channels and frequency distribution of the 4.9 GHz frequency band.
The 4.9 GHz frequency band supports channel bandwidths of 20 MHz and 40 MHz. Channels
184+188 or 192+196 can be bundled into a 40 MHz channel. Similar to the 5 GHz frequency
band, the 4.9 GHz frequency band complies with 802.11a/n/ac.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
To ensure that Mesh links can be set up successfully on a Mesh network, you need to
configure radio parameters for Mesh links according to actual service requirements.
l On a Mesh link, radios of adjacent Mesh APs must work on the same channel.
l You need to configure the radio coverage distance parameter based on distances between
APs. The APs automatically adjust the values of slottime, acktimeout, and ctstimeout
based on the configured distance parameter to set up Mesh links correctly.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
The working bandwidth and channel are configured for the radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.
On a Mesh link, radios of adjacent Mesh APs must work on the same channel.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the Mesh function.
Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.
To use the 4.9 GHz frequency band to configure backhaul links, see Usage Guide of
wideband enable for channels and bandwidth of the 4.9 GHz frequency band. Only radios
working on the 5 GHz frequency band can use the 4.9 GHz frequency band. For example,
radio 1 of the AP8130DN-W can use the 4.9 GHz frequency band. Radio 0 of the
AP8130DN-W can also use the 4.9 GHz frequency band after it is configured to work on the
5 GHz frequency band using the frequency 5g command.
The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.
By default,
l If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
l If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
know the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
specify the parameter to signal strength during installation and service traffic volume after
installation.
NOTE
This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Step 13 (Optional) Configure the frame aggregation function and length of the aggregated frames.
The frame aggregation function can improve the channel resource usage efficiency and
overall WDS network performance.
l Configure the frame aggregation function for the 802.11n protocol.
a. Run the undo ht a-mpdu disable command to enable the frame aggregation
function for the 802.11n protocol.
By default, aggregation of MPDUs is enabled.
b. Run the ht a-mpdu max-length-exponent max-length-exponent-index command to
set the length of aggregated frames for the 802.11n protocol.
By default, the index for the maximum length of an A-MPDU is 3. The maximum
length of the A-MPDU is 65535 bytes.
l Configure the frame aggregation function for the 802.11ac protocol.
----End
Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.
Context
You can configure the wired interface on an MPP to connect to the AC or configure the wired
interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On Mesh networks, an AP wired interface can work in the following modes:
● root mode: The wired interface that connects the MPP to the AC must work in root
mode.
● endpoint mode: When the wired interface of an AP works in endpoint mode, the AP's
wired interface can directly connect to a STA or be used to deploy Layer 2 networks.
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
After changing the working mode of an AP's wired interface, run the ap-reset command to reset the AP
for the configuration to take effect.
NOTE
----End
Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.
Context
You need to configure a security profile and a security policy for the Mesh to ensure security.
The WPA2+PSK+AES security policy is recommended for a Mesh security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.
NOTE
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes
A security policy is configured for the security profile.
----End
Context
A Mesh whitelist specifies the MAC addresses of neighboring APs that are allowed to
connect to an AP. After a Mesh whitelist is bound to a radio of an AP, only the neighboring
APs with the MAC addresses in the whitelist can connect to the AP, and other APs are denied
access.
If no Mesh whitelist is configured, APs may establish Mesh links with neighboring APs
randomly, wasting limited Mesh link resources. When the number of established Mesh links
reaches the maximum, the APs cannot establish more Mesh links with neighboring APs that
require Mesh links. In addition, because there may be rogue neighboring APs, potential
security risks exist if no Mesh whitelist is configured.
NOTE
In a scenario where ATs access a Mesh network, only ATs can connect to the MPP. You can allow all
neighboring ATs to access the MPP without configuring a Mesh whitelist. Alternatively, you can
configure a Mesh whitelist to allow only neighboring ATs whose MAC addresses are specified in the
Mesh whitelist to connect to the MPP. However, in other Mesh application scenarios, a Mesh profile
must have a Mesh whitelist profile bound, and the Mesh whitelist profile must have MAC addresses
configured.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-whitelist-profile name whitelist-name
A Mesh whitelist profile is created, and the Mesh whitelist profile view is displayed.
By default, no Mesh whitelist profile is available in the system.
Step 4 Run peer-ap mac mac-address
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
Mesh whitelist profile.
By default, no MAC address of a neighboring AP is added to a Mesh whitelist profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Enter the radio view.
● Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
● Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 7 Run mesh-whitelist-profile whitelist-name
The Mesh whitelist profile is bound to the AP radio.
By default, no Mesh whitelist profile is bound to an AP radio.
When the AT accesses the MPP through a Mesh link, the Mesh whitelist is optional. You can
determine whether to configure a Mesh whitelist to control AT access as required.
----End
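The two preceding procedures (Mesh security profile and Mesh whitelist) can be checked before a change is pushed. The following Python audit is an added example, not Huawei code: it reads a session made of the commands shown in this guide and reports Mesh profiles that still rely on the default-mesh key, PSKs that are printed in this guide, and radios that carry a Mesh profile without a populated whitelist. The whitelist name mesh-list, the placeholder key and both sample sessions are assumptions constructed for the example.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # "[AC-wlan-view] " or "<AC> "
# Keys printed in this guide and therefore public: the default-mesh default key
# and the pass-phrase used in the configuration example.
DOCUMENTED_KEYS = {"huawei_secmesh", "a1234567"}
VIEWS = {"security-profile": "sec", "mesh-profile": "mesh",
         "mesh-whitelist-profile": "wl", "ap-group": "group"}


def audit(session):
    """Return sorted (finding, subject) tuples for a WLAN-view command session."""
    view = []                                   # stack of (kind, name)
    sec_keys, mesh, wl, radio_wl, bound = {}, {}, {}, {}, []
    for raw in session.splitlines():
        w = PROMPT.sub("", raw).split()
        if not w or w[0].startswith("#"):
            continue
        kind, name = view[-1] if view else ("wlan", None)
        if w[0] == "quit":
            if view:
                view.pop()
        elif len(w) == 3 and w[1] == "name":    # "<object> name <x>" opens a view
            view.append((VIEWS.get(w[0], "other"), w[2]))
            if w[0] == "mesh-profile":
                mesh.setdefault(w[2], {"sec": "default-mesh", "fwa": False})
            elif w[0] == "mesh-whitelist-profile":
                wl.setdefault(w[2], set())
        elif kind == "wlan" and w[0] in ("ap-id", "ap-mac", "ap-name"):
            view.append(("other", w[1]))        # AP view: tracked, not audited
        elif kind == "group" and w[0] == "radio" and len(w) == 2:
            view.append(("radio", (name, w[1])))
        elif kind == "sec" and w[:3] == ["security", "wpa2", "psk"] and len(w) >= 5:
            sec_keys[name] = w[4]
        elif kind == "mesh" and w[0] == "security-profile" and len(w) == 2:
            mesh[name]["sec"] = w[1]
        elif kind == "mesh" and w == ["fwa", "enable"]:
            mesh[name]["fwa"] = True
        elif kind == "wl" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            wl[name].add(w[2].lower())
        elif kind == "group" and w[0] == "mesh-profile" and len(w) == 4:
            bound.append((name, w[3], w[1]))    # mesh-profile <p> radio <id|all>
        elif kind == "radio" and w[0] == "mesh-profile" and len(w) == 2:
            bound.append((name[0], name[1], w[1]))
        elif kind == "radio" and w[0] == "mesh-whitelist-profile" and len(w) == 2:
            radio_wl[name] = w[1]

    findings = set()
    for group, radio, prof in bound:
        cfg = mesh.get(prof, {"sec": "default-mesh", "fwa": False})
        key = sec_keys.get(cfg["sec"])
        if cfg["sec"] == "default-mesh" and key is None:
            findings.add(("DEFAULT_KEY", prof))         # key is still huawei_secmesh
        elif key in DOCUMENTED_KEYS:
            findings.add(("DOCUMENTED_KEY", cfg["sec"]))
        if cfg["fwa"]:
            continue                                    # whitelist optional with FWA
        # Simplification: for "radio all", a whitelist on any radio of the group counts.
        lists = [p for (g, r), p in radio_wl.items()
                 if g == group and radio in ("all", r)]
        if not lists:
            findings.add(("NO_WHITELIST", f"{group}/radio {radio}"))
        findings.update(("EMPTY_WHITELIST", p) for p in lists if not wl.get(p))
    return sorted(findings)


# Constructed session modelled on this guide's example commands:
# documented pass-phrase, no Mesh whitelist.
AS_DOCUMENTED = """
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
"""

# Constructed hardened session (prompts omitted). mesh-list and the key
# placeholder are hypothetical names, not values from the guide.
HARDENED = """
security-profile name mesh-sec
 security wpa2 psk pass-phrase REPLACE_WITH_SITE_SECRET aes
 quit
mesh-whitelist-profile name mesh-list
 peer-ap mac 60de-4474-9640
 peer-ap mac 60de-4476-e360
 quit
mesh-profile name mesh-net
 security-profile mesh-sec
 quit
ap-group name mesh-mp
 mesh-profile mesh-net radio 1
 radio 1
  mesh-whitelist-profile mesh-list
  quit
 quit
"""

if __name__ == "__main__":
    for label, text in (("as documented", AS_DOCUMENTED), ("hardened", HARDENED)):
        print(label, audit(text))
```

The audit follows view changes from the commands themselves, so it accepts sessions with or without prompts; it covers AP group bindings only and skips the AP view.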
Context
On a Mesh network shown in Figure 15-8, you need to deploy APs as MPPs or MPs based on
AP locations.
To ensure high throughput, you are advised not to configure access VAPs on an MPP.
● mesh-node (MP): a node that provides both mesh service and user access service. All
nodes except MPPs on a WMN are MPs.
[Figure 15-8 (image not available). Labels: Internet, AC, Switch, MPP, MP3, MP4, STA. Legend: Mesh link.]
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
The AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mesh-role { mesh-portal | mesh-node }
A Mesh role is configured.
By default, the Mesh role of an AP is mesh-node in the AP system profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 7 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 8 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.
NOTE
By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.
By default, a maximum of eight mesh links can be established between APs. After you enable
FWA for a mesh profile using the fwa enable command, a maximum of 32 mesh links can be
established between APs by default.
The RSSI threshold of a Mesh link is configured. When the minimum RSSI of all Mesh links
on the optimal route to the current MPP is lower than the RSSI threshold of a Mesh link, the
MP reselects Mesh links.
By default, the RSSI threshold of a mesh link is -75 dBm. After the FWA mode is enabled in
a Mesh profile, the RSSI threshold of a Mesh link is fixed as -90 dBm.
NOTE
After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
By default, the Mesh air interface trusts the mapping from DSCP priorities to 802.11e user
priorities.
The Mesh air interface is configured to trust the mapping from DSCP priorities to 802.11e
user priorities.
Table 15-6 describes the mapping from DSCP priorities to 802.11e user priorities by default.
DSCP Priority    802.11e User Priority
0-7              0
8-15             1
16-23            2
24-31            3
32-39            4
40-47            5
48-55            6
56-63            7
Step 21 Apply the Mesh profile. You can use any of the following methods according to actual
situations:
● Bind the Mesh profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
Mesh profile to the AP group.
By default, no Mesh profile is bound to an AP group or AP.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
● Bind the Mesh profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
Mesh profile to the AP.
By default, no Mesh profile is bound to an AP group or AP.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
● Bind the Mesh profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to AP group
radios.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
● Bind the Mesh profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to the AP
radio.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
----End
You need to enable FWA only when ATs are connected to remote APs.
As shown in Figure 15-9, the outdoor AT needs to connect to the remote AP through a Mesh
link in wireless mode to provide network access for users connected to the outdoor AT. You
need to configure the Mesh service and enable FWA so that the AT can connect to the remote
AP.
[Figure 15-9 (image not available). Labels: Internet, STA, PC. Legend: Mesh link.]
NOTE
Only the AP6510DN-AGN and AP6610DN-AGN can function as a remote AP to provide access to the AT.
An AT can connect only to one remote AP, and the remote AP must be an MPP.
This document provides the Mesh service configuration on the remote AP. For details about the Mesh service
configuration on the AT, see section AT Wireless Access Configuration in the Huawei Wireless Access
Terminal Configuration Guide.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-profile name profile-name
The Mesh profile view is displayed.
Step 4 Run fwa enable
FWA is enabled in the Mesh profile.
By default, FWA is disabled for a Mesh profile.
NOTE
FWA and vehicle-ground fast link handover are mutually exclusive in a Mesh profile.
After you enable FWA for a Mesh profile using the fwa enable command, the default value of link-num in the
max-link-number link-num command is 32, and the value ranges from 1 to 32.
After you enable FWA in a Mesh profile using the fwa enable command, the RSSI threshold of a Mesh link
is fixed as -90 dBm, and not changed by the link-rssi-threshold command.
After you enable FWA in a Mesh profile using the fwa enable command, you can complete Mesh service
configuration without the need to bind a Mesh whitelist profile to the Mesh profile.
After you enable FWA for a Mesh profile using the fwa enable command, the radio bound to the Mesh
profile allows access from only ATs. Do not enable FWA when ATs are not used to prevent a Mesh service
configuration failure.
AC_VO        ECWmax      3
             ECWmin      2
             AIFSN       2
             TXOPLimit   47
AC_VI        ECWmax      4
             ECWmin      3
             AIFSN       2
             TXOPLimit   94
AC_BE        ECWmax      10
             ECWmin      4
             AIFSN       3
             TXOPLimit   0
AC_BK        ECWmax      10
             ECWmin      4
             AIFSN       7
             TXOPLimit   0
You need to configure EDCA parameters according to actual scenarios. Table 15-8
shows the configuration of EDCA parameters in voice scenarios, and Table 15-9 shows
the configuration in voice and video hybrid scenarios.
AC_VO        ECWmax      4
             ECWmin      2
             AIFSN       2
             TXOPLimit   0
AC_VI        ECWmax      5
             ECWmin      3
             AIFSN       5
             TXOPLimit   0
AC_BE        ECWmax      10
             ECWmin      6
             AIFSN       5
             TXOPLimit   0
AC_BK        ECWmax      10
             ECWmin      8
             AIFSN       12
             TXOPLimit   0
Table 15-9 Recommended configuration of EDCA parameters in voice and video hybrid
scenarios
Packet Type  Parameters  Description
AC_VO        ECWmax      4
             ECWmin      2
             AIFSN       2
             TXOPLimit   0
AC_VI        ECWmax      5
             ECWmin      3
             AIFSN       5
             TXOPLimit   0
AC_BE        ECWmax      10
             ECWmin      6
             AIFSN       12
             TXOPLimit   0
AC_BK        ECWmax      10
             ECWmin      8
             AIFSN       12
             TXOPLimit   0
----End
Prerequisites
The Mesh configuration is complete.
Procedure
● Run the display references mesh-profile name profile-name command to check
reference information of a specified Mesh profile.
● Run the display mesh-profile { all | name profile-name } command to check
information about a Mesh profile.
● Run the display references mesh-whitelist-profile name whitelist-name command to
check reference information of a specified Mesh whitelist profile.
● Run the display mesh-whitelist-profile { all | name whitelist-name } command to check
information about a Mesh whitelist profile.
----End
Procedure
● Run the display mesh vap { ap-group ap-group-name | ap-id ap-id [ radio radio-id ] |
ap-name ap-name [ radio radio-id ] } [ mesh-id mesh-id ] command to check
information about Mesh VAPs.
● Run the display mesh vap { all | mesh-id mesh-id } command to check information
about Mesh VAPs of a specified Mesh ID or all Mesh IDs.
● Run the display wlan mesh link { all | ap-id ap-id [ radio radio-id ] | ap-name
ap-name [ radio radio-id ] | mesh-profile profile-name } command to check information
about Mesh links.
----End
Context
During Mesh network deployment, you can configure antenna alignment VAPs for Mesh
nodes to facilitate antenna alignment between neighboring APs. When commissioning the
network onsite, connect a mobile terminal to an antenna alignment VAP and start the antenna
alignment program on the terminal to collect signal strength information of the peer AP radio.
The collected information makes antenna alignment easier.
You can log in to the Huawei technical support website and search for Probe Handset Unit to
download the Antenna Alignment program.
Procedure
● Configure the default antenna alignment VAP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the AP system profile view.
By default, offline management VAP and antenna alignment VAP functions are
enabled.
e. (Optional) Run the temporary-management psk command to change the password
for the default SSID (hw_manage_xxxx) of the antenna alignment VAP.
The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication
mode. You can run the security wep share-key and wep key key-id { wep-40 | wep-104 |
wep-128 } { pass-phrase | hex } key-value commands to configure WEP authentication.
iii. Run the quit command to return to the WLAN view.
d. Configure an SSID profile.
i. Run the ssid-profile name profile-name command to create an SSID profile
and enter the SSID profile view.
By default, the system provides the SSID profile default.
ii. Run the ssid ssid command to configure an SSID name.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
iii. Run the quit command to return to the WLAN view.
e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
i. Run the vap-profile name profile-name command to create a VAP profile and
enter the VAP profile view.
By default, the system provides the VAP profile default.
ii. Run the temporary-management enable command to configure the VAPs as
an antenna alignment VAP.
By default, a VAP is a service VAP.
iii. Run the ssid-profile profile-name command to bind the SSID profile to the
VAP profile.
By default, the SSID profile default is bound to a VAP profile.
iv. Run the security-profile profile-name command to bind the security profile to
the VAP profile.
By default, the security profile default is bound to a VAP profile.
● VAPs 1 to 12 and VAP 15 are used for the antenna alignment VAP configuration. Before
using these VAPs, ensure that they are not used by other WLAN services.
● VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
not used by other WLAN services.
● VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
WLAN services.
■ Bind the VAP profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to radios of an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the radio radio-id command to enter the radio view.
3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to an AP radio.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the radio radio-id command to enter the radio view.
3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Restricted by geographical
locations, the AP in Area A can be deployed in wired mode, but wired deployment of APs is
costly in Area B and Area C. The enterprise requires that APs be deployed in Area B and
Area C at low cost.
As shown in Figure 15-10, a Mesh network is deployed to connect AP_2 and AP_3 to AP_1
through Mesh links, which can reduce network construction cost.
[Figure 15-10 (image not available). Labels: Network, Switch_B, AC, Switch_A, AP_1 (MPP), AP_2 (MP), AP_3 (MP), Area A, Area B, Area C, interfaces GE0/0/1 and GE0/0/2. Legend: Mesh link.]
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
NOTE
In this example, Switch_A (access switch) and Switch_B (aggregation switch) are Huawei products.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
set the PVID of the interface to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
# Configure GE0/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set the Mesh role of AP_1 to mesh-portal. AP_2 and AP_3 use the
default Mesh role mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 5 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
<AC> display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
AP_1    AP_2      60de-4476-e360  1   4    157  portal  normal    -30   -27   0    12  67    62/65/-/-
AP_1    AP_3      dcd2-fcf6-76a0  1   4    157  portal  normal    -26   -24   0    12  71    67/68/-/-
AP_3    AP_2      60de-4476-e360  1   4    157  node    normal    -19   -3    0    5   77    66/76/-/-
AP_3    AP_1      60de-4474-9640  1   4    157  node    normal    -32   -4    0    26  64    55/63/-/-
AP_2    AP_1      60de-4474-9640  1   4    157  node    normal    -32   -4    0    12  64    62/61/-/-
AP_2    AP_3      dcd2-fcf6-76a0  1   4    157  node    normal    -14   -12   0    4   82    71/82/-/-
----------------------------------------------------------------------------------------------------------
Total: 6
----End
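To act on the display wlan mesh link all output, for example to spot a Mesh peer that is not in the AP inventory, the table has to be parsed first. The Python below is an added example, not part of the product: it parses the output whether or not rows are wrapped, then checks each link against an inventory of expected AP MAC addresses and the default -75 dBm Mesh link RSSI threshold. The sample output, the AP_9 row and its MAC address are constructed for the example.

```python
import re

MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)
FIELDS = ("ap", "peer", "peer_mac", "rf", "dis", "ch", "mesh", "peer_status",
          "rssi", "max_rssi", "per", "retry", "tsnr", "snr")
NUMERIC = ("rf", "dis", "ch", "rssi", "max_rssi", "per", "retry", "tsnr")


def parse_mesh_links(output):
    """Parse 'display wlan mesh link all' output into one dict per link.

    Rows may be wrapped over two lines, so the text is flattened to tokens and
    each record is located by its P-APMAC token: two tokens before it and
    eleven after. Assumes AP names contain no spaces.
    """
    tokens = [tok for line in output.splitlines()
              if set(line.strip()) - {"-"}          # skip blank and rule lines
              for tok in line.split()]
    links = []
    for i, tok in enumerate(tokens):
        if not MAC.match(tok) or i < 2 or i + 11 >= len(tokens):
            continue
        row = dict(zip(FIELDS, tokens[i - 2:i + 12]))
        for name in NUMERIC:
            value = row[name]
            row[name] = int(value) if re.fullmatch(r"-?\d+", value) else None
        row["peer_mac"] = row["peer_mac"].lower()
        links.append(row)
    # Cross-check against the "Total: N" trailer so a parse miss is not silent.
    if "Total:" in tokens[:-1]:
        total = int(tokens[tokens.index("Total:") + 1])
        if total != len(links):
            raise ValueError(f"parsed {len(links)} links, device reported {total}")
    return links


def review_links(links, inventory, rssi_floor=-75):
    """Flag peers outside the AP inventory, abnormal peers and weak links.

    rssi_floor defaults to -75 dBm, the guide's default Mesh link RSSI threshold.
    """
    known = {mac.lower() for mac in inventory}
    findings = []
    for link in links:
        where = f"{link['ap']}->{link['peer']}"
        if link["peer_mac"] not in known:
            findings.append(("UNKNOWN_PEER", where, link["peer_mac"]))
        if link["peer_status"] != "normal":
            findings.append(("PEER_STATUS", where, link["peer_status"]))
        if link["rssi"] is None or link["rssi"] < rssi_floor:
            findings.append(("LOW_RSSI", where, link["rssi"]))
    return findings


# AP MAC addresses registered on the AC in this configuration example.
INVENTORY = {"60de-4474-9640", "60de-4476-e360", "dcd2-fcf6-76a0"}

# Constructed output in the layout shown above, with wrapped rows. The AP_9 row
# and its MAC (documentation range) are invented to exercise the checks.
SAMPLE = """\
<AC> display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
--------------------------------------------------
APName P-APName P-APMAC Rf Dis Ch Mesh P-
Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
--------------------------------------------------
AP_1 AP_2 60de-4476-e360 1 4 157 portal
normal -30 -27 0 12 67 62/65/-/-
AP_1 AP_9 0000-5e00-5301 1 4 157 portal
normal -81 -78 0 31 16 14/12/-/-
AP_2 AP_1 60de-4474-9640 1 4 157 node
normal -32 -4 0 12 64 62/61/-/-
--------------------------------------------------
Total: 3
"""

if __name__ == "__main__":
    for finding in review_links(parse_mesh_links(SAMPLE), INVENTORY):
        print(finding)
```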
Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
An enterprise has two areas: Area A and Area B. Restricted by geographical locations, APs in
Area A can be deployed in wired mode, but wired deployment of APs is costly in Area B. The
enterprise requires that APs be deployed in Area B at low cost.
As shown in Figure 15-11, a dual-MPP Mesh network is deployed to connect AP_3 and
AP_4 in Area B to AP_1 and AP_2 through Mesh links, which improves network reliability
and load balances traffic.
[Figure 15-11 (image not available). Labels: Network, Switch_B, AC, Switch_A, interfaces GE0/0/1, GE0/0/2 and GE0/0/3. Legend: Mesh link.]
Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
NOTE
In this example, Switch_A (access switch) and Switch_B (aggregation switch) are Huawei products.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the AC to communicate with AP_1 and AP_2.
# Configure access switch Switch_A. Add GE0/0/1 and GE0/0/2 to VLAN 100 (management
VLAN) and set the PVID of the interfaces to VLAN 100. Configure GE0/0/1, GE0/0/2, and
GE0/0/3 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
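[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit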
# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
# Configure GE0/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. coverage distance indicates the radio coverage distance parameter, which is 3 (unit:
100 m) by default. This example sets the radio coverage distance parameter to 4. You can
configure the parameter according to your service needs.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit
# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.
# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to mesh-portal. AP_3 and AP_4
use the default Mesh role mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net and the aging time of Mesh
links to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 5 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID         Dis  : coverage distance(100m)
Ch   : channel          Per  : drop percent(%)
TSNR : total SNR(dB)    P-   : peer
Mesh : Mesh mode        Re   : retry ratio(%)
RSSI : RSSI(dBm)        MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
AP_1    AP_4      60de-4476-e360  1   4    157  portal  normal    -28   -27   0    25  70    62/69/-/-
AP_1    AP_3      dcd2-fcf6-76a0  1   4    157  portal  normal    -18   -2    0    0   78    73/77/-/-
AP_2    AP_4      60de-4476-e360  1   4    157  portal  normal    -17   -16   0    52  80    57/49/80/-
AP_2    AP_3      dcd2-fcf6-76a0  1   4    157  portal  normal    -24   -21   0    0   72    58/54/72/-
AP_4    AP_1      60de-4474-9640  1   4    157  node    normal    -29   -29   0    0   65    64/58/-/-
AP_4    AP_2      dcd2-fc04-b500  1   4    157  node    normal    -21   -19   0    10  76    76/64/-/-
# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
<AC> display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /60de-4476-e360/MP /1 AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fcf6-76a0/MP /1 AP_4 /60de-4476-e360/MP /1
--------------------------------------------------------------------------
Total: 2
# When the link between AP_2 and AC is faulty, AP_2 automatically changes to an MP and
goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 go online on AP_1.
<AC> display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /60de-4476-e360/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /60de-4476-e360/MP /1
AP_3 /dcd2-fcf6-76a0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3
----End
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac dcd2-fc04-b500
  peer-ap mac dcd2-fcf6-76a0
  peer-ap mac 60de-4476-e360
 mesh-profile name mesh-net
  security-profile mesh-sec
  mesh-id mesh-net
  link-aging-time 30
 regulatory-domain-profile name domain1
 ap-system-profile name mesh-sys
  mesh-role mesh-portal
 wired-port-profile name wired-port
  vlan tagged 101
 ap-group name mesh-mp
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-id 1 ap-mac 60de-4474-9640
  ap-name AP_1
  ap-group mesh-mpp
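The configuration files above can be checked offline for the protections this example depends on: WPA2+PSK+AES on every Mesh link, a Mesh whitelist on every Mesh radio, and port isolation on the switch ports that face APs. The script below is an added example, not Huawei tooling. Its function names, the rule that a port whose PVID is the management VLAN is AP-facing, and the `security open` keyword in the weakened sample are assumptions, and the sample configurations are constructed from this example's values.

```python
import re

# Constructed excerpts in saved-configuration form. Profile names, VLAN IDs and
# the MAC address are this example's; the key ciphertext is a placeholder.
AC_CONFIG = """\
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
 mesh-profile name mesh-net
  security-profile mesh-sec
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
"""
SWITCH_CONFIG = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk pvid vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port trunk allow-pass vlan 100
"""
# Weakened variants (constructed). "security open" stands for open system
# authentication; the keyword is an assumption, it is not shown on this page.
WEAK_AC = AC_CONFIG.replace(
    "security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes", "security open"
).replace("   mesh-whitelist-profile mesh-list\n", "", 1)
WEAK_SWITCH = SWITCH_CONFIG.replace(" port-isolate enable group 1\n", "", 1)

SECTION = re.compile(r"^([a-z0-9-]+) name (\S+)$")
BINDINGS = ("mesh-profile ", "mesh-whitelist-profile ")


def parse_ac(text):
    """Collect security profiles, Mesh profiles and per-radio Mesh bindings."""
    cfg = {"security": {}, "mesh": {}, "radios": {}}
    kind = name = radio = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            kind, name, radio = m.group(1), m.group(2), None
            if kind == "mesh-profile":
                # Per the guide, default-mesh is referenced unless overridden.
                cfg["mesh"][name] = "default-mesh"
        elif line.startswith("ap-id "):
            kind, radio = "ap", None  # per-AP settings are not audited here
        elif kind == "security-profile" and line.startswith("security "):
            cfg["security"][name] = line
        elif kind == "mesh-profile" and line.startswith("security-profile "):
            cfg["mesh"][name] = line.split()[1]
        elif kind == "ap-group" and re.fullmatch(r"radio \d+", line):
            radio = (name, line.split()[1])
            cfg["radios"][radio] = {}
        elif kind == "ap-group" and radio and line.startswith(BINDINGS):
            key, value = line.split()[:2]
            cfg["radios"][radio][key] = value
    return cfg


def audit_ac(text):
    """Return findings for Mesh radios that deviate from the guide's example."""
    cfg, findings = parse_ac(text), []
    for (group, radio), bound in sorted(cfg["radios"].items()):
        if "mesh-profile" not in bound:
            continue  # this radio carries no Mesh service
        where = f"ap-group {group} radio {radio}"
        sec = cfg["mesh"].get(bound["mesh-profile"], "default-mesh")
        policy = cfg["security"].get(sec)
        if policy is None and sec != "default-mesh":
            findings.append(f"{where}: security profile {sec} is not defined")
        elif policy and not (policy.startswith("security wpa2 psk ")
                             and policy.endswith(" aes")):
            findings.append(f"{where}: '{policy}' is not WPA2+PSK+AES")
        if "mesh-whitelist-profile" not in bound:
            findings.append(f"{where}: no Mesh whitelist bound")
    return findings


def audit_switch(text, mgmt_vlan=100):
    """Flag AP-facing ports (PVID = management VLAN) lacking port isolation."""
    findings = []
    for block in re.split(r"^#\s*$", text, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines()]
        if (lines and lines[0].startswith("interface ")
                and f"port trunk pvid vlan {mgmt_vlan}" in lines
                and not any(l.startswith("port-isolate") for l in lines)):
            findings.append(f"{lines[0].split()[1]}: no port isolation")
    return findings
```

Pass the text of a saved configuration to `audit_ac()` or `audit_switch()`; each returns a list of findings that is empty when nothing deviates. Indentation is ignored, so a flattened copy of the file is parsed the same way.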
Definition
Huawei's vehicle-ground fast link solution uses WLAN Mesh technology to implement the
seamless handover of Mesh links, ensuring high-quality data communications between a
moving train and the ground network.
Purpose
The vehicle-ground communication subsystem is an integral part of the Passenger Information
System (PIS). It provides data channels for transmitting information services between fast
moving trains and the ground network. Vehicle-ground communications mainly rely on
wireless communication technologies, and WLAN technology is the most widely used due to
its easy deployment and cost effectiveness.
Vehicle-ground fast link handover enables seamless Mesh link switching and provides
reliable, stable data links for high-speed terminals, allowing passengers to enjoy smooth
vehicle-mounted information services.
Benefits
Vehicle-ground fast link handover offers the following advantages:
l Low communication costs: Unlike other wireless communication technologies such as
3G and LTE, WLAN Mesh technology applied in vehicle-ground fast link handover
works on the Industrial, Scientific, and Medical (ISM) spectrum, which can be used
without applying for a license. In addition, vehicle-ground fast link handover incurs no
additional communication costs and can better integrate into the existing rail transit
network, which facilitates rail transit service expansion.
l High reliability: Vehicle-ground fast link handover inherits link redundancy features
from WLAN Mesh technology. In the forward direction of a train, a vehicle-mounted AP
sets up Mesh links with multiple trackside APs. When the quality of the active link
deteriorates, the vehicle-mounted AP chooses a better link as the active link to ensure
quality of vehicle-ground communications.
l High-quality data transmission: Seamless Mesh link switching ensures smooth
multimedia services. With larger bandwidth, WLAN technology provides faster data
services than other wireless technologies.
[Figure: networking diagram showing the AC, the switch, the vehicle-mounted APs in the rear and in the front of the train, and the forward direction]
l If only the vehicle-mounted AP in the rear of the train works, the antennas of trackside APs should tilt in
the forward direction of the train to achieve optimal signal coverage.
l If both the vehicle-mounted APs in the front and rear of the train work, use dual-band APs (such as
dual-5G AP8130DNs) as trackside APs. To achieve optimal signal coverage, install two directional
antennas on each trackside AP, with one antenna tilting in the forward direction of the train and the other
in the opposite direction.
Wind resistance in rail tunnels may affect coverage of AP antennas. When a train passes
through a tunnel at high speed, a turbulent airflow is induced. Strong turbulent airflows may
cause angle offset of antennas. Wind-resistant Yagi antennas with small cross-sectional areas
can solve this problem. Huawei's vehicle-ground communication network uses external Yagi
antennas on trackside APs and external Yagi or panel antennas on vehicle-mounted APs.
[Figure: signal coverage of the active MPP and the candidate MPP with their overlapping coverage area, showing the AC, the switch, a trackside AP, the vehicle-mounted APs in the rear and in the front, and the forward direction]
Implementation of vehicle-ground fast link handover includes Mesh link setup and teardown,
fast link handover, and multicast data guarantee.
number of Mesh links has not reached the maximum, the vehicle-mounted AP sets up a Mesh
link with the trackside AP according to the common Mesh link setup process. For details, see
Principle Description-Mesh Implementation in "Mesh Configuration."
The vehicle-mounted AP sets up Mesh links with multiple trackside APs and chooses one
qualified Mesh link as the active link to transmit data. Other links act as candidate links. As
the train moves forward, the vehicle-mounted AP chooses the candidate link of the best
quality as the active link to implement fast handover so that quality of vehicle-ground
communications is always at the optimal level.
If the RSSI of a Mesh link is smaller than N (N = Minimum RSSI threshold of a Mesh link - 5
dB) and the Mesh link is not the active link, the vehicle-mounted AP tears down the link so
that it can set up a better Mesh link with another trackside AP.
The RSSI range of a candidate area is from the minimum RSSI threshold to the maximum RSSI
threshold of the Mesh link. Candidate links with RSSI values in this range belong to the candidate
area.
– The serving time of the current active link is longer than or equal to the link holding
time.
NOTE
A holding time is specified for the active link to prevent frequent handovers. The serving time of
the active link must be longer than or equal to the specified holding time; otherwise, the vehicle-
mounted AP can only implement an emergency handover, not a common handover.
If multiple candidate links meet common handover conditions, the candidate link with
the highest RSSI is chosen as the active link.
In Figure 16-3, the RSSI of AP_4 (in the candidate area) is -20 dBm. The RSSI
difference between AP_4 (-20 dBm) and the active link (-80 dBm) is 60 dB, equal to the
RSSI threshold for a Mesh link handover. In addition, the serving time of the current
active link (20s) is longer than the link holding time (1s). All conditions for a common
handover are met; therefore, the vehicle-mounted AP switches the active link to AP_4.
NOTE
If the current active link is disconnected due to a trackside AP fault or when the train leaves the
originating station, no active link is available. The vehicle-mounted AP then performs an emergency
handover. The vehicle-mounted AP selects the candidate link of the best quality as the active link from
the candidate area. If no candidate link in the candidate area meets the requirement, the vehicle-
mounted AP selects the candidate link with the highest RSSI in another area as the active link.
In Figure 16-4, the RSSI of trackside AP_3 decreases to -83 dBm, which is smaller than
the minimum RSSI threshold (-80 dBm) of a Mesh link. An emergency handover is
triggered, and the vehicle-mounted AP switches the active link to AP_4 with the highest
RSSI in the candidate area.
If the RSSIs of AP_4 and AP_5 are -12 dBm and -15 dBm respectively, out of the range
from -80 dBm to -17 dBm, no candidate link qualifies as an active Mesh link. In this
case, the vehicle-mounted AP retains its connection with AP_3. If AP_3 becomes faulty,
the current active link is disconnected. The vehicle-mounted AP then switches the active
link to AP_4 (-12 dBm).
NOTE
An emergency handover may occur when the radio environment is unstable or a trackside AP fails. To
prevent back and forth handovers between trackside APs (ping-pong handovers), you can configure
penalty parameters for an emergency handover. The penalty parameters include the penalty period and
penalty level. When an emergency handover occurs, the vehicle-mounted AP disconnects the active link
from a trackside AP. If the RSSI of the trackside AP falls within the RSSI range of the candidate area
before the penalty period expires, the vehicle-mounted AP deducts the penalty level from the RSSI of
the trackside AP before comparing it with the RSSIs of other links.
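The handover rules described above, condensed into one decision function as an added example (not Huawei's implementation). The -80 dBm, -17 dBm, 60 dB and 1 s values come from the figure descriptions in this section; the 10 dB penalty level, all names, and the reading that an active link below the minimum threshold triggers an emergency handover only toward the candidate area are assumptions drawn from the surviving text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    rssi_min: int = -80       # minimum RSSI threshold of a Mesh link (dBm)
    rssi_max: int = -17       # maximum RSSI threshold of a Mesh link (dBm)
    handover_gap: int = 60    # RSSI threshold for a Mesh link handover (dB)
    hold_time: float = 1.0    # link holding time (s)
    penalty_level: int = 10   # constructed value (dB); the page gives none


def in_candidate_area(rssi, t):
    """The candidate area spans the minimum to the maximum RSSI threshold."""
    return t.rssi_min <= rssi <= t.rssi_max


def should_tear_down(rssi, is_active, t=Thresholds()):
    """Non-active links weaker than N = minimum threshold - 5 dB are dropped."""
    return not is_active and rssi < t.rssi_min - 5


def decide(active, links, served, t=Thresholds(), penalized=frozenset()):
    """Return (action, trackside AP) for one evaluation round.

    active    -- AP of the active link, or None if that link was disconnected
    links     -- {AP name: RSSI in dBm} for every established Mesh link
    served    -- seconds the active link has been serving
    penalized -- APs still inside their emergency-handover penalty period
    """
    others = {ap: rssi for ap, rssi in links.items() if ap != active}

    def score(ap):
        # The penalty is deducted only while the penalised AP's RSSI is inside
        # the candidate area, and only for the comparison between links.
        rssi = others[ap]
        if ap in penalized and in_candidate_area(rssi, t):
            return rssi - t.penalty_level
        return rssi

    area = [ap for ap in others if in_candidate_area(others[ap], t)]
    best = max(area, key=score) if area else None

    if active is None:                      # active link lost
        if best:
            return ("emergency", best)
        if others:                          # nothing in the candidate area
            return ("emergency", max(others, key=score))
        return ("no-link", None)
    if links[active] < t.rssi_min:          # active link below the minimum
        return ("emergency", best) if best else ("keep", active)
    if (best and served >= t.hold_time
            and score(best) - links[active] >= t.handover_gap):
        return ("common", best)
    return ("keep", active)


if __name__ == "__main__":
    # Figure 16-3 values: active link at -80 dBm, AP_4 at -20 dBm, served 20 s.
    print(decide("AP_3", {"AP_3": -80, "AP_4": -20}, served=20))
```

With a penalised AP in the candidate area, the deduction can hand the link to a slightly weaker neighbour instead, which is what suppresses ping-pong handovers.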
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.
In Figure 16-6, vehicle-mounted multimedia devices on the train join the same multicast
group. IGMP snooping is enabled on the ground switch and vehicle-mounted AP. Before a
link handover occurs, AP_1 receives data from GE0/0/1 of the switch and forwards the data to
the vehicle-mounted AP. Before switching the active link to AP_2, the vehicle-mounted AP
sends a Report message to AP_2, which then forwards the message to the switch. After
receiving the message, the switch updates the multicast forwarding table and sends multicast
data to AP_2 from GE0/0/2. When receiving multicast data from AP_2, the vehicle-mounted
AP sends a Leave message to AP_1, which then forwards the message to the switch. The
switch stops sending multicast data to AP_1. Multicast data is therefore seamlessly switched
from AP_1 to AP_2.
[Figure 16-6: multicast data switching during a link handover, showing the AC, the switch (GE0/0/1 and GE0/0/2), trackside AP_1 and AP_2, and the vehicle-mounted AP sending a Report message and a Leave message in numbered steps 1 to 4]
[Figure: ground network with the AC, switches, and trackside APs along the track, and the vehicle-mounted APs in the rear and in the front of the train moving in the forward direction]
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C10, V200R005C20
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
Version Requirements
Table 16-1 Products and minimum version supporting the WLAN service
Series    Product Model    Minimum Version Required
Feature Limitations
l The vehicle-ground fast link handover network is a single-hop Layer 2 Mesh network
composed of the AC, trackside APs, and vehicle-mounted APs.
– The AC is deployed on the ground network to manage and control trackside APs.
– Trackside APs are Fit APs deployed along the track. They function as MPPs and
communicate with the AC in wired mode at Layer 2.
– Vehicle-mounted APs are Fat APs deployed in the front and rear of a train. They
function as MPs to set up Mesh links with trackside APs.
l Each vehicle-mounted AP can only use one radio for vehicle-ground communications at
one time.
l On a vehicle-ground fast link handover network, the AP9131DN (Fit AP) or AP9132DN
(Fit AP) is usually used as the trackside AP and the AP9131DN (Fat AP) or AP9132DN
(Fat AP) as the vehicle-mounted AP. If other AP models are used as the vehicle-mounted
and trackside APs, they must comply with the same 802.11 standards, for example, both
802.11ac APs or 802.11n APs.
Both of the scenarios above require the configuration for vehicle-mounted and trackside APs.
The differences between the configurations are listed in Table 16-3.
16.8.1 Configuring Mesh Radio Parameters
  Configure the same channel and bandwidth for both the vehicle-mounted and trackside APs.
  In scenario 1, configure only one working channel for radios on a vehicle-mounted AP.
  In scenario 2, configure different working channels for radios on a vehicle-mounted AP, which map working channels of trackside APs on different lines.
Configuration Procedure
Perform the following steps in the listed order.
Context
You can add APs in any of the following modes:
l Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
l Configuring the AC to automatically discover an AP: The AP authentication mode is set
to no authentication; alternatively, the AP authentication mode is set to MAC or SN
authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
connects to the AC, the AC discovers the AP, and the AP goes online.
l Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.
Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn
ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id |
ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline and
enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.
By default, no AP name is configured for an AP.
g. Run the ap-group group-name command to add the AP to an AP group.
By default, no AP group is configured.
l Configure the AC to automatically discover an AP.
NOTE
The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
The working bandwidth and channel are configured for the radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.
Radios of different AP nodes on a Mesh link must be configured with the same channel and
bandwidth.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the Mesh function.
Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.
Step 5 Run coverage distance distance
The radio coverage distance parameter is specified.
By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on the distances between APs.
The APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the
configured distance parameter to improve data transmission efficiency.
Step 6 Run frequency 5g
Radio 0 is configured to work on the 5 GHz frequency band.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.
Among Mesh-capable APs, radio 0 of the AP8130DN and AP8130DN-W supports the 2.4 GHz
and 5 GHz frequency bands but can work on only one frequency band at a time. If you configure
radio 0 of the AP8130DN and AP8130DN-W to work on the 5 GHz frequency band, the
AP8130DN and AP8130DN-W can then work in dual-5G mode.
Step 7 Run quit
Return to the AP group view or AP view.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 10 Run wifi-light signal-strength
The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.
By default,
l If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
l If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
know the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
specify the parameter to signal strength during installation and service traffic volume after
installation.
NOTE
This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
----End
Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.
Context
You can configure the wired interface on an MPP to connect to the AC or configure the wired
interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On Mesh networks, an AP wired interface can work in the following modes:
• root mode: The wired interface that connects the MPP to the AC must work in root
mode.
• endpoint mode: When the wired interface of an AP works in endpoint mode, the AP's
wired interface can directly connect to a STA or be used to deploy Layer 2 networks.
Procedure
Step 1 Run system-view
The system view is displayed.
An AP wired port profile is created and the AP wired port profile view is displayed.
By default,
• On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in root mode.
• On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
• On an R230D: Its Ethernet interface works in root mode.
• On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root
mode.
• On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink GE
interfaces in endpoint mode.
• On an R450D: Its GE interface works in root mode.
NOTE
After changing the working mode of an AP's wired interface, run the ap-reset command to reset the AP
for the configuration to take effect.
By default, an AP wired interface allows packets from all VLANs to pass. The wired interface
is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.
----End
Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.
Context
You need to configure a security profile and a security policy for the Mesh to ensure security.
The WPA2+PSK+AES security policy is recommended for a Mesh security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.
NOTE
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
Procedure
Step 1 Run system-view
By default, security profiles default, default-wds, and default-mesh are available in the
system.
----End
Context
To prevent a trackside AP from connecting to the vehicle-mounted AP along a different track
from the trackside AP, you need to add the MAC address of the vehicle-mounted AP along
the local track to Mesh whitelists of all trackside APs.
Procedure
Step 1 Run system-view
A Mesh whitelist profile is created, and the Mesh whitelist profile view is displayed.
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
Mesh whitelist profile.
NOTE
When configuring vehicle-ground fast link handover, add MAC addresses of vehicle-mounted APs allowed to
connect to a trackside AP to a whitelist.
----End
Context
A Mesh profile must have a Mesh handover profile referenced to provide the fast link
handover function.
NOTE
A Mesh handover profile and the FWA mode of a Mesh profile are mutually exclusive and cannot be
configured together.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-handover-profile name profile-name
A Mesh handover profile is created, and the Mesh handover profile view is displayed.
By default, the system provides the Mesh handover profile default.
Step 4 Run location-based-algorithm enable
The location-based enhanced link handover algorithm is enabled.
By default, the location-based enhanced link handover algorithm is disabled.
NOTE
After the location-based enhanced link handover algorithm is enabled, the vehicle-mounted AP will switch
the active link to the nearest trackside AP that meets handover requirements.
In vehicle-ground communication scenarios, signals of a trackside AP distant from a train may be temporarily
better than those of the trackside AP near the train due to radio environment changes. If an active link handover
occurs at this time, the active link may be incorrectly switched to the distant trackside AP. To prevent incorrect
handovers and improve vehicle-ground communication quality, you can use the location-based enhanced link
handover algorithm. This algorithm requires that trackside APs be named in ascending or descending order of
sequence numbers.
Trackside APs should be named in head-name_sequence-number format. head-name describes track line
information and can be different for trackside APs on the same track. It is recommended that you set the same
head-name for APs on a track to differentiate tracks. The sequence-number values of APs along a track must be in
descending or ascending order. The sequence numbers of trackside APs can be set with unequal steps. head-name
and sequence-number are separated by an underscore (_), for example, L1_001, L1_002, L1_005,
L1_010.
----End
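A pre-deployment check of the naming rule in the NOTE above, added here as an example (it is not Huawei code). It assumes each track's AP names can be listed in physical installation order; the function names and the "down" track are constructed, while the L1 names are the ones used in this guide's example.

```python
import re

# head-name_sequence-number: split at the LAST underscore, digits only after it.
NAME_RE = re.compile(r"^(?P<head>.+)_(?P<seq>\d+)$")

# Constructed plan: AP names per track, listed in installation order along the rail.
PLAN = {
    "up": ["L1_001", "L1_003", "L1_010", "L1_150", "L1_160", "L1_170"],
    "down": ["L2_001", "L2_005", "L2_004", "L2-010", "L2_020"],
}


def parse_ap_name(name):
    """Return (head_name, sequence_number), or None if the name does not fit."""
    m = NAME_RE.match(name)
    return (m.group("head"), int(m.group("seq"))) if m else None


def check_track(track, names_in_physical_order):
    """Return (severity, track, message) findings for one track."""
    findings, parsed = [], []
    for name in names_in_physical_order:
        p = parse_ap_name(name)
        if p is None:
            findings.append(("error", track,
                             f"{name}: not in head-name_sequence-number format"))
        else:
            parsed.append((name, p[0], p[1]))

    # Sequence numbers must run strictly up or strictly down; unequal steps are fine.
    direction = 0
    for (prev_name, _, prev_seq), (name, _, seq) in zip(parsed, parsed[1:]):
        step = seq - prev_seq
        if step == 0:
            findings.append(("error", track,
                             f"{name}: repeats the sequence number of {prev_name}"))
            continue
        sign = 1 if step > 0 else -1
        if direction == 0:
            direction = sign
        elif sign != direction:
            findings.append(("error", track,
                             f"{name}: breaks the numbering order after {prev_name}"))

    # Mixed head-names on one track are allowed but not recommended.
    heads = sorted({head for _, head, _ in parsed})
    if len(heads) > 1:
        findings.append(("advice", track, "mixed head-names: " + ", ".join(heads)))
    return findings


def check_plan(plan):
    """Check every track, then flag head-names shared between tracks."""
    findings, head_to_tracks = [], {}
    for track, names in plan.items():
        findings += check_track(track, names)
        for name in names:
            p = parse_ap_name(name)
            if p:
                head_to_tracks.setdefault(p[0], set()).add(track)
    for head, tracks in sorted(head_to_tracks.items()):
        if len(tracks) > 1:
            findings.append(("advice", "*",
                             f"head-name {head} is used on tracks "
                             + ", ".join(sorted(tracks))))
    return findings


if __name__ == "__main__":
    for severity, track, message in check_plan(PLAN):
        print(f"{severity:6} {track:5} {message}")
```

Run it against the AP naming plan before the names are entered with ap-name; a single out-of-order name is enough to mislead the location-based algorithm about which trackside AP is nearest.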
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
The AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mesh-role mesh-portal
The Mesh role of the trackside AP is set to MPP.
By default, the Mesh role of an AP is mesh-node in the AP system profile.
Step 5 Run antenna-output { split | combine }
The output mode of 2.4G/5G antennas is specified.
By default, a 2.4G/5G antenna uses split output.
Only the AP9132DN and AP8182DN support this function.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 8 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 9 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.
NOTE
By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.
1. Run the beacon-2g-rate beacon-2g-rate command to set the transmit rate of 2.4 GHz
Beacon frames.
By default, the transmit rate of 2.4 GHz Beacon frames is 1 Mbit/s.
2. Run the beacon-5g-rate beacon-5g-rate command to set the transmit rate of 5 GHz
Beacon frames.
By default, the transmit rate of 5 GHz Beacon frames is 6 Mbit/s.
Step 11 (Optional) Run max-link-number link-num
The maximum number of Mesh links allowed on an AP is configured.
By default, a maximum of eight mesh links can be established between APs. After you enable
FWA for a mesh profile using the fwa enable command, a maximum of 32 mesh links can be
established between APs by default.
Step 12 (Optional) Run link-rssi-threshold threshold-value
The RSSI threshold of a Mesh link is configured. When the minimum RSSI of all Mesh links
on the optimal route to the current MPP is lower than the RSSI threshold of a Mesh link, the
MP reselects Mesh links.
By default, the RSSI threshold of a mesh link is -75 dBm. After the FWA mode is enabled in
a Mesh profile, the RSSI threshold of a Mesh link is fixed as -90 dBm.
Step 13 (Optional) Run link-report-interval report-interval
The interval at which an MP reports Mesh link information to an AC is specified.
By default, an MP reports Mesh link information to the AC at an interval of 30 seconds.
Step 14 (Optional) Run dhcp trust port
A DHCP trusted port is enabled in the Mesh profile.
By default, a DHCP trusted port is enabled in a Mesh profile.
NOTE
After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
Mesh profile to the AP.
By default, no Mesh profile is bound to an AP group or AP.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
• Bind the Mesh profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to AP group
radios.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
• Bind the Mesh profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to the AP
radio.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
----End
Context
Vehicle-mounted multimedia devices on moving trains deliver multimedia information
services to passengers in multicast mode. Reliable multicast data transmission ensures smooth
delivery of multimedia information services. All vehicle-mounted multimedia devices are
added to a multicast group. As the train moves ahead, the active link changes frequently. Only
the trackside AP and vehicle-mounted AP are aware of the link change. Other ground devices
such as switches connected to trackside APs cannot detect the change and fail to forward
multicast data. To resolve the problem, IGMP snooping is enabled on the vehicle-mounted AP
and ground devices to generate Layer 2 multicast forwarding entries. After switching the
active link to a new trackside AP, the vehicle-mounted AP sends a Report message to the
trackside AP. The trackside AP forwards the message to the ground device, which then
updates the multicast forwarding table accordingly. To prevent loss of multicast packets
during a link handover, the vehicle-mounted AP still receives multicast data from the old
trackside AP before the multicast flow is switched to the new trackside AP. After receiving
multicast data from the new trackside AP, the vehicle-mounted AP sends a Leave message to
the old trackside AP. The old trackside AP forwards the Leave message to the ground device,
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.
NOTE
In vehicle-ground fast link handover scenarios, you need to configure multicast on all ground network
devices involved in multicast data forwarding according to actual network requirements. This section
assumes that the AC participates in Layer 2 multicast data forwarding and uses multicast configuration on the
AC as an example. To configure other network devices, see the corresponding configuration document.
Procedure
Step 1 Run system-view
The version of IGMP messages that IGMP snooping can process is specified.
By default, the device can process IGMPv1 and IGMPv2 messages but cannot process
IGMPv3 messages.
NOTE
If you set the version of IGMP messages that IGMP snooping can process to IGMPv3, the default Layer
2 multicast data forwarding mode cannot be changed on the device.
If trackside APs are directly connected to the device (each device interface maps one
trackside AP), enabling fast leave improves the quality of multicast services during link
handovers. If the trackside APs are not directly connected to the device, you cannot configure
the fast leave function because this function may interrupt multicast services during link
handovers.
NOTE
For methods of configuring other Layer 2 multicast parameters, see IGMP Snooping Configuration in the
S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - IP Multicast.
----End
Prerequisites
The Mesh configuration is complete.
Procedure
• Run the display references mesh-profile name profile-name command to check
reference information of a specified Mesh profile.
• Run the display mesh-profile { all | name profile-name } command to check
information about a Mesh profile.
• Run the display references mesh-whitelist-profile name whitelist-name command to
check reference information of a specified Mesh whitelist profile.
• Run the display mesh-whitelist-profile { all | name whitelist-name } command to check
information about a Mesh whitelist profile.
• Run the display references mesh-handover-profile name profile-name command to
check information about Mesh profiles by which a specified Mesh handover profile is
referenced.
• Run the display mesh-handover-profile { all | name profile-name } command to check
configuration and reference information about a Mesh handover profile.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface wlan-radio wlan-radio-number
The radio interface view is displayed.
Step 3 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz } channel [ index index ]
The working bandwidth and channel are configured for a radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.
The vehicle-mounted and trackside APs must be configured with the same channel and
bandwidth.
----End
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default and default-mesh are available in the system.
Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes
A security policy is configured for the security profile.
----End
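The default-key advice above can be checked before a change window. This added example (not part of the Huawei guide) audits a CLI command script for Mesh profiles that fall back to default-mesh, reuse its documented key, or carry a malformed WPA2 key; the script text, the Mesh profile view prompts and MIN_PASSPHRASE_LEN are constructed assumptions.

```python
import re

DEFAULT_PROFILE = "default-mesh"   # per the guide: bound to every Mesh profile by default
DEFAULT_KEY = "huawei_secmesh"     # per the guide: key preset in default-mesh
MIN_PASSPHRASE_LEN = 16            # ASSUMPTION: local policy, not a value from the guide

PROMPT_RE = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[AC-wlan-view] " or "<HUAWEI> "
WPA2_RE = re.compile(r"^security wpa2 psk (pass-phrase|hex) (\S+) aes$")

# Constructed command script (not from the guide); sp01 reuses the guide's example key.
SAMPLE_SCRIPT = """\
[AC] wlan
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
[AC-wlan-view] security-profile name sp02
[AC-wlan-sec-prof-sp02] security wpa2 psk pass-phrase huawei_secmesh aes
[AC-wlan-sec-prof-sp02] quit
[AC-wlan-view] mesh-profile name mesh-a
[AC-wlan-mesh-prof-mesh-a] mesh-id rail-mesh-a
[AC-wlan-mesh-prof-mesh-a] security-profile sp01
[AC-wlan-mesh-prof-mesh-a] quit
[AC-wlan-view] mesh-profile name mesh-b
[AC-wlan-mesh-prof-mesh-b] mesh-id rail-mesh-b
[AC-wlan-mesh-prof-mesh-b] quit
[AC-wlan-view] mesh-profile name mesh-c
[AC-wlan-mesh-prof-mesh-c] security-profile sp02
[AC-wlan-mesh-prof-mesh-c] quit
"""


def parse_script(text):
    """Collect security profiles and Mesh profiles from a CLI command script."""
    sec, mesh, ctx = {}, {}, None
    for raw in text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        if not words or words[0].startswith("#"):
            continue
        line = " ".join(words)
        if words[:2] == ["security-profile", "name"] and len(words) == 3:
            ctx = ("sec", words[2])
            sec.setdefault(words[2], {"policy": None, "kind": None, "key": None})
        elif words[:2] == ["mesh-profile", "name"] and len(words) == 3:
            ctx = ("mesh", words[2])
            mesh.setdefault(words[2], {"security_profile": None})
        elif line == "quit":
            ctx = None
        elif ctx and ctx[0] == "sec" and words[0] == "security":
            m = WPA2_RE.match(line)
            if m:
                sec[ctx[1]].update(policy="wpa2-psk-aes", kind=m.group(1), key=m.group(2))
            else:
                sec[ctx[1]].update(policy=" ".join(words[1:]), kind=None, key=None)
        elif ctx and ctx[0] == "mesh" and words[0] == "security-profile" and len(words) == 2:
            mesh[ctx[1]]["security_profile"] = words[1]
    return sec, mesh


def audit(text):
    """Return (mesh_profile, severity, message) findings; key values are never echoed."""
    sec, mesh = parse_script(text)
    findings = []
    for name, mp in sorted(mesh.items()):
        bound = mp["security_profile"] or DEFAULT_PROFILE
        prof = sec.get(bound)
        if prof is None or prof["policy"] is None:
            if bound == DEFAULT_PROFILE:
                findings.append((name, "high",
                                 f"relies on {DEFAULT_PROFILE}; its key is not changed in this script"))
            else:
                findings.append((name, "info", f"{bound} is not defined in this script"))
            continue
        if prof["policy"] != "wpa2-psk-aes":
            findings.append((name, "high", f"{bound} uses '{prof['policy']}', not WPA2+PSK+AES"))
            continue
        key, kind = prof["key"], prof["kind"]
        if key == DEFAULT_KEY:
            findings.append((name, "high", f"{bound} still uses the documented default key"))
        elif kind == "hex" and not re.fullmatch(r"[0-9a-fA-F]{64}", key):
            findings.append((name, "error", f"{bound}: hex PSK is not 64 hexadecimal digits"))
        elif kind == "pass-phrase" and not 8 <= len(key) <= 63:
            findings.append((name, "error", f"{bound}: pass-phrase outside WPA2's 8-63 characters"))
        elif kind == "pass-phrase" and len(key) < MIN_PASSPHRASE_LEN:
            findings.append((name, "medium",
                             f"{bound}: pass-phrase shorter than local policy ({MIN_PASSPHRASE_LEN})"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE_SCRIPT):
        print(f"{severity:6} mesh-profile {name}: {message}")
```

A saved configuration normally stores the key in ciphered form, so this check belongs on the plaintext command script before it is applied.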
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
When configuring vehicle-ground fast link handover, add MAC addresses of trackside APs allowed to
connect to a vehicle-mounted AP to a whitelist.
----End
Procedure
• Configure the Mesh handover mode.
a. Run system-view
A Mesh handover profile is created, and the Mesh handover profile view is
displayed.
The location-based enhanced fast link handover algorithm is enabled, and the
moving direction of the vehicle-mounted AP is configured.
NOTE
After the location-based enhanced link handover algorithm is enabled, the vehicle-mounted AP
will switch the active link to the nearest trackside AP that meets handover requirements.
In vehicle-ground communication scenarios, signals of a trackside AP distant from a train may be
temporarily better than those of the trackside AP near the train due to radio environment changes.
If an active link handover occurs at this time, the active link may be incorrectly switched to the distant
trackside AP. To prevent incorrect handovers and improve vehicle-ground communication quality,
you can use the location-based enhanced link handover algorithm. This algorithm requires that
trackside APs be named in ascending or descending order of sequence numbers.
Trackside APs should be named in head-name_sequence-number format. head-name describes
track line information and can be different for trackside APs on the same track. It is recommended
that you set the same head-name for APs on a track to differentiate tracks. The sequence-number
values of APs along a track must be in descending or ascending order. The sequence numbers of
trackside APs can be set with unequal steps. head-name and sequence-number are separated by an
underscore (_), for example, L1_001, L1_002, L1_005, L1_010.
e. Run max-rssi-threshold value
By default, the maximum RSSI threshold of a Mesh link is -20 dBm in a Mesh
handover profile.
f. Run min-rssi-threshold value
By default, the minimum RSSI threshold of a Mesh link is -60 dBm in a Mesh
handover profile.
g. Run link-hold-period value
An air scan profile is created, and the air scan profile view is displayed.
g. (Optional) Run scan-channel-set { country-channel | dca-channel | work-channel }
By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
h. (Optional) Run scan-period scan-time
NOTE
A longer air scan period indicates more collected data and a more accurate data analysis result.
However, if the air scan period is set too large, WLAN services are affected. You are advised to
use the default value.
i. (Optional) Run scan-interval scan-time
----End
NOTE
After Mesh is enabled on a vehicle-mounted AP, the Mesh role of the AP is fixed as mesh-node (MP).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 4 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 5 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.
NOTE
By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.
NOTE
After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
----End
data transmission failure. To prevent this situation, you can configure proxied ground devices
on a vehicle-mounted AP so that the working vehicle-mounted AP can instruct the vehicle-
mounted network devices to update MAC forwarding entries after the train switches the
forward direction. In this way, data traffic from the vehicle-mounted network can be
forwarded to the working vehicle-mounted AP.
Procedure
Step 1 Run system-view
----End
Context
After the vehicle-mounted AP switches the active link to a new trackside AP, ground network
devices cannot detect the link handover and still forward data to the original trackside AP,
causing a data transmission failure. To prevent this situation, you can configure proxied
vehicle-mounted devices on the vehicle-mounted AP so that the vehicle-mounted AP can
instruct the ground network devices to update MAC forwarding entries on interfaces after the
active link is switched to a new trackside AP. In this way, data traffic from the ground
network can be forwarded to the trackside AP.
Procedure
Step 1 Run system-view
----End
Context
Vehicle-mounted multimedia devices on moving trains deliver multimedia information
services to passengers in multicast mode. Reliable multicast data transmission ensures smooth
delivery of multimedia information services. All vehicle-mounted multimedia devices are
added to a multicast group. As the train moves ahead, the active link changes frequently. Only
the trackside AP and vehicle-mounted AP are aware of the link change. Other ground devices
such as switches connected to trackside APs cannot detect the change and fail to forward
multicast data. To resolve the problem, IGMP snooping is enabled on the vehicle-mounted AP
and ground devices to generate Layer 2 multicast forwarding entries. After switching the
active link to a new trackside AP, the vehicle-mounted AP sends a Report message to the
trackside AP. The trackside AP forwards the message to the ground device, which then
updates the multicast forwarding table accordingly. To prevent loss of multicast packets
during a link handover, the vehicle-mounted AP still receives multicast data from the old
trackside AP before the multicast flow is switched to the new trackside AP. After receiving
multicast data from the new trackside AP, the vehicle-mounted AP sends a Leave message to
the old trackside AP. The old trackside AP forwards the Leave message to the ground device,
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run igmp-snooping enable
IGMP snooping is enabled globally.
NOTE
After IGMP snooping is enabled globally, the device can process IGMPv1, IGMPv2, and IGMPv3 packets.
----End
Prerequisites
The vehicle-ground fast link handover configuration is complete.
Procedure
• Run the display references mesh-profile name profile-name command to check
reference information of a specified Mesh profile.
Figure 16-10 Networking diagram for configuring vehicle-ground fast link handover
(Diagram not reproduced. Surviving labels: Internet; Router GE1/0/0, IP 10.23.200.1/24; vehicle-mounted AP in the rear and vehicle-mounted AP in the front, each on GE0/0/1; forward direction.)
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
• This example uses Huawei AP9131DNs (Fit APs) as the trackside APs and AP9131DNs (Fat APs)
as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.
AP Model MAC
……
……
Item                                           Data
IP address pool for APs                        10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals  10.23.224.4-10.23.224.254/24
ID of trackside APs                            • Trackside AP (L1_001): 1
                                               • Trackside AP (L1_003): 2
                                               • Trackside AP (L1_010): 3
                                               • Trackside AP (L1_150): 101
                                               • Trackside AP (L1_160): 102
                                               • Trackside AP (L1_170): 103
Multicast group                                225.1.1.1-225.1.1.3
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
• Configure ground network devices.
a. Configure the AC. Create VLAN 100, VLAN 101, and VLAN 200 on the AC, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 200
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitEthernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/2] quit
[AC] interface gigabitEthernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 101
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/3] quit
[AC] interface gigabitEthernet 0/0/4
[AC-GigabitEthernet0/0/4] port link-type trunk
[AC-GigabitEthernet0/0/4] port trunk pvid vlan 101
[AC-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/4] quit
[AC] interface gigabitEthernet 0/0/5
[AC-GigabitEthernet0/0/5] port link-type trunk
[AC-GigabitEthernet0/0/5] port trunk pvid vlan 200
[AC-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/5] quit
b. On the AC, configure an IP address for VLANIF 101 and enable the DHCP server
function to allocate IP addresses for vehicle-mounted devices.
[AC] dhcp enable
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.224.1 20
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[AC-Vlanif101] quit
c. On the AC, configure an IP address for VLANIF 100 and enable the DHCP server
function to allocate IP addresses to trackside APs.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 20
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
e. Configure an IP address for GE1/0/0 on the router and configure routes to the
internal network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 20 10.23.200.2
[Router] ip route-static 10.23.100.0 20 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
f. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
NOTE
Configure other interfaces connected to trackside APs on Switch_B according to GE0/0/1: allow
packets from VLAN 100 and VLAN 101 to pass through and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, and configure GE0/0/2 and
GE0/0/1 to allow packets from VLAN 100 and VLAN 101 to pass through, and set
the PVID of GE0/0/1 to VLAN 100.
NOTE
Configure other interfaces connected to trackside APs on Switch_C according to GE0/0/1: allow
packets from VLAN 100 and VLAN 101 to pass through and set their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTE
Complete multicast configuration on Switch_B and Switch_C according to the multicast
configuration procedure of AC.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and
antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Create the Mesh whitelist whitelist01 and add MAC addresses of
vehicle-mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit
NOTE
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist whitelist01
according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The Mesh network
supports only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
For the configurations of the vehicle-mounted APs on the vehicle head and tail, see Configuration
Guide - Vehicle-Ground Fast Link Handover in Fat AP & Cloud AP Product Documentation or Fat
AP & Cloud AP V200R007C20 Product Documentation.
Total: 6
----End
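A check on the Mesh security settings configured above, as an added Python example that is not part of the Huawei guide. It parses an AC command transcript and reports pre-shared keys that fail an assumed local policy, and Mesh radios that have a Mesh profile bound without a Mesh whitelist. The `radio 0` lines, the 16-character minimum, and the other strength rules are assumptions constructed for the illustration.

```python
import re

MIN_PSK_LEN = 16  # assumed local policy; WPA2-PSK itself accepts 8 to 63 characters

# Constructed input: commands copied from the Mesh procedure above, plus a "radio 0"
# block added for this example to show a radio with no whitelist binding.
TRANSCRIPT = """\
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] radio 0
[AC-wlan-group-radio-mesh-mpp/0] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/0] quit
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+)$")


def weak_psk_reasons(psk):
    """Return the reasons a pass-phrase fails the assumed policy (empty list = passes)."""
    reasons = []
    if len(psk) < MIN_PSK_LEN:
        reasons.append(f"shorter than {MIN_PSK_LEN} characters")
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if any("0123456789"[i:i + 4] in psk for i in range(7)):
        reasons.append("contains a run of sequential digits")
    return reasons


def audit(transcript):
    """Return (kind, subject, detail) findings for a transcript of AC commands."""
    psk, mesh_sec, radio_mesh, radio_wl = {}, {}, {}, set()
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # command output such as "Warning: ..." lines
        view, cmd = m["view"], m["cmd"].split()
        sec = re.search(r"wlan-sec-prof-(.+)$", view)
        mesh = re.search(r"wlan-mesh-prof-(.+)$", view)
        radio = re.search(r"wlan-group-radio-(.+)$", view)
        if sec and cmd[:4] == ["security", "wpa2", "psk", "pass-phrase"] and len(cmd) >= 5:
            psk[sec[1]] = cmd[4]
        elif mesh and cmd[0] == "security-profile" and len(cmd) == 2:
            mesh_sec[mesh[1]] = cmd[1]
        elif radio and len(cmd) == 2:
            if cmd[0] == "mesh-profile":
                radio_mesh[radio[1]] = cmd[1]
            elif cmd[0] == "mesh-whitelist-profile":
                radio_wl.add(radio[1])

    findings = []
    for radio_id, mesh_name in sorted(radio_mesh.items()):
        if radio_id not in radio_wl:
            findings.append(("no-whitelist", radio_id,
                             f"mesh-profile {mesh_name} bound without mesh-whitelist-profile"))
    for name, phrase in sorted(psk.items()):
        reasons = weak_psk_reasons(phrase)
        if reasons:
            used_by = sorted(mp for mp, sp in mesh_sec.items() if sp == name)
            suffix = f" (used by Mesh profile {', '.join(used_by)})" if used_by else ""
            findings.append(("weak-psk", name, "; ".join(reasons) + suffix))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(TRANSCRIPT):
        print(f"{kind:13} {subject:12} {detail}")
```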
Configuration Files
• Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.240.0 10.23.200.2
ip route-static 10.23.224.0 255.255.240.0 10.23.200.2
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
interface Vlanif100
ip address 10.23.100.1 255.255.240.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.224.1 255.255.240.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
Purpose
After the Wi-Fi tag is deployed on targets such as assets and persons, Wi-Fi tag location
technology allows users to locate the Wi-Fi tag, helping users control key assets and ensure
security of persons.
Figure 17-1 Typical networking for the Wi-Fi Tag location system
[Figure: Internet, location server, AC, switch, AP1, AP2, AP3, and an RFID tag]
Implementation
[Figure: RFID tag, AP, switch, AC, and location server; tag reports use UDP encapsulation]
The Wi-Fi tag only sends 802.11 frames periodically to provide location information and
does not need to connect to a WLAN.
To enable more APs to receive tag messages, the Wi-Fi tag sends a tag message in all
channels each time. A tag message usually contains location information required by a
location server, and the frame format of the tag message varies depending on the
vendor's tag device. A tag of AeroScout is used as an example here.
– The Address1 field indicates the destination address, which is a specified multicast
address. The AP identifies an 802.11 packet as a tag message through the multicast
address.
– The Address2 field indicates the source address, which is the MAC address of the
Wi-Fi tag. According to this field, the wireless location system collects information
about the same Wi-Fi tag that is received from different APs.
– The Address3 field indicates Wi-Fi tag information. The most important
information in this field is about the channel that transmits the tag message. The AP
determines whether the channel information in the received tag message matches its
working channel.
For details about the 802.11 MAC frame format, see 5.2.2 802.11 Standards.
2. The AP receives the tag message and forwards it to the location server.
a. When receiving a tag message frame, the AP records the location information such
as the received signal strength indicator (RSSI), timestamp, rate, and channel of the
frame. The RSSI is the most important information because the location server uses
it to determine the distance between a tag and an AP. To ensure that the RSSI is
accurate, the AP must filter out the tag messages received from adjacent channels.
For example, when working in channel 1, the AP may receive the frames sent from
a tag in channel 2. The RSSI is low because the AP and tag are located in different
channels. As a result, the location server incorrectly considers that the tag is far
away from the AP.
b. The AP encapsulates all location information obtained from tag message frames
into a UDP packet (tag report) and sends the packet to the location server directly or
through the AC.
The required location information and report mode vary depending on the vendor's
location server. For example, the Ekahau Location Server requires that the location
information should contain content of the tag message frames and the AP should
report tag message frames immediately when receiving them; the AeroScout
Location Server does not need content of the tag message frames and allows the AP
to periodically report collected location information.
The destination IP address and port number of a tag report packet are configured on
the AC. If the destination address is set to the IP address of the location server, the
tag report packet is directly sent to the location server. If the destination address is
set to the AC IP address, the tag report packet is sent to the AC and forwarded by
the AC to the location server. This configuration is used when the AP cannot be
directly connected to the location server.
3. The location server computes the location information.
To accurately determine the tag location, the location server must receive location
information about a tag from at least three APs. After receiving the tag information, the
location server uses the built-in computing algorithm to compute the tag location
according to information including the RSSI, SNR, radio mode, the imported map, and
AP locations. Then, the location server sends the location information to the graphical
interface of the third-party device for presentation.
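The AP-side channel filter and the location server's three-point positioning described above, as an added Python example that is not part of the Huawei guide. The AP coordinates, working channels, tag MAC address, RSSI values, and the log-distance path-loss parameters are assumptions constructed for the illustration; a vendor's location server uses its own algorithm.

```python
from collections import defaultdict

# Assumed AP positions (metres) and working channels; AP names follow the guide's example.
AP_SITES = {
    "area_1": {"xy": (0.0, 0.0), "channel": 1},
    "area_2": {"xy": (20.0, 0.0), "channel": 6},
    "area_3": {"xy": (0.0, 20.0), "channel": 11},
}
P0_DBM = -40.0       # assumed RSSI at 1 m from the tag
PATH_LOSS_EXP = 2.0  # assumed path-loss exponent

TAG = "00aa-bbcc-0001"  # constructed tag MAC (the Address2 field)

# Constructed records of what each AP measured. "frame_channel" stands for the channel
# carried in the tag message (Address3). The last record is a frame the tag sent on
# channel 5 that area_2 (working on channel 6) overheard at a much lower RSSI.
REPORTS = [
    {"ap": "area_1", "tag": TAG, "frame_channel": 1, "rssi": -59.5},
    {"ap": "area_2", "tag": TAG, "frame_channel": 6, "rssi": -64.6},
    {"ap": "area_3", "tag": TAG, "frame_channel": 11, "rssi": -62.3},
    {"ap": "area_2", "tag": TAG, "frame_channel": 5, "rssi": -80.0},
]


def ap_filter(reports):
    """AP-side check: keep only frames whose channel matches the AP's working channel."""
    return [r for r in reports
            if r["frame_channel"] == AP_SITES[r["ap"]]["channel"]]


def rssi_to_distance(rssi_dbm):
    """Log-distance path-loss model (an assumption): RSSI = P0 - 10 * n * log10(d)."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def locate(reports, tag_mac):
    """Return (x, y) for the tag, or None if fewer than three APs reported it."""
    per_ap = defaultdict(list)
    for r in reports:
        if r["tag"] == tag_mac:          # group by the tag's source MAC
            per_ap[r["ap"]].append(r["rssi"])
    if len(per_ap) < 3:
        return None

    anchors = []
    for ap, samples in per_ap.items():
        x, y = AP_SITES[ap]["xy"]
        anchors.append((x, y, rssi_to_distance(sum(samples) / len(samples))))

    # Subtract the first circle equation from the others to get linear equations,
    # then solve the 2x2 least-squares normal equations.
    x0, y0, d0 = anchors[0]
    s11 = s12 = s22 = t1 = t2 = 0.0
    for xi, yi, di in anchors[1:]:
        a1, a2 = 2 * (xi - x0), 2 * (yi - y0)
        b = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        s11 += a1 * a1
        s12 += a1 * a2
        s22 += a2 * a2
        t1 += a1 * b
        t2 += a2 * b
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; the position is not determined")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


if __name__ == "__main__":
    print("with AP channel filter:   ", locate(ap_filter(REPORTS), TAG))
    print("without AP channel filter:", locate(REPORTS, TAG))
```

With the overheard adjacent-channel frame left in, the averaged RSSI for area_2 drops and the computed position moves tens of metres away from the filtered result.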
Figure 17-3 Typical networking for the Wi-Fi tag location system
[Figure: Internet, location server, AC, switch, AP1, AP2, AP3, and an RFID tag]
• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00 | V200R007C10, V200R006C20, V200R006C10
V200R009C00 | V200R006C20, V200R006C10
V200R008C00 | V200R005C30, V200R005C20, V200R005C10
V200R007 | V200R005C20, V200R005C10
V200R006 | V200R005C00
Location server
• Computes the RFID tag location using a location algorithm (for example, three-point
positioning) after receiving the location information and provides the computed data to
user systems, including the system management software and image software.
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
WLAN Location of AeroScout Tags and AeroScout MUs
• The AP9330DN does not support Tag location.
• The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support AeroScout MU
location.
• When configuring the AC as the destination to which the AP reports location
information:
– Configure the port number used by the AC to communicate with the AeroScout
location server.
– Ensure that the port number configured on the AeroScout location server is the
same as that used by the AC to communicate with the AeroScout location server.
• When configuring the AeroScout location server as the destination to which the AP
reports location information, ensure that the port number used by the AP to report
location information is the same as that configured on the AeroScout location server.
• The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
• If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.
WLAN Location of Ekahau Tags
• The AP9330DN does not support Tag location.
• When configuring the AC as the destination to which the AP reports location
information:
– Configure the port number used by the AC to communicate with the Ekahau
location server and the IP address of the Ekahau location server on the AC.
– Ensure that the port number configured on the Ekahau location server is the same as
that used by the AC to communicate with the Ekahau location server.
• When configuring the Ekahau location server as the destination to which the AP reports
location information, ensure that the port number used by the AP to report location
information is the same as that configured on the Ekahau location server.
• The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
• If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.
Task Description
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 5 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
Step 12 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
The destination to which and port number through which the AP reports the received
AeroScout tag information are configured.
By default, the destination to which and port number through which the AP reports tag
information are not configured.
AeroScout server adds APs and configures the APs' MAC addresses, port numbers, and IP
addresses, and configures the AC IP address if an AC is used. The AeroScout location server
actively initiates a connection with the AC and APs.
Step 17 (Optional) Run source ip-address ip-address
The source IP address from which the AC sends packets to the AeroScout Location Server is
configured.
By default, the source IP address from which the AC sends packets to the AeroScout Location
Server is not configured.
NOTE
• The tags must send signals on the AP's working or scanning channels.
• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
– You must configure the number of the port through which the AC communicates with the
AeroScout Location Server.
– Ensure that the port number configured on the AeroScout Location Server is the same as the
number of the port through which the AC communicates with the AeroScout Location Server.
• To configure the AeroScout Location Server as the destination to which the AP reports tag information,
ensure that the port number configured on the AeroScout Location Server is the same as the number of
the port through which the AP reports tag information.
• The port number through which the AP reports tag information cannot be the same as the number of the
port through which the AC communicates with the AeroScout Location Server.
• If the location server uses the Linux system and has URPF enabled, the server must be able to ping the
source IP address that the AC uses to send packets to the location server.
NOTE
The AeroScout Tag Server and AC can both send the setting of the tag packet aggregation time to the
AP; however, the shorter aggregation time takes effect on the AP. For example, if the aggregation time is
set to 3600 seconds on the AeroScout Tag Server and 4800 seconds on the AC, the aggregation time of
3600 seconds takes effect on the AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
Step 22 Run location-profile profile-name radio { radio-id | all }
The location profile is bound to the specified radio on the AP.
By default, no location profile is bound to a radio.
Step 23 Run quit
Return to the WLAN view.
Step 24 (Optional) Run location source ip-address ip-address
The source IP address in packets sent by an AC to a location server is configured.
By default, the source IP address is not configured in packets sent by an AC to a location
server.
NOTE
In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.
----End
NOTE
If APs are configured to report AeroScout tag and MU packets to the AeroScout location server directly but
not through an AC, the display wlan location statistics aeroscout command cannot display location
statistics, and all fields are displayed as "0".
Task Description
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 5 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
The source IP address from which the AC sends packets to the Ekahau Location Server is
configured.
By default, the source IP address from which the AC sends packets to the Ekahau Location
Server is not configured.
NOTE
• The tags must send signals on the AP's working or scanning channels.
• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
– You must configure the IP address of the Ekahau Location Server and port number for
communicating with the Ekahau Location Server.
– Ensure that the port number configured on the Ekahau Location Server is the same as the number of
the port through which the AC communicates with the Ekahau Location Server.
• To configure the Ekahau Location Server as the destination to which the AP reports tag information,
ensure that the port number configured on the Ekahau Location Server is the same as the number of the
port through which the AP reports tag information.
• The port number through which the AP reports tag information cannot be the same as the number of the
port through which the AC communicates with the Ekahau Location Server.
• If the location server uses the Linux system and has URPF enabled, the server must be able to ping the
source IP address that the AC uses to send packets to the location server.
NOTE
In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.
----End
Context
After the AP that has WLAN location enabled successfully receives the configuration
information, it replies with a response packet. You can run the display command to check
information about LBS statistics and APs that have successfully received tag information.
Procedure
• Run the display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name }
command to check LBS information of the AP that has successfully received tag
information.
• Run the display wlan location statistics aeroscout command to check the LBS statistics
about AeroScout tags and MUs.
NOTE
If APs are configured to report AeroScout tag and MU packets to the AeroScout location server directly
but not through an AC, the display wlan location statistics aeroscout command cannot display
location statistics, and all fields are displayed as "0".
• Run the display wlan location device-info tag { all | ap-id ap-id | ap-name ap-name }
command to check tag location information on the AP.
----End
Procedure
• Run the reset wlan location device-info tag { all | ap-id ap-id | ap-name ap-name }
command to clear tag information received by all APs or specified APs on the AC.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
In Figure 17-4, the AC connects to the APs through a switch in a small warehouse.
The administrator requires that the APs collect tag information and report the information to
the AeroScout location server to compute tag locations so that users can obtain the locations
of all goods' AeroScout tags through maps, tables, or reports.
[Figure 17-4: networking diagram showing the AeroScout location server, AC, SwitchA, the APs area_1, area_2, and area_3, and an AeroScout tag]
Data preparation
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
• Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
• Configure WLAN tag location so that APs can receive configuration information from
the AeroScout location server and send the collected tag information to the AeroScout
location server.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the AeroScout location server.
Complete location configurations on the AeroScout location server. For details, see the related
document of the AeroScout location server.
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit
# Add GE0/0/2 that connects the AC and the AeroScout Positioning Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit
Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID  MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1   dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2   dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# When the location server has delivered the configuration information to the AP, run the
display wlan location device-info tag { ap-id ap-id | ap-name ap-name } command. The
command output shows the LBS information of the APs.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  aeroscout tag-enable
  aeroscout server port 1144 via-ac ac-port 10001
  source ip-address 10.23.100.1
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
  ap-name area_2
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
  ap-name area_3
  ap-group ap-group1
#
return
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
In Figure 17-5, the AC connects to the APs through a switch in a small warehouse.
The administrator requires that the APs collect tag information and report the information to
the Ekahau location server to compute tag locations so that users can obtain the locations of
all goods with Ekahau Tags through maps, tables, or reports.
[Figure 17-5: networking diagram showing the Ekahau location server, AC, SwitchA, APs area_1, area_2, and area_3, and an Ekahau tag (RFID)]
Data Preparation
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
• Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
• Configure WLAN tag location so that APs can receive configuration information from
the Ekahau location server and send the collected tag information to the Ekahau location
server.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the Ekahau location server.
Complete location configurations on the Ekahau location server. For details, see the related
document of the Ekahau location server.
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 4 Configure the connection between the AC and Ekahau Location Server.
# Add GE0/0/2 that connects the AC and the Ekahau Location Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit
Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1  dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2  dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create an air scan profile named wlan-air-scan and configure an air scan channel set.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit
# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# Create a location profile named wlan-location. Enable the location function based on
Ekahau Tags. Configure the IP address and port number to report the location information and
the source IP address used by the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] ekahau tag-enable
[AC-wlan-location-prof-wlan-location] ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.100.1
[AC-wlan-location-prof-wlan-location] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
1     area_2  0    1   DCD2-FC9D-0BB0 ON     WPA2-PSK  0   wlan-net
1     area_2  1    1   DCD2-FC9D-0BC0 ON     WPA2-PSK  0   wlan-net
2     area_3  0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
2     area_3  1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 6
# Run the display wlan location device-info tag { ap-id ap-id | ap-name ap-name }
command. The command output displays tag location information of APs.
[AC-wlan-view] display wlan location device-info tag ap-name area_1
AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 area_1 Ekahau 1040-8002-6420 11 -50
------------------------------------------------------------------------------
Total: 1
----End
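The display ap all and display vap ssid wlan-net checks in this procedure can be scripted. The following Python code is an added example, not part of the Huawei guide: it parses saved output of both commands and reports any inventoried AP that is not in the nor state, any AP missing from the inventory, and any VAP that is not ON with the expected auth type. The rows are copied from the tables above with columns collapsed to single spaces; the degraded variant (state fault, auth type Open) and all function names are constructed for illustration.

```python
import re

# Inventory from the ap-id / ap-mac / ap-name commands in this procedure.
EXPECTED_APS = {
    "60de-4476-e360": "area_1",
    "dcd2-fc9d-0bb0": "area_2",
    "dcd2-fc04-b500": "area_3",
}
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)

# Saved command output (rows from the tables above, single-space separated).
AP_OUTPUT = """\
ID MAC Name Group IP Type State STA Uptime
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 25S
1 dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 20S
2 dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor 0 10S
"""
VAP_OUTPUT = """\
AP ID AP name RfID WID BSSID Status Auth type STA SSID
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 DCD2-FC9D-0BB0 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 DCD2-FC9D-0BC0 ON WPA2-PSK 0 wlan-net
2 area_3 0 1 DCD2-FC04-B500 ON WPA2-PSK 0 wlan-net
2 area_3 1 1 DCD2-FC04-B510 ON WPA2-PSK 0 wlan-net
"""
# Constructed failure case: area_3 is not in the normal state, one VAP is
# down, and one VAP advertises a different auth type.
DEGRADED_AP = AP_OUTPUT.replace("nor 0 10S", "fault 0 10S")
DEGRADED_VAP = (VAP_OUTPUT.replace("DCD2-FC9D-0BC0 ON", "DCD2-FC9D-0BC0 OFF")
                .replace("DCD2-FC04-B500 ON WPA2-PSK", "DCD2-FC04-B500 ON Open"))


def parse_ap_table(text):
    """Rows of display ap all: ID MAC Name Group IP Type State STA Uptime."""
    keys = ("id", "mac", "name", "group", "ip", "type", "state", "sta", "uptime")
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == len(keys) and f[0].isdigit() and MAC_RE.match(f[1]):
            rows.append(dict(zip(keys, f)))
    return rows


def parse_vap_table(text):
    """Rows of display vap ssid; the auth type may span several tokens."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit() and MAC_RE.match(f[4]):
            rows.append({"ap_name": f[1], "radio": int(f[2]), "bssid": f[4].lower(),
                         "status": f[5], "auth": " ".join(f[6:-2]), "ssid": f[-1]})
    return rows


def audit(ap_text, vap_text, expected=EXPECTED_APS, ssid="wlan-net",
          auth="WPA2-PSK", radios=(0, 1)):
    """Return a list of findings; an empty list means the deployment matches."""
    findings = []
    aps = {r["mac"].lower(): r for r in parse_ap_table(ap_text)}
    for mac, name in expected.items():
        row = aps.get(mac)
        if row is None:
            findings.append(f"{name} ({mac}): not listed by the AC")
        elif row["state"] != "nor":
            findings.append(f"{name} ({mac}): state {row['state']}, expected nor")
    for mac, row in aps.items():
        if mac not in expected:
            findings.append(f"{row['name']} ({mac}): AP not in inventory")
    vaps = {(v["ap_name"], v["radio"]): v
            for v in parse_vap_table(vap_text) if v["ssid"] == ssid}
    for name in expected.values():
        for radio in radios:
            vap = vaps.get((name, radio))
            if vap is None:
                findings.append(f"{name} radio {radio}: no VAP for {ssid}")
                continue
            if vap["status"] != "ON":
                findings.append(f"{name} radio {radio}: VAP status {vap['status']}")
            if vap["auth"] != auth:
                findings.append(f"{name} radio {radio}: auth type {vap['auth']}, expected {auth}")
    return findings


if __name__ == "__main__":
    print("healthy :", audit(AP_OUTPUT, VAP_OUTPUT))
    for finding in audit(DEGRADED_AP, DEGRADED_VAP):
        print("degraded:", finding)
```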
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  ekahau tag-enable
  ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
  source ip-address 10.23.100.1
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
  ap-name area_2
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
  ap-name area_3
  ap-group ap-group1
#
return
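An added example (not Huawei tooling) that lints a saved AC configuration for the relationships this example depends on: every referenced profile is defined, the security profile carries the WPA2+PSK+AES policy as cipher text, and a via-ac location server line has a source ip-address. Two checks are assumptions: that the report port must differ from ac-port for Ekahau as well (the guide states that rule for AeroScout), and that the source address should be one of the AC's Vlanif addresses.

```python
import re

# Constructed sample: the AC configuration file above, trimmed to what the checks
# read, one space of indentation per level, with a placeholder for the cipher text.
AC_CONFIG = """\
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#<cipher-text>%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
  source ip-address 10.23.100.1
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
"""
# Constructed faulty variant: dangling reference, clashing ports, foreign source IP.
BROKEN_CONFIG = (AC_CONFIG.replace("  security-profile wlan-security", "  security-profile wlan-sec")
                 .replace("port 8569 via-ac", "port 10001 via-ac")
                 .replace("source ip-address 10.23.100.1", "source ip-address 10.23.200.1"))


def parse(cfg):
    """Build a tree of (line, children) tuples from the indentation."""
    root = []
    stack = [(-1, root)]
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def walk(nodes):
    for line, kids in nodes:
        yield line
        yield from walk(kids)


def lint(cfg):
    tree = parse(cfg)
    wlan = next((kids for line, kids in tree if line == "wlan"), [])
    local_ips = {m.group(1) for line, kids in tree if line.startswith("interface Vlanif")
                 for k, _ in kids if (m := re.match(r"ip address (\S+)", k))}
    defined = {m.groups() for line, _ in wlan
               if (m := re.match(r"(\S+-profile) name (\S+)", line))}
    findings = []
    for owner, kids in wlan:
        # 1. Profiles referenced from a profile or AP group must exist ("default" is built in).
        for line in walk(kids):
            m = re.match(r"(\S+-profile) (\S+)", line)
            if m and m.group(2) != "default" and m.groups() not in defined:
                findings.append(f"{owner}: undefined {m.group(1)} {m.group(2)}")
        # 2. The security profile should hold this example's WPA2+PSK+AES policy as cipher text.
        if owner.startswith("security-profile name"):
            policy = next((l for l, _ in kids if l.startswith("security ")), "")
            if not re.match(r"security wpa2 psk pass-phrase \S+ aes$", policy):
                findings.append(f"{owner}: policy is not WPA2+PSK+AES")
            elif "pass-phrase %^%#" not in policy:
                findings.append(f"{owner}: pass-phrase not stored as cipher text")
        # 3. Location reports relayed through the AC (via-ac).
        if owner.startswith("location-profile name"):
            lines = [l for l, _ in kids]
            src = next((l.split()[-1] for l in lines if l.startswith("source ip-address ")), None)
            for l in lines:
                m = re.search(r"server (?:ip-address \S+ )?port (\d+) via-ac ac-port (\d+)", l)
                if not m:
                    continue
                if m.group(1) == m.group(2):
                    findings.append(f"{owner}: report port equals ac-port {m.group(2)}")
                if src is None:
                    findings.append(f"{owner}: via-ac without source ip-address")
                elif src not in local_ips:  # assumption: source must be a Vlanif address of this AC
                    findings.append(f"{owner}: source {src} is not a Vlanif address")
    return findings

if __name__ == "__main__":
    print(lint(AC_CONFIG), *lint(BROKEN_CONFIG), sep="\n")
```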
Purpose
Terminal location technology allows users to locate devices such as Wi-Fi terminals and
rogue APs, helping users manage the network and control key assets.
Basic Concepts
As shown in Figure 18-1, the terminal location system includes at least three APs, one AC,
and one location server. Functions of each component are as follows:
• AP: The APs collect wireless signals. The APs periodically switch channels to collect
strength information about terminal signals in the surrounding environment on each
channel and report the collected information to the location server.
• AC: The AC delivers terminal location configurations to the APs. In addition, the AC
also classifies and filters the information received from the APs based on the device type
(such as authorized terminals and rogue APs).
• Location server: The location server functions as the location server and display terminal
in the location system. The location server computes the signal transmission model
according to locations of APs and obstacles, and calculates locations of terminals, rogue
APs, or Wi-Fi interference sources based on the RSSI information collected by each AP.
The display terminal draws maps and displays locations of the devices on the map.
[Figure 18-1: networking diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, Wi-Fi terminals, and rogue APs]
Implementation Principles
Terminal location technology locates terminals as follows:
1. APs collect strength information about radio signals and forward the information to the
location server.
a. The APs periodically switch channels to collect frames sent from terminals in the
surrounding environment on each channel and record frame information including
RSSI information, timestamp, data rate, and channel information. RSSIs are
essential in determining whether a terminal is near or far from the APs.
b. The APs encapsulate the collected radio signal information into UDP packets and
report the data to the location server in the following two modes:
– APs report collected data to the AC. Then, the AC reports the data to the
location server.
When the network between the APs and the location server is not reachable,
the APs report data to the AC first. The AC then filters information about
terminals and rogue APs before reporting the data to the location server.
– The APs directly report the collected data to the location server.
If the network between the APs and the location server is reachable, and the
AC is not required to identify unauthorized APs, configure the APs to directly
send data to the location server, which decreases CPU usage of the AC and
reduces impacts of the location function on services.
2. The AC reports the information received from APs to the location server.
As shown in Figure 18-2, after receiving information from the APs, the AC processes
the information as follows:
a. Determine whether the data received from the APs is location data. If not, the data
is processed in other ways.
b. If the AC receives the location data, the AC processes the data in the following
way: if the data is about terminal locations, the AC reports the data directly to the
location server; if the data is about authorized AP locations, the AC discards the
data; if the data is about rogue AP locations, the AC reports the data to the location
server.
[Figure 18-2: flowchart of how the AC processes data received from APs]
differences among RSSIs of a STA in the grid to all APs based on the imported AP
location information, and stores the data into the database.
b. Online phase: At least three APs report terminal information to the location server
after receiving the terminal information. The location server compares the
information received from the APs with the information in the database to obtain
the location of the terminal.
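The offline and online phases can be illustrated with a small fingerprint matcher. This is an added example, not the location server's algorithm: the grid, the survey values, the AP names, and the nearest-match rule on pairwise RSSI differences are assumptions chosen to mirror the description above.

```python
import math
from itertools import combinations

# Offline phase input (constructed survey data): RSSI in dBm that each AP
# measures for a reference STA placed in each grid cell.
SURVEY = {
    (0, 0): {"AP1": -40, "AP2": -65, "AP3": -70},
    (0, 1): {"AP1": -55, "AP2": -50, "AP3": -68},
    (1, 0): {"AP1": -58, "AP2": -66, "AP3": -48},
    (1, 1): {"AP1": -66, "AP2": -52, "AP3": -50},
}


def rssi_differences(rssi):
    """Pairwise RSSI differences keyed by AP pair.

    Storing differences instead of absolute values makes the fingerprint
    independent of the terminal's transmit power: a constant offset on
    every AP cancels out.
    """
    return {(a, b): rssi[a] - rssi[b] for a, b in combinations(sorted(rssi), 2)}


def build_database(survey):
    """Offline phase: one difference fingerprint per grid cell."""
    return {cell: rssi_differences(r) for cell, r in survey.items()}


def locate(reports, database, min_aps=3):
    """Online phase: return the grid cell whose fingerprint is closest.

    reports maps AP name to the RSSI that AP measured for the terminal.
    """
    if len(reports) < min_aps:
        raise ValueError(f"need reports from at least {min_aps} APs, got {len(reports)}")
    observed = rssi_differences(reports)

    def distance(cell):
        stored = database[cell]
        pairs = [p for p in observed if p in stored]
        if not pairs:
            return math.inf
        # Root-mean-square error over the AP pairs both sides know about.
        return math.sqrt(sum((observed[p] - stored[p]) ** 2 for p in pairs) / len(pairs))

    return min(database, key=distance)


if __name__ == "__main__":
    db = build_database(SURVEY)
    # A terminal in cell (0, 1) that transmits 6 dB weaker than the survey STA.
    print(locate({"AP1": -61, "AP2": -56, "AP3": -74}, db))
```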
[Figure: networking diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, Wi-Fi terminals, and rogue APs]
Implementation
[Figure: MU, AP, Switch, AC, and Location server; label: UDP encapsulation]
The protocol process of the AeroScout MU location system is similar to that of the AeroScout
tag location system. However, the two systems locate different devices. The AeroScout MU
location system locates mobile terminals while the AeroScout tag location system locates
tags.
Figure 18-4 shows the AeroScout MU location principle, which is similar to terminal
location.
1. After the AeroScout MU location function is enabled, APs receive MU messages and
forward them to the location server.
a. After receiving an MU Message frame, an AP records location information
contained in the frame such as the received signal strength indicator (RSSI), time
stamp, rate, and channel. The RSSI is the most important information because the
location server uses it to determine the distance between an MU and an AP.
b. The AP encapsulates all location information obtained from MU Message frames
into a UDP packet (MU Report) and sends the packet to the location server directly
or through the AC.
The destination IP address and port number of an MU Report packet are configured
on the AC.
– If the destination address is set to the IP address of the location server, the MU
Report packet is directly sent to the location server.
– If the destination address is set to the AC's IP address, the MU Report packet
is sent to the AC and forwarded by the AC to the location server. This
configuration is used when the AP cannot be directly connected to the location
server.
2. The location server computes the location information.
To accurately determine the MU location, the location server must receive location
information about an MU from at least three APs. After receiving the location
information, the location server computes the MU location according to information
including the RSSI, SNR, radio mode, the imported map, and AP locations. Then, the
location server sends the location information to the graphical interface of the third-party
device for presentation.
[Figure: networking diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, Wi-Fi terminals, and rogue APs]
• You can run the display ap-type all command to check the default AP types supported
by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00    V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00    V200R007C10, V200R006C20, V200R006C10
V200R009C00    V200R006C20, V200R006C10
V200R008C00    V200R005C30, V200R005C20, V200R005C10
V200R007       V200R005C20, V200R005C10
V200R006       V200R005C00
eSight
• Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
• The Wi-Fi terminal location function is applicable to eSight in V300R005C00.
App server
• An app server obtains location results from a location server and pushes information to
Bluetooth terminals based on the location results.
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
Wi-Fi Terminal Location
• The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support Wi-Fi terminal
location.
• Locating a terminal requires at least three APs to scan signals on the WLAN.
• To use the terminal location function to locate unauthorized STAs, rogue APs and
bridges, and ad-hoc devices, you need to enable WIDS. To use the terminal location
function to locate authorized STAs, you do not need to enable WIDS.
Pre-configuration Tasks
Before configuring the WLAN location function, perform the tasks listed in the following
table.
Task Description
Procedure
Step 1 Run system-view
An air scan profile is created and the air scan profile view is displayed.
Step 4 Run the undo scan-disable command to enable the air scan function.
By default, an air scan channel set contains all channels supported by the country code of an
AP.
The channel scan period applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.
A shorter channel scan period means fewer location packets that the device can obtain, which
affects the location accuracy. A longer channel scan period has a much larger impact on
services.
The channel scan interval applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.
NOTE
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to increase the scan frequency; however, a higher scan frequency has a
much larger impact on services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
to scan channels.
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
Step 14 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
The destination to which and port number through which the AP reports the received
AeroScout MU information are configured.
By default, the destination to which and port number through which the AP reports MU
information are not configured.
The source IP address from which the AC sends packets to the AeroScout Location Server is
configured.
By default, the source IP address from which the AC sends packets to the AeroScout Location
Server is not configured.
NOTE
• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
– You must configure the number of the port through which the AC communicates with the
AeroScout Location Server.
– Ensure that the port number configured on the AeroScout Location Server is the same as the
number of the port through which the AC communicates with the AeroScout Location Server.
• To configure the AeroScout Location Server as the destination to which the AP reports MU information,
ensure that the port number configured on the AeroScout Location Server is the same as the number of
the port through which the AP reports MU information.
• The port number through which the AP reports MU information cannot be the same as the number of the
port through which the AC communicates with the AeroScout Location Server.
• If the location server uses the Linux system and has URPF enabled, the source IP address that the AC
uses to send packets to the location server must be pingable from the server.
NOTE
The AeroScout Location Server and AC can both send the setting of the MU packet aggregation time to
the AP; however, the shorter aggregation time takes effect on the AP. For example, if the aggregation
time is set to 3600 seconds on the AeroScout Location Server and 4800 seconds on the AC, the
aggregation time of 3600 seconds takes effect on the AP.
• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
NOTE
In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.
----End
Pre-configuration Tasks
Before configuring Wi-Fi terminal location, perform the tasks listed in the following table.
Task Description
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Set the working mode for radios in an AP group or for a specified radio.
You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
• Set the working mode for all radios in an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
set the working mode for radios in an AP group.
By default, radios in an AP group work in normal mode.
NOTE
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to increase the scan frequency; however, a higher scan frequency has a
much larger impact on services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
to scan channels.
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
Follow-up Procedure
After Wi-Fi terminal location is configured on the AC, configure required WLAN location
parameters on the location server so that you can check Wi-Fi terminal location results on the
location server.
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
In Figure 18-6, the AC connects to the APs through a switch in a small warehouse.
The administrator requires that the APs collect tag information and report the information to
the AeroScout location server to compute tag locations so that users can obtain mobile
terminal locations shown in maps, tables, or reports.
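[Figure 18-6 (image not reproduced): networking diagram showing the AeroScout location server, the AC,
SwitchA, the APs area_1, area_2 and area_3, and an MU, with interface labels in the range GE0/0/1 to GE0/0/4.]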
Data preparation
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure WLAN MU location so that APs can receive configuration information from
the AeroScout Location Server and send the collected MU information to the AeroScout
Location Server.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the AeroScout location server.
Complete location configurations on the AeroScout location server. For details, see the related
document of the AeroScout location server.
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3 and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN)
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit
# Add GE0/0/2 that connects the AC and the AeroScout Positioning Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit
Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP6010DN-AGN  nor    0    25S
1   dcd2-fc9d-0bb0  area_2  ap-group1  10.23.100.253  AP6010DN-AGN  nor    0    20S
2   dcd2-fc04-b500  area_3  ap-group1  10.23.100.252  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# When the location server has delivered the configuration information to the AP, run the
display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name } command.
The command output shows the LBS information of the APs.
[AC-wlan-view] display wlan location config-info aeroscout ap-name area_1
----------------------------------------------------------------
AP ID : 0
AP name : area_1
AP MAC address : 60de-4476-e360
Response IP address : -
Response port : 1144
AP tag mode : start
AP MU mode : start
Dilution factor : 1
Dilution timeout(s) : 1
Tags multicast address : 0180-c200-000e
Compounded message timeout(0.1s) : 65535
----End
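A pre-deployment check of the procedure above against two points this guide makes: the Configuration Notes rule that the management VLAN and service VLAN cannot be the same in tunnel forwarding mode, and the remark that the sample security policy must be replaced according to service requirements. This is an added example, not Huawei code; the function names, the guest-vap profile, and the 16-character policy minimum are assumptions.

```python
import re

# Constructed sample: commands from the procedure above, plus a hypothetical
# VAP profile "guest-vap" that breaks the tunnel-forwarding VLAN rule.
SAMPLE_SESSION = """\
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] quit
[AC-wlan-view] vap-profile name guest-vap
[AC-wlan-vap-prof-guest-vap] forward-mode tunnel
[AC-wlan-vap-prof-guest-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-guest-vap] quit
"""

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+)$")
MIN_PSK_LEN = 16                # assumption: local policy (WPA2 itself accepts 8-63 characters)
DOC_SAMPLE_PSKS = {"a1234567"}  # pass-phrase printed in this guide's example


def parse_session(text):
    """Return (vap_profiles, psk_by_security_profile) from a CLI transcript."""
    vaps, psks = {}, {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # command output, warnings, blank lines
        view, cmd = m["view"], m["cmd"].split()
        if "-vap-prof-" in view:
            name = view.split("-vap-prof-", 1)[1]
            vap = vaps.setdefault(
                name, {"forward": None, "service_vlan": None, "security": None})
            if cmd[0] == "forward-mode" and len(cmd) > 1:
                vap["forward"] = cmd[1]
            elif cmd[:2] == ["service-vlan", "vlan-id"] and len(cmd) > 2:
                vap["service_vlan"] = int(cmd[2])
            elif cmd[0] == "security-profile" and len(cmd) > 1:
                vap["security"] = cmd[1]
        elif "-sec-prof-" in view and "pass-phrase" in cmd[:-1]:
            name = view.split("-sec-prof-", 1)[1]
            psks[name] = cmd[cmd.index("pass-phrase") + 1]
    return vaps, psks


def audit(text, mgmt_vlan):
    """Return sorted (profile, finding) pairs for the two checks."""
    vaps, psks = parse_session(text)
    findings = []
    for name, vap in vaps.items():
        # Configuration note: in tunnel forwarding mode the management VLAN
        # and the service VLAN cannot be the same.
        if vap["forward"] == "tunnel" and vap["service_vlan"] == mgmt_vlan:
            findings.append((name, "tunnel-service-vlan-equals-mgmt-vlan"))
    for name, psk in psks.items():
        if psk in DOC_SAMPLE_PSKS:
            findings.append((name, "documented-sample-psk"))
        if len(psk) < MIN_PSK_LEN:
            findings.append((name, "psk-shorter-than-policy"))
    return sorted(findings)


if __name__ == "__main__":
    # VLAN 100 is the management VLAN in this guide's example.
    for profile, finding in audit(SAMPLE_SESSION, mgmt_vlan=100):
        print(f"{profile}: {finding}")
```

The transcript is read as plain text, so the same check can run on a saved session log before the profiles are bound to an AP group.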
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration files
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
In Figure 18-7, the AC connects to the APs through a switch on an enterprise network.
The administrator requires that the APs collect Wi-Fi terminal information and report the
information to the location server to compute terminal locations so that users can obtain the
locations of the Wi-Fi terminals through maps, tables, or reports.
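[Figure 18-7 (image not reproduced): networking diagram showing the location server, the AC, SwitchA,
the APs area_1, area_2 and area_3, and a Wi-Fi terminal, with interface labels in the range GE0/0/1 to GE0/0/4.]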
Data preparation
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
l Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
l Configure terminal location so that APs can periodically scan channels to collect radio
signals and report the collected information to the location server.
Procedure
Step 1 Configure the location server (details are not provided here).
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit
Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP6010DN-AGN  nor    0    25S
1   dcd2-fc9d-0bb0  area_2  ap-group1  10.23.100.253  AP6010DN-AGN  nor    0    20S
2   dcd2-fc04-b500  area_3  ap-group1  10.23.100.252  AP6010DN-AGN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
#
return
Purpose
l Bluetooth terminal location is used for self-location of users in shopping malls and
parking lots where BLE devices are deployed. APs scan BLE devices and upload
obtained information about the BLE devices to a location server through an AC. The
location server then returns location results to users. Store keepers can push promotion
information to users through the BLE devices.
l Bluetooth tag location is used to locate Bluetooth tags placed on target objects or
persons, so that users can easily locate and manage key assets or persons.
l Bluetooth data transparent transmission is configured to enable Bluetooth clients worn
by users to obtain their health data and send the data to a server. In this way, users' health
conditions can be easily monitored and analyzed.
Concepts
As shown in Figure 19-1, a Bluetooth terminal location system consists of multiple Bluetooth
terminals, BLE devices, APs with built-in Bluetooth modules, ACs, one location server, and
one app server.
Implementation
As shown in Figure 19-1, Bluetooth terminal location technology locates Bluetooth terminals
through the following steps:
1. An AP obtains information about BLE devices and Bluetooth terminals, such as UUIDs,
RSSI calibration values, and power.
– The AP's built-in Bluetooth module scans surrounding BLE devices and Bluetooth
terminals, and collects iBeacon broadcast frames sent by them. The iBeacon
broadcast frames carry device information such as UUIDs and RSSI calibration
values.
BLE devices and Bluetooth terminals periodically send iBeacon broadcast frames
without the need to access the WLAN. Figure 19-2 shows the format of an iBeacon
broadcast frame.
Data Length Local name Data Data Length Service Data Service UUID Battery volume
n Service Data: iBeacon protocol data format, indicating that the subsequent data
is a UUID
n Service UUID: universally unique identifier customized by device vendors for
identifying BLE devices or Bluetooth terminals
n Battery volume: battery power level ranging from 0 to 100 in decimal notation
that maps battery power from 0% to 100%.
2. The AP reports obtained information about BLE devices, such as UUIDs, RSSI
calibration values, and power, to the AC, and sends Bluetooth terminal location packets
to the AC or location server.
In scenarios where no independent BLE devices are deployed, the Bluetooth broadcast
function of APs' built-in Bluetooth modules can be enabled, so that APs can function as
BLE devices to send BLE broadcast frames. Then APs can directly report battery power,
UUIDs, and RSSI calibration values of built-in Bluetooth modules to an AC without the
need of scanning.
NOTE
Currently, only the AP4050DN-E supports the Bluetooth broadcast function.
3. The AC sends Bluetooth terminal location packets, and low power and fault alarm
information about BLE devices to the location server.
4. On the location server, make floor plans and location map models, add BLE devices, set
their deployment locations, monitor their status, and calculate Bluetooth terminal
locations.
5. The app server obtains map information and BLE locations from the location server.
6. The app server sends map information and BLE device locations to Bluetooth terminals.
7. Install a location app on a Bluetooth terminal (such as a mobile phone), start the app, and
perform the following operations:
a. Collect information about scanned BLE devices and their signal strengths.
b. Collect information about sensors of the mobile phone, such as speed sensors and
gyroscopes.
c. Obtain map information from the location server.
d. Calculate and display BLE device locations on the Bluetooth terminal.
Implementation
As shown in Figure 19-4, Bluetooth tag location technology is used to locate Bluetooth tags by the
following procedure:
1. The built-in Bluetooth module of an AP scans surrounding Bluetooth tags and collects BLE
broadcast frames sent by Bluetooth tags. A BLE broadcast frame contains Bluetooth tag
information including the RSSI calibration value, battery power, and Bluetooth tag
disconnection alarms.
Bluetooth tags periodically send BLE broadcast frames and do not need to access a WLAN.
Figure 19-5 shows the format of a BLE broadcast frame.
Fields of a BLE broadcast frame are described from the left to the right as follows:
– Data Length: total length of the BLE Flags and Flag Data fields
– BLE Flags: field defined by the BLE protocol. For details, see Chapter 18.1 of Part
C in Volume 3 of Bluetooth 4.0 Core Specification.
– Flag Data: field defined by the BLE protocol. For details, see Chapter 18.1 of Part
C in Volume 3 of Bluetooth 4.0 Core Specification.
– Data Length: total length of the Company Manufacture Data, Company ID, BLE
Type, Battery volume, Current, Reference RSSI, and Reserved fields.
– Company Manufacture Data: vendor information.
– Company ID: company ID that Huawei applied for from the Bluetooth Special Interest
Group (Bluetooth SIG).
– BLE Type: tag type. Currently, only 0x00 is supported, which indicates the
universal tag.
– Battery volume: battery power level ranging from 0 to 100 in decimal notation that
corresponds to battery power from 0% to 100%.
– Current: Bluetooth tag disconnection alarm. The value 0 indicates that a Bluetooth
tag is connected, while 1 indicates that a Bluetooth tag is disconnected. For devices
that do not support Bluetooth tag disconnection alarms, the field value is fixed at 0.
– Reference RSSI: RSSI calibration value, which is measured 1 meter away from a
Bluetooth tag. The distance between a Bluetooth tag and an AP is calculated based on this
field.
– Reserved: field defined by tag vendors. The field length is less than or equal to 20
bytes.
2. The AP reports the obtained information about Bluetooth tags to an AC.
3. The AC reports information about all Bluetooth tags and Bluetooth tag offline alarms to a location
server.
4. Make a floor plan and location map model on the location server. After APs with built-in
Bluetooth modules are added to the location server, the location server can determine AP
installation locations, compute Bluetooth tag locations, and monitor Bluetooth tag status.
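How the Reference RSSI field can turn into a distance and then a position, given this guide's requirement that at least three APs report a tag. This is an added example, not the location server's algorithm: it assumes a log-distance path-loss model with exponent n and least-squares trilateration on a flat floor plan in meters, and all function names and sample readings are hypothetical.

```python
import math

DEFAULT_REF_RSSI_DBM = -65.0  # default RSSI calibration value stated in this guide
PATH_LOSS_EXPONENT = 2.0      # assumption: free space; indoor sites are typically 2 to 4


def rssi_to_distance(rssi_dbm, ref_rssi_dbm=DEFAULT_REF_RSSI_DBM, n=PATH_LOSS_EXPONENT):
    """Distance in meters, given the RSSI measured at the AP and the 1 m reference RSSI."""
    return 10 ** ((ref_rssi_dbm - rssi_dbm) / (10.0 * n))


def distance_to_rssi(distance_m, ref_rssi_dbm=DEFAULT_REF_RSSI_DBM, n=PATH_LOSS_EXPONENT):
    """Inverse of rssi_to_distance: the RSSI the model predicts at a given distance."""
    return ref_rssi_dbm - 10.0 * n * math.log10(distance_m)


def locate_tag(reports, ref_rssi_dbm=DEFAULT_REF_RSSI_DBM, n=PATH_LOSS_EXPONENT):
    """Estimate (x, y) of a tag from [(ap_x_m, ap_y_m, rssi_dbm), ...].

    Subtracting the first AP's circle equation from the others gives linear
    equations a*x + b*y = c, solved here by least squares (normal equations).
    """
    if len(reports) < 3:
        raise ValueError("at least three APs must report the tag")
    pts = [(x, y, rssi_to_distance(rssi, ref_rssi_dbm, n)) for x, y, rssi in reports]
    x0, y0, d0 = pts[0]
    saa = sbb = sab = sac = sbc = 0.0
    for xi, yi, di in pts[1:]:
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        saa += a * a
        sbb += b * b
        sab += a * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        # All APs on one line: the tag could be on either side of that line.
        raise ValueError("APs are collinear; position is ambiguous")
    return ((sbb * sac - sab * sbc) / det, (saa * sbc - sab * sac) / det)


# Constructed sample: three APs on a 10 m grid reporting whole-dBm readings
# for a tag that is actually at (3, 4).
SAMPLE_REPORTS = [(0.0, 0.0, -79), (10.0, 0.0, -83), (0.0, 10.0, -82)]

if __name__ == "__main__":
    x, y = locate_tag(SAMPLE_REPORTS)
    print(f"estimated tag position: ({x:.2f}, {y:.2f}) m")
```

Rounding the readings to whole dBm already moves the estimate by a few tenths of a meter, which is one reason a wrong Reference RSSI value in the tag frame skews every computed distance.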
Implementation
As shown in Figure 19-6, Bluetooth data is transparently transmitted as follows:
1. The built-in Bluetooth module of an AP scans surrounding Bluetooth clients, and
collects BLE broadcast frames sent by the clients. BLE broadcast frames carry users'
health data, and MAC addresses and RSSIs of Bluetooth clients.
Bluetooth clients periodically send BLE broadcast frames and do not need to access a
WLAN.
2. The AP sends information obtained from Bluetooth clients to an AC or a server. The
information includes users' health data, and MAC addresses and RSSIs of Bluetooth
clients.
3. The AC sends information reported by APs to a server. The information includes users'
health data, MAC addresses and RSSIs of Bluetooth clients, and Bluetooth client offline
alarms.
4. The server parses and obtains users' health data carried in BLE broadcast frames for
analysis and management.
Users can use mobile phones to scan BLE devices and upload information about scanned BLE
devices to the location server to implement location and navigation through apps.
Shop owners can deploy BLE devices to push commodity information and promotion
information through apps to users who have scanned broadcast frames sent by the BLE
devices.
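[Figure (image not reproduced): Bluetooth terminal location networking, showing the location server, app server, AC, AP, and BLE devices.]
[Figure (image not reproduced): Bluetooth tag location networking, showing the management system, location server, AC, APs, Bluetooth Tag1, Bluetooth Tag2, and Bluetooth signals.]
[Figure (image not reproduced): Bluetooth data transparent transmission networking, showing the server, AC, AP, Bluetooth clients, and Bluetooth signals.]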
V200R012C00    V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10
V200R011C10    V200R008C10, V200R008C00, V200R007C20, V200R007C10
V200R011C00    V200R007C20, V200R007C10
V200R010C00    V200R007C10
V200R009C00    -
Bluetooth device
l Bluetooth devices generate Bluetooth signals based on the BLE or iBeacon protocol.
They include BLE devices, Bluetooth tags, and Bluetooth clients (such as Bluetooth
thermometers, blood pressure monitors, and heart rate monitors).
– BLE devices are manufactured by BLE device vendors and generate Bluetooth
signals based on the iBeacon protocol. BLE devices periodically send BLE
broadcast frames. Currently, only BLE devices from Lanke Xuntong Technology
are supported.
– Bluetooth tags are manufactured by Bluetooth tag vendors and generate Bluetooth
signals based on the BLE protocol. Bluetooth tags periodically send BLE broadcast
frames.
– Bluetooth clients are manufactured by Bluetooth client vendors and generate
Bluetooth signals based on the BLE protocol. Bluetooth clients periodically send
BLE broadcast frames.
eSight
l Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
l The Bluetooth location function is supported by eSight V300R006C00.
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 19-1 Products and minimum version supporting the WLAN service
Feature Limitations
Bluetooth Terminal Location
l Only the R250D-E, R251D-E, AP2050DN-E, AP2051DN-E, AP4050DN-E,
AP8050DN, AP8050DN-S, AP8150DN, AP4051TN, AP6052DN, AP7052DN,
AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, and AP7050DE
support Bluetooth location, Bluetooth tag location and Bluetooth data transparent
transmission. Only the AP4050DN-E supports the Bluetooth broadcast function.
l Bluetooth terminals must support BLE 4.0 or later versions and can properly report
received RSSI information to the location server through apps.
l After the Bluetooth monitoring function is enabled, APs will obtain battery power
information about surrounding BLE devices at 02:00 of the AC system time, which is
off-peak hours of WLAN services. If the system time is different from the actual time,
obtaining battery power information may interrupt WLAN services. To prevent such an
issue, configure the system time correctly on the AC.
l After enabling the Bluetooth location function, you are advised to deploy APs in
channels 1, 6, and 11 on the 2.4 GHz frequency band.
l After the Bluetooth tag location function is enabled, at least three APs need to collect
location information about a Bluetooth tag to be located and send the information to the
location server. The location server matches the RSSIs received by the APs with
information in the database, and obtains the location of the Bluetooth tag.
l Enabling both the Bluetooth scanning and broadcast functions of an AP affects the
efficiency for the AP's Bluetooth module to scan surrounding BLE devices. When an AP
does not serve as a Bluetooth base station, it is recommended that the broadcast function
of the AP be disabled.
Content of a BLE broadcast frame: The UUID, Major, and Minor fields in a BLE
broadcast frame are null. The default RSSI calibration value is -65 dBm.
Pre-configuration Tasks
Before configuring Bluetooth Terminal location, perform the tasks listed in the following
table.
Task Description
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
Step 4 Run sniffer enable ibeacon-mode
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Configure the Bluetooth broadcast function for an AP's built-in Bluetooth module.
NOTE
The mode in which Bluetooth terminal location packets are sent is configured.
The destination IP address and port number to which an AP sends Bluetooth terminal
location packets are configured.
By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.
A specified Bluetooth device is added to the monitoring list on the built-in Bluetooth module
of an AP.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.
----End
Follow-up Procedure
After configuring Bluetooth location, you need to perform the following operations to check
location results on a location server.
Pre-configuration Tasks
Before configuring the Bluetooth tag location function, complete the following tasks:
Task Description
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.
----End
Follow-up Procedure
After configuring the Bluetooth tag location function, configure related Bluetooth tag location
parameters on eSight so that you can view location results on eSight.
Pre-configuration Tasks
Before configuring Bluetooth data transparent transmission, complete the following tasks:
Task Description
Procedure
Step 1 Run system-view
The mode of sending Bluetooth data packets for transparent transmission is configured.
Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or
report-to-server domain domain port port-num
The destination IP address and port number are configured for an AP to send Bluetooth data
packets for transparent transmission.
By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.
Specified Bluetooth clients are added to the monitoring list of an AP's built-in Bluetooth
module.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly. Bluetooth clients do not support low power alarms.
----End
Follow-up Procedure
After Bluetooth data transparent transmission is configured, servers need to collect data from
Bluetooth clients for effective Bluetooth data analysis.
Procedure
l Run the display wlan ble site-info { all | mac-address mac-address | host-ap { valid |
host-ap-id ap-id | host-ap-name ap-name } } command to check information about
BLE devices scanned and obtained by an AP's built-in Bluetooth module.
l Run the display wlan ble monitoring-list command to check BLE devices that have
been added to the monitoring list.
----End
Procedure
l Run the reset wlan ble site-info { all | mac-address mac-address } command to delete
information about BLE devices stored on the AC.
----End
Networking Requirements
As shown in Figure 19-10, an AC is connected to an AP through a switch on the network of a
shopping mall.
The administrator expects to use the AP to scan BLE broadcast frames sent by BLE devices to
obtain information about the BLE devices, such as universally unique identifiers (UUIDs) and
received signal strength indicator (RSSI) calibration values, and report the information to the
location server. When Bluetooth terminals of customers scan BLE devices and report obtained
information about the BLE devices to the location server, the location server implements
location algorithms for providing navigation services and pushing commodity sales
information to customers through apps.
Figure 19-10 Networking diagram for configuring basic Bluetooth location services
[Figure elements: app server, Bluetooth terminal, Bluetooth signal, BLE device]
Data Plan
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
l Configure basic WLAN services so that users can access the WLAN of the shopping
mall and send information about scanned BLE devices to the location server.
l Configure the Bluetooth location function so that the AP can scan BLE devices and send
obtained information about the BLE devices to the location server.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the location server.
Complete the location configuration on the location server. For details, see related documents
of the location server.
Step 2 Configure the switch and AC so that the AP and AC can exchange CAPWAP packets.
# Configure access switch SwitchA. Add GE0/0/1 and GE0/0/2 on SwitchA to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
# Create an AP group to which the APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure the AP
name based on the AP's deployment location so that you can know where the AP is deployed
by its name. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP as area_1.
NOTE
By default, MAC address authentication is configured using the ap auth-mode command. If the default
settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
# Power on the AP, and run the display ap all command to check the AP state. If the State
field is displayed as nor, the AP is online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Create BLE profile wlan-ble and enable the Bluetooth monitoring function.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable ibeacon-mode
[AC-wlan-ble-prof-wlan-ble] quit
# Add BLE devices within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002
The WLAN service configuration is automatically delivered to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on the AP
radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 2
# After the AP obtains information about BLE devices, run the display wlan ble site-info
{ all | mac-address mac-address } command to view the information about BLE devices.
[AC-wlan-view] display wlan ble site-info all
--------------------------------------------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type    DetachedFlag Aging-Timeout(m) Advertisement data
--------------------------------------------------------------------------------------------------------------------
1     1234-1234-1000 0          area_1       -80  80%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
2     1234-1234-1001 0          area_1       -85  60%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
3     1234-1234-1002 0          area_1       -83  60%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
--------------------------------------------------------------------------------------------------------------------
Total: 3
After connecting to the WLAN of the shopping mall using a Bluetooth terminal enabled with
the Bluetooth function, a user can use a location app to download the shopping mall's map
and report information about scanned BLE devices to the location server. The location server
then implements location algorithms and sends the location of the Bluetooth terminal to the
user. At the same time, the app server pushes commodity sales information to the user based
on the location of the Bluetooth terminal.
----End
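The following is an added example, not part of the Huawei guide or the device software: it parses rows in the display wlan ble site-info all layout shown above, decodes the advertisement data, and lists devices that are outside the monitoring list (which the AC does not alarm on once a list exists) or below the default 20% low-power threshold. It assumes that the 21-byte advertisement data is the iBeacon payload UUID (16 bytes), Major (2), Minor (2) and calibrated RSSI (1), and that "low" means strictly below the threshold; the sample rows are constructed.

```python
import re
import struct
import uuid

# One table row; \s+ also spans line breaks, so rows wrapped by the terminal still match.
ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ap_id>\d+)\s+(?P<ap_name>\S+)\s+(?P<rssi>-?\d+)\s+(?P<power>\d+)%\s+"
    r"(?P<type>\S+)\s+(?P<detached>[YN])\s+(?P<aging>\d+)\s+"
    r"(?P<adv>(?:[0-9a-f]{2}-)*[0-9a-f]{2})\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: row 1 is wrapped as a narrow terminal would show it,
# row 3 has a constructed low battery value, row 4 is a constructed unlisted device.
SAMPLE = """\
1 1234-1234-1000 0 area_1 -80 80% ibeacon
N 57
41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
2 1234-1234-1001 0 area_1 -85 60% ibeacon N 57 41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
3 1234-1234-1002 0 area_1 -83 15% ibeacon N 57 41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
4 aaaa-bbbb-0001 0 area_1 -60 90% ibeacon N 57 00-11-22-33-44-55-66-77-88-99-aa-bb-cc-dd-ee-ff-00-01-00-02-c5
Total: 4
"""


def decode_ibeacon(adv):
    """Decode hyphen-separated advertisement data (assumed layout: UUID|Major|Minor|RSSI)."""
    raw = bytes.fromhex(adv.replace("-", ""))
    if len(raw) != 21:
        return None  # not the assumed iBeacon payload length
    uid, major, minor, calibrated = struct.unpack(">16sHHb", raw)
    return {"uuid": str(uuid.UUID(bytes=uid)), "major": major,
            "minor": minor, "calibrated_rssi": calibrated}


def mac_to_int(mac):
    return int(mac.replace("-", ""), 16)


def int_to_mac(value):
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def monitoring_list(start, end):
    """Expand 'ble monitoring-list mac <start> to <end>' into the set of listed MACs."""
    return {int_to_mac(v) for v in range(mac_to_int(start), mac_to_int(end) + 1)}


def audit(text, monitored, low_power=20):
    """Return (mac, reason) findings for every parsed row, in table order."""
    findings = []
    for row in ROW.finditer(text):
        mac = row["mac"].lower()
        if mac not in monitored:
            findings.append((mac, "not-in-monitoring-list"))
        if int(row["power"]) < low_power:
            findings.append((mac, "low-power"))
        if decode_ibeacon(row["adv"]) is None:
            findings.append((mac, "unexpected-advertisement-length"))
    return findings


MONITORED = monitoring_list("1234-1234-1000", "1234-1234-1002")

if __name__ == "__main__":
    for mac, reason in audit(SAMPLE, MONITORED):
        print(mac, reason)
```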
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ble-profile name wlan-ble
sniffer enable ibeacon-mode
ble monitoring-list mac 1234-1234-1000
ble monitoring-list mac 1234-1234-1001
ble monitoring-list mac 1234-1234-1002
ap-group name ap-group1
ble-profile wlan-ble
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 61 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name area_1
ap-group ap-group1
#
return
Purpose
Today's WLANs face usability problems and security vulnerabilities:
l Users need to manually connect their terminals to the WLAN, including opening WLAN
management UI on the wireless terminals, searching for SSIDs, selecting the SSID to
connect, and configuring identity authentication parameters.
l After associating with the AP, the wireless terminal needs to be further authenticated to
gain access to network services.
l Different WLANs provide inconsistent and limited security mechanisms.
Hotspot 2.0 solves the security and usability problems of WLANs. It provides users with
automatic and secure WLAN access. Wireless terminals can automatically discover Hotspot
2.0 networks, select and associate with the APs based on the network information provided by
APs, and finish identity authentication.
Benefits
Benefits to network service providers
l Data traffic can be transmitted on 2G/3G/4G networks or offloaded to Wi-Fi networks.
l Roaming access is supported.
l Users enjoy varied network access modes.
[Figure: Hotspot 2.0 network elements: STA, AP, AC, Router, AAA server, HLR, BOSS]
NE Description
STA: Wireless terminals that support Hotspot 2.0 and WPA2-802.1X client. STAs
function as the ANQP clients and can obtain Hotspot 2.0 network
information through ANQP.
AP: Wireless access points that support Hotspot 2.0 and WPA2-802.1X access.
The APs function as the ANQP servers and can send Hotspot 2.0 network
information to STAs through ANQP.
HLR: Home location register (HLR), a database that stores user information on
mobile communication networks, including the user registration information,
mobile station location information, MSISDNs, and IMSIs.
BOSS: The operation support platform provides end-to-end business flow support
for the carrier to handle routine tasks such as customer service, rating,
billing, settlement and dunning.
Concepts
Hotspot 2.0 is implemented based on IEEE 802.11u standards. IEEE 802.11u defines a
mechanism for terminals to obtain WLAN information. On home or roaming networks,
terminals can obtain WLAN information through Beacon or Probe frames or the generic
advertisement service (GAS). Based on the received WLAN information, the terminals
automatically select the optimal WLAN network to access, where the terminals will be
automatically authenticated.
WLAN information is transferred through GAS and ANQP.
l GAS: a mechanism defined by 802.11u through which the STA obtains network
information by exchanging Request and Response packets with the network side.
l Access Network Query Protocol (ANQP): a network information query protocol
encapsulated in GAS packets.
ANQP defines the network parameters that are used to identify networks, as shown in Table
20-2.
Parameter Description
Operator Friendly Name: Friendly operator name displayed on the user terminal.
IP Address Type Availability Information: Available IP address types, for example, IPv4,
IPv6, and NAT.
[Figure: Hotspot 2.0 access process across STA, AP, AC, Router, AAA server, HLR, and BOSS: (1) passive scan (Beacon); (2) active scan (Probe Request, Probe Response)]
Users are registered at their home service providers and configured with the USIM/SIM card,
certificate, user name and password, and organization identifier (OI) of the home service
provider. In scenarios where a STA accesses a roaming WLAN, the roaming WLAN must
have set up connections with the home network. Additionally, the roaming consortium and
some or all of the following information related to the home network must be configured on
the roaming WLAN: the roaming consortium list, cellular network information, and NAI
realm list.
1. STA passive scan or active scan
– STA passive scan
An AP sends a Beacon frame which contains information including the Hotspot 2.0
indication, BSS load, Internet connectivity flag, network type, and information of
service providers.
Upon receiving the Beacon frame, the STA checks whether the received Beacon
frame carries the Hotspot 2.0 indication. If so, the STA determines that the AP
supports Hotspot 2.0. The STA then parses the Roaming Consortium field included
in the received frame to obtain the OI of the WLAN service provider. In this way,
the STA determines whether it is allowed to access the WLAN. Before network
access, the STA can also learn the BSS load information and then select a lightly
loaded AP to access the WLAN.
– STA active scan
The STA sends to the home AP a Probe Request frame with access network type
information. After receiving the Probe Request frame, the AP checks whether the
network type contained in the frame matches the allowed network type configured
on the AP. If so, the AP responds with a Probe Response frame, which includes
Hotspot 2.0 indication, BSS load, Internet connectivity flag, network type, and
information of one to three service providers.
When receiving the Probe Response frame, the STA checks whether the received
frame carries the Hotspot 2.0 indication. If so, the STA determines that the AP
supports Hotspot 2.0. The STA then parses the Roaming Consortium field included
in the received frame to obtain the OI of the WLAN service provider. In this way,
the STA determines whether it is allowed to access the WLAN. Before network
access, the STA can also learn the BSS load information and then select a lightly
loaded AP to access the WLAN.
2. STA obtains network information in roaming scenarios
The STA sends a GAS Initial Request frame to obtain more WLAN information,
including a list of all available service providers, supported authentication types, hotspot
operators, IP addresses and ports, and traffic over the wired port. The AP replies with a
GAS Initial Response frame, which carries ANQP network parameters.
3. STA association with the AP
The STA selects a WLAN to access based on the obtained WLAN information (such as
the realm name and authentication type), preset NAI, and access credential. Upon
determining a target WLAN, the STA sends an Association Request frame to the AP. The
Association Request frame carries the Hotspot 2.0 indication which indicates that AES
encryption and 802.1X authentication are used. The AP replies with an Association
Response frame.
4. STA identity authentication
The STA sends an 802.1X authentication request, and the AC forwards it to the AAA
server. The STA also reports NAI information. Based on the route information carried in
the NAI field, the home AAA server connects to the authentication server of the home
service provider for authentication of the STA. After passing the authentication, the STA
can access the WLAN.
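The scan-and-select logic of steps 1 and 3 above, as an added example that is not from the Huawei guide or any device software: a STA-side parser that reads the Hotspot 2.0 indication, Roaming Consortium OIs, BSS load and network type from a Beacon or Probe Response body, then picks the lightest-loaded AP whose OI matches a provisioned credential. Element layouts follow IEEE 802.11 and the Wi-Fi Alliance Hotspot 2.0 Indication element; the network-type names reuse the network-type keywords of this guide, and the OIs, BSSIDs and frame bodies are constructed sample values.

```python
import struct

# IEEE 802.11 element IDs: BSS Load, Interworking, Roaming Consortium, Vendor Specific.
EID_BSS_LOAD, EID_INTERWORKING, EID_ROAMING_CONSORTIUM, EID_VENDOR = 11, 107, 111, 221
HS20_INDICATION = bytes.fromhex("506f9a10")  # Wi-Fi Alliance OUI 50-6F-9A, type 0x10
ACCESS_NETWORK_TYPES = {
    0: "private", 1: "private-guest", 2: "public-chargeable", 3: "public-free",
    4: "personal-device", 5: "emergency-service", 14: "test", 15: "wildcard",
}


def element(eid, payload):
    """Build one tagged element (used only to construct the sample frames)."""
    return bytes([eid, len(payload)]) + payload


def iter_elements(body):
    """Yield (element_id, payload); reject frames whose length fields overrun the body."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[pos], body[pos + 1]
        payload = body[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated element payload")
        yield eid, payload
        pos += 2 + length


def parse_beacon(body):
    info = {"hotspot2": False, "ois": [], "sta_count": None,
            "network_type": None, "internet": None}
    for eid, p in iter_elements(body):
        if eid == EID_BSS_LOAD and len(p) == 5:
            # station count (2, LE), channel utilization (1), admission capacity (2)
            info["sta_count"], _util, _capacity = struct.unpack("<HBH", p)
        elif eid == EID_INTERWORKING and p:
            info["network_type"] = ACCESS_NETWORK_TYPES.get(p[0] & 0x0F, "reserved")
            info["internet"] = bool(p[0] & 0x10)  # Internet connectivity flag
        elif eid == EID_ROAMING_CONSORTIUM and len(p) >= 2:
            # p[0]: number of further OIs available via ANQP; p[1]: OI #1/#2 lengths
            len1, len2 = p[1] & 0x0F, p[1] >> 4
            ois = p[2:]
            if len1 + len2 > len(ois):
                raise ValueError("roaming consortium OI lengths exceed element")
            parts = (ois[:len1], ois[len1:len1 + len2], ois[len1 + len2:])
            info["ois"] = [oi.hex() for oi in parts if oi]
        elif eid == EID_VENDOR and p[:4] == HS20_INDICATION:
            info["hotspot2"] = True
    return info


def select_ap(beacons, credential_ois):
    """Return the BSSID of the least-loaded Hotspot 2.0 AP with a matching OI, or None."""
    candidates = []
    for bssid, body in beacons.items():
        info = parse_beacon(body)
        if not info["hotspot2"] or not set(info["ois"]) & set(credential_ois):
            continue
        load = info["sta_count"] if info["sta_count"] is not None else float("inf")
        candidates.append((load, bssid))
    return min(candidates)[1] if candidates else None


OI_HOME = bytes.fromhex("aa0001")   # constructed OI values, not registered ones
OI_OTHER = bytes.fromhex("aa0002")


def sample_beacon(hs20, ois, sta_count):
    """Constructed frame body: BSS Load, Interworking, Roaming Consortium, optional HS2.0."""
    body = element(EID_BSS_LOAD, struct.pack("<HBH", sta_count, 40, 0))
    body += element(EID_INTERWORKING, bytes([2 | 0x10]))  # public-chargeable + Internet
    lengths = len(ois[0]) | ((len(ois[1]) if len(ois) > 1 else 0) << 4)
    body += element(EID_ROAMING_CONSORTIUM, bytes([0, lengths]) + b"".join(ois))
    if hs20:
        body += element(EID_VENDOR, HS20_INDICATION + b"\x10")
    return body


SAMPLE_BEACONS = {
    "02:00:00:00:00:0a": sample_beacon(True, [OI_HOME], 30),
    "02:00:00:00:00:0b": sample_beacon(True, [OI_OTHER, OI_HOME], 4),
    "02:00:00:00:00:0c": sample_beacon(False, [OI_HOME], 0),   # no Hotspot 2.0 indication
    "02:00:00:00:00:0d": sample_beacon(True, [OI_OTHER], 1),   # OI does not match
}

if __name__ == "__main__":
    print(select_ap(SAMPLE_BEACONS, {"aa0001"}))
```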
[Figures: Hotspot 2.0 networking on a home operator network, on a roaming operator network, and on a local network. Elements: STA, AP, AC, access network, core network or IP network, AAA server, BOSS]
V200R012C00 V200R009C00
V200R008C10
V200R008C00
V200R007C20
V200R007C10
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Table 20-3 Products and minimum version supporting the WLAN service
Series Product Model Minimum Version Required
Feature Limitations
l WPA2-802.1X authentication must be configured for Hotspot 2.0 services.
l In WPA2-802.1X authentication, an AP uses the same GTK to send broadcast packets to
different STAs, which brings security risks. Therefore, the AP is forbidden to forward
broadcast or multicast packets to STAs.
l To automatically select and access Hotspot 2.0 networks, wireless terminals must
support Hotspot 2.0 and 802.1X client, and be configured with identity credentials, such
as the SIM/USIM card acquired from the service provider; otherwise, users need to
manually search for SSIDs of the desired networks and enter identity authentication
information to access the networks.
Configuration Procedure
Hotspot 2.0 is configured using profiles. Figure 20-6 shows the configuration flowchart.
[Figure 20-6: Hotspot 2.0 configuration flowchart. Elements: AP group, AP, VAP profile, traffic profile (configure downstream broadcast control on APs)]
Context
Hotspot 2.0 requires use of the WPA2-802.1X security policy and AES encryption algorithm.
Therefore, you need to configure WPA2-802.1X authentication in the security profile and
authentication profile.
l See 12.4.2.4 Configuring WPA/WPA2-802.1X for the security profile configuration.
l See NAC Configuration (Unified Mode) for 802.1X authentication configuration, and
Configuring an 802.1X Access Profile for access mode configuration.
Context
Hotspot 2.0 networks are usually provided by network service providers who can set network
parameters in compliance with Hotspot 2.0 standards to identify the networks. Wireless
terminals can obtain network information and automatically select and access the desired
networks based on the preset identity credentials. The administrator needs to configure the
APs through Hotspot 2.0 profiles according to the parameters provided by the network service
providers so that the APs can provide Hotspot 2.0 network information to the wireless
terminals. After the Hotspot 2.0 profiles are applied to VAP profiles, the configuration takes
effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run hotspot2-profile name profile-name
A Hotspot 2.0 profile is created and the Hotspot 2.0 profile view is displayed.
By default, no Hotspot 2.0 profile is available.
Step 4 Run network-type { emergency-service | personal-device | private | private-guest |
public-chargeable | public-free | test | wildcard } [ internet-access ]
The Hotspot 2.0 network type and Internet access status are configured.
By default, the network type is set to wildcard, and Internet access is not supported.
Step 5 (Optional) Run hessid mac-address
The HESSID of the Hotspot 2.0 network is configured.
By default, no HESSID is configured.
Step 6 (Optional) Run venue-type group-code venue-group type-code type-code-value
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Configure parameter profiles.
l Cellular network profile
a. Run the cellular-network-profile name profile-name command to create a cellular
network profile and enter the cellular network profile view.
By default, no cellular network profile exists in the system.
b. Run the plmn-id plmn-id command to set the PLMN ID.
By default, no PLMN identifier is configured in the cellular network profile.
c. Run the quit command to return to the WLAN view.
l NAI realm profile
a. Run the nai-realm-profile name profile-name command to create an NAI realm
profile and enter the NAI realm profile view.
By default, no NAI realm profile is available in the system.
b. Run the nai-realm realm-name realm-name [ eap-method-type eap-method-type
[ eap-authen-id eap-authen-id eap-authen-para eap-authen-para ] ] command to
configure an NAI realm.
By default, no NAI realm is configured.
c. Run the quit command to return to the WLAN view.
l Roaming consortium profile
a. Run the roaming-consortium-profile name profile-name command to create a
roaming consortium profile and enter the roaming consortium profile view.
By default, no roaming consortium profile is created.
b. Run the roaming-consortium-oi oi-value [ in-beacon ] command to set the
roaming-consortium organization identifier (OI).
By default, no roaming consortium identifier is configured for the Hotspot 2.0
network.
c. Run the quit command to return to the WLAN view.
l Connection capability profile
a. Run the connection-capability-profile name profile-name command to create a
connection capability profile and enter the connection capability profile view.
By default, no connection capability profile exists in the system.
b. Run the connection-capability { esp | icmp | tcp-ftp | tcp-http | tcp-pptp-vpn |
tcp-ssh | tcp-tls-vpn | tcp-voip | udp-ike2-4500 | udp-ike2-500 | udp-voip } { on |
off } command to set whether Hotspot 2.0 networks support common IP protocols
and ports.
By default, no supported protocol is specified in a connection capability profile.
Step 4 Run the hotspot2-profile name profile-name command to enter the Hotspot 2.0 profile view.
----End
Context
After the Hotspot 2.0 profile configuration is complete, apply the Hotspot 2.0 profile to a VAP
profile. Each VAP profile contains one Hotspot 2.0 profile. Hotspot 2.0-capable wireless
terminals that have obtained identity credentials from the service providers can obtain
network information from the connected APs, and automatically select and access the desired
networks.
Procedure
Step 1 Run system-view
----End
Context
After the Hotspot 2.0 configuration is complete, you can check profiles on the device,
including their configuration and reference information.
Procedure
l Checking profiles and their configuration information
– Run the display hotspot2-profile { all | name profile-name } command to check
information about the Hotspot 2.0 profile.
– Run the display cellular-network-profile { all | name profile-name } command to
check information about the cellular network profile.
– Run the display connection-capability-profile { all | name profile-name }
command to check information about the connection capability profile.
– Run the display nai-realm-profile { all | name profile-name } command to check
information about the NAI realm profile.
– Run the display operating-class-profile { all | name profile-name } command to
check information about the operating class profile.
– Run the display operator-domain-profile { all | name profile-name } command to
check information about the operator domain profile.
– Run the display operator-name-profile { all | name profile-name } command to
check information about the operator name profile.
– Run the display roaming-consortium-profile { all | name profile-name }
command to check information about the roaming consortium profile.
– Run the display venue-name-profile { all | name profile-name } command to
check information about the venue name profile.
l Checking profile reference information
– Run the display references hotspot2-profile name profile-name command to
check reference information about the Hotspot 2.0 profile.
– Run the display references cellular-network-profile name profile-name command
to check reference information about the cellular network profile.
– Run the display references connection-capability-profile name profile-name
command to check reference information about the connection capability profile.
– Run the display references nai-realm-profile name profile-name command to
check reference information about the NAI realm profile.
– Run the display references operating-class-profile name profile-name command
to check information about the operating class profile.
– Run the display references operator-domain-profile name profile-name
command to check reference information about the operator domain profile.
– Run the display references operator-name-profile name profile-name command
to check reference information about the operator name profile.
– Run the display references roaming-consortium-profile name profile-name
command to check reference information about the roaming consortium profile.
– Run the display references venue-name-profile name profile-name command to
check reference information about the venue name profile.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot 2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically, without being aware
of the authentication process.
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_B) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
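[Figure: networking diagram for this example. Devices: STA, AP, SwitchA, SwitchB, AC,
Router, IP network, RADIUS server (10.23.102.1/24, port 1812). Management VLAN: 100;
service VLAN: 101. AC VLANIF100: 10.23.100.1/24; Router VLANIF101: 10.23.101.2/24.
Interface labels: GE0/0/1 and GE0/0/2 on SwitchA; GE0/0/1, GE0/0/2, and GE0/0/3 on
SwitchB; GE0/0/1 on the AC; GE1/0/0 on the Router.]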
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1X authentication based on the operator's AAA server information.
5. Configure Hotspot 2.0 services based on the operator's network information.
Configuration Notes
l For details about common WLAN configuration notes, see 2 General Precautions for
WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
Deployment and Configuration Suggestions.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit
# Create an AAA domain and configure the RADIUS server template and authentication
scheme for the domain.
[AC] aaa
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server wlan-radius
[AC-aaa-domain-huawei.com] authentication-scheme wlan-authen
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Configure an 802.1X access profile and configure EAP relay authentication for 802.1X
users.
# Configure an authentication profile and bind the 802.1X access profile to the authentication
profile, and configure a forcible authentication domain for users.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] access-domain huawei.com dot1x force
[AC-authentication-profile-wlan-net] quit
# Configure Hotspot 2.0 profile wlan-net based on the operator's network parameters. Ensure
that the WPA2-802.1X authentication profile has been bound to the VAP profile.
[AC] wlan
[AC-wlan-view] cellular-network-profile name wlan-net
[AC-wlan-cellular-net-wlan-net] plmn-id 46000
[AC-wlan-cellular-net-wlan-net] quit
[AC-wlan-view] connection-capability-profile name wlan-net
[AC-wlan-co-cap-prof-wlan-net] connection-capability tcp-http on
[AC-wlan-co-cap-prof-wlan-net] quit
[AC-wlan-view] operator-name-profile name wlan-net
[AC-wlan-wlan-op-name-prof-wlan-net] operator-friendly-name language-code eng name mobileA
[AC-wlan-wlan-op-name-prof-wlan-net] quit
[AC-wlan-view] operating-class-profile name wlan-net
[AC-wlan-op-class-prof-wlan-net] operating-class-indication 81
[AC-wlan-op-class-prof-wlan-net] quit
[AC-wlan-view] operator-domain-profile name wlan-net
[AC-wlan-op-domain-prof-wlan-net] domain-name www.mobileA.com
[AC-wlan-op-domain-prof-wlan-net] quit
[AC-wlan-view] nai-realm-profile name wlan-net
[AC-wlan-nai-realm-prof-wlan-net] nai-realm realm-name www.mobileA.com
[AC-wlan-nai-realm-prof-wlan-net] quit
[AC-wlan-view] venue-name-profile name wlan-net
[AC-wlan-ve-na-prof-wlan-net] venue-name language-code eng name Coffee
[AC-wlan-ve-na-prof-wlan-net] quit
[AC-wlan-view] roaming-consortium-profile name wlan-net
[AC-wlan-ro-co-prof-wlan-net] roaming-consortium-oi 50-6f-9a in-beacon
[AC-wlan-ro-co-prof-wlan-net] quit
[AC-wlan-view] hotspot2-profile name wlan-net
[AC-wlan-hotspot2-prof-wlan-net] network-type public-free internet-access
[AC-wlan-hotspot2-prof-wlan-net] undo p2p-cross-connect disable
[AC-wlan-hotspot2-prof-wlan-net] venue-type group-code 1 type-code 13
[AC-wlan-hotspot2-prof-wlan-net] hessid 60de-4476-e360
[AC-wlan-hotspot2-prof-wlan-net] ipv4-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] network-authen-type acceptance
[AC-wlan-hotspot2-prof-wlan-net] cellular-network-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] connection-capability-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operating-class-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-domain-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] nai-realm-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] venue-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] roaming-consortium-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] quit
Step 10 Apply the authentication profile and Hotspot 2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
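One way to review a saved or planned configuration offline against the binding rule in the steps above, as an added example that is not part of the Huawei guide: it lists profile references that are never defined and flags a VAP profile that carries a Hotspot 2.0 profile without a WPA2-802.1X security profile and an authentication profile with 802.1X access. The sample configurations are constructed from this example's commands; the one-space-per-level indentation of the saved file and the function names are assumptions.

```python
import re

# Constructed sample in saved-configuration layout (one space of indent per view
# level is an assumption); commands and names follow the Hotspot 2.0 example.
GOOD = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 access-domain huawei.com dot1x force
#
dot1x-access-profile name wlan-net
#
wlan
 security-profile name wlan-net
  security wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 roaming-consortium-profile name wlan-net
  roaming-consortium-oi 50-6f-9a in-beacon
 hotspot2-profile name wlan-net
  roaming-consortium-profile wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
  hotspot2-profile wlan-net
 ap-group name ap-group1
  vap-profile wlan-net wlan 1 radio all
"""

# Constructed faulty variant: PSK security, no authentication profile on the VAP,
# and a Hotspot 2.0 sub-profile reference that is never defined.
BAD = (GOOD
       .replace("  security wpa2 dot1x aes",
                "  security wpa2 psk pass-phrase EXAMPLE-ONLY aes")
       .replace("  authentication-profile wlan-net\n", "")
       .replace("  roaming-consortium-profile wlan-net",
                "  roaming-consortium-profile wlan-roam"))

DEFINE = re.compile(r"^(\S+) name (\S+)$")    # "<kind> name <n>" opens a view
REFER = re.compile(r"^(\S+-profile) (\S+)")   # "<kind>-profile <n>" binds a profile


def parse_blocks(text):
    """Map (kind, name) -> body lines of each named profile or AP group."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        # A separator, or a line at the same or a shallower level, closes the view.
        if line in ("", "#") or (current and indent <= depth):
            current = None
        if line in ("", "#"):
            continue
        m = DEFINE.match(line)
        if current is None and m:
            current, depth = (m.group(1), m.group(2)), indent
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def references(body):
    """(kind, name) pairs bound inside one block."""
    return [m.groups() for m in map(REFER.match, body)
            if m and m.group(2) != "name"]


def dangling_references(blocks):
    """References to profiles that are never defined.

    The guide states that the traffic profile 'default' is system-provided;
    treating every profile named 'default' as built in is an assumption.
    """
    return [(owner, ref) for owner, body in blocks.items()
            for ref in references(body)
            if ref not in blocks and ref[1] != "default"]


def hotspot_vap_findings(blocks):
    """Flag VAP profiles that bind a Hotspot 2.0 profile without 802.1X in place."""
    findings = []
    for (kind, name), body in blocks.items():
        refs = dict(references(body))
        if kind != "vap-profile" or "hotspot2-profile" not in refs:
            continue
        auth = blocks.get(("authentication-profile",
                           refs.get("authentication-profile")), [])
        if not any(l.startswith("dot1x-access-profile ") for l in auth):
            findings.append(f"vap-profile {name}: no authentication profile "
                            "with 802.1X access bound")
        sec = blocks.get(("security-profile", refs.get("security-profile")), [])
        if not any(l.startswith("security wpa2 dot1x") for l in sec):
            findings.append(f"vap-profile {name}: security profile is not "
                            "WPA2-802.1X")
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        blocks = parse_blocks(cfg)
        print(label, dangling_references(blocks), hotspot_vap_findings(blocks))
```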
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
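A scripted form of this check, as an added example that is not part of the Huawei guide: it parses the display vap table and reports VAPs that are not ON, rows that do not add up to the Total line, and VAPs whose Auth type does not contain the expected marker. Matching 802.1X types on the substring 802.1X and the function names are assumptions; run on the output printed above, it reports both VAPs, because their Auth type column reads WPA/WPA2-PSK.

```python
import re

# Output of "display vap ssid wlan-net" as printed in this guide.
SAMPLE = """\
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
"""

# One data row: the BSSID (xxxx-xxxx-xxxx) anchors the columns around it.
ROW = re.compile(
    r"^(?P<ap_id>\d+)\s+(?P<ap_name>.+?)\s+(?P<rf>\d+)\s+(?P<wid>\d+)\s+"
    r"(?P<bssid>(?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+(?P<status>\S+)\s+"
    r"(?P<auth>.+?)\s+(?P<sta>\d+)\s+(?P<ssid>.+)$")


def parse_vaps(output):
    """Return (rows, total): parsed data rows and the number on the Total line."""
    rows = [m.groupdict() for m in map(ROW.match, output.splitlines()) if m]
    total = re.search(r"^Total:\s*(\d+)", output, re.M)
    return rows, (int(total.group(1)) if total else None)


def audit_vaps(output, ssid, expect_auth="802.1X"):
    """List deviations from 'every VAP of <ssid> is ON and uses <expect_auth>'."""
    rows, total = parse_vaps(output)
    findings = []
    if total != len(rows):
        # A truncated capture or an unparsed row must not pass silently.
        findings.append(f"parsed {len(rows)} rows but Total line says {total}")
    for r in rows:
        where = f"AP {r['ap_id']} ({r['ap_name']}) radio {r['rf']} {r['bssid']}"
        if r["ssid"].strip() != ssid:
            findings.append(f"{where}: unexpected SSID {r['ssid'].strip()}")
        if r["status"] != "ON":
            findings.append(f"{where}: status {r['status']}, VAP not created")
        if expect_auth.upper() not in r["auth"].upper():
            findings.append(f"{where}: auth type {r['auth']}, "
                            f"expected {expect_auth}")
    return findings


if __name__ == "__main__":
    for finding in audit_vaps(SAMPLE, "wlan-net"):
        print(finding)
```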
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template wlan-radius
radius-server shared-key cipher %^%#Qm'::9R&'!ybA{8_>U.,$+k!BxwPmY}YUA+Q$&@C%^%#
radius-server authentication 10.23.102.1 1812 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme wlan-authen
authentication-mode radius local
domain huawei.com
authentication-scheme wlan-authen
radius-server wlan-radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
roaming-consortium-profile name wlan-net
V200R012C00  V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10  V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00  V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00  V200R007C10, V200R006C20, V200R006C10
V200R009C00  V200R006C20, V200R006C10
V200R008C00  V200R005C30, V200R005C20, V200R005C10
V200R007     V200R005C20, V200R005C10
V200R006     V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
Version Requirements
Table 21-2 Products and minimum version supporting WLAN air interface performance
Series Product Model Minimum Version Required
Feature Limitations
l Multicast-to-unicast conversion depends on the IGMP snooping function. Before
configuring multicast-to-unicast conversion, enable IGMP snooping.
l Multicast CAC depends on the function of converting multicast packets into unicast
packets, but cannot be configured together with the adaptive function of converting
multicast packets into unicast packets.
Maximum volume of multicast traffic allowed in a traffic profile          None
Maximum volume of unknown unicast traffic allowed in a traffic profile    None
Function of forbidding air interfaces to forward packets to bridging STAs Disabled
Function of converting multicast packets into unicast packets             Disabled
Context
Traffic limit configuration in a traffic profile can reduce unnecessary packet forwarding and
improve air interface performance.
Pre-configuration Tasks
Before configuring traffic limit, perform the task of 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
----End
Context
IGMP snooping is a basic Layer 2 multicast function that forwards and controls multicast
traffic at the data link layer. IGMP snooping runs on a Layer 2 device and analyzes IGMP
messages exchanged between a Layer 3 device and hosts to set up and maintain a Layer 2
multicast forwarding table. The Layer 2 device forwards multicast packets based on the Layer
2 multicast forwarding table.
Pre-configuration Tasks
Before configuring IGMP snooping, perform the task of 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run igmp-snooping enable
IGMP snooping is enabled in the traffic profile.
By default, IGMP snooping is disabled in a traffic profile.
Step 5 (Optional) Run igmp-snooping report-suppress
Suppression of IGMP Report and Leave messages is enabled in the traffic profile.
By default, IGMP Report and Leave message suppression is disabled in a traffic profile.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 8 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.
----End
Context
You can enable the function of converting multicast packets to unicast packets in scenarios
that have high requirements on multicast stream transmission, such as a high-definition video
on-demand scenario.
After the function is enabled, an AP listens on Report and Leave packets to maintain
multicast-to-unicast entries. When sending multicast packets to the client, the AP converts the
multicast packets to unicast packets based on the multicast-to-unicast entries to improve
multicast stream transmission efficiency.
After adaptive multicast-to-unicast conversion is enabled, when the air interface performance
becomes a bottleneck during multicast-to-unicast conversion, an AP automatically switches
the multicast group containing the minimum number of STAs to the multicast mode. After the
air interface performance is improved and keeps being improved for a period of time, the AP
automatically switches the multicast group containing the maximum number of STAs to the
unicast mode. In this way, the air interface performance is automatically adjusted without
manual intervention, improving wireless user experience.
Pre-configuration Tasks
Before configuring multicast-to-unicast conversion, complete the following tasks:
l 5 WLAN Service Configuration
l Layer 2 multicast configuration
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run traffic-optimize multicast-unicast enable
Multicast-to-unicast conversion is enabled in the traffic profile.
By default, the function of converting multicast packets to unicast packets is disabled in a
traffic profile.
Step 5 (Optional) Run undo traffic-optimize multicast-unicast dynamic-adaptive disable
Adaptive multicast-to-unicast conversion is enabled.
By default, adaptive multicast-to-unicast conversion is enabled in a traffic profile.
Step 6 Run quit
----End
Context
Multicast Call Admission Control (CAC) is a function that controls access of multicast users
based on various rules to ensure multicast service availability. You can configure CAC based
on multicast bandwidth or the number of multicast group memberships. These two CAC
modes are independent of each other and can be used independently or together.
l CAC based on multicast bandwidth
If the multicast bandwidth is insufficient, new users are prevented from joining multicast
groups.
l CAC based on the number of multicast group memberships
When the number of multicast group memberships reaches the maximum value, new
users are prevented from joining multicast groups.
Pre-configuration Tasks
Before configuring multicast CAC, complete the following tasks:
l 5 WLAN Service Configuration
l Multicast-to-unicast configuration. For details, see 21.5.2 Configuring Multicast-to-
Unicast Conversion.
Procedure
l Configure CAC based on multicast bandwidth.
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
----End
Context
After configuring multicast CAC, run the following command to check multicast CAC
statistics.
Procedure
l Run the display wlan igmp-snooping vap-cac { ap-id ap-id | ap-name ap-name }
command to check the multicast CAC configuration and statistics on a VAP.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Context
As shown in Figure 21-1, enterprise users can access the Internet through the WLAN to meet
the basic requirement of mobile office.
Video conference multicast sources are deployed on the WLAN to specially provide video
conference services. The multicast source IP address ranges from 225.1.1.1 to 225.1.1.5. The
administrator wants to configure multicast connection admission control (CAC) based on
multicast bandwidth to deny access of employees when the multicast bandwidth reaches the
upper limit, ensuring access quality of video conferences.
Figure 21-1 Networking for configuring multicast CAC based on multicast bandwidth
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the multicast-to-unicast function to convert multicast data packets to unicast
data packets, improving multicast data transmission efficiency.
3. Configure multicast CAC based on the multicast bandwidth to control access of
multicast users.
Item                                    Data
IP address pool for APs                 10.23.100.2-10.23.100.254/24
IP address pool for STAs                10.23.101.2-10.23.101.254/24
IP address segment of multicast groups  225.1.1.1-225.1.1.5
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
# Create AP system profile ap-system and configure the bandwidth to 2048 kbit/s for the IP
address segment of multicast groups ranging from 225.1.1.1 to 225.1.1.5.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-ap-system] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
As shown in Figure 21-2, enterprise users can access the Internet through the WLAN to meet
the basic requirement of mobile office.
Video conference multicast sources are deployed on the WLAN to specially provide video
conference services. The multicast source IP address ranges from 225.1.1.1 to 225.1.1.5. The
administrator wants to configure multicast connection admission control (CAC) based on the
number of multicast group memberships to deny access of employees when the number of
multicast group memberships reaches the upper limit, ensuring access quality of video
conferences.
Figure 21-2 Networking for configuring multicast CAC based on the number of multicast
group memberships
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the multicast-to-unicast function to convert multicast data packets to unicast
data packets, improving multicast data transmission efficiency.
3. Configure multicast CAC based on the number of multicast group memberships to
control access of multicast users.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.
# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
Step 9 Configure multicast CAC based on the number of multicast group memberships.
# Configure the maximum number of multicast group memberships to 20 for a VAP.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-user 20
[AC-wlan-traffic-prof-wlan-traffic] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
igmp-snooping enable
igmp-snooping max-user 20
traffic-optimize multicast-unicast enable
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
Purpose
Usually, an AC controls and manages a large number of APs and STAs on an AC + Fit AP network.
Once the CAPWAP link between the AC and an AP is disconnected, the AC is unable to provide
services for the STAs. Dual-link cold backup reduces the impact of a CAPWAP link failure on the
STAs, improving network reliability.
As shown in Figure 22-1, an active AC and a standby AC are deployed on the WLAN. The
AP establishes tunnels with the two ACs (CAPWAP Tunnel Setup), and periodically
exchanges CAPWAP packets with the ACs to monitor link status. The active AC controls access
from STAs. If the AP detects a fault on the link between the AP and the active AC, the AP requests
the standby AC to trigger an Active/Standby Switchover. The standby AC then becomes the
active AC to control access of STAs. After the original active AC is restored, the AP requests
the active and standby ACs to perform a Revertive Switchover. The restored AC becomes the
active AC again.
[Figure 22-1. Labels: Switch, AP, STA, CAPWAP primary tunnel, CAPWAP backup tunnel]
The number of allowed APs is calculated using the following formula: Number of allowed
APs = Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated using the following formula: Number of allowed STAs
= Maximum number of access STAs - Number of online STAs.
ii. If there is no primary AC, check backup ACs. If there is only one backup AC,
the AP selects this AC as the active AC. If there are multiple backup ACs, the
AP selects the AC with the lowest load as the active AC. If the loads are the
same, the AP selects the AC with the smallest IP address as the active AC.
iii. If there is no primary AC, compare AC priorities. The AP selects the AC with
the smaller priority value as the active AC.
iv. If the AC priorities are the same, the AP selects the AC with the lowest load as
the active AC.
v. When the loads are the same, compare the ACs' IP addresses, and select the
AC with the smaller IP address as the active AC.
2. Setting up the second tunnel with the other AC
To prevent repeated service configuration delivery, the AP starts to set up the second
tunnel only after the configuration of the first tunnel is complete.
a. The AP sends a Discovery Request message to the other AC in unicast mode.
b. The AC returns a Discovery Response message containing the IP addresses of
primary and backup ACs, dual-link backup flag, load, and priority to the AP.
c. The AP knows that the dual-link backup function is enabled after receiving the
Discovery Response message, and saves the priority of the AC.
NOTE
If the priority of this AC is higher than the priority of the other AC, the AP performs an active/
standby switchover only after the tunnel is set up.
d. The AP sends a Join Request message, notifying the AC that the configurations
have been delivered. After receiving the Join Request message, the AC sets up a
CAPWAP tunnel with the AP but does not deliver configurations to the AP.
e. After the second tunnel is set up, the AP selects the active and standby ACs again
based on the tunnel priorities.
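The selection order above, written out as an added example (not code from this guide or from Huawei). The first rule of the list is missing from this page, so treating primary ACs like backup ACs is an assumption, as are comparing load by the number of allowed APs and then allowed STAs, and the constructed addresses and capacities.

```python
"""Active-AC selection order described above (added example, not Huawei code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class DiscoveredAC:
    """What an AP learns about one AC from its Discovery Response."""
    ip: str
    priority: int                 # smaller value = higher priority
    max_aps: int
    online_aps: int
    max_stas: int
    online_stas: int
    role: Optional[str] = None    # "primary", "backup", or None if not designated

    @property
    def allowed_aps(self) -> int:
        # Number of allowed APs = maximum number of access APs - online APs
        return self.max_aps - self.online_aps

    @property
    def allowed_stas(self) -> int:
        # Number of allowed STAs = maximum number of access STAs - online STAs
        return self.max_stas - self.online_stas


def load_key(ac: DiscoveredAC):
    # Assumption: the AC that can still admit more APs is the less loaded one,
    # and allowed STAs break a tie. Negated so that min() prefers more headroom.
    return (-ac.allowed_aps, -ac.allowed_stas)


def ip_key(ac: DiscoveredAC) -> int:
    # Compare addresses numerically; as strings "10.23.200.10" sorts before
    # "10.23.200.9" and the wrong AC would win the final tie-break.
    return int(IPv4Address(ac.ip))


def select_active_ac(acs: List[DiscoveredAC]) -> DiscoveredAC:
    if not acs:
        raise ValueError("no AC answered the Discovery Request")
    # Designated ACs first: primary, then backup (lowest load, then smallest IP).
    # Handling primaries like backups is an assumption of this example.
    for role in ("primary", "backup"):
        designated = [ac for ac in acs if ac.role == role]
        if designated:
            return min(designated, key=lambda ac: (load_key(ac), ip_key(ac)))
    # No designated AC: priority value, then load, then IP address.
    return min(acs, key=lambda ac: (ac.priority, load_key(ac), ip_key(ac)))


# Constructed sample responses (addresses and capacities are made up).
AC_A = DiscoveredAC("10.23.200.9", 1, 16, 4, 512, 100)
AC_B = DiscoveredAC("10.23.200.10", 1, 16, 4, 512, 100)
AC_C = DiscoveredAC("10.23.200.3", 1, 16, 10, 512, 100)
AC_D = DiscoveredAC("10.23.200.4", 0, 16, 15, 512, 400)
AC_E = DiscoveredAC("10.23.200.5", 5, 16, 15, 512, 400, role="backup")

if __name__ == "__main__":
    for group in ([AC_B, AC_A], [AC_C, AC_B], [AC_A, AC_D], [AC_A, AC_D, AC_E]):
        print([ac.ip for ac in group], "->", select_active_ac(group).ip)
```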
Active/Standby Switchover
After setting up tunnels with the active and standby ACs, the AP sends Echo messages to
monitor tunnel status. The Echo messages contain the active/standby status of the tunnels.
When the AP detects that the primary tunnel has failed, it sends an Echo Request message
with the active flag to the standby AC. After receiving the Echo Request message, the standby
AC becomes the active AC, and the AP transfers STA data to this AC.
Revertive Switchover
The AP periodically sends Discovery Request messages to check whether the original primary
tunnel recovers. If the original primary tunnel has recovered, the AP switches STA data back
to this tunnel after a delay because this tunnel has a higher priority than the other one. To
prevent frequent switchovers caused by network flapping, the AP requests ACs to perform
revertive switchover after 20 Echo intervals, and then sends STA data to the new active AC.
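The switchover and revertive switchover timing described above, replayed over a constructed timeline as an added example (not code from this guide). The heartbeat defaults are the ones this guide gives for dual-link backup; counting consecutive unanswered Echo Requests, a healthy standby tunnel, and restarting the 20-interval count after a flap are assumptions of the example.

```python
"""AP-side failover and revertive switchover timing (added example)."""
from typing import List, Tuple

ECHO_INTERVAL_S = 25        # default CAPWAP heartbeat interval in this guide
ECHO_TIMES_DUAL_LINK = 3    # default detection count when dual-link backup is on
REVERT_HOLD_INTERVALS = 20  # revertive switchover after 20 Echo intervals


def simulate_links(primary_ok: List[bool],
                   interval_s: int = ECHO_INTERVAL_S,
                   times: int = ECHO_TIMES_DUAL_LINK,
                   hold: int = REVERT_HOLD_INTERVALS,
                   restore_enabled: bool = True) -> List[Tuple[int, str]]:
    """Replay one observation of the primary tunnel per Echo interval.

    Assumptions of this example: the tunnel is declared failed after `times`
    consecutive unanswered Echo Requests, the standby tunnel stays healthy, and
    a new failure during the hold-down restarts the count of good intervals.
    Returns (seconds since start, event) tuples.
    """
    active = "primary"
    missed = 0      # consecutive unanswered Echo Requests on the primary tunnel
    stable = 0      # consecutive good intervals seen while on the standby AC
    events = []
    for tick, ok in enumerate(primary_ok, start=1):
        now = tick * interval_s
        if active == "primary":
            missed = 0 if ok else missed + 1
            if missed >= times:
                active, stable = "standby", 0
                events.append((now, "switchover to standby AC"))
        elif restore_enabled:
            # With revertive switching disabled, traffic stays on the standby AC.
            stable = stable + 1 if ok else 0
            if stable >= hold:
                active, missed = "primary", 0
                events.append((now, "revertive switchover to primary AC"))
    return events


# Constructed timeline: 4 good intervals, 3 lost Echoes, 10 good intervals,
# one flap, then 20 good intervals.
TIMELINE = [True] * 4 + [False] * 3 + [True] * 10 + [False] + [True] * 20

if __name__ == "__main__":
    for seconds, event in simulate_links(TIMELINE):
        print(f"t={seconds:>4}s  {event}")
```

With the flap in the constructed timeline, the revert happens 20 good intervals after the flap rather than 20 intervals after the first recovery.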
V200R012C00: V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10: V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00: V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00: V200R007C10, V200R006C20, V200R006C10
V200R009C00: V200R006C20, V200R006C10
V200R008C00: V200R005C30, V200R005C20, V200R005C10
V200R007: V200R005C20, V200R005C10
V200R006: V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
l WLAN service configurations (for example, WMM profile, radio profile, radio, traffic
profile, security profile, and security policies) of the same AP must be consistent on the
active and standby ACs; otherwise, the AP cannot work properly after an active/standby
AC switchover.
l When an active/standby switchover is implemented between two ACs, STAs using open
system authentication remain connected to APs while STAs using other authentication
modes are disconnected and need to go online again.
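One way to check the first limitation before relying on a switchover, as an added example (not a Huawei tool): it compares the wlan block of the two ACs' saved configurations. The one-space and two-space indentation, the constructed sample configurations, and the decision to mask %^%# ciphertext rather than compare it (on the assumption that it need not be identical on both devices) are assumptions of the example.

```python
"""Compare the WLAN service configuration of an active and a standby AC."""
import re
from typing import Dict, List, Set, Tuple

CIPHER = re.compile(r"%\^%#.*?%\^%#")
# WLAN-view lines that are expected to differ between the two ACs.
PER_AC_PREFIXES = ("ac protect protect-ac", "ac protect priority")


def wlan_blocks(config_text: str) -> Dict[str, Set[str]]:
    """Map each WLAN-view line (profile header or single command) to its settings.

    Assumed layout: '#' separates top-level blocks, WLAN-view lines are
    indented by one space and the settings of a profile by two.
    """
    blocks: Dict[str, Set[str]] = {}
    in_wlan = False
    header = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text:
            continue
        if not raw.startswith(" "):            # '#' or the first line of a block
            in_wlan = (text == "wlan")
            header = None
            continue
        if not in_wlan:
            continue
        text = CIPHER.sub("<cipher>", text)    # ciphertext is masked, not compared
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 1:
            if text.startswith(PER_AC_PREFIXES):
                header = None
                continue
            header = text
            blocks.setdefault(header, set())
        elif header is not None:
            blocks[header].add(text)
    return blocks


def audit(active_cfg: str, standby_cfg: str) -> List[Tuple[str, str]]:
    """Return (WLAN-view line, finding) pairs; an empty list means no difference."""
    active, standby = wlan_blocks(active_cfg), wlan_blocks(standby_cfg)
    findings = []
    for header in sorted(set(active) | set(standby)):
        if header not in standby:
            findings.append((header, "missing on standby AC"))
        elif header not in active:
            findings.append((header, "missing on active AC"))
        else:
            for line in sorted(active[header] ^ standby[header]):
                side = "active" if line in active[header] else "standby"
                findings.append((header, f"only on {side} AC: {line}"))
            if any("<cipher>" in line for line in active[header] & standby[header]):
                findings.append((header, "secret stored as ciphertext: verify by hand"))
    return findings


# Constructed configurations; addresses, priorities and ciphertext are made up.
ACTIVE = """#
sysname AC1
#
wlan
 ac protect enable
 ac protect protect-ac 10.23.200.2
 ac protect priority 1
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
  traffic-optimize multicast-unicast enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#constructed-A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
#
return
"""
STANDBY = """#
sysname AC2
#
wlan
 ac protect enable
 ac protect protect-ac 10.23.200.1
 ac protect priority 2
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 10
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#constructed-B%^%# aes
#
return
"""

if __name__ == "__main__":
    for header, finding in audit(ACTIVE, STANDBY):
        print(f"{header}: {finding}")
```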
Context
Dual-link cold backup can be configured using either of the following methods:
l Global configuration: The dual-link backup parameters are configured in the AC's
WLAN view and delivered to all APs except the specified APs. You can use this method
to batch enable dual-link backup.
l AP-specific configuration: The dual-link backup parameters are configured in the AC's
AP system profile view and apply to all APs using the AP system profile. The
AP-specific configuration takes precedence over global configuration on the AC.
The following configurations must be performed on both the active and standby ACs.
Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the active and
standby ACs (for details, see 5 WLAN Service Configuration). The WLAN service
configurations of the active and standby ACs must be consistent.
Procedure
l Global configuration
a. Run system-view
The system view is displayed.
b. (Optional) Run capwap echo { interval interval-value | times times-value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
By default, if dual-link backup is enabled, the CAPWAP heartbeat detection
interval is 25s and the number of CAPWAP heartbeat detections is 3.
NOTE
l To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
interval to 25 seconds and set the number of heartbeat packet transmissions to at least 6.
If this configuration is not performed, the AC sends heartbeat packets 3 times at an
interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
result in user access failures.
l If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link reliability is
degraded. Exercise caution when you set the values. The default values are
recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ac protect protect-ac ip-address
The IP address of the standby AC is configured.
By default, no standby AC IP address is configured in the WLAN view.
e. Run ac protect priority priority
The priority of the local AC is configured.
By default, the AC priority in the WLAN view is 0.
NOTE
l The priority of the standby AC must be smaller than that of the active AC.
l A smaller value indicates a higher priority.
f. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.
NOTE
If global revertive switching is disabled on the original active AC, traffic of an AP cannot be
switched back to the original active AC when the link between the original active AC and
the AP is restored.
g. (Optional) Run ac protect cold-backup kickoff-station
STAs using open system authentication are configured to disconnect from APs
when an active/standby AC switchover is implemented.
By default, STAs using open system authentication remain connected to APs when
an active/standby AC switchover is implemented.
h. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP fault alarm suppression is disabled.
i. Run ac protect enable
By default, dual-link backup is disabled.
j. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.
NOTE
l If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
l If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name |
ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function take
effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.
l AP-specific configuration
a. Run system-view
The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
NOTE
l To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
interval to 25 seconds and set the number of heartbeat packet transmissions to at least 6.
If this configuration is not performed, the AC sends heartbeat packets 3 times at an
interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
result in user access failures.
l If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link reliability is
degraded. Exercise caution when you set the values. The default values are
recommended.
c. Run wlan
NOTE
l The priority of the standby AC must be smaller than that of the active AC.
l If priorities have been configured for the two ACs to which an AP connects, the AC with
higher priority becomes the active AC.
g. Run quit
Return to the WLAN view.
h. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.
NOTE
If global revertive switching is disabled on the original active AC, traffic of an AP cannot be
switched back to the original active AC when the link between the original active AC and
the AP is restored.
i. (Optional) Run ac protect cold-backup kickoff-station
STAs using open system authentication are configured to disconnect from APs
when an active/standby AC switchover is implemented.
By default, STAs using open system authentication remain connected to APs when
an active/standby AC switchover is implemented.
j. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP fault alarm suppression is disabled.
k. Run ac protect enable
By default, dual-link backup is disabled.
l. The AP system profile is bound to an AP group.
n Binding an AP system profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP group.
By default, the AP system profile default is bound to an AP group.
n Binding an AP system profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP.
By default, no AP system profile is bound to an AP.
m. Run quit
Return to the WLAN view.
n. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.
NOTE
l If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
l If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name |
ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function take
effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.
----End
Context
Traditionally, dual-link cold backup is configured by specifying IP addresses of the active and
standby ACs on each other and configuring AC priorities. The active and standby ACs are
then determined based on the priority. To simplify configuration logic, the new configuration
method allows you to specify the same primary and backup ACs for APs on the active and
standby ACs. The active AC is specified as the primary AC, and the standby AC as the
backup AC.
The following configurations must be performed on both the active and standby ACs.
NOTE
You cannot configure dual-link cold backup in both the traditional and new methods. Otherwise, the dual-link
cold backup function cannot take effect.
Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the active and
standby ACs (for details, see 5 WLAN Service Configuration). The WLAN service
configurations of the active and standby ACs must be consistent.
Procedure
Step 1 Run system-view
NOTE
l To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat interval to 25
seconds and set the number of heartbeat packet transmissions to at least 6. If this configuration is not
performed, the AC sends heartbeat packets 3 times at an interval of 25 seconds by default. This may
cause unstable WDS or mesh link status and result in user access failures.
l If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat
detections smaller than the default values, the CAPWAP link reliability is degraded. Exercise
caution when you set the values. The default values are recommended.
NOTE
l If the dual-link backup function is disabled, running the ac protect enable command restarts online
APs. After the APs are restarted, the dual-link backup function takes effect.
l If the dual-link backup function is enabled, running the ac protect enable command does not restart
online APs. You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } } command to restart the APs and
make the dual-link backup function take effect. You can also manually restart the APs to make the
dual-link backup function take effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the AP.
----End
Context
In dual-link cold backup or hot standby scenarios, an AP simultaneously sets up active and
standby links with active and standby ACs, respectively. If the active link is faulty, the AP
switches service traffic to the standby link and goes online on the standby AC. When the
active link recovers, the AP detects that this link has a higher priority than the other one and
triggers a revertive switchover. After 20 Echo intervals, the AP switches service traffic back
to the active AC.
l To enable an AP to preferentially switch service traffic to the active link, set the active/
standby link switchover mode to the priority mode.
l To allow an AP to use the more stable link, set the active/standby link switchover
mode to the network stabilization mode. When the condition for triggering an
active/standby link switchover is met, the AP preferentially switches service traffic to the
more stable link. In this case, whether an active/standby link switchover is performed
depends only on the stability of the links, not on their active and standby roles. You can
run the ac protect link-switch packet-loss { gap-threshold gap-threshold |
start-threshold start-threshold } command to configure the condition for triggering an
active/standby link switchover.
In dual-link cold backup and hot standby scenarios, the network stabilization of active and
standby links is determined based on the Echo packet loss rate. The active/standby link
switchover is performed when the following conditions are met:
1. APs collect statistics about the specified number of Echo packets forwarded through the
link in use at each interval and find that the calculated packet loss rate is higher than the
packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link, and the
difference between the two links' packet loss rates is higher than the packet loss rate
difference threshold.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run ac protect link-switch mode { priority | network-stabilization }
The active/standby link switchover mode is configured.
By default, the active/standby link switchover mode is the priority mode.
Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time
The number of Echo probe packets sent within a statistics collection interval is configured.
By default, the number of Echo packets sent within a statistics collection interval is 20.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-threshold
start-threshold }
The packet loss rate start and difference thresholds for an active/standby link switchover are
configured.
By default, the packet loss rate start and difference thresholds for an active/standby link
switchover are 20% and 15%, respectively.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind the AP system profile to an AP group or an AP.
• Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 22-3,
the AP in area A is directly connected to the switch, the enterprise deploys two ACs in bypass
mode, and the switch connects to the Internet through the egress route. The enterprise requires
that dual-link backup be used to improve data transmission reliability.
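[Figure 22-3: networking diagram, not reproduced. Area A contains the STA, the AP and the
switch; AC1 and AC2 connect to the switch in bypass mode, and the switch connects to the
Internet. Interface labels in the figure: GE0/0/1, GE0/0/2, GE0/0/3.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]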
Configuration Roadmap
1. Set up connections between the AC1, AC2, and other network devices. Configure the
switch as a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.
Item          Data
Active AC     AC1
              Local priority: 0
Standby AC    AC2
              Local priority: 1
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to
pass. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the
interfaces to allow packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1] country-code cn
[AC1-wlan-regulate-domain-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear
channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If
the State field displays nor, the AP has gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
# Create the security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
• The AC priority configuration determines the active and standby ACs. The AC with the higher priority
functions as the active AC, and the other functions as the standby AC. A smaller value indicates a higher
priority. When the AC priorities are the same, the AC with the maximum number of allowed APs is selected
as the active AC. When the numbers of allowed APs are the same, the AC with the maximum number of
allowed STAs is selected as the active AC. When the numbers of allowed APs and STAs are the same, the
AC with a smaller IP address is selected as the active AC.
• In this example, dual-link backup is configured using the AP-specific configuration method. You can also
use the global configuration method to configure dual-link backup in the WLAN view.
[AC1-wlan-view] ap-system-profile name ap-system1
[AC1-wlan-ap-system-prof-ap-system1] priority 0
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] quit
# On AC1, enable dual-link backup and revertive switchover globally, and restart all APs to
make the dual-link backup function take effect.
NOTE
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# On AC2, configure the AC2 priority and AC1 IP address in the AP system profile view to
implement dual-link backup.
[AC2-wlan-view] ap-system-profile name ap-system1
[AC2-wlan-ap-system-prof-ap-system1] priority 1
# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.
----End
Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-system-profile name ap-system1
priority 0
protect-ac ip-address 10.23.100.3
ap-group name ap-group1
ap-system-profile ap-system1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. As shown in
Figure 22-4, AP1 and AP2 in area A are directly connected to the switch, the enterprise
deploys two ACs in bypass mode, and the switch connects to the Internet through the egress
route. The enterprise requires that dual-link backup be used to improve data transmission
reliability.
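[Figure 22-4: networking diagram, not reproduced. Area A contains STA1, STA2, AP1, AP2 and
the switch; AC1 and AC2 connect to the switch in bypass mode, and the switch connects to the
Internet. Interface labels in the figure: GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]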
Configuration Roadmap
1. Set up connections between the AC1, AC2, and other network devices. Configure the
switch as a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.
Item          Data
Active AC     AC1
              Local priority: 0
Standby AC    AC2
              Local priority: 1
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that the switch function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN100 and
VLAN101 to pass. Set the link type of gigabitethernet0/0/2 and gigabitethernet0/0/3 on the
switch to trunk, and configure the interfaces to allow packets of VLAN100 to pass.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1] country-code cn
[AC1-wlan-regulate-domain-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure a name
for each AP based on its deployment location, so that you can know where the AP is
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1; if the AP with MAC address 60de-4474-9640 is deployed in area 2,
name the AP area_2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear
channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear
channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2
# Create the security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------
# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.
----End
Configuration Files
• Configuration file of the switch
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
return
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.3
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
• Configuration file of AC2
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.2 priority 1
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
Purpose
In public places where a large number of users exist in a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access services. It is common
for some large enterprises to have branches in different areas. These enterprises deploy ACs in
each branch to manage APs, providing WLAN access and e-mail services. These services
require only low network reliability and allow for temporary service interruption.
In some cases, the existing network cannot provide reliable network services. If an AC fails,
services on the AC are interrupted. To improve network reliability, an additional AC is
required to provide backup services. The network administrator expects to use an AC as a
backup of all ACs to reduce costs.
In dual-link cold backup mode, each active AC has an independent standby AC. Unlike dual-
link cold backup, N+1 backup uses a standby AC to provide backup services for multiple
ACs, which reduces device purchase costs.
NOTE
The ACs of different models can work in N+1 backup mode, but the ACs must use the same software version.
A standby AC can serve multiple active ACs of different models.
Active/Standby AC Selection
The procedure for setting up a CAPWAP link in AC N+1 backup networking is similar to the
procedure for setting up a CAPWAP link in common scenarios, except that the AP needs to
select the AC with the highest priority as the active AC in Discovery phase. For details, see
CAPWAP Tunnel Establishment in 5.2.4 AP Online Process.
In the Discovery phase, an AP sends a Discovery Request packet to find available ACs. After
receiving the packet, the AC returns a Discovery Response packet containing the IP addresses
of the primary and backup ACs, the N+1 backup flag, AC priorities, loads, and IP addresses.
Based on the information contained in the Discovery Response packet, the AP selects an active
AC to set up a CAPWAP link. The AP selects the active AC according to the following rules:
1. Check primary ACs on the AP. If there is only one primary AC, the AP selects it as the
active AC. If there are multiple primary ACs, the AP selects the AC with the lowest load
as the active AC. If the loads are the same, the AP selects the AC with the smallest IP
address as the active AC.
Compare AC loads, that is, numbers of access APs and STAs. The AP selects the AC
with the lowest load as the active AC. The number of allowed APs is compared ahead of
the number of allowed STAs. When the numbers of allowed APs are the same on ACs,
the AP selects the AC that can connect more STAs as the active AC.
NOTE
The number of allowed APs is calculated using the following formula: Number of allowed APs =
Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated following the formula: Number of allowed STAs =
Maximum number of access STAs - Number of online STAs.
2. If there is no primary AC, check backup ACs. If there is only one backup AC, the AP
selects this AC as the active AC. If there are multiple backup ACs, the AP selects the AC
with the lowest load as the active AC. If the loads are the same, the AP selects the AC
with the smallest IP address as the active AC.
3. If there is no backup AC, compare AC priorities and select the AC with a smaller
priority value as the active AC. A smaller priority value indicates a higher priority. For
details, see AC Priorities.
4. If the AC priorities are the same, the AP selects the AC with the lowest load as the active
AC.
5. Compare the ACs' IP addresses when the AC loads are the same, and select the AC with
the smallest IP address as the active AC.
NOTE
When planning an AC N+1 backup network, ensure that the active AC can be selected based on AC priorities
so that all APs can go online on the predefined active AC. Otherwise, the APs select the active AC based on
loads and IP addresses, and may not go online on the predefined active AC. Alternatively, ensure that a
specified primary AC or backup AC is selected as the active AC.
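The selection rules and the planning note above, modelled as an added example (this is not Huawei code). The field names, the individual priority 3 and the load figures are constructed, and "lowest load" is assumed to mean the most allowed APs, then the most allowed STAs.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DiscoveryResponse:
    """What an AP learns from one AC's Discovery Response (field names are hypothetical)."""
    name: str
    ip: IPv4Address
    priority: int                # smaller value = higher priority
    allowed_aps: int             # maximum access APs - online APs
    allowed_stas: int            # maximum access STAs - online STAs
    role: Optional[str] = None   # "primary" / "backup" for this AP, else None


def load_key(r: DiscoveryResponse) -> Tuple[int, int, int]:
    # Assumption: "lowest load" = most allowed APs, then most allowed STAs;
    # the smallest IP address breaks a remaining tie.
    return (-r.allowed_aps, -r.allowed_stas, int(r.ip))


def select_active_ac(responses: List[DiscoveryResponse]) -> DiscoveryResponse:
    if not responses:
        raise ValueError("no AC answered the Discovery Request")
    # Rules 1 and 2: a designated primary AC wins, then a designated backup AC.
    for role in ("primary", "backup"):
        group = [r for r in responses if r.role == role]
        if group:
            return min(group, key=load_key)
    # Rules 3 to 5: priority value, then load, then IP address.
    return min(responses, key=lambda r: (r.priority,) + load_key(r))


def check_plan(responses, planned_active, planned_standby) -> List[str]:
    """Compare where the AP would land with where the plan wants it."""
    problems = []
    chosen = select_active_ac(responses).name
    if chosen != planned_active:
        problems.append(f"all ACs up: AP selects {chosen}, plan says {planned_active}")
    # Simulate failure of the planned active AC and repeat the discovery.
    survivors = [r for r in responses if r.name != planned_active]
    fallback = select_active_ac(survivors).name if survivors else None
    if fallback != planned_standby:
        problems.append(f"{planned_active} down: AP selects {fallback}, plan says {planned_standby}")
    return problems


def ac(name, ip, priority, aps, stas, role=None):
    return DiscoveryResponse(name, IPv4Address(ip), priority, aps, stas, role)


# Constructed sample: responses AP_1 receives when it can discover all three ACs.
PLANNED = [
    ac("AC_1", "10.1.1.1", 3, 100, 2000),    # individual priority for AP_1
    ac("AC_2", "20.1.1.1", 6, 400, 8000),    # global priority
    ac("AC_3", "30.1.1.1", 5, 500, 10000),   # global priority (standby)
]
# Same ACs with every priority left at the default 0: load and IP decide.
FLAT = [replace(r, priority=0) for r in PLANNED]

if __name__ == "__main__":
    for label, responses in (("planned", PLANNED), ("flat", FLAT)):
        print(label, check_plan(responses, "AC_1", "AC_3") or "matches the plan")
```

With the flat priorities the AP goes online on the least-loaded AC rather than on AC_1, which is the outcome the note warns about.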
AC Priority
When receiving a Discovery Request packet from an AP, the AC checks whether an
individual priority has been specified for the AP. If not, the AC replies with a Discovery
Response packet carrying the global priority. If so, the AC replies with a Discovery Response
packet carrying the individual priority. It is recommended that the proper priorities be
configured on the active and standby ACs to control access of APs on the two ACs.
The following example illustrates the process of selecting an active AC. Assume that the APs
can discover all ACs in Figure 23-1.
[Figure 23-1: labels recovered from the figure: Standby AC_3, global priority 5]
... ...
If AC_1 or the CAPWAP link between AC_1 and AP_1 fails, and no standby AC is
designated, AP_1 sends new Discovery Request packets to obtain the priorities of the
remaining ACs. AC_2 returns global priority 6 and AC_3 returns global priority 5. AP_1
compares AC priorities and selects AC_3 with a higher priority as the standby AC to send an
association request.
Active/Standby Switchover
Normally, an AP sets up a CAPWAP link only with the active AC and periodically exchanges
heartbeat packets with the active AC to monitor the link status. When the AP detects a
heartbeat packet transmission timeout, it considers the link disconnected and sets up a
CAPWAP link with the standby AC. The AP sets up a CAPWAP link with the standby AC in
the following situations:
l If the IP address of the standby AC is configured on the active AC, the AP sets up a
CAPWAP link with the standby AC directly.
l If the IP address of the standby AC is not configured on the active AC, the AP
broadcasts Discovery Request packets to discover ACs and selects the standby AC to
establish a CAPWAP link.
After the CAPWAP link is established, the standby AC delivers configurations to the AP
again. To ensure that active and standby ACs deliver the same WLAN service configurations
to an AP, perform the same configurations on both ACs. In an active/standby switchover, the
AP selects the standby AC to set up a CAPWAP link and get online, and the standby AC
delivers configurations to the AP.
To ensure that the AP works properly after an active/standby switchover, the following
conditions must be met:
l The number of online APs supported by the standby AC cannot be smaller than the
number of online APs on any of the active ACs.
Assume that the standby AC supports 500 online APs. If an active AC that has 600
online APs becomes faulty, only 500 APs can go online on the standby AC. The
remaining APs are forced to go offline, and are unable to provide services for STAs.
l The total number of online APs on all active ACs cannot exceed the configurable
number of APs on the standby AC.
The configurable number of APs refers to the maximum number of APs supported by the
AC. Assume that the configurable number of APs is 1000 on the standby AC. If there are
300 online APs on AC_1 and 400 online APs on AC_2, a new active AC allows a
maximum of 300 online APs. That is because the APs on all active ACs must be added
on the standby AC and have their corresponding services configured on the standby AC.
In this way, the standby AC can maintain original services for the APs of any faulty
active AC.
If multiple ACs become faulty concurrently, not all APs managed by these ACs can go online
on the standby AC after the active/standby switchover. In Figure 23-2, there are 300 online
APs (from AP_1 to AP_300) on AC_1 and 400 online APs (AP_301 to AP_700) on AC_2.
AC_3 works as the standby AC and allows a maximum of 500 online APs.
[Figure 23-2: label recovered from the figure: Standby AC_3]
... ...
NOTE
l The value of N in N+1 backup depends on the configurable number of APs on the standby AC and the
number of APs managed by the N active ACs. The number of APs managed by the N active ACs cannot
exceed the configurable number of APs on the standby AC.
l The configurable number of APs refers to the maximum number of APs that can be added to the
AC.
l The number of APs managed by ACs refers to the actual number of online APs on the AC.
l The maximum number of online APs on the standby AC is determined by the license.
Revertive Switchover
After an AP sets up a CAPWAP link with the standby AC, the AP obtains the IP address of its
active AC from the standby AC and sends Primary Discovery Request packets at regular
intervals to detect the active AC status. After the active AC recovers, it returns a reply packet
to the AP. The packet carries the AC priority. When the AP receives the reply packet from the
active AC, the AP learns that the active AC has recovered and the active AC priority
contained in the packet is higher than the priority of the AC to which it is connected. If a
revertive switchover is enabled, a revertive switchover is triggered. To prevent frequent
switchovers caused by network flapping, the ACs perform a revertive switchover after a delay
time of 20 heartbeat intervals. As illustrated in Figure 23-3, the AP disconnects from the
current AC and sets up a new CAPWAP link with the active AC. At the same time, the AP
transfers STA data to the original active AC to release resources on the standby AC. The
standby AC then continues to provide backup services. During a revertive switchover, the AP
re-establishes a CAPWAP link with the active AC to get online, and the active AC delivers
configurations to the AP.
If a primary or backup AC is selected as the active AC, the active AC returns a reply packet to
the AP after it recovers. The AP then learns that the active AC has recovered from the reply
packet. If a revertive switchover is enabled, a revertive switchover is triggered.
... ...
Figure 23-4 N+1 backup networking (APs and ACs in different network segments)
[Figure labels: enterprise headquarters, standby AC_3 (30.1.1.1/24, global priority 5), DHCP server, Router_3, Internet; enterprise branch 1 with Router_1, active AC_1 (10.1.1.1/24, global priority 0), Switch_1, AP_1 and STA_1; enterprise branch 2 with Router_2, active AC_2 (20.1.1.1/24, global priority 0), Switch_2, AP_2 and STA_2]
and works as the standby AC of AP_1 and AP_2. When the network runs properly, AP_1 and
AP_2 set up CAPWAP links with AC_1 and AC_2 respectively. When the CAPWAP link
on AC_1 or AC_2 fails, AP_1 or AP_2 sets up a CAPWAP link with AC_3. AC_3 replaces
AC_1 or AC_2 to provide services for AP_1 or AP_2.
Each AP can establish a CAPWAP link with only one AC at one time.
Figure 23-5 N+1 backup networking (APs and ACs in the same network segment)
[Figure labels: standby AC_3 (10.1.1.10/24, global priority 5), AP_1, AP_2]
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00 | V200R007C10, V200R006C20, V200R006C10
V200R009C00 | V200R006C20, V200R006C10
V200R008C00 | V200R005C30, V200R005C20, V200R005C10
V200R007 | V200R005C20, V200R005C10
V200R006 | V200R005C00
Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.
Version Requirements
Feature Limitations
l WLAN service configurations (for example, radio profile, radio, traffic profile, security
profile, and security policies) of the same AP must be consistent on the active and
standby ACs; otherwise, the AP cannot work properly after an active/standby AC
switchover.
l All WLAN service configurations on the active AC must also be performed on the
standby AC.
l N+1 backup cannot be configured concurrently with dual-link backup.
l If multiple source interfaces are specified on an AC to connect to different APs, AP-
specific configuration must be used.
AC global priority 0
Pre-configuration Tasks
Before configuring N+1 backup, configure basic WLAN services on the active and standby
ACs (for details, see 5 WLAN Service Configuration). The WLAN service configurations on
the active and standby ACs must be consistent.
Configuration Procedure
The following configuration tasks can be performed in any sequence. 23.7.8 Enabling N+1
Backup is performed after all configuration tasks are complete.
Context
If an AP and the ACs are located in different network segments, the AP cannot discover the
ACs through broadcast after it obtains an IP address from the DHCP server. To address this
problem, configure Option 43 on the DHCP server to advertise AC IP addresses to the AP.
After Option 43 is configured, the AP unicasts Discovery Request packets to the IP addresses
carried in Option 43. If the IP addresses specified by Option 43 do not respond, the AP
broadcasts Discovery Request packets to request IP addresses of the ACs in the local network
segment. Option 43 only needs to carry addresses of the active and standby ACs for the AP
and does not carry irrelevant active ACs' IP addresses; otherwise, the AP may not connect to
the correct AC.
Usually, an independent device is used as a DHCP server. Perform correct configurations on
the selected DHCP server. The following example uses a Huawei router as a DHCP server.
Procedure
Step 1 Run system-view
The system view is displayed.
Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP determines AC
roles based on AC priorities. It selects the AC with a higher priority as the active AC and the
AC with a lower priority as the standby AC. The AP sets up a connection with the AC of the
specified IP address.
An AP can discover only two ACs. Therefore, you only need to configure a global priority for
each AC, so that the AP can determine the active and standby ACs by comparing their global
priorities.
Procedure
l Configure the active AC.
Perform the following configurations on the active AC:
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run ac protect protect-ac ip-address
The standby AC's IP address is configured in the WLAN view.
By default, no standby AC IP address is configured in the WLAN view.
d. Run ac protect priority priority
The global priority of the active AC is configured in the WLAN view.
By default, the AC priority in the WLAN view is 0.
NOTE
The global priority of the standby AC must be lower than that of the active AC.
A smaller priority value indicates a higher priority.
l Configure the standby AC.
Perform the following configurations on the standby AC:
a. Run system-view
NOTE
The global priority of the standby AC must be lower than that of the active AC.
A smaller priority value indicates a higher priority.
d. Run ap-system-profile name profile-name
If multiple APs have the same active AC, configure the active AC's IP address for
the APs on the standby AC in the AP system profile, and bind the AP system
profile to an AP group.
f. Run quit
----End
Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP determines AC
roles based on AC priorities. It selects the AC with a higher priority as the active AC and the
AC with a lower priority as the standby AC. The AP sets up a connection with the AC of the
specified IP address.
An AP may discover more than two ACs. In this case, if you only configure a global priority
for each AC, the AP selects the AC with the highest global priority as the active AC, and
therefore may select an incorrect active AC.
To ensure that the AP connects to the predefined active AC or standby AC, configure both the
global priority and individual priority on the active AC, and configure only the global priority
on the standby AC. Ensure that the ACs' priorities meet the following requirements: active
AC's individual priority > standby AC's global priority > active AC's global priority.
If a global priority and an individual priority are both configured for an AP on the AC, the AC
preferentially delivers the individual priority to the AP.
Procedure
l Configure the active AC.
a. Run system-view
NOTE
Ensure that the ACs' priorities meet the following requirements: active AC's individual priority >
standby AC's global priority > active AC's global priority.
A smaller priority value indicates a higher priority.
e. Run ap-system-profile name profile-name
NOTE
Ensure that the ACs' priorities meet the following requirements: active AC's individual
priority > standby AC's global priority > active AC's global priority.
After you configure the AC's individual priority in the AP system profile, bind the
AP system profile to an AP group.
g. Run quit
a. Run system-view
NOTE
Ensure that the ACs' priorities meet the following requirements: active AC's individual priority >
standby AC's global priority > active AC's global priority.
d. Run ap-system-profile name profile-name
If multiple APs have the same active AC, configure the active AC's IP address for
the APs on the standby AC in the AP system profile, and bind the AP system
profile to an AP group.
f. Run quit
Return to the WLAN view.
g. The AP system profile is bound to an AP group.
n Binding an AP system profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP group.
By default, the AP system profile default is bound to an AP group.
n Binding an AP system profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP.
By default, no AP system profile is bound to an AP.
----End
Context
Traditionally, N+1 backup is configured by specifying IP addresses of the active and standby
ACs on each other and configuring AC priorities. The active and standby ACs are then
determined based on the priority. To simplify configuration logic, the new configuration
method allows you to specify the same primary and backup ACs for APs on the active and
standby ACs. The active AC is specified as the primary AC, and the standby AC as the
backup AC.
More than two ACs may exist on the N+1 backup network. Each AP has only one active AC
and one standby AC planned. You only need to create the same AP system profile on the
active and standby ACs, and specify active and standby ACs as the primary and backup ACs
respectively in the AP system profile.
You are advised to create different AP system profiles on different active ACs. Otherwise, the
standby AC cannot identify AP system profile configurations, causing incorrect
configurations.
The following configurations must be performed on both the active and standby ACs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
Step 9 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group |
ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.
NOTE
l If the dual-link backup function is disabled, running the ac protect enable command restarts online
APs. After the APs are restarted, the dual-link backup function takes effect.
l If the dual-link backup function is enabled, running the ac protect enable command does not restart
online APs. You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } } command to restart the APs and
make the dual-link backup function take effect. You can also manually restart the APs to make the
dual-link backup function take effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the AP.
----End
Context
After an active/standby AC switchover, the standby AC replaces the active AC and sets up a
CAPWAP link with the AP to provide services. The AP periodically sends Primary Discovery
Request packets to detect active AC status. If revertive switchover is enabled on the standby
AC, the AP triggers a revertive switchover when it detects that the active AC recovers. The
AP disconnects from the current AC and sets up a new CAPWAP link with the active AC.
Resources on the standby AC are released and the standby AC then continues to provide
backup services.
Procedure
Step 1 Run system-view
NOTE
If revertive switchover is disabled on the standby AC, traffic of an AP cannot be switched back to the
original active AC even when the link between the original active AC and the AP restores.
----End
Context
As defined by CAPWAP, an AP and AC periodically exchange packets to maintain
connectivity of the data channel and management channel. If the AP or AC does not receive
any response from each other after CAPWAP heartbeat packets are sent for the specified
number of times, the AP and AC consider the link between them disconnected.
Procedure
Step 1 Run system-view
The CAPWAP heartbeat detection interval and number of heartbeat packet transmissions are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of CAPWAP
heartbeat detections is 6.
By default, if dual-link backup is enabled, the CAPWAP heartbeat detection interval is 25s
and the number of CAPWAP heartbeat detections is 3.
NOTE
If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat detections smaller
than the default values, the CAPWAP link reliability is degraded. Exercise caution when you set the values.
The default values are recommended.
----End
Context
In N+1 backup scenarios, APs set up links only with the primary ACs. When a link between
an AP and a primary AC fails, the AP sets up a link with the backup AC and goes online on
the backup AC. When the primary AC is recovered, a revertive switchover is triggered. The
AP switches the link back to the primary AC after 20 echo intervals.
l To enable an AP to preferentially switch service traffic to the active link, set the active/
standby link switchover mode to the priority mode.
l To allow an AP to use a link with high network stabilization, set the active/standby link
switchover mode to the network stabilization mode. When the condition for triggering an
active/standby link switchover is met, the AP preferentially switches service traffic to the
link on a network with higher network stabilization. In this case, whether an active/
standby link switchover is performed is only related to the network stabilization of links
but not related to the active and standby roles of links. You can run the ac protect link-
switch packet-loss { gap-threshold gap-threshold | start-threshold start-threshold }
command to configure the condition for triggering an active/standby link switchover.
In N+1 backup scenarios, the network stabilization of the link between an AP and the current
AC is determined by the Echo packet loss rate, and that of the link between the AP and
another AC is determined by the Primary Discovery packet loss rate. The active/standby link
switchover is performed when the following conditions are met:
1. APs collect statistics about Echo or Primary Discovery packets and find that the
calculated packet loss rate is higher than the packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link, and the
difference between the two links' packet loss rates is higher than the packet loss rate
difference threshold.
Procedure
Step 1 Run system-view
----End
Context
After all N+1 backup configurations are complete, enable N+1 backup and then restart all
APs to make the function take effect.
Procedure
Step 1 Run system-view
Step 4 (Optional) Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
All APs are restarted to make the N+1 backup function take effect.
NOTE
If N+1 backup is enabled, running the undo ac protect enable command does not restart online APs.
You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-
group | ap-type { type type-name | type-id type-id } } command to restart the APs and make the N+1
backup function take effect. You can also manually restart the APs to make the N+1 backup function
take effect.
If the N+1 backup function is disabled, running the undo ac protect enable command restarts online
APs. After the APs are restarted, the N+1 backup function starts to take effect.
If an AP goes online after N+1 backup is enabled, you do not need to restart the AP.
----End
Procedure
l Run the display ac protect command to check the N+1 backup status, AC revertive
switchover status, the AC's global priority, and the standby AC's IP address.
l Run the display ap-system-profile { all | name profile-name } command to check the
AC's individual priority for a specific AP and the standby AC's IP address.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.
Networking Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services require low
network reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to reduce cost. In this scenario, the enterprise can deploy a high
performance AC at the headquarters as a standby AC to provide backup services for active
ACs in the branches.
In Figure 23-6, AC_1 in branch 1 and AC_2 in branch 2 are both active ACs, and
respectively provide services for AP_1 and AP_2. AC_3 in the headquarters serves as the
standby AC of AC_1 and AC_2. AC_1 connects to the Network through Router_1 and
connects to AP_1 through Router_1 and Switch_1; AC_2 connects to the Network through
Router_2 and connects to AP_2 through Router_2 and Switch_2; AC_3 connects to the
Network through Router_3. All ACs belong to different network segments. APs and ACs are
also located in different network segments. Router_3 functions as a DHCP server to allocate
IP addresses to APs and STAs. When the CAPWAP link on AC_1 or AC_2 fails, AC_3 is
expected to replace AC_1 or AC_2 to continue serving the APs.
Eth2/0/1
Router_3
VLANIF 200:
10.23.200.1/24
Eth2/0/0
Network
Eth2/0/1 Eth2/0/1
GE1/0/1 GE1/0/1
Router_1 Router_2
Active AC_1 Eth2/0/0 Eth2/0/0 Active AC_2
VLANIF 201: GE0/0/2 GE0/0/2 VLANIF 202:
10.23.201.1/24 10.23.202.1/24
Global priority: 0 Global priority: 0
GE0/0/1 Switch_1 Switch_2 GE0/0/1
Enterprise Enterprise
branch 1 branch 2
AP_1 AP_2
STA_1 STA_2
Management Management
VLAN: 99 VLAN: 100
Service VLAN: 101 Service VLAN: 102
Configuration Roadmap
1. Set up connections between each AC and other network devices. Configure Router_3 as
a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
AP group AC_1:
l Name: ap-group1
l Country code: CN
AC_2:
l Name: ap-group2
l Country code: CN
AC_2:
l Name: wlan-net1
l SSID name: wlan-net1
Item Data
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101, VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit
# On AC_2, create VLAN 102, VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to AC_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the PVID of GE0/0/1 is VLAN
99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to AC_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102. See Switch_1 for the detailed
configuration procedure.
# Configure reachable routes between AC_1 and AC_3, AP_1 and AC_3, AC_2 and AC_3,
and between AP_2 and AC_3. Perform the configurations according to networking
requirements. The configuration procedure is not provided here.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2
# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2
# Configure Router_3 as the DHCP server to allocate IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
allocate IP addresses to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA_1 from sta_1_pool, and to STA_2 from sta_2_pool.
NOTE
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, and the APs may be unable to connect to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
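The NOTE above requires that each AP pool advertise only its own active AC plus the standby AC_3. The following check of a saved DHCP configuration is an added example, not part of the Huawei guide; the configuration text is constructed from this example's values, and the PLAN structure and function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the AP and STA pools as they appear in the Router_3
# configuration of this example.
ROUTER_3_CONFIG = """\
ip pool ap_1_pool
 gateway-list 10.23.99.1
 network 10.23.99.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
"""

# Constructed failure case: both AP pools advertise every AC, which is
# equivalent to AP_1 and AP_2 sharing one pool.
SHARED_AC_LIST_CONFIG = re.sub(
    r"(option 43 sub-option 2 ip-address) .+",
    r"\1 10.23.201.1 10.23.202.1 10.23.203.1",
    ROUTER_3_CONFIG,
)

# Hypothetical plan structure: one active AC per AP pool plus the standby AC_3.
PLAN = {
    "ap_1_pool": {"active": "10.23.201.1", "standby": "10.23.203.1"},
    "ap_2_pool": {"active": "10.23.202.1", "standby": "10.23.203.1"},
}


def parse_pools(config):
    """Return {pool: {"network": IPv4Network | None, "acs": [str, ...]}}."""
    pools, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip pool "):
            current = pools.setdefault(line.split()[2], {"network": None, "acs": []})
        elif line in ("", "#", "return"):
            current = None  # end of the current configuration stanza
        elif current is None:
            continue
        elif m := re.fullmatch(r"network (\S+) mask (\S+)", line):
            current["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"option 43 sub-option 2 ip-address (.+)", line):
            # ip_address() rejects malformed entries instead of passing them on.
            current["acs"] = [str(ipaddress.ip_address(a)) for a in m[1].split()]
    return pools


def audit_pools(pools, plan):
    """Return a list of findings; an empty list means the pools match the plan."""
    findings = []
    actives = {entry["active"] for entry in plan.values()}
    known = actives | {entry["standby"] for entry in plan.values()}
    ap_pools = {name: p for name, p in pools.items() if p["acs"]}
    for name in plan:
        if name not in ap_pools:
            findings.append(f"{name}: planned AP pool has no Option 43 AC list")
    for name, pool in ap_pools.items():
        advertised = set(pool["acs"])
        entry = plan.get(name)
        own_active = {entry["active"]} if entry else set()
        if entry is None:
            findings.append(f"{name}: advertises ACs but is not in the plan")
        else:
            for role in ("active", "standby"):
                if entry[role] not in advertised:
                    findings.append(f"{name}: {role} AC {entry[role]} is not advertised")
        for ac in sorted((advertised & actives) - own_active):
            findings.append(f"{name}: advertises {ac}, the active AC of another pool")
        for ac in sorted(advertised - known):
            findings.append(f"{name}: advertises {ac}, which is not a planned AC")
    names = sorted(ap_pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a, net_b = ap_pools[a]["network"], ap_pools[b]["network"]
            if net_a and net_b and net_a.overlaps(net_b):
                findings.append(f"{a} and {b}: networks {net_a} and {net_b} overlap")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as documented", ROUTER_3_CONFIG),
                       ("shared AC list", SHARED_AC_LIST_CONFIG)):
        print(label, "->", audit_pools(parse_pools(cfg), PLAN) or "no findings")
```

An Option 43 entry that is not a planned AC is reported separately, because an AP will attempt discovery against any address the DHCP server hands it.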
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name domain1
[AC_1-wlan-regulate-domain-domain1] country-code cn
[AC_1-wlan-regulate-domain-domain1] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.99.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-security
[AC_1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-vap
[AC_1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC_1-wlan-vap-prof-wlan-vap] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-vap to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create the security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-security
[AC_2-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-security] quit
# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-vap1
[AC_2-wlan-vap-prof-wlan-vap1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC_2-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-vap1] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-vap1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name domain1
[AC_3-wlan-regulate-domain-domain1] country-code cn
[AC_3-wlan-regulate-domain-domain1] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit
# Run the display ap all command on the AC to check the AP running status. The
command output shows that area_1 and area_2 are both in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
idle : idle [2]
------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 -
------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_3-wlan-view] security-profile name wlan-security
[AC_3-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create the SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create the AP system profile ap-system1 and configure the IP address of the standby
AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit
# Create the AP system profile ap-system2 and configure the IP address of the standby
AC.
[AC_3-wlan-view] ap-system-profile name ap-system2
[AC_3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system2] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-vap
[AC_3-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC_3-wlan-vap-prof-wlan-vap] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-vap] quit
# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-vap1
[AC_3-wlan-vap-prof-wlan-vap1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC_3-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-vap1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group1] quit
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
...
------------------------------------------------------------
# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
...
[AC_3-wlan-view] display ap-system-profile name ap-system2
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
...
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.
----End
Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return
• Switch_2 configuration file
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 101 201
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source interface Vlanif201
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#hgEp#@>
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
• AC_3 configuration file
#
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
capwap source interface vlanif203
#
wlan
ac protect priority 5
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-security
vap-profile name wlan-vap1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-security
regulatory-domain-profile name domain1
ap-system-profile name ap-system1
protect-ac ip-address 10.23.201.1
ap-system-profile name ap-system2
protect-ac ip-address 10.23.202.1
ap-group name ap-group1
ap-system-profile ap-system1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-group name ap-group2
ap-system-profile ap-system2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
return
• Router_3 configuration file
#
sysname Router_3
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
return
Scenario Overview
In shopping malls, supermarkets, and other retail scenarios, many stores use printed shelf
labels to mark commodity prices. This approach has the following disadvantages:
• Manual label maintenance has high costs and low efficiency.
• Manual label maintenance is prone to errors, which may lead to customer complaints.
To address these problems, Huawei offers the Smart Retail-Electronic Shelf Label (ESL)
Solution. In this solution, ESLs are used instead of printed labels, and ESL information is
maintained and updated in a background ESL management system.
Solution Benefits
This solution provides the following benefits:
• Reduces ESL maintenance and update costs, saves shelf label update costs, and increases
business profits.
• Implements automatic ESL management, and improves management and maintenance
efficiency.
• Minimizes the maintenance error rate and reduces customer complaints.
• Reuses a WLAN as an ESL network, reducing the ESL network deployment and
maintenance costs, and facilitating central network management by administrators.
Networking Architecture
As shown in Figure 24-1, the networking architecture of the ESL Solution consists of the
terminal, access, pipe, and service application layers.
[Figure 24-1: diagram showing the ESL management system and ERP system at the service application layer; the AC, switch, and AP at the pipe layer; and ESLs at the terminal layer]
• Terminal layer
ESLs installed on shelves are deployed at this layer.
ESLs, typically made of electronic paper or liquid crystal displays (LCDs), display
commodity information. ESLs with built-in radio modules automatically obtain ESL
information over radios from the AP, and update information to be displayed.
• Access layer
ESL cards are deployed at this layer.
An ESL card is a type of Internet of Things (IoT) card used in the ESL Solution. ESL
cards are used to receive and cache ESL update tasks delivered by the ESL management
system.
• Pipe layer
Network devices such as APs, ACs, and switches are deployed at this layer.
The pipe layer only forwards packets from ESLs and ensures interworking between the
ESL cards and ESL management system, but does not parse or handle the packets. APs
at the bottom of the pipe layer provide slots for ESL cards.
• Service application layer
The Enterprise Resource Planning (ERP) system and ESL management system are
deployed at this layer.
The ERP system is business management software that integrates physical resource
management (logistics), human resources management (HR flows), financial
resource management (financial flows), and information resource management
(information flows). In scenarios where ESLs are used, an ERP system is typically used
to manage commodity prices.
An ESL management system consists of an ESL server and a system platform, and is
interconnected with an ERP system to synchronize data from the ERP system and deliver
ESL update tasks to ESL cards. The ESL server manages ESL cards, ESLs, and ESL
update plans, and provides a graphical user interface (GUI).
Involved Products
[Figure: HQ and branch store networking; labels: ERP system, routers, AC, switches, ESL management system, APs, ESL cards, ESLs]
Phase 1
In phase 1, ESL cards are initialized, ESLs are registered with the ESL management system,
and ESL IDs are associated with commodity codes.
The implementation mode of the ESL management system varies depending on vendors. The
following uses Century's ESL management system as an example.
1. The ESL management system is directly connected to ESL cards at Layer 2, and sends
broadcast requests. After receiving the broadcast requests, ESL cards reply with their
own IDs.
2. After the ESL management system receives the ESL card IDs, the administrator
configures IP addresses for the ESL cards on the GUI of the ESL management system.
3. The ESL management system then assigns the IP addresses to the ESL cards for
initialization.
4. ESLs proactively send registration requests to ESL cards. The ESL cards receive and
send the registration requests to the ESL management system.
5. After receiving the registration requests, the ESL management system allows the ESLs
to register.
After the ESLs are registered, the ESL management system learns the ESL IDs and the
IDs of the ESL cards that manage the ESLs. In this way, after the ESL IDs are associated
with commodity codes, the ESL management system can deliver ESL update tasks to
correct ESLs.
6. Use a handheld scanner to scan ESL IDs and commodity codes for association, or
manually associate them in the ESL management system.
Phase 2
ESL information is updated in phase 2, as shown in Figure 24-3.
[Figure 24-3: HQ and branch store networking with steps 1 to 3 marked; labels: ERP system, routers, AC, switches, ESL management system, APs, ESL cards, ESLs]
1. The ERP system at the headquarters is used to maintain and update commodity price
information. The ESL management system at the branch store sends data update requests
to the ERP system, and obtains updated commodity information such as the commodity
code and price.
2. After obtaining updated information, the ESL management system delivers ESL update
tasks to ESL cards as planned. ESL cards cache task data and wait for ESLs to initiate
ESL update requests.
3. To save energy and prolong the service life of batteries, ESLs' radio modules are
activated periodically. Within the activation period, ESLs proactively send requests to
ESL cards to query whether ESL update tasks are available. If so, the ESLs obtain data
and update information to be displayed. If not, the ESLs' radio modules remain in the
sleep state until the next activation period.
In the current ESL solution, ESLs and ESL cards exchange packets with each other using
2.4 GHz radio frequency identification (RFID) technology.
The ESL management system uses 2.4 GHz RFID technology on the wireless side, which
leads to interference with 2.4 GHz Wi-Fi signals. However, the ESL update service and
common WLAN services do not affect each other because they usually do not run at the same
time in actual scenarios.
• In most cases, ESL information is updated in non-business hours to prevent ESL
information update from affecting normal business and avoid customer complaints.
• ESL information update during business hours rarely happens. Such a scenario may exist
only in small stores with only tens of ESLs and a small service data volume, such as
bakeries. ESL information update takes a short time, so the interference time is short.
Installing ESLs
Install ESLs according to related documents obtained from the ESL vendor. The detailed
operations are not described in this document.
After ESLs are installed, verify that the ESLs are intact and battery covers are secured. Read
the ESL user manual before using the ESLs.
Configure network connectivity.
Configure interconnection of components.
5. Associate ESL IDs with commodity codes to enable ESLs to uniquely identify
commodities.
6. Configure ESL services including management and update of commodity prices.
Configuring Interworking Between the ESL Cards and ESL Management System
Configure interworking of ESL cards, APs, and the ESL management system, so that the ESL
management system can connect to and exchange packets with ESL cards inserted into the
APs.
You can only configure Layer 2 interworking between the ESL cards and ESL management
system because the ESL management system can discover ESL cards only by sending Layer 2
network broadcast packets. For details on how to configure interworking between ESL cards
and APs, see 24.5.4.1 Configuring Interworking Between ESL Cards and APs. Configure
interworking between the ESL management system and APs based on the actual network
conditions.
Context
After network interworking is configured, configure the APs to go online on the AC, so that
the AC can deliver configurations to the APs, such as configurations for interworking
between ESL cards and APs, and wireless service coverage configurations.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Procedure
Step 1 Run system-view
A VLAN is created.
An IP address and a subnet mask are configured for the VLANIF interface.
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
A regulatory domain profile is created and the regulatory domain profile view is displayed.
----End
Context
The WLAN network and ESL network can be multiplexed and integrated into one network.
This reduces network deployment and maintenance costs, and helps administrators centrally
manage the networks.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure wireless coverage services.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
In smart retail scenarios where ESLs are used, the ESLs use 2.4 GHz RFID technology to
interwork with ESL cards, and the ESL cards interwork with APs through Ethernet interfaces.
ESLs exchange data with an ESL server through ESL cards, APs, and the upper-layer
network. Interworking between ESLs and ESL cards does not need to be configured on a
WLAN. Interworking between ESL cards and APs needs to be configured.
Perform the following configurations on an AC:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 (Optional) Set the connection type between IoT cards and APs to Ethernet.
Perform this configuration in either the AP system profile view or IoT card interface view.
The configuration has the highest priority in the IoT card interface view of an AP, a lower
priority in the IoT card interface view of an AP group, and the lowest priority in the AP
system profile view.
1. Run the ap-system-profile name profile-name command to create an AP system profile
and enter the AP system profile view.
By default, the system provides the AP system profile default.
2. Run the card connect-type ethernet command to set the connection type between IoT
cards and APs to Ethernet.
By default, IoT cards communicate with APs through serial interfaces.
3. Run the quit command to return to the WLAN view.
Step 4 Run wired-port-profile name profile-name
An AP wired port profile is created, and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
By default, an AP wired interface allows packets from all VLANs to pass. The wired interface
is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.
----End
Registering ESLs
After ESL cards are initialized, registration requests sent by ESLs are forwarded by ESL cards
to the ESL management system. After the ESL management system receives the registration
requests, register the ESLs in the ESL management system.
Register ESLs according to related documents obtained from the ESL management system
vendor. The detailed operations are not described in this document.
To adjust prices or lower prices for promotion, administrators handle commodities and
commodity codes on the ESL management system, but do not directly handle ESLs. The
customer's ERP system does not contain ESL information. Therefore, before using the ESL
management system, associate ESL IDs with commodity codes, so that commodity price
update tasks can be delivered to correct ESLs.
Administrators can manually associate ESL IDs with commodity codes in the ESL
management system. However, this method is not suitable for associating a large number of
ESL IDs with commodity codes. For example, when a shopping mall deploys the ESL
management system for the first time, all ESL IDs need to be associated with commodity
codes. In this case, it is recommended that handheld scanners be used to scan ESL IDs and
commodity codes for association. Associate ESL IDs with commodity codes according to
related documents obtained from the ESL vendor. The detailed operations are not described in
this document.
Service Requirements
A supermarket wants to deploy a network to expand IoT applications while providing the
wireless network access service to display and manage commodity prices using ESLs.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
[Figure: networking diagram for this example; labels: ERP system, router, ESL management system, AC, switch, AP, card, STA, ESL; interface labels: GE0/0/1, GE0/0/2, GE0/0/3, GE0]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, AP, and switch.
2. Configure the AP to go online.
3. Configure WLAN service parameters.
4. Configure interworking between the ERP system and ESL management system.
5. Configure interworking between the ESL management system and ESLs.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch, and add GE0/0/1 and GE0/0/2 on the switch to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Configure the AC, and add GE0/0/1 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is located by its name. For example, if the AP with MAC address 60de-4476-e360 is deployed
in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password is set to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create radio profile wlan-radio2g and configure the VAP to be disabled from 23:00 to 6:00.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] auto-off service start-time 23:00:00 end-time 6:00:00
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP. Bind radio profile wlan-radio2g to the radios.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
Step 6 Configure interworking between the ERP system and ESL management system. The detailed
operations are not described here.
Step 7 Configure Layer 2 interworking between the ESL card and ESL management system.
# Add GE0/0/3 on the switch connected to the ESL management system to VLAN 102.
[Switch] vlan batch 102
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 102
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/3] quit
# Set the connection type between the AP and ESL card to ethernet, and add the interface on
the AP connected to the ESL card to VLAN 102.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] card connect-type ethernet
[AC-wlan-ap-system-prof-ap-system] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired2] vlan pvid 102
[AC-wlan-wired-port-wired2] vlan untagged 102
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] wired-port-profile wired2
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
Step 8 Initialize the ESL card, register ESLs, associate ESL IDs with commodity codes, and
configure ESL services. For detailed operations, see the operation guides provided by
vendors, which are not described here.
Step 9 Verify the configuration.
# The WLAN service configuration is automatically delivered to the AP after it is completed.
Run the display vap ssid wlan-net command. If Status in the command output is displayed
as ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------
0     area_1  0    1    60DE-4476-E360 ON      WPA/WPA2-PSK  1     wlan-net
0     area_1  1    1    60DE-4476-E370 ON      WPA/WPA2-PSK  0     wlan-net
--------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
ap-name area_1
ap-group ap-group1
#
return
Scenario Overview
In healthcare scenarios, hospitals want to use technology to implement infusion
management and infant abduction prevention, avoiding major medical malpractice and security
accidents and improving hospitals' management capabilities and patient satisfaction.
Additionally, hospitals need to manage important medical assets. Manual asset management
and inventory are time-consuming and expensive, and make assets difficult to locate. Hospitals also
want to use technology for asset location and management to reduce management
costs and complexity.
To meet the requirements in such scenarios, Huawei offers the Smart Healthcare - Healthcare
IoT Solution to add people and things to the Internet of Things (IoT), implementing infant
abduction prevention, infusion management, and medical asset management.
Solution Benefits
The Healthcare IoT Solution brings benefits to customers based on the following advantages:
• Uses technology to prevent major medical malpractice and security accidents,
improving hospitals' management capabilities and patient satisfaction.
• Uses technology for asset location and management to monitor medical assets,
prevent asset loss, and save labor costs.
• Reuses a WLAN as a healthcare IoT, reducing the healthcare IoT deployment and
maintenance costs, and facilitating central network management by administrators.
Networking Architecture
As shown in Figure 25-1, the networking architecture of the Healthcare IoT Solution consists
of the terminal, access, pipe, and service application layers.
[Figure 25-1: networking architecture. Pipe layer: AC, APs. Access layer: exit monitor, RFID receiver 1, RFID receiver 2. Terminal layer: infusion alarm device, RFID tag, infant security tag]
• Terminal layer
Infusion alarm devices, radio frequency identification (RFID) tags, and infant security
tags are deployed at this layer and used for infusion management, asset management, and
infant abduction prevention scenarios.
• Access layer
RFID receivers and exit monitors are deployed at this layer. RFID receivers can be
embedded in APs as built-in cards, such as RFID receiver 1 in the preceding figure. They
can also be inserted into USB ports of APs as external USB modules or connected to
APs through USB extension cables, such as RFID receiver 2 in the preceding figure.
• Pipe layer
Network devices such as APs, ACs, and switches are deployed at this layer. The pipe
layer is used only for forwarding packets of healthcare IoT devices.
• Service application layer
Platform systems such as the infusion management system, infant protection system, and
asset management system are deployed at this layer. These systems can be deployed on
either the same server or different servers.
Involved Products
Mother-Baby Matching
Figure 25-2 shows how mother-baby matching is implemented.
[Figure 25-2: mother-baby matching. Labels: infant protection system, AC, Switch, Ward 1, Ward 2, mobile app, APs with RFID receivers, infant security tag, exit monitors 1 to 3, audible and visual alarm device, entrance/exit; numbered callouts]
1. Security tags are put on infants after they are born, and information about the infants,
security tags, and mothers is recorded in the infant protection system.
2. Exit monitors in wards where mothers are located use a 125 kHz radio module to
broadcast their own information such as IDs. Infant security tags receive the information
through 125 kHz radio modules.
3. Through 433 MHz radio modules, infant security tags send tag information and received
exit monitor information to RFID receivers. The RFID receivers receive the information
through 433 MHz radio modules.
4. The RFID receivers forward the information to the infant protection system through APs
and Ethernet links.
5. The infant protection system matches mother and infant information.
6. Mothers use the mobile app provided by the hospital to obtain mother-baby matching
results from the infant protection system, and view current infant information on the app.
Mothers can also use the barcode scanning function of the app to scan QR codes on
infant security tags to obtain more precise matching information.
If multiple mothers are in a ward, the exit monitor can only locate infants in the ward.
Mothers need to scan QR codes to confirm infant identities.
Infant Location
Figure 25-3 shows how infant location is implemented.
[Figure 25-3: infant location. Labels: infant protection system, AC, Switch, Ward 1, Ward 2, mobile app, APs with RFID receivers, infant security tag, exit monitors 1 to 3, audible and visual alarm device, entrance/exit; numbered callouts]
1. When infants approach exit monitors at entrances/exits of the wards, 125 kHz radio
modules of infant security tags receive Beacon frames sent by the exit monitors.
2. Through 433 MHz radio modules, the infant security tags send information about exit
monitors such as IDs to RFID receivers.
3. The RFID receivers forward the information to the infant protection system through APs
and Ethernet links.
4. The infant protection system matches the received information about exit monitors such
as IDs with preset location information to locate infants and monitor infant locations in
real time.
Geo-Fencing
Figure 25-4 shows how geo-fencing is implemented for infant abduction prevention.
[Figure 25-4: geo-fencing. Labels: infant protection system, AC, Switch, Ward 1, Ward 2, mobile app, APs with RFID receivers, exit monitor 3, audible and visual alarm device, entrance/exit; numbered callouts]
1. When infants approach exit monitor 3 at the entrance/exit of the geo-fence, 125 kHz
radio modules of infant security tags receive Beacon frames sent by the exit monitor.
2. Through 433 MHz radio modules, the infant security tag then sends information about the
exit monitor such as the ID to the 433 MHz radio module of the exit monitor.
3. After receiving the information, the exit monitor immediately triggers the audible and
visual alarm device to report an alarm, and sends alarm information to the infant
protection system through a wired Ethernet link.
[Figure: infusion management. Labels: AC, AP, patient wrist strap; numbered callouts 1 to 3; legend: 433 MHz RFID radio signal]
1. Before an infusion, a patient puts on a wrist strap, and a nurse uses a handheld digital
terminal to scan the barcode on the wrist strap. In this way, the infusion management
system can obtain infusion information about the patient from the database and associate
infusion information with patient information.
2. The infusion sensor sends infusion parameters to the RFID receiver through the 433
MHz radio module.
3. The RFID receiver then forwards the received information to the infusion management
system through the AP and upstream Ethernet link.
4. The infusion management system performs computing based on the infusion parameters
and infusion sensor parameters, and displays the infusion computing result. In this way,
the system can monitor the entire infusion process and report alarms if necessary.
The infusion management process is as follows:
1. Infusion registration: When patients need infusions, nurses use barcode printers to print
barcodes and paste them on fluid bags. Nurses use handheld digital terminals to scan
barcodes on patients' wrist straps and fluid bags, and associate infusion information with
patient information.
2. Process monitoring: Infusion alarm devices send information about the fluid dripping
speed to the infusion management system in real time. The infusion management system
displays the real-time infusion status.
3. Infusion alarm reporting: When the fluid dripping speed is too high or low, or infusion is
complete, audible alarms are generated on the LCD at nurse workstations.
4. Infusion termination: When infusion is complete and no fluid is left, infusion alarm
devices automatically block infusion tubes to prevent blood backflow.
Context
After network interworking is configured, configure the APs to go online on the AC, so that
the AC can deliver configurations to the APs, such as configurations for interworking
between RFID receivers and APs, and wireless service coverage configurations.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
A regulatory domain profile is created and the regulatory domain profile view is displayed.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id
ap-id ] [ ap-sn ap-sn ]
----End
Context
The WLAN and healthcare IoT can be multiplexed and integrated into one network. This
reduces network deployment and maintenance costs, and helps administrators centrally
manage the networks.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following configurations on an AC:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After the security profile is created, continuing to use the default security policy poses security
risks. You are advised to configure a proper security policy according to actual service requirements. For
the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created, and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
----End
Context
An AP communicates with a healthcare management host computer bidirectionally.
• Before the AP reports data to the host computer, configure the domain name, IP address,
and port number for the host computer. If these parameters are not configured, serial port
data reported by the AP will be discarded.
• Before the AP receives configurations delivered by the host computer to IoT cards,
configure trusted hosts. In this way, only hosts with specified IP addresses can
communicate with the AP and deliver configurations, protecting the AP against attacks.
If no trusted host is configured, other hosts can also deliver IoT card configurations to
the AP.
To enhance communication security, you can configure a shared key for encrypting
communication data between the AP and host computers. The shared key must be the same on
the AP and host computers.
IoT card slots are identified by the UDP port number, which is the mandatory parameter for
communication between the AP and host computer.
Perform the following configurations on an AC:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.
Step 4 Run type common
The IoT card type is set to common.
----End
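The trusted-host, shared-key and default-security-policy points above can be checked against a saved AC configuration. The following Python audit is an added example, not Huawei code: the sample configuration is constructed, the finding names are hypothetical, and treating the mask in config-agent permit as a subnet mask (so that a 255.255.255.0 entry admits the whole subnet) is an assumption.

```python
import ipaddress
import re

# Constructed sample, modelled on the "AC configuration file" layout used in this guide.
SAMPLE_CONFIG = """\
#
wlan
 security-profile name wlan-net
  security wpa2 psk pass-phrase %^%#constructed-ciphertext%^%# aes
 security-profile name guest
 ssid-profile name wlan-net
  ssid wlan-net
 iot-profile name wlan-iot
  config-agent permit ip-address 10.23.102.253 255.255.255.0
  management-server server-ip 10.23.100.254 server-port 3000
  share-key %^%#constructed-ciphertext%^%#
 iot-profile name ward2-iot
  management-server server-ip 10.23.100.254 server-port 3000
#
return
"""

HEADER = re.compile(r"^(\S+) name (\S+)$")
PERMIT = re.compile(r"^config-agent permit ip-address (\S+) (\S+)$")


def parse_blocks(text):
    """Split a saved configuration into (kind, name, [setting lines]) blocks.

    Indentation is ignored on purpose, so the parser also works on copies
    whose leading spaces were lost when the file was pasted or extracted.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2), [])
            blocks.append(current)
        elif line in ("#", "return") or line.startswith("ap-id "):
            current = None  # left the profile section
        elif current is not None:
            current[2].append(line)
    return blocks


def audit(text):
    """Return (profile name, finding) pairs; finding names are hypothetical."""
    findings = []
    for kind, name, lines in parse_blocks(text):
        if kind == "security-profile":
            # No "security ..." line: the profile still uses the default policy.
            if not any(l.startswith("security ") for l in lines):
                findings.append((name, "default-security-policy"))
        elif kind == "iot-profile":
            permits = [m for m in map(PERMIT.match, lines) if m]
            if not permits:
                # Without a trusted host, other hosts can deliver IoT card configs.
                findings.append((name, "no-trusted-host"))
            for m in permits:
                # Assumption: the second argument is a subnet mask.
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                if net.num_addresses > 1:
                    findings.append((name, f"permit-covers-{net}"))
            if not any(l.startswith("share-key ") for l in lines):
                # AP-to-host traffic is not encrypted with a shared key.
                findings.append((name, "no-share-key"))
            if not any(l.startswith("management-server ") for l in lines):
                # Serial port data reported by the AP would be discarded.
                findings.append((name, "no-management-server"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```
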
Security tags are put on infants after they are born, and information about the infants,
security tags, and mothers is recorded in the infant protection system.
Hospitals provide mothers with a mobile app, so that mothers can obtain information about
their babies from the infant protection system.
Mothers can perform operations according to related documents obtained from the infant
protection system vendor. The detailed operations are not described in this document.
Service Requirements
A hospital wants to deploy a network to expand IoT applications while providing the wireless
network access service to prevent infant abductions.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
STAs.
• Service data forwarding mode: direct forwarding
Figure 25-6 Networking diagram for configuring the Healthcare IoT Solution
[Diagram labels: Network, infant protection system, Switch, AC, Ward 1, Ward 2, mobile app, APs with RFID receivers, infant security tag, exit monitors 1 to 3, audible and visual alarm device, entrance/exit; interface labels GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AP, switch, AC, and host computer (on which the
infant protection system is deployed).
2. Configure the AC as a DHCP server to assign an IP address to the AP.
3. Configure the AP to go online and configure WLAN services.
4. Configure parameters for the AP to communicate with RFID cards.
5. Configure parameters for the AP to communicate with the host computer.
6. Add the AP's IP address to the host computer and configure the same shared key as that
on the AP.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch, and add GE0/0/1 through GE0/0/3 on the switch to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit
# Configure the AC, and add GE0/0/1 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is located by name. For example, if the AP with MAC address 60de-4476-e360 is deployed in
area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field in the command output displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
--------------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password is set to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Step 7 Configure communication parameters between the AP and the RFID card, and configure
communication parameters between the AP and the host computer.
# Create IoT profile wlan-iot, configure the IP address and port number of the host computer,
and configure security communication parameters.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] type common
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.100.254 server-port 3000
[AC-wlan-iot-prof-wlan-iot] config-agent permit ip-address 10.23.102.253 255.255.255.0
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit
Step 8 Add the AP's IP address to the host computer and configure the same shared key as that on the
AP.
Step 9 Configure exit monitors to connect to the network in wired mode and interwork with the
infant protection system. The detailed operations are not described here.
Step 10 Use the infant protection function according to operation methods of the infant protection
system. For details, see the operation guides provided by vendors.
Step 11 Verify the configuration.
The configuration is automatically delivered to the AP after it is completed. Run the display
vap ssid wlan-net command. If Status in the command output is displayed as ON, a VAP has
been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
l Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#cy>>Ce/KCZjbk%'(pjO'$d3L6xs\I(7R_~.ZfhCW%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name domain1
iot-profile name wlan-iot
config-agent permit ip-address 10.23.102.253 255.255.255.0
management-server server-ip 10.23.100.254 server-port 3000
share-key %^%#:}$U=mz%jCu.$K.XP>pC{(\_*]gOy5qZ)o*T}5SA%^%#
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
card 1
iot-profile wlan-iot config-agent udp-port 10000
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
provision-ap
address-mode static
ip-address 10.23.100.254 255.255.255.0 gateway 10.23.100.1
ac-list 10.23.100.1
#
return
Scenario Overview
At schools, students' health and safety are a constant concern for both the schools and
parents, so the ability to monitor and query students' health and safety information is
strongly needed.
To meet these requirements, Huawei offers the Student Health and Safety Internet of Things
(IoT) Solution. This solution allows schools and parents to monitor and query health and
safety information about students, including the time when they enter and leave schools.
Solution Benefits
This solution brings the following benefits:
l It supports monitoring of students' physical health data and information such as heart
rate, pace, and duration of sleep through student wristbands. Student wristbands can also
record the time when they enter and leave schools. Big Data statistics and analytics can
then be performed on the data, so that effective measures can be taken in time against
abnormal situations.
l A WLAN can be reused as the student health and safety IoT network to achieve network
integration, reduce network deployment and maintenance costs, and help administrators
manage the network.
Network Architecture
As shown in Figure 26-1, the network architecture consists of the terminal layer, access layer,
network layer, and application layer.
[Figure 26-1 labels: Application layer; Network layer (AC, Switch); AP; Terminal layer (Student wristband)]
l Terminal layer
Student wristbands are deployed at this layer.
l Access layer
IoT APs and radio frequency identification (RFID) cards built in the IoT APs are
deployed at this layer.
l Network layer
Network devices such as ACs and switches are deployed at this layer.
l Application layer
A server is deployed at this layer for managing student health and safety information
("server" for short hereinafter).
Related Products
l Supports query for students' safety information. The time when students enter and leave
schools can be recorded, so that schools and parents can check whether students enter
and leave schools on schedule. Additionally, the information is also saved as attendance
data
The following shows the implementation principle of this solution.
Student Health
Figure 26-2 shows how the student health management solution is implemented.
[Figure 26-2 labels: AC, Switch, AP, RFID card, Student wristband]
1. A student wristband collects and buffers health data of a student, such as the heart rate,
pace, and duration of sleep.
2. When the amount of data buffered in the wristband reaches a specified threshold, the
wristband sends the data to the RFID card in the AP through the 433 MHz radio module.
3. The RFID card buffers the received data. When the amount of data buffered in the RFID
card reaches a specified threshold, the RFID card packages the data and sends it to the
upper-layer server through the AP and upstream Ethernet links.
NOTE
The server provided by Telpo can communicate with the RFID card using TCP.
4. The server parses the received data and sends the parsed data to the health platform in
real time.
Student Safety
Figure 26-3 shows how the student safety management solution is implemented.
[Figure 26-3 labels: AC, Switch, AP outside the school, AP inside the school, Student wristband]
1. APs with built-in RFID cards are deployed inside and outside a school to cover areas
inside and outside the school, respectively.
A student wristband inside the school sends its ID to the RFID card of the AP inside the
school through the 2.4 GHz radio module. When the student wristband is outside the
school, it sends its ID to the RFID card of the AP outside the school.
When the student wristband sends its ID to the RFID card of the AP outside the school
first and then to that inside the school, the student is considered entering the school.
Conversely, the student is considered leaving the school.
2. After receiving wristband information, the RFID card sends the information to the upper-
layer server through the AP and upstream Ethernet links.
3. The server parses the wristband ID, RFID card ID, and information report time to obtain
the time when the student enters or leaves the school.
NOTE
The health and safety information server is configured as the host computer of the APs. The host computer in
the following sections refers to the health and safety information server.
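The entering/leaving rule in step 1 and the parsing in step 3, as an added Python example that is not code from this guide or from the server vendor. The card IDs, wristband IDs, report tuple layout, and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed mapping of RFID card IDs to the side of the school gate that the
# AP carrying the card covers. Only registered cards appear here.
CARD_ZONE = {"card-door-in": "inside", "card-door-out": "outside"}

# Constructed reports in arrival order: (wristband ID, RFID card ID, report time).
REPORTS = [
    ("wb-001", "card-door-out", "2018-08-17T07:58:10"),
    ("wb-001", "card-door-out", "2018-08-17T07:58:12"),  # repeated report
    ("wb-002", "card-door-in", "2018-08-17T16:30:05"),
    ("wb-001", "card-door-in", "2018-08-17T07:58:40"),   # arrived late
    ("wb-002", "card-door-out", "2018-08-17T16:30:31"),
    ("wb-001", "card-unknown", "2018-08-17T12:00:00"),   # unregistered card
]


def derive_gate_events(reports, card_zone):
    """Turn wristband reports into enter/leave events.

    outside -> inside is 'enter' and inside -> outside is 'leave', as in the
    text. Reports are ordered by report time first, because packets from two
    APs can reach the server out of order. Repeated reports from the same side
    are collapsed, and a report naming an unregistered card is set aside
    instead of being allowed to move a student across the gate.
    """
    events, rejected, last_zone = [], [], {}
    ordered = sorted(reports, key=lambda r: datetime.fromisoformat(r[2]))
    for wristband, card, when in ordered:
        zone = card_zone.get(card)
        if zone is None:
            rejected.append((wristband, card, when))
            continue
        previous = last_zone.get(wristband)
        last_zone[wristband] = zone
        if previous is None or previous == zone:
            continue  # first sighting or no change of side: no event
        kind = "enter" if (previous, zone) == ("outside", "inside") else "leave"
        events.append((wristband, kind, when))
    return events, rejected


if __name__ == "__main__":
    gate_events, set_aside = derive_gate_events(REPORTS, CARD_ZONE)
    for wristband, kind, when in gate_events:
        print(f"{when} {wristband} {kind}")
    for wristband, card, when in set_aside:
        print(f"{when} {wristband} rejected: unregistered card {card}")
```

Rejected reports are worth logging on the server, since a card ID that is not registered should never appear in normal operation.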
When students' arrival time and departure time need to be recorded, the 2.4 GHz radio of APs
works at the same frequency as Telpo's RFID cards. Therefore, during networking planning,
interference must be considered.
Installing a Server
To install a server for managing student health and safety information, contact the server
vendor to obtain related installation documents. The detailed operations are not described in
this document.
Student wristbands also need to report service packets. Therefore, ensure that student
wristbands can exchange packets with the upper-layer server.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
----End
Context
A WLAN can be reused as the IoT network for student health and safety management,
reducing network deployment and maintenance costs and helping administrators to manage
the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Procedure
Step 1 Run system-view
A VLAN is created.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
If the default security policy is kept after a security profile is created, security risks
exist. You are advised to configure a proper security policy according to actual service
requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
----End
Context
After receiving information reported by student wristbands, RFID cards send the information
to the host computer through APs and upstream Ethernet links. To enable the RFID cards to
connect to the correct host computer and establish links, configure communication parameters
between the APs and host computer.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.
Step 4 Run type common
The IoT card type is set to common.
The default type of an IoT card is common.
Step 5 Run management-server { domain domain-name | server-ip server-ip } server-port server-port-num
The IP address and port number of a host computer are configured.
By default, no host computer is configured.
Step 6 (Optional) Run share-key key-value
A shared key is configured.
By default, no shared key is configured.
Step 7 Run quit
Return to the WLAN view.
Step 8 Apply configurations to an IoT card interface.
l Bind the IoT profile in the IoT card interface view of an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the card card-number command to enter the IoT card interface view.
c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
the IoT profile and configure the local port number mapping the IoT card interface.
By default, no IoT profile is bound to an IoT card interface.
----End
Service Requirements
A school pays much attention to health and safety of its students, and desires to use technical
methods to monitor and query students' health and safety information.
To meet these requirements, Huawei provides the Student Health and Safety IoT Solution that
reuses the existing WLAN.
Networking Requirements
l AC networking mode: Layer 2 in bypass mode
l DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 26-4 Networking for configuring the Student Health and Safety IoT Solution
[Figure labels: Server; AC; Switch; interfaces GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4; AP with RFID card; AP outside the school and AP inside the school, each with an RFID card; Student wristbands]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure communication parameters between the APs and host computer.
6. Add IP addresses of the APs to the host computer and configure the same shared key as
that on the APs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 through GE0/0/4 to VLAN 100 and VLAN 101 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import APs offline on the AC and add the APs to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, if an AP with MAC address 60de-4476-e360 is
deployed in a classroom, name the AP room_1. If the APs with MAC addresses 60de-4476-
e460 and 60de-4476-e560 are deployed inside and outside the school door, name the APs
door_1 and door_2.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name room_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e460
[AC-wlan-ap-1] ap-name door_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e560
[AC-wlan-ap-2] ap-name door_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 room_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   51S    -
1    60de-4476-e460 door_1 ap-group1 10.23.100.253 AP4050DN-E nor   0   45S    -
2    60de-4476-e560 door_2 ap-group1 10.23.100.252 AP4050DN-E nor   0   25S    -
----------------------------------------------------------------------------------------------
Total: 3
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Step 7 Configure communication parameters between the APs and host computer.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.200.1 server-port 3000
[AC-wlan-iot-prof-wlan-iot] config-agent permit ip-address 10.23.102.253 255.255.255.0
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] iot-profile wlan-iot config-agent tcp-port 10000
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
Step 8 Add IP addresses of the APs to the host computer and configure the same shared key as that
on the APs.
Step 9 Verify the configuration.
# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 room_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 room_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 door_1 0 1 60DE-4476-E460 ON WPA/WPA2-PSK 1 wlan-net
0 door_1 1 1 60DE-4476-E470 ON WPA/WPA2-PSK 0 wlan-net
0 door_2 0 1 60DE-4476-E560 ON WPA/WPA2-PSK 1 wlan-net
0 door_2 1 1 60DE-4476-E570 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 6
----End
Configuration Files
l Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#CU9SYQg[.Vxx;xH%>nwFA.WJ6i/Fm~me>&W%`b/-%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
iot-profile name wlan-iot
config-agent permit ip-address 10.23.102.253 255.255.255.0
management-server server-ip 10.23.200.1 server-port 3000
share-key %^%#vj*JIT.]q%6Q6[VqoHMJHs(5Oss3g3*%@r9Vy%aW%^%#
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
card 1
iot-profile wlan-iot config-agent tcp-port 10000
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
ap-name room_1
ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e460 ap-sn 210235419610D2000067
ap-name door_1
ap-group ap-group1
ap-id 2 ap-mac 60de-4476-e560 ap-sn 210235419610D2000068
ap-name door_2
ap-group ap-group1
#
return
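An added example (not Huawei tooling and not code from this guide): a Python check that reads the wlan section of a saved AC configuration like the two configuration files above. It flags the guide's own example secrets, secrets stored outside the %^%#...%^%# wrapper, WPA/WPA2 mixed mode, an IoT profile with a host computer but no share-key, and a config-agent permit entry whose mask covers more than the address given. The sample config, the finding names, the profile names wlan-hardened and wlan-iot-nokey, the 255.255.255.255 mask, and the reading of config-agent permit as an address/mask match are assumptions.

```python
import ipaddress
import re

# Secrets printed in this guide's examples; finding them on a live AC means
# documentation values went into production.
DOC_EXAMPLE_SECRETS = {"a1234567", "aabb0011@11"}
CIPHERTEXT = re.compile(r"^%\^%#.+%\^%#$")  # wrapper used in saved configs
SECTION = re.compile(
    r"^(security-profile|ssid-profile|vap-profile|iot-profile|"
    r"regulatory-domain-profile|ap-group) name (\S+)$")

# Constructed sample modelled on the AC configuration files above. Profile names
# wlan-hardened and wlan-iot-nokey, the placeholder ciphertext and the
# 255.255.255.255 mask are assumptions made for the example.
SAMPLE_AC_CONFIG = """\
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 security-profile name wlan-hardened
  security wpa2 psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes
 iot-profile name wlan-iot
  config-agent permit ip-address 10.23.102.253 255.255.255.0
  management-server server-ip 10.23.200.1 server-port 3000
  share-key %^%#CONSTRUCTED-CIPHERTEXT%^%#
 iot-profile name wlan-iot-nokey
  config-agent permit ip-address 10.23.102.253 255.255.255.255
  management-server server-ip 10.23.200.1 server-port 3000
 ap-group name ap-group1
  card 1
   iot-profile wlan-iot config-agent tcp-port 10000
 ap-id 0 ap-mac 60de-4476-e360
  ap-name room_1
  ap-group ap-group1
"""


def parse_wlan_objects(text):
    """Group lines under the '<kind> name <n>' line that opens each object.

    Indentation is ignored, so a config whose leading spaces were lost when it
    was pasted or extracted is parsed the same way.
    """
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "wlan", "return"):
            continue
        opened = SECTION.match(line)
        if opened:
            current = {"kind": opened.group(1), "name": opened.group(2), "lines": []}
            objects.append(current)
        elif line.startswith("ap-id "):
            current = None  # per-AP blocks are not audited here
        elif current is not None:
            current["lines"].append(line.split())
    return objects


def check_secret(name, keyword, value):
    """Flag guide example secrets and secrets stored outside the cipher wrapper."""
    if value in DOC_EXAMPLE_SECRETS:
        return [(name, f"{keyword}-is-doc-example")]
    if not CIPHERTEXT.match(value):
        return [(name, f"{keyword}-cleartext")]
    return []


def audit(text):
    """Return (profile name, finding) pairs in the order they appear."""
    findings = []
    for obj in parse_wlan_objects(text):
        name, lines = obj["name"], obj["lines"]
        if obj["kind"] == "security-profile":
            for tok in lines:
                if tok[0] != "security":
                    continue
                if "wpa-wpa2" in tok:  # mixed mode still admits WPA clients
                    findings.append((name, "wpa1-still-accepted"))
                if "pass-phrase" in tok[:-1]:
                    value = tok[tok.index("pass-phrase") + 1]
                    findings += check_secret(name, "pass-phrase", value)
        elif obj["kind"] == "iot-profile":
            has_server = any(tok[0] == "management-server" for tok in lines)
            key = None
            for tok in lines:
                if tok[0] == "share-key" and len(tok) > 1:
                    key = tok[1]
                if tok[:3] == ["config-agent", "permit", "ip-address"] and len(tok) >= 5:
                    # Assumption: the entry is matched as address/mask, so host
                    # bits under a short mask mean a whole subnet is permitted.
                    net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
                    if ipaddress.ip_address(tok[3]) != net.network_address:
                        findings.append((name, f"permit-covers-{net}"))
            if key is not None:
                findings += check_secret(name, "share-key", key)
            elif has_server:
                findings.append((name, "no-share-key"))
    return findings


if __name__ == "__main__":
    for profile, issue in audit(SAMPLE_AC_CONFIG):
        print(f"{profile}: {issue}")
```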
Scenario Overview
Energy consumption costs enterprises a lot of money and is not environment-friendly.
Enterprises want to use automatic means to achieve environmental protection, save energy,
and reduce energy costs.
To meet these requirements, Huawei provides an energy efficiency management IoT solution
to implement centralized monitoring and intelligent control over electrical appliances such as
lighting devices and air conditioners in buildings. In this way, the enterprises can collect
statistics on the overall energy consumption of the buildings in real time for analysis, and take
effective measures to adjust energy usage to prevent energy waste and improve economic
benefits.
Solution Benefits
This solution brings the following benefits:
l Enterprises can use automatic means to achieve environmental protection, save energy,
and reduce energy costs.
l A WLAN can be reused as an energy efficiency management IoT network to achieve
network integration, reduce network deployment and maintenance costs, and help
administrators centrally manage the network.
Network Architecture
As shown in Figure 27-1, the network architecture of the energy efficiency management IoT
solution consists of the terminal layer, access layer, network layer, and application layer.
[Figure 27-1 labels: Application layer (BEMS, EEM, EBT); Network layer (IoT gateway, Switch, AC, AP); Access layer (ZigBee card); Terminal layer (Intelligent switch, Sensor)]
l Terminal layer
Sensors and smart switches are deployed at this layer. Common sensors include
temperature sensors, light sensors, infrared sensors, and airflow sensors.
l Access layer
ZigBee cards are located at this layer.
l Network layer
APs, IoT gateways, switches, and ACs are deployed at this layer.
l Application layer
The Building Energy Management System (BEMS), Enterprise Energy Module (EEM),
and EEM boost tools (EBT) are deployed at this layer.
Related Products
Figure 27-2 Network for the energy efficiency management IoT solution
[Figure 27-2 labels: BEMS, EEM, IoT gateway, Switch, AC, AP, ZigBee card, Sensor; flows numbered 1 to 4]
1. Configure energy efficiency management policies on the BEMS and deliver them to the
EEM.
2. The EEM converts the energy efficiency management configurations into energy
efficiency management policies and distributes the policies to the IoT gateway.
3. Sensors send sensed data to ZigBee cards using 2.4 GHz radio signals. The ZigBee cards
then report the data to the IoT gateway. The IoT gateway matches received data based on
energy efficiency management policies, and sends matched policies to the function
execution modules of sensors for energy efficiency management and control.
For example, if the IoT gateway receives data indicating high temperature from a
temperature sensor, it matches the data based on energy efficiency management policies.
A matched policy is found, indicating the air conditioner should be switched on and
adjusted to 26°C. The IoT gateway sends the policy to the sensor, and then the sensor
function module executes the received policy.
4. The IoT gateway sends the data reported by sensors to the BEMS. The BEMS centrally
monitors environment parameters.
[Figure labels: BEMS, EEM, EBT, Niagara container, AP, ZigBee card, Sensor; channels numbered 1 and 2]
l The first channel is established between an AP and the Niagara container loaded on the
IoT gateway. You can configure information such as a whitelist, card authentication
information, and encryption information.
l The second channel is an extended channel established between the AP and the EBT.
The EBT control platform can detect ZigBee cards and sensors managed by the ZigBee
cards. You can view the online status and versions of the ZigBee cards, as well as sensor
information, and upgrade the ZigBee cards using the EBT.
Perform the following operations at the terminal layer when deploying this solution on the
live network:
l Replace mechanical switches with smart wall switches, dimmer switches, or single-
controlled modules.
l Replace mechanical sockets with smart sockets.
l Install three-phase load switches to connect to and control air conditioners.
l Install brightness and motion sensors to sense human motions and monitor brightness
indoors.
l Install temperature and humidity sensors to monitor the temperature and humidity
indoors.
l It is recommended that the APs connected to the same host computer be added to the
same AP group.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
----End
Context
A WLAN can be reused as an energy efficiency management IoT network, reducing network
deployment and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
----End
Context
On the network for the energy efficiency management solution, an AP needs to establish TCP
channels with two host computers: Niagara container and EBT.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.
The Niagara container is the first host computer and its port number is fixed as 7002.
The EBT is the second host computer and its port number is the same as that on the EBT
configuration page.
In the energy efficiency management solution, host computers can connect to APs using only
TCP.
l Bind the IoT profile in the IoT card interface view of an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the card card-number command to enter the IoT card interface view.
c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
the IoT profile and configure the local port number mapping the IoT card interface.
By default, no IoT profile is bound to an IoT card interface.
NOTE
In the energy efficiency management solution, host computers can connect to APs using only
TCP.
----End
l Configure energy efficiency management on the BEMS and deliver the configurations to
the EEM. The EEM converts the energy efficiency management configurations into
energy efficiency management policies and distributes the policies to the IoT gateway.
l Configure information such as a whitelist, card authentication information, and
encryption information on the Niagara container.
l View the online status and versions of the ZigBee cards, as well as sensor information on
the EBT. You can also upgrade the ZigBee cards.
For details about how to install and commission the Niagara container, see the installation and
commissioning guide in the Niagara container software installation package. For other
operations, contact the Niagara container vendor to obtain related documents. The detailed
operations are not described in this document.
Service Requirements
An enterprise needs to deploy wireless network office services. Because it attaches
importance to environmental protection and energy saving, it wants to use automatic methods
to save energy and reduce energy costs.
To meet these requirements, Huawei provides the energy efficiency management IoT solution
that reuses the existing WLAN.
Networking Requirements
l AC networking mode: Layer 2 in bypass mode
l DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
[Networking diagram. Labels: BEMS, EEM, EBT, AR (Niagara), Switch, AC, AP, ZigBee card, Sensor; interfaces GE0/0/1, GE0/0/1, GE0/0/2]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking between the AR, EEM, and BEMS. Configure APs to
communicate with the AR, Niagara container on the AR, EBT, and AC.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure communication parameters between APs and host computers.
6. Configure APs' IP addresses on the host computers.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure network interworking between the AR, EEM, and BEMS. Configure APs to
communicate with the AR, Niagara container on the AR, EBT, and AC.
Step 3 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Step 7 Configure communication parameters between APs and host computers. Configure the
mapped IP address of the Niagara container as the IP address of the host computer on the first
channel, and the EBT IP address as the IP address of the host computer on the extended
channel.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.200.1 server-port 7002
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.201.1 server-port 50023 ext-channel
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] iot-profile wlan-iot config-agent tcp-port 10000
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
Step 8 Configure APs' IP addresses on the host computers and configure the same shared key as that
on the APs.
Step 9 Configure energy efficiency management policies on the BEMS and deliver them to the EEM.
----End
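The Configuration Notes (port isolation with direct forwarding, different management and service VLANs with tunnel forwarding) and the example secrets typed in this procedure can be checked mechanically before a configuration is saved. The following Python script is an added example, not part of the Huawei guide: it reads a pasted CLI session and reports those three conditions. The `port-isolate enable` and `forward-mode tunnel` keywords, the 12-character minimum, and the choice of GigabitEthernet0/0/2 as the AP-facing port are assumptions of this example.

```python
import re

# A prompt line such as "[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward":
# group 1 is the view name shown in the prompt, group 2 the command typed in it.
PROMPT = re.compile(r"^\s*[\[<]([^\]>]+)[\]>]\s*(.*)$")

# Secrets printed in this guide's examples; they must not survive into production.
DOC_EXAMPLE_SECRETS = {"a1234567", "aabb0011@11"}


def parse(transcript):
    """Return (view, command) pairs; device output such as warnings is skipped."""
    pairs = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m and m.group(2).strip():
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def weak_secret(value, min_len=12):
    """This example's heuristic: a documentation value, or shorter than min_len."""
    return value in DOC_EXAMPLE_SECRETS or len(value) < min_len


def audit(transcript, mgmt_vlan, ap_ports):
    """Return (finding, object) tuples; ap_ports names the AP-facing switch ports."""
    vaps, ports, findings = {}, {}, []
    for view, cmd in parse(transcript):
        vap = re.search(r"-wlan-vap-prof-(.+)$", view)
        secret_view = re.search(r"-wlan-(?:sec|iot)-prof-(.+)$", view)
        port = re.search(r"-(GigabitEthernet[\d/]+)$", view)
        if vap:
            prof = vaps.setdefault(vap.group(1), {})
            if cmd.startswith("forward-mode "):
                prof["mode"] = cmd.split()[1]
            m = re.match(r"service-vlan vlan-id (\d+)", cmd)
            if m:
                prof["vlan"] = int(m.group(1))
        elif secret_view:
            m = re.match(r"(?:security \S+ psk pass-phrase|share-key) (\S+)", cmd)
            if m and weak_secret(m.group(1)):
                findings.append(("weak-secret", secret_view.group(1)))
        elif port:
            ports.setdefault(port.group(1), []).append(cmd)

    for name, prof in sorted(vaps.items()):
        # Tunnel forwarding: the service VLAN must differ from the management VLAN.
        if prof.get("mode") == "tunnel" and prof.get("vlan") == mgmt_vlan:
            findings.append(("tunnel-vlan-clash", name))
    if any(p.get("mode") == "direct-forward" for p in vaps.values()):
        # Direct forwarding: every AP-facing port should have port isolation.
        for name in ap_ports:
            cmds = ports.get(name, [])
            if not any(c.startswith("port-isolate enable") for c in cmds):
                findings.append(("no-port-isolation", name))
    return findings


# Commands taken from the procedure above, prompts included.
PAGE_SESSION = """
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
"""

# Constructed variant: placeholder secrets and port isolation on the AP-facing port.
HARDENED_SESSION = (
    PAGE_SESSION
    .replace("a1234567", "<constructed-passphrase-01>")
    .replace("aabb0011@11", "<constructed-share-key-01>")
    + "[Switch-GigabitEthernet0/0/2] port-isolate enable group 1\n"
)

# Constructed variant: a tunnel-forwarding VAP placed in the management VLAN.
TUNNEL_SESSION = """
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 100
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_SESSION), ("hardened", HARDENED_SESSION),
                        ("tunnel", TUNNEL_SESSION)):
        print(label, audit(text, 100, ["GigabitEthernet0/0/2"]))
```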
Configuration Files
l Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
Scenario Overview
In enterprises, meetings may be disturbed by people who come to check whether meeting
rooms are available.
To address this issue, Huawei provides a smart meeting room solution. An electronic display
is installed at the entrance of a meeting room to show whether the meeting room is in use.
This prevents irrelevant personnel from disturbing meetings and improves meeting efficiency.
Solution Benefits
This solution brings the following benefits:
l Meetings will not be disturbed and the meeting efficiency is improved.
l A WLAN can be reused as a smart meeting room IoT network to achieve network
integration, reducing network deployment and maintenance costs and helping
administrators centrally manage the network.
Network Architecture
As shown in Figure 28-1, the network architecture of the smart meeting room IoT solution
consists of the terminal layer, access layer, pipe layer, and application layer.
[Figure 28-1: network architecture diagram. Labels: Application layer, AC, Switch, Pipe layer, AP, Terminal layer, Electronic display]
l Terminal layer
Electronic displays are installed at the entrance of meeting rooms.
l Access layer
IoT cards are located at this layer.
l Pipe layer
Network devices such as APs, ACs, and switches are deployed at this layer.
l Application layer
The meeting room management system and IoT card management system are deployed
at this layer.
Related Products
Implementation
The implementation and configuration methods of the smart meeting room IoT solution are
similar to those of the electronic shelf label (ESL) solution. The differences are as follows:
l The smart meeting room IoT solution uses electronic displays to show meeting room
information, while the ESL solution uses ESLs to display commodity prices and
information.
l In the smart meeting room IoT solution, the meeting room management system updates
and delivers information to electronic displays. In the ESL solution, the ERP system
updates and delivers information to ESLs.
For details about the implementation and configuration of the smart meeting room solution,
see 24 Smart Retail IoT Solution - ESL.
Scenario Overview
In traditional shopping malls, shop assistants introduce commodity information or
recommend promotional commodities to customers. This mode has the following
shortcomings:
l The labor cost is high.
l The shopping malls cannot perform Big Data analytics on customers' behavior of
selecting commodities to analyze popularity of commodities.
l Some customers want to select commodities freely, but do not need recommendations
from shop assistants. Shopping experience of customers may degrade if they are
followed by shop assistants.
l When there are a large number of customers, shop assistants may not be able to
introduce commodity information to each of them. As a result, shopping experience of
customers is not good.
In this case, Huawei provides a smart shopping guide solution. When customers pick up
commodities, tablet kiosks can display commodity information to the customers.
Solution Benefits
This solution brings the following benefits:
l The number of shop assistants and labor costs are reduced.
l The smart shopping guide system can perform Big Data analytics on customers' behavior
of picking up commodities and analyze popularity of commodities. The analysis result
will help shopping malls make accurate marketing strategies and increase profits.
l Customers will not be annoyed by merchandising of shop assistants.
l Customers can directly view commodity information displayed on tablet kiosks without
waiting for shop assistants to introduce commodities.
Network architecture
As shown in Figure 29-1, the network architecture of the smart shopping guide solution
consists of the terminal layer, access layer, network layer, and application layer.
[Figure 29-1: network architecture diagram. Labels: smart shopping guide server (application layer); AC and Switch (network layer); APs (access layer); tablet kiosk, BLE labels, and mobile app (terminal layer); BLE signal legend]
l Terminal layer
Tablet kiosks, Bluetooth Low Energy (BLE) labels bound to commodities, and mobile
phones with the smart shopping guide app installed are deployed at this layer.
BLE is a new ultra-low-power wireless transmission technology that enables devices to
work at extremely low operating and standby power consumption.
l Access layer
APs are deployed at this layer.
l Network layer
Network devices such as ACs and switches are deployed at this layer.
l Application layer
A smart shopping guide server is deployed at this layer.
Related Products
Smart shopping guide server hardware | A server with the Intel Core i5-7400 CPU or higher, a memory of more than 4 GB, and an SSD hard disk is recommended. The Windows 7 or Windows 10 operating system is supported. | Customer or Century
[Figure: interaction between the BLE label, tablet kiosk, AP, Switch, AC, and smart shopping guide server]
1. A BLE label is bound to a commodity. The mobile app is used to associate the BLE label
with the commodity and synchronize the association information to the smart shopping
guide server.
To associate a BLE label with a commodity, use the mobile phone camera to scan the
commodity barcode and the Bluetooth function of the mobile phone to receive BLE label
information.
2. When a customer picks up the commodity, the BLE label bound to the commodity
detects that the commodity is picked up by sensing the gravity change. The BLE label
then sends a BLE broadcast packet carrying the BLE label ID to the tablet kiosk.
3. After receiving the BLE broadcast packet, the tablet kiosk displays the commodity
information mapped to the BLE label ID if its camera sees a person in front of it. At the
same time, the tablet kiosk sends the BLE label information to the smart shopping guide
server through Wi-Fi.
– The BLE broadcast packet sent by the BLE label may be received by multiple tablet
kiosks. If the camera of a tablet kiosk sees a person in front of itself, the tablet kiosk
displays commodity information; otherwise, it does not display commodity
information.
– The tablet kiosk has an app installed locally. The app must have the smart
shopping guide server information configured and can cache information. If the
tablet kiosk has cached the commodity information to be displayed and the smart
shopping guide server verifies that the commodity information will not be updated,
the commodity information is displayed. If no commodity information is cached on
the tablet kiosk or the shopping guide server verifies that the commodity
information needs to be updated, new commodity information will be downloaded
from the tablet kiosk and then displayed.
– If a customer picks up multiple commodities concurrently, the app of the tablet
kiosk will provide a display sequence for the customer to select a commodity whose
information is to be displayed. For example, if a customer picks up commodities A
and B concurrently and information about commodity A is currently displayed, the
customer can select commodity B. The tablet kiosk will then display information
about commodity B.
4. The smart shopping guide server performs Big Data analytics on the data sent by the
BLE label, and provides a visualized analysis result as reference for the shopping mall to
make timely and accurate marketing strategies.
[Figure: interaction between the BLE label, AP, Switch, AC, and smart shopping guide server]
1. A BLE label is bound to a commodity. The mobile app is used to associate the BLE label
with the commodity and synchronize the association information to the smart shopping
guide server.
To associate a BLE label with a commodity, use the mobile phone camera to scan the
commodity barcode and the Bluetooth function of the mobile phone to receive BLE label
information.
2. When a customer picks up the commodity, the BLE label bound to the commodity
detects that the commodity is picked up by sensing the gravity change. The BLE label
then sends a BLE broadcast packet carrying the BLE label ID to the tablet kiosk.
3. The AP's Bluetooth module transmits BLE data transparently. After receiving a BLE
broadcast packet, the AP sends the packet to the smart shopping guide server based on
the IP address and port number of the host computer specified on the AP.
4. The smart shopping guide server performs Big Data analytics on the data sent by the
BLE label, and provides a visualized analysis result as reference for the shopping mall to
make timely and accurate marketing strategies.
NOTE
The smart shopping guide server functions as the host computer of APs. Therefore, the host computer in the
following sections refers to the smart shopping guide server.
Configuration Precautions
APs are configured to report Bluetooth packets immediately or at an interval of less than 5
seconds. This is because when a commodity is picked up multiple times within 5 seconds, the
BLE label bound to it is considered to have been picked up only once.
IPv6 addresses are not supported.
Installing APs
For details on how to install APs, see the AP Hardware Installation and Maintenance Guide.
In addition, regardless of whether tablet kiosks are installed, WLAN services must be
configured to ensure service packet exchange if WLAN access for customers or employees is
needed.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Procedure
Step 1 Run system-view
A VLAN is created.
An IP address and a subnet mask are configured for the VLANIF interface.
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.
----End
Context
The smart shopping guide scenario is divided into sub-scenarios with tablet kiosks and
without tablet kiosks installed.
l When tablet kiosks are installed, they connect to APs through Wi-Fi and to the smart
shopping guide server through the Ethernet, and receive information from BLE labels
through Bluetooth. In this sub-scenario, configure the wireless coverage service to
allow the tablet kiosks to access APs.
l When no tablet kiosk is installed, BLE labels connect to APs' Bluetooth modules by
sending BLE signals and to the smart shopping guide server through the Ethernet. In
this sub-scenario, you do not need to configure the wireless coverage service for the
BLE labels.
If wireless network access is required for customers or employees in the preceding
sub-scenarios, configure other SSIDs to provide wireless service coverage.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
If the default security policy is kept after the security profile is created, security risks
exist. You are advised to configure a proper security policy according to actual service
requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan
{ vlan-id vlan-id | vlan-pool pool-name } ]
----End
Context
In smart shopping guide sub-scenarios with no tablet kiosk installed, BLE broadcast packets
sent by BLE labels are received by built-in Bluetooth modules of APs and then sent to the
host computer through the Ethernet.
To ensure that APs can receive BLE broadcast packets sent by BLE labels and send the
packets to the host computer, enable the Bluetooth data transparent transmission function for
the APs, and configure the destination host computer and port number for the APs to report
Bluetooth data transparent transmission packets.
Procedure
Step 1 Run system-view
The Bluetooth data transparent transmission function is configured for the built-in Bluetooth
modules of APs.
The APs are enabled to report Bluetooth data transparent transmission packets.
APs are configured to report Bluetooth packets immediately or at an interval of less than 5
seconds. This is because when a commodity is picked up multiple times within 5 seconds, the
BLE label bound to it is considered to have been picked up only once.
Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ]
The destination IP address and port number are configured for APs to report Bluetooth data
transparent transmission packets.
By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.
----End
Service Requirements
A shopping mall wants to cut the number of shop assistants to reduce labor costs. It also
wants to perform Big Data analytics on customers' actions of picking up commodities to
understand popularity of commodities, make proper marketing strategies, and improve sales
profits. Additionally, the shopping mall wants to provide wireless network access for its
customers.
To meet these requirements, Huawei provides the smart shopping guide solution with tablet
kiosks installed.
Networking Requirements
l AC networking mode: Layer 2 in bypass mode
l DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
Figure 29-4 Networking diagram for configuring the smart shopping guide solution
[Figure 29-4 labels: smart shopping guide server, BLE label, tablet kiosk, AP, Switch, RADIUS server, STA, AC; interfaces GE0/0/2, GE0/0/1, GE0/0/1]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services to provide wireless access for tablet kiosks and wireless
network services for customers or employees.
5. Configure the Bluetooth data transparent transmission function.
6. Associate BLE labels with commodities.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 to VLAN 100, VLAN 101, and VLAN 102 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 102
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[Switch-GigabitEthernet0/0/2] quit
Step 3 Configure the AP to communicate with the host computer and RADIUS server.
Configure routes based on the actual networking situation to ensure network interworking
between the AP and host computer.
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
----------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure WLAN service parameters to provide wireless network services for customers or
employees.
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
Step 7 Configure WLAN service parameters to provide wireless access for tablet kiosks.
1. Configure RADIUS authentication parameters.
3. Create authentication profile wlan-ble, and bind the MAC access profile, authentication
scheme, and RADIUS server template to it.
[AC] authentication-profile name wlan-ble
[AC-authentication-profile-wlan-ble] mac-access-profile wlan-ble
[AC-authentication-profile-wlan-ble] authentication-scheme wlan-ble
[AC-authentication-profile-wlan-ble] radius-server wlan-ble
[AC-authentication-profile-wlan-ble] quit
# Create SSID profile wlan-ble and set the SSID name to wlan-ble.
[AC-wlan-view] ssid-profile name wlan-ble
[AC-wlan-ssid-prof-wlan-ble] ssid wlan-ble
[AC-wlan-ssid-prof-wlan-ble] quit
# Create VAP profile wlan-ble, configure the direct data forwarding mode and service
VLANs, and bind the security profile, authentication profile, and SSID profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-ble
[AC-wlan-vap-prof-wlan-ble] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-ble] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-ble] security-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] authentication-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] ssid-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] quit
# Bind the VAP profile to the AP group, and apply configurations of VAP profile wlan-
ble to radio 0 of APs in the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-ble wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
Step 8 Configure third-party server interconnection parameters. For details, see the corresponding
product manual.
Step 9 Configure the Bluetooth data transparent transmission function.
Configure the IP address of the host computer in the app of the tablet kiosk. Enable the
Bluetooth function of the tablet kiosk to allow it to receive BLE broadcast packets from the
BLE label. The detailed operations are not provided here.
Step 10 Associate BLE labels with commodities.
Use the mobile app to scan a commodity barcode and receive BLE label information through
Bluetooth to associate the BLE label with the commodity. The detailed operations are not
provided here.
Step 11 Verify the configuration.
# The WLAN service configuration is automatically delivered to the AP. After completing the
configuration, run the display vap ssid wlan-ble and display vap ssid wlan-net commands.
If the Status field displays ON, the VAP has been successfully created on the AP radios.
[AC] display vap ssid wlan-ble
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------
0     area_1  0    2   60DE-4476-E361 ON     OPEN      1   wlan-ble
--------------------------------------------------------------------------------
Total: 1
[AC] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2
# When the commodity with the BLE label is picked up, information about the commodity is
displayed on the tablet kiosk.
----End
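The Status check in Step 11 can be scripted so that it also confirms each SSID is broadcast with the intended authentication type. The following Python is an added example, not part of the Huawei guide; the sample text is constructed from the output above, and the POLICY mapping and function names are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the "display vap ssid" output in this example.
# It keeps one quirk of narrow terminals: an SSID wrapped onto its own line.
SAMPLE = """\
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    2   60DE-4476-E361 ON     OPEN         1   wlan-ble
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-
net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
--
Total: 3
"""

# Assumed policy: SSID -> auth types accepted for it. wlan-ble shows OPEN in the
# guide's output because it relies on MAC authentication through RADIUS.
POLICY = {"wlan-net": {"WPA/WPA2-PSK"}, "wlan-ble": {"OPEN"}}

SEPARATOR = re.compile(r"^-+$")
TOTAL = re.compile(r"^Total:\s*(\d+)$")
# Assumes AP names and SSIDs contain no spaces; the auth type may.
ROW = re.compile(
    r"^(?P<ap_id>\d+)\s+(?P<ap_name>\S+)\s+(?P<radio>\d+)\s+(?P<wlan_id>\d+)\s+"
    r"(?P<bssid>[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+(?P<status>\S+)\s+"
    r"(?P<auth>.+?)\s+(?P<sta>\d+)\s+(?P<ssid>\S+)$"
)


def parse_display_vap(text):
    """Return (rows, total) where total is the device's own 'Total:' count."""
    rows, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line) or line.startswith(("WID :", "AP ID")):
            continue  # legend, header, and (possibly wrapped) separator lines
        match = TOTAL.match(line)
        if match:
            total = int(match.group(1))
            continue
        match = ROW.match(line)
        if match:
            row = match.groupdict()
            for key in ("ap_id", "radio", "wlan_id", "sta"):
                row[key] = int(row[key])
            rows.append(row)
        elif rows and " " not in line:
            rows[-1]["ssid"] += line  # wrapped tail of the previous row's SSID
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return rows, total


def audit_vaps(rows, total, policy):
    """Compare parsed VAPs with the policy and return a list of findings."""
    findings = []
    if total is not None and total != len(rows):
        findings.append(f"parsed {len(rows)} rows but device reported Total: {total}")
    seen = set()
    for row in rows:
        where = f"AP {row['ap_name']} radio {row['radio']} SSID {row['ssid']}"
        seen.add(row["ssid"])
        if row["ssid"] not in policy:
            findings.append(f"{where}: SSID is not in the expected policy")
            continue
        if row["status"] != "ON":
            findings.append(f"{where}: Status is {row['status']}, expected ON")
        if row["auth"] not in policy[row["ssid"]]:
            allowed = ", ".join(sorted(policy[row["ssid"]]))
            findings.append(f"{where}: Auth type {row['auth']} is not one of {allowed}")
    for ssid in sorted(set(policy) - seen):
        findings.append(f"SSID {ssid}: no VAP found on any radio")
    return findings


if __name__ == "__main__":
    parsed_rows, reported_total = parse_display_vap(SAMPLE)
    for finding in audit_vaps(parsed_rows, reported_total, POLICY) or ["no findings"]:
        print(finding)
```

An SSID that is ON but advertised with a weaker authentication type than planned passes the guide's Status check and is reported here as a finding.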
Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-ble
mac-access-profile wlan-ble
authentication-scheme wlan-ble
radius-server wlan-ble
#
dhcp enable
#
radius-server template wlan-ble
radius-server shared-key cipher %^%#sx$wASg6*AV+89@"5.H9}E>4LMJ:+/lj$dR2I3F3%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-ble
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
Service Requirements
A shopping mall wants to perform Big Data analytics on customers' actions of picking up
commodities, so that it can understand popularity of commodities, make proper marketing
strategies, and improve sales profits. Additionally, the shopping mall wants to provide
wireless network access for its customers.
To meet these requirements, Huawei provides the smart shopping guide solution with no
tablet kiosk installed.
Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 29-5 Networking diagram for configuring the smart shopping guide solution
[Diagram: BLE label, STA, AP, Switch (GE0/0/1, GE0/0/2), AC (GE0/0/1), smart shopping guide server]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN service parameters to provide wireless network services for customers
or employees.
5. Configure the Bluetooth data transparent transmission function.
6. Associate BLE labels with commodities.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 to VLAN 100 and VLAN 101 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
--------------------------------------------------------------------------------------------
Total: 1
Step 6 Configure WLAN service parameters to provide wireless network services for customers or
employees.
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create BLE profile wlan-ble. Enable the Bluetooth data transparent transmission function,
configure the destination IP address and port number to which Bluetooth data is transparently
transmitted, and configure the mode for the AP to transparently transmit Bluetooth data.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable transparent-mode
[AC-wlan-ble-prof-wlan-ble] report enable
[AC-wlan-ble-prof-wlan-ble] report-to-server ip-address 10.23.102.1 port 10001
[AC-wlan-ble-prof-wlan-ble] report-mode periodic interval 3
[AC-wlan-ble-prof-wlan-ble] quit
# Add BLE clients within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002
# The WLAN service configuration is automatically delivered to the AP. After completing the
configuration, run the display vap ssid wlan-net command. If the Status field displays ON,
the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#;LgD%=-_`Sr(`u1]DT!Xg2/"/kXHs2/z>nGs-yI1%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ble-profile name wlan-ble
sniffer enable transparent-mode
report-mode periodic interval 3
report-to-server ip-address 10.23.102.1 port 10001
report enable
ble monitoring-list mac 1234-1234-1000
ble monitoring-list mac 1234-1234-1001
ble monitoring-list mac 1234-1234-1002
ap-group name ap-group1
ble-profile wlan-ble
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
ap-name area_1
ap-group ap-group1
#
return
Scenario Overview
Under fierce competition and affected by online consumption, large shopping malls and
comprehensive complexes have a slow growth in profits. They need to improve customers'
shopping experience and promote profit growth by providing personalized services.
To meet these requirements, Huawei provides the hotspot service and customer flow analysis
solution. The hotspot service allows customers to access Wi-Fi networks easily and securely
through Portal authentication. Customer flow analysis allows shopping malls to obtain useful
information such as consumption habits and occupations of customers according to their
moving tracks. Then the shopping malls can push customized advertisements to customers
through Wi-Fi networks.
Solution Benefits
This solution brings the following benefits:
• Customers can access Wi-Fi networks easily and securely, and enjoy good Internet
access experience.
• Shopping malls can accurately push customized advertisements to customers' mobile
phones, promoting user consumption and increasing sales.
• A WLAN can be reused as an IoT that provides the hotspot service and customer flow
analysis to achieve network integration, reduce network deployment and maintenance
costs, and help administrators centrally manage the network.
Network architecture
As shown in Figure 30-1, the network architecture consists of the terminal layer, access layer,
service layer, and application layer.
[Figure 30-1: network architecture diagram showing the terminal layer (STA), access layer (APs, switch, AC), service layer (RADIUS server, Portal server, policy configuration device), and application layer (customer flow analysis server)]
• Terminal layer
Smart terminals such as mobile phones are located at this layer.
• Access layer
APs, switches, and ACs are deployed at this layer.
• Service layer
A RADIUS server, a Portal server, and a policy configuration device are deployed at this
layer.
• Application layer
A customer flow analysis server is deployed at this layer.
Related Products
NOTE
Connect switches to the Cloud4Wi server through eSight or Agile Controller-CloudCampus, instead of direct
connection.
Hotspot Service
The hotspot service solution provides the Portal authentication access mode. Customers can
use social accounts, email addresses, and phone numbers for authentication. Advertisements
can be embedded into the authentication page.
HTTP or HTTPS is used for Portal authentication. For details about Portal authentication,
choose Configuration Guide > User Access and Authentication Configuration Guide >
NAC Configuration > Principles > Portal Authentication in the S1720, S2700, S5700, and
S6720 V200R012C00 Product Documentation.
[Figure: customer flow analysis process, showing the STA, APs, switch, AC, and customer flow analysis server, with data flows numbered 1 to 3]
1. APs collect STA information such as the MAC address, timestamp, and RSSI.
– When a STA is not associated with the WLAN, APs near the STA receive Probe
Request frames sent by the STA to obtain STA information such as the MAC
address, time stamp, and RSSI.
– When the STA is associated with the WLAN, surrounding APs obtain data required
for customer flow analysis from management frames and data frames sent by the
STA.
2. The APs send the collected information to the AC.
3. The AC directly sends the received data to the customer flow analysis server without
parsing the data.
4. The customer flow analysis server parses the STA's information such as the MAC
address, timestamp, and RSSI. According to the analysis of the customer's moving tracks
and other information such as the longest duration in a shop, the shopping mall can know
the customer's consumption habits and occupation. Graphical information will then be
displayed to instruct the shopping mall to push customized advertisements to customers.
Scenario Constraints
STAs that support random MAC addresses cannot be located before they are associated with a
Wi-Fi network. A random MAC address is a random virtual MAC address used by a STA in
the scanning phase. It is not a real MAC address.
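The constraint above can be applied on the analysis side by discarding pre-association observations whose source MAC is randomized. The following Python is an added example, not part of the Huawei guide: it treats the locally administered bit of the first octet as the marker of a randomized address, and the observation tuple layout and function names are assumptions, because the guide does not describe the report format.

```python
import re
from collections import defaultdict

# Constructed observations: (STA MAC, timestamp in seconds, RSSI in dBm, associated?).
# The tuple layout is an assumption; the guide only names the fields.
SAMPLE_OBSERVATIONS = [
    ("001a-2b3c-4d5e", 1000, -52, False),      # globally unique address, probing
    ("da:a1:19:00:00:01", 1001, -70, False),   # randomized address, probing
    ("da:a1:19:7c:22:9e", 1031, -68, False),   # randomized address, probing
    ("3a-5f-10-ab-cd-ef", 1040, -60, True),    # locally administered, associated
    ("001a-2b3c-4d5e", 1060, -48, False),
]


def parse_mac(text):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; return 6 bytes."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def to_huawei_notation(mac):
    """Format 6 bytes in the xxxx-xxxx-xxxx notation used throughout this guide."""
    digits = mac.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_locally_administered(mac):
    # Bit 1 of the first octet (U/L bit): set on randomized addresses.
    return bool(mac[0] & 0x02)


def is_group_address(mac):
    # Bit 0 of the first octet (I/G bit): never valid for a STA's source address.
    return bool(mac[0] & 0x01)


def filter_locatable(observations):
    """Split observations into per-STA tracks and dropped records with a reason."""
    tracks = defaultdict(list)
    dropped = []
    for mac_text, timestamp, rssi, associated in observations:
        mac = parse_mac(mac_text)
        key = to_huawei_notation(mac)
        if is_group_address(mac):
            dropped.append((key, timestamp, "group address cannot be a STA source"))
        elif is_locally_administered(mac) and not associated:
            dropped.append((key, timestamp, "randomized MAC seen before association"))
        else:
            tracks[key].append((timestamp, rssi))
    return dict(tracks), dropped


def distinct_sta_counts(observations):
    """Return (distinct MACs seen, distinct STAs that can actually be located)."""
    raw = {to_huawei_notation(parse_mac(obs[0])) for obs in observations}
    tracks, _ = filter_locatable(observations)
    return len(raw), len(tracks)


if __name__ == "__main__":
    located, discarded = filter_locatable(SAMPLE_OBSERVATIONS)
    print("locatable STAs:", sorted(located))
    print("dropped:", discarded)
    print("distinct MACs seen vs locatable:", distinct_sta_counts(SAMPLE_OBSERVATIONS))
```

Counting every distinct source MAC would report four visitors for this sample, while only two STAs can be tracked, which is why rotating pre-association addresses inflate raw visitor counts.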
Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.
Installing Servers
Contact vendors of the RADIUS server, Portal server, policy configuration device, and
customer flow analysis server to obtain related installation documents. The detailed
operations are not described in this document.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
----End
Context
The hotspot service provides WLAN coverage for STAs after they succeed in Portal
authentication. For details on how to configure Portal authentication, choose Configuration
Guide > User Access and Authentication Configuration > NAC Configuration >
Configuring an Access Profile > Configuring a Portal Access Profile (for an External
Portal Server-HTTP/HTTPS Protocol) and Configuration Guide > User Access and
Authentication Configuration > NAC Configuration > Configuring an Authentication
Profile in the S1720, S2700, S5700, and S6720 V200R012C00 Product Documentation.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Step 5 Run security open
The security policy is set to open system authentication.
By default, the security policy is open system.
The security policy must be set to open system authentication for Portal authentication.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 8 Run ssid ssid
An SSID name is configured.
----End
Context
Customer flow analysis allows APs to obtain information about STAs (such as the MAC
address, time stamp, and RSSI) in a shopping mall through the WLAN terminal location
function. The APs then send the information to the customer flow analysis server for statistics
collection and analysis.
Procedure
Step 1 Run system-view
Step 3 Set the working mode for radios in an AP group or for a specified radio.
You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
NOTE
NOTE
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to improve the scan frequency; however, higher scan frequency indicates
much larger impact on the services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
to scan channels.
NOTE
When a VAP profile exists in the system, you can use the existing one or create a new one.
Step 22 (Optional) Run private report-protocol { udp | http | https ssl-policy ssl-policy }
Step 24 Run private server { ip-address ip-address | domain domain } port port-num [ via-ac ac-
port ac-port-num ]
The destination IP address and port number are configured for the AP to report STA location
data.
By default, no destination IP address or port number is configured for the AP to report STA
location data.
• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
----End
To configure the customer flow analysis server, RADIUS server, Portal server, and policy
configuration device, contact server vendors to obtain related installation documents. The
detailed operations are not described in this document.
Service Requirements
To improve sales and increase profits, a shopping mall wants to promote consumption by
pushing customized advertisements to customers.
To meet these requirements, Huawei provides the hotspot service and customer flow analysis
solution. This solution provides secure and easy Wi-Fi access for customers and improves
user experience. Additionally, the shopping mall can analyze data to find shops that customers
are interested in and then push customized advertisements to their mobile phones, promoting
consumption.
Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 30-3 Network for configuring the hotspot service and customer flow analysis
[Diagram: customer flow analysis server (10.23.201.1), RADIUS server (10.23.200.1), policy configuration device (10.23.200.4), STA]
Data Planning
Item Data
Authentication profile
• Name: p1
• Bound profile and authentication scheme: Portal access profile portal1,
Configuration Roadmap
1. Configure the AC to communicate with servers.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure Portal authentication.
5. Configure WLAN services.
6. Configure communication parameters between APs and the host computer.
7. Configure APs' IP addresses on the host computer.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Configure routes based on the actual networking to ensure network interworking between the
AC and servers.
Step 3 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2
through GE0/0/4 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Add the APs to area_2 and area_3 in the same way.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type       State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP4050DN-E nor    0    22S     -
1   60de-4476-e380  area_2  ap-group1  10.23.100.253  AP4050DN-E nor    0    51S     -
2   60de-4476-e3a0  area_3  ap-group1  10.23.100.252  AP4050DN-E nor    0    55S     -
----------------------------------------------------------------------------------------------
Total: 3
[AC-wlan-view] quit
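The State check described above can be automated against the AP inventory imported offline. The following Python script is an added example, not part of the Huawei guide: it parses display ap all output and reports APs that are not in the nor state, that carry the P (insufficient power supply) flag, or that do not match the expected MAC-to-name inventory. The sample output is constructed (the fault state, the P flag on AP 1, and the AP with ID 3 are made up to exercise the checks), and the function names are hypothetical.

```python
import re

# Constructed sample in the wrapped layout of "display ap all" (each AP row
# continues on a second line holding Uptime and ExtraInfo). The state "fault",
# the "P" flag on AP 1 and the whole AP 3 row are constructed for this example.
SAMPLE_OUTPUT = """\
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor 0
22S -
1 60de-4476-e380 area_2 ap-group1 10.23.100.253 AP4050DN-E nor 0
51S P
2 60de-4476-e3a0 area_3 ap-group1 10.23.100.252 AP4050DN-E fault 0
- -
3 0011-2233-4455 lobby ap-group1 10.23.100.251 AP4050DN-E nor 0
9S -
Total: 4
"""

# Expected inventory (AP MAC -> AP name), as imported with ap-id ... ap-mac ...
EXPECTED_APS = {
    "60de-4476-e360": "area_1",
    "60de-4476-e380": "area_2",
    "60de-4476-e3a0": "area_3",
}

# One AP row; Uptime and ExtraInfo are optional because they may be wrapped.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(?P<name>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+(?P<state>\S+)\s+(?P<sta>\d+)"
    r"(?:\s+(?P<uptime>\S+)\s+(?P<extra>\S+))?$",
    re.IGNORECASE,
)
# Continuation line of a wrapped row, for example "22S -" or "1H:2M:3S P".
TAIL = re.compile(r"^(?P<uptime>(?:\d+[DHMS]:?)+|-)\s+(?P<extra>\S+)$")


def parse_display_ap_all(text):
    """Return one dict per AP row, accepting wrapped and unwrapped rows."""
    lines = [ln.strip() for ln in text.splitlines()]
    aps = []
    i = 0
    while i < len(lines):
        m = ROW.match(lines[i])
        if m:
            ap = m.groupdict()
            if ap["uptime"] is None:
                tail = TAIL.match(lines[i + 1]) if i + 1 < len(lines) else None
                if tail:
                    ap.update(tail.groupdict())
                    i += 1  # the continuation line has been consumed
                else:
                    ap["uptime"], ap["extra"] = "-", "-"
            ap["mac"] = ap["mac"].lower()
            aps.append(ap)
        i += 1
    return aps


def audit_aps(aps, expected):
    """Compare parsed AP rows with the expected inventory; return findings."""
    findings = []
    seen = set()
    for ap in aps:
        mac = ap["mac"]
        seen.add(mac)
        if mac not in expected:
            findings.append(("unexpected-ap", mac))
        elif ap["name"] != expected[mac]:
            findings.append(("name-mismatch", mac))
        if ap["state"] != "nor":
            findings.append(("not-normal", mac))
        if "P" in ap["extra"]:
            findings.append(("insufficient-power", mac))
    for mac in sorted(set(expected) - seen):
        findings.append(("missing-ap", mac))
    return findings


if __name__ == "__main__":
    for finding in audit_aps(parse_display_ap_all(SAMPLE_OUTPUT), EXPECTED_APS):
        print(finding)
```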
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
# Create the authentication domain huawei.com, and bind the AAA authentication scheme
radius_huawei and RADIUS server template radius_huawei to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei123 have been configured on the RADIUS server.
NOTE
The SSL policy configuration is not mentioned here. For details, see Web System Login Configuration
in the S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - Basic Configuration.
# Configure the authentication profile p1, bind the Portal access profile portal1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile portal1
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile p1
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit
# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit
# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit
# Create the location profile wlan-location, enable the Wi-Fi terminal location function, and
configure the destination IP address and port number for reporting location information.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] private mu-enable
[AC-wlan-location-prof-wlan-location] private server ip-address 10.23.201.1 port 32180 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] quit
Step 11 Add IP addresses of the APs to the host computer and configure the same shared key as that
on the APs.
# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4476-E380 ON WPA/WPA2-PSK 1 wlan-net
1 area_2 1 1 60DE-4476-E390 ON WPA/WPA2-PSK 0 wlan-net
2 area_3 0 1 60DE-4476-E3a0 ON WPA/WPA2-PSK 1 wlan-net
2 area_3 1 1 60DE-4476-E3b0 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 6
# STAs can discover the wireless network with SSID wlan-net and associate with it after
successful Portal authentication.
----End
Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Y+{_U['QgLX705'xUi3H-cXD0\iPHM~}c<8*IHl.%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
web-auth-server abc
port 50100
url https://10.23.200.2:8445/portal
protocol http password-encrypt uam
http-method post cmd-key cmd1
#
portal-access-profile name portal1
web-auth-server abc direct
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
portal web-authen-server https ssl-policy https-pol
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#*T~tI'mg@M*b6+.;NNq)`i[97LZlK~X_nSVeOEBO%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile p1
location-profile name wlan-location
private mu-enable
private server ip-address 10.23.201.1 port 32180 via-ac ac-port 10001
regulatory-domain-profile name default
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
ap-name area_1
ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
ap-name area_2
ap-group ap-group1
Scenario Overview
In large public places such as shopping malls with large areas and complicated environments,
it is difficult for customers to find shops or parked cars.
Huawei provides an intelligent indoor navigation solution that allows customers to quickly
find shops or parked cars following instructions of a mobile app.
This solution is applicable not only to shopping malls but also to airports, large exhibition
centers, and large libraries.
Solution Benefits
This solution brings the following benefits:
• Customers can quickly find shops or parked cars using a mobile app, improving
customer satisfaction with shopping malls and promoting customers' buying intention.
• A WLAN can be reused as an intelligent indoor navigation IoT network to achieve
network integration, reducing network deployment and maintenance costs and helping
administrators centrally manage the network.
Network Architecture
As shown in Figure 31-1, the network architecture of the intelligent indoor navigation IoT
solution consists of the terminal layer, access layer, network layer, and application layer.
[Figure 31-1: network architecture diagram; labels: application layer, network layer (Switch, AC), terminal layer (STA, Bluetooth signal)]
• Terminal layer
Smart terminals such as mobile phones and tablets are located at this layer.
• Access layer
APs are deployed at this layer.
• Network layer
ACs and switches are deployed at this layer.
• Application layer
The location server and app server are deployed at this layer.
Related Products
[Figure: network diagram; labels: Switch, AC, STA, Bluetooth signal; the numbered flows correspond to the steps below]
1. The built-in Bluetooth module of an AP scans for Bluetooth broadcast frames in the
surrounding environment to obtain the universal unique identifiers (UUIDs) and RSSI
calibration values of surrounding BLE devices and Bluetooth terminals (mobile phones
and tablets with the Bluetooth function enabled). The AP sends requests to the BLE
devices and Bluetooth terminals to obtain BLE power information.
2. The AP reports obtained information such as UUIDs, RSSI calibration values, and BLE
power of BLE devices to the AC, and reports Bluetooth terminal location packets to the
AC or location server.
The Bluetooth broadcast function needs to be enabled for the built-in Bluetooth module
of the AP, so that the AP can function as a BLE device to send BLE broadcast frames. In
this case, the AP can directly report the UUID, RSSI calibration value, and power of the
built-in Bluetooth module to the AC without the need of scanning.
3. The AC reports Bluetooth terminal location packets, as well as low power alarm and
fault alarm information about BLE devices to the location server.
4. On the location server, make floor plans and location map models, add BLE devices, set
their deployment locations, monitor their status, and compute Bluetooth terminal
locations.
5. The app server obtains map information and BLE device location information from the
location server.
6. The app server sends map information and BLE device locations to Bluetooth terminals.
Bluetooth terminals must be able to access the Internet through a WLAN or cellular
network, so the indoor navigation app installed on the Bluetooth terminals can
communicate with the app server.
7. Enable the indoor navigation app on a Bluetooth terminal and perform the following
steps:
a. Collect information about scanned BLE devices and their signal strengths.
b. Collect information about sensors of mobile phones, such as speed sensors and
gyroscopes.
c. Obtain map information from the location server.
d. The Bluetooth terminal computes the location information and uses the computing
results for applications such as indoor navigation, car seeking, and shop seeking to
provide users with the navigation and car or shop seeking services.
[Figure: recommended and non-recommended deployment modes of BLE devices]
Constraints
To use the indoor navigation IoT function, you need to enable the Bluetooth function of
terminals such as mobile phones and tablets and install the indoor navigation app.
Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.
Installing Servers
To install the location server and app server, contact the server vendors to obtain related
installation documents. The detailed operations are not described in this document.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
----End
Context
A WLAN can be reused as an indoor navigation IoT network, reducing network deployment
and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After a security profile is created, leaving it on the default security policy poses security
risks. You are advised to configure a proper security policy according to actual service
requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id
vlan-id | vlan-pool pool-name } ]
----End
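One way to check a saved AC configuration for the risk noted in Step 4 and Step 10, that is, a VAP profile left on a built-in default security profile or bound to a security profile with no security policy configured. The following Python script is an added example, not part of the Huawei guide. The sample configuration and the names guest, guest-sec and lab are constructed; the script assumes that the saved configuration file indents nested views by one space per level and that a security profile with no security line is still on the default policy.

```python
import re

# Built-in security profiles named in Step 4 of the procedure above.
BUILT_IN = {"default", "default-wds", "default-mesh"}

# Constructed sample. Assumption: nested views are indented one space per level.
SAMPLE_CONFIG = """\
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED-PLACEHOLDER%^%# aes
 security-profile name guest-sec
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest
  ssid-profile wlan-net
  security-profile guest-sec
 vap-profile name lab
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
   vap-profile lab wlan 2
  radio 1
   vap-profile wlan-net wlan 1
#
return
"""


def parse_wlan(config):
    """Return (security profiles, VAP bindings, VAP usage) from the wlan view.

    sec:     security profile name -> policy keyword, or None if no policy line
    vap:     VAP profile name -> bound security profile, or None if not bound
    applied: VAP profile name -> list of (AP group, radio ID) where it is used
    """
    sec, vap, applied = {}, {}, {}
    in_wlan, current, radio = False, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # top-level command or "#" separator
            in_wlan, current = (line == "wlan"), None
            continue
        if not in_wlan:
            continue
        if indent == 1:  # a profile or AP group header inside the wlan view
            m = re.match(r"(security-profile|vap-profile|ap-group) name (\S+)$", line)
            current, radio = (m.groups() if m else None), None
            if m and m.group(1) == "security-profile":
                sec[m.group(2)] = None
            elif m and m.group(1) == "vap-profile":
                vap[m.group(2)] = None
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "security-profile" and line.startswith("security "):
            sec[name] = line.split()[1]  # policy keyword, e.g. wpa-wpa2
        elif kind == "vap-profile":
            m = re.match(r"security-profile (\S+)$", line)
            if m:
                vap[name] = m.group(1)
        elif kind == "ap-group":
            m = re.match(r"radio (\d+)$", line)
            if m:
                radio = int(m.group(1))
                continue
            m = re.match(r"vap-profile (\S+) wlan (\d+)", line)
            if m and radio is not None:
                applied.setdefault(m.group(1), []).append((name, radio))
    return sec, vap, applied


def audit_vap_security(config):
    """Return (VAP profile, finding, radios where applied) for risky bindings."""
    sec, vap, applied = parse_wlan(config)
    findings = []
    for name in sorted(vap):
        bound, where = vap[name], applied.get(name, [])
        if bound is None or bound in BUILT_IN:
            findings.append((name, "uses-default-security-profile", where))
        elif bound not in sec:
            findings.append((name, "security-profile-not-defined", where))
        elif sec[bound] is None:
            findings.append((name, "security-profile-has-no-policy", where))
    return findings


if __name__ == "__main__":
    for finding in audit_vap_security(SAMPLE_CONFIG):
        print(finding)
```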
Context
Configure the Bluetooth location function for indoor navigation.
Procedure
Step 1 Run system-view
The UUID of BLE broadcast frames sent by an AP's built-in Bluetooth module is configured.
By default, the UUID of the BLE broadcast frames sent by an AP's built-in Bluetooth module
is null.
The mode in which Bluetooth terminal location packets are sent is configured.
The destination IP address and port number to which an AP sends Bluetooth terminal
location packets are configured.
By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.
A specified Bluetooth device is added to the monitoring list on the built-in Bluetooth module
of an AP.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.
----End
Service Requirements
In a shopping mall with a large area and a complex environment, it is difficult for customers
to find parked cars and shops. To help customers easily find shops or parked cars, improve
customer satisfaction, and promote customers' buying intention, the shopping mall expects to
provide navigation services.
To meet these requirements of the shopping mall, Huawei provides the indoor navigation
solution. This solution provides customers with easy and secure Wi-Fi network access and
improves customers' network experience. Additionally, an indoor navigation app is provided
for customers to find shops or parked cars, improving customer satisfaction.
Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
[Figure: networking diagram; labels: Switch, AC, GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4, STA, Bluetooth signal]
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking between the AC and location server, and between the
location server and app server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure the Bluetooth terminal location function.
6. Configure the location server.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 2 Configure network interworking between the AC and location server, and between the
location server and app server.
Configure routes based on the actual networking to ensure network interworking.
Step 3 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2
through GE0/0/4 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.
NOTE
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Add the APs to area_2 and area_3 in the same way.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type       State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP4050DN-E nor    0    22S     -
1   60de-4476-e380  area_2  ap-group1  10.23.100.253  AP4050DN-E nor    0    51S     -
2   60de-4476-e3a0  area_3  ap-group1  10.23.100.252  AP4050DN-E nor    0    55S     -
----------------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Add the BLE devices within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002
01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2 1234-1234-1002 2 area_3 -32 55% ibeacon
N 57 10
03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
----------------------------------------------------------------------------------
--------------------------------------------------
---------------
Total: 3
# A Bluetooth terminal can discover the wireless network with the SSID wlan-net, and can
associate with it after successful authentication. After opening the indoor navigation app and
obtaining location information from the app server, you can use the car seeking and shop
seeking functions.
----End
Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#.s:$0fYX$<HdNy8PVSOXjJ+o#IwB{Hd5toDo)`F$%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ble-profile name wlan-ble
broadcaster enable
sniffer enable ibeacon-mode
ble monitoring-list mac 1234-1234-1000
ble monitoring-list mac 1234-1234-1001
ble monitoring-list mac 1234-1234-1002
ap-group name ap-group1
ble-profile wlan-ble
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
ap-name area_1
ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
ap-name area_2
ap-group ap-group1
ap-id 2 ap-mac 60de-4476-e3a0 ap-sn 210235419610D2000068
ap-name area_3
ap-group ap-group1
#
return
Scenario Overview
In places such as shopping malls, employees and assets need to be located accurately so that
the shopping malls can identify their locations and movements, facilitating management.
To meet requirements in these scenarios, Huawei provides the personnel and asset
management IoT solution that uses Bluetooth tags to accurately locate personnel and assets.
Solution Benefits
This solution brings the following benefits:
• Location information about personnel and assets can be graphically displayed, and
moving tracks of personnel and assets and asset reports can be queried. This facilitates
unified personnel and asset management and control.
• A WLAN can be reused as a personnel and asset management IoT network to achieve
network integration, reduce network deployment and maintenance costs, and help
administrators centrally manage the network.
Network Architecture
As shown in Figure 32-1, the network architecture of the personnel and asset management
IoT solution consists of the terminal layer, access layer, network layer, and application layer.
[Figure 32-1: network architecture diagram; labels: application layer (location server), network layer (Switch, AC), access layer (APs), terminal layer (Bluetooth tags, Bluetooth signal)]
• Terminal layer
Bluetooth tags are deployed at this layer.
• Access layer
APs are deployed at this layer.
• Network layer
ACs and switches are deployed at this layer.
• Application layer
The location server is deployed at this layer.
Related Products
Figure 32-2 Network for the personnel and asset management IoT solution
[Diagram labels: location server, Switch, AC, APs, Bluetooth tags, Bluetooth signal; the numbered flows correspond to the steps below]
1. Bind Bluetooth tags to personnel and assets. Built-in Bluetooth modules of APs scan for
Bluetooth tags in the surrounding environment and collect BLE broadcast frames sent by
Bluetooth tags. A BLE broadcast frame carries Bluetooth tag information such as the
RSSI calibration value, battery level, and device disconnection alarms.
Bluetooth tags periodically send BLE broadcast frames but do not need to connect to the
WLAN.
NOTE
Use a scanning terminal to associate or manually record mappings between Bluetooth tags and
personnel/assets, and synchronize the mappings to the location server so that the location server can
identify the personnel or assets based on the Bluetooth tags.
2. The APs report Bluetooth tag information to the AC, such as the RSSI calibration value,
power, and Bluetooth tag disconnection alarms.
3. The AC then reports all the Bluetooth tag information and Bluetooth tag disconnection
alarms to the location server.
4. Make a floor plan on the location server, create a location map model, add APs with
built-in Bluetooth modules, and determine the AP installation locations. Compute
locations of Bluetooth tags, and provide graphical location information and moving
tracks of personnel and assets, and generate asset reports. In addition, you can monitor
working status of the Bluetooth tags.
Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.
Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.
----End
Context
A WLAN can be reused as a personnel and asset management IoT network, reducing network
deployment and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After the security profile is created, using the default security policy has security risks. You
are advised to configure a proper security policy according to actual service requirements. For
the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
----End
Context
Enable the Bluetooth tag location function to locate personnel and assets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
Step 4 Run sniffer enable tag-mode
The Bluetooth tag location function is enabled for built-in Bluetooth modules of APs.
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Run report enable
An AP is enabled to report Bluetooth packets.
By default, an AP is disabled from sending Bluetooth packets.
Step 6 (Optional) Run report-mode { immediate | periodic [ interval interval ] }
The mode in which an AP reports Bluetooth packets is configured.
By default, an AP sends Bluetooth packets at an interval of 10 seconds.
Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or
report-to-server domain domain port port-num
The domain name and port number of a destination server are configured for APs to report
Bluetooth tag location packets.
By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.
Step 8 Run quit
Return to the WLAN view.
Step 9 Enter the AP group view or the AP view.
l Run the ap-group name group-name command to enter the AP group view.
l Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 10 Run ble-profile profile-name
A BLE profile is bound to an AP group or an AP.
By default, no BLE profile is bound to an AP group or AP.
Step 11 Run quit
Return to the WLAN view.
Step 12 (Optional) Run ble report interval interval-value
The interval at which an AP reports Bluetooth device information is set.
By default, an AP reports Bluetooth device information at an interval of 10 minutes.
Step 13 (Optional) Run ble low-power-threshold low-power-threshold
A low power alarm threshold is set for BLE devices or Bluetooth tags.
By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.
Step 14 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]
Specified BLE devices or Bluetooth tags are added to the monitoring list of an AP's built-in
Bluetooth module.
By default, no Bluetooth devices are added to the monitoring list.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.
----End
Contact vendors to obtain related installation documents. The detailed operations are not
described in this document.
Service Requirements
A shopping mall often suffers from asset losses or fails to find assets. To reduce property loss
and facilitate asset management, the shopping mall wants to monitor the locations and moving
tracks of assets.
To meet these requirements, Huawei offers the personnel and asset management IoT solution.
Networking Requirements
l AC networking mode: Layer 2 in bypass mode
l DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 32-3 Network for configuring the personnel and asset management IoT solution
(Figure elements: location server, Switch, AC, three APs, Bluetooth tags and Bluetooth signals;
interface labels GE0/0/1 to GE0/0/4.)
Data Planning
Configuration Roadmap
1. Configure the AC to communicate with the location server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
NOTE
If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.
NOTE
Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. Configure
an AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Add the APs to area_2 and area_3 in the same way.
NOTE
The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP7052DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e3a0
[AC-wlan-ap-2] ap-name area_3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP7052DN nor   0   22S    -
1    60de-4476-e380 area_2 ap-group1 10.23.100.253 AP7052DN nor   0   51S    -
2    60de-4476-e3a0 area_3 ap-group1 10.23.100.252 AP7052DN nor   0   55S    -
----------------------------------------------------------------------------------------------
Total: 3
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Add all the Bluetooth tags within the AP coverage to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002
# STAs can discover the wireless network with SSID wlan-net and associate with it after
successful authentication.
----End
Configuration Files
l Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#)P{x4pF\iPP'Wm!wy%.IZyh!,_S(OXV/k>'KvG
%%%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ble-profile name wlan-ble
  sniffer enable tag-mode
  report-to-server domain testabc.com port 10001
  report enable
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
 ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
  ap-name area_2
  ap-group ap-group1
 ap-id 2 ap-mac 60de-4476-e3a0 ap-sn 210235419610D2000068
  ap-name area_3
  ap-group ap-group1
 provision-ap
#
return
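The following is an added example, not part of the Huawei guide or any Huawei tool. It audits a saved AC configuration for two points this section raises: tags left outside a non-empty ble monitoring-list (which then raise no offline or low-battery alarm) and security profiles created without a security command (which keep the default policy). The function names, the inventory list, the guest profile and the 4096-address range bound are assumptions made for the example.

```python
import re

def mac_to_int(mac):
    """Parse a MAC in the H-H-H form used on the page (1234-1234-1000)."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}", mac):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)

def int_to_mac(n):
    h = f"{n:012x}"
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))

def audit_ac_config(text, inventory):
    """Compare the BLE monitoring list with a tag inventory and list the
    security profiles that carry no explicit 'security' command."""
    monitored, profiles, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ble monitoring-list mac (\S+)(?: to (\S+))?", line)
        if m:
            lo = mac_to_int(m.group(1))
            hi = mac_to_int(m.group(2)) if m.group(2) else lo
            if not 0 <= hi - lo < 4096:  # sanity bound chosen for this example
                raise ValueError(f"bad monitoring range: {line!r}")
            monitored.update(int_to_mac(n) for n in range(lo, hi + 1))
        elif (m := re.fullmatch(r"security-profile name (\S+)", line)):
            current = m.group(1)
            profiles[current] = None
        elif line.startswith("security ") and current:
            profiles[current] = line.split()[1]  # policy keyword, e.g. wpa-wpa2
        elif re.match(r"\S+ name \S+", line):
            current = None  # a different profile or group block begins
    wanted = {int_to_mac(mac_to_int(t)) for t in inventory}
    return {
        "monitor_all": not monitored,  # empty list: all devices are monitored
        # Tags outside a non-empty list raise no offline or low-battery alarm.
        "unmonitored_tags": sorted(wanted - monitored) if monitored else [],
        "not_in_inventory": sorted(monitored - wanted),
        "profiles_on_default_policy": sorted(p for p, v in profiles.items() if v is None),
        "explicit_policies": {p: v for p, v in profiles.items() if v},
    }

# Constructed sample, modelled on the AC configuration file in this section.
SAMPLE_CONFIG = """\
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <cipher-text> aes
 security-profile name guest
 ssid-profile name wlan-net
 ble monitoring-list mac 1234-1234-1000 to 1234-1234-1001
 ble monitoring-list mac 1234-1234-10ff
"""
INVENTORY = ["1234-1234-1000", "1234-1234-1001", "1234-1234-1002"]  # constructed

if __name__ == "__main__":
    print(audit_ac_config(SAMPLE_CONFIG, INVENTORY))
```

The parser accepts both the ranged form typed at the CLI and the one-entry-per-line form that appears in the saved configuration file.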