HCIE-WLAN V1.0 Lab Guide
ISSUE:1.0
Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.
The HCIE-WLAN certification system introduces you to the industry and market,
helps you in innovation, and enables you to stand atop the WLAN frontiers.
HCIE-WLAN Certification Training Lab Guide Page 2
Overview
This document is intended for candidates preparing for the HCIE-WLAN exam and for
readers who want to understand WLAN technologies, including the Huawei WLAN
solution, WLAN advanced technologies, WLAN network planning and optimization, and
WLAN fault troubleshooting.
Description
This lab guide introduces the following eight lab designs, covering the common WLAN
networking, special networking, high reliability, roaming, radio resource management
(RRM), multicast, security, WLAN IPv6, CloudCampus, and WLAN planning and design.
⚫ Lab 1: WLAN networking. This lab provides instructions on complex networking
configuration and commissioning so that you can understand how to deploy Huawei
WLANs in various networking scenarios.
⚫ Lab 2: WLAN high reliability. This lab provides instructions on configuring VRRP HSB,
dual-link HSB, N+1 backup, wireless configuration synchronization, CAPWAP link
failover, and WAN authentication bypass so that you can understand how to deploy
WLAN high reliability solutions.
⚫ Lab 3: WLAN roaming and QoS. This lab provides instructions on deploying inter-
WAC Layer 3 roaming, fast roaming, smart roaming, and QoS so that you can
understand WLAN roaming and QoS solutions.
⚫ Lab 4: WLAN radio calibration and network optimization. This lab provides
instructions on optimizing the WLAN network, improving network quality, and
enhancing user experience so that you can understand the contents, standards, and
implementation methods of network optimization.
⚫ Lab 5: WLAN security. This lab provides instructions on deploying security features
such as RADIUS authentication, HWTACACS, WIDS, and WIPS so that you can
understand WLAN security solution deployment.
⚫ Lab 6: WLAN IPv6 campus network solution deployment. This lab provides instructions
on deploying dual-stack terminals, IPv6 802.1X authentication, and dual-stack APs so
that you can understand IPv6 technologies in the WLAN IPv6 campus network
solution.
⚫ Lab 7: CloudCampus solution deployment. This lab introduces CloudCampus VXLAN
and SDN networking scenarios, helping you understand the WLAN cloud
management network solution.
⚫ Lab 8: WLAN planning and optimization. This lab provides instructions on designing
a WLAN network so that you can understand how to use the network planning tool
and learn network planning details.
Common Icons
Device Introduction
The following table lists devices recommended for HCIE-WLAN experiments and the
mappings between the device name, model, and software version.
Core switch   S5700            CloudEngine S5731-H24P4XC   V200R020C00SPC300
WAC           AirEngine 9700   AirEngine 9700-M            V200R020C00SPC200
AP            AirEngine 5700   AirEngine 5760-51           V200R020C00SPC200
Experiment Topology
1.1 Introduction
1.1.1 About This Lab
This lab provides instructions on configuring and commissioning comprehensive WLAN
scenarios so that you can understand how to deploy Huawei WLANs in different
networking scenarios.
1.1.2 Objectives
Upon completion of this task, you will be able to:
⚫ Understand Huawei WLAN networking scenarios.
⚫ Understand the WLAN Layer 3 networking configuration.
⚫ Understand the WLAN mesh networking configuration.
⚫ Master how to remotely bring APs online.
Core-SW   GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/2   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/3   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
WAC1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLAN 10
Agg1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg1      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg1      GE0/0/3   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg2      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
SW4       GE0/0/2   Trunk   PVID: 100   Allow-pass: VLAN 100 110 120
Core-SW   VLANIF 10   10.1.10.1/24
Core-SW   VLANIF 11   10.1.11.1/24
Core-SW   VLANIF 12   10.1.12.1/24
Core-SW   VLANIF 13   10.1.13.1/24
Core-SW   VLANIF 14   10.1.14.1/24
Core-SW   VLANIF 99   10.1.99.1/30
VLANIF 10 10.1.10.254/24
Tunnel0/0/0 192.168.12.1/24
AR1       GE0/0/1     10.1.99.2/30
AR1       GE0/0/2     20.1.1.1/30
GE0/0/1 20.1.1.2/30
Tunnel0/0/0 192.168.12.2/24
Management VLAN 10
AP group: HCIE, HCIE-Mesh
VAP profile: HCIE-Lab, HCIE-Interview
Security profile: HCIE-Lab, HCIE-Interview
SSID profile: HCIE-Lab, HCIE-Interview
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 14 99
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on Agg2, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on SW4, and configure interface types and VLANs to which the interfaces
belong.
# Create a VLAN on WAC1, and configure the type of its uplink interface and the VLAN to
which the interface belongs.
[Core-SW]
<WAC1>
<AR1>
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.13.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.14.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.10.10.10 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.254 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
<WAC1>display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------------------
Routing Tables: Public
Destinations: 17 Routes: 17
<WAC1>
<Core-SW>display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------
Routing Tables: Public
Destinations: 16 Routes: 16
<Core-SW>
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired :0
Conflict : 0 Disabled :0
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict :0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview1
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.13.1
Network : 10.1.13.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired :0
Conflict : 0 Disabled :0
-------------------------------------------------------------------------------------
Pool-name : interview2
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.14.1
Network : 10.1.14.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict :0 Disabled : 0
IP address Statistic
Total : 1265
Used :0 Idle : 1164
Expired :0 Conflict :0 Disabled: 101
[Core-SW]
# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
----------------------------------------------------------------------------------------------------------------------
Total: 3
<WAC1>
[WAC1-wlan-group-radio-HCIE/1] quit
[WAC1-wlan-ap-group-HCIE] quit
#
[WAC1-wlan-view] ap-group name HCIE-Mesh
[WAC1-wlan-ap-group-HCIE-Mesh] radio 1
[WAC1-wlan-group-radio-HCIE-Mesh/1] mesh-whitelist-profile HCIE-Mesh
[WAC1-wlan-group-radio-HCIE-Mesh/1] quit
[WAC1-wlan-ap-group-HCIE-Mesh] quit
[WAC1-wlan-view]
# Configure a mesh profile. Set the mesh network ID to HCIE-Mesh and aging time of
mesh links to 30s. Bind the security profile and mesh whitelist to the mesh profile.
# Configure mesh roles. Set the mesh role of AP3 to mesh-portal, and retain the default
mesh role mesh-node for AP4 and AP5. Mesh roles are configured through the AP system
profile.
Bind required profiles to the AP group to make mesh services take effect.
# Bind the AP system profile HCIE-Mesh to the AP group HCIE.
# Bind the mesh profile to the AP group HCIE to make mesh services take effect.
[AC-wlan-view]
# After mesh services take effect, run the display wlan mesh link all command to check
mesh link information.
Step 8 Configure a GRE tunnel between the branch and HQ to achieve communication
between them.
Verify that WAC1 and AR2 can communicate with each other.
<WAC1>
# Route connectivity is achieved between the local and peer ends of a tunnel to be
established.
Configure GRE tunnel interfaces.
# Configure a tunnel interface on WAC1.
<WAC1>
<WAC1>
Step 9 Configure APs at the branch to go online on the WAC at the HQ.
Create DHCP address pools on SW4.
# Create DHCP address pools for APs and services at the branch on SW4.
[SW4] ip pool ap
[SW4-ip-pool-ap] gateway-list 192.168.100.1
[SW4-ip-pool-ap] network 192.168.100.0 mask 255.255.255.0
Conflict :0 Disabled : 0
-------------------------------------------------------------------------------------------------------
Network section
Start End Total Used Idle (Expired) Conflict Disabled
-------------------------------------------------------------------------------------------------------
192.168.100.1 192.168.100.254 253 1 252(0) 0 0
-------------------------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP: mac-address PPPoE : mac-address
IPSec: user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN: user-id/session-id
-----------------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
------------------------------------------------------------------------------------------------
139 192.168.100.72 f4de-af36-b3c0 DHCP 86302 Used
-------------------------------------------------------------------------------------------------
[SW4]
# Create the AP group HCIE-Bran on WAC1 and add AP6 to the group.
----------------------------------------------------------------------------------------------------------------------
Total: 6
[WAC1]
----End
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
interface MEth0/0/1
ip address 172.21.59.1 255.255.128.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/5
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 99
#
ospf 1 router-id 10.1.10.1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.14.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
[Core-SW]
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14
#
return
<Agg1>
vlan batch 10 to 14
#
vlan pool lab
vlan 11 to 12
vlan pool interview
vlan 13 to 14
#
interface Vlanif10
ip address 10.1.10.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
interface Tunnel0/0/0
ip address 192.168.2.1 255.255.255.0
tunnel-protocol gre
source 10.1.10.254
destination 10.1.200.1
#
ospf 1 router-id 10.1.10.254
area 0.0.0.0
network 10.1.10.254 0.0.0.0
network 10.10.10.10 0.0.0.0
#
ip route-static 192.168.100.0 255.255.255.0 Tunnel0/0/0
ip route-static 192.168.110.0 255.255.255.0 Tunnel0/0/0
ip route-static 192.168.120.0 255.255.255.0 Tunnel0/0/0
#
capwap source ip-address 10.10.10.10
#
wlan
security-profile name HCIE-Lab
security wpa2 psk pass-phrase Huawei@123 aes
security-profile name HCIE-Mesh
security wpa2 psk pass-phrase Huawei@123 aes
security-profile name HCIE-Interview
security wpa2 psk pass-phrase Huawei@123 aes
ssid-profile name HCIE-Lab
ssid HCIE-Lab
ssid-profile name HCIE-Interview
ssid HCIE-Interview
vap-profile name HCIE-Lab
service-vlan vlan-pool lab
ssid-profile HCIE-Lab
security-profile HCIE-Lab
vap-profile name HCIE-Interview
service-vlan vlan-pool interview
ssid-profile HCIE-Interview
security-profile HCIE-Interview
mesh-whitelist-profile name HCIE
mesh-whitelist-profile name HCIE-Mesh
return
<WAC1>
2.1 Introduction
2.1.1 About This Lab
This lab provides instructions on configuring and commissioning WLAN high-reliability
networking so that you can understand how to deploy Huawei WLAN high-reliability
networking solutions.
2.1.2 Objectives
⚫ Understand Huawei WLAN high-reliability networking.
⚫ Master how to configure WLAN VRRP HSB networking.
⚫ Master how to configure WLAN N+1 backup networking.
⚫ Master how to configure WLAN link failover.
Core-SW   GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/2   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/3   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/4   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   GE0/0/5   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
WAC1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
WAC2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
WAC3      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg1      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg1      GE0/0/3   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, 12, 13, and 14
Agg2      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW   VLANIF 10   10.1.10.1/24
Core-SW   VLANIF 11   10.1.11.1/24
Core-SW   VLANIF 12   10.1.12.1/24
Core-SW   VLANIF 13   10.1.13.1/24
Core-SW   VLANIF 14   10.1.14.1/24
Core-SW   GE0/0/7     10.1.99.1/30
AR1       GE0/0/1     10.1.99.2/24
AR1       GE0/0/2     20.1.1.1/30
AR2       GE0/0/1     20.1.1.2/30
AR2       GE0/0/2     172.16.1.1/24
Management VLAN 10
AP group: HCIE, HCIE-Mesh
VAP profile: HCIE-Lab, HCIE-Interview
Security profile: HCIE-Lab, HCIE-Interview
SSID profile: HCIE-Lab, HCIE-Interview
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 14 99
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
#
[Agg1] interface GigabitEthernet 0/0/2
[Agg1-GigabitEthernet0/0/2] port link-type trunk
[Agg1-GigabitEthernet0/0/2] port trunk pvid vlan 10
[Agg1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 to 14
[Agg1-GigabitEthernet0/0/2] quit
#
[Agg1] interface GigabitEthernet 0/0/3
[Agg1-GigabitEthernet0/0/3] port link-type trunk
[Agg1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[Agg1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 to 14
[Agg1-GigabitEthernet0/0/3] quit
# Create VLANs on Agg2, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on WACs, and configure interface types and VLANs to which the interfaces
belong.
[Core-SW]
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.13.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.14.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.254 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[WAC2] ospf 1
[WAC2-ospf-1] area 0
[WAC2-ospf-1-area-0.0.0.0] network 10.1.10.253 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] return
<WAC2>
[WAC3] ospf 1
[WAC3-ospf-1] area 0
[WAC3-ospf-1-area-0.0.0.0] network 10.1.10.252 0.0.0.0
[WAC3-ospf-1-area-0.0.0.0] return
<WAC3>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total: 253 Used :0
Idle: 253 Expired : 0
Conflict: 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview1
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.13.1
Network : 10.1.13.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview2
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.14.1
Network : 10.1.14.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
IP address Statistic
Total: 1265
Used :0 Idle: 1164
Expired :0 Conflict: 0 Disabled: 101
[Core-SW]
# Create HSB service 0 on WAC1 and configure the IP addresses and port numbers for the
active and standby channels. Set the retransmission time and interval of HSB service 0.
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.1.10.254 peer-ip 10.1.10.253 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit
# Create HSB group 0 on WAC1, and bind HSB service 0 and the management VRRP group
to HSB group 0.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 10
[WAC1-hsb-group-0] quit
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] quit
# Create HSB service 0 on WAC2 and configure the IP addresses and port numbers for the
active and standby channels. Set the retransmission time and interval of HSB service 0.
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.1.10.253 peer-ip 10.1.10.254 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit
# Create HSB group 0 on WAC2, and bind HSB service 0 and the management VRRP group
to HSB group 0.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 10
[WAC2-hsb-group-0] quit
# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name HCIE
[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.1.10.253 local-ip ip-address 10.1.10.254 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 10
[WAC1-master-controller] quit
[WAC1-wlan-view] quit
[WAC2] wlan
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.1.10.254 local-ip ip-address 10.1.10.253 psk Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 10
[WAC2-master-controller] quit
[WAC2-wlan-view] quit
# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The Status field is displayed as cfg-mismatch. Manually trigger
wireless configuration synchronization from the master WAC to the backup master WAC.
Wait until the backup master WAC is restarted.
# Run the display sync-configuration status command to check the wireless configuration
synchronization status. If the Status field is displayed as up, the configurations of WAC1
and WAC2 have been synchronized.
---------------------------------------------------------------------------------------------------------------
10.1.10.253 Backup AC6508 V200R010C00SPC700 up 2021-03-31/11:12:08
----------------------------------------------------------------------------------------------------------------
Total: 1
<WAC1>
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] quit
Step 10 Configure WAC3 to provide dual-link cold backup for WAC1 and WAC2.
# Configure IP addresses for the primary and backup WACs in the AP system profile on
WAC1.
[WAC1] wlan
[WAC1-wlan-view] ap-system-profile name HCIE
[WAC1-wlan-ap-system-prof-HCIE] mesh-role mesh-portal
[WAC1-wlan-ap-system-prof-HCIE] primary-access ip-address 10.1.10.250
Warning: This action will take effect after resetting AP.
[WAC1-wlan-ap-system-prof-HCIE] backup-access ip-address 10.1.10.252
Warning: This action will take effect after resetting AP.
[WAC1-wlan-ap-system-prof-HCIE] quit
[WAC1-wlan-view]
#
[WAC1]wlan
[WAC1-wlan-view] ap-system-profile name HCIE-Mesh
[WAC1-wlan-ap-system-prof-HCIE-Mesh] mesh-role mesh-node
[WAC1-wlan-ap-system-prof-HCIE-Mesh] primary-access ip-address 10.1.10.250
Warning: This action will take effect after resetting AP.
[WAC1-wlan-ap-system-prof-HCIE-Mesh] backup-access ip-address 10.1.10.252
Warning: This action will take effect after resetting AP.
[WAC1-wlan-ap-system-prof-HCIE-Mesh] quit
#
[WAC1] hsb-group 0
[WAC1-hsb-group-0] undo hsb enable
[WAC1-hsb-group-0] undo bind-service 0
[WAC1-hsb-group-0] quit
# Configure IP addresses for the primary and backup WACs in the AP system profile on
WAC3.
[WAC3] wlan
[WAC3-wlan-view] ap-system-profile name HCIE
[WAC3-wlan-ap-system-prof-HCIE] mesh-role mesh-portal
[WAC3-wlan-ap-system-prof-HCIE] primary-access ip-address 10.1.10.250
Warning: This action will take effect after resetting AP.
[WAC3-wlan-ap-system-prof-HCIE] backup-access ip-address 10.1.10.252
Warning: This action will take effect after resetting AP.
[WAC3-wlan-ap-system-prof-HCIE] quit
[WAC3-wlan-view]
#
[WAC3] wlan
[WAC3-wlan-view] ap-system-profile name HCIE-Mesh
[WAC3-wlan-ap-system-prof-HCIE-Mesh] mesh-role mesh-node
[WAC3-wlan-ap-system-prof-HCIE-Mesh] primary-access ip-address 10.1.10.250
Warning: This action will take effect after resetting AP.
[WAC3-wlan-ap-system-prof-HCIE-Mesh] backup-access ip-address 10.1.10.252
Warning: This action will take effect after resetting AP.
[WAC3-wlan-ap-system-prof-HCIE-Mesh] quit
[WAC3-wlan-view]
# Enable the function of allowing new user access upon CAPWAP link disconnection on
WAC1.
# Enable the function of allowing new user access upon CAPWAP link disconnection on
WAC3.
----End
2.3 Verification
2.3.1 Simulating a Fault on WAC1
Simulate a fault on WAC1 and check the impact of WAC switchover on services.
# Ping the IP address 20.1.1.1 of AR1 continuously from PC1 to simulate Internet access.
Shut down GE0/0/1 on WAC1 and check whether services are affected.
C:\Users\admin>ping 20.1.1.1 -t
# Shut down GE0/0/1 on WAC2. The ping replies are still received normally.
C:\Users\admin>ping 20.1.1.1 -t
#
ip pool lab1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool lab2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.13.0 mask 255.255.255.0
#
ip pool interview2
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
#
interface Vlanif10
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.14.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
<Core-SW>
mesh-whitelist-profile HCIE-Mesh
channel 40mhz-plus 149
coverage distance 1
radio 2
vap-profile HCIE-Lab wlan 1
ap-group name Mesh
ap-system-profile HCIE-Mesh
regulatory-domain-profile HCIE
radio 1
mesh-profile HCIE-Mesh
mesh-whitelist-profile HCIE-Mesh
channel 40mhz-plus 149
coverage distance 1
ap-group name default
ap-group name HCIE-Bran
regulatory-domain-profile HCIE
ap-group name HCIE-Mesh
ap-system-profile HCIE-Mesh
regulatory-domain-profile HCIE
radio 1
mesh-profile HCIE-Mesh
mesh-whitelist-profile HCIE-Mesh
channel 40mhz-plus 157
coverage distance 1
ap-group name HCIE-Branch
regulatory-domain-profile HCIE
ap-id 0 type-id 100 ap-mac 30fd-65f8-fd40 ap-sn 2102351TYR10L4004310
ap-name ap1
ap-group HCIE
ap-id 1 type-id 115 ap-mac f4de-af36-b300 ap-sn 2102352UBR10L6001295
ap-name ap2
ap-group HCIE
ap-id 2 type-id 43 ap-mac f02f-a75e-5740 ap-sn 21500826412SH1906275
ap-name ap3
ap-group HCIE
ap-id 3 type-id 75 ap-mac 60f1-8a9c-2b40 ap-sn 21500831023GJ9022622
ap-name ap4
ap-group HCIE-Mesh
ap-id 4 type-id 75 ap-mac f898-ef7f-b400 ap-sn 21500831023GJ3001187
ap-name ap5
ap-group HCIE-Mesh
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif10
master-redundancy peer-ip ip-address 10.1.10.253 local-ip ip-address 10.1.10.254 psk Huawei@123
#
return
<WAC1>
vlan batch 10 to 14
#
vlan pool lab
vlan 11 to 12
vlan pool interview
vlan 13 to 14
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif10
ip address 10.1.10.253 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.250
admin-vrrp vrid 1
#
interface Ethernet0/0/47
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14
#
ospf 1
area 0.0.0.0
network 10.1.10.253 0.0.0.0
#
capwap source ip-address 10.1.10.250
#
hsb-service 0
service-ip-port local-ip 10.1.10.253 peer-ip 10.1.10.254 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif10
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ac protect enable
security-profile name HCIE-Lab
security wpa2 psk pass-phrase %^%#m&~&E'fKMRKx&!E3V:N3<y"ICeeB#8xkJk1}z/q-%^%# aes
security-profile name HCIE-Mesh
security wpa2 psk pass-phrase %^%#$c*vBe@=)K$du<Eu]13Y+~%V.sShwLejR05^&AF#%^%# aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#o[7"I"t]\4xd-e7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
security-profile name HCIE-Interview
security wpa2 psk pass-phrase %^%#TCar3U["k2h-6*3S/{uLd9A72%RT%Wq|kZ6JMNz7%^%# aes
ssid-profile name default
mesh-whitelist-profile HCIE-Mesh
channel 40mhz-plus 149
coverage distance 1
ap-group name default
ap-group name HCIE-Bran
regulatory-domain-profile HCIE
ap-id 0 type-id 100 ap-mac 30fd-65f8-fd40 ap-sn 2102351TYR10L4004310
ap-name ap1
ap-group HCIE
ap-id 1 type-id 115 ap-mac f4de-af36-b300 ap-sn 2102352UBR10L6001295
ap-name ap2
ap-group HCIE
ap-id 2 type-id 43 ap-mac f02f-a75e-5740 ap-sn 21500826412SH1906275
ap-name ap3
ap-group HCIE
ap-id 3 type-id 75 ap-mac 60f1-8a9c-2b40 ap-sn 21500831023GJ9022622
ap-name ap4
ap-group HCIE-Mesh
ap-id 4 type-id 75 ap-mac f898-ef7f-b400 ap-sn 21500831023GJ3001187
ap-name ap5
ap-group HCIE-Mesh
provision-ap
#
return
<WAC3>
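An added example (not part of the Huawei lab guide): a small Python audit for saved configuration dumps like the ones in Labs 1 and 2 above. It flags pass-phrases and PSKs that are not stored in the %^%#...%^%# ciphertext form seen in the WAC2 dump, the same plaintext secret used in more than one place, and trunk interfaces that lack "undo port trunk allow-pass vlan 1". The sample input is constructed from lines on this page plus a placeholder ciphertext; the rule names are hypothetical, and treating a trunk without that undo line as still carrying VLAN 1 is an assumption about the device default.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the Core-SW and WAC1 dumps on this page,
# plus one placeholder ciphertext value (not a real device secret).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 99
#
wlan
 security-profile name HCIE-Lab
  security wpa2 psk pass-phrase Huawei@123 aes
 security-profile name HCIE-Mesh
  security wpa2 psk pass-phrase Huawei@123 aes
 security-profile name HCIE-Interview
  security wpa2 psk pass-phrase %^%#CONSTRUCTED-PLACEHOLDER%^%# aes
 master controller
  master-redundancy peer-ip ip-address 10.1.10.253 local-ip ip-address 10.1.10.254 psk Huawei@123
#
return
"""

# Value that follows "pass-phrase", or a bare "psk" (but not the "psk" that only
# introduces "pass-phrase"). A %^%#...%^%# value is captured whole.
SECRET = re.compile(r"(?:pass-phrase|\bpsk(?!\s+pass-phrase))\s+(%\^%#.*?%\^%#|\S+)")
# Lines that open a named sub-view, used to say where a secret was found.
CONTEXT = re.compile(r"^(?:[\w-]+ name \S+|master controller)$")


def sections(text):
    """Split a dump into '#'-delimited sections of stripped lines.

    Stripping makes the parser work on indented device output and on
    flattened copies such as the ones on this page.
    """
    current = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            if current:
                yield current
            current = []
        else:
            current.append(line)
    if current:
        yield current


def is_ciphertext(value):
    """True when the value is wrapped in the %^%# markers (assumed device-encrypted)."""
    return len(value) > 8 and value.startswith("%^%#") and value.endswith("%^%#")


def audit(text):
    """Return (rule, location) findings; secret values are never echoed."""
    findings = []
    plaintext_uses = defaultdict(list)  # plaintext value -> locations
    for sec in sections(text):
        header, body = sec[0], sec[1:]
        if header.startswith("interface "):
            if ("port link-type trunk" in body
                    and "undo port trunk allow-pass vlan 1" not in body):
                findings.append(("trunk-allows-vlan1", header))
        context = header
        for line in sec:
            if CONTEXT.match(line):
                context = line
            m = SECRET.search(line)
            if m and not is_ciphertext(m.group(1)):
                findings.append(("plaintext-secret", context))
                plaintext_uses[m.group(1)].append(context)
    # Reuse can only be detected for plaintext values; ciphertext is opaque here.
    for contexts in plaintext_uses.values():
        if len(contexts) > 1:
            findings.append(("secret-reused", ", ".join(contexts)))
    return findings


if __name__ == "__main__":
    for rule, location in audit(SAMPLE_CONFIG):
        print(f"{rule}: {location}")
```
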
3.1 Introduction
3.1.1 About This Lab
This lab activity provides instructions on configuring and commissioning inter-WAC Layer
3 roaming so that you can understand how to deploy Huawei WLAN roaming.
3.1.2 Objectives
⚫ Understand the inter-WAC Layer 3 roaming network configuration.
⚫ Understand how to configure fast roaming.
⚫ Understand how to configure smart roaming.
⚫ Understand how to configure QoS for the WLAN network.
Figure 3-1 Network topology for the WLAN roaming & QoS lab
forwarded, so as to improve users' voice and video service experience. This also improves
the overall user experience because multiple users can be assigned equal bandwidth
occupation time.
PC2 accesses the HCIE-Interview network. To prevent STAs from maliciously occupying
network resources and reduce network congestion, the administrator wants to limit the
uplink rate of each STA on AP3 to 2 Mbit/s and the total uplink rate of all STAs on the VAP
to 30 Mbit/s.
Core-SW   GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/2   Trunk   PVID: 1     Allow-pass: VLANs 100, 110, and 120
Core-SW   GE0/0/3   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/5   Trunk   PVID: 1     Allow-pass: VLANs 100, 110, and 120
Agg1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/3   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 100, 110, and 120
Agg2      GE0/0/2   Trunk   PVID: 100   Allow-pass: VLANs 100, 110, and 120
Allow-pass: VLAN 10
PVID: 1
WAC2 GE0/0/1 Trunk
Allow-pass: VLAN 100
          VLANIF 10    10.1.10.1/24
          VLANIF 11    10.1.11.1/24
          VLANIF 12    10.1.12.1/24
WAC1      VLANIF 10    10.1.10.100/24
WAC1      Loopback 0   10.10.10.10/32
AR1       GE0/0/1      10.1.99.2/30
AR1       GE0/0/2      20.1.1.1/30
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 12 99 100 110 120
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
#
[Core-SW] interface GigabitEthernet 0/0/7
[Core-SW-GigabitEthernet0/0/7] port link-type access
[Core-SW-GigabitEthernet0/0/7] port default vlan 99
[Core-SW-GigabitEthernet0/0/7] quit
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on Agg2, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on WACs, and configure interface types and VLANs to which the interfaces
belong.
MEth0/0/1 172.21.59.1/17 up up
Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif99 10.1.99.1/30 up up
Vlanif100 10.1.100.1/24 up up
Vlanif110 10.1.110.1/24 up up
Vlanif120 10.1.120.1/24 up up
[Core-SW]
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.100 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] network 10.10.10.10 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[WAC2] ospf 1
[WAC2-ospf-1] area 0
[WAC2-ospf-1-area-0.0.0.0] network 10.1.100.100 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] network 100.100.100.100 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] return
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
-------------------------------------------------------------------------------------
Pool-name : ap2
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.100.1
Network : 10.1.100.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :1
Idle : 251 Expired : 0
Conflict : 0 Disabled : 1
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview1
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :4
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.110.1
Network : 10.1.110.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview2
Pool-No :5
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.120.1
Network : 10.1.120.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
IP address Statistic
Total : 1518
Used :3 Idle : 1513
Expired :0 Conflict :0 Disabled : 2
[Core-SW]
# Configure the CAPWAP source address (virtual IP address of the VRRP group) on WAC1.
# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name HCIE
[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
# Create a regulatory domain profile on WAC2. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
# Create an AP group on WAC2 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC2. (Use MAC addresses of the APs in the actual
environment.)
[WAC1] wlan
[WAC1-wlan-view] ssid-profile name HCIE-Lab
[WAC1-wlan-ssid-prof-HCIE-Lab] dot11r enable
Warning: This action may cause service interruption. Continue? [Y/N] y
[WAC1-wlan-ssid-prof-HCIE-Lab] quit
#
[WAC1-wlan-view] ssid-profile name HCIE-Interview
[WAC1-wlan-ssid-prof-HCIE-Interview] dot11r enable
Warning: This action may cause service interruption. Continue? [Y/N] y
[WAC1-wlan-ssid-prof-HCIE-Interview] quit
[WAC2] wlan
[WAC2-wlan-view] ssid-profile name HCIE-Lab
# Create a 5 GHz radio profile, and configure EDCA parameters for APs so that voice and
video services can preferentially use network bandwidth.
# In the SSID profile, configure EDCA parameters for STAs so that voice and video services
can preferentially use network bandwidth.
Configure the WMM function on WAC2 so that voice and video services can preferentially
use wireless network bandwidth.
# Create a 2.4 GHz radio profile, and configure EDCA parameters for APs so that voice and
video services can preferentially use network bandwidth.
# Create a 5 GHz radio profile, and configure EDCA parameters for APs so that voice and
video services can preferentially use network bandwidth.
# In the SSID profile, configure EDCA parameters for STAs so that voice and video services
can preferentially use network bandwidth.
---------------------------------------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit (32us) Ack-Policy
AC_VO 4 2 2 0 normal
AC_VI 5 3 5 0 normal
AC_BE 10 6 12 0 normal
AC_BK 10 8 12 0 normal
----------------------------------------------------------------------------------------------
[WAC1-wlan-view]
Check EDCA parameter settings for STAs in the SSID profile. The command output shows
that the priorities of AC_VI and AC_VO packets are higher than those of AC_BE and AC_BK
packets. Therefore, video and voice services can preferentially use wireless channels.
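How strongly the lab's STA-side EDCA values separate the four access categories, worked through as an added example (not part of the lab guide). The helper names `parse_edca` and `first_access_odds` are hypothetical, and the model is a simplifying assumption: two queues contend once on an idle channel, each with a fresh backoff drawn from 0..CWmin, with no retries.

```python
import re
from fractions import Fraction
from itertools import product

# STA-side EDCA lines as configured in the lab's SSID profile.
EDCA_CLIENT = """\
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
"""

LINE = re.compile(
    r"wmm edca-(?:client|ap) ac-(\w+) aifsn (\d+) ecw ecwmin (\d+) ecwmax (\d+)"
)


def parse_edca(text):
    """Return {ac: {aifsn, cwmin, cwmax}}.

    The CLI carries exponents (ECWmin/ECWmax); the contention window in
    slots is CW = 2**ECW - 1.
    """
    out = {}
    for m in LINE.finditer(text):
        ac = m.group(1)
        aifsn, emin, emax = map(int, m.group(2, 3, 4))
        out[ac] = {"aifsn": aifsn, "cwmin": 2**emin - 1, "cwmax": 2**emax - 1}
    return out


def first_access_odds(a, b):
    """Exact odds that queue `a` transmits before queue `b`, and that they tie.

    Each queue waits AIFSN + backoff slots after SIFS, with backoff uniform
    in 0..CWmin. The shorter wait wins the channel; equal waits collide.
    """
    waits_a = [a["aifsn"] + k for k in range(a["cwmin"] + 1)]
    waits_b = [b["aifsn"] + k for k in range(b["cwmin"] + 1)]
    total = len(waits_a) * len(waits_b)
    a_first = sum(1 for x, y in product(waits_a, waits_b) if x < y)
    tie = sum(1 for x, y in product(waits_a, waits_b) if x == y)
    return Fraction(a_first, total), Fraction(tie, total)


if __name__ == "__main__":
    params = parse_edca(EDCA_CLIENT)
    for hi, lo in (("vo", "vi"), ("vi", "be"), ("be", "bk")):
        win, tie = first_access_odds(params[hi], params[lo])
        print(f"AC_{hi.upper()} before AC_{lo.upper()}: {win} (tie {tie})")
```

With these values the longest possible AC_VO wait (5 slots) equals the shortest AC_VI wait, and the longest AC_VI wait (12 slots) equals the shortest AC_BE wait, so voice and video get near-strict priority rather than a statistical edge.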
Check the priority mapping configuration in the traffic profile. The command output shows
that the mapped DSCP values of AC_VI and AC_VO packets are higher than those of AC_BE
and AC_BK packets. Therefore, video and voice services are preferentially transmitted.
[WAC2-wlan-traffic-prof-HCIE] quit
# Check the rate limit configuration in the traffic profile. The command output shows that
the uplink rate limit of a single STA is 4000 kbit/s (4 Mbit/s) and the total uplink rate limit
of all STAs on the VAP is 100000 kbit/s (100 Mbit/s).
----End
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
network 10.1.100.1 0.0.0.0
network 10.1.110.1 0.0.0.0
network 10.1.120.1 0.0.0.0
#
return
<Core-SW>
#
sysname WAC2
#
vlan batch 100 110 120
#
interface Vlanif100
ip address 10.1.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 110 120
#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.100.100 0.0.0.0
network 100.100.100.100 0.0.0.0
#
capwap source ip-address 100.100.100.100
#
wlan
traffic-profile name HCIE
rate-limit client up 4000
rate-limit vap up 100000
priority-map downstream dscp 48 to 55 dot11e 4
priority-map downstream dscp 56 to 63 dot11e 5
priority-map downstream dscp 32 to 39 dot11e 6
priority-map downstream dscp 40 to 47 dot11e 7
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
security-profile name HCIE-Lab
security wpa2 psk pass-phrase %^%#Kr9[0/=3^'p6%v3_~J9<zYiJ*;'H&3.\;,Q1,z\.%^%# aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#o[7"I"t]\4xd-e7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
security-profile name HCIE-Interview
security wpa2 psk pass-phrase %^%#rd3!Fln.^,d8$:2&p}C"ysW/%4wsNTiT&`X|$ZHJ%^%# aes
ssid-profile name HCIE-Lab
ssid HCIE-Lab
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
dot11r enable
ssid-profile name HCIE-Interview
ssid HCIE-Interview
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
dot11r enable
vap-profile name default
vap-profile name HCIE-Lab
service-vlan vlan-id 110
ssid-profile HCIE-Lab
security-profile HCIE-Lab
traffic-profile HCIE
vap-profile name HCIE-Interview
service-vlan vlan-id 120
ssid-profile HCIE-Interview
security-profile HCIE-Interview
traffic-profile HCIE
regulatory-domain-profile name HCIE
radio-2g-profile name HCIE-2.4GHz
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
radio-5g-profile name HCIE-5GHz
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
mobility-group name HCIE
member ip-address 10.10.10.10
member ip-address 100.100.100.100
ap-group name HCIE
regulatory-domain-profile HCIE
radio 0
radio-2g-profile HCIE-2.4GHz
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
radio 1
radio-5g-profile HCIE-5GHz
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
radio 2
radio-5g-profile HCIE-5GHz
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
ap-group name default
ap-id 0 type-id 43 ap-mac f02f-a75e-5740 ap-sn 21500826412SH1906275
ap-name ap3
ap-group HCIE
provision-ap
#
return
<WAC2>
4.1 Introduction
4.1.1 About This Lab
This lab activity provides instructions on adjusting WLAN parameters and ranges so that
you can understand how to configure Huawei WLAN optimization.
4.1.2 Objectives
⚫ Understand WLAN radio resources management.
⚫ Understand the WLAN band steering function.
Core-SW   GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/2   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/3   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/3   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg2      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
WAC1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12

Core-SW   VLANIF 10    10.1.10.1/24
Core-SW   VLANIF 11    10.1.11.1/24
Core-SW   VLANIF 12    10.1.12.1/24
Core-SW   VLANIF 99    10.1.99.1/30
WAC1      VLANIF 10    10.1.10.100/24
WAC1      Loopback 0   10.10.10.10/32
AR1       GE0/0/1      10.1.99.2/30
AR1       GE0/0/2      20.1.1.1/30
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 12 99
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on Agg2, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on WAC1, and configure interface types and VLANs to which the interfaces
belong.
[Core-SW]
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.100 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
-------------------------------------------------------------------------------------
Pool-name : lab
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :0
Idle : 253 Expired : 0
Conflict : 0 Disabled : 0
# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name HCIE
[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
Create security profiles HCIE-Lab and HCIE-Interview, and set different passwords for them.
# Create the HCIE-Lab security profile on WAC1.
# Enable dynamic bandwidth selection on the 5 GHz band. (Dynamic bandwidth selection
cannot be enabled on the 2.4 GHz band.)
[WAC1-wlan-ap-group-HCIE] radio 1
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-bandwidth-select enable
Configure the dynamic frequency selection (DFS), noise floor threshold, and transmit power
control (TPC) functions for APs.
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] quit
# Set radio calibration mode to auto, the radio calibration interval to 1200 minutes, and
the start time for radio calibration to 03:00:00.
# Create a radio calibration policy. If the noise floor threshold for triggering radio
calibration is configured in the RRM profile, the radio calibration policy must be set to
noise-floor. Otherwise, the radio calibration function does not take effect.
# Set the default blacklist threshold for the number of times the channel environment
deteriorates to 7.
Check whether automatic channel selection and automatic transmit power selection are
enabled for APs.
VAP configurations:
WLAN ID 1:
SSID : HCIE-Lab
Forward mode : direct-forward
Authen mode : WPA2-PSK
Encrypt mode : AES
Service vlan : 11
WLAN ID 2:
SSID : HCIE-Interview
Forward mode : direct-forward
Authen mode : WPA2-PSK
Encrypt mode : AES
Service vlan : 12
---------------------------------------------------------------------------------------
Radio 1 configurations:
Radio enable : yes
Work mode : normal
WDS mode :-
Mesh mode :-
Radio band : 5G
Radio type : 11ax
Flexible radio switch : on
Config channel/bandwidth : -/20M
Actual channel/bandwidth : 161/20M
Config EIRP : 127
Actual EIRP : 10
Maximum EIRP : 29
VAP configurations:
WLAN ID 1:
SSID : HCIE-Lab
Forward mode : direct-forward
Authen mode : WPA2-PSK
Encrypt mode : AES
Service vlan : 11
WLAN ID 2:
SSID : HCIE-Interview
Forward mode : direct-forward
Authen mode : WPA2-PSK
Encrypt mode : AES
Service vlan : 12
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
AP system profile : default
Regulatory domain profile : HCIE
WIDS profile : default
Radio 0
Radio 2.4G profile : HCIE-2.4GHz
Radio 5G profile :
VAP profile
WLAN 1 : HCIE-Lab
WLAN 2 : HCIE-Interview
Mesh profile :
WDS profile :
Mesh whitelist profile :
WDS whitelist profile :
Location profile :
Radio switch : enable
Channel : -
Channel bandwidth : 20mhz
EIRP(dBm) : 127
Antenna gain(dB) : -
Coverage distance(100 m) : 3
Work mode : normal
Flexible radio switch : on
Radio frequency : 2.4G
Spectrum analysis : disable
---------------------------------------------------------------------------------------
[WAC1]
Because the RRM profile has been bound, you do not need to bind it again.
Step 16 Configure the per-packet power adjustment and smart antenna functions.
Enable per-packet power adjustment for APs in the 2G and 5G radio profile views.
----End
Video : 100
--------------------------------------------------------------------------------------------------------
<WAC1>
service-vlan vlan-id 12
ssid-profile HCIE-Interview
security-profile HCIE-Interview
regulatory-domain-profile name HCIE
dca-channel 2.4g channel-set 1,5,9,13
dca-channel 5g bandwidth 40mhz
air-scan-profile name HCIE
scan-period 80
scan-interval 12000
rrm-profile name HCIE
calibrate retransmission-rate-threshold 55
calibrate noise-floor-threshold -73
calibrate tpc threshold -61
calibrate min-tx-power 127
calibrate min-tx-power radio-5g 127
calibrate retransmission-rate-check interval 1 traffic-threshold 1500
smart-roam roam-threshold snr 25
smart-roam snr-margin high-level-margin 15 low-level-margin 5
smart-roam quick-kickoff-snr check-interval 300
uac client-number enable
uac client-number threshold access 40 roam 40
dynamic-edca enable
sta-load-balance dynamic rssi-threshold -68
sta-load-balance dynamic sta-number start-threshold 20
sta-load-balance dynamic sta-number gap-threshold number 5
dfs recover-delay 10
dynamic-edca threshold be-service 20
sta-load-balance dynamic rssi-diff-gap 10
radio-2g-profile name HCIE-2.4GHz
power auto-adjust enable
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile HCIE
air-scan-profile HCIE
interference station threshold 25
smart-antenna enable
smart-antenna valid-per-scope high-per-threshold 90
smart-antenna training-mpdu-number 480
radio-5g-profile name HCIE-5GHz
power auto-adjust enable
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile HCIE
air-scan-profile HCIE
interference station threshold 25
smart-antenna enable
smart-antenna valid-per-scope high-per-threshold 90
smart-antenna training-mpdu-number 480
ap-group name HCIE
regulatory-domain-profile HCIE
radio 0
radio-2g-profile HCIE-2.4GHz
vap-profile HCIE-Lab wlan 1
#
vlan batch 10 to 12
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 12
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 12
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 12
#
return
<Agg1>
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
return
<AR1>
5.1 Introduction
5.1.1 About This Lab
This lab activity provides instructions on configuring different WLAN security policies so
that you can understand how to deploy Huawei WLAN security networking.
5.1.2 Objectives
⚫ Understand how to configure WLAN 802.1X authentication.
⚫ Understand how to configure WLAN Portal authentication.
⚫ Understand how to configure WLAN Navi AC authentication.
Core-SW   GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/2   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/3   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Core-SW   GE0/0/5   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg1      GE0/0/3   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
Agg2      GE0/0/1   Trunk   PVID: 1     Allow-pass: VLANs 10, 11, and 12
Agg2      GE0/0/2   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
WAC1      GE0/0/1   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12
WAC2      GE0/0/1   Trunk   PVID: 10    Allow-pass: VLANs 10, 11, and 12

                   VLANIF 10    10.1.10.1/24
                   VLANIF 11    10.1.11.1/24
                   VLANIF 99    10.1.99.1/30
WAC1               VLANIF 10    10.1.10.100/24
WAC1               Loopback 0   10.10.10.10/32
WAC2 (Navi AC)     VLANIF 10    10.1.10.99/24
WAC2 (Navi AC)     Loopback 0   100.100.100.100/32
AR1                GE0/0/1      10.1.99.2/30
AR1                GE0/0/2      20.1.1.1/30
⚫ Configure WIPS.
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 12 99
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on Agg2, and configure interface types and VLANs to which the interfaces
belong.
# Create VLANs on WAC1, and configure the interface type and VLANs to which the
interface belongs.
# Create VLANs on WAC2, and configure the interface type and VLANs to which the
interface belongs.
[Core-SW]
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.100 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] network 10.10.10.10 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[WAC2] ospf 1
[WAC2-ospf-1] area 0
[WAC2-ospf-1-area-0.0.0.0] network 10.1.10.99 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] network 100.100.100.100 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] return
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
-------------------------------------------------------------------------------------
Pool-name : ap1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :3
Idle : 249 Expired :0
Conflict :0 Disabled :1
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :1
Idle : 252 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Pool-name : interview1
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used :4
Idle : 249 Expired :1
Conflict :0 Disabled :0
[Core-SW]
# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name HCIE
[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
# Create the security profile HCIE-Interview on WAC1 and set the authentication mode to
open-system authentication if Portal authentication is used.
[WAC1-wlan-vap-prof-HCIE-Interview] quit
[WAC1] aaa
[WAC1-aaa] authentication-scheme HCIE
[WAC1-aaa-authen-HCIE] authentication-mode radius
[WAC1-aaa-authen-HCIE] quit
#
[WAC1-aaa] accounting-scheme HCIE
[WAC1-aaa-accounting-HCIE] accounting-mode radius
[WAC1-aaa-accounting-HCIE] quit
[WAC1-aaa] quit
Create the authentication profile HCIE-Lab, and bind the 802.1X access profile,
authentication and accounting schemes, and RADIUS server template to the authentication
profile.
[WAC1] wlan
[WAC1-wlan-view] vap-profile name HCIE-Lab
[WAC1-wlan-vap-prof-HCIE-Lab] authentication-profile HCIE-Lab
[WAC1-wlan-vap-prof-HCIE-Lab] quit
[WAC1]web-auth-server HCIE
[WAC1-web-auth-server-HCIE] server-ip 172.21.59.102
[WAC1-web-auth-server-HCIE] port 50200
[WAC1-web-auth-server-HCIE] shared-key cipher Huawei@123
[WAC1-web-auth-server-HCIE] url https://172.21.59.102:19008/portal
[WAC1-web-auth-server-HCIE] url-template HCIE
[WAC1-web-auth-server-HCIE] quit
# Create the authentication profile HCIE-Interview, and bind the Portal access profile,
authentication and accounting schemes, authentication-free profile, and RADIUS server
template to the authentication profile.
[WAC1] wlan
[WAC1-wlan-view] vap-profile name HCIE-Interview
[WAC1-wlan-vap-prof-HCIE-Interview] authentication-profile HCIE-Interview
[WAC1-wlan-vap-prof-HCIE-Interview] quit
# Choose Admission > Admission Resources > User Management from the main menu.
# Choose User Management > User from the main menu. Click to add a user group
named HCIE-WLAN.
# Select the created user group and click Create to add users (each for HCIE-Lab and HCIE-
Interview) to the user group.
# When creating a user, you are advised to bind an email address or phone number to the
user so that the user can reset the password when necessary. In this lab environment, there
is no SMS or email gateway. Therefore, you do not need to set the email address or phone
number.
# Choose Admission > Admission Resources > User Management > Role Management from
the main menu.
# Click Create to create a role.
# In the Select Account dialog box, select a desired user account, and click to associate
the role with the user account.
# Click OK.
# Click OK.
# Select the created admission device group, click the Admission device tab, and click
Create to add an admission device.
# Set WAC1 as the admission device, enable RADIUS authentication parameters, and set
RADIUS authentication parameters.
# Ensure that the authentication, accounting, and authorization keys, and accounting
interval are the same as those configured on WAC1.
# Choose Admission > Admission Policy > Authentication and Authorization >
Authentication Rules from the main menu. Click Create and configure an authentication
rule. Set the authentication mode to User access authentication.
# Select the items to be matched in the authentication rule. All items are optional, and all
the selected ones need to be matched to pass the authentication.
# Create an authentication rule for HCIE-Lab.
# Create another authentication rule and set the authentication rule parameters for HCIE-
Interview.
# Create an authorization result for users to access the HCIE-Lab network and select an
ACL to grant different permissions to the users.
# Click OK.
# Click OK.
# In the dialog box that is displayed, double-click Manually connect to a wireless network.
# Enter a network name, set Security type and Encryption type, click Start this connection
automatically, and click Next.
# On the Security tab page, select Microsoft: Protected EAP (PEAP) from the drop-down
list below Choose a network authentication method and click Settings.
# Deselect Verify the server's identity by validating the certificate, select Secured password
(EAP-MSCHAP v2) from the drop-down list below Select Authentication Method, and click
Configure.
# On the 802.1X settings tab page, select User authentication from the drop-down list
below Specify authentication mode and click OK.
# Click OK.
# After the connection is normal, check the obtained IP address. Normally, the IP address
is on the network segment 10.1.11.0/24.
# Check RADIUS logs. A log shows that the terminal goes online normally and matches the
preset authentication and authorization rules.
# Press Enter. The Portal page is displayed. Click Advanced, and then click Proceed to
xxx.xx.xx.xxx (unsafe).
# Specify the IP address of a local WAC and bind the VAP profile to the local WAC.
[WAC2-wlan-view] navi-ac
----End
#
portal-access-profile name HCIE
web-auth-server HCIE direct
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme HCIE
authentication-mode radius
accounting-scheme HCIE
accounting-mode radius
accounting realtime 1
local-aaa-user password policy administrator
domain default
authentication-scheme HCIE
accounting-scheme HCIE
radius-server HCIE
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 12
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.10.100 0.0.0.0
network 10.10.10.10 0.0.0.0
#
capwap source ip-address 10.10.10.10
#
wlan
security-profile name HCIE-Lab
security wpa2 dot1x aes
security-profile name HCIE-Interview
ssid-profile name HCIE-Lab
ssid HCIE-Lab
ssid-profile name HCIE-Interview
ssid HCIE-Interview
vap-profile name HCIE-Lab
forward-mode tunnel
service-vlan vlan-id 11
ssid-profile HCIE-Lab
security-profile HCIE-Lab
authentication-profile HCIE-Lab
vap-profile name HCIE-Interview
forward-mode tunnel
service-vlan vlan-id 12
ssid-profile HCIE-Interview
security-profile HCIE-Interview
authentication-profile HCIE-Interview
return
[Core-SW]
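The WAC configuration listed above ties each VAP profile to an SSID profile and a security profile, and the Portal SSID's security profile carries no security statement. The following added example (not part of the lab guide) builds an SSID inventory from such a listing and reports which SSIDs send client traffic unencrypted over the air; the function names are this example's own, and it assumes that a security profile without a `security` line uses the default open policy.

```python
import re

# Constructed sample: the wlan section of the WAC configuration listed above,
# re-indented the way a device prints it. The parser ignores indentation.
SAMPLE_CONFIG = """\
wlan
 security-profile name HCIE-Lab
  security wpa2 dot1x aes
 security-profile name HCIE-Interview
 ssid-profile name HCIE-Lab
  ssid HCIE-Lab
 ssid-profile name HCIE-Interview
  ssid HCIE-Interview
 vap-profile name HCIE-Lab
  forward-mode tunnel
  service-vlan vlan-id 11
  ssid-profile HCIE-Lab
  security-profile HCIE-Lab
  authentication-profile HCIE-Lab
 vap-profile name HCIE-Interview
  forward-mode tunnel
  service-vlan vlan-id 12
  ssid-profile HCIE-Interview
  security-profile HCIE-Interview
  authentication-profile HCIE-Interview
"""

TRACKED = ("security-profile", "ssid-profile", "vap-profile")
HEADER = re.compile(r"^(\S+) name (\S+)$")


def parse_wlan_profiles(config):
    """Collect the statements of every security, SSID and VAP profile by name."""
    profiles = {kind: {} for kind in TRACKED}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            kind, name = header.groups()
            # Any "<kind> name <x>" line opens a stanza; untracked kinds close the old one.
            current = profiles[kind].setdefault(name, {}) if kind in TRACKED else None
        elif line in ("", "#", "return"):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    return profiles


def ssid_inventory(config):
    """One row per VAP profile: SSID, service VLAN, air policy, authentication profile."""
    profiles = parse_wlan_profiles(config)
    rows = []
    for vap_name, vap in profiles["vap-profile"].items():
        ssid_prof = profiles["ssid-profile"].get(vap.get("ssid-profile"), {})
        sec_prof = profiles["security-profile"].get(vap.get("security-profile"), {})
        rows.append({
            "vap": vap_name,
            "ssid": ssid_prof.get("ssid", "(unknown)"),
            "service_vlan": vap.get("service-vlan", "").replace("vlan-id ", ""),
            # Assumption: no 'security' statement means the default open policy.
            "air_policy": sec_prof.get("security", "open"),
            "auth_profile": vap.get("authentication-profile", "(none)"),
        })
    return rows


def unencrypted_ssids(config):
    """SSIDs whose frames are not encrypted on the radio link."""
    return [row["ssid"] for row in ssid_inventory(config) if row["air_policy"] == "open"]


if __name__ == "__main__":
    for row in ssid_inventory(SAMPLE_CONFIG):
        print(row)
    print("unencrypted over the air:", unencrypted_ssids(SAMPLE_CONFIG))
```

For an SSID reported as open, access control rests entirely on the authentication profile bound to the VAP, so the inventory is worth reviewing alongside the Portal and ACL settings.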
6.1 Introduction
6.1.1 About This Lab
This lab provides guidance on configuring and commissioning WLAN IPv6 networking so
that you can understand how to deploy Huawei WLAN IPv6 networks.
6.1.2 Objectives
⚫ Understand WLAN IPv6 networking scenarios.
⚫ Understand the WLAN IPv6 dual-stack configuration.
⚫ Understand how to deploy WLAN IPv6 HSB.
Device   Interface  Link type  PVID  Allowed VLANs
Core-SW  GE0/0/1    Trunk      1     10, 11, and 12
Core-SW  GE0/0/2    Trunk      1     100, 11, and 12
Core-SW  GE0/0/3    Trunk      1     10, 11, 12, and 100
Core-SW  GE0/0/5    Trunk      1     10, 11, 12, and 100
Agg1     GE0/0/1    Trunk      1     10, 11, and 12
Agg1     GE0/0/2    Trunk      10    10, 11, and 12
Agg1     GE0/0/3    Trunk      10    10, 11, and 12
Agg2     GE0/0/1    Trunk      1     100, 11, and 12
Agg2     GE0/0/2    Trunk      100   100, 11, and 12
WAC1     GE0/0/1    Trunk      1     10, 11, 12, and 100
WAC2     GE0/0/1    Trunk      1     10, 11, 12, and 100
Device   Interface   IP address
Core-SW  VLANIF 10   10.1.10.1/24
Core-SW  VLANIF 11   10.1.11.1/24, FC01:110::1/64
Core-SW  VLANIF 12   10.1.12.1/24, FC01:120::1/64
Core-SW  VLANIF 99   10.1.99.1/30
WAC1     VLANIF 10   10.1.10.100/24
WAC2     VLANIF 10   10.1.10.101/24
AR1      GE0/0/1     10.1.99.2/30
         Loopback 2  FC01:2::1/64
<Huawei> system-view
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 12 99 100
# Configure the types for Core-SW's interfaces and the VLANs to which these
interfaces belong.
#
[Core-SW] interface GigabitEthernet 0/0/7
[Core-SW-GigabitEthernet0/0/7] port link-type access
[Core-SW-GigabitEthernet0/0/7] port default vlan 99
[Core-SW-GigabitEthernet0/0/7] quit
# Create VLANs on Agg1, and configure interface types and VLANs to which the
interfaces belong.
# Create VLANs on Agg2, and configure interface types and VLANs to which the
interfaces belong.
# Create VLANs on WAC1, and configure the type of its uplink interface and VLANs
to which the interface belongs.
# Create VLANs on WAC2, and configure the type of its uplink interface and VLANs
to which the interface belongs.
[Core-SW]
[Core-SW] ipv6
[Core-SW] interface Vlanif 99
[Core-SW-Vlanif99] ipv6 enable
[Core-SW-Vlanif99] ipv6 address FC01:99::1/64
[Core-SW-Vlanif99] quit
#
[Core-SW] interface Vlanif 100
[Core-SW-Vlanif100] ipv6 enable
[Core-SW-Vlanif100] ipv6 address FC01:100::1/64
[Core-SW-Vlanif100] quit
#
[Core-SW] interface Vlanif 11
[Core-SW-Vlanif11] ipv6 enable
[Core-SW-Vlanif11] ipv6 address FC01:110::1/64
[Core-SW-Vlanif11] quit
#
[Core-SW] interface Vlanif 12
[Core-SW-Vlanif12] ipv6 enable
[Core-SW-Vlanif12] ipv6 address FC01:120::1/64
[Core-SW-Vlanif12] quit
[WAC1] ipv6
[WAC1] interface Vlanif 100
[WAC1-Vlanif100] ipv6 enable
[WAC1-Vlanif100] ipv6 address FC01:100::100/64
[WAC1-Vlanif100] quit
[WAC2] ipv6
[WAC2] interface Vlanif 100
[WAC2-Vlanif100] ipv6 enable
[WAC2-Vlanif100] ipv6 address FC01:100::101/64
[WAC2-Vlanif100] quit
[AR1] ipv6
[AR1] interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1] ipv6 enable
[AR1-GigabitEthernet0/0/1] ipv6 address FC01:99::2/64
[AR1-GigabitEthernet0/0/1] quit
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.11.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.12.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.99.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.1.10.100 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
[WAC2] ospf 1
[WAC2-ospf-1] area 0
[WAC2-ospf-1-area-0.0.0.0] network 10.1.10.101 0.0.0.0
[WAC2-ospf-1-area-0.0.0.0] return
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
[Core-SW] ospfv3 1
[Core-SW-ospfv3-1] router-id 10.1.10.1
[Core-SW-ospfv3-1] quit
#
[Core-SW] int vlan 99
[Core-SW-Vlanif99] ospfv3 1 area 0
[Core-SW-Vlanif99] quit
[Core-SW]
#
[Core-SW] interface Vlanif 100
[Core-SW-Vlanif100] ospfv3 1 area 0
[Core-SW-Vlanif100] quit
#
[Core-SW] int vlan 11
[Core-SW-Vlanif11] ospfv3 1 area 0
[Core-SW-Vlanif11] quit
#
[Core-SW] int vlan 12
[WAC1] ospfv3
[WAC1-ospfv3-1] router-id 10.1.10.100
[WAC1-ospfv3-1] quit
#
[WAC1] interface Vlanif 100
[WAC1-Vlanif100] ospfv3 1 area 0
[WAC1-Vlanif100] quit
#
[WAC2] ospfv3
[WAC2-ospfv3-1] router-id 10.1.10.101
[WAC2-ospfv3-1] quit
#
[WAC2] interface Vlanif 100
[WAC2-Vlanif100] ospfv3 1 area 0
[WAC2-Vlanif100] quit
[AR1] ospfv3
[AR1-ospfv3-1] router-id 10.1.99.2
[AR1-ospfv3-1] quit
#
[AR1] interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1] ospfv3 1 area 0
[AR1-GigabitEthernet0/0/1] quit
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
[AR1] ospfv3
[AR1-ospfv3-1] default-route-advertise always
[AR1-ospfv3-1] quit
----------------------------------------------------------------------------
Total Peer(s): 3
<Core-SW>
#
<Core-SW>display ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID     Pri  State         Dead Time  Interface  Instance ID
10.1.99.2       1    Full/Backup   00:00:36   Vlanif99   0
10.1.10.100     1    Full/DROther  00:00:32   Vlanif100  0
10.1.10.101     1    Full/Backup   00:00:33   Vlanif100  0
<Core-SW>
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip FC01:100::100 peer-ip FC01:100::101 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit
[WAC1] hsb-group 0
[WAC1-hsb-group-0] quit
#
[WAC1] hsb-service-type ap hsb-group 0
[WAC1] hsb-service-type access-user hsb-group 0
[WAC1] hsb-service-type dhcp hsb-group 0
#
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface Vlanif 10
[WAC1-hsb-group-0] quit
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip FC01:100::101 peer-ip FC01:100::100 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit
[WAC2] hsb-group 0
[WAC2-hsb-group-0] quit
#
[WAC2] hsb-service-type ap hsb-group 0
[WAC2] hsb-service-type access-user hsb-group 0
[WAC2] hsb-service-type dhcp hsb-group 0
#
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] bind-service 0
Step 6 Configure configuration synchronization between the master and backup WACs.
# On WAC1, configure WAC1 as the master AC and specify the IP address of the local
WAC.
[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ipv6-address FC01:100::101 local-ip ipv6-address FC01:100::100 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 10
[WAC1-master-controller] quit
# On WAC2, configure WAC2 as the local AC and specify the IP address of the master
WAC.
[WAC2] wlan
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ipv6-address FC01:100::100 local-ip ipv6-address FC01:100::101 psk Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 10
[WAC2-master-controller] quit
Check the configuration synchronization between the master and local WACs.
[WAC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]: y
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name HCIE
[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
Check the AP status on WAC1. The IPv4 and IPv6 APs go online normally.
# Enable the function of processing STA IPv6 services. If this function is not enabled,
STAs cannot obtain IPv6 addresses.
[WAC1] aaa
[WAC1-aaa] authentication-scheme HCIE
[WAC1-aaa-authen-HCIE] authentication-mode local
[WAC1-aaa-authen-HCIE] quit
[WAC1] aaa
[WAC1-aaa] local-user hcie-wlan-lab password cipher Huawei@123
[WAC1-aaa] local-user hcie-wlan-lab privilege level 0
[WAC1-aaa] local-user hcie-wlan-lab service-type 8021x
[WAC1-aaa] quit
----End
After the PC connects to the WLAN, check IP addresses obtained by the PC. The
command output shows that the PC has obtained both IPv4 and IPv6 addresses.
Verify that the PC can access the egress device and services are normal.
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
[Core-SW]
#
return
<Agg2>
authentication-profile HCIE
regulatory-domain-profile name HCIE
ap-group name HCIE
regulatory-domain-profile HCIE
radio 0
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
radio 1
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
radio 2
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
ap-id 0 type-id 100 ap-mac 30fd-65f8-fd40 ap-sn 2102351TYR10L4004310
ap-name ap1
ap-group HCIE
ap-id 1 type-id 115 ap-mac f4de-af36-b300 ap-sn 2102352UBR10L6001295
ap-name ap2
ap-group HCIE
ap-id 2 type-id 43 ap-mac f02f-a75e-5740 ap-sn 21500826412SH1906275
ap-name ap3
ap-group HCIE
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif10
master-redundancy peer-ip ipv6-address FC01:100::101 local-ip ipv6-address FC01:100::100
psk %^%#Wd3B8m1P'/sm.S~SvI;4DsL(E"Wm0)Z\cILGEV3@%^%#
#
dot1x-access-profile name HCIE
#
return
<WAC1>
7.1 Introduction
7.1.1 About This Lab
With technology advances and industry digitalization, chain stores and small enterprise
branches alike require IT systems featuring high levels of information integration. However,
they generally lack professional IT maintenance personnel, so HQ personnel have to travel
to maintain IT systems onsite, resulting in high costs. For this reason, cloud management
has become a trend for small- and medium-sized campus networks. By deploying cloud-
managed APs, routers, switches, and firewalls, enterprises can quickly deploy and provision
services while reducing O&M costs and greatly improving management efficiency.
This lab provides instructions on configuring and commissioning CloudCampus networking
so that you can understand how to deploy the Huawei WLAN CloudCampus solution
(on-premises).
7.1.2 Objectives
⚫ Understand Huawei WLAN CloudCampus networking scenarios.
⚫ Understand the process of creating sites and onboarding devices.
⚫ Master how to deliver the IP address of iMaster NCE-Campus through DHCP Option
148.
⚫ Know how to configure AR services on the web pages of iMaster NCE-Campus.
⚫ Grasp how to configure AP services on the web pages of iMaster NCE-Campus.
⚫ Understand the WLAN CloudCampus networking configuration.
Step 1 Configure network connectivity and ensure that all devices can communicate with
iMaster NCE-Campus.
[Core-SW] netconf
[Core-SW-netconf] management-vlan 4090
[Core-SW-netconf] controller ip-address 172.21.59.102 port 10020
[Agg1] netconf
[Agg1-netconf] management-vlan 4090
[Agg1-netconf] controller ip-address 172.21.59.102 port 10020
[Agg2] netconf
[Agg2-netconf] management-vlan 4090
[Agg2-netconf] controller ip-address 172.21.59.102 port 10020
<Agg1>display esn
ESN of slot 0: 1019A0031371
<Agg2>display esn
ESN of slot 0: 210235859910H7000001
Step 3 On iMaster NCE-Campus, create a site and add devices to the site.
Log in to the O&M plane of iMaster NCE-Campus using a tenant account, create a site
named HQs, and add Core-SW and AR1 to the site.
# Choose Design > Site Management and click Create.
Set Site Name to HQs, select AR, LSW, and WAC for Device type, click By ESN, and enter
the device names and ESNs.
The version of the electronic label on WACs used in this lab is 4.0. Therefore, you need to
add WACs by model. Click By Model, enter WAC product information, and click OK.
Check the device status. It is found that the devices are onboarded and in normal state.
# Click the site to be configured, click the Device Group tab, select WAC Group, and click
Create.
# Enter the WAC group name and click Add to add a WAC group member.
Select WAC1 and WAC2, click the icon, and click OK.
Click OK.
After 1 to 2 minutes, the AP status becomes Normal, and their MAC addresses and states
are displayed.
----End
<AR2>display esn
ESN of device: 1002352RLG1980065092
<SW4>display esn
ESN of slot 0: 210235859910HA000031
Step 2 On iMaster NCE-Campus, create a site and add devices to the site.
Create a site named Branch and add devices.
# Choose Design > Site Management and click Create.
Set Site Name to Branch, select AP, AR, and LSW for Device type, click By ESN, enter the
device names and ESNs, and click OK.
# On iMaster NCE-Campus, check the onboarding status of devices.
----End
# On the LAN tab page, select Local Internet access and click Create.
# Enter the subnet name, VLAN ID, IP address, and mask, and click Create after you enable
DHCP.
Expand Advanced. Select cloud platform address(148) in Option and click Value. In the
dialog box that is displayed, enter the IP address and port number of iMaster NCE-Campus.
Specifically, change the information highlighted in the red frame to the IP address of
iMaster NCE-Campus. In this lab, enter 172.21.59.102. The following figure shows the final
result.
The complete value of Option 148 is as follows, which is for your reference:
agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-domain=192.168.4.104;agilemanage-port=10020;
# Click Submit and then OK.
# Log in to AR2 to check the configuration.
Check the configuration of VLANIF 1 on AR2. The command output shows that VLANIF 1
has been generated, its IP address is 192.168.10.1, interface-based DHCP has been enabled,
and Option 148 has been configured.
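Option 148 tells a device which controller to register with, so the value handed out by DHCP is worth checking against the planned iMaster NCE-Campus address. The following added example (not part of the lab guide) parses the string and compares it with the controller used in this lab, 172.21.59.102 port 10020; the function names are this example's own, and the field names and the agile-cloud value are taken from the reference string above.

```python
import ipaddress

# Fields present in the Option 148 string printed in the lab guide.
REQUIRED_KEYS = ("agilemode", "agilemanage-mode",
                 "agilemanage-domain", "agilemanage-port")

# Reference value as printed in the guide (controller 192.168.4.104).
PAGE_REFERENCE_VALUE = ("agilemode=agile-cloud;agilemanage-mode=domain;"
                        "agilemanage-domain=192.168.4.104;agilemanage-port=10020;")
# Constructed: the same string edited for this lab's controller.
LAB_VALUE = PAGE_REFERENCE_VALUE.replace("192.168.4.104", "172.21.59.102")


def parse_option148(value):
    """Split 'key=value;key=value;' into a dict; reject malformed or duplicate fields."""
    fields = {}
    for item in value.strip().split(";"):
        item = item.strip()
        if not item:
            continue  # the trailing ';' leaves an empty last element
        key, sep, val = (part.strip() for part in item.partition("="))
        if not sep or not key or not val:
            raise ValueError(f"malformed field: {item!r}")
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = val
    return fields


def _same_host(a, b):
    """Compare as IP addresses when both parse, otherwise as case-insensitive names."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()


def check_option148(value, expected_host, expected_port):
    """Return a list of findings; an empty list means the value matches the plan."""
    try:
        fields = parse_option148(value)
    except ValueError as exc:
        return [str(exc)]
    findings = [f"missing field: {k}" for k in REQUIRED_KEYS if k not in fields]
    mode = fields.get("agilemode")
    if mode is not None and mode != "agile-cloud":
        findings.append(f"agilemode is {mode}, expected agile-cloud")
    host = fields.get("agilemanage-domain")
    if host is not None and not _same_host(host, expected_host):
        findings.append(f"controller address {host} does not match expected {expected_host}")
    port = fields.get("agilemanage-port")
    if port is not None:
        if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
            findings.append(f"invalid port: {port}")
        elif int(port) != expected_port:
            findings.append(f"controller port {port} does not match expected {expected_port}")
    return findings


if __name__ == "__main__":
    for label, value in (("reference", PAGE_REFERENCE_VALUE), ("lab", LAB_VALUE)):
        print(label, check_option148(value, "172.21.59.102", 10020) or "OK")
```

Run against the reference string unchanged, the check reports the 192.168.4.104 address, which is the field the guide says to replace with the lab controller's address.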
# Set both Default VLAN and Allowed VLAN to 1, so that the AP can obtain the IP address
of VLANIF 1.
By default, GE0/0/2 allows packets from VLAN 1 to pass through, and its PVID is VLAN 1.
The command output shows that apart from a gateway IP entry, there is an ARP entry with
the interface being GE0/0/2, indicating that a downlink device has obtained an IP address.
Based on the AP's MAC address (f4de-af36-b3c0), it can be determined that AP6 has
obtained the IP address.
# Set ACL parameters. Click IPv4, enter the name, set the ACL type to Advanced, click Add,
and set Source IP Address to 192.168.10.0/24 (network segment where AP6 is located).
Click √ and then click OK.
Note that the ACL number must be greater than 3100.
Choose AR > Network. In the NAT configuration area, click Create to create a NAT rule.
Select GE0/0/1 (WAN interface on AR2 in this lab) from the drop-down list box marked 1
and click the area marked 2. In the dialog box that is displayed, select the created ACL
template and click OK.
The command output shows that the source NAT configuration has been delivered to
GE0/0/1.
# Check the connectivity between 192.168.10.0/24 and iMaster NCE-Campus.
<AR2>
The command output shows that connectivity between 192.168.10.0/24 and iMaster NCE-
Campus is normal.
<Huawei> system-view
[Huawei] ap-mode-switch cloud
If the AP works in non-cloud mode, you need to switch the AP to the cloud mode first.
After such switching, the AP restarts.
In this lab, the AirEngine 5760-50 works in cloud mode by default. You do not need to
switch the AP working mode.
# On iMaster NCE-Campus, add AP6 to the Branch site.
Choose Design > Device Management. On the page that is displayed, choose Branch > Add
Device > Add.
# Add AP6.
Set Protocol type to NETCONF protocol. For Huawei devices that adapt to the
CloudCampus solution, set Protocol type to NETCONF protocol. For other devices (or third-
party devices), set Protocol type to SNMP protocol. Then, add AP6 using the ESN by setting
Name to AP6.
# Check whether AP6 is online.
On the device management page, you can see that AP6 has gone online.
----End
# Configure basic SSID parameters. Set SSID Name to HCIE-Guest, Effective radio to All,
and Network connection mode to Layer 2 forwarding. Set VLAN ID to 100.
Click Submit and then Next.
The VLAN ID configured here is the ID of the VLAN to which STAs belong, that is, the VLAN
specified by the service-vlan vlan-id command in the VAP profile on the WAC. In this lab,
the VLAN ID is set to 100. When STAs connect to AP6, AP6 adds a VLAN 100 tag to the
data frames of STAs and sends the tagged data frames through the uplink interface.
Therefore, you need to configure the LAN interface on AR2 (that is, GE0/0/1 in this lab) to
allow packets from VLAN 100 to pass through. In addition, a DHCP address pool is
configured on AR2 to assign IP addresses to STAs in VLAN 100.
# Configure SSID security authentication. Configure as follows:
Set Authentication mode to Open network. That is, use the Portal authentication mode.
Enable Push pages (Portal authentication). Then, new configuration items are displayed.
Set Page pushing mode to Built-in authentication by cloud platform.
Set Push page to Default User Name and Password Authentication Page.
Disable Self-registration. This means that users are not allowed to register new accounts
for authentication. Only existing accounts can be used for authentication.
Enable Portal authentication-free. That is, retain the default authentication-free validity
period.
In Default permit rule, select the created user ACL, that is, DNS.
Select Bypass policy and retain the default setting User access is allowed, without
authentication.
After the preceding configuration is complete, click Next.
The web page shows that the created SSID has been enabled on the radios of AP6.
# Verify the configuration using a STA.
On a STA, you can find the wireless signal with the SSID being HCIE-Guest sent by AP6.
# Configure basic SSID parameters. Set SSID Name to HCIE-EM. Retain the default settings
for Effective radio and Network connection mode (that is, Layer 2 forwarding).
# On a STA, you can find the wireless signal with the SSID being HCIE-EM advertised by
AP6.
# Configure the LAN interface on AR2 to allow packets from VLANs 100 and 200 to pass
through.
# Choose Provision > Site Configuration, select the Branch site, choose AR > Interface >
Customized, select LAN interface 2, and add VLAN 100 and VLAN 200 to Allowed VLAN.
Choose AR > Network, click LAN, and create a DHCP address pool. Set the parameters
according to the preceding figure. The VLAN IDs must be 100 and 200. The IP address and
mask can be customized. Then, click OK.
Choose Design > Template Management > Policy Template, click the created ACL NAT,
click the modification icon, and add an ACL rule. To add the ACL rule, you only need to set
the source IP address range to the address segment assigned to STAs. In this lab, the source
IP address range is 192.168.100.0/24 and 192.168.200.0/24. Then, click OK.
# Verify the configuration on AR2.
undo portswitch
nat outbound 3101
zone untrust
ip address dhcp-alloc
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
The command output shows that VLANIF 100 and VLANIF 200 are created, the interface-
based DHCP address pools are enabled, and LAN interface GE0/0/1 allows packets from
VLAN 100 and VLAN 200 to pass through.
[AR2]
# Create a wireless user for Portal authentication. Click the newly created user group
Branch-Guest on the left, and then click Create on the right.
Create a user named huawei01 and set the password to Huawei@123. Then, deselect
Change password upon next login; otherwise, the user needs to manually change the
password after the first login. In this lab, the user uses a public account, which is only used
to demonstrate the Portal authentication effect. Therefore, you do not need to enable
Change password upon next login. In practice, if each user has an independent account,
you are advised to enable Change password upon next login.
# Create a wireless user for 802.1X authentication. Click the newly created user group
Branch-EM on the left, and then click Create on the right.
Create a user named huawei02 and set the password to Huawei@123. Then, disable
Change password upon next login.
Enter any IP address in the address box of the browser and verify that the Portal
authentication page can be displayed normally.
If a page similar to the following is displayed, the Portal authentication page is displayed
normally.
Configure a static DNS resolution record to resolve the domain name www.HCIE-
WLAN.com to the IP address 1.1.1.1. This domain name is used only for testing Portal
authentication through the domain name in the browser.
# Test DNS resolution on a STA.
C:\Users\admin>nslookup www.HCIE-WLAN.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.100.1
C:\Users\admin>
In the cmd window of the STA, run the nslookup command to resolve the DNS address.
www.HCIE-WLAN.com can be resolved successfully.
# Verify the network connectivity of the STA before authentication.
C:\Users\admin>ping 20.1.1.1
C:\Users\admin>
#
C:\Users\admin>ping 192.168.100.1
C:\Users\admin>
The command output shows that the STA cannot communicate with the IP address 20.1.1.1
or its gateway (192.168.100.1). That is, the STA does not have the right to access the
network before authentication succeeds.
# Verify that the Portal authentication page can be displayed through the domain name
mode.
Enter www.HCIE-WLAN.com in the address box of the browser and press Enter.
On the page that is displayed, enter the user name (huawei01) and password
(Huawei@123).
C:\Users\admin>ping 20.1.1.1
C:\Users\admin>
After Portal authentication succeeds, the STA can access the network.
C:\Users\admin>ipconfig
The command output shows that the STA has obtained the IP address 192.168.200.224.
This IP address is assigned from the address pool on VLANIF 200.
# Test the connectivity of the STA with the external network.
C:\Users\admin>ping 20.1.1.1
C:\Users\admin>
8.1 Introduction
8.1.1 About This Lab
This lab introduces the process and steps of WLAN planning and design so that you can
understand Huawei WLAN planning scenarios.
8.1.2 Objectives
⚫ Understand how to plan an indoor WLAN network.
⚫ Understand how to plan an outdoor WLAN network.
Streaming media (1080p)  16  12  13%
Electronic whiteboard    32  16  5%
Email                    32  16  5%
File transfer            32  16  5%
Item                           Result
Coverage capacity description  100 users in each office area, two terminals per user, 70% concurrency rate
                               30 users in each meeting room, two terminals per user, 50% concurrency rate
                               100 users in each activity area, one terminal per user, 60% concurrency rate
                               6 users in each of other areas, one terminal per user, 50% concurrency
Building information: Switches can be placed in the utility room or equipment rooms.
The floor height is 2.6 m. The activity area has an atrium over 15 m high and therefore does not support ceiling mounting.
Installation environment preparation: Property entry: Approved
⚫ Deploy switches.
⚫ Lay out cables.
⚫ Perform signal simulation.
⚫ Adjust the AP positions and repeatedly perform signal simulation until the signal
coverage is complete.
⚫ Export the network planning report.
Item Result
Step 2 Select WLAN device models and calculate the number of APs.
The customer requires 802.11ax compliance and a per-user bandwidth of 16 Mbps.
Assume that the number of users in an office area is 100, each user has two terminals (one
terminal per user in the activity area), and the concurrency rate is 70%. In this case, the
number of terminals in an office area is calculated as follows:
Total number of terminals in an office area = 100 x 2 x 70% = 140
# Read the security management regulations on customer network data and click Confirm.
# Select a WLAN scenario. For this project, select Office and click Next.
# You can specify a built-in network construction standard as required. For this project,
select Other and click OK.
Set the environment and regions based on the customer requirement collection table and
site survey information.
# Set the scale.
# The floor plan width is 50 m. Select any position on the floor plan and draw a line from
left to right.
#
# Because only one floor is involved in this project, select Current Floor and click Next.
# Select the required AP model. This project uses the AirEngine 5760-51.
# Set channels.
Adjust AP parameters.
# Right-click an AP in the activity area and choose Property from the shortcut menu. (You
can drag-select all APs and right-click them for the setting). The AP Attributes page is
displayed.
# Set AP parameters. In the activity area, APs cannot be deployed on the ceiling. Instead,
they are mounted on the wall at a height of 2.4 m. Configure the APs to work in triple-
radio mode with the RTU license loaded. Retain the default values for other parameters.
The configurations of other APs in the activity area are the same and are not mentioned
here.
# Right-click APs in other areas and choose Property from the shortcut menu. (You can
drag-select all APs and right-click them for the setting). The AP Attributes page is displayed.
Set AP parameters. APs in other areas are mounted on the T-rails of the ceiling at a height
of 3 m. Configure the APs to work in triple-radio mode with the RTU license loaded. Retain
the default values for other parameters. The configurations of other APs are the same and
are not mentioned here.
# Deploy the switches at the planned positions. Based on site survey information, the
switches can be deployed in the equipment room or utility room. To shorten cables, deploy
one switch in the equipment room and the other in the utility room.
# Check the signal strength in key coverage areas, that is, areas that require a signal
strength higher than –65 dBm. If an area has no color, its signal strength is lower than
–65 dBm.
# Focus on the signal coverage in the office areas and activity area.
# Check the signal strength in common coverage areas, that is, areas that require a signal
strength higher than –70 dBm. If an area has no color, its signal strength is lower than
–70 dBm.
If the signal coverage is poor, adjust the number and positions of APs repeatedly to ensure
normal signal simulation.
Check whether there are areas with poor signal coverage.
# Check whether there is any problem. Confirm any warning items. If there is no problem,
export the network planning report.
----End
WLAN Planning Report_HCIE-WLAN.docx
Bill of Materials_HCIE-WLAN.xls