
S7700 and S9700 Series Switches Configuration Guide - WLAN-AC

3 Wireless Network Deployment and Configuration Suggestions

3.1 Network Design Suggestion

Enabling STP Edge Ports Connected to APs


To improve network stability and prevent network loops caused by incorrect
connections, the Spanning Tree Protocol (STP) is enabled on the device by default.
When an STP-enabled port on the device is connected to another device that does
not support STP, the port is blocked for 30 seconds. It is recommended that switch
ports connected to APs be configured as STP edge ports, so that the APs can
rapidly connect to the network.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp edged-port enable

Enabling LLDP on the PoE Ports Connected to APs


After the Link Layer Discovery Protocol (LLDP) is configured, the device can
analyze powered devices (PDs). When LLDP is disabled, the device can detect and
classify PDs only by analyzing the current and resistance between the device and
PDs. Compared with current and resistance analysis, the LLDP function provides
more comprehensive and accurate analysis.
Enable LLDP globally. After LLDP is enabled globally, the LLDP function is enabled
on all ports by default.
<HUAWEI> system-view
[HUAWEI] lldp enable

Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for
management packets and service data packets.
● Management VLAN: transmits packets that are forwarded through CAPWAP
tunnels, including management packets and service data packets forwarded
through CAPWAP tunnels.

Issue 13 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 3


● Service VLAN: transmits service data packets.


NOTE

● It is recommended that you use different VLANs for the management VLAN and service
VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different. The
network between the AC and AP can only permit packets with management VLAN tags to
pass through, and cannot permit packets with service VLAN tags to pass through.
● When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface
allows packets from all VLANs but no VLAN is created by default. VLANs are automatically
created or deleted based on the VLAN list on the connected RU.

The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is
different from VLAN m', and VLAN s is different from VLAN s'.
● Figure 3-1 shows the process of forwarding management packets through
CAPWAP tunnels.

Figure 3-1 Forwarding management packets through CAPWAP tunnels (diagram: AP, switch and AC in a row; the AP sends an untagged 802.3/UDP/IP/CAPWAP packet, the switch tags it with VLAN m, and the AC receives it tagged with VLAN m'; VLAN m and VLAN m' are management VLANs; the arrows show management packets)

In Figure 3-1:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.

– In the downlink direction (from the AC to the AP): When receiving
downstream management packets, the AC encapsulates the packets in
CAPWAP packets and tags them with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets.
● Figure 3-2 shows the process of directly forwarding service data packets.

Figure 3-2 Forwarding service data packets directly (diagram: STA, AP, switch and Internet in a row; the STA sends an 802.11 payload, the AP converts it into an 802.3 frame tagged with VLAN s, and the frame leaves the switch towards the Internet tagged with VLAN s'; VLAN s and VLAN s' are service VLANs; the arrows show data packets)

In Figure 3-2, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and forwards the packets to the destination.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets in 802.3 format reach the AP (the
packets are tagged with VLAN s' by upstream devices), the AP converts
the 802.3 packets into 802.11 packets and forwards them to the STA.
● Figure 3-3 shows the process of forwarding service data packets through
CAPWAP tunnels.

Figure 3-3 Forwarding service data packets through CAPWAP tunnels (diagram: STA, AP, switch, AC and Internet in a row; the AP converts the STA's 802.11 payload into an 802.3 frame tagged with VLAN s and encapsulates it in CAPWAP over UDP/IP, the switch adds the outer tag VLAN m, the AC receives the packet tagged with VLAN m' and forwards the decapsulated frame tagged with VLAN s towards the Internet; VLAN m and VLAN m' are management VLANs, VLAN s is the service VLAN; the arrows show data packets)

In Figure 3-3, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and encapsulates them in CAPWAP packets. The upstream switch
tags the packets with VLAN m. The AC decapsulates the CAPWAP packets
and removes the tag VLAN m' from the packets.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets reach the AC, the AC encapsulates the
packets in CAPWAP packets, allows the packets carrying VLAN s to pass
through, and tags the packets with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets, removes
VLAN s, converts the 802.3 packets into 802.11 packets, and forwards
them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated
packets. The intermediate devices between the AC and AP can only
transparently transmit packets carrying VLAN m and cannot be configured
with VLAN s encapsulated in the CAPWAP packets.
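
The two-level tagging described above (outer management VLAN m on the wire between the switch and the AC, inner service VLAN s carried inside the CAPWAP tunnel) is easier to see on concrete bytes. The following Python walkthrough is an added example, not Huawei's code or anything from this guide: it builds the upstream packet of Figure 3-3 hop by hop with constructed MAC addresses, IP addresses and VLAN IDs (VLAN m = 100, VLAN s = 200), a simplified all-zero CAPWAP header, and then shows that an intermediate device only ever sees the outer tag, which is why VLAN s cannot be configured on the devices between the AC and the AP.

```python
import struct

# Constructed sample values (assumptions for this example, not taken from the guide).
VLAN_M = 100    # management VLAN m: outer tag pushed by the access switch
VLAN_S = 200    # service VLAN s: inner tag set by the AP, carried inside the CAPWAP tunnel
STA_MAC = bytes.fromhex("00000000005a")
GW_MAC = bytes.fromhex("000000000001")
AP_MAC = bytes.fromhex("0000000000a1")
AC_MAC = bytes.fromhex("0000000000c1")
AP_IP, AC_IP = bytes([10, 0, 1, 10]), bytes([10, 0, 1, 1])
ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
CAPWAP_DATA_PORT = 5247          # CAPWAP data channel UDP port (RFC 5415)
CAPWAP_HDR = bytes(8)            # simplified 8-byte CAPWAP header; its fields are not modelled here


def dot1q(vid):
    """802.1Q tag: TPID 0x8100 followed by PCP/DEI/VID (PCP and DEI left at 0)."""
    return struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)


def ap_convert_and_tag(payload, vlan_s=VLAN_S):
    """AP step: the STA's 802.11 frame becomes an 802.3 frame tagged with VLAN s."""
    return GW_MAC + STA_MAC + dot1q(vlan_s) + struct.pack("!H", ETH_P_IP) + payload


def ap_capwap_encapsulate(inner_frame):
    """AP step: wrap the tagged 802.3 frame in CAPWAP/UDP/IP; the AP's own wire is untagged."""
    udp_len = 8 + len(CAPWAP_HDR) + len(inner_frame)
    udp = struct.pack("!HHHH", CAPWAP_DATA_PORT, CAPWAP_DATA_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, AP_IP, AC_IP)
    return AC_MAC + AP_MAC + struct.pack("!H", ETH_P_IP) + ip + udp + CAPWAP_HDR + inner_frame


def switch_push_management_tag(frame, vlan_m=VLAN_M):
    """Switch step: insert VLAN m as the outer tag without looking inside the tunnel."""
    return frame[:12] + dot1q(vlan_m) + frame[12:]


def outer_vlan(frame):
    """The only VLAN an intermediate device between AP and AC can act on (None if untagged)."""
    if struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def ac_decapsulate(frame):
    """AC step: strip VLAN m, walk IP/UDP/CAPWAP, return (VLAN s, payload) of the inner frame."""
    off = 12
    if struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        off += 4                                  # remove the outer management tag
    if struct.unpack("!H", frame[off:off + 2])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 CAPWAP frame")
    off += 2
    off += (frame[off] & 0x0F) * 4 + 8 + len(CAPWAP_HDR)   # IPv4 header, UDP header, CAPWAP header
    inner = frame[off:]
    if struct.unpack("!H", inner[12:14])[0] != ETH_P_8021Q:
        raise ValueError("inner frame carries no service VLAN tag")
    vlan_s = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
    return vlan_s, inner[18:]


def uplink_walkthrough(payload=b"GET / HTTP/1.1\r\n"):
    """Trace one upstream packet from STA to AC and report what each hop sees."""
    on_ap_wire = ap_capwap_encapsulate(ap_convert_and_tag(payload))
    on_trunk = switch_push_management_tag(on_ap_wire)
    vlan_s, recovered = ac_decapsulate(on_trunk)
    return {
        "ap_wire_vlan": outer_vlan(on_ap_wire),   # None: the AP sends CAPWAP untagged
        "trunk_vlan": outer_vlan(on_trunk),       # VLAN m: all the intermediate switch sees
        "inner_vlan": vlan_s,                     # VLAN s: visible only after CAPWAP decapsulation
        "payload": recovered,
    }
```

The design point is in outer_vlan(): it stops at the first tag, exactly as a transit switch does, so any VLAN policy between AC and AP has to be written in terms of VLAN m, and VLAN s only becomes visible once ac_decapsulate() has removed the tunnel.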

Enabling the STP TC Protection Function


The STP function is enabled on an AC by default. STP can prevent loops caused by
incorrect connections or by the redundant links deployed for link backup.

When the STP topology changes, the device sends Topology Change (TC) packets
to instruct other devices to update their forwarding tables. If network flapping
occurs, the devices will receive a large number of TC packets in a short period of
time, and update MAC address or ARP entries frequently. As a result, the devices
are heavily burdened, threatening network stability.
The STP TC protection function is enabled by default. After enabling the TC
protection function, you can set the number of times a switching device processes
TC packets within a given time. If the number of TC packets received by the
switching device within the given time exceeds the specified threshold, the
switching device processes TC packets only for the specified number of times. For
the TC packets exceeding the threshold, the switching device processes them
together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, and therefore relieved
from the ensuing burdens.
# If you need to understand how the switching device processes TC packets,
enable the TC protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection
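
As an added model of the TC protection behaviour described above (not Huawei's implementation, and the threshold, interval and arrival times are constructed), the following Python function processes up to a threshold of TC packets within one timer interval immediately and handles the excess together when the timer expires, so that a burst of TC packets no longer translates into one MAC/ARP flush per packet.

```python
def simulate_tc_protection(arrivals, threshold, interval):
    """
    Model of STP TC protection (assumption, not the device's code):
      - the first TC packet starts a timer of `interval` seconds
      - up to `threshold` TC packets in that interval are processed at once (one flush each)
      - further TC packets are deferred and processed together when the timer expires
    Returns a list of (time, tc_packets_covered) entries, one per forwarding-table flush.
    """
    events = []
    window_start = None
    handled = 0
    deferred = 0
    for t in sorted(arrivals):
        if window_start is not None and t >= window_start + interval:
            if deferred:                                     # timer expired: batch the excess
                events.append((window_start + interval, deferred))
            window_start, handled, deferred = None, 0, 0
        if window_start is None:
            window_start = t                                 # new timer
        if handled < threshold:
            handled += 1
            events.append((t, 1))                            # processed immediately
        else:
            deferred += 1                                    # over threshold: wait for the timer
    if deferred:
        events.append((window_start + interval, deferred))
    return events


def flush_count_protected(arrivals, threshold, interval):
    return len(simulate_tc_protection(arrivals, threshold, interval))


def flush_count_unprotected(arrivals):
    """Without TC protection every TC packet triggers its own table flush."""
    return len(arrivals)


# Constructed burst: six TC packets within half a second, then one more later.
ARRIVALS = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 2.5]
```

With a threshold of 3 packets per 2-second interval, the seven TC packets cause five flushes instead of seven, and the three excess packets of the burst are absorbed by a single flush when the timer expires at t = 2.0 s.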

Disabling an AC from Responding to TC Packets, Enabling MAC-ARP Association,
and Disabling IP Traffic Forwarding at Layer 2 During Link Switching on a Ring
Network When the AC Functions As a Gateway

In normal cases, when STP detects network topology changes, the device sends TC
packets to instruct its ARP module to age out or delete ARP entries. In this case,
the device needs to learn ARP entries again to obtain the latest ARP entry
information. However, if the network topology changes frequently or network
devices on the network have a large number of ARP entries, ARP learning will
increase the number of ARP packets. These ARP packets will occupy excessive
system resources and affect running of other services.
To prevent this situation, you can disable ARP tables from responding to TC
packets. In this way, ARP entries of network devices on the network are not aged
out or deleted even if the network topology changes. In addition, you can enable
MAC address-triggered ARP entry update to prevent user service interruption even
if ARP entries are not updated in a timely manner. In wireless scenarios, IP traffic
forwarding at Layer 2 is not supported when links are switched on a ring network.
Therefore, it is recommended that this function be disabled.
# Disable the device from aging out or deleting ARP entries upon network
topology changes.
<HUAWEI> system-view
[HUAWEI] arp topology-change disable

# Enable MAC address-triggered ARP entry update.
<HUAWEI> system-view
[HUAWEI] mac-address update arp

# Disable IP traffic forwarding at Layer 2 when links are switched on a ring
network.
<HUAWEI> system-view
[HUAWEI] ip forwarding converge normal

Configuring Port Isolation on Ports Connected to APs


In wireless application scenarios, APs typically do not need to access each other at
Layer 2 or exchange broadcast packets. Therefore, you can configure port isolation
on switch ports connected to APs. This function improves user communication
security and prevents invalid broadcast packet data from being sent to the APs,
ensuring the APs' forwarding performance and user services. In addition, port
isolation needs to be configured for Layer 2 network devices connected to the AP
gateway. For example, port isolation needs to be configured on the ports of
aggregation switches connected to APs on the same Layer 2 network.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1

User Isolation Is Recommended in Accounting Scenarios


In a traffic profile, user isolation prevents Layer 2 packets of all users from being
forwarded to each other. That is, the users cannot communicate with each other
after user isolation is enabled. This improves user communication security and
enables the gateway to centrally forward user traffic, facilitating user accounting
and management.
# Configure traffic profile traffic1 and Layer 2 wireless user isolation in the
profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name traffic1
[HUAWEI-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y

Enabling Optimized ARP Reply


A gateway may receive a large number of ARP Request packets that request the
device to reply with its local interface MAC address. If all these ARP Request
packets are sent to the control board for processing, the gateway's CPU is busy
with these ARP Request packets and cannot process other services.
To address the preceding problem, enable optimized ARP reply, which improves
the switch's capability of defending against ARP flood attack. After this function is
enabled, the switch performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is
the local interface address, the LPU directly returns an ARP Reply packet.
● When a switch receives an ARP Request packet of which the destination IP
address is not the local interface address and intra-VLAN proxy ARP is enabled
on the switch, the LPU checks whether the ARP Request packet meets the
proxy condition. If so, the LPU returns an ARP Reply packet. If not, the LPU
discards the packet.
The optimized ARP reply function is applicable to the device with multiple LPUs
configured.
By default, the optimized ARP reply function is enabled. After a device receives an
ARP Request packet, the device checks whether an ARP entry corresponding to the
source IP address of the ARP Request packet exists.
● If the corresponding ARP entry exists, the switch performs optimized ARP
reply to this ARP Request packet.
● If the corresponding ARP entry does not exist, the switch does not perform
optimized ARP reply to this ARP Request packet.

Optimized ARP reply enabled globally or on a specified VLANIF does not take
effect if any of the following commands is executed:
● arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-
collision function.
● arp ip-conflict-detect enable: enables IP address conflict detection.
● arp anti-attack check user-bind enable: enables dynamic ARP inspection.
● dhcp snooping arp security enable: enables egress ARP inspection.
● arp over-vpls enable: enables ARP proxy on the device located on a VPLS
network.
● arp-proxy enable: configures the routed ARP proxy function.

After the optimized ARP reply function is enabled, the following functions become
invalid:
● ARP rate limiting based on source MAC addresses (configured using the arp
speed-limit source-mac command)
● ARP rate limiting based on source IP addresses (configured using the arp
speed-limit source-ip command)
● Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate
limiting on interfaces (configured using the arp anti-attack rate-limit
enable command)
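
The decision logic of optimized ARP reply, including the conditions under which it does not apply, is collected in the following added Python example. It is not Huawei's code: the interface addresses and ARP table are constructed, and the "proxy condition" (which the guide does not spell out) is assumed to be "the target is a known host in the requester's VLAN".

```python
# Commands listed above that make optimized ARP reply ineffective when configured.
DISABLING_COMMANDS = frozenset({
    "arp anti-attack gateway-duplicate enable",
    "arp ip-conflict-detect enable",
    "arp anti-attack check user-bind enable",
    "dhcp snooping arp security enable",
    "arp over-vpls enable",
    "arp-proxy enable",
})

# Constructed switch state (assumptions for this example).
LOCAL_IPS = {"10.0.10.1", "10.0.20.1"}                    # VLANIF 10 and VLANIF 20 addresses
ARP_TABLE = {                                             # learned entries: ip -> (mac, vlan)
    "10.0.10.20": ("000a-000b-0020", 10),
    "10.0.10.30": ("000a-000b-0030", 10),
    "10.0.20.40": ("000a-000b-0040", 20),
}


def optimized_arp_reply_decision(src_ip, dst_ip, vlan, proxy_arp_vlans=frozenset(),
                                 configured=frozenset(), local_ips=LOCAL_IPS, arp_table=ARP_TABLE):
    """
    Decide how an ARP Request is handled. Return values:
      'control-board'    optimized reply does not apply; the request takes the normal CPU path
      'lpu-reply'        the LPU answers directly (target is a local interface address)
      'lpu-proxy-reply'  the LPU answers on behalf of a host (intra-VLAN proxy ARP)
      'lpu-discard'      proxy ARP is enabled but the proxy condition is not met
    """
    if configured & DISABLING_COMMANDS:
        return "control-board"          # one of the conflicting features is configured
    if src_ip not in arp_table:
        return "control-board"          # no ARP entry for the source: no optimized reply
    if dst_ip in local_ips:
        return "lpu-reply"
    if vlan in proxy_arp_vlans:
        # Assumed proxy condition (not defined by the guide): the target is a known host
        # in the same VLAN as the requester.
        target = arp_table.get(dst_ip)
        if target is not None and target[1] == vlan:
            return "lpu-proxy-reply"
        return "lpu-discard"
    return "control-board"              # not for us and no proxy ARP: normal processing (assumed)


def sample_decisions():
    """Constructed requests exercising each branch, in order."""
    return [
        optimized_arp_reply_decision("10.0.10.20", "10.0.10.1", 10),
        optimized_arp_reply_decision("10.0.10.99", "10.0.10.1", 10),
        optimized_arp_reply_decision("10.0.10.20", "10.0.10.30", 10, proxy_arp_vlans={10}),
        optimized_arp_reply_decision("10.0.10.20", "10.0.20.40", 10, proxy_arp_vlans={10}),
        optimized_arp_reply_decision("10.0.10.20", "10.0.10.30", 10),
        optimized_arp_reply_decision("10.0.10.20", "10.0.10.1", 10,
                                     configured={"arp anti-attack check user-bind enable"}),
    ]
```

The last sample request is the one to watch when planning: a request that would otherwise be answered on the LPU goes to the control board as soon as dynamic ARP inspection (or any of the other listed commands) is configured, so enabling one of those features silently gives up the CPU protection that optimized ARP reply provides.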

Reliability Configuration
ACs use cluster switch system (CSS) technology for networking, and access
switches are connected to different members in the CSS through Eth-Trunks. If one
AC is faulty, the network can be restored rapidly.

Figure 3-4 Reliability configuration (diagram: AC_1 and AC_2 joined by a CSS link; the four access switches below them connect to the CSS through Eth-Trunks)

ARP Proxy Is Not Recommended When the AC Serves as a Gateway


The ARP proxy function increases the burden on the gateway, reducing the
number of wireless users supported by the AC. It is recommended that the ARP
proxy function be disabled when the AC serves as the gateway, unless otherwise
required.

The AC Is Not Recommended as a DHCP Server


Wireless users roam, causing DHCP lease renewal (a short lease). This poses high
requirements for the performance of the DHCP server. When the AC serves as a
DHCP server, AC system performance is consumed, reducing the number of
wireless users supported by the AC. Therefore, it is not recommended that the AC
serve as both the gateway and DHCP server, unless otherwise required.

Properly Deploying eSight


If eSight is deployed, it periodically collects system data from the AC. In this case,
you need to deploy Performance Management (PM) and set the collection interval
to 30 minutes or longer.
PM is a technology used to collect and measure various system performance
indicators. The following uses the collection interval of 30 minutes as an example.
<HUAWEI> system-view
[HUAWEI] pm
[HUAWEI-pm] statistics-task task1
[HUAWEI-pm-statistics-task1] sample-interval 30

PM technology periodically collects system data and consumes system resources. If
eSight is not deployed, it is recommended that PM be disabled.

3.2 WLAN Service Configuration Suggestion

Configuring WPA2 + 802.1X Authentication


In commercial use environments, secure authentication and encryption modes are
required. WPA2-AES encryption is recommended. High-security 802.1X
authentication together with AES encryption is more suitable for closed enterprise
networks.
# Configure WPA2 authentication (802.1X authentication and AES encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x aes

If STAs of multiple types exist, you can configure different authentication and
encryption modes. Hybrid encryption is recommended.
# Configure WPA-WPA2 authentication (802.1X authentication and hybrid
encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip

Configuring the Retransmission Timeout Interval for RADIUS Request Packets

For a large-scale or busy network, configure the shortest retransmission timeout
interval for RADIUS request packets. When a long retransmission timeout interval
is set, retransmission occupies system resources. A short retransmission timeout
interval can improve the AC's packet processing capability.
The default retransmission timeout interval for wireless users is 5 seconds, which is
suitable for most wireless user authentication scenarios. When IP addresses of
more than eight authentication servers are configured in a RADIUS server
template, or 802.1X authentication is used, it is recommended that the
retransmission timeout interval be set to 1 second to improve network processing
efficiency.
# Set the retransmission timeout interval of RADIUS request packets to 1 second.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server timeout 1

Configuring the Timeout Interval for Sending 802.1X Authentication Requests

By default, the timeout interval for an AC to send 802.1X authentication requests
is 30 seconds, and the maximum number of retransmission times is 2. In some
scenarios, you can adjust these values properly to optimize network deployment.
If one-time passwords (OTPs) are used (for example, the network maintenance
department sends access passwords to STAs by short message: users request a
password, receive it, and then enter it for authentication), the process may take
more than 30 seconds. In this case, set a longer timeout interval for sending 802.1X
authentication requests.
If the network environment is poor (for example, wireless interference is severe)
and many packets are lost, you are advised to set a short timeout interval for
sending 802.1X authentication requests and a large number of retransmission
times to improve network convergence performance.
# Set the timeout interval for sending 802.1X authentication requests to 20
seconds, and the maximum number of retransmission times to 4.
<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 20
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4
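
To see how the timeout interval and the retransmission count interact in the two situations described above (slow OTP users versus a lossy radio environment), the following added Python model is useful. It is not Huawei's code: it assumes the authenticator sends the initial request at time 0, retransmits every tx-period seconds up to the configured retry count, gives up one tx-period after the last retransmission, and that the STA answers a fixed delay after the first request that actually reaches it. The loss pattern and delays are constructed.

```python
def dot1x_auth_outcome(tx_period, retries, client_delay, delivered=lambda i: True):
    """
    Model of the AC's EAP-Request retransmission (assumption, not the AC's code):
      - transmission i (0 = initial, 1..retries = retransmissions) is sent at i * tx_period
      - the AC gives up tx_period seconds after the last retransmission
      - the STA answers client_delay seconds after the first request that reaches it
      - delivered(i) tells whether transmission i survives the air interface (constructed loss model)
    Returns (success, response_time, give_up_time); response_time is None if nothing got through.
    """
    give_up = tx_period * (retries + 1)
    for i in range(retries + 1):
        if delivered(i):
            responded_at = i * tx_period + client_delay
            return (responded_at < give_up, responded_at, give_up)
    return (False, None, give_up)


def otp_scenario(tx_period, retries, otp_delay=95):
    """OTP users need a long time to obtain and type the password; no packet loss assumed."""
    return dot1x_auth_outcome(tx_period, retries, otp_delay)


def lossy_scenario(tx_period, retries, lost_transmissions=3):
    """Severe interference: the first `lost_transmissions` requests never reach the STA."""
    return dot1x_auth_outcome(tx_period, retries, 1, delivered=lambda i: i >= lost_transmissions)
```

With the defaults (30 seconds, 2 retransmissions) the AC gives up at 90 seconds, so a user who needs 95 seconds to obtain an OTP fails; the guide's example values (20 seconds, 4 retransmissions) extend the window to 100 seconds and the same user succeeds. In the lossy case the defaults fail because all three transmissions are lost, whereas 5 seconds with 6 retransmissions gets a request through on the fourth attempt at 15 seconds.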

Reducing the Number of SSIDs


SSIDs identify different wireless networks. When you search for available wireless
networks on a STA, the displayed wireless network names are SSIDs.
It is recommended that a limited number of SSIDs be configured on an AC. A
maximum of 16 SSIDs can be configured for each AP. Too many SSIDs occupy AC
system resources.

Reducing the Association Aging Time of STAs


STAs in stadiums move frequently, and a large number of STAs associate with APs
deployed at stadium entrances in a short period of time. As a result, no new STA
can associate with the APs after the number of associated STAs reaches the upper
limit.
Many STAs will leave the coverage area of the APs. Therefore, you are advised to
set the association aging time of STAs to 1 minute.

In wireless city scenarios, you are advised to reduce the association aging time of
STAs. One minute is recommended.

# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y

STA Blacklist and Whitelist Are Not Recommended


On a WLAN, the blacklist or whitelist can be configured to filter access from STAs
based on specified rules. The blacklist or whitelist allows authorized STAs to
connect to the WLAN and rejects access from unauthorized STAs.

The STA blacklist and whitelist increase the burden on the AC and degrade AC
performance. Therefore, the blacklist and whitelist are not recommended, unless
otherwise required.

802.11r Is Not Recommended


802.11r is an IEEE protocol that defines fast roaming. Before associating with
target APs, STAs complete handshakes for initial identity authentication. By
default, 802.11r is disabled.

Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r
cannot associate with 802.11r-enabled WLANs. It is recommended that 802.11r be
disabled when multiple types of STAs exist on a WLAN.

AP Load Balancing Is Not Recommended


After AP load balancing is configured, APs in the load balancing group forward
received Probe packets to the AC. The AC then determines the APs from which
STAs can access the WLAN. Too many Probe packets may degrade AC
performance. Therefore, it is recommended that the AP load balancing function be
disabled, unless otherwise required.

The Function of Recording Successful STA Associations in the Log Is Not Recommended

After the function of recording successful STA associations in the log is enabled,
information about successfully associated STAs is recorded in the log, so that the
administrator can view information about successful STA associations. Recording
successful STA associations in the log degrades AC performance, especially in
scenarios with a large number of STAs. Therefore, it is recommended that this
function be disabled. This function is disabled by default.

# Disable the function of recording successful STA associations in the log.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-assoc enable

Reporting Information about STA Traffic and Online Duration on APs Is Not
Recommended
You can enable an AC to report information about STA traffic and online duration
on APs to eSight. After this function is enabled, the AC collects and reports the
information to eSight through Syslog when STAs get offline or roam within the
AC, which facilitates data query on eSight.
Frequent information reporting degrades AC performance, especially in scenarios
with a large number of STAs. Therefore, it is recommended that this function be
disabled no matter whether eSight is deployed on a WLAN. This function is
disabled by default.
# Disable the AC from reporting information about STA traffic and online duration
on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable

Enabling the Function of Disconnecting Weak-Signal STAs


This function is recommended in high-density stadium and higher education
scenarios, but not recommended in wireless city scenarios.

3.3 Security Configuration Suggestion

Network Security Suggestion


To protect network devices' CPU against attacks and ensure that users can use
network resources properly, user control traffic and data traffic need to be limited.
It is recommended that the traffic be limited on network edges, that is, on APs.
● Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled
on an AP by default. The rate thresholds for ARP, ND, and IGMP flood attack
detection are 5 pps, 16 pps, and 4 pps, respectively. You are not advised to
change the default values. When service traffic is heavy on a network, the
values can be increased properly. However, it is recommended that the values
be increased by no more than 100%.
# Set the rate threshold for ARP flood attack detection to 10 pps. (This
function is supported only by V200R010.)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10
● Data traffic limiting: The rate limit of upstream and downstream packets for
each STA or all STAs associated with a VAP is configured in a traffic profile on
an AP.
# Set the rate limit of upstream packets to 1 Mbit/s for each STA associated
with the VAP that has the traffic profile p1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name p1
[HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024
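
The per-STA flood detection thresholds above (ARP 5 pps, ND 16 pps, IGMP 4 pps) and the rule that they should be raised by at most 100% can be checked offline against captured traffic. The following Python detector is an added example, not the AP's implementation: it measures each STA's per-protocol rate over a sliding one-second window (the window length is an assumption of the model) on a constructed packet list, and validates a proposed threshold change against the default.

```python
from collections import defaultdict, deque

# Default per-STA rate thresholds from the guide, in packets per second.
DEFAULT_THRESHOLDS = {"arp": 5, "nd": 16, "igmp": 4}
WINDOW = 1.0   # pps measured over a one-second sliding window (assumption of this model)


def validate_threshold(proto, new_value, defaults=DEFAULT_THRESHOLDS):
    """The guide's rule: a threshold may be raised, but by no more than 100% of its default."""
    default = defaults[proto]
    return default <= new_value <= 2 * default


def detect_floods(packets, thresholds=DEFAULT_THRESHOLDS, window=WINDOW):
    """
    packets: iterable of (timestamp_seconds, sta_mac, proto), sorted by time.
    Returns {(sta_mac, proto): time at which the STA first exceeded the threshold}.
    A STA exceeds the threshold when more than thresholds[proto] packets of that
    protocol arrive from it within any `window`-second span.
    """
    recent = defaultdict(deque)
    flagged = {}
    for t, sta, proto in packets:
        q = recent[(sta, proto)]
        q.append(t)
        while q and t - q[0] >= window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > thresholds[proto] and (sta, proto) not in flagged:
            flagged[(sta, proto)] = t
    return flagged


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = sorted(
    [(0.1 * i, "000a-000b-00aa", "arp") for i in range(8)]      # 8 ARP requests in 0.7 s: a burst
    + [(0.5 * i, "000a-000b-00bb", "arp") for i in range(6)]    # 2 pps: normal behaviour
    + [(0.1 * i, "000a-000b-00aa", "igmp") for i in range(4)]   # 4 IGMP in 0.3 s: at, not over, the limit
)


def report(thresholds=DEFAULT_THRESHOLDS):
    """Run the detector on the sample and return the flagged (STA, protocol) pairs."""
    return detect_floods(SAMPLE_PACKETS, thresholds)
```

With the defaults the bursting STA is flagged for ARP at the sixth packet (t = 0.5 s) while its four IGMP packets stay within the limit; raising the ARP threshold to 10 pps, the largest increase the guide allows, clears the report, and an attempt to set 11 pps is rejected by validate_threshold().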

Different suggestions are provided for X series cards and non-X series cards of ACs.

● The user-level rate limiting function is recommended for X series cards and is
enabled by default. Supported packet types include ARP Request, ARP Reply,
ND, DHCP Request, DHCPv6 Request, and 802.1X. By default, the user-level
rate limit is 10 pps. You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c
to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20
● The attack source tracing function is recommended for non-X series cards and
is enabled by default. If the number of protocol packets of normal services
exceeds the specified checking threshold and an attack source punishment
action is configured, the attack source tracing function may affect these
normal services. You can attempt to disable the attack source tracing function
or disable this function for corresponding protocols to restore the services.
# Configure the device to discard packets from the identified source every 10
seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

ICMP Fast Reply Is Recommended


Ping is a common method for checking network connectivity. However, a large
number of ICMP packets affect device performance, reducing the number of
wireless users supported by the AC. The ICMP fast reply function is enabled on a
switch by default. Keep this function enabled, unless otherwise required.

CAPWAP Tunnel Encryption Is Not Recommended


The parent and an AS transmit management packets through a Control and
Provisioning of Wireless Access Points (CAPWAP) tunnel. To ensure tunnel
confidentiality and security, you can use Datagram Transport Layer Security
(DTLS) to encrypt packets transmitted in the CAPWAP tunnel. DTLS encryption,
however, degrades AC performance. It is recommended that DTLS encryption be
disabled in scenarios without high security requirements or special customer
requirements.

3.4 Radio Configuration Suggestion

WIDS Is Not Recommended


Wireless Intrusion Detection System (WIDS) enables monitoring APs to
periodically detect wireless signals. In this manner, the AC can obtain information
about devices on the wireless network and take measures to prevent access from
unauthorized devices. Frequent monitoring and data reporting, however, degrade
AC performance. Therefore, it is recommended that WIDS be disabled, unless
otherwise required.

Scanning Channels of Unauthorized Devices


If the WIDS function is enabled, an AP scans all channels supported by the
corresponding country code by default. Frequent channel scanning degrades AC
performance. It is recommended that only calibration channels be scanned.

# Configure an air scan channel set that contains all calibration channels.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name huawei
[HUAWEI-wlan-air-scan-prof-huawei] scan-channel-set dca-channel

Configuring a Proper Interval for Reporting Information About Unauthorized Devices

If WIDS is enabled, a monitoring AP caches information about detected wireless
devices at the interval at which an AP incrementally reports wireless device
information. When the interval is reached, the monitoring AP reports the
information to the AC and then clears the reported information.

By default, an AP incrementally reports wireless device information to an AC at an
interval of 300 seconds. You are not advised to change the default value. When a
short interval is set, suspicious devices can be rapidly detected. If the interval is
too short, however, information about unauthorized devices that exist
instantaneously may be incorrectly reported. As a result, the reported information
may be incorrect, and information reporting occupies unnecessary AC and AP
resources.

# Set the interval at which an AP incrementally reports wireless device information
to an AC to 120 seconds.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name huawei
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office] device report-interval 120

Properly Configuring Radio Calibration


On a WLAN, operating status of APs is affected by the radio environment. In this
case, you can configure radio calibration. The radio calibration function can
dynamically adjust channels and power of APs managed by the same AC to ensure
that the APs work at the optimal performance.

Figure 3-5 Channels in the 2.4 GHz frequency band

Channel    Center frequency (GHz)
1          2.412
2          2.417
3          2.422
4          2.427
5          2.432
6          2.437
7          2.442
8          2.447
9          2.452
10         2.457
11         2.462
12         2.467
13         2.472
14         2.484

Frequent radio calibration degrades AC performance. Because radio signals are
centralized in high-density stadiums, radio calibration is triggered frequently to
prevent signal overlapping and interference. Therefore, it is recommended that
radio calibration be disabled in high-density stadiums, and manual or scheduled
calibration be used.

Figure 3-6 Channel adjustment principle: four APs with overlapping coverage areas (a circle represents an AP's coverage area; Channel X indicates the AP's working channel). Before channel adjustment, AP1, AP2, AP3 and AP4 work on channels 1, 6, 11 and 6 respectively, so the overlapping APs AP2 and AP4 share channel 6. After channel adjustment, AP1 and AP2 keep channels 1 and 6, AP3 moves to channel 6 and AP4 to channel 11, which removes the co-channel overlap between AP2 and AP4.

# Set the radio calibration mode to manual.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable manual

# Set the radio calibration mode to schedule and set the time for scheduled radio calibration to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00
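The channel plan of Figure 3-5 and the adjustment of Figure 3-6 can be worked through in code. The following Python script is an added illustration, not Huawei's radio calibration algorithm: it derives the non-overlapping 2.4 GHz channel set from the center frequencies above, then greedily re-plans channels for a four-AP topology. The coverage overlaps (AP1 overlapping AP2, AP3 and AP4; AP4 overlapping AP2 and AP3), the 22 MHz channel width and the exclusion of channel 14 are assumptions of the example, and the result differs in detail from the figure, which moves AP3 to channel 6 and AP4 to channel 11 while this greedy pass moves only AP2.

```python
"""Added illustration of the 2.4 GHz channel plan and of channel adjustment.
This is not Huawei's radio calibration algorithm; it shows the principle:
pick channels that do not overlap in spectrum, then give APs whose
coverage areas overlap different channels."""

# Centre frequencies in MHz of 2.4 GHz channels 1-14, as in Figure 3-5
# (channels 1-13 are 5 MHz apart; channel 14 sits 12 MHz above channel 13).
CENTER_MHZ = {ch: 2407 + 5 * ch for ch in range(1, 14)}
CENTER_MHZ[14] = 2484

# Assumption: an 802.11b/g/n 20 MHz channel is treated as 22 MHz wide, so two
# channels overlap when their centres are closer than 22 MHz.
CHANNEL_WIDTH_MHZ = 22


def overlaps(ch_a, ch_b):
    """True when the spectra of the two channels overlap."""
    return abs(CENTER_MHZ[ch_a] - CENTER_MHZ[ch_b]) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 14)):
    """Walk the channels upwards and keep each one that overlaps none of
    those already kept. Channel 14 is left out by default because it is
    permitted only in Japan (assumption about the regulatory domain)."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


def co_channel_conflicts(plan, neighbours):
    """Pairs of APs whose coverage areas overlap and whose channels overlap."""
    return [(a, b) for a, b in neighbours if overlaps(plan[a], plan[b])]


def calibrate(plan, neighbours, channels):
    """Greedy re-plan: the AP with the most overlapping neighbours is
    handled first; each AP takes the channel that conflicts with the fewest
    neighbours already re-planned, preferring to keep its current channel
    when tied. Returns a new {ap: channel} plan."""
    degree = {ap: 0 for ap in plan}
    for a, b in neighbours:
        degree[a] += 1
        degree[b] += 1
    order = sorted(plan, key=lambda ap: (-degree[ap], ap))
    new_plan = {}
    for ap in order:
        fixed = [
            new_plan[other]
            for a, b in neighbours
            for me, other in ((a, b), (b, a))
            if me == ap and other in new_plan
        ]

        def cost(ch):
            conflicts = sum(1 for n in fixed if overlaps(ch, n))
            return (conflicts, ch != plan[ap], ch)

        new_plan[ap] = min(channels, key=cost)
    return new_plan


# Constructed topology read from Figure 3-6 (assumption): AP1 overlaps AP2,
# AP3 and AP4; AP4 also overlaps AP2 and AP3. "Before" channels are the figure's.
NEIGHBOURS = [("AP1", "AP2"), ("AP1", "AP3"), ("AP1", "AP4"),
              ("AP2", "AP4"), ("AP3", "AP4")]
BEFORE = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 6}

if __name__ == "__main__":
    channels = non_overlapping_set()
    print("non-overlapping 2.4 GHz channels:", channels)
    print("conflicts before:", co_channel_conflicts(BEFORE, NEIGHBOURS))
    after = calibrate(BEFORE, NEIGHBOURS, channels)
    print("plan after:", after)
    print("conflicts after:", co_channel_conflicts(after, NEIGHBOURS))
```

Run it with `python3 calibrate_demo.py`. The cost tuple orders candidates by conflict count first and by "channel unchanged" second, which is why the re-plan touches as few APs as possible; a real AC additionally weighs measured interference and transmit power, which this illustration leaves out.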

Properly Configuring Band Steering

Compared with the 2.4 GHz frequency band, the 5 GHz frequency band has fewer interference sources and more available channels, and provides higher access capacity.

Most STAs support both the 5 GHz and 2.4 GHz frequency bands, but usually associate with the 2.4 GHz band by default when connecting to the Internet through APs; a user who wants the 5 GHz band has to select it manually. The band steering function addresses this issue.

After the band steering function is enabled for a specified SSID on the AC, the AP preferentially associates the STAs connected to the SSID with the 5 GHz frequency band. After the 5 GHz frequency band is fully loaded, the AP steers the STAs to the 2.4 GHz frequency band.
If both radios of an AP use the same VAP profile, band steering takes effect on both radios as long as it is enabled for an SSID on either radio. For example, if band steering is enabled for the SSID huawei on the 2.4 GHz radio but not on the 5 GHz radio, the AP still preferentially steers STAs associated with that SSID to the 5 GHz radio.
The band steering function is enabled by default. Single-radio APs do not support band steering.

Enabling Smart Roaming Based on Scenarios

On a traditional WLAN, when a STA moves away from an AP, the STA's access rate decreases, but the STA stays associated with that AP instead of reconnecting to it or roaming to another AP. This degrades user experience. The smart roaming function addresses this issue: when the AP detects that the signal-to-noise ratio (SNR) or access rate of a STA is lower than the specified threshold, it sends a Disassociation frame to the STA so that the STA reconnects to the AP or roams to another AP.
This function applies to high-density static scenarios, for example, lecture halls. It is not recommended in scenarios where STAs move frequently, such as wireless cities. If this function is enabled, you are advised to retain the default roaming threshold: if the threshold is set too high, STAs may go offline frequently; if it is set too low, STAs cannot roam to APs with better signals in a timely manner.
# Enable smart roaming.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name huawei
[HUAWEI-wlan-rrm-prof-huawei] smart-roam enable

Dynamic EDCA Parameter Adjustment Is Recommended

A WLAN has only three non-overlapping channels on the 2.4 GHz frequency band. When APs are densely deployed in high-density indoor scenarios such as universities, multiple APs have to work on the same channel. The resulting co-channel interference degrades network performance.
The dynamic enhanced distributed channel access (EDCA) parameter adjustment function allows APs to adjust EDCA parameters flexibly according to the number of detected STAs, reducing the probability of collisions, improving throughput, and enhancing user experience.
# Enable dynamic EDCA parameter adjustment.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name huawei
[HUAWEI-wlan-rrm-prof-huawei] dynamic-edca enable

Enabling the Short GI

In high-density indoor scenarios such as universities, you are advised to enable the short guard interval (GI) to improve the transmission rate of 802.11n and 802.11ac packets.

# Set the GI mode to short.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] guard-interval-mode short

Setting the RTS-CTS Operation Mode in a Radio Profile

The Request To Send/Clear To Send (RTS/CTS) handshake prevents data transmission failures caused by channel contention. If STAs performed an RTS/CTS handshake before every data frame, the RTS frames themselves would consume a large share of channel bandwidth, so the handshake is triggered only for frames longer than the RTS-CTS threshold. In high-density indoor scenarios such as universities, you are advised to use the rts-cts mode together with a suitable threshold (1400 bytes in the following example).
# Set the RTS-CTS operation mode to rts-cts in a radio profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-2g-prof-default] quit
[HUAWEI-wlan-view] radio-5g-profile name default
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-5g-prof-default] quit

Disconnecting Weak-Signal STAs

If the uplink signal strength of a STA received by an AP is low, the STA is usually far away from the AP. If the STA stays connected to the AP, a large number of packets are retransmitted and air interface resources are wasted. To prevent such a STA from reducing the throughput of the entire AP, you are advised to force it offline so that it can associate with an AP with better signal quality.
NOTE
If a large signal strength threshold is set, STAs may go offline easily. Set a proper threshold
based on the actual situation.

# Enable the function of disconnecting weak-signal STAs (V200R011C00 and earlier versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] smart-roam enable
[HUAWEI-wlan-rrm-prof-default] smart-roam roam-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20

# Enable the function of disconnecting weak-signal STAs (V200R011C10 and later versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] undo smart-roam quick-kickoff-threshold disable
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20
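The SNR-based kick-off decision shared by the smart roaming section and the weak-signal STA disconnection above can be simulated to see why the threshold value matters. The following Python script is an added illustration and not Huawei's implementation: it assumes the AP samples each STA's uplink SNR periodically and disassociates a STA only after the SNR has stayed below the threshold for a number of consecutive samples (the confirmation count and the SNR trace are constructed for the example; the page itself only specifies the threshold).

```python
"""Added illustration of the SNR-based kick-off decision behind smart
roaming and weak-signal STA disconnection. Not Huawei's implementation."""

# Constructed trace: (sample number, STA MAC, uplink SNR in dB as seen by the AP).
# STA ...01 stays near the AP; STA ...02 walks away and its SNR decays.
TRACE = [
    (1, "aa:aa:aa:00:00:01", 31), (1, "aa:aa:aa:00:00:02", 28),
    (2, "aa:aa:aa:00:00:01", 30), (2, "aa:aa:aa:00:00:02", 24),
    (3, "aa:aa:aa:00:00:01", 32), (3, "aa:aa:aa:00:00:02", 19),
    (4, "aa:aa:aa:00:00:01", 29), (4, "aa:aa:aa:00:00:02", 17),
    (5, "aa:aa:aa:00:00:01", 31), (5, "aa:aa:aa:00:00:02", 15),
    (6, "aa:aa:aa:00:00:01", 30), (6, "aa:aa:aa:00:00:02", 14),
]


def kickoff_decisions(trace, snr_threshold_db=20, confirm_samples=3):
    """Return [(sample_no, mac), ...] for every STA the AP would disassociate.

    A STA is kicked off once its SNR has been below snr_threshold_db for
    confirm_samples consecutive samples; one good sample resets the count.
    The confirmation count is an assumption of this example (the page only
    describes a threshold); it shows how momentary dips are ignored.
    """
    below = {}      # mac -> consecutive samples under the threshold
    kicked = []
    done = set()
    for sample_no, mac, snr_db in trace:
        if mac in done:
            continue            # already disassociated; it must re-associate
        if snr_db < snr_threshold_db:
            below[mac] = below.get(mac, 0) + 1
        else:
            below[mac] = 0
        if below[mac] >= confirm_samples:
            kicked.append((sample_no, mac))
            done.add(mac)
    return kicked


def compare_thresholds(trace, thresholds=(10, 20, 35)):
    """Run the same trace under several thresholds: too low and the weak STA
    is never moved on, too high and the healthy STA is disconnected as well."""
    return {t: kickoff_decisions(trace, snr_threshold_db=t) for t in thresholds}


if __name__ == "__main__":
    for threshold, decisions in compare_thresholds(TRACE).items():
        print(f"threshold {threshold} dB -> kicked: {decisions}")
```

With the default threshold of 20 dB only the departing STA is disassociated, at sample 5; at 35 dB both STAs are disconnected after three samples, which is the "STAs go offline frequently" failure mode, and at 10 dB the departing STA is never moved on. This is why the text advises keeping the default threshold unless measurements justify a change.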
