01-03 Wireless Network Deployment and Configuration Suggestions
Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for
management packets and service data packets.
● Management VLAN: carries the packets forwarded through CAPWAP tunnels, that is,
management packets and any service data packets that are forwarded through
CAPWAP tunnels.
● It is recommended that you use different VLANs for the management VLAN and service
VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different. The
network between the AC and AP can only permit packets with management VLAN tags to
pass through, and cannot permit packets with service VLAN tags to pass through.
● When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface
allows packets from all VLANs but no VLAN is created by default. VLANs are automatically
created or deleted based on the VLAN list on the connected RU.
The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is
different from VLAN m', and VLAN s is different from VLAN s'.
● Figure 3-1 shows the process of forwarding management packets through
CAPWAP tunnels.
[Figure 3-1: Management packet]
In Figure 3-1:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.
[Figure 3-2: Data packet (STA, 802.11 payload, Internet)]
In Figure 3-2, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and forwards the packets to the destination.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets in 802.3 format reach the AP (the
packets are tagged with VLAN s' by upstream devices), the AP converts
the 802.3 packets into 802.11 packets and forwards them to the STA.
● Figure 3-3 shows the process of forwarding service data packets through
CAPWAP tunnels.
[Figure 3-3: Data packet through CAPWAP tunnel (STA, 802.11 payload, Internet)]
In Figure 3-3, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and encapsulates them in CAPWAP packets. The upstream switch
tags the packets with VLAN m. The AC decapsulates the CAPWAP packets
and removes the tag VLAN m' from the packets.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets reach the AC, the AC encapsulates the
packets in CAPWAP packets, allows the packets carrying VLAN s to pass
through, and tags the packets with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets, removes
VLAN s, converts the 802.3 packets into 802.11 packets, and forwards
them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated
packets. The intermediate devices between the AC and AP can only
transparently transmit packets carrying VLAN m and cannot be configured
with VLAN s encapsulated in the CAPWAP packets.
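The rules above (different management and service VLANs, no VLAN 1, and a transit network that carries only VLAN m in tunnel forwarding mode) can be checked before the configuration is applied. The following is an added example, not code from the Huawei document; the VLAN numbers and the per-link permit lists are constructed sample values, and "tunnel" and "direct" name the forwarding modes shown in Figures 3-3 and 3-2.

```python
"""Checks a management/service VLAN plan against the rules in this section.

Added example, not from the Huawei document. VLAN numbers and the transit-link
permit lists are constructed sample values.
"""

VLAN_MIN, VLAN_MAX = 1, 4094


def transit_vlans(mode, mgmt_vlan, service_vlans):
    """VLAN tags that actually appear on the AC-AP transit network.

    tunnel: service frames ride inside CAPWAP, so only the outer tag (VLAN m)
            is on the wire and VLAN s stays invisible to intermediate devices.
    direct: service frames are not encapsulated, so VLAN m and every VLAN s appear.
    """
    if mode == "tunnel":
        return {mgmt_vlan}
    if mode == "direct":
        return {mgmt_vlan} | set(service_vlans)
    raise ValueError(f"unknown forwarding mode: {mode}")


def check_vlan_plan(mode, mgmt_vlan, service_vlans, transit_permit):
    """Return a list of findings; an empty list means the plan follows the guidance."""
    findings = []
    for v in [mgmt_vlan, *service_vlans]:
        if not VLAN_MIN <= v <= VLAN_MAX:
            findings.append(f"VLAN {v} is out of range")
    if mgmt_vlan == 1 or 1 in service_vlans:
        findings.append("VLAN 1 is used as a management or service VLAN")
    if mgmt_vlan in set(service_vlans):
        # a hard requirement in tunnel mode, a recommendation otherwise
        severity = "must differ" if mode == "tunnel" else "should differ"
        findings.append(f"management and service VLAN {mgmt_vlan} {severity}")
    needed = transit_vlans(mode, mgmt_vlan, service_vlans)
    missing = sorted(needed - set(transit_permit))
    if missing:
        findings.append(f"transit link does not permit required VLAN(s) {missing}")
    if mode == "tunnel":
        # service VLANs never appear on the transit link in tunnel mode
        extra = sorted(set(service_vlans) & (set(transit_permit) - {mgmt_vlan}))
        if extra:
            findings.append(f"tunnel mode: service VLAN(s) {extra} should not be permitted on the transit link")
    return findings


if __name__ == "__main__":
    # constructed sample: management VLAN 100, service VLANs 200 and 201
    print(check_vlan_plan("tunnel", 100, [200, 201], transit_permit=[100]))
    print(check_vlan_plan("tunnel", 100, [100, 201], transit_permit=[100, 201]))
    print(check_vlan_plan("direct", 100, [200], transit_permit=[100]))
```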
When the STP topology changes, the device sends Topology Change (TC) packets
to instruct other devices to update their forwarding tables. If network flapping
occurs, the devices will receive a large number of TC packets in a short period of
time, and update MAC address or ARP entries frequently. As a result, the devices
are heavily burdened, threatening network stability.
The STP TC protection function is enabled by default. After enabling the TC
protection function, you can set the number of times a switching device processes
TC packets within a given time. If the number of TC packets received by the
switching device within the given time exceeds the specified threshold, the
switching device processes TC packets only for the specified number of times. For
the TC packets exceeding the threshold, the switching device processes them
together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, and therefore relieved
from the ensuing burdens.
# If you need to understand how the switching device processes TC packets,
enable the TC protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection
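The behaviour described above (process at most a configured number of TC packets per interval, and handle the excess together when the timer expires) is modelled below. This is an added example, not code from the Huawei document; the threshold of 1 and the 2 s interval are constructed values for the simulation, not the device's actual defaults.

```python
"""Model of STP TC protection: within one interval at most `threshold` TC
packets trigger a MAC/ARP table flush; the excess is deferred and handled
together once the timer expires.

Added example, not from the Huawei document. threshold=1 and interval=2.0
are constructed simulation values, not device defaults.
"""


class TcProtection:
    def __init__(self, threshold=1, interval=2.0):
        self.threshold = threshold
        self.interval = interval
        self.window_start = None   # start time of the current protection window
        self.processed = 0         # TC packets processed in this window
        self.deferred = 0          # TC packets held back until the timer expires
        self.flushes = []          # times at which MAC/ARP entries were flushed

    def tick(self, now):
        """Timer expiry: all deferred TC packets are handled as a single flush."""
        if self.window_start is not None and now - self.window_start >= self.interval:
            if self.deferred:
                self.flushes.append(now)
                self.deferred = 0
            self.window_start = None
            self.processed = 0

    def on_tc(self, now):
        """A TC packet arrives at time `now`; returns 'processed' or 'deferred'."""
        self.tick(now)
        if self.window_start is None:
            self.window_start = now
        if self.processed < self.threshold:
            self.processed += 1
            self.flushes.append(now)
            return "processed"
        self.deferred += 1
        return "deferred"


def simulate(arrivals, threshold=1, interval=2.0):
    """Return (flushes with protection, flushes without) for a list of TC arrival times."""
    tc = TcProtection(threshold, interval)
    for t in arrivals:
        tc.on_tc(t)
    if arrivals:
        tc.tick(arrivals[-1] + interval)   # let the last protection timer expire
    return len(tc.flushes), len(arrivals)


if __name__ == "__main__":
    # constructed burst: 20 TC packets within 1 s, as a flapping link would produce
    burst = [i * 0.05 for i in range(20)]
    print(simulate(burst))  # (2, 20): one immediate flush plus one deferred flush
```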
Optimized ARP reply enabled globally or on a specified VLANIF does not take
effect if any of the following commands is executed:
● arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-
collision function.
● arp ip-conflict-detect enable: enables IP address conflict detection.
● arp anti-attack check user-bind enable: enables dynamic ARP inspection.
● dhcp snooping arp security enable: enables egress ARP inspection.
● arp over-vpls enable: enables ARP proxy on the device located on a VPLS
network.
● arp-proxy enable: configures the routed ARP proxy function.
After the optimized ARP reply function is enabled, the following functions become
invalid:
● ARP rate limiting based on source MAC addresses (configured using the arp
speed-limit source-mac command)
● ARP rate limiting based on source IP addresses (configured using the arp
speed-limit source-ip command)
● Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate
limiting on interfaces (configured using the arp anti-attack rate-limit
enable command)
Reliability Configuration
ACs use cluster switch system (CSS) technology for networking, and access
switches are connected to different members in the CSS through Eth-Trunks. If one
AC is faulty, the network can be restored rapidly.
[Figure: AC_1 and AC_2 connected by a CSS link; access switch connected to both through an Eth-Trunk]
proxy function be disabled when the AC serves as the gateway, unless otherwise
required.
If STAs of multiple types exist, you can configure different authentication and
encryption modes. Hybrid encryption is recommended.
# Configure WPA-WPA2 authentication (802.1X authentication and hybrid
encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
In wireless city scenarios, you are advised to reduce the association aging time of
STAs. One minute is recommended.
# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
The STA blacklist and whitelist increase the burden on the AC and degrade AC
performance. Therefore, the blacklist and whitelist are not recommended, unless
otherwise required.
Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r
cannot associate with 802.11r-enabled WLANs. It is recommended that 802.11r be
disabled when multiple types of STAs exist on a WLAN.
Reporting Information about STA Traffic and Online Duration on APs Is Not Recommended
You can enable an AC to report information about STA traffic and online duration
on APs to eSight. After this function is enabled, the AC collects and reports the
information to eSight through Syslog when STAs get offline or roam within the
AC, which facilitates data query on eSight.
Frequent information reporting degrades AC performance, especially in scenarios
with a large number of STAs. Therefore, it is recommended that this function be
disabled no matter whether eSight is deployed on a WLAN. This function is
disabled by default.
# Disable the AC from reporting information about STA traffic and online duration
on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable
Different suggestions are provided for X series cards and non-X series cards of ACs.
● The user-level rate limiting function is recommended for X series cards and is
enabled by default. Supported packet types include ARP Request, ARP Reply,
ND, DHCP Request, DHCPv6 Request, and 802.1X. By default, the user-level
rate limit is 10 pps. You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c
to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20
● The attack source tracing function is recommended for non-X series cards and
is enabled by default. If the number of protocol packets of normal services
exceeds the specified checking threshold and an attack source punishment
action is configured, the attack source tracing function may affect these
normal services. You can attempt to disable the attack source tracing function
or disable this function for corresponding protocols to restore the services.
# Configure the device to discard packets from the identified source every 10
seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10
# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired
# Configure an air scan channel set that contains all calibration channels.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name huawei
[HUAWEI-wlan-air-scan-prof-huawei] scan-channel-set dca-channel
[Figure: two channel assignments of AP1 to AP4 on 2.4 GHz channels 1, 6 and 11; label format: 1 = channel number, 2.412 = center frequency (GHz)]
# Set the radio calibration mode to schedule and set the time for scheduled radio
calibration to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00
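Radio calibration moves neighbouring APs off overlapping 2.4 GHz channels; the check below flags the neighbour pairs a calibration run would need to fix. This is an added example, not code from the Huawei document: channel n is mapped to center frequency 2.412 + 0.005*(n - 1) GHz (channel 1 = 2.412 GHz, as labelled in the figure), two channels are treated as overlapping when their numbers differ by less than 5, and the AP neighbour pairs and both channel plans are constructed sample data.

```python
"""Checks a 2.4 GHz channel plan for overlapping neighbouring APs.

Added example, not from the Huawei document. Neighbour pairs and plans are
constructed; channel-to-frequency mapping is 2.412 + 0.005*(n - 1) GHz.
"""


def center_freq_ghz(channel):
    """Center frequency of 2.4 GHz channel 1-13, in GHz (channel 1 = 2.412)."""
    if not 1 <= channel <= 13:
        raise ValueError("only 2.4 GHz channels 1-13 are modelled")
    return round(2.412 + 0.005 * (channel - 1), 3)


def overlaps(ch_a, ch_b):
    """True when the two 20 MHz channels overlap, i.e. fewer than 5 channels apart."""
    center_freq_ghz(ch_a)   # validates the range
    center_freq_ghz(ch_b)
    return abs(ch_a - ch_b) < 5


def plan_conflicts(plan, neighbours):
    """Neighbour pairs whose channels overlap, as (ap_a, ap_b, ch_a, ch_b)."""
    return [(a, b, plan[a], plan[b]) for a, b in neighbours if overlaps(plan[a], plan[b])]


# constructed sample: four APs whose coverage areas overlap along these pairs
NEIGHBOURS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"), ("AP1", "AP3"), ("AP2", "AP4")]
BEFORE = {"AP1": 1, "AP2": 6, "AP3": 6, "AP4": 11}   # AP2 and AP3 share channel 6
AFTER = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 1}    # no neighbour pair overlaps

if __name__ == "__main__":
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        for a, b, ca, cb in plan_conflicts(plan, NEIGHBOURS):
            print(f"{name}: {a} ch{ca} ({center_freq_ghz(ca)} GHz) "
                  f"overlaps {b} ch{cb} ({center_freq_ghz(cb)} GHz)")
```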
Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and usually
associate with the 2.4 GHz frequency band by default when connecting to the
Internet through APs. To associate STAs with the 5 GHz frequency band, you need
to manually select the 5 GHz frequency band. The band steering function
addresses this issue.
After the band steering function is enabled for a specified SSID on the AC, the AP
preferentially associates the STAs connected to the SSID with the 5 GHz frequency
band. After the 5 GHz frequency band is fully loaded, the AP steers the STAs to
the 2.4 GHz frequency band.
If both radios of an AP use the same VAP profile, the band steering function takes
effect on both the radios as long as the function is enabled for an SSID on one
radio of the AP. For example, if the band steering function is enabled for the SSID
huawei on the 2.4 GHz radio but not on the 5 GHz radio, the AP preferentially
steers STAs associated with the SSID to the 5 GHz radio.
The band steering function is enabled by default. Single-radio APs do not support
the band steering function.