Hcie-wlan v1.0 Lab Guide

Huawei WLAN Certification Training
HCIE-WLAN Certification Training

Lab Guide
ISSUE:1.0
HUAWEI TECHNOLOGIES CO., LTD.
1
Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co.,Ltd
HCIE-WLAN Certification Training Lab Guide Page 1
Huawei Certificate System
Huawei Certification follows the "platform + ecosystem" development strategy,

which is a new collaborative architecture of ICT infrastructure based on "Cloud-Pipe-
Terminal". Huawei has set up a complete certification system consisting of two
categories: ICT infrastructure, Cloud Service and Platform, and grants Huawei
certification the only all-range technical certification in the industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
HCIE-WLAN is designed for Huawei local offices, online engineers in representative

offices, and readers who want to understand Huawei WLAN products and technology.
HCIE-WLAN covers Huawei WLAN traditional technologies, advanced technologies, new
solutions, network planning and optimization, and troubleshooting.
The HCIE-WLAN certification system introduces you to the industry and market,
helps you in innovation, and enables you to stand atop the WLAN frontiers.
About This Document
Overview
This document is applicable to the candidates who are preparing for the HCIE-WLAN exam
and the readers who want to understand WLAN technologies, including Huawei WLAN
solution, WLAN advanced technologies, WLAN network planning and optimization, and
WLAN fault troubleshooting.
Description
This lab guide introduces the following eight lab designs, covering the common WLAN
networking, special networking, high reliability, roaming, radio resource management
(RRM), multicast, security, WLAN IPv6, CloudCampus, and WLAN planning and design.
⚫ Lab 1: WLAN networking. This lab provides instructions on complex networking
configuration and commissioning so that you can understand how to deploy Huawei
WLANs in various networking scenarios.
⚫ Lab 2: WLAN high reliability. This lab provides instructions on configuring VRRP HSB,
dual-link HSB, N+1 backup, wireless configuration synchronization, CAPWAP link
failover, and WAN authentication bypass so that you can understand how to deploy
WLAN high reliability solutions.
⚫ Lab 3: WLAN roaming and QoS. This lab provides instructions on deploying inter-
WAC Layer 3 roaming, fast roaming, smart roaming, and QoS so that you can
understand WLAN roaming and QoS solutions.
⚫ Lab 4: WLAN radio calibration and network optimization. This lab provides
instructions on optimizing the WLAN network, improving network quality, and
enhancing user experience so that you can understand the contents, standards, and
implementation methods of network optimization.
⚫ Lab 5: WLAN security. This lab provides instructions on deploying security features
such as RADIUS authentication, HWTACACS, WIDS, and WIPS so that you can
understand WLAN security solution deployment.
⚫ La 6: WLAN IPv6 campus network solution deployment. This lab provides instructions
on deploying dual-stack terminals, IPv6 802.1X authentication, and dual-stack APs so
that you can understand IPv6 technologies in the WLAN IPv6 campus network
solution.
⚫ Lab 7: CloudCampus solution deployment. This lab introduces CloudCampus VXLAN
and SDN networking scenarios, helping you understand the WLAN cloud
management network solution.
⚫ Lab 8: WLAN planning and optimization. This lab provides instructions on designing
a WLAN network so that you can understand how to use the network planning tool
and learn network planning details.
Background Knowledge Required

This course is for Huawei's certification. To complete this course, you need to:
⚫ Have advanced knowledge about WLAN and basic datacom knowledge.
⚫ Know how to configure Huawei software and hardware devices, including routers,
switches, WACs, and iMaster-NCE Campus.
⚫ Be familiar with the WLAN project operation process and common tools.
Common Icons
Experiment Environment Overview

Networking Introduction
This experiment environment is prepared for WLAN engineers who are preparing for the
HCIE-WLAN exam.
Each suite of experiment environment includes 3 WACs, 6 APs, 1 core switch, and 3 access
switches, and 1 physical server. Each suite of experiment environment is applicable to one
group of candidates.
Device Introduction
The following table lists devices recommended for HCIE-WLAN experiments and the
mappings between the device name, model, and software version.
Device Name Model Software Version
CloudEngine S5731-
Core switch S5700 V200R020C00SPC300
H24P4XC
Device Name Model Software Version
AirEngine 9700
WAC AirEngine 9700-M
V200R020C00SPC200
AirEngine 5700
AP AirEngine 5760-51
V200R020C00SPC200
RADIUS server and

iMaster NCE-Campus iMaster NCE-Campus V300R020C00
NMS
Experiment Environment Preparation

Checking Whether All Devices Are Available
Before carrying out labs, make sure that all required devices are ready and allow for proper
logins. The following table lists the devices.
Device Name Quantity Remarks
iMaster NCE-Campus 1 Shared by all groups
iMaster NCE-CampusInsight 1 Shared by all groups
Core switch 4 Shared by all groups
AirEngine 9700-M 3 for each group
AirEngine 5760-51 6 for each group
Laptop 3 for each group

Experiment Topology
Contents
About This Document .......................................................................................................................... 3

Overview ............................................................................................................................................................................................. 3
Description ......................................................................................................................................................................................... 3
Background Knowledge Required ............................................................................................................................................. 4
Common Icons .................................................................................................................................................................................. 4
Experiment Environment Overview .......................................................................................................................................... 4
Experiment Environment Preparation ...................................................................................................................................... 5
1 WLAN Networking Lab .................................................................................................................. 11
1.1 Introduction ..............................................................................................................................................................................11
1.1.1 About This Lab .....................................................................................................................................................................11
1.1.2 Objectives ..............................................................................................................................................................................11
1.1.3 Networking and Service Description ............................................................................................................................12
1.1.4 Networking Design .............................................................................................................................................................12
1.2 Configuration Procedure ......................................................................................................................................................15
1.2.1 Configuration Roadmap ...................................................................................................................................................15
1.2.2 Configuration Steps............................................................................................................................................................15
1.3 Reference Configuration ......................................................................................................................................................36
1.3.1 Core-SW Configuration .....................................................................................................................................................36
1.3.2 Agg1 Configuration ............................................................................................................................................................37
1.3.4 WAC1 Configuration ..........................................................................................................................................................38
1.3.5 AR1 Configuration ..............................................................................................................................................................41
1.3.7 SW4 Configuration .............................................................................................................................................................42
2 WLAN High Reliability Solution Lab ........................................................................................... 44
2.1 Introduction ..............................................................................................................................................................................44
2.1.1 About This Lab .....................................................................................................................................................................44
2.1.2 Objectives ..............................................................................................................................................................................44
2.3 Verification ................................................................................................................................................................................66
2.3.1 Simulating a Fault on WAC1 ..........................................................................................................................................66

2.3.2 Simulating a Fault on WAC2 ..........................................................................................................................................66
2.4 Reference Configuration ......................................................................................................................................................67
2.4.1 Core-SW Configuration .....................................................................................................................................................67
3 WLAN Roaming & QoS Solution Lab ......................................................................................... 78
3.1 Introduction ..............................................................................................................................................................................78
3.1.1 About This Lab .....................................................................................................................................................................78
1.1.1 Objectives ..............................................................................................................................................................................78
3.3 Reference Configuration ................................................................................................................................................... 101
3.3.1 Core-SW Configuration .................................................................................................................................................. 101
3.3.2 AR1 Configuration ........................................................................................................................................................... 103
3.3.3 WAC1 Configuration ....................................................................................................................................................... 103
3.3.5 Agg1 Configuration ......................................................................................................................................................... 107
4 WLAN Optimization Lab ............................................................................................................. 109
4.1 Introduction ........................................................................................................................................................................... 109
4.1.1 About This Lab .................................................................................................................................................................. 109
4.1.2 Objectives ........................................................................................................................................................................... 109
4.1.3 Networking and Service Description ......................................................................................................................... 110
4.1.4 Networking Design .......................................................................................................................................................... 110
4.2 Configuration Procedure ................................................................................................................................................... 112
4.2.1 Configuration Roadmap ................................................................................................................................................ 112
4.2.2 Configuration Steps......................................................................................................................................................... 112
4.3 Configuration Verification ................................................................................................................................................ 127
4.3.1 Checking the Configuration of the 2G Radio Profile .......................................................................................... 127
4.3.2 Checking the Configuration of the 5G Radio Profile .......................................................................................... 128
4.3.3 Checking RRM Profile Information ............................................................................................................................ 129

5 WLAN Security Lab ....................................................................................................................... 137
5.1 Introduction ........................................................................................................................................................................... 137
5.1.1 About This Lab .................................................................................................................................................................. 137
5.1.2 Objectives ........................................................................................................................................................................... 137
6 WLAN IPv6 Solution Lab ............................................................................................................. 192
6.1 Introduction ........................................................................................................................................................................... 192
6.1.1 About This Lab .................................................................................................................................................................. 192
6.1.2 Objectives ........................................................................................................................................................................... 192
6.3.1 STAs Can Access the Egress Device After Connecting to the WLAN ............................................................ 212

7 WLAN CloudCampus Solution Deployment Lab .................................................................. 224
7.1 Introduction ........................................................................................................................................................................... 224
7.1.1 About This Lab .................................................................................................................................................................. 224
7.1.2 Objectives ........................................................................................................................................................................... 224
7.3.1 Verifying Portal Authentication .................................................................................................................................. 261
7.3.2 Verifying 802.1X Authentication ................................................................................................................................. 266
8 WLAN Network Planning and Design Lab ............................................................................. 269
8.1 Introduction ........................................................................................................................................................................... 269
8.1.1 About This Lab .................................................................................................................................................................. 269
8.1.2 Objectives ........................................................................................................................................................................... 269
8.3.1 Network Planning Report ............................................................................................................................................. 310
8.3.2 Bill of Materials ................................................................................................................................................................ 310
1 WLAN Networking Lab
1.1 Introduction
1.1.1 About This Lab
This lab provides instructions on configuring and commissioning comprehensive WLAN
scenarios so that you can understand how to deploy Huawei WLANs in different
networking scenarios.
1.1.2 Objectives
Upon completion of this task, you will be able to:
⚫ Understand Huawei WLAN networking scenarios.
⚫ Understand the WLAN Layer 3 networking configuration.
⚫ Understand the WLAN mesh networking configuration.
⚫ Master how to remotely bring APs online.
1.1.3 Networking and Service Description
Figure 1-1 WLAN networking topology
1.1.4 Networking Design

In the lab, Agg1, Agg2, and SW4 are PoE switches, Core-SW is the core switch, and AR1 is
the egress router that connects to another campus network.
AP3, AP4, and AP5 form a mesh network. PC2 can access another campus network through
AP5.
WAC1 remotely manages AP6.
Table 1-1 VLAN port types and parameters
Device Port Port Type VLAN Settings
PVID: 1
GE0/0/1 Trunk
Allow-pass: VLANs 10, 11, 12, 13, and 14
Core-SW
PVID: 1
GE0/0/2 Trunk
PVID: 1
GE0/0/3 Trunk
PVID: 1
WAC1 GE0/0/1 Trunk
Allow-pass: VLAN 10
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
Agg2
PVID: 10
GE0/0/2 Trunk
GE0/0/1 Access PVID: 200
SW4
PVID: 100
GE0/0/2 Trunk
Allow-pass: VLAN 100 110 120
Table 1-2 IP address plan
Device Interface IP Address
VLANIF 10 10.1.10.1/24
VLANIF 11 10.1.11.1/24
Core-SW
VLANIF 12 10.1.12.1/24
VLANIF 13 10.1.13.1/24
VLANIF 14 10.1.14.1/24
VLANIF 99 10.1.99.1/30
VLANIF 10 10.1.10.254/24
WAC1 Loopback 0 10.10.10.10/32
Tunnel0/0/0 192.168.12.1/24
GE0/0/1 10.1.99.2/30
AR1
GE0/0/2 20.1.1.1/30
GE0/0/1 20.1.1.2/30
AR2 GE0/0/2 10.1.200.1/30
Tunnel0/0/0 192.168.12.2/24
VLANIF 200 10.1.200.2/30
VLANIF 100 192.168.100.1/24

SW4
VLANIF 110 192.168.110.1/24
VLANIF 120 192.168.120.1/24
Table 1-3 WLAN service parameter design
WLAN Service Parameter
Forwarding mode Direct forwarding
Management VLAN 10
VLAN pool: HCIE-Lab, containing VLANs 11 and 12

Service VLAN
VLAN pool: HCIE-Interview, containing VLANs 13 and 14
WAC's source interface 10.10.10.10
HCIE
AP group
HCIE-Mesh
HCIE-Lab
VAP profile
HCIE-Interview
HCIE-Lab
Security profile
HCIE-Interview
HCIE-Lab
SSID profile
HCIE-Interview
1.2 Configuration Procedure

1.2.1 Configuration Roadmap
⚫ Configure basic network connectivity to ensure Layer 2 and Layer 3 connectivity
between devices.
⚫ Configure the APs at the HQ to go online.
⚫ Configure the mesh network at the HQ.
⚫ Configure WLAN service parameters.
⚫ Test WLAN services at the HQ.
⚫ Configure the branch to communicate with the HQ.
⚫ Configure APs at the branch to go online on the WAC at the HQ.
⚫ Test WLAN services at the branch.
1.2.2 Configuration Steps

Step 1 Configure the Layer 2 network.
Configure switches, create VLANs, and configure switch interfaces.
# Create VLANs 10 to 14 and VLAN 99 on Core-SW.
<Huawei>sys
[Huawei] sysname Core-SW
[Core-SW] vlan batch 10 to 14 99
# Configure the types for Core-SW's interfaces and the VLANs to which these interfaces
belong.
[Core-SW] interface GigabitEthernet 0/0/1

[Core-SW-GigabitEthernet0/0/1] port link-type trunk
[Core-SW-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 to 14
[Core-SW-GigabitEthernet0/0/1] quit
#
#
#
[Core-SW-GigabitEthernet0/0/7] port link-type access
[Core-SW-GigabitEthernet0/0/7] port default vlan 99
# Create VLANs on Agg1, and configure interface types and VLANs to which the interfaces
belong.
[Huawei] sysname Agg1

[Agg1] vlan batch 10 to 14
[Agg1] interface GigabitEthernet 0/0/1
[Agg1-GigabitEthernet0/0/1] port link-type trunk
[Agg1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 to 14
[Agg1-GigabitEthernet0/0/1] quit
#
[Agg1-GigabitEthernet0/0/2] port trunk pvid vlan 10
#
belong.


#
# Create VLANs on SW4, and configure interface types and VLANs to which the interfaces
belong.
[Huawei] sysname SW4

[SW4] vlan batch 100 110 120 200
[SW4] interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1] port link-type access
[SW4-GigabitEthernet0/0/1] port default vlan 200
[SW4-GigabitEthernet0/0/1] quit
#
[SW4] interface GigabitEthernet 0/0/2
[SW4-GigabitEthernet0/0/2] port link-type trunk
[SW4-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SW4-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[SW4-GigabitEthernet0/0/2] quit
# Create a VLAN on WAC1, and configure the type of its uplink interface and the VLAN to
which the interface belongs.
[Huawei] sysname WAC1

[WAC1] vlan 10
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[WAC1-GigabitEthernet0/0/1] quit
Step 2 Configure IP addresses.

Configure IP addresses for devices.
# Configure IP addresses for interfaces on Core-SW.
[Core-SW] interface Vlanif 10

[Core-SW-Vlanif10] ip address 10.1.10.1 24
[Core-SW-Vlanif10] quit
#
#
#

#
#
# Check the IP addresses on Core-SW.
[Core-SW] display ip interface brief

*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol

Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif13 10.1.13.1/24 up up
Vlanif14 10.1.14.1/24 up up
Vlanif99 10.1.99.1/30 up up
[Core-SW]
# Configure IP addresses for interfaces on WAC1.
[WAC1] interface Vlanif 10

[WAC1-Vlanif10] ip address 10.1.10.254 24
[WAC1-Vlanif10] quit
#
[WAC1] interface LoopBack 0
[WAC1-LoopBack0] ip address 10.10.10.10 32
[WAC1-LoopBack0] quit
# Check the IP addresses on WAC1.
<WAC1>display ip interface brief

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down


LoopBack0 10.10.10.10/32 up up(s)
Vlanif10 10.1.10.254/24 up up
<WAC1>
# Configure IP addresses for interfaces on AR1.
[AR1] interface GigabitEthernet 0/0/1

[AR1-GigabitEthernet0/0/1] undo portswitch
[AR1-GigabitEthernet0/0/1] ip address 10.1.99.2 30
[AR1-GigabitEthernet0/0/1] quit
#
# Check the IP addresses on AR1.
<AR1> display ip interface brief

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

GigabitEthernet0/0/1 10.1.99.2/30 up up
<AR1>

#
# Check the IP addresses on AR2.

<AR2> display ip interface brief

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

<AR2>
# Configure IP addresses for interfaces on SW4.
[SW4] interface Vlanif 200

[SW4-Vlanif200] ip address 10.1.200.2 30
[SW4-Vlanif200] quit
#
#
#
# Check the IP addresses on SW4.
[SW4] display ip interface brief

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

Vlanif100 192.168.100.1/24 up up
Vlanif110 192.168.110.1/24 up up
Vlanif120 192.168.120.1/24 up up
Vlanif200 10.1.200.2/30 up up
[SW4]
Step 3 Configure routes.

Configure a dynamic routing protocol to implement intranet connectivity. This solution
uses the OSPF protocol.
# Configure OSPF on Core-SW to advertise local network segments.
[Core-SW] ospf 1
[Core-SW-ospf-1] area 0
[Core-SW-ospf-1-area-0.0.0.0] network 10.1.10.1 0.0.0.0
[Core-SW-ospf-1-area-0.0.0.0] return
<Core-SW>
# Configure OSPF on WAC1 to advertise the local network segment.
[WAC1] ospf 1
[WAC1-ospf-1] area 0
[WAC1-ospf-1-area-0.0.0.0] network 10.10.10.10 0.0.0.0
[WAC1-ospf-1-area-0.0.0.0] return
<WAC1>
# Configure OSPF on AR1 to advertise the local network segment.
[AR1] ospf 1
[AR1-ospf-1] area 0
[AR1-ospf-1-area-0.0.0.0] network 10.1.99.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0] return
<AR1>
Deliver the default route so that intranet terminals can access the Internet.
# Deliver the default route on AR1.
[AR1-ospf-1] default-route-advertise always

[AR1-ospf-1] quit
[AR1]
Step 4 Check the routing tables on WAC1 and Core-SW.

Check the routing tables on the devices to ensure that the devices have learned the default
routes and that intranet terminals can access the extranet through the gateway.
# Check the routing table on WAC1.
<WAC1>display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------------------
Routing Tables: Public
Destinations: 17 Routes: 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 150 1 D 10.1.10.1 Vlanif10

10.1.10.0/24 Direct 0 0 D 10.1.10.254 Vlanif10
10.1.10.254/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.10.255/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.11.0/24 OSPF 10 2 D 10.1.10.1 Vlanif10
10.1.12.0/24 OSPF 10 2 D 10.1.10.1 Vlanif10
10.1.13.0/24 OSPF 10 2 D 10.1.10.1 Vlanif10
10.1.14.0/24 OSPF 10 2 D 10.1.10.1 Vlanif10
10.1.99.0/30 OSPF 10 2 D 10.1.10.1 Vlanif10
10.10.10.10/32 Direct 0 0 D 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
<WAC1>
# Check the routing table on Core-SW.
<Core-SW>display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------
Routing Tables: Public
Destinations: 16 Routes: 16
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 150 1 D 10.1.100.2 Vlanif100

10.1.10.0/24 Direct 0 0 D 10.1.10.1 Vlanif10
10.1.10.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.11.0/24 Direct 0 0 D 10.1.11.1 Vlanif11
10.1.11.1/32 Direct 0 0 D 127.0.0.1 Vlanif11
10.1.12.0/24 Direct 0 0 D 10.1.12.1 Vlanif12
10.1.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif12
10.1.13.0/24 Direct 0 0 D 10.1.13.1 Vlanif13
10.1.13.1/32 Direct 0 0 D 127.0.0.1 Vlanif13
10.1.14.0/24 Direct 0 0 D 10.1.14.1 Vlanif14
10.1.14.1/32 Direct 0 0 D 127.0.0.1 Vlanif14
10.1.99.0/30 Direct 0 0 D 10.1.99.1 Vlanif100
10.1.99.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.10.10.10/32 OSPF 10 1 D 10.1.10.254 Vlanif10
<Core-SW>
Step 5 Configure the APs at the HQ to go online.

Create DHCP address pools.
# Create a DHCP address pool for APs on Core-SW.
[Core-SW] dhcp enable

[Core-SW] ip pool AP
[Core-SW-ip-pool-ap] network 10.1.10.0 mask 24
[Core-SW-ip-pool-ap] gateway-list 10.1.10.1
[Core-SW-ip-pool-ap] excluded-ip-address 10.1.10.254
[Core-SW-ip-pool-ap] option 43 sub-option 3 ascii 10.10.10.10
[Core-SW-ip-pool-ap] quit
# Create DHCP address pools for HCIE-Lab on Core-SW.
[Core-SW] ip pool lab1

[Core-SW-ip-pool-lab1] network 10.1.11.0 mask 24
[Core-SW-ip-pool-lab1] gateway-list 10.1.11.1
[Core-SW-ip-pool-lab1] quit
#
# Create DHCP address pools for HCIE-Interview on Core-SW.
[Core-SW] ip pool interview1

[Core-SW-ip-pool-interview1] network 10.1.13.0 mask 24
[Core-SW-ip-pool-interview1] gateway-list 10.1.13.1
[Core-SW-ip-pool-interview1] quit
#
# Enable Core-SW's interfaces to use the global address pool.

[Core-SW-Vlanif10] dhcp select global
<Core-SW>
#
<Core-SW>
#
<Core-SW>
#
<Core-SW>
#

<Core-SW>
# Check information about DHCP address pools.
[Core-SW] display ip pool

-------------------------------------------------------------------------------------
Pool-name : AP
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total : 253 Used : 0
Idle: 152 Expired :0
Conflict: 0 Disabled : 101
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :1
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total : 253 Used :0
Idle : 253 Expired :0
Conflict : 0 Disabled :0
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Idle : 253 Expired : 0
Conflict :0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-name : interview1
Pool-No :3
Position : Local
Status : Unlocked
Gateway-0 : 10.1.13.1
Network : 10.1.13.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-No :4
Position : Local
Status : Unlocked
Gateway-0 : 10.1.14.1
Network : 10.1.14.0
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total : 1265
Used :0 Idle : 1164
Expired :0 Conflict :0 Disabled: 101
[Core-SW]
Configure VLAN pools.

# Create a VLAN pool for HCIE-Lab on WAC1.
[WAC1] vlan pool lab

[WAC1-vlan-pool-lab] vlan 11 12
[WAC1-vlan-pool-lab] quit
# Create a VLAN pool for HCIE-Interview on WAC1.
[WAC1] vlan pool interview

[WAC1-vlan-pool-interview] vlan 13 14
[WAC1-vlan-pool-interview] quit
Configure profiles and parameters for APs to go online.

# Configure the CAPWAP source address on WAC1.
[WAC1] capwap source interface LoopBack 0

# Create a regulatory domain profile on WAC1. The default country code is China. (If the
device is located outside China, change the country code accordingly.)
[WAC1-wlan-view] regulatory-domain-profile name HCIE

[WAC1-wlan-regulate-domain-HCIE] country-code CN
[WAC1-wlan-regulate-domain-HCIE] quit
# Create an AP group on WAC1 and apply the regulatory domain profile to the AP group.
[WAC1-wlan-view] ap-group name HCIE

[WAC1-wlan-ap-group-HCIE] regulatory-domain-profile HCIE
[WAC1-wlan-ap-group-HCIE] quit
# Add APs' MAC addresses on WAC1. (Use MAC addresses of the APs in the actual
environment.)
[WAC1-wlan-view] ap-mac 30fd-65f8-fd40

[WAC1-wlan-ap-0] ap-name ap1
[WAC1-wlan-ap-0] ap-group HCIE
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment... Done.
[WAC1-wlan-ap-0] quit
#
[WAC1-wlan-view] ap-mac f4de-af36-b300
#
[WAC1-wlan-view] ap-mac f02f-a75e-5740
[WAC1-wlan-view]
Check the AP status.
<WAC1> display ap all

Total AP information:
nor : normal [3]
ExtraInfo: Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------------------------
0 30fd-65f8-fd40 ap1 HCIE 10.1.10.62 AP7060DN nor 0 14S -
1 f4de-af36-b300 ap2 HCIE 10.1.10.114 AirEngine5760-10 nor 0 12S -
2 f02f-a75e-5740 ap3 HCIE 10.1.10.196 AP4030DN nor 0 9S -
----------------------------------------------------------------------------------------------------------------------
Total: 3
<WAC1>
Step 6 Configure service parameters for APs at the HQ.

Create security profiles and set different passwords for HCIE-Lab and HCIE-Interview.
# Create the HCIE-Lab security profile on WAC1.
[WAC1-wlan-view] security-profile name HCIE-Lab

[WAC1-wlan-sec-prof-HCIE-Lab] security wpa2 psk pass-phrase HCIE-Lab aes
[WAC1-wlan-sec-prof-HCIE-Lab] quit
# Create the HCIE-Interview security profile on WAC1.
[WAC1-wlan-view] security-profile name HCIE-Interview

[WAC1-wlan-sec-prof-HCIE-Interview] security wpa2 psk pass-phrase HCIE-Interview aes
[WAC1-wlan-sec-prof-HCIE-Interview] quit
Create SSID profiles HCIE-Lab and HCIE-Interview.

# Create the HCIE-Lab SSID profile on WAC1.
[WAC1-wlan-view] ssid-profile name HCIE-Lab

[WAC1-wlan-ssid-prof-HCIE-Lab] ssid HCIE-Lab
Info: This operation may take a few seconds, please wait.done.
[WAC1-wlan-ssid-prof-HCIE-Lab] quit
[WAC1-wlan-view]
# Create the HCIE-Interview SSID profile on WAC1.
[WAC1-wlan-view] ssid-profile name HCIE-Interview

[WAC1-wlan-ssid-prof-HCIE-Interview] ssid HCIE-Interview
[WAC1-wlan-ssid-prof-HCIE-Interview] quit
[WAC1-wlan-view]
Create VAP profiles HCIE-Lab and HCIE-Interview.

# Create the HCIE-Lab VAP profile on WAC1.
[WAC1-wlan-view] vap-profile name HCIE-Lab

[WAC1-wlan-vap-prof-HCIE-Lab] forward-mode direct-forward
[WAC1-wlan-vap-prof-HCIE-Lab] service-vlan vlan-pool lab
[WAC1-wlan-vap-prof-HCIE-Lab] security-profile HCIE-Lab
[WAC1-wlan-vap-prof-HCIE-Lab] ssid-profile HCIE-Lab
[WAC1-wlan-vap-prof-HCIE-Lab] quit
#
# Create the HCIE-Interview VAP profile on WAC1.
[WAC1-wlan-view] vap-profile name HCIE-Interview

[WAC1-wlan-vap-prof-HCIE-Interview] forward-mode direct-forward
[WAC1-wlan-vap-prof-HCIE-Interview] service-vlan vlan-pool interview
[WAC1-wlan-vap-prof-HCIE-Interview] security-profile HCIE-Interview

[WAC1-wlan-vap-prof-HCIE-Interview] ssid-profile HCIE-Interview
[WAC1-wlan-vap-prof-HCIE-Interview] quit
#
Apply VAP profiles to the AP group.

Apply VAP profiles HCIE-Lab and HCIE-Interview on WAC1.

[WAC1-wlan-ap-group-HCIE] vap-profile HCIE-Lab wlan 1 radio all
[WAC1-wlan-ap-group-HCIE] vap-profile HCIE-Interview wlan 2 radio all
[WAC1-wlan-view]
Check VAP radio information.

# Check VAP radio information on WAC1.
[WAC1-wlan-view] display vap all

Info: This operation may take a few seconds, please wait.
WID: WLAN ID
---------------------------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
---------------------------------------------------------------------------------------------------------
0 ap1 0 1 30FD-65F8-FD40 ON WPA2-PSK 0 HCIE-Lab
0 ap1 0 2 30FD-65F8-FD41 ON WPA2-PSK 0 HCIE-Interview
1 ap2 0 1 F4DE-AF36-B300 ON WPA2-PSK 0 HCIE-Lab
1 ap2 0 2 F4DE-AF36-B301 ON WPA2-PSK 0 HCIE-Interview
2 ap3 0 1 F02F-A75E-5740 ON WPA2-PSK 0 HCIE-Lab
2 ap3 0 2 F02F-A75E-5741 ON WPA2-PSK 0 HCIE-Interview
----------------------------------------------------------------------------------------------------------
Total: 12
[WAC1-wlan-view]
Step 7 Configure the mesh network.

Create an AP group for the mesh network.
# Create the AP group HCIE-Mesh on WAC1.
[WAC1-wlan-view] ap-group name HCIE-Mesh

Info: This operation may take a few seconds. Please wait for a moment.done.
[WAC1-wlan-ap-group-HCIE-Mesh] regulatory-domain-profile HCIE
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue? [Y/N]: Y
[WAC1-wlan-ap-group-HCIE-Mesh] quit
[WAC1-wlan-view]
# Add AP4 and AP5 to the AP group HCIE-Mesh.

[WAC1-wlan-view] ap-mac 28a6-dbe1-c300

[WAC1-wlan-ap-3] ap-group HCIE-Mesh
and antenna gain configurations of the radio, whether to continue? [Y/N]: Y
Info: This operation may take a few seconds. Please wait for a moment... done.
#
[WAC1-wlan-view] ap-mac f02f-a75e-5dc0
[WAC1-wlan-ap-4] ap-group HCIE-Mesh
Info: This operation may take a few seconds. Please wait for a moment... done.
#
Configure mesh service parameters.

# Configure radio parameters for mesh nodes. Radio 1 of APs is used as an example. The
parameter coverage distance indicates the radio coverage distance, which is 3 (unit: 100
m) by default. This example sets coverage distance to 1. You can configure the parameter
based on site requirements.
[WAC1-wlan-view]ap-group name HCIE

[WAC1-wlan-ap-group-HCIE] radio 1
[WAC1-wlan-group-radio-HCIE/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue? [Y/N] y
[WAC1-wlan-group-radio-HCIE/1] coverage distance 1
[WAC1-wlan-group-radio-HCIE/1] quit
[WAC1-wlan-ap-group-HCIE]

[WAC1-wlan-ap-group-HCIE-Mesh] radio 1
[WAC1-wlan-group-radio-HCIE-Mesh/1] channel 40mhz-plus 157
[WAC1-wlan-group-radio-HCIE-Mesh/1] coverage distance 1
[WAC1-wlan-group-radio-HCIE-Mesh/1] return
<WAC1>
# Configure a mesh whitelist.
[WAC1-wlan-view] mesh-whitelist-profile name HCIE-Mesh

[WAC1-wlan-mesh-whitelist-HCIE-Mesh] peer-ap mac f02f-a75e-5740
[WAC1-wlan-mesh-whitelist-HCIE-Mesh] peer-ap mac 28a6-dbe1-c300
[WAC1-wlan-mesh-whitelist-HCIE-Mesh] peer-ap mac f02f-a75e-5dc0
[WAC1-wlan-mesh-whitelist-HCIE-Mesh] quit
[WAC1-wlan-view]
# Bind the mesh whitelist profile to the AP radio.

[WAC1-wlan-group-radio-HCIE/1] mesh-whitelist-profile HCIE-Mesh
[WAC1-wlan-group-radio-HCIE/1] quit
#
[WAC1-wlan-ap-group-HCIE-Mesh] radio 1
[WAC1-wlan-group-radio-HCIE-Mesh/1] mesh-whitelist-profile HCIE-Mesh
[WAC1-wlan-group-radio-HCIE-Mesh/1] quit
[WAC1-wlan-view]
# Configure a security profile for mesh links.
[WAC1-wlan-view] security-profile name HCIE-Mesh

[WAC1-wlan-sec-prof-HCIE-Mesh] security wpa2 psk pass-phrase HCIE-Mesh aes
[WAC1-wlan-sec-prof-HCIE-Mesh] quit
[WAC1-wlan-view]
# Configure a mesh profile. Set the mesh network ID to HCIE-Mesh and aging time of
mesh links to 30s. Bind the security profile and mesh whitelist to the mesh profile.
[WAC1-wlan-view] mesh-profile name HCIE-Mesh

[WAC1-wlan-mesh-prof-HCIE-Mesh] mesh-id HCIE-Mesh
[WAC1-wlan-mesh-prof-HCIE-Mesh] link-aging-time 30
[WAC1-wlan-mesh-prof-HCIE-Mesh] security-profile HCIE-Mesh
[WAC1-wlan-mesh-prof-HCIE-Mesh] quit
[WAC1-wlan-view]
# Configure mesh roles. Set the mesh role of AP3 to mesh-portal, and retain the default
mesh role mesh-node for AP4 and AP5. Mesh roles are configured through the AP system
profile.
[WAC1-wlan-view] ap-system-profile name HCIE-Mesh

[WAC1-wlan-ap-system-prof-HCIE-Mesh] mesh-role mesh-portal
[WAC1-wlan-ap-system-prof-HCIE-Mesh] quit
[WAC1-wlan-view]
Bind required profiles to the AP group to make mesh services take effect.
# Bind the AP system profile HCIE-Mesh to the AP group HCIE.
[AC-wlan-view] ap-group name HCIE

[AC-wlan-ap-group-HCIE] ap-system-profile HCIE-Mesh
Warning: This action may cause service interruption. Continue? [Y/N] Y
# Bind the mesh profile to the AP group HCIE to make mesh services take effect.
[AC-wlan-ap-group-HCIE] mesh-profile HCIE-Mesh radio 1

[AC-wlan-ap-group-HCIE] quit
#
[AC-wlan-view] ap-group name HCIE-Mesh
[AC-wlan-ap-group-HCIE-Mesh] mesh-profile HCIE-Mesh radio 1
[AC-wlan-ap-group-HCIE-Mesh] quit
[AC-wlan-view]
Verify the mesh service configuration.

# After mesh services take effect, run the display mesh vap all command to check
information about all mesh VAPs.
[WAC1] display mesh vap all

WID: WLAN ID
---------------------------------------------------------------------------------------------------------
AP ID AP name RfID WID Mesh ID BSSID Auth type Mesh links
---------------------------------------------------------------------------------------------------------
2 ap3 1 16 HCIE-Mesh F02F-A75E-575F WPA2-PSK 2
3 ap4 1 16 HCIE-Mesh 60F1-8A9C-2B5F WPA2-PSK 2
4 ap5 1 16 HCIE-Mesh F898-EF7F-B41F WPA2-PSK 2
----------------------------------------------------------------------------------------------------------
Total: 3
# After mesh services take effect, run the display wlan mesh link all command to check
mesh link information.
[WAC1] display wlan mesh link all

Rf : radio ID Dis: coverage distance (100m)
Ch : channel per: drop percent (%)
TSNR: total SNR (dB) P- : peer
Mesh: Mesh mode Re : retry ratio (%)
RSSI: RSSI (dBm) MaxR: max RSSI (dBm)
--------------------------------------------------------------------------------------------------------------------
APName P-APName P-APMAC Rf Dis Ch Mesh P-Status RSSI MaxR Per Re TSNR SNR (Ch0~3: dB)
--------------------------------------------------------------------------------------------------------------------
ap3 ap4 60f1-8a9c-2b40 1 1 149 portal normal -13 -13 0 1 74
72/69/-/-
ap3 ap5 f898-ef7f-b400 1 1 149 portal normal -13 -13 0 1 74 72/69/-/-
ap4 ap5 f898-ef7f-b400 1 1 149 node normal -10 -2 06 66 64/63/-/-
ap4 ap3 f02f-a75e-5740 1 1 149 node normal -27 -27 0 2 66 64/63/-/-
ap5 ap4 60f1-8a9c-2b40 1 1 149 node normal -11 -2 03 73 68/71/-/-
ap5 ap3 f02f-a75e-5740 1 1 149 node normal -30 -4 00 73 68/71/-/-
--------------------------------------------------------------------------------------------------------------------
Total: 6
[WAC1]
Step 8 Configure a GRE tunnel between the branch and HQ to achieve communication
between them.
Configure routes to enable network connectivity between WAC1 and AR2.

# Configure a static route on AR1.
[AR1] ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
# Configure a static route on AR2.
[AR2] ip route-static 10.1.10.0 255.255.255.0 20.1.1.1

Verify that WAC1 and AR2 can communicate with each other.
<WAC1> ping 10.1.200.1

PING 10.1.200.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.200.1: bytes=56 Sequence=1 ttl=253 time=2 ms
--- 10.1.200.1 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/5 ms
<WAC1>
[AR2] ping 10.1.10.254


0.00% packet loss
# Route connectivity is achieved between the local and peer ends of a tunnel to be
established.
Configure GRE tunnel interfaces.
# Configure a tunnel interface on WAC1.
[WAC1] interface Tunnel 0/0/0

[WAC1-Tunnel0/0/0] ip address 192.168.2.1 255.255.255.0
[WAC1-Tunnel0/0/0] tunnel-protocol gre
[WAC1-Tunnel0/0/0] source 10.1.10.254
[WAC1-Tunnel0/0/0] destination 10.1.200.1
[WAC1-Tunnel0/0/0]
# Configure a tunnel interface on AR2.
[AR2] interface Tunnel 0/0/0

[AR2-Tunnel0/0/0] ip address 192.168.2.2 255.255.255.0
[AR2-Tunnel0/0/0] tunnel-protocol gre
[AR2-Tunnel0/0/0] source 10.1.200.1
[AR2-Tunnel0/0/0] destination 10.1.10.254
[AR2-Tunnel0/0/0]
Verify that the GRE tunnel is established successfully.

# Check the status of Tunnel 0/0/0 on WAC1 and verify that the two ends of the tunnel
can communicate with each other. Therefore, the GRE tunnel is successfully established.
<WAC1> display ip interface brief

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
...

LoopBack0 10.10.10.10/32 up up(s)
Tunnel0/0/0 192.168.2.1/24 up up
Vlanif10 10.1.10.254/24 up up
<WAC1>
<WAC1> ping 192.168.2.2


0.00% packet loss
<WAC1>
# Configure a static route for the tunnel interface on WAC1.
[WAC1] ip route-static 192.168.100.0 255.255.255.0 tunnel0/0/0

# Configure a static route for the tunnel interface on AR2.
[AR2] ip route-static 10.10.10.10 255.255.255.255 tunnel 0/0/0
Step 9 Configure APs at the branch to go online on the WAC at the HQ.
Create DHCP address pools on SW4.
# Create DHCP address pools for APs and services at the branch on SW4.
[SW4] ip pool ap
[SW4-ip-pool-ap] gateway-list 192.168.100.1
[SW4-ip-pool-ap] network 192.168.100.0 mask 255.255.255.0
[SW4-ip-pool-ap] option 43 sub-option 3 ascii 10.10.10.10

[SW4-ip-pool-ap] quit
#
[SW4] ip pool HCIE-Lab
[SW4-ip-pool-HCIE-Lab] gateway-list 192.168.110.1
[SW4-ip-pool-HCIE-Lab] network 192.168.110.0 mask 255.255.255.0
[SW4-ip-pool-HCIE-Lab] quit
#
[SW4] ip pool HCIE-Interview
[SW4-ip-pool-HCIE-Interview] gateway-list 192.168.120.1
[SW4-ip-pool-HCIE-Interview] network 192.168.120.0 mask 255.255.255.0
[SW4-ip-pool-HCIE-Interview] quit
#
[SW4] dhcp enable
#
[SW4-Vlanif100] dhcp select global
#
#
#
Verify that APs have obtained IP addresses.

# Check IP address allocation in the DHCP address pool on SW4. The command output
shows that AP6 has obtained an IP address.
[SW4] display ip pool name ap used

Pool-name : ap
Pool-No :0
Domain-name :-
Option-code : 43
Option-subcode :3
Option-type : ascii
Option-value : 10.10.10.10
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 192.168.100.1
Network : 192.168.100.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Address Statistic: Total: 253 Used : 1
-------------------------------------------------------------------------------------------------------
Network section
Start End Total Used Idle (Expired) Conflict Disabled
-------------------------------------------------------------------------------------------------------
192.168.100.1 192.168.100.254 253 1 252(0) 0 0
-------------------------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP: mac-address PPPoE : mac-address
IPSec: user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN: user-id/session-id
-----------------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
------------------------------------------------------------------------------------------------
139 192.168.100.72 f4de-af36-b3c0 DHCP 86302 Used
-------------------------------------------------------------------------------------------------
[SW4]
# Create the AP group HCIE-Bran on WAC1 and add AP6 to the group.
# [WAC1-wlan-view] ap-group name HCIE-Bran

[WAC1-wlan-ap-group-HCIE-Bran] regulatory-domain-profile HCIE
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue? [Y/N]: Y
[WAC1-wlan-ap-group-HCIE-Bran] quit
[WAC1-wlan-view]
#
[WAC1-wlan-view] ap-mac f4de-af36-ace0
[WAC1-wlan-ap-5] ap-group HCIE-Bran
[WAC1-wlan-view]
Check the AP status. The AP is online.
[WAC1] display ap all

Idle: idle [1]
Nor: normal [5]
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
0 30fd-65f8-fd40 ap1 HCIE 10.1.10.62 AP7060DN nor 0 19M:24S -
1 f4de-af36-b300 ap2 HCIE 10.1.10.114 AirEngine5760 nor 0 15H:22M:42S -
2 f02f-a75e-5740 ap3 HCIE 10.1.10.196 AP4030DN nor 0 15H:22M:33S -
3 28a6-dbe1-c300 ap4 HCIE-Mesh 10.1.10.240 AP4030DN nor 0 15H:20M:17S -
4 f02f-a75e-5dc0 ap5 HCIE-Mesh 10.1.10.198 AP4030DN nor 0 15H:19M:54S -
5 f4de-af36-ace0 ap6 HCIE-Bran 192.168.100.72AirEngine5760 nor 0 00H:01M:51S -
----------------------------------------------------------------------------------------------------------------------
Total: 6
[WAC1]
----End
1.3 Reference Configuration

1.3.1 Core-SW Configuration
#
sysname Core-SW
#
vlan batch 10 to 14 99
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.254
option 43 sub-option 3 ascii 10.10.10.10
#
ip pool lab1
network 10.1.11.0 mask 255.255.255.0
#
ip pool lab2
network 10.1.12.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.13.0 mask 255.255.255.0
#
ip pool interview2
network 10.1.14.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
interface MEth0/0/1
ip address 172.21.59.1 255.255.128.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14
#
undo port trunk allow-pass vlan 1
#
#
#
port link-type access
port default vlan 99
#
ospf 1 router-id 10.1.10.1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.14.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
[Core-SW]
1.3.2 Agg1 Configuration

#
sysname Agg1
#
vlan batch 10 to 14
#
interface MEth0/0/1
ip address 172.21.59.4 255.255.128.0
#
#
port trunk pvid vlan 10
#
#
return
<Agg1>

#
sysname Agg2
#
vlan batch 10 to 14
#
interface MEth0/0/1
ip address 172.21.59.5 255.255.128.0
#
#
#
return
<Agg2>
1.3.4 WAC1 Configuration

#
<WAC1>display current-configuration
Software Version V200R010C00SPC700
#
sysname WAC1
#
vlan batch 10 to 14
#
vlan pool lab
vlan 11 to 12
vlan pool interview
vlan 13 to 14
#
interface Vlanif10
ip address 10.1.10.254 255.255.255.0
#
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
interface Tunnel0/0/0
ip address 192.168.2.1 255.255.255.0
tunnel-protocol gre
source 10.1.10.254
destination 10.1.200.1
#
area 0.0.0.0
network 10.1.10.254 0.0.0.0
network 10.10.10.10 0.0.0.0
#
ip route-static 192.168.100.0 255.255.255.0 Tunnel0/0/0
#
capwap source ip-address 10.10.10.10
#
wlan
security-profile name HCIE-Lab
security wpa2 psk pass-phrase Huawei@123 aes
security-profile name HCIE-Mesh
security-profile name HCIE-Interview
ssid-profile name HCIE-Lab
ssid HCIE-Lab
ssid-profile name HCIE-Interview
ssid HCIE-Interview
vap-profile name HCIE-Lab
service-vlan vlan-pool lab
ssid-profile HCIE-Lab
security-profile HCIE-Lab
vap-profile name HCIE-Interview
service-vlan vlan-pool interview
ssid-profile HCIE-Interview
security-profile HCIE-Interview
mesh-whitelist-profile name HCIE
mesh-whitelist-profile name HCIE-Mesh
peer-ap mac f02f-a75e-5740

peer-ap mac 60f1-8a9c-2b40
peer-ap mac f898-ef7f-b400
mesh-profile name HCIE-Mesh
security-profile HCIE-Mesh
mesh-id HCIE-Mesh
link-aging-time 30
regulatory-domain-profile name HCIE
ap-system-profile name HCIE-Mesh
mesh-role mesh-portal
ap-group name HCIE
ap-system-profile HCIE-Mesh
regulatory-domain-profile HCIE
radio 0
vap-profile HCIE-Lab wlan 1
vap-profile HCIE-Interview wlan 2
radio 1
mesh-profile HCIE-Mesh
mesh-whitelist-profile HCIE-Mesh
channel 40mhz-plus 149
coverage distance 1
radio 2
ap-group name HCIE-Mesh
radio 1
coverage distance 1
ap-group name HCIE-Bran
ap-id 0 type-id 100 ap-mac 30fd-65f8-fd40 ap-sn 2102351TYR10L4004310
ap-name ap1
ap-group HCIE
ap-id 1 type-id 115 ap-mac f4de-af36-b300 ap-sn 2102352UBR10L6001295
ap-name ap2
ap-group HCIE
ap-id 2 type-id 43 ap-mac f02f-a75e-5740 ap-sn 21500826412SH1906275
ap-name ap3
ap-group HCIE
ap-id 3 type-id 75 ap-mac 60f1-8a9c-2b40 ap-sn 21500831023GJ9022622
ap-name ap4
ap-group HCIE-Mesh
ap-id 4 type-id 75 ap-mac f898-ef7f-b400 ap-sn 21500831023GJ3001187
ap-name ap5
ap-group HCIE-Mesh
ap-id 5 ap-mac f4de-af36-b3c0
ap-name ap6
ap-group HCIE-Bran
provision-ap
#
return
<WAC1>
1.3.5 AR1 Configuration

#
sysname AR1
#
#
undo portswitch
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252
#
ospf 1
default-route-advertise always
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
#
return
<AR1>

#
sysname AR2
#
undo portswitch
ip address 20.1.1.2 255.255.255.252
#
undo portswitch
ip address 10.1.200.1 255.255.255.252
#
interface Tunnel0/0/0
ip address 192.168.2.2 255.255.255.0
tunnel-protocol gre
source 10.1.200.1
destination 10.1.10.254
#
ospf 1
area 0.0.0.0
network 10.1.200.1 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1

#
return
<AR2>
1.3.7 SW4 Configuration

sysname SW4
#
vlan batch 100 110 120 200
#
ip pool ap
network 192.168.100.0 mask 255.255.255.0
#
ip pool HCIE-Lab
network 192.168.110.0 mask 255.255.255.0
#
ip pool HCIE-Interview
network 10.1.120.0 mask 255.255.255.0
#
ip pool test
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100 10.1.10.254
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
dhcp select global
#
interface Vlanif110
ip address 192.168.110.1 255.255.255.0
dhcp select global
#
interface Vlanif120
ip address 192.168.120.1 255.255.255.0
dhcp select global
#
interface Vlanif200
ip address 10.1.200.2 255.255.255.252
#
interface MEth0/0/1
ip address 172.21.59.6 255.255.128.0
#

#
port trunk allow-pass vlan 100 110 120
#
ospf 1
area 0.0.0.0
network 10.1.200.2 0.0.0.0
network 192.168.100.1 0.0.0.0
network 192.168.110.1 0.0.0.0
network 192.168.120.1 0.0.0.0
#
return
2 WLAN High Reliability Solution Lab
2.1 Introduction
This lab provides instructions on configuring and commissioning WLAN high-reliability
networking so that you can understand how to deploy Huawei WLAN high-reliability
networking solutions.
2.1.2 Objectives
⚫ Understand Huawei WLAN high-reliability networking.
⚫ Master how to configure WLAN VRRP HSB networking.
⚫ Master how to configure WLAN N+1 backup networking.
⚫ Master how to configure WLAN link failover.
Figure 2-1 WLAN high-reliability lab topology

In the lab, Agg1 and Agg2 are PoE switches, WAC1 and WAC2 are added to a VRRP group
in HSB mode, and WAC3 functions as the backup WAC to provide N+1 backup for WAC1
and WAC2.
PVID: 1
GE0/0/1 Trunk
PVID: 1
GE0/0/2 Trunk
PVID: 1
GE0/0/3 Trunk
Core-SW
PVID: 1
GE0/0/4 Trunk
PVID: 1
GE0/0/5 Trunk
PVID: 1
WAC1 GE0/0/1 Trunk
PVID: 1
WAC2 GE0/0/1 Trunk
PVID: 1
WAC3 GE0/0/1 Trunk
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
Agg2 GE0/0/1 Trunk
PVID: 10
GE0/0/2 Trunk
Device Interface IP address
VLANIF 10 10.1.10.1/24
VLANIF 11 10.1.11.1/24
VLANIF 12 10.1.12.1/24
Core-SW
VLANIF 13 10.1.13.1/24
VLANIF 14 10.1.14.1/24
GE0/0/7 10.1.99.1/30
WAC1 VLANIF 10 10.1.10.254/24
WAC2 VLANIF 10 10.1.10.253/24
WAC3 VLANIF 10 10.1.10.252/24
GE0/0/1 10.1.99.2/24
AR1
GE0/0/2 20.1.1.1/30
GE0/0/1 20.1.1.2/30
AR2
GE0/0/2 172.16.1.1/24
Table 2-3 WLAN service parameter design
Forwarding mode Direct forwarding

Management VLAN 10
VLAN pool: HCIE-Lab, containing VLANs 11 and 12

Service VLAN
VLAN pool: HCIE-Interview, containing VLANs 13 and 14
WAC's source interface 10.10.10.10
HCIE
AP group
HCIE-Mesh
HCIE-Lab
VAP profile
HCIE-Interview
HCIE-Lab
Security profile
HCIE-Interview
HCIE-Lab
SSID profile
HCIE-Interview

between devices.
⚫ Configure VRRP HSB on WAC1 and WAC2.
⚫ Configure WLAN services at the HQ.
⚫ Test HSB and WLAN services.
⚫ Configure dual-link HSB on WAC3.
⚫ Configure WLAN services.
⚫ Test WLAN services.

<Huawei>sys
belong.

#
#
#
#
#
belong.

#
#
belong.

#
# Create VLANs on WACs, and configure interface types and VLANs to which the interfaces
belong.
[WAC1] vlan batch 10 to 14

[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 to 14
#
#
#


#
#
#
#
#
# Check the IP addresses on Core-SW.

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif13 10.1.13.1/24 up up
Vlanif14 10.1.14.1/24 up up
Vlanif99 10.1.99.1/30 up up
[Core-SW]
# Configure an IP address for an interface on WAC1.



# Configure the IP addresses for interfaces on AR1.

#

# Configure the OSPF on Core-SW to advertise local network segments.
[Core-SW] ospf 1
<Core-SW>
[WAC1] ospf 1
<WAC1>
[WAC2] ospf 1
<WAC2>
[WAC3] ospf 1
<WAC3>
[AR1] ospf 1
[AR1-ospf-1] area 0
<AR1>

[AR1-ospf-1] quit
[AR1]
Step 4 Create DHCP address pools and VLAN pools.


[Core-SW] ip pool AP
[Core-SW-ip-pool-ap] excluded-ip-address 10.1.10.250 10.1.10.254
# Create DHCP address pools for HCIE-Lab on Core-SW.

#
# Create DHCP address pools for HCIE-Interview on Core-SW.


#

<Core-SW>
#
<Core-SW>
#
<Core-SW>
#
<Core-SW>
#
<Core-SW>

-------------------------------------------------------------------------------------
Pool-name : ap
Pool-No :0
Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total: 253 Used :3
Idle: 245 Expired : 0
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :1
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total: 253 Used :0
Idle: 253 Expired : 0
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
Conflict : 0 Disabled : 0
-------------------------------------------------------------------------------------
Pool-No :3
Position : Local
Status : Unlocked
Gateway-0 : 10.1.13.1
Network : 10.1.13.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-No :4
Position : Local
Status : Unlocked
Gateway-0 : 10.1.14.1
Network : 10.1.14.0
Mask : 255.255.255.0
VPN instance : --

Total: 1265
Used :0 Idle: 1164
Expired :0 Conflict: 0 Disabled: 101
[Core-SW]
Configure VLAN pools.

# Create a VLAN pool for HCIE-Lab on WAC1.
[WAC1] vlan pool lab

[WAC1-vlan-pool-lab] vlan 11 12
[WAC1-vlan-pool-lab] quit
# Create a VLAN pool for HCIE-Interview on WAC1.
[WAC1] vlan pool interview

[WAC1-vlan-pool-interview] vlan 13 14
[WAC1-vlan-pool-interview] quit
Step 5 Configure HSB on WAC1 and WAC2.

Configure VRRP HSB on WAC1.
# Create a management VRRP group on WAC1. Set the priority of WAC1 in the
management VRRP group to 120 and the preemption delay to 180 seconds.
[WAC1] interface vlanif 10

[WAC1-Vlanif10] vrrp vrid 1 virtual-ip 10.1.10.250
[WAC1-Vlanif10] vrrp vrid 1 priority 120
[WAC1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 180
[WAC1-Vlanif10] admin-vrrp vrid 1
# Create HSB service 0 on WAC1 and configure the IP addresses and port numbers for the
active and standby channels. Set the retransmission time and interval of HSB service 0.
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.1.10.254 peer-ip 10.1.10.253 local-data-port 10241
peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit
# Create HSB group 0 on WAC1, and bind HSB service 0 and the management VRRP group
to HSB group 0.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 10
[WAC1-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[WAC1] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[WAC1] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.
[WAC1] hsb-service-type dhcp hsb-group 0
# Enable the HSB function.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
Configure VRRP HSB on WAC2.

# Create a management VRRP group on WAC2.
[WAC2] interface vlanif 10

# Create HSB service 0 on WAC2 and configure the IP addresses and port numbers for the
active and standby channels. Set the retransmission time and interval of HSB service 0.
[WAC2-hsb-service-0] service-ip-port local-ip 10.1.10.253 peer-ip 10.1.10.254 local-data-port 10241
peer-data-port 10241
# Create HSB group 0 on WAC2, and bind HSB service 0 and the management VRRP group
to HSB group 0.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 10
# Bind the NAC service to the HSB group.
# Bind the WLAN service to the HSB group.

# Bind the DHCP service to the HSB group.
Step 6 Configure system parameters of WAC1.

# Configure the CAPWAP source address (virtual IP address of the VRRP group) on WAC1.
[WAC1] capwap source ip-address 10.1.10.250
[WAC1] wlan

environment.)

#
#
[WAC1-wlan-view]

nor : normal [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
0 30fd-65f8-fd40 ap1 HCIE 10.1.10.62 AP7060DN nor 0 14S P
----------------------------------------------------------------------------------------------------------------------
Total: 3
<WAC1>
Step 7 Configure WLAN service parameters on WAC1.

Create security profiles and set different passwords for HCIE-Lab and HCIE-Interview.

[WAC1-wlan-sec-prof-HCIE-Lab] security wpa2 psk pass-phrase HCIE-Lab aes

[WAC1-wlan-sec-prof-HCIE-Interview] security wpa2 psk pass-phrase HCIE-Interview aes


[WAC1-wlan-view]

[WAC1-wlan-view]


[WAC1-wlan-vap-prof-HCIE-Lab] service-vlan vlan-pool lab
#

[WAC1-wlan-vap-prof-HCIE-Interview] service-vlan vlan-pool interview
#

# Apply VAP profiles HCIE-Lab and HCIE-Interview on WAC1.

[WAC1-wlan-view]


WID : WLAN ID
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
Total: 12
[WAC1-wlan-view]
Step 8 Configure wireless configuration synchronization between WAC1 and WAC2.

# Configure wireless configuration synchronization on WAC1.
[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.1.10.253 local-ip ip-address
10.1.10.254 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 10
[WAC1-master-controller] quit
[WAC1-wlan-view] quit
# Configure wireless configuration synchronization on WAC2.
[WAC2] wlan
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.1.10.254 local-ip ip-address
10.1.10.253 psk Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 10
[WAC2-wlan-view] quit
# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The Status field is displayed as cfg-mismatch. Manually trigger
wireless configuration synchronization from the master WAC to the backup master WAC.
Wait until the backup master WAC is restarted.
[WAC1-wlan-view] display sync-configuration status

Controller role: Master/Backup/Local
----------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------------------------
10.1.10.253 Backup AC6508 V200R010C00SPC700B cfg-mismatch (config check fail) -
----------------------------------------------------------------------------------------------------------------------
Total: 1
[WAC1-wlan-view]
#
[WAC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]: y
# Run the display sync-configuration status command to check the wireless configuration
synchronization status. If the Status field is displayed as up, the configurations of WAC1
and WAC2 have been synchronized.
<WAC1> display sync-configuration status

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
10.1.10.253 Backup AC6508 V200R010C00SPC700 up 2021-03-31/11:12:08
----------------------------------------------------------------------------------------------------------------
Total: 1
<WAC1>
Enable HSB on WAC2.

# Enable the HSB function.
[WAC2] hsb-group 0
Step 9 Verify the VRRP HSB configuration.
<WAC1> display vrrp brief

Total: 1 Master: 1 Backup: 0 Non-active: 0
VRID State Interface Type Virtual IP
----------------------------------------------------------------------------------
1 Master Vlanif10 Admin 10.1.10.250
<WAC1>
#
<WAC2> display vrrp brief
Total: 1 Master: 0 Backup: 1 Non-active: 0
VRID State Interface Type Virtual IP
----------------------------------------------------------------------------------
1 Backup Vlanif10 Admin 10.1.10.250
<WAC1>
#
[WAC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.1.10.254
Peer IP Address : 10.1.10.253
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval :6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[WAC1]
#
[WAC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif10
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6508

Peer Group Software Version : V200R010C00SPC700B715
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[WAC1]
Step 10 Configure WAC3 to provide dual-link cold backup for WAC1 and WAC2.
# Configure IP addresses for the primary and backup WACs in the AP system profile on
WAC1.
[WAC1] wlan
[WAC1-wlan-view] ap-system-profile name HCIE
[WAC1-wlan-ap-system-prof-HCIE] mesh-role mesh-portal
[WAC1-wlan-ap-system-prof-HCIE] primary-access ip-address 10.1.10.250
Warning: This action will take effect after resetting AP.
[WAC1-wlan-ap-system-prof-HCIE] backup-access ip-address 10.1.10.252
[WAC1-wlan-ap-system-prof-HCIE] quit
[WAC1-wlan-view]
#
[WAC1]wlan
[WAC1-wlan-ap-system-prof-HCIE-Mesh] mesh-role mesh-node
[WAC1-wlan-ap-system-prof-HCIE-Mesh] primary-access ip-address 10.1.10.250
[WAC1-wlan-ap-system-prof-HCIE-Mesh] backup-access ip-address 10.1.10.252
#
# Bind the AP system profile to the AP groups.

[WAC1-wlan-ap-group-HCIE] ap-system-profile HCIE
#
[WAC1-wlan-ap-group-HCIE-Mesh] ap-system-profile HCIE-Mesh
# Enable global revertive switching. By default, global revertive switching is enabled.
[WAC1-wlan-view] undo ac protect restore disable

Info: Protect restore has already enabled.
Enable dual-link HSB globally and disable N+1 backup.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] undo hsb enable
[WAC1-hsb-group-0] undo bind-service 0
[WAC1] undo hsb-service-type ap

[WAC1] hsb-group 0
[WAC1-hsb-group-0] wlan
[WAC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue? [Y/N]: y
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
[WAC1-wlan-view]
# Configure IP addresses for the primary and backup WACs in the AP system profile on
WAC3.
[WAC3] wlan
[WAC3-wlan-ap-system-prof-HCIE] mesh-role mesh-portal
[WAC3-wlan-ap-system-prof-HCIE] primary-access ip-address 10.1.10.250
[WAC3-wlan-ap-system-prof-HCIE] backup-access ip-address 10.1.10.252
[WAC3-wlan-ap-system-prof-HCIE] quit
[WAC3-wlan-view]
#
[WAC3] wlan
[WAC3-wlan-ap-system-prof-HCIE-Mesh] mesh-role mesh-node
[WAC3-wlan-ap-system-prof-HCIE-Mesh] primary-access ip-address 10.1.10.250
[WAC3-wlan-ap-system-prof-HCIE-Mesh] backup-access ip-address 10.1.10.252
# Bind the AP system profile to the AP groups.

[WAC3-wlan-ap-group-HCIE] ap-system-profile HCIE
#
[WAC3-wlan-ap-group-HCIE-Mesh] ap-system-profile HCIE-Mesh
# Enable global revertive switching. By default, global revertive switching is enabled.
[WAC3-wlan-view] undo ac protect restore disable

Info: Protect restore has already enabled.
Enable dual-link HSB globally and disable N+1 backup.
[WAC3-wlan-view] ac protect enable

Warning: This operation maybe cause AP reset, continue? [Y/N]: y
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
[WAC3-wlan-view]
Step 11 Check the dual-link backup status on WAC3.

# Check the AP status on WAC3.

idle : idle [1]
stdby : standby [5]
----------------------------------------------------------------------------------------------------------------------
---
----------------------------------------------------------------------------------------------------------------------
---
0 30fd-65f8-fd40 ap1 HCIE 10.1.10.62 AP7060DN stdby 0 - -
1 f4de-af36-b300 ap2 HCIE 10.1.10.114 AirEngine5760 stdby 0 - -
2 f02f-a75e-5740 ap3 HCIE 10.1.10.196 AP4030DN stdby 0 - -
3 60f1-8a9c-2b40 ap4 HCIE-Mesh 10.1.10.240 AP4050DN stdby 0 - -
4 f898-ef7f-b400 ap5 HCIE-Mesh 10.1.10.198 AP4050DN stdby 0 - -
5 f4de-af36-b3c0 ap6 HCIE-Bran 192.168.100.140 AP4050DN stdby 0 - -
----------------------------------------------------------------------------------------------------------------------
---
Total: 6
<WAC3>
Step 12 Configure service holding upon CAPWAP link disconnection.

Configure service holding upon CAPWAP link disconnection on WACs.
# Enable service holding upon CAPWAP link disconnection on WAC1.

[WAC1-wlan-ap-system-prof-HCIE] keep-service enable
[WAC1-wlan-ap-system-prof-HCIE-Mesh] keep-service enable
# Enable the function of allowing new user access upon CAPWAP link disconnection on
WAC1.

[WAC1-wlan-ap-system-prof-HCIE] keep-service enable allow new-access
[WAC1-wlan-ap-system-prof-HCIE-Mesh] keep-service enable allow new-access
# Enable service holding upon CAPWAP link disconnection on WAC3.

[WAC3-wlan-ap-system-prof-HCIE] keep-service enable
[WAC3-wlan-ap-system-prof-HCIE-Mesh] keep-service enable
# Enable the function of allowing new user access upon CAPWAP link disconnection on
WAC3.

[WAC3-wlan-ap-system-prof-HCIE] keep-service enable allow new-access
[WAC3-wlan-ap-system-prof-HCIE-Mesh] keep-service enable allow new-access
----End
2.3 Verification
2.3.1 Simulating a Fault on WAC1
Simulate a fault on WAC1 and check the impact of WAC switchover on services.
# Ping the IP address 20.1.1.1 of AR1 from PC1 for a long time to simulate Internet access.
Shut down GE0/0/1 on WAC1 and check whether services are affected.
C:\Users\admin>ping 20.1.1.1 -t
Pinging 20.1.1.1 with 32 bytes of data:

Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
# Shut down GE0/0/1 on WAC1.

[WAC1-GigabitEthernet0/0/1] shutdown
[WAC1-GigabitEthernet0/0/1]
# Check the ping packets. The packet loss rate is 0.

Ping statistics for 20.1.1.1:

Packets: Sent = 73, Received = 73, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 1ms
2.3.2 Simulating a Fault on WAC2

Simulate a fault on WAC2 and check the impact of WAC switchover on services.
# Shut down GE0/0/1 on WAC2. The ping packets are still normal.
C:\Users\admin>ping 20.1.1.1 -t



#
sysname Core-SW
#
#
ip pool ap
network 10.1.10.0 mask 255.255.255.0
#
ip pool lab1
network 10.1.11.0 mask 255.255.255.0
#
ip pool lab2
network 10.1.12.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.13.0 mask 255.255.255.0
#
ip pool interview2
network 10.1.14.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0

dhcp select global
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
interface MEth0/0/1
ip address 172.21.59.1 255.255.128.0
#
#
#
#
#
#
#
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.14.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
<Core-SW>

#
sysname Agg1
#
vlan batch 10 to 14
#
interface MEth0/0/1
ip address 172.21.59.4 255.255.128.0
#
#
#
#
return
<Agg1>

#
sysname Agg2
#
vlan batch 10 to 14
#
interface MEth0/0/1
ip address 172.21.59.5 255.255.128.0
#

#
#
return
<Agg2>

#
sysname WAC1
#
vlan batch 10 to 14
#
vlan pool lab
vlan 11 to 12
vlan pool interview
vlan 13 to 14
#
interface Vlanif10
ip address 10.1.10.254 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.250
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 180
#
#
area 0.0.0.0
network 10.1.10.254 0.0.0.0
network 10.10.10.10 0.0.0.0
#
cpu-defend policy tesrt
packet-type snmp rate-limit 96 wired
#
#
hsb-service 0
service-ip-port local-ip 10.1.10.254 peer-ip 10.1.10.253 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif10
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0

#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ac protect enable
security wpa2 psk pass-phrase %^%#m&~&E'fKMRKx&!E3V:N3<y"ICeeB#8xkJk1}z/q-%^%# aes
security wpa2 psk pass-phrase %^%#$c*vBe@=)K$du<Eu]13Y+~%V.sShwLejR05^&AF#%^%# aes
security wpa2 psk pass-phrase %^%#TCar3U["k2h-6*3S/{uLd9A72%RT%Wq|kZ6JMNz7%^%# aes
ssid HCIE-Lab
ssid HCIE-Interview
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
mesh-id HCIE-Mesh
link-aging-time 30
ap-system-profile name HCIE
keep-service enable allow new-access
primary-access ip-address 10.1.10.250
backup-access ip-address 10.1.10.252
ap-group name HCIE
ap-system-profile HCIE
radio 0
radio 1
coverage distance 1
radio 2
ap-group name Mesh
radio 1
coverage distance 1
ap-group name default
ap-group name HCIE-Mesh
radio 1
coverage distance 1
ap-group name HCIE-Branch
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
ap-name ap4
ap-group HCIE-Mesh
ap-name ap5
ap-group HCIE-Mesh
provision-ap
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif10
master-redundancy peer-ip ip-address 10.1.10.253 local-ip ip-address 10.1.10.254 psk Huawei@123
#
return
<WAC1>

#
sysname WAC2
#
vlan batch 10 to 14
#
vlan pool lab
vlan 11 to 12
vlan pool interview
vlan 13 to 14
#
interface Vlanif1
ip address dhcp-alloc unicast
#
interface Vlanif10
ip address 10.1.10.253 255.255.255.0
admin-vrrp vrid 1
#
interface Ethernet0/0/47
#
#
ospf 1
area 0.0.0.0
network 10.1.10.253 0.0.0.0
#
#
hsb-service 0
service-ip-port local-ip 10.1.10.253 peer-ip 10.1.10.254 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
ac protect enable
security wpa2 psk pass-phrase %^%#m&~&E'fKMRKx&!E3V:N3<y"ICeeB#8xkJk1}z/q-%^%# aes
security wpa2 psk pass-phrase %^%#$c*vBe@=)K$du<Eu]13Y+~%V.sShwLejR05^&AF#%^%# aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#qNfI(V#y8:b/W|/(mY81#Z\D8~!8Y*#IO1RwV);+%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#o[7"I"t]\4xd-e7_BV:3&kdR~nCGO!El4DSuB>~E%^%# aes
security wpa2 psk pass-phrase %^%#TCar3U["k2h-6*3S/{uLd9A72%RT%Wq|kZ6JMNz7%^%# aes
ssid-profile name default

ssid HCIE-Lab
ssid HCIE-Interview
mesh-id HCIE-Mesh
link-aging-time 30
ap-group name HCIE
radio 0
radio 1
coverage distance 1
radio 2
ap-group name Mesh
radio 1
coverage distance 1

ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
ap-name ap4
ap-group HCIE-Mesh
ap-name ap5
ap-group HCIE-Mesh
provision-ap
master controller
master-redundancy peer-ip ip-address 10.1.10.254 local-ip ip-address 10.1.10.253 psk Huawei@123
#
return
<WAC2>

#
sysname WAC3
#
vlan batch 10 to 14
#
interface Vlanif10
ip address 10.1.10.252 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 10.1.10.252 0.0.0.0
#
#
wlan
ac protect enable
security wpa2 psk pass-phrase %^%#YmTn9meNQ3HTK#Oqr]CVa|"POmBC8FS3>+D=XW%D%^%#
aes
security wpa2 psk pass-phrase %^%#`'yTUV23F/V@x10s@=oA]5cP1o$-|,LL3'HH-xLX%^%# aes

security wpa2 psk pass-phrase %^%#YB\kYxf;r%XE4/H*K|y'1JM+.E#nM2~Sa^*O:":B%^%# aes
ssid HCIE-Lab
ssid HCIE-Interview
mesh-id HCIE-Mesh
link-aging-time 30
ap-group name HCIE
radio 0
radio 1
coverage distance 1
radio 2
ap-group name Mesh
radio 1
coverage distance 1
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
ap-name ap4
ap-group HCIE-Mesh
ap-name ap5
ap-group HCIE-Mesh
provision-ap
#
return
<WAC3>

#
sysname AR1
#
undo portswitch
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
#
return
<AR1>
3 WLAN Roaming & QoS Solution Lab
3.1 Introduction
This lab activity provides instructions on configuring and commissioning inter-WAC Layer
3 roaming so that you can understand how to deploy Huawei WLAN roaming.
1.1.1 Objectives
⚫ Understand the inter-WAC Layer 3 roaming network configuration.
⚫ Understand how to configure fast roaming.
⚫ Understand how to configure smart roaming.
⚫ Understand how to configure QoS for the WLAN network.
Figure 3-1 Network topology for the WLAN roaming & QoS lab

In the lab, Agg1 and Agg2 are PoE switches, Core-SW is the core switch, WAC1 and WAC2
are Layer 3 mobility group members, WAC1 manages AP1 and AP2, and WAC2 manages
AP3.
When PC1 moves from AP1 to AP2, intra-WAC Layer 2 roaming is implemented. When PC1
moves from AP2 to AP3, inter-WAC Layer 3 roaming is implemented.
After PC1 is connected to the HCIE-Lab network, the user has a poor voice and video service
experience. The administrator expects voice and video service traffic to be preferentially
forwarded, so as to improve users' voice and video service experience. This also improves
the overall user experience because multiple users can be assigned equal bandwidth
occupation time.
PC2 accesses the HCIE-Interview network. To prevent STAs from maliciously occupying
network resources and reduce network congestion, the administrator wants to limit the
uplink rate of each STA on AP3 to 2 Mbit/s and the total uplink rate of all STAs on the VAP
to 30 Mbit/s.
PVID: 1
GE0/0/1 Trunk
Allow-pass: VLANs 10, 11, and 12
PVID: 1
GE0/0/2 Trunk
Core-SW PVID: 1
GE0/0/3 Trunk
PVID: 1
GE0/0/5 Trunk
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
Agg2
PVID: 100
GE0/0/2 Trunk
WAC1 GE0/0/1 Trunk PVID: 1

Allow-pass: VLAN 10
PVID: 1
WAC2 GE0/0/1 Trunk
Allow-pass: VLAN 100
VLANIF 10 10.1.10.1/24
VLANIF 11 10.1.11.1/24
VLANIF 12 10.1.12.1/24
Core-SW VLANIF 99 10.1.99.1/30
VLANIF 100 10.1.100.1/24
VLANIF 110 10.1.110.1/24
VLANIF 120 10.1.120.1/24
VLANIF 10 10.1.10.100/24
WAC1
Loopback 0 10.10.10.10/32
VLANIF 100 10.1.100.100/24

WAC2
Loopback 0 100.100.100.100/32
GE0/0/1 10.1.99.2/30
AR1
GE0/0/2 20.1.1.1/30

between devices.
⚫ Configure AP1 and AP2 to go online on WAC1.
⚫ Configure AP3 to go online on WAC3.
⚫ Configure inter-WAC Layer 3 roaming.
⚫ Configure 802.11r roaming.
⚫ Configure the Wi-Fi Multimedia (WMM) function so that voice and video services
can preferentially use wireless network bandwidth.
⚫ Configure priority mapping to ensure that voice and video services have higher
priorities and preferentially use network bandwidth.

<Huawei>sys
[Core-SW] vlan batch 10 to 12 99 100 110 120
belong.

#
[Core-SW-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
#
#
[Core-SW-Gigabit Ethernet0/0/4] port link-type trunk
[Core-SW-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 110 120
#
belong.

#
#
belong.

[Agg2] vlan batch 100 110 120
[Agg2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
#
# Create VLANs on WACs, and configure interface types and VLANs to which the interfaces
belong.

#
[WAC2] vlan batch 100 110 120

[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
#

Configure IP addresses for the devices.

#
#
#
#
#
#
#
# Check interface IP addresses of Core-SW.

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

MEth0/0/1 172.21.59.1/17 up up
Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif99 10.1.99.1/30 up up
Vlanif100 10.1.100.1/24 up up
Vlanif110 10.1.110.1/24 up up
Vlanif120 10.1.120.1/24 up up
[Core-SW]

#

#

#

[Core-SW] ospf 1

<Core-SW>
[WAC1] ospf 1
<WAC1>
[WAC2] ospf 1
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
<AR1>

[AR1-ospf-1] quit
[AR1]
Step 4 Create DHCP address pools.

# Create DHCP address pools for APs on Core-SW.

[Core-SW] ip pool ap1
[Core-SW-ip-pool-ap1] network 10.1.10.0 mask 24
[Core-SW-ip-pool-ap1] gateway-list 10.1.10.1
[Core-SW-ip-pool-ap1] excluded-ip-address 10.1.10.100
[Core-SW-ip-pool-ap1] option 43 sub-option 3 ascii 10.10.10.10
[Core-SW-ip-pool-ap1] quit
#

[Core-SW-ip-pool-ap2] excluded-ip-address 10.1.100.100
# Create the HCIE-Lab DHCP address pool for WAC1 on Core-SW.

# Create the HCIE-Interview DHCP address pool for WAC1 on Core-SW.

# Create the HCIE-Lab DHCP address pool for WAC2 on Core-SW.

# Create the HCIE-Interview DHCP address pool for WAC2 on Core-SW.


#
#
#
<Core-SW>
#

<Core-SW>
#
<Core-SW>

-------------------------------------------------------------------------------------
Pool-name : ap1
Pool-No :0
Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-name : ap2
Pool-No :1
Position : Local
Status : Unlocked
Gateway-0 : 10.1.100.1
Network : 10.1.100.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-No :3
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-name : lab2
Pool-No :4
Position : Local
Status : Unlocked
Gateway-0 : 10.1.110.1
Network : 10.1.110.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-No :5
Position : Local
Status : Unlocked
Gateway-0 : 10.1.120.1
Network : 10.1.120.0
Mask : 255.255.255.0
VPN instance : --
Total : 1518
Used :3 Idle : 1513
Expired :0 Conflict :0 Disabled : 2
[Core-SW]
Step 5 Configure the APs to go online.

[WAC1] wlan

environment.)

#
[WAC1-wlan-ap-1] return
Check AP status on WAC1.

Nor : normal [2]
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Total: 2
<WAC1>

Create security profiles HCIE-Lab and HCIE-Interview, and set different passwords for them.

[WAC1-wlan-sec-prof-HCIE-Lab] security wpa2 psk pass-phrase HCIE@LAB aes

[WAC1-wlan-sec-prof-HCIE-Interview] security wpa2 psk pass-phrase HCIE@INTERVIEW aes


[WAC1-wlan-view]

[WAC1-wlan-view]


[WAC1-wlan-vap-prof-HCIE-Lab] service-vlan vlan-id 11
#

[WAC1-wlan-vap-prof-HCIE-Interview] service-vlan vlan-id 12
#


[WAC1-wlan-view]


WID: WLAN ID
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
Total: 8
[WAC1-wlan-view]
Step 7 Configure system parameters of WAC2.



environment.)

[WAC2-wlan-view]

nor : normal [1]
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Total: 1
<WAC1>





[WAC1-wlan-view]


[WAC1-wlan-view]


#

#


[WAC2-wlan-view]

[WAC2-wlan-ap-group-HCIE] display vap all

WID: WLAN ID
--------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Total: 4
[WAC2-wlan-ap-group-HCIE]
Step 9 Configure inter-WAC Layer 3 roaming.

Configure WLAN roaming on WAC1.

# Create a mobility group and configure WAC1 and WAC2 as members of the group. The
IP addresses of the WACs added here are their source IP addresses.
[WAC1-wlan-view] mobility-group name HCIE

[WAC1-mc-mg-HCIE] member ip-address 10.10.10.10
[WAC1-mc-mg-HCIE] quit
Configure WLAN roaming on WAC2.

# Create a mobility group and configure WAC1 and WAC2 as members of the group. The
IP addresses of the WACs added here are their source IP addresses.
[WAC2-wlan-view] mobility-group name HCIE

Step 10 Verify the configuration of inter-WAC Layer 3 roaming.

On WAC1, check the status of WAC1 and WAC2. If the value of State is normal, WAC1 and
WAC2 are working properly.
[WAC2-mc-mg-HCIE] display mobility-group name HCIE

--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.10.10.10 -
normal 100.100.100.100 -
--------------------------------------------------------------------------------
Total: 2
Step 11 Configure 802.11r roaming.

Enable 802.11r on WAC1.
[WAC1] wlan
[WAC1-wlan-ssid-prof-HCIE-Lab] dot11r enable
#
[WAC1-wlan-ssid-prof-HCIE-Interview] dot11r enable
Enable 802.11r on WAC2.
[WAC2] wlan
[WAC2-wlan-ssid-prof-HCIE-Lab] dot11r enable

#
[WAC2-wlan-ssid-prof-HCIE-Interview] dot11r enable
Step 12 Configure the WMM function.

Configure the WMM function on WAC1 so that voice and video services can preferentially
use wireless network bandwidth.
# Create a 2.4 GHz radio profile, and configure Enhanced Distributed Channel Access
(EDCA) parameters for APs so that voice and video services can preferentially use network
bandwidth.
[WAC1-wlan-view] radio-2g-profile name HCIE-2.4GHz

[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4
txoplimit 0 ack-policy normal
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] quit
[WAC1-wlan-view]
[WAC1-wlan-ap-group-HCIE] radio-2g-profile HCIE-2.4GHz radio 0
[WAC1-wlan-view]
# Create a 5 GHz radio profile, and configure EDCA parameters for APs so that voice and
video services can preferentially use network bandwidth.
[WAC1-wlan-view] radio-5g-profile name HCIE-5GHz

[WAC1-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] quit
[WAC1-wlan-view]
[WAC1-wlan-ap-group-HCIE] radio-5g-profile HCIE-5GHz radio 1
[WAC1-wlan-view]
# In the SSID profile, configure EDCA parameters for STAs so that voice and video services
can preferentially use network bandwidth.

[WAC1-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4
txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
txoplimit 0
[WAC1-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
txoplimit 0
Configure the WMM function on WAC2 so that voice and video services can preferentially
use wireless network bandwidth.
# Create a 2.4 GHz radio profile, and configure EDCA parameters for APs so that voice and

[WAC2-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4
[WAC2-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
[WAC2-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
[WAC2-wlan-radio-2g-prof-HCIE-2.4GHz] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
[WAC2-wlan-view]
[WAC2-wlan-ap-group-HCIE] radio-2g-profile HCIE-2.4GHz radio 0
[WAC2-wlan-view]
# Create a 5 GHz radio profile, and configure EDCA parameters for APs so that voice and

[WAC2-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
[WAC2-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
[WAC2-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
[WAC2-wlan-radio-5g-prof-HCIE-5GHz] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4

[WAC2-wlan-view]
[WAC2-wlan-view]
# In the SSID profile, configure EDCA parameters for STAs so that voice and video services
can preferentially use network bandwidth.

[WAC2-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Lab] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4
txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5
txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10
txoplimit 0
[WAC2-wlan-ssid-prof-HCIE-Interview] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10
txoplimit 0
[WAC2-wlan-view]
Step 13 Configure priority mapping.

This example requires that video and voice packets have the highest priority so that they
can be preferentially transmitted. By default, the uplink and downlink priority mapping
modes on the air interface are 802.11e and DSCP, respectively, ensuring that voice and
video packets have the highest tunnel DSCP priorities. Therefore, you do not need to modify
default priority mapping.
# Create the traffic profile wlan-traffic and configure priority mapping in the profile.
[WAC1-wlan-view] traffic-profile name HCIE

[WAC1-wlan-traffic-prof-wlan-HCIE] priority-map downstream trust dscp
[WAC1-wlan-traffic-prof-wlan-HCIE] priority-map downstream dscp 48 to 55 dot11e 4
[WAC1-wlan-traffic-prof-wlan-HCIE] priority-map tunnel-upstream trust dot11e
[WAC1-wlan-traffic-prof-wlan-HCIE] priority-map tunnel-upstream dot11e 6 dscp 32
[WAC1-wlan-traffic-prof-wlan-HCIE] quit
# Bind the traffic profile to the VAP profile.

[WAC1-wlan-vap-prof-HCIE-lab] traffic-profile HCIE
Warning: This action may cause service interruption. Continue? [Y/N]y
Info: This operation may take a few seconds, please wait.......done.
[WAC1-wlan-vap-prof-HCIE-lab] quit
#
[WAC1-wlan-vap-prof-HCIE-Interview] traffic-profile HCIE
Info: This operation may take a few seconds, please wait.......done.
The configuration on WAC2 is the same as that on WAC1.
Step 14 Verify the WMM and priority mapping configurations.

Check EDCA parameter settings for APs in the 2G radio profile. The command output shows
that the priorities of AC_VI and AC_VO packets are higher than those of AC_BE and AC_BK
packets. Therefore, video and voice services can preferentially use wireless channels.
[WAC1-wlan-view] display radio-2g-profile name HCIE-2.4GHz

---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit (32us) Ack-Policy
AC_VO 4 2 2 0 normal
AC_VI 5 3 5 0 normal
AC_BE 10 6 12 0 normal
AC_BK 10 8 12 0 normal
----------------------------------------------------------------------------------------------
[WAC1-wlan-view]
Check EDCA parameter settings for STAs in the SSID profile. The command output shows
that the priorities of AC_VI and AC_VO packets are higher than those of AC_BE and AC_BK
packets. Therefore, video and voice services can preferentially use wireless channels.
[WAC1-wlan-view] display ssid-profile name HCIE

-------------------------------------------------------------------------
...
-------------------------------------------------------------------------
WMM EDCA client parameters:
------------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit (32us)
AC_VO 4 2 2 0
AC_VI 5 3 5 0
AC_BE 10 6 12 0
AC_BK 10 8 12 0
Check the priority mapping configuration in the traffic profile. The command output shows
that the mapped DSCP values of AC_VI and AC_VO packets are higher than those of AC_BE
and AC_BK packets. Therefore, video and voice services are preferentially transmitted.
[WAC1-wlan-view] display traffic-profile name HCIE

----------------------------------------------------
...
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
......
Step 15 Configure traffic policing.

Configure traffic policing on WAC2 based on the network administrator's requirements:
The uplink rate limit for each STA on AP3 is 4 Mbit/s and the total uplink rate limit for all
STAs on the VAP is 100 Mbit/s.
[WAC2-wlan-view] traffic-profile name HCIE

[WAC2-wlan-traffic-prof-HCIE] rate-limit client up 4000
[WAC2-wlan-traffic-prof-HCIE] rate-limit vap up 100000
[WAC2-wlan-traffic-prof-HCIE] quit
# Check the rate limit configuration in the traffic profile. The command output shows that
the uplink rate limit of a single STA is 4000 kbit/s (4 Mbit/s) and the total uplink rate limit
of all STAs on the VAP is 100000 kbit/s (100 Mbit/s).
[WAC2-wlan-vap-prof-HCIE-Lab] display traffic-profile name HCIE

---------------------------------------------------------------------------------------------
Profile ID :1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up (Kbps) : 4000
Rate limit client down (Kbps) : 4294967295
Rate limit VAP up (Kbps) : 100000
Rate limit VAP down (Kbps) : 4294967295
Rate limit client dynamic switch : enable
Rate limit client dynamic (Mbps) : 16
----End

#
sysname Core-SW
#
vlan batch 10 to 12 99 to 100 110 120
#
ip pool ap1
network 10.1.10.0 mask 255.255.255.0
#
ip pool ap2
network 10.1.100.0 mask 255.255.255.0
#
ip pool lab1
network 10.1.11.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.12.0 mask 255.255.255.0
#
ip pool lab2
network 10.1.110.0 mask 255.255.255.0

#
ip pool interview2
network 10.1.120.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
dhcp select global
#
interface Vlanif110
ip address 10.1.110.1 255.255.255.0
dhcp select global
#
interface Vlanif120
ip address 10.1.120.1 255.255.255.0
dhcp select global
#
interface MEth0/0/1
ip address 172.21.59.1 255.255.128.0
#
#
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
network 10.1.100.1 0.0.0.0
network 10.1.110.1 0.0.0.0
network 10.1.120.1 0.0.0.0
#
return
<Core-SW>

#
sysname AR1
#
undo portswitch
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.99.2 0.0.0.0
return
<AR1>

#
sysname WAC1
#
vlan batch 10 to 12
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
#
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.10.100 0.0.0.0

network 10.10.10.10 0.0.0.0
#
#
wlan
traffic-profile name HCIE
priority-map downstream dscp 48 to 55 dot11e 4
priority-map tunnel-upstream dot11e 6 dscp 32
security wpa2 psk pass-phrase %^%#Lr$}63&fr*y/m(BAY{[0"4dR7^Ab6G(Ps+MYth11%^%# aes
security wpa2 psk pass-phrase %^%#=!hhSVcyBMqVk$TQV]xSx3e%38U4N&"#oWCI\#UV%^%#
aes
ssid HCIE-Lab
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
dot11r enable
ssid HCIE-Interview
dot11r enable
service-vlan vlan-id 11
traffic-profile HCIE
radio-2g-profile name HCIE-2.4GHz
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
radio-5g-profile name default
radio-5g-profile name HCIE-5GHz
mobility-group name HCIE

member ip-address 10.10.10.10
ap-group name HCIE
radio 0
radio-2g-profile HCIE-2.4GHz
radio 1
radio-5g-profile HCIE-5GHz
radio 2
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
provision-ap
#
return
<WAC1>
#
sysname WAC2
#
vlan batch 100 110 120
#
interface Vlanif100
ip address 10.1.100.100 255.255.255.0
#
#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.100.100 0.0.0.0
network 100.100.100.100 0.0.0.0
#
#
wlan
traffic-profile name HCIE
rate-limit client up 4000
rate-limit vap up 100000
security wpa2 psk pass-phrase %^%#Kr9[0/=3^'p6%v3_~J9<zYiJ*;'H&3.\;,Q1,z\.%^%# aes
security wpa2 psk pass-phrase %^%#rd3!Fln.^,d8$:2&p}C"ysW/%4wsNTiT&`X|$ZHJ%^%# aes
ssid HCIE-Lab
dot11r enable
ssid HCIE-Interview
dot11r enable
vap-profile name default
mobility-group name HCIE
ap-group name HCIE
radio 0
radio 1
radio 2
ap-name ap3
ap-group HCIE
provision-ap
#
return
<WAC2>

#
sysname Agg1
#
vlan batch 10 to 12
#
#
#
#
return
<Agg1>

#
sysname Agg2
#
#
#
#
return
<Agg2>
4 WLAN Optimization Lab
4.1 Introduction
This lab activity provides instructions on adjusting WLAN parameters and ranges so that
you can understand how to configure Huawei WLAN optimization.
4.1.2 Objectives
⚫ Understand WLAN radio resources management.
⚫ Understand the WLAN band steering function.
Figure 4-1 Networking topology for the WLAN optimization lab

In the lab, Agg1 and Agg2 are PoE switches; AP1 and AP2 are deployed in the conference
room and load balancing needs to be configured for them; the channels and powers of APs
1 to 5 are automatically adjusted.
On the 2.4 GHz band, the non-overlapping channels are 1, 5, 9, and 13. The channel
bandwidth of the 5 GHz band is 40 MHz, and the non-overlapping channels are 36–64 and
149–165. The APs on the entire network need to be configured to automatically disconnect
terminals whose signal strength is lower than –75 dBm.
Dynamic EDCA parameter adjustment allows APs to adjust EDCA parameters flexibly by
detecting the number of STAs to reduce the possibility of collision and improve throughput,
thereby enhancing user experience.
PVID: 1
GE0/0/1 Trunk
PVID: 1
GE0/0/2 Trunk
Core-SW
PVID: 1
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
Agg2
PVID: 10
GE0/0/2 Trunk
PVID: 1
WAC1 GE0/0/1 Trunk
VLANIF 10 10.1.10.1/24
Core-SW
VLANIF 11 10.1.11.1/24
VLANIF 12 10.1.12.1/24
VLANIF 99 10.1.99.1/30
VLANIF 10 10.1.10.100/24
WAC1
Loopback 0 10.10.10.10/32
GE0/0/1 10.1.99.2/30
AR1
GE0/0/2 20.1.1.1/30

between devices.
⚫ Configure the APs to go online.
⚫ Configure the automatic calibration range for channels and frequencies.
⚫ Configure load balancing.
⚫ Configure APs to automatically disconnect STAs with weak signals.
⚫ Configure other radio resources management functions.
⚫ Configure spectrum analysis.

<Huawei>sys
belong.

#
#
#
belong.

#
#
belong.

#

# Create VLANs on WAC1, and configure interface types and VLANs to which the interfaces
belong.


Configure IP addresses for the devices.

#
#
#
# Check interface IP addresses of Core-SW.

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif99 10.1.99.1/30 up up
[Core-SW]

#

#

[Core-SW] ospf 1
<Core-SW>
[WAC1] ospf 1
<WAC1>
[AR1] ospf 1
[AR1-ospf-1] area 0
<AR1>

[AR1-ospf-1] quit
[AR1]


[Core-SW] ip pool ap
#
# Create a DHCP address pool for HCIE-Lab on Core-SW.
[Core-SW] ip pool lab

[Core-SW-ip-pool-lab] network 10.1.11.0 mask 24
[Core-SW-ip-pool-lab] gateway-list 10.1.11.1
[Core-SW-ip-pool-lab] quit
# Create a DHCP address pool for HCIE-Interview on Core-SW.
[Core-SW] ip pool interview

[Core-SW-ip-pool-interview] network 10.1.12.0 mask 24
[Core-SW-ip-pool-interview] gateway-list 10.1.12.1
[Core-SW-ip-pool-interview] quit

#
#

-------------------------------------------------------------------------------------
Pool-name : ap
Pool-No :0

Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-name : lab
Pool-No :1
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-name : interview
Pool-No :2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --

[WAC1] wlan

environment.)

#
#
Check AP status on WAC1.

nor : normal [3]
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
Total: 3
<WAC1>





[WAC1-wlan-view]

[WAC1-wlan-view]


#

#


[WAC1-wlan-view]


WID: WLAN ID
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
Total: 12
[WAC1-wlan-view]
Step 7 Enable interference detection.

# Set the alarm thresholds for 2.4 GHz co-channel interference, adjacent-channel
interference, and STA interference to 60%, 60%, and 25, respectively.

[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] interference detect-enable
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] interference co-channel threshold 60
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] interference adjacent-channel threshold 60
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] interference station threshold 25
[WAC1-wlan-ap-group-HCIE]radio-2g-profile HCIE-2.4GHz radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
Warning: After configuration synchronization is enabled, an exception of the local or backup
controller may lead to a configuration synchronization failure.
# Set the alarm thresholds for 5 GHz co-channel interference, adjacent-channel

interference, and STA interference to 60%, 60%, and 25, respectively.

[WAC1-wlan-radio-5g-prof-HCIE-5GHz] interference detect-enable
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] interference co-channel threshold 60
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] interference adjacent-channel threshold 60
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] interference station threshold 25
Warning: This action may cause service interruption. Continue?[Y/N]y
Warning: After configuration synchronization is enabled, an exception of the local or backup
controller may lead to a configuration synchronization failure.
[WAC1-wlan-view]
Step 8 Configure radio calibration.

The radio calibration function can dynamically adjust the channels, bandwidth, and
transmit power of APs, enabling the APs managed by the same WAC to work at the optimal
performance.

[WAC1-wlan-group-radio-HCIE/0] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-HCIE/0] calibrate auto-txpower-select enable
# Enable dynamic bandwidth selection on the 5 GHz band. (Dynamic bandwidth selection
cannot be enabled on the 2.4 GHz band.)
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-HCIE/1] calibrate auto-bandwidth-select enable
Configure the dynamic frequency selection (DFS), noise floor threshold, and transmit power
control (TPC) functions for APs.
[WAC1-wlan-view] rrm-profile name HCIE

[WAC1-wlan-rrm-prof-HCIE] undo dfs smart-selection disable
[WAC1-wlan-rrm-prof-HCIE] dfs recover-delay 10
[WAC1-wlan-rrm-prof-HCIE] calibrate noise-floor-threshold -73
[WAC1-wlan-rrm-prof-HCIE] calibrate tpc threshold -61
[WAC1-wlan-rrm-prof-HCIE] calibrate max-tx-power 127
[WAC1-wlan-rrm-prof-HCIE] calibrate min-tx-power radio-5g 127
[WAC1-wlan-rrm-prof-HCIE] calibrate retransmission-rate-threshold 55
[WAC1-wlan-rrm-prof-HCIE] calibrate retransmission-rate-check interval 1 traffic-threshold 1500
[WAC1-wlan-rrm-prof-HCIE] quit
#
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] rrm-profile HCIE
#
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] rrm-profile HCIE
# Set radio calibration mode to auto, the radio calibration interval to 1200 minutes, and
the start time for radio calibration to 03:00:00.
[WAC1-wlan-view] calibrate enable auto interval 1200 start-time 03:00:00
# Create a radio calibration policy. If the noise floor threshold for triggering radio
calibration is configured in the RRM profile, the radio calibration policy must be set to
noise-floor. Otherwise, the radio calibration function does not take effect.
[WAC1-wlan-view] calibrate policy noise-floor
# Configure the radio calibration sensitivity.
[WAC1-wlan-view] calibrate sensitivity high
# Configure the calibration bandwidth and calibration channel set.

[WAC1-wlan-regulate-domain-HCIE] dca-channel 5g bandwidth 40mhz
[WAC1-wlan-regulate-domain-HCIE] dca-channel 2.4g channel-set 1,5,9,13
[WAC1-wlan-regulate-domain-HCIE] dca-channel 5g channel-set
36,40,44,48,52,56,60,64,149,153,157,161,165
# Set the default blacklist threshold for the number of times the channel environment
deteriorates to 7.
[WAC1-wlan-view] calibrate environment-deterioration-blacklist threshold 7
Step 9 Configure the air scan function for radio calibration.

The configured air scan profile takes effect for the radio calibration function.
[WAC1-wlan-view] air-scan-profile name HCIE

[WAC1-wlan-air-scan-prof-HCIE] undo scan-channel-set
[WAC1-wlan-air-scan-prof-HCIE] undo scan-disable
[WAC1-wlan-air-scan-prof-HCIE] scan-channel-set country-channel
[WAC1-wlan-air-scan-prof-HCIE] scan-interval 12000
[WAC1-wlan-air-scan-prof-HCIE] scan-period 80
[WAC1-wlan-air-scan-prof-HCIE] quit
# Bind the air scan profile to the 2G or 5G radio profile.

[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] air-scan-profile HCIE
#
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] air-scan-profile HCIE
Step 10 Verify the radio calibration configuration.

Check the calibration channels and bandwidth that have taken effect.
[WAC1] display wlan calibrate channel-set ap-group name HCIE

AP group : HCIE
Country code: CN
----------------------------------------------------------------------------------------
Radio band Bandwidth Channel Set
----------------------------------------------------------------------------------------
2.4G 20MHz 1,5,9,13
5G 40MHz 36-40,44-48,52-56,60-64,149-153,157-161
----------------------------------------------------------------------------------------
[WAC1]
Check whether automatic channel selection and automatic transmit power selection are
enabled for APs.
[WAC1] display ap config-info ap-id 0

---------------------------------------------------------------------------------------
AP MAC : 30fd-65f8-fd40
AP SN : 2102351TYR10L4004310
AP type : AP7060DN
AP name : ap1
AP group : HCIE
AP branch group :
Country code : CN
---------------------------------------------------------------------------------------
Radio 0 configurations:
Radio enable : yes
Work mode : normal
WDS mode :-
Mesh mode :-
Radio band : 2.4G
Radio type : 11ax
Flexible radio switch : on
Config channel/bandwidth : -/20M
Actual channel/bandwidth : 6/20M
Config EIRP : 127
Actual EIRP :9
Maximum EIRP : 28
VAP configurations:
WLAN ID 1:
SSID : HCIE-Lab
Forward mode : direct-forward
Authen mode : WPA2-PSK
Encrypt mode : AES
Service vlan : 11
WLAN ID 2:
SSID : HCIE-Interview
Encrypt mode : AES
Service vlan : 12
---------------------------------------------------------------------------------------
Radio 1 configurations:
Radio enable : yes
Work mode : normal
WDS mode :-
Mesh mode :-
Radio band : 5G
Radio type : 11ax
Config channel/bandwidth : -/20M
Actual channel/bandwidth : 161/20M
Config EIRP : 127
Actual EIRP : 10
Maximum EIRP : 29
VAP configurations:
WLAN ID 1:
SSID : HCIE-Lab
Encrypt mode : AES
Service vlan : 11
WLAN ID 2:
SSID : HCIE-Interview
Encrypt mode : AES
Service vlan : 12
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
AP system profile : default
Regulatory domain profile : HCIE
WIDS profile : default
Radio 0
Radio 2.4G profile : HCIE-2.4GHz
Radio 5G profile :
VAP profile
WLAN 1 : HCIE-Lab
WLAN 2 : HCIE-Interview
Mesh profile :
WDS profile :
Mesh whitelist profile :
WDS whitelist profile :
Location profile :
Radio switch : enable
Channel : -
Channel bandwidth : 20mhz
EIRP(dBm) : 127
Antenna gain(dB) : -
Coverage distance(100 m) : 3
Work mode : normal
Radio frequency : 2.4G
Spectrum analysis : disable
WIDS device detect : disable

WIDS attack detect : wpa-psk wpa2-psk wapi-psk wep-share-key
WIDS contain switch : disable
Auto channel select : enable
Auto bandwidth select : enable
Auto transmit power select : enable
Reference data-analysis : enable
Radio 1
Radio 5G profile : HCIE-5GHz
VAP profile
WLAN 1 : HCIE-Lab
WLAN 2 : HCIE-Interview
Mesh profile :
WDS profile :
Mesh whitelist profile :
WDS whitelist profile :
Location profile :
Radio switch : enable
Channel : -
Channel bandwidth : 20mhz
EIRP(dBm) : 127
Antenna gain(dB) : -
Coverage distance(100 m) : 3
Work mode : normal
Radio frequency : 5G
Spectrum analysis : disable
---------------------------------------------------------------------------------------
[WAC1]
Step 11 Configure load balancing for AP1 and AP2.

Enable dynamic load balancing, set the start threshold for load balancing to 20 STAs, set
the difference threshold for the number of STAs among members in the dynamic load
balancing group to 5 STAs, set the RSSI threshold of members in the dynamic load
balancing group to -68 dBm, and set the RSSI difference threshold to 10 dB.

[WAC1-wlan-rrm-prof-HCIE] undo sta-load-balance dynamic disable
[WAC1-wlan-rrm-prof-HCIE] sta-load-balance dynamic sta-number start-threshold 20
[WAC1-wlan-rrm-prof-HCIE] sta-load-balance dynamic sta-number gap-threshold number 5
[WAC1-wlan-rrm-prof-HCIE] sta-load-balance dynamic rssi-threshold -68
[WAC1-wlan-rrm-prof-HCIE] sta-load-balance dynamic rssi-diff-gap 10
[WAC1-wlan-rrm-prof-HCIE]
Because the RRM profile has been bound, you do not need to bind it again.
Step 12 Configure smart roaming.

Enable smart roaming. Set the trigger mode for smart roaming to SNR check, the SNR
threshold to 20 dB, the upper SNR difference threshold for triggering STA roaming to 15
dB, and the lower SNR difference threshold for triggering STA roaming to 5 dB.

[WAC1-wlan-rrm-prof-HCIE] undo smart-roam disable
[WAC1-wlan-rrm-prof-HCIE] smart-roam roam-threshold check-snr
[WAC1-wlan-rrm-prof-HCIE] smart-roam roam-threshold snr 20
[WAC1-wlan-rrm-prof-HCIE] smart-roam snr-margin high-level-margin 15 low-level-margin 5
[WAC1-wlan-view]
Step 13 Configure APs to disconnect STAs with weak signals.

Enable the function of quickly disconnecting STAs, set the trigger mode to SNR check, set
the SNR threshold to 15 dB, and set the interval for checking the SNR to determine whether
to quickly disconnect STAs to 300 ms.

[WAC1-wlan-rrm-prof-HCIE] undo smart-roam quick-kickoff-threshold disable
[WAC1-wlan-rrm-prof-HCIE] smart-roam quick-kickoff-threshold check-snr
[WAC1-wlan-rrm-prof-HCIE] smart-roam quick-kickoff-threshold snr 15
[WAC1-wlan-rrm-prof-HCIE] smart-roam quick-kickoff-snr check-interval 300
[WAC1-wlan-view]
Step 14 Configure the user call admission control (CAC).

Configure the system to deny access of new STAs when the number of STAs connected to
a single AP reaches 40.

[WAC1-wlan-rrm-prof-HCIE] uac client-number enable
[WAC1-wlan-rrm-prof-HCIE] uac client-number threshold access 40 roam 40
Step 15 Configuring dynamic EDCA parameter adjustment.

Enable dynamic EDCA parameter adjustment, and set the EDCA Best-Effort service
threshold.

[WAC1-wlan-rrm-prof-HCIE] dynamic-edca enable
[WAC1-wlan-rrm-prof-HCIE] dynamic-edca threshold be-service 20
Step 16 Configure the per-packet power adjustment and smart antenna functions.
Enable per-packet power adjustment for APs in the 2G and 5G radio profile views.

[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] power auto-adjust enable
#
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] power auto-adjust enable
Configure the smart antenna function.

[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] smart-antenna enable
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] smart-antenna valid-per-scope high-per-threshold 90
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] smart-antenna valid-per-scope low-per-threshold 20
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] smart-antenna training-interval auto
[WAC1-wlan-radio-2g-prof-HCIE-2.4GHz] smart-antenna training-mpdu-number 480
#
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] smart-antenna enable
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] smart-antenna valid-per-scope high-per-threshold 90
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] smart-antenna valid-per-scope low-per-threshold 20
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] smart-antenna training-interval auto
[WAC1-wlan-radio-5g-prof-HCIE-5GHz] smart-antenna training-mpdu-number 480
[WAC1-wlan-view]
----End
4.3 Configuration Verification

4.3.1 Checking the Configuration of the 2G Radio Profile
# Check the configuration and reference information about the 2G radio profile.
[WAC1-wlan-view] display radio-2g-profile name HCIE-2.4GHz

--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : enable
Beacon interval (TUs) : 100
Beamforming switch : disable
Support short preamble : support
Fragmentation threshold (Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax Guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit :3
A-MSDU switch : auto
RTS-CTS-mode : rts-cts
RTS-CTS-threshold : 1400
802.11bg basic rate :12
802.11bg support rate : 1 2 5 6 9 11 12 18 24 36 48 54
Multicast rate 2.4G : auto adapt
Interference detect switch : enable
Co-channel frequency interference threshold (%) : 60
Adjacent-channel frequency interference threshold (%) : 60
Station interference threshold : 25
WMM switch : enable
Mandatory switch : disable

Auto-off start time :-
Auto-off end time :-
Auto-off time-range :-
Wifi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : HCIE
Air-scan-profile : HCIE
Smart-antenna : enable
Agile-antenna-polarization : disable
CCA threshold (dBm) :-
High PER threshold (%) : 90
Low PER threshold (%) : 20
Training interval(s) : auto
Training mpdu num : 480
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval (TUs): 60
VIP user bandwidth reservation ratio (%) : 20
---------------------------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
[WAC1-wlan-view]
4.3.2 Checking the Configuration of the 5G Radio Profile

[WAC1-wlan-view] display radio-5g-profile name HCIE-5GHz
--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : enable
Beacon interval (TUs) : 100
Beamforming switch : disable
Fragmentation threshold (Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit :3
VHT A-MPDU length limit :7
A-MSDU switch : auto
VHT A-MSDU Max frame number :2
RTS-CTS-mode : RTS-CTS
RTS-CTS-threshold : 1400
802.11a basic rate : 6 12 24
802.11a support rate : 6 9 12 18 24 36 48 54
Multicast rate 5G : auto adapt
VHT mcs :99999999
Interference detect switch : enable
Co-channel frequency interference threshold (%) : 60

Adjacent-channel frequency interference threshold (%) : 60
Station interference threshold : 25
WMM switch : enable
Mandatory switch : disable
Auto-off start time :-
Auto-off end time :-
Auto-off time-range :-
WiFi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : HCIE
Air-scan-profile : HCIE
Smart-antenna : enable
Agile-antenna-polarization : disable
CCA threshold (dBm) :-
High PER threshold (%) : 90
Low PER threshold (%) : 20
Training interval(s) : auto
Training mpdu num : 480
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval (TUs) : 60
VIP user bandwidth reservation ratio (%) : 20
---------------------------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
[WAC1-wlan-view]
4.3.3 Checking RRM Profile Information

<WAC1> display rrm-profile name HCIE
--------------------------------------------------------------------
Retransmission rate threshold for trigger channel/power select (%) : 55
Noise-floor threshold for trigger channel/power select (dBm) : -73
Calibrate tpc threshold (dBm) : -61
Maximum 2.4G calibration TX power (dBm) : 127
Maximum 5G calibration TX power (dBm) : 127
Minimum 2.4G calibration TX power (dBm) : 127
Minimum 5G calibration TX power (dBm) : 127
Calibrate retransmission rate check interval (min) :1
Calibrate retransmission rate check traffic threshold (kbps) : 1500
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : enable
Dynamic EDCA be-service threshold : 20
UAC check client's SNR : disable
UAC client's SNR threshold (dB) : 15
UAC check client number : enable
UAC client number access threshold : 40
UAC client number roam threshold : 40
Action upon reaching the UAC threshold : SSID broadcast

Band steer deny threshold :0
Band steer SNR threshold (dB) : 20
Band balance start threshold : 100
Band balance gap threshold (%) : 90
Client's band expire based on continuous probe counts : 35
Station load balance : enable
Station load balance mode : sta-number
Station load balance RSSI threshold (dBm) : -68
Station load balance RSSI-diff-gap threshold (dBm) : 10
Station load balance sta-number start threshold : 20
Station load balance sta-number gap threshold (percentage) :-
Station load balance sta-number gap threshold (number) :5
Station load balance deauth fail times :0
Station load balance BTM fail times :5
Station load balance steer-restrict restrict time(s) :5
Station load balance steer-restrict probe threshold :5
Station load balance steer-restrict auth threshold :0
Station load balance probe-report interval(s) : 120
BSS color switch : enable
Spatial reuse switch : enable
Smart-roam : enable
Smart-roam quick kickoff : enable
Smart-roam check SNR : enable
Smart-roam quick kickoff check SNR : enable
Smart-roam check rate : disable
Smart-roam quick kickoff check rate : disable
Smart-roam standing SNR threshold (dB) : 25
Smart-roam SNR quick-kickoff-threshold (dB) : 15
Smart-roam rate threshold (%) : 20
Smart-roam rate quick-kickoff-threshold (%) : 20
Smart-roam high level SNR margin (dB) : 15
Smart-roam low level SNR margin (dB) :5
Smart-roam SNR check interval(s) :3
Smart-roam unable roam client expire time (min) : 120
Smart-roam quick-kickoff SNR check interval (ms) : 300
Smart-roam quick-kickoff SNR P-N observe time :6
Smart-roam quick-kickoff SNR P-N qualify time :4
Smart-roam advanced scan : enable
Smart-roam quick-kickoff back off time : 60
AMC policy : auto-balance
High density AMC optimize : disable
SFN roam check high threshold (dBm) : -55
SFN roam check low threshold (dBm) : -60
SFN roam check interval (ms) : 700
SFN roam report interval (ms) : 400
SFN roam check rssi-accumulate threshold (dB) :8
SFN roam check sta-holding times :3
SFN roam check gap-rssi (dB) :6
SFN roam check better-times :2
DFS smart select : enable
DFS recover delay time (min) : 10
Multimedia air optimize : disable
Multimedia air optimize threshold
Voice : 30
Video : 100
--------------------------------------------------------------------------------------------------------
<WAC1>

#
sysname WAC1
#
vlan batch 10 to 12
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
#
interface Ethernet0/0/47
#
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.10.100 0.0.0.0
network 10.10.10.10 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
#
wlan
calibrate enable auto interval 1200
calibrate policy noise-floor
calibrate sensitivity high
calibrate environment-deterioration-blacklist threshold 7
security wpa2 psk pass-phrase %^%#jG+:CA\fnW/n/0"&MN]7^OhO-tEx^VORnNAW~hFC%^%# aes
security wpa2 psk pass-phrase %^%#&t1v*1v2_Ha%)3QR3Y+'z5cS0XIl3'1S%p<VPaj+%^%# aes
ssid HCIE-Lab
ssid HCIE-Interview
dca-channel 2.4g channel-set 1,5,9,13
dca-channel 5g bandwidth 40mhz
air-scan-profile name HCIE
scan-period 80
scan-interval 12000
rrm-profile name HCIE
calibrate retransmission-rate-threshold 55
calibrate noise-floor-threshold -73
calibrate tpc threshold -61
calibrate min-tx-power 127
calibrate min-tx-power radio-5g 127
calibrate retransmission-rate-check interval 1 traffic-threshold 1500
smart-roam roam-threshold snr 25
smart-roam snr-margin high-level-margin 15 low-level-margin 5
smart-roam quick-kickoff-snr check-interval 300
uac client-number enable
uac client-number threshold access 40 roam 40
dynamic-edca enable
sta-load-balance dynamic rssi-threshold -68
sta-load-balance dynamic sta-number start-threshold 20
sta-load-balance dynamic sta-number gap-threshold number 5
dfs recover-delay 10
dynamic-edca threshold be-service 20
sta-load-balance dynamic rssi-diff-gap 10
power auto-adjust enable
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile HCIE
air-scan-profile HCIE
interference station threshold 25
smart-antenna enable
smart-antenna valid-per-scope high-per-threshold 90
smart-antenna training-mpdu-number 480
power auto-adjust enable
interference detect-enable
interference co-channel threshold 60
interference adjacent-channel threshold 60
rrm-profile HCIE
air-scan-profile HCIE
interference station threshold 25
smart-antenna enable
smart-antenna valid-per-scope high-per-threshold 90
smart-antenna training-mpdu-number 480
ap-group name HCIE
radio 0

calibrate auto-bandwidth-select enable
radio 1
calibrate auto-bandwidth-select enable
radio 2
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
provision-ap
#
return
<WAC1>

#
sysname Core-SW
#
#
ip pool ap1
network 10.1.10.0 mask 255.255.255.0
#
ip pool ap2
network 10.1.100.0 mask 255.255.255.0
#
ip pool lab1
network 10.1.11.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.12.0 mask 255.255.255.0
#
ip pool lab2
network 10.1.110.0 mask 255.255.255.0

#
ip pool interview2
network 10.1.120.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
<Core-SW>

#
sysname Agg1
#
vlan batch 10 to 12
#
#
#
#
return
<Agg1>

#
sysname Agg2
#
vlan batch 10 to 12
#
#
#
return
<Agg2>

#
sysname AR1
#
undo portswitch
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
return
<AR1>
5 WLAN Security Lab
5.1 Introduction
This lab activity provides instructions on configuring different WLAN security policies so
that you can understand how to deploy Huawei WLAN security networking.
5.1.2 Objectives
⚫ Understand how to configure WLAN 802.1X authentication.
⚫ Understand how to configure WLAN Portal authentication.
⚫ Understand how to configure WLAN Navi AC authentication.
Figure 5-1 WLAN security lab topology

In the lab, Agg1 and Agg2 are PoE switches, and iMaster NCE-Campus functions as the
RADIUS server. 802.1X authentication is required for PCs to access the SSID HCIE-Lab, and
MAC address-prioritized Portal authentication for PCs to access the SSID HCIE-Interview.
Rogue APs are present on the network, so security measures need to be taken to prevent
the rogue APs from affecting the WLAN. AP3 functions as a monitor AP and provides the
WIPS/WIDS function.
In addition, to enhance administrator account management, HWTACACS is used to grant
different administrators with varying permissions.
PVID: 1
GE0/0/1 Trunk
PVID: 1
GE0/0/2 Trunk
PVID: 1
GE0/0/3 Trunk
Core-SW Allow-pass: VLANs 10, 11, and 12
PVID: 1
GE0/0/5 Trunk
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
Agg2
PVID: 10
GE0/0/2 Trunk
PVID: 10
WAC1 GE0/0/1 Trunk
PVID: 10
WAC2 GE0/0/1 Trunk
VLANIF 10 10.1.10.1/24
VLANIF 11 10.1.11.1/24
Core-SW VLANIF 12 10.1.12.1/24
VLANIF 99 10.1.99.1/30
VLANIF 4090 192.168.9.1/24
VLANIF 10 10.1.10.100/24
WAC1
Loopback 0 10.10.10.10/32
VLANIF 10 10.1.10.99/24
WAC2 (Navi AC)
Loopback 0 100.100.100.100/32
GE0/0/1 10.1.99.2/30
AR1
GE0/0/2 20.1.1.1/30

between devices.
⚫ Configure APs to go online.
⚫ Configure 802.1X authentication.
⚫ Configure Portal authentication.
⚫ Configure MAC address authentication.
⚫ Configure the Navi AC function.
⚫ Configure the authentication bypass function.
⚫ Configure WIDS.
⚫ Configure WIPS.

<Huawei>sys
belong.

#
#
#
#
belong.

#

#
belong.

#
# Create VLANs on WAC1, and configure the interface type and VLANs to which the
interface belongs.

# Create VLANs on WAC2, and configure the interface type and VLANs to which the
interface belongs.



#

#
#
#
# Check the IP addresses of interfaces on Core-SW.

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif99 10.1.99.1/30 up up
Vlanif4090 192.168.9.1/24 up up
[Core-SW]

#

#


#

[Core-SW] ospf 1
<Core-SW>
# Configure OSPF on WAC1 to advertise local network segments.
[WAC1] ospf 1
<WAC1>
[WAC2] ospf 1
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
<AR1>

[AR1-ospf-1] quit
[AR1]

# Create DHCP address pools for APs on Core-SW.

[Core-SW-ip-pool-ap1] excluded-ip-address 10.1.10.99 10.1.10.100
# Create the HCIE-Lab DHCP address pool on Core-SW.

# Create the HCIE-Interview DHCP address pool on Core-SW.

# Enable DHCP globally on the interfaces of Core-SW.

#
#
#

-------------------------------------------------------------------------------------
Pool-name : ap1
Pool-No :0
Position : Local
Status : Unlocked
Gateway-0 : 10.1.10.1
Network : 10.1.10.0
Mask : 255.255.255.0
VPN instance : --
Conflict :0 Disabled :1
-------------------------------------------------------------------------------------
Pool-name : lab1
Pool-No :2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.11.1
Network : 10.1.11.0
Mask : 255.255.255.0
VPN instance : --
-------------------------------------------------------------------------------------
Pool-No :3
Position : Local
Status : Unlocked
Gateway-0 : 10.1.12.1
Network : 10.1.12.0
Mask : 255.255.255.0
VPN instance : --
[Core-SW]

[WAC1] wlan

environment.)

#
#
Check the AP status on WAC1.

nor : normal [3]
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Total: 3
<WAC1>

Create a security profile and configure different authentication modes for HCIE-Lab and
HCIE-Interview.
# Create the security profile HCIE-Lab on WAC1 and set the authentication mode to dot1x.

[WAC1-wlan-sec-prof-HCIE-Lab] security wpa2 dot1x aes
# Create the security profile HCIE-Interview on WAC1 and set the authentication mode to
open-system authentication if Portal authentication is used.

[WAC1-wlan-sec-prof-HCIE-Interview] security open


[WAC1-wlan-view]

[WAC1-wlan-view]




# Apply VAP profiles HCIE-Lab and HCIE-Interview on WAC1.

[WAC1-wlan-view]

<WAC1> display vap all

WID: WLAN ID
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
0 ap1 0 1 30FD-65F8-FD40 ON WPA2+802.1X 0 HCIE-Lab
0 ap1 0 2 30FD-65F8-FD41 ON Open+Portal 0 HCIE-Interview
0 ap1 1 2 30FD-65F8-FD51 ON Open+Portal 0 HCIE-Interview
1 ap2 0 1 F4DE-AF36-B300 ON WPA2+802.1X 0 HCIE-Lab
1 ap2 0 2 F4DE-AF36-B301 ON Open+Portal 0 HCIE-Interview
1 ap2 1 2 F4DE-AF36-B311 ON Open+Portal 0 HCIE-Interview
2 ap3 0 1 F02F-A75E-5740 ON WPA2+802.1X 0 HCIE-Lab
2 ap3 0 2 F02F-A75E-5741 ON Open+Portal 0 HCIE-Interview
2 ap3 1 2 F02F-A75E-5751 ON Open+Portal 1 HCIE-Interview
--------------------------------------------------------------------------------------------------------------------
Total: 12
<WAC1>
Step 7 Configure 802.1X authentication.

Configure RADIUS authentication parameters.
# Configure a RADIUS server template.
[WAC1] radius-server template HCIE

[WAC1-radius-HCIE] radius-server shared-key cipher Huawei@123
[WAC1-radius-HCIE] radius-server authentication 172.21.59.102 1812
[WAC1-radius-HCIE] radius-server accounting 172.21.59.102 1813
[WAC1-radius-HCIE] quit
# Configure a RADIUS authentication scheme.
[WAC1] aaa
[WAC1-aaa] authentication-scheme HCIE
[WAC1-aaa-authen-HCIE] authentication-mode radius
[WAC1-aaa-authen-HCIE] quit
#
[WAC1-aaa] accounting-scheme HCIE
[WAC1-aaa-accounting-HCIE] accounting-mode radius
[WAC1-aaa-accounting-HCIE] quit
[WAC1-aaa] quit
Configure an 802.1X access profile to manage 802.1X access control parameters.

# Create the 802.1X access profile HCIE and set the authentication mode to EAP relay.
[WAC1] dot1x-access-profile name HCIE

[WAC1-dot1x-access-profile-HCIE] dot1x authentication-method eap
[WAC1-dot1x-access-profile-HCIE] quit
[WAC1]
Create the authentication profile HCIE-Lab, and bind the 802.1X access profile,
authentication and accounting schemes, and RADIUS server template to the authentication
profile.
[WAC1] authentication-profile name HCIE-Lab

[WAC1-authentication-profile-HCIE-Lab] dot1x-access-profile HCIE
[WAC1-authentication-profile-HCIE-Lab] authentication-scheme HCIE
[WAC1-authentication-profile-HCIE-Lab] accounting-scheme HCIE
[WAC1-authentication-profile-HCIE-Lab] radius-server HCIE
[WAC1-authentication-profile-HCIE-Lab] quit
Bind the authentication profile to the VAP profile.
[WAC1] wlan
[WAC1-wlan-vap-prof-HCIE-Lab] authentication-profile HCIE-Lab
Step 8 Configure Portal authentication parameters.

# Configure a URL template.
[WAC1] url-template name HCIE

[WAC1-url-template-HCIE] url https://172.21.59.102:19008/portal
[WAC1-url-template-HCIE] url-parameter device-mac lsw-mac redirect-url redirect-url ssid ssid user-
ipaddress uaddress user-mac umac
[WAC1-url-template-HCIE] quit
# Create a Portal server template.
[WAC1]web-auth-server HCIE
[WAC1-web-auth-server-HCIE] server-ip 172.21.59.102
[WAC1-web-auth-server-HCIE] port 50200
[WAC1-web-auth-server-HCIE] shared-key cipher Huawei@123
[WAC1-web-auth-server-HCIE] url https://172.21.59.102:19008/portal
[WAC1-web-auth-server-HCIE] url-template HCIE
[WAC1-web-auth-server-HCIE] quit
# Configure an authentication-free profile.
[WAC1] free-rule-template name HCIE

[WAC1-free-rule-HCIE] free-rule 1 destination ip 10.1.11.0 mask 255.255.255.0
[WAC1-free-rule-HCIE] quit
# Configure a Portal access profile.
[WAC1] portal-access-profile name HCIE

[WAC1-portal-access-profile-HCIE] web-auth-server HCIE direct
[WAC1-portal-access-profile-HCIE] quit
# Create the authentication profile HCIE-Interview, and bind the Portal access profile,
authentication and accounting schemes, authentication-free profile, and RADIUS server
template to the authentication profile.
[WAC1] authentication-profile name HCIE-Interview

[WAC1-authentication-profile-HCIE-Interview] portal-access-profile HCIE
[WAC1-authentication-profile-HCIE-Interview] authentication-scheme HCIE
[WAC1-authentication-profile-HCIE-Interview] accounting-scheme HCIE
[WAC1-authentication-profile-HCIE-Interview] free-rule-template HCIE
[WAC1-authentication-profile-HCIE-Interview] radius-server HCIE
[WAC1-authentication-profile-HCIE-Interview] quit
Bind the authentication profile to the VAP profile.
[WAC1] wlan
[WAC1-wlan-vap-prof- HCIE-Interview] authentication-profile HCIE-Interview
[WAC1-wlan-vap-prof- HCIE-Interview] quit
Step 9 Create a user account.

iMaster-NCE Campus functions as the RADIUS server. As only the RADIUS server function
is required, you need to configure the access control function using a tenant account.
# Enter the user name and password of the tenant and click Log In.
# Choose Admission > Admission Resources > User Management from the main menu.
# Choose User Management > User from the main menu. Click to add a user group
named HCIE-WLAN.
# Select the created user group and click Create to add users (each for HCIE-Lab and HCIE-
Interview) to the user group.
# When creating a user, you are advised to bind an email address or phone number to the
user so that the user can reset the password when necessary. In this lab environment, there
is no SMS or email gateway. Therefore, you do not need to set the email address or phone
number.
# Create a user for HCIE-Interview.

# Display information about the created users.
# Choose Admission > Admission Resources > User Management > Role Management from
the main menu.
# Click Create to create a role.
# Enter the role name and click Add.

# In the Select Account dialog box, select a desired user account, and click to associate
the role with the user account.
# Click OK.
# Create another role.

# Click OK.
# View the created roles.

Step 10 Configure the admission device.

When the built-in server of iMaster-NCE-Campus is used for authentication, you need to
add an admission device to the admission device group.
# Choose Admission > Admission Resources > Admission Device > Admission Device
Management from the main menu.
# Select the created admission device group, click the Admission device tab, and click
Create to add an admission device.
# Set WAC1 as the admission device, enable RADIUS authentication parameters, and set
RADIUS authentication parameters.
# Ensure that the authentication, accounting, and authorization keys, and accounting
interval are the same as those configured on WAC1.
# Enable Portal authentication parameter and set Portal authentication parameters.
Step 11 Create authentication rules.

# Choose Admission > Admission Policy > Authentication and Authorization >
Authentication Rules from the main menu. Click Create and configure an authentication
rule. Set the authentication mode to User access authentication.
# Select the items to be matched in the authentication rule. All items are optional, and all
the selected ones need to be matched to pass the authentication.
# Create an authentication rule for HCIE-Lab.
# Create another authentication rule and set the authentication rule parameters for HCIE-
Interview.
# Check the created authentication rules.
Step 12 Configure authorization results.

# Choose Admission > Admission Policy > Authentication and Authorization > Authorization
Result from the main menu.
# Click Create and configure an authorization result. The authorization result parameters
supported vary with devices. For details, see the GUI description.
# Create an authorization result for users to access the HCIE-Lab network and select an
ACL to grant different permissions to the users.
# Click Create to add ACL rules.
# Configure an ACL to allow HCIE-Lab users to access only lab resources.

# Select the created ACL.
# Click OK.
# Create an authorization result for users to access the HCIE-Interview network.

# Set ACL parameters.
# Select the created ACL.

# Click OK.
# Check the created authorization results.
Step 13 Create authorization rules.

# Choose Admission > Admission Policy > Authentication and Authorization > Authorization
Rules from the main menu.
# Click Create and configure an authorization rule. Set the authentication mode to User
access authentication.
# Configure an authorization rule for HCIE-Lab.
# Click Create to configure another authorization rule.

# Configure an authorization rule for HCIE-Interview.

# Check the created authorization rules.

Step 14 Test whether 802.1X authentication is normal.

Before the test, you need to set the 802.1X parameters of the PC. This lab describes how
to set the 802.1X parameters of the PC running the Windows 10 operating system.
# Choose Control Panel > Network and Internet > Network and Sharing Center. (Network
and Internet is displayed when you select Category from View by list on Control Panel.).
# Click Set up a new connection or network.
# In the dialog box that is displayed, double-click Manually connect to a wireless network.
# Enter a network name, set Security type and Encryption type, click Start this connection
automatically, and click Next.
# Click Next, and click Change connection settings.
# On the Security tab page, select Microsoft: Protected EAP (PEAP) from the drop-down
list below Choose a network authentication method and click Settings.
# Deselect Verify the server's identity by validating the certificate, select Secured password
(EAP-MSCHAP v2) from the drop-down list below Select Authentication Method, and click
Configure.
# On the Security tab page, click Advanced settings.

# On the 802.1X settings tab page, select User authentication from the drop-down list
below Specify authentication mode and click OK.
# Click OK.
# Double-click the SSID to start 802.1X authentication.

# Enter the correct user name and password.
# After the connection is normal, check the obtained IP address. Normally, the IP address
is on the network segment 10.1.11.0/24.
# Check RADIUS logs. A log shows that the terminal goes online normally and matches the
preset authentication and authorization rules.
Step 15 Customize a Portal page.

# Choose Admission > Admission Resources > Page Management > Page Customization
from the main menu.
# On the Page Customization tab page, click to create a customized template.

Step 16 Check whether Portal authentication is normal.

# Connect the test PC to the HCIE-Interview network.
# Open a browser and enter an IP address in the address box.
# Press Enter. The Portal page is displayed. Click Advanced, and then click Proceed to
xxx.xx.xx.xxx (unsafe).
Step 17 Configure the Navi AC.

# Configure WLAN parameters for the Navi AC. Change the service data forwarding mode
to tunnel.

#
#
[WAC2-wlan-sec-prof-HCIE-Interview] security open
#
[WAC2-wlan-vap-prof-HCIE-Interview] forward-mode tunnel
# Enable the Navi AC function and configure Navi AC parameters.
[WAC2-wlan-view] navi-ac enable
# Specify the IP address of a local WAC and bind the VAP profile to the local WAC.
[WAC2-wlan-view] navi-ac
[WAC2-wlan-view-navi-ac] local-ac ac-id 1 ip-address 10.10.10.10 description localAC

[WAC2-wlan-view-navi-local-ac-1] vap-profile HCIE-Interview wlan 1
[WAC2-wlan-view-navi-local-ac-1] quit
[WAC2-wlan-view-navi-ac]
Configure the local AC.

# Specify the Navi WAC IP address.
[WAC1-wlan-view] navi-ac ac-id 1 ip-address 100.100.100.100 description NaviAC
# Set Navi AC parameters in the VAP profile.

[WAC1-wlan-vap-prof-HCIE-Interview] type service-navi navi-ac-id 1 navi-wlan-id 1
Step 18 Check whether the Navi AC takes effect.
[WAC1] display navi-ac run-status all

Current role: local
---------------------------------------------------------------------------------------------
AC ID AC IP Mac Role Status STA Description
---------------------------------------------------------------------------------------------
1 100.100.100.100 642c-ac86-7dd6 navi normal 0 NaviAC
---------------------------------------------------------------------------------------------
Total: 1
[WAC1]
----End

#
sysname WAC1
#
http secure-server ssl-policy HCIE
http server enable
http secure-server server-source -i Vlanif1
#
vlan batch 10 to 12
#
authentication-profile name HCIE-Interview

portal-access-profile HCIE
free-rule-template HCIE
authentication-scheme HCIE
accounting-scheme HCIE
radius-server HCIE
authentication-profile name HCIE-Lab
dot1x-access-profile HCIE
radius-server HCIE
#
web-auth-server version v2
portal web-authen-server https ssl-policy HCIE
#
#
radius-server template HCIE
radius-server shared-key cipher %^%#Zp~iG^%Z5N0\4=QIan2BA$zqAMZb^'uN{-,Pmr5F%^%#
radius-server authentication 172.21.59.102 1812 weight 80
radius-server accounting 172.21.59.102 1813 weight 80
called-station-id wlan-user-format ac-mac include-ssid
radius-server authorization 172.21.59.102 shared-key
cipher %^%#E/3,SBB}4Z/>NN!C\#A!gcE0%B3#.13\1*2v#,VK%^%#
#
pki realm default
certificate-check none
#
ssl policy default_policy type server
pki-realm default
version tls1.2
ciphersuite ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384
ssl policy HCIE type server
pki-realm default
version tls1.2
ciphersuite ecdhe_rsa_aes128_gcm_sha256 ecdhe_rsa_aes256_gcm_sha384
#
free-rule-template name HCIE
free-rule 1 destination ip 10.1.11.0 mask 255.255.255.0
#
free-rule-template name default_free_rule
#
url-template name HCIE
url https://172.21.59.102:19008/portal
url-parameter device-mac lsw-mac redirect-url redirect-url ssid ssid user-ipaddress uaddress user-
mac umac
#
#
web-auth-server HCIE
server-ip 172.21.59.102
port 50200
shared-key cipher %^%#+]QFX~,o$W\(2PERNLc$)&@2W)8%S5\QVoUVy"'B%^%#
url https://172.21.59.102:19008/portal
url-template HCIE
#
portal-access-profile name HCIE
web-auth-server HCIE direct
#
portal-access-profile name portal_access_profile
#
aaa
authentication-mode radius
accounting-mode radius
accounting realtime 1
local-aaa-user password policy administrator
domain default
radius-server HCIE
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
#
#
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.10.100 0.0.0.0
network 10.10.10.10 0.0.0.0
#
#
wlan
security wpa2 dot1x aes
ssid HCIE-Lab
ssid HCIE-Interview
forward-mode tunnel
authentication-profile HCIE-Lab
forward-mode tunnel
authentication-profile HCIE-Interview

ap-group name HCIE
radio 0
radio 1
radio 2
navi-ac ac-id 1 ip-address 100.100.100.100 description NaviAC
ap-name ap1
ap-group HCIE
ap-name ap3
ap-group HCIE
provision-ap
#
device-profile profile-name @default_device_profile
device-type default_type_phone
enable
rule 0 user-agent sub-match Android
rule 1 user-agent sub-match iPhone
rule 2 user-agent sub-match iPad
if-match rule 0 or rule 1 or rule 2
#
dot1x-access-profile name HCIE
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name HCIE
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
[WAC1]

#
sysname WAC2
#
vlan batch 10 12
#
interface Vlanif10
ip address 10.1.10.99 255.255.255.0
#
port trunk allow-pass vlan 10 12 100 110 120

#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.10.99 0.0.0.0
network 100.100.100.100 0.0.0.0
#
#
wlan
security open
ssid HCIE-Interview
vap-profile name default
forward-mode tunnel
navi-ac enable
navi-ac
local-ac ac-id 1 ip-address 10.10.10.10 description localAC
#
return
<WAC2>

#
sysname Core-SW
#
dns resolve
#
vlan batch 10 to 12 99 4090
#
dhcp enable
#
ip pool ap1
network 10.1.10.0 mask 255.255.255.0
#
ip pool lab1
network 10.1.11.0 mask 255.255.255.0
#
ip pool interview1
network 10.1.12.0 mask 255.255.255.0

#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select global
#
interface Vlanif99
ip address 10.1.99.1 255.255.255.252
#
interface Vlanif4090
ip address 192.168.9.1 255.255.255.0
#
#
#
#
description Navi AC
#
#
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
[Core-SW]

#
sysname Agg1
#
vlan batch 10 to 12
#
interface MEth0/0/1
ip address 192.168.1.253 255.255.255.0
#
#
#
#
return
<Agg1>

#
sysname Agg2
#
vlan batch 10 to 12
#
#
#
#
return
<Agg2>

#
sysname AR1
#
undo portswitch
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
return
<AR1>
6 WLAN IPv6 Solution Lab
6.1 Introduction
This lab provides guidance on configuring and commissioning WLAN IPv6 networking so
that you can understand how to deploy Huawei WLAN IPv6 networks.
6.1.2 Objectives
⚫ Understand WLAN IPv6 networking scenarios.
⚫ Understand the WLAN IPv6 dual-stack configuration.
⚫ Understand how to deploy WLAN IPv6 HSB.
Figure 6-1 WLAN IPv6 networking topology

WAC1 and WAC2 are dual-stack WACs. They are configured to work in VRRP HSB mode
and manage AP1 to AP3.
AP1 and AP2 are IPv4 APs, and AP3 is an IPv6 AP. PC1 and PC2 can use IPv4 or IPv6
addresses and access the network after successful local 802.1X authentication.
PVID: 1
GE0/0/1 Trunk
PVID: 1
GE0/0/2 Trunk
PVID: 1
Core-SW GE0/0/3 Trunk Allow-pass: VLANs 10, 11, 12, and
100
PVID: 1
GE0/0/5 Trunk Allow-pass: VLANs 10, 11, 12, and
100
PVID: 1
GE0/0/1 Trunk
PVID: 10
Agg1 GE0/0/2 Trunk
PVID: 10
GE0/0/3 Trunk
PVID: 1
GE0/0/1 Trunk
Agg2
PVID: 100
GE0/0/2 Trunk
PVID: 1
WAC1 GE0/0/1 Trunk Allow-pass: VLANs 10, 11, 12, and
100
PVID: 1
WAC2 GE0/0/1 Trunk Allow-pass: VLANs 10, 11, 12, and
100
VLANIF 10 10.1.10.1/24
10.1.11.1/24
VLANIF 11
FC01:110::1/64
10.1.12.1/24
VLANIF 12
Core-SW FC01:120::1/64
VLANIF 99 10.1.99.1/30
VLANIF 100 FC01:100::1/64
VLANIF 4090 192.168.9.1/24
VLANIF 10 10.1.10.100/24
IPv4 Virtual-IP 10.1.10.254/24

WAC1
VLANIF 100 FC01:100::100/64
IPv6 Virtual-IP FC01:100::254/64
VLANIF 10 10.1.10.101/24
IPv4 Virtual-IP 10.1.10.254/24

WAC2
VLANIF 100 FC01:100::101/64
IPv6 Virtual-IP FC01:100::254/64
GE0/0/1 10.1.99.2/30
AR1 Loopback 1 10.1.1.1/32
Loopback 2 FC01:2::1/64

between devices.
⚫ Configure IPv4/IPv6 DHCP address pools.
⚫ Configure VRRP HSB for dual-stack WACs.
⚫ Configure wireless configuration synchronization.
⚫ Configure IPv4 and IPv6 APs to go online.
⚫ Configure IPv6 802.1X authentication.

# Create VLANs on Core-SW according to the VLAN plan.
<Huawei> system-view
[Core-SW] vlan batch 10 to 12 99 100
# Configure the types for Core-SW's interfaces and the VLANs to which these
interfaces belong.

#
[Core-SW-GigabitEthernet0/0/2] port trunk allow-pass vlan 11 to 12 100
#
#
#
#
# Create VLANs on Agg1, and configure interface types and VLANs to which the
interfaces belong.

#
#
# Create VLANs on Agg2, and configure interface types and VLANs to which the
interfaces belong.

[Agg2] vlan batch 100 110 120
#
# Create VLANs on WAC1, and configure the type of its uplink interface and VLANs
to which the interface belongs.
[WAC1] vlan batch 10 100

[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
# Create VLANs on WAC2, and configure the type of its uplink interface and VLANs
to which the interface belongs.
[WAC2] vlan batch 10 100

[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100

Configure IPv4 addresses for the devices.
# Configure IPv4 addresses for interfaces on Core-SW.

#
#
#
#
# Check the IPv4 addresses on Core-SW.

^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down

Vlanif10 10.1.10.1/24 up up
Vlanif11 10.1.11.1/24 up up
Vlanif12 10.1.12.1/24 up up
Vlanif99 10.1.99.1/30 up up
Vlanif4090 192.168.9.1/24 up up
[Core-SW]
# Configure an IPv4 address for an interface on WAC1.

#
# Configure IPv4 address for interfaces on WAC2.

#

#
Configure IPv6 addresses for devices.

# Configure IPv6 addresses for interfaces on Core-SW.
[Core-SW] ipv6
[Core-SW-Vlanif99] ipv6 enable
[Core-SW-Vlanif99] ipv6 address FC01:99::1/64
#
#
[Core-SW] interface VLAN 11
#
[Core-SW] interface VLAN 12
# Check the IPv6 addresses on Core-SW.
<Core-SW> display ipv6 int brief


(l): loopback
(s): spoofing
Interface Physical Protocol
Vlanif11 up up
[IPv6 Address] FC01:110::1
Vlanif12 up up
Vlanif99 up up
Vlanif100 up up
[Core-SW]
[WAC1] ipv6
[WAC1-Vlanif100] ipv6 enable
[WAC1-Vlanif100] ipv6 address FC01:100::100/64
[WAC2] ipv6
[WAC2-Vlanif100] ipv6 enable
[WAC2-Vlanif100] ipv6 address FC01:100::101/64
# Configure an IPv6 address for an interface on AR1.
[AR1] ipv6
[AR1-GigabitEthernet0/0/1] ipv6 enable
[AR1-GigabitEthernet0/0/1] ip address FC01:99::2/64

Configure an IPv4 dynamic routing protocol to implement intranet connectivity. This
solution uses the OSPF protocol.
[Core-SW] ospf 1
<Core-SW>
[WAC1] ospf 1
<WAC1>
[WAC2] ospf 1
<WAC2>
[AR1] ospf 1
[AR1-ospf-1] area 0
<AR1>

[AR1-ospf-1] quit
Configure an IPv6 dynamic routing protocol to implement intranet connectivity. This

solution uses the OSPFv3 protocol.
# Configure OSPFv3 on Core-SW to advertise local network segments.
[Core-SW] ospfv3 1
[Core-SW-ospfv3-1] router-id 10.1.10.1
[Core-SW-ospfv3-1] quit
#
[Core-SW] int vlan 99
[Core-SW-Vlanif99] ospfv3 1 area 0
[Core-SW]
#
#
#

[Core-SW]
# Configure OSPFv3 on WAC1 to advertise the local network segment.
[WAC1] ospfv3
[WAC1-ospfv3-1] router-id 10.1.10.100
[WAC1-ospfv3-1] quit
#
[WAC1-Vlanif100] ospfv3 1 area 0
#
# Configure OSPFv3 on WAC2 to advertise the local network segment.
[WAC2] ospfv3
[WAC2-ospfv3-1] router-id 10.1.10.101
[WAC2-ospfv3-1] quit
#
[WAC2-Vlanif100] ospfv3 1 area 0
# Configure OSPFv3 on AR1 to advertise the local network segment.
[AR1] ospfv3
[AR1-ospfv3-1] router-id 10.1.99.2
[AR1-ospfv3-1] quit
#
[AR1] interface Vlanif 99
[AR1-Vlanif99] ospfv3 1 area 0
[AR1-Vlanif99] quit
[AR1] ospfv3
[AR1-ospfv3-1] default-route-advertise always
[AR1-ospfv3-1] quit
Check OSPF neighbor information on Core-SW.
<Core-SW>display ospf peer brief
OSPF Process 1 with Router ID 10.1.10.1

Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Vlanif10 10.1.10.100 Full
0.0.0.0 Vlanif10 10.1.10.101 Full
0.0.0.0 Vlanif99 10.1.99.2 Full
----------------------------------------------------------------------------
Total Peer(s): 3
<Core-SW>
#
<Core-SW>display ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
10.1.99.2 1 Full/Backup 00:00:36 Vlanif99 0
10.1.10.100 1 Full/DROther 00:00:32 Vlanif100 0
10.1.10.101 1 Full/Backup 00:00:33 Vlanif100 0
<Core-SW>
Step 4 Configure VRRP HSB for dual-stack WACs.

Configure the master WAC.

[WAC1-Vlanif10] vrrp vrid 1 priority 120
[WAC1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 180
[WAC1-Vlanif10] vrrp vrid 1 track interface GigabitEthernet 0/0/1
# Create a management VRRP6 group on WAC1.

[WAC1-Vlanif100] undo ipv6 nd ra halt
[WAC1-Vlanif100] ipv6 nd autoconfig managed-address-flag
[WAC1-Vlanif100] ipv6 nd autoconfig other-flag
[WAC1-Vlanif100] vrrp6 vrid 2 virtual-ip Fe80::254 link-local
[WAC1-Vlanif100] vrrp6 vrid 2 virtual-ip FC01:100::254
[WAC1-Vlanif100] vrrp6 vrid 2 priority 120
[WAC1-Vlanif100] vrrp6 vrid 2 preempt-mode timer delay 180
[WAC1-Vlanif100] vrrp6 vrid 2 track admin-vrrp interface Vlanif 10 vrid 1 unflowdown
Configure the dual-link HSB function.

# Create HSB service 0 on WAC1 and configure the IP addresses and port numbers for
the active and standby channels.
[WAC1-hsb-service-0] service-ip-port local-ip FC01:100::100 peer-ip FC01:100::101 local-data-port
10241 peer-data-port 10241
# Create HSB group 0 on WAC1.
[WAC1] hsb-group 0
#
#
[WAC1] hsb-group 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface Vlanif 10
Configure the backup WAC.


# Create a management VRRP6 group on WAC2.

[WAC2-Vlanif100] undo ipv6 nd ra halt
[WAC2-Vlanif100] ipv6 nd autoconfig managed-address-flag
[WAC2-Vlanif100] ipv6 nd autoconfig other-flag
[WAC2-Vlanif100] vrrp6 vrid 2 virtual-ip Fe80::254 link-local
[WAC2-Vlanif100] vrrp6 vrid 2 virtual-ip FC01:100::254
[WAC2-Vlanif100] vrrp6 vrid 2 track admin-vrrp interface Vlanif 10 vrid 1 unflowdown
Configure the dual-link HSB function.

# Create HSB service 0 on WAC2 and configure the IP addresses and port numbers for
the active and standby channels.
[WAC2-hsb-service-0] service-ip-port local-ip FC01:100::101 peer-ip FC01:100::100 local-data-port
10241 peer-data-port 10241
# Create HSB group 0 on WAC2.
[WAC2] hsb-group 0
#
#
[WAC2] hsb-group 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface Vlanif 10

Check the WAC HSB status. WAC1 is used as an example.

# Check the VRRP status.
<WAC1> display vrrp

Vlanif10 | Virtual Router 1
State: Master
Virtual IP: 10.1.10.254
Master IP: 10.1.10.100
PriorityRun: 120
PriorityConfig: 120
MasterPriority: 120
Preempt: YES Delay Time: 180 s
TimerRun: 2 s
TimerConfig: 2 s
Auth type: NONE
Virtual MAC: 0000-5e00-0101
Check TTL: YES
Config type: admin-vrrp
Backup-forward: disabled
Track IF: GigabitEthernet0/0/1 Priority reduced: 10
IF state: UP
Track SysHealth Priority reduced: 254
SysHealth state: UP
Create time: 2021-04-20 09:55:57
Last change time: 2021-04-20 09:56:03
# Check the HSB status.
[WAC1] display hsb-service 0

Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : FC01:100::100
Peer IP Address : FC01:100::101
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval :6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[WAC1]
#
[WAC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif10
Service Index :0
Group Vrrp Status : Master
Group Status : Active

Group Backup Process : Realtime
Backup Start Time :-
Peer Group Device Name : AC6508
Peer Group Software Version: V200R020C00SPC200B201
Group Backup Modules : AP
Access-user
DHCP
----------------------------------------------------------
[WAC1]
Step 5 Configure the CAPWAP source address.

[WAC1] capwap ipv6 enable

[WAC1] capwap double-stack enable
[WAC1] capwap source ipv6-address FC01:100::254
[WAC2] capwap ipv6 enable

[WAC2] capwap double-stack enable
[WAC2] capwap source ipv6-address FC01:100::254
Step 6 Configure configuration synchronization between the master and backup WACs.
# On WAC1, configure WAC1 as the master AC and specify the IP address of the local
WAC.
[WAC1] wlan
[WAC1-master-controller] master-redundancy peer-ip ipv6-address FC01:100::101 local-ip ipv6-
address FC01:100::100 psk Huawei@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 10
# On WAC2, configure WAC2 as the local AC and specify the IP address of the master
WAC.
[WAC2] wlan
[WAC2-master-controller] master-redundancy peer-ip ipv6-address FC01:100::100 local-ip ipv6-
address FC01:100::101 PSK Huawei@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 10
Check the configuration synchronization between the master and local WACs.
[WAC1-wlan-view] display sync-configuration status


----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
FC01:100::101 Backup AC6508 V200R020C00SPC200B201 cfg-mismatch(config check fail) -
----------------------------------------------------------------------------------------------------------------------
Total: 1
[WAC1-wlan-view]
Manually trigger configuration synchronization. After configuration synchronization is

triggered, WAC2 automatically restarts and then starts configuration synchronization.
[WAC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]: y
# After WAC2 restarts, check the configuration synchronization status on WAC1.
<WAC1> display sync-configuration status

--------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
FC01:100::101 Backup AC6508 V200R020C00SPC200B201 up XXXXXXXX
---------------------------------------------------------------------------------------------------------------------
Total: 1
<WAC1>

Create IPv4 address pools.
# Create a DHCP address pool for IPv4 APs on Core-SW.

[Core-SW] ip pool ap
[Core-SW-ip-pool-ap] excluded-ip-address 10.1.10.100 10.1.10.101
# Create a DHCP address pool for HCIE-Lab on Core-SW.

# Create a DHCP address pool for HCIE-Interview on Core-SW.



#
#
#
Create IPv6 address pools.
[Core-SW] dhcpv6 pool ap

[Core-SW-dhcpv6-pool-ap] address prefix FC01:100::/64
[Core-SW-dhcpv6-pool-ap] quit
#
[Core-SW] dhcpv6 pool lab
[Core-SW-dhcpv6-pool-lab] address prefix FC01:110::/64
[Core-SW-dhcpv6-pool-lab] quit
#
[Core-SW] dhcpv6 pool interview
[Core-SW-dhcpv6-pool-interview] address prefix FC01:120::/64
[Core-SW-dhcpv6-pool-interview] quit
#
[Core-SW-Vlanif100] description for ipv6_ap
[Core-SW-Vlanif100] undo ipv6 nd ra halt
[Core-SW-Vlanif100] ipv6 nd autoconfig managed-address-flag
[Core-SW-Vlanif100] ipv6 nd autoconfig other-flag
[Core-SW-Vlanif100] dhcpv6 server ap
#
[Core-SW-Vlanif11] dhcpv6 server lab
#
[Core-SW-Vlanif12] dhcpv6 server interview

# Create a regulatory domain profile on WAC1. The default country code is China. (If
the device is located outside China, change the country code accordingly.)
[WAC1] wlan

environment.)

#
#
Check the AP status on WAC1. The IPv4 and IPv6 APs go online normally.
[WAC1-wlan-view] display ap all

nor : normal [3]
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
1 f4de-af36-b300 ap2 HCIE 10.1.10.93 AirEngine5760-10 nor 0 45S P

2 f02f-a75e-5740 ap3 HCIE FC01:100::3 AP4030DN no 0 40S -
----------------------------------------------------------------------------------------------------------------------
Total: 3
[WAC1-wlan-view]

Create security profiles and configure 802.1X authentication for both HCIE-Lab and
HCIE-Interview.
# Create a security profile on WAC1 and set the authentication mode to 802.1X.
[WAC1-wlan-view] security-profile name HCIE

[WAC1-wlan-sec-prof-HCIE] security wpa2 dot1x aes
[WAC1-wlan-sec-prof-HCIE] quit


[WAC1-wlan-view]

[WAC1-wlan-view]

# Create VAP profiles on WAC1.

[WAC1-wlan-vap-prof-HCIE-Lab] security-profile HCIE
#
[WAC1-wlan-vap-prof-HCIE-Interview] security-profile HCIE
# Apply VAP profiles to the AP group.


[WAC1-wlan-view]


WID : WLAN ID
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
0 ap1 0 1 30FD-65F8-FD40 ON WPA2+802.1X 0 HCIE-Interview
0 ap1 1 1 30FD-65F8-FD50 ON WPA2+802.1X 0 HCIE-Interview
1 ap2 0 1 F4DE-AF36-B300 ON WPA2+802.1X 0 HCIE-Interview
1 ap2 1 1 F4DE-AF36-B310 ON WPA2+802.1X 0 HCIE-Interview
2 ap3 0 1 F02F-A75E-5740 ON WPA2+802.1X 0 HCIE-Interview
2 ap3 1 1 F02F-A75E-5750 ON WPA2+802.1X 0 HCIE-Interview
----------------------------------------------------------------------------------------------------------------------
Total: 12
[WAC1-wlan-view]
# Enable the function of processing STA IPv6 services. If this function is not enabled,
STAs cannot obtain IPv6 addresses.
[WAC1-wlan-view] sta-ipv6-service enable
Step 10 Configure local 802.1X authentication.

# Create an 802.1X profile.
[WAC1] dot1x-access-profile name HCIE

[WAC1-dot1x-access-profile-HCIE] quit
# Configure local authentication.
[WAC1] aaa
[WAC1-aaa] authentication-scheme HCIE
[WAC1-aaa-authen-HCIE] authentication-mode local
[WAC1-aaa-authen-HCIE] quit
# Configure an EAP server template.
[WAC1] eap-server-template name hcie

[WAC1-eap-server-template-hcie] local-eap-server authentication method eap-peap
[WAC1-eap-server-template-hcie] local-eap-server authentication eap-phase-one enable
# Enable the EAP server template.
[WAC1] local-eap-server authentication eap-server-template hcie

[WAC1] local-eap-server configuration reload
# Configure an authentication profile.
[WAC1] authentication-profile name HCIE

[WAC1-authentication-profile-HCIE] dot1x-access-profile HCIE
[WAC1-authentication-profile-HCIE] authentication-scheme HCIE
[WAC1-authentication-profile-HCIE] quit
# Bind the authentication profile to VAP profiles.

[WAC1-wlan-vap-HCIE-Lab] authentication-profile HCIE
#
[WAC1-wlan-vap-HCIE- Interview] authentication-profile HCIE
# Create a login account.
[WAC1] aaa
[WAC1-aaa] local-user hcie-wlan-lab password cipher Huawei@123
[WAC1-aaa] local-user hcie-wlan-lab privilege level 0
[WAC1-aaa] local-user hcie-wlan-lab service-type 8021x
[WAC1-aaa] quit
----End

6.3.1 STAs Can Access the Egress Device After Connecting to the
WLAN
# Connect a test PC to the SSID HCIE-Lab.
After the PC connects to the WLAN, check IP addresses obtained by the PC. The
command output shows that the PC has obtained both IPv4 and IPv6 addresses.
Verify that the PC can access the egress device and services are normal.

#
sysname Core-SW
#
ipv6
#
vlan batch 10 to 12 99 to 100 4090
#
ip pool ap
network 10.1.10.0 mask 255.255.255.0
#
ip pool lab
network 10.1.11.0 mask 255.255.255.0
#
ip pool interview
network 10.1.12.0 mask 255.255.255.0
#
dhcpv6 pool ap
address prefix FC01:100::/64
#
dhcpv6 pool lab
#
dhcpv6 pool interview
#
ospfv3 1
router-id 10.1.10.1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
ipv6 enable
ip address 10.1.11.1 255.255.255.0
ipv6 address FC01:110::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
ospfv3 1 area 0.0.0.0
dhcp select global
dhcpv6 server lab
#
interface Vlanif12
ipv6 enable
ip address 10.1.12.1 255.255.255.0

dhcp select global
dhcpv6 server interview
#
interface Vlanif99
ipv6 enable
ip address 10.1.99.1 255.255.255.252
#
interface Vlanif100
description for ipv6_ap
ipv6 enable
dhcpv6 server ap
#
ip address 192.168.9.1 255.255.255.0
#
#
port trunk allow-pass vlan 11 to 12 100
#
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.10.1 0.0.0.0
network 10.1.11.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.99.1 0.0.0.0
#
return
[Core-SW]

#
sysname Agg1
#
vlan batch 10 to 12
#
interface MEth0/0/1
#
#
#
#
return
<Agg1>

#
sysname Agg2
#
#
#
#
return
<Agg2>

#
sysname WAC1
#
eap-server-template name hcie
local-eap-server authentication method eap-peap
local-eap-server authentication eap-phase-one enable
#
local-eap-server authentication eap-server-template hcie
#
ipv6
#
vrrp recover-delay 20
#
vlan batch 10 to 12 100 110 120
#
authentication-profile name HCIE
dot1x-access-profile HCIE
#
aaa
authentication-mode local
accounting-scheme default
accounting-mode none
local-aaa-user password policy administrator
domain default
accounting-scheme default
radius-server default
local-user hcie-wlan-lab password cipher Huawei@123
local-user hcie-wlan-lab privilege level 0
local-user hcie-wlan-lab service-type 8021x
#
ospfv3 1
router-id 10.1.10.100
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 180
vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif100
ipv6 enable

vrrp6 vrid 2 virtual-ip FE80::254 link-local
vrrp6 vrid 2 virtual-ip FC01:100::254
vrrp6 vrid 2 priority 120
vrrp6 vrid 2 preempt-mode timer delay 180
vrrp6 vrid 2 track admin-vrrp interface Vlanif10 vrid 1 unflowdown
#
#
area 0.0.0.0
network 10.1.10.100 0.0.0.0
#
capwap double-stack enable
capwap source ipv6-address FC01:100::254
#
hsb-service 0
service-ip-port local-ip FC01:100::100 peer-ip FC01:100::101 local-data-port 10241 peer-data-port
10241
#
hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
sta-ipv6-service enable
security-profile name HCIE
security wpa2 psk pass-phrase %^%#1$W#"Tm*[4}45xJ//8QQCtHHC>tI-&s!Ko:'1]T*%^%# aes
ssid HCIE-Lab
ssid HCIE-Interview
security-profile HCIE
authentication-profile HCIE
authentication-profile HCIE
ap-group name HCIE
radio 0
radio 1
radio 2
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
provision-ap
master controller
master-redundancy peer-ip ipv6-address FC01:100::101 local-ip ipv6-address FC01:100::100
psk %^%#Wd3B8m1P'/sm.S~SvI;4DsL(E"Wm0)Z\cILGEV3@%^%#
#
dot1x-access-profile name HCIE
#
return
<WAC1>

#
sysname WAC2
#
ipv6
#
vlan batch 10 to 12 100 4090
#
ospfv3 1
router-id 10.1.10.101
#
interface Vlanif10
ip address 10.1.10.101 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif100
ipv6 enable

vrrp6 vrid 2 virtual-ip FE80::254 link-local
vrrp6 vrid 2 virtual-ip FC01:100::254
vrrp6 vrid 2 track admin-vrrp interface Vlanif10 vrid 1 unflowdown
#
ip address 172.21.59.13 255.255.128.0
#
#
#
area 0.0.0.0
network 10.1.10.101 0.0.0.0
#
capwap double-stack enable
capwap source ipv6-address FC01:100::254
#
hsb-service 0
service-ip-port local-ip FC01:100::101 peer-ip FC01:100::100 local-data-port 10241 peer-data-port
10241
#
hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
sta-ipv6-service enable
security-profile name HCIE
security wpa2 psk pass-phrase %^%#1$W#"Tm*[4}45xJ//8QQCtHHC>tI-&s!Ko:'1]T*%^%# aes
ssid HCIE-Lab
ssid HCIE-Interview

ap-group name HCIE
radio 0
radio 1
radio 2
ap-name ap1
ap-group HCIE
ap-name ap2
ap-group HCIE
ap-name ap3
ap-group HCIE
provision-ap
master controller
master-redundancy peer-ip ipv6-address FC01:100::100 local-ip ipv6-address FC01:100::101
psk %^%#hP-.2"kE78hLNm%h0.q9*L%1P<>^x3An@uLRWNU&%^%#
#
return
<WAC2>

#
sysname AR1
#
ipv6
#
ospfv3 1
router-id 10.1.99.2
#
undo portswitch
ipv6 enable
ip address 10.1.99.2 255.255.255.252
#
undo portswitch
ip address 20.1.1.1 255.255.255.252

#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.99.2 0.0.0.0
#
return
<AR1>
7 WLAN CloudCampus Solution

Deployment Lab
7.1 Introduction
With technology advances and industry digitalization, chain stores and small enterprise
branches alike require IT systems featuring high levels of information integration. However,
they generally lack professional IT maintenance personnel, so HQ personnel have to travel
to maintain IT systems onsite, resulting in high costs. For this reason, cloud management
has become a trend for small- and medium-sized campus networks. By deploying cloud-
managed APs, routers, switches, and firewalls, enterprises can quickly deploy and provision
services while reducing O&M costs and greatly improving management efficiency.
This lab provides instructions on configuring and commissioning CloudCampus networking
so that you can understand how to deploy Huawei WLAN CloudCampus solution (on-
premises).
7.1.2 Objectives
⚫ Understand Huawei WLAN CloudCampus networking scenarios.
⚫ Understand the process of creating sites and onboarding devices.
⚫ Master how to deliver the IP address of iMaster NCE-Campus through DHCP Option
148.
⚫ Know how to configure AR services on the web pages of iMaster NCE-Campus.
⚫ Grasp how to configure AP services on the web pages of iMaster NCE-Campus.
⚫ Understand the WLAN CloudCampus networking configuration.
Figure 7-1 WLAN CloudCampus Solution deployment topology

As shown in the figure, the network consists of two parts: HQ and branch.
The HQ consists of AR1, Core-SW, Agg1, Agg2, WAC1, WAC2, and three APs (AP1, AP2,
and AP3). AR1 functions as the campus egress, and WAC1 and WAC2 work in HSB mode.
The three APs are online on the WAC. iMaster NCE-Campus needs to manage all devices
in the HQ in a unified manner.
The branch consists of AR2, SW4, and AP6. AR2 functions as the campus egress, and AP6
is directly connected to a Layer 2 interface on SW4. AR2 allocates IP addresses through
DHCP and also implements NAT for access to the external network. AP6 works in cloud
management mode. All devices at the branch register with iMaster NCE-Campus for unified
management.
In this lab, the gateway IP address of iMaster-NCE Campus is 192.168.9.253. To enable
iMaster-NCE Campus to manage network devices, you can configure a DHCP address pool
to allow other devices to obtain IP addresses and use Option 148 to notify the devices of
the IP address of iMaster-NCE Campus. This IP address can also be manually specified.
This lab only introduces how to manually specify network devices to be managed by
iMaster-NCE Campus.

⚫ Configure devices to communicate with iMaster NCE-Campus.
⚫ Create a site for the HQ on iMaster NCE-Campus and add all devices at the HQ to
the site. AP1, AP2, and AP3 are online on the WAC, so you only need to add the WAC
to iMaster NCE-Campus but does not need to add APs.
⚫ Create a site for the branch on iMaster NCE-Campus and add all devices at the
branch to the site.
⚫ On AR2, configure the DHCP address pool, VLAN on the LAN interface, and NAT on
the WAN interface. In this way, AP6 can obtain its IP address and the IP address of
iMaster NCE-Campus as well as communicate with iMaster NCE-Campus through
AR2.
⚫ On iMaster NCE-Campus, add AP6. After AP6 goes online, configure wireless services,
including creating an SSID (iMaster_NCE_Demo) with Portal authentication for
guests, an SSID (Employee) with 802.1X authentication for employees, and an
account used for authentication.
⚫ Connect STAs to the SSID and verify the authentication result.

7.2.2.1 Onboarding Devices at the HQ
Onboard AR1 and Core-SW on iMaster-NCE Campus.
Step 1 Configure network connectivity and ensure that all devices can communicate with
iMaster-NCE Campus.
# Configure Core-SW to communicate with iMaster-NCE Campus.
[Core-SW] netconf
[Core-SW-netconf] management-vlan 4090
[Core-SW-netconf] controller ip-address 172.21.59.102 port 10020
# Configure Agg1 to communicate with iMaster-NCE Campus.
[Agg1] netconf
[Agg1-netconf] management-vlan 4090
[Agg1-netconf] controller ip-address 172.21.59.102 port 10020
# Configure Agg2 to communicate with iMaster-NCE Campus.
[Agg2] netconf
[Agg2-netconf] management-vlan 4090
[Agg2-netconf] controller ip-address 172.21.59.102 port 10020
# Configure AR1 to communicate with iMaster-NCE Campus.

[AR1] agile controller host 172.21.59.102 port 10020
# Configure WAC1 to communicate with iMaster-NCE Campus.
[WAC1] ac-mode cloud

Warning: This operation will switch the AC mode to cloud, Continue? [Y/N]y
This operation will take several minutes, please wait....
Warning: The authentication mode is switched to SN authentication. Ensure that the APs added
offline have SN information. Otherwise, configurations of these APs may be lost..
#
[WAC1] cloud-mng controller ip-address 172.21.59.102 port 10020
[WAC1] pnp startup-vlan receive enable
# Configure WAC2 to communicate with iMaster-NCE Campus.
[WAC2] ac-mode cloud

Warning: This operation will switch the AC mode to cloud, Continue? [Y/N] y
This operation will take several minutes, please wait....
Warning: The authentication mode is switched to SN authentication. Ensure that the APs added
offline have SN information. Otherwise, configurations of these APs may be lost.
#
[WAC2] cloud-mng controller ip-address 172.21.59.102 port 10020
[WAC2] pnp startup-vlan receive enable
Step 2 Check the ESNs of devices.

# Check the ESN of Core-SW.
[Core-SW] display esn

ESN of slot 0: 21980109384EL6000200
# Check the ESN of Agg1.
<Agg1>display esn
ESN of slot 0: 1019A0031371
# Check the ESN of Agg2.
<Agg2>display esn
ESN of slot 0: 210235859910H7000001
# Check the ESN of AR1.
<AR1> display esn

ESN of device: 1002352MQU19C0143513
# Check the ESN of WAC1.
<WAC1> display esn

ESN of device: 102060020916
# Check the ESN of WAC2.

[WAC2] display esn

ESN of device: 102060020925
Step 3 On iMaster NCE-Campus, create a site and add devices to the site.
Log in to the O&M plane of iMaster NCE-Campus using a tenant account, create a site
named HQs, and add Core-SW and AR1 to the site.
# Choose Design > Site Management and click Create.
Set Site Name to HQs, select AR, LSW, and WAC for Device type, click By ESN, and enter
the device names and ESNs.
The version of the electronic label on WACs used in this lab is 4.0. Therefore, you need to
add WACs by model. Click By Model, enter WAC product information, and click OK.
Set WAC names, enter the ESNs, and click OK.
Click the created site HQs.
Check the device status. It is found that the devices are onboarded and in normal state.
Step 4 Create a WAC group.

Choose Design > Site Agile Deployment > Device Management from the main menu.
# Click the site to be configured, click the Device Group tab, select WAC Group, and click
Create.
# Enter the WAC group name and click Add to add a WAC group member.
Select WAC1 and WAC2, click the icon, and click OK.
Click OK.
Step 5 Onboard APs.

Before the configuration, AP1, AP2, and AP3 are online on the WAC. You only need to
restore the AP status. Enter the WAC1 page to view the AP list, select AP1 to AP3, and click
Repair.
Select the HQs site and click OK.

After success results are displayed for all APs, click OK.
Check the AP status. It is found that AP1, AP2, and AP3 are in Unregistered state.
After 1 to 2 minutes, the AP status becomes Normal, and their MAC addresses and states
are displayed.
----End
7.2.2.2 Onboarding Devices at the Branch

Step 1 Check the ESNs of devices.
# Check the ESN of AR2.
<AR2>display esn
ESN of device: 1002352RLG1980065092
# Check the ESN of SW4.
<SW4>display esn
ESN of slot 0: 210235859910HA000031
Step 2 On iMaster NCE-Campus, create a site and add devices to the site.
Create a site named Branch and add devices.
# Choose Design > Site Management and click Create.
# Create a site named Branch.
Set Site Name to Branch, select AP, AR, and LSW for Device type, click By ESN, enter the
device names and ESNs, and click OK.
# On iMaster NCE-Campus, check the onboarding status of devices.
----End
7.2.2.3 Onboarding the AP at the Branch

Configure the DHCP function on AR2 to assign an IP address to AP6 and notify AP6 of the
IP address of iMaster NCE-Campus through DHCP Option 148. To ensure the IP connectivity
between AP6 and iMaster NCE-Campus, configure source NAT on AR2 so that AP6 can
access iMaster NCE-Campus through the IP address of the WAN interface on AR2.
Step 1 Create an IP address pool.

# Choose Site Configuration > Site, switch to the Branch site, and click AR.
# On the LAN tab page, select Local Internet access and click Create.
# Enter the subnet name, VLAN ID, IP address, and mask, and click Create after you enable
DHCP.
Expand Advanced. Select cloud platform address(148) in Option and click Value. In the
dialog box that is displayed, enter the IP address and port number of iMaster NCE-Campus.
Specifically, change the information highlighted in the red frame to the IP address of
iMaster NCE-Campus. In this lab, enter 172.21.59.102. The following figure shows the final
result.
The complete value of Option 148 is as follows, which is for your reference:
agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-
domain=192.168.4.104;agilemanage-port=10020;
# Click Submit and then OK.
# Log in to AR2 to check the configuration.
<AR2>display current-configuration interface vlanif1

[V300R019C10SPC300]
#
interface Vlanif1
ip address 192.168.10.1 255.255.255.0
zone trust
dhcp select interface
dhcp server dns-list 192.168.10.1
dhcp server option 148 ascii agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-
Check the configuration of VLANIF 1 on AR2. The command output shows that VLANIF 1
has been generated, its IP address is 192.168.10.1, interface-based DHCP has been enabled,
and Option 148 has been configured.
Step 2 Configure a LAN interface on AR2.

Configure the downlink interfaces of AR2, allow packets from VLAN 1 to pass through, and
change the PVID to 1, so that SW4 and AP6 can obtain their IP addresses and the IP address
of iMaster NCE-Campus through DHCP.
# On the Site Configuration tab page, choose AR > Interface > Customized.
# Click the downlink interface, which is GE0/0/2 in this lab.
# Set both Default VLAN and Allowed VLAN to 1, so that the AP can obtain the IP address
of VLANIF 1.
# Check the configuration of GE0/0/2 on AR2.
<AR2> display current-configuration interface GigabitEthernet 0/0/2

[V300R019C10SPC300]
#
By default, GE0/0/2 allows packets from VLAN 1 to pass through, and its PVID is VLAN 1.
# Check whether AP2 has obtained an IP address.
[AR2] display arp all | in 192.168.10

IP ADDRESS MAC ADDRESS EXPIRE (M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.10.1 b008-7536-7984 I - Vlanif1
192.168.10.112 f4de-af36-b3c0 8 D-0 GE0/0/2
192.168.10.154 f4de-af36-a360 8 D-0 GE0/0/2
192.168.10.92 f4de-af36-ace0 20 D-0 GE0/0/2
192.168.10.163 28b4-484d-c662 18 D-0 GE0/0/2
------------------------------------------------------------------------------
Total: 8 Dynamic: 5 Static: 0 Interface: 3
[AR2]
The command output shows that apart from a gateway IP entry, there is an ARP entry with
the interface being GE0/0/2, indicating that a downlink device has obtained an IP address.
Based on the AP's MAC address (f4de-af36-b3c0), it can be determined that AP6 has
obtained the IP address.
Step 3 Configure NAT on AR2.

AP6 has obtained its IP address and the IP address of iMaster NCE-Campus. However, AR1
does not have a route destined for 192.168.10.0/24. To ensure the IP reachability between
AP6 and iMaster NCE-Campus, you need to configure source NAT on AR2.
# Choose Design > Template Management > Policy Template, click ACL, and click Create
to create an ACL for AR2 to perform source NAT.
# Set ACL parameters. Click IPv4, enter the name, set the ACL type to Advanced, click Add,
and set Source IP Address to 192.168.10.0/24 (network segment where AP6 is located).
Click √ and then click OK.
Note that the ACL number must be greater than 3100.
# Choose Provision > Site Configuration.
Choose AR > Network. In the NAT configuration area, click Create to create a NAT rule.
# Configure the NAT rule parameters.
Select GE0/0/1 (WAN interface on AR2 in this lab) from the drop-down list box marked 1
and click the area marked 2. In the dialog box that is displayed, select the created ACL
template and click OK.
# Check the NAT configuration on AR2.
<AR2> display current-configuration interface gi0/0/1

[V300R019C00SPC300]
#
undo portswitch
nat outbound 3101
zone untrust
ip address dhcp-alloc
#
return
<AR2>
The command output shows that the source NAT configuration has been delivered to
GE0/0/1.
# Check the connectivity between 192.168.10.0/24 and iMaster NCE-Campus.
<AR2>ping -a 192.168.10.1 172.21.59.102

--- 172.21.59.102 ping statistics ---

0.00% packet loss
<AR2>
The command output shows that connectivity between 192.168.10.0/24 and iMaster NCE-
Campus is normal.
Step 4 Add AP6 to the Branch site on iMaster NCE-Campus.

Add AP6 to the Branch site using the ESN. The ESN can be obtained from the AP label or
can be obtained by logging in to the AP through SSH and run commands on the AP after
it is connected using the default wireless signal. For details, see the AP product
documentation.
The following figure shows AP product documentation where the Fat AP and cloud AP are
used as an example:
In this product documentation, choose Installation > Hardware Installation and
Maintenance Guide > Appendix > AP Login > AP First-Time Login to see how to log in to
an AP.
# Switch the AP mode.
<Huawei> system-view
[Huawei] ap-mode-switch cloud
If the AP works in non-cloud mode, you need to switch the AP to the cloud mode first.
After such switching, the AP restarts.
In this lab, the AirEngine 5760-50 works in cloud mode by default. You do not need to
switch the AP working mode.
# On iMaster NCE-Campus, add AP6 to the Branch site.
Choose Design > Device Management. On the page that is displayed, choose Branch > Add
Device > Add.
# Add AP6.
Set Protocol type to NETCONF protocol. For Huawei devices that adapt to the
CloudCampus solution, set Protocol type to NETCONF protocol. For other devices (or third-
party devices), set Protocol type to SNMP protocol. Then, add AP6 using the ESN by setting
Name to AP6.
# Check whether AP6 is online.
On the device management page, you can see that AP6 has gone online.
----End
7.2.2.4 Configuring Cloud AP Services

Create an ACL invoked by the portal free rule to permit DNS resolution traffic of users.
Configure wireless services for guests. Specifically, set the SSID to HCIE-Guest, forwarding
mode to Layer 2 forwarding, and user VLAN to VLAN 100. Also, enable Portal
authentication, configure user-based traffic limiting, and create a to-be-authenticated user
named huawei and set the password to Huawei@123.
Configure wireless services for employees. Specifically, set the SSID to HCIE-EM, forwarding
mode to Layer 2 forwarding, and user VLAN to VLAN 200. Also, enable 802.1X
authentication, configure user-based traffic limiting, and create a to-be-authenticated user

named dot1x and set the password to Huawei@123.
Step 1 Create a user ACL invoked by the portal free rule.

Create a user-defined ACL numbered 6001 to permit DNS resolution traffic of users. This
ensures that users can use the DNS protocol to resolve the IP address of the web server
and initiate HTTP access before authentication, so that the AP can perform TCP hijacking
and push the Portal authentication page.
# Create a user-defined ACL. Choose Design > Template Management > Policy Template,
click ACL, and click Create to create an ACL.
Set Name to DNS.

Set ACL number to 6001.
In the Rule list area, click Add, set Protocol to UDP, set Port to 53, and click √ to submit
the configuration.
Then, click OK.
Step 2 Create an SSID for guests.

Create an SSID named HCIE-Guest, enable Portal authentication, set the forwarding mode
to Layer 2 forwarding, and set the user VLAN ID to 100.
# Create an SSID. Choose Provision > Site Configuration, select the Branch site, click AP,
and click Create to create an SSID.
# Configure basic SSID parameters. Set SSID Name to HCIE-Guest, Effective radio to All,
and Network connection mode to Layer 2 forwarding. Set VLAN ID to 100.
Click Submit and then Next.
The VLAN ID configured here is the ID of the VLAN to which STAs belong, that is, the VLAN
specified by the service-vlan vlan-id command in the VAP profile on the WAC. In this lab,
the VLAN ID is set to 100. When STAs connect to AP6, AP6 adds a VLAN 100 tag to the
data frames of STAs and sends the tagged data frames through the uplink interface.
Therefore, you need to configure the LAN interface on AR2 (that is, GE0/0/1 in this lab) to
allow packets from VLAN 100 to pass through. In addition, a DHCP address pool is
configured on AR2 to assign IP addresses to STAs in VLAN 100.
# Configure SSID security authentication. Configure as follows:
Set Authentication mode to Open network. That is, use the Portal authentication mode.
Enable Push pages (Portal authentication). Then, new configuration items are displayed.
Set Page pushing mode to Built-in authentication by cloud platform.
Set Push page to Default User Name and Password Authentication Page.
Disable Self-registration. This means that users are not allowed to register new accounts
for authentication. Only existing accounts can be used for authentication.
Enable Portal authentication-free. That is, retain the default authentication-free validity
period.
In Default permit rule, select the created user ACL, that is, DNS.
Select Bypass policy and retain the default setting User access is allowed, without
authentication.
After the preceding configuration is complete, click Next.
# Configure SSID policy control. Configure as follows:

Enable Static terminal rate limiting, and set both the downlink and uplink traffic rates to
20 and 10, respectively.
Click OK and wait until the configuration is delivered to AP6.
Step 3 Verify the configuration.

The web page shows that the created SSID has been enabled on the radios of AP6.
# Verify the configuration using a STA.
On a STA, you can find the wireless signal with the SSID being HCIE-Guest sent by AP6.
Step 4 Configure an SSID for employees.

Create an SSID named HCIE-EM, enable 802.1X authentication, set the forwarding mode to
Layer 2 forwarding, and set the user VLAN ID to 200.
# Choose Provision > Site Configuration, select the Branch site, click AP, and click Create
to create an SSID.
# Configure basic SSID parameters. Set SSID Name to HCIE-EM. Retain the default settings
for Effective radio and Network connection mode (that is, Layer 2 forwarding).
Set VLAN ID to 200, click Submit, and click Next.
# Configure SSID security authentication. Configure as follows:

Set Authentication mode to Secure network.
Set Encryption mode to WPA2.
Set Encryption algorithm to AES.
Set RADIUS server to HCIE-WLAN and click Next.
# Configure SSID policy control. Configure as follows:

Enable Static terminal rate limiting, and set both the downlink and uplink traffic rates to
20 and 10, respectively.
Click OK and wait until the configuration is delivered to AP6.
# Verify the configuration. An SSID named HCIE-EM has been generated.

# On a STA, you can find the wireless signal with the SSID being HCIE-EM advertised by
AP6.
Step 5 Configure SW4.

To ensure that STAs can obtain IP addresses and access the external network, configure
the LAN interfaces of SW4 (GE0/0/1 and GE0/0/2 in this lab) to allow packets from VLANs
100 and 200 to pass through.
Verify that the configuration is delivered properly by SW4.
<SW4>display current-configuration interface GigabitEthernet 0/0/1

#
port trunk allow-pass vlan 100 200
trust dscp
#
<SW4>display current-configuration interface GigabitEthernet 0/0/2
#
trust dscp
<SW4>
Step 6 Configure AR2.

To ensure that STAs can obtain IP addresses and access the Internet, perform the following
configurations on AR2:
Configure the LAN interface on AR2 to allow packets from VLANs 100 and 200 to pass
through.
Create a DHCP address pool on AR2 to assign IP addresses to STAs on VLANIF 100 and
VLANIF 200.
Add the network segment of STAs to the ACL used for source NAT.
# Configure the LAN interface on AR2 to allow packets from VLANs 100 and 200 to pass
through.
# Choose Provision > Site Configuration, select the Branch site, choose AR > Interface >
Customized, select LAN interface 2, and add VLAN 100 and VLAN 200 to Allowed VLAN.
# Create a DHCP address pool named For_HCIE-Guest to assign IP addresses to STAs of

guests. Also, create a DHCP address pool named For_HCIE-EM to assign IP addresses to
STAs of employees.
Choose AR > Network, click LAN, and create a DHCP address pool. Set the parameters
according to the preceding figure. The VLAN IDs must be 100 and 200. The IP address and
mask can be customized. Then, click OK.
# Modify the ACL used for source NAT on AR2.

Choose Design > Template Management > Policy Template, click the created ACL NAT,
click the modification icon, and add an ACL rule. To add the ACL rule, you only need to set
the source IP address range to the address segment assigned to STAs. In this lab, the source
IP address range is 192.168.100.0/24 and 192.168.200.0/24. Then, click OK.
# Verify the configuration on AR2.
[AR2]display current-configuration interface

[V300R019C00SPC300]
#
interface Vlanif1
ip address 192.168.10.1 255.255.255.0
zone trust
dhcp server option 148 ascii agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
zone trust
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
zone trust
#
#
undo portswitch
nat outbound 3101
zone untrust
ip address dhcp-alloc
#
The command output shows that VLANIF 100 and VLANIF 200 are created, the interface-
based DHCP address pools are enabled, and LAN interface GE0/0/1 allows packets from
VLAN 100 and VLAN 200 to pass through.
[AR2] display acl 3101

Advanced ACL 3101, 3 rules
Acl's step is 5
rule 5 permit ip source 192.168.10.0 0.0.0.255 (12 matches)
rule 10 permit ip source 192.168.100.0 0.0.0.255 (1 matches)
rule 15 permit ip source 192.168.200.0 0.0.0.255
[AR2]
Step 7 Configure authentication.

In this lab, local authentication is used. That is, iMaster NCE-Campus functions as the Portal
server and RADIUS server. You need to create to-be-authenticated users and specify
authentication and authorization results on iMaster NCE-Campus.
# Create wireless user groups for authentication. Choose Admission > User Management,
click the icon marked 1 in the left pane, and create two user groups named Branch-Guest
and Branch-EM.
# Create a wireless user for Portal authentication. Click the newly created user group
Branch-Guest on the left, and then click Create on the right.
Create a user named huawei01 and set the password to Huawei@123. Then, deselect
Change password upon next login; otherwise, the user needs to manually change the
password after the first login. In this lab, the user uses a public account, which is only used
to demonstrate the Portal authentication effect. Therefore, you do not need to enable
Change password upon next login. In practice, if each user has an independent account,
you are advised to enable Change password upon next login.
# Create a wireless user for 802.1X authentication. Click the newly created user group
Branch-EM on the left, and then click Create on the right.
Create a user named huawei02 and set the password to Huawei@123. Then, disable
Change password upon next login.
# Modify an authorization rule.

Choose Admission > Authentication and Authorization, click the Authorization Rules tab,
modify the authorization rule Default, and change the authorization result of this authorization
rule to Permit Access.
----End

7.3.1 Verifying Portal Authentication
Connect a STA to the SSID HCIE-Guest of AP6. Open the browser and enter the IP address
1.1.1.1. On the Portal authentication page that is displayed, enter the account and
password to verify Portal authentication.
# Connect a PC to the SSID HCIE-Guest.
# Check the IP address obtained by the PC.

# Verify that the Portal authentication page is displayed normally.
Enter any IP address in the address box of the browser and verify that the Portal
authentication page can be displayed normally.
If a page similar to the following is displayed, the Portal authentication page is displayed
normally.
The URL in the browser is as follows (in this lab):

https://172.21.59.102:19008/portalpage/00000000-0000-0000-0000-
000000000000/username01/pc/authSuccess.html?apmac=f4deaf36b3c0&uaddress=192.16
8.100.245&umac=081f713ad717&authType=1&lang=zh_CN&ssid=SENJRS1HdWVzdA==&p
ushPageId=a7024b82-45ec-465f-b1b7-
6648ce0e8d40&chanFir=n&userInfo=huawei01&remainTime=&remainFlow=&validPeriod=
This URL shows that iMaster NCE-Campus provides services for the Portal authentication
page. This URL also carries the apmac and uaddress parameters, which indicate the MAC
address of the AP that the user accesses and the IP address of the user. These two
parameters are provided by the AP, and are carried in the URL and notified to the Portal
server for subsequent user identification and management.
Note: In this lab, the DNS server address for STAs is set to the IP address of the VLANIF
interface on AR2. Although the DNS proxy function is enabled on AR2, no external DNS
server is configured on AR2 and no DNS record is performed on AR2. Therefore, AR2 cannot
resolve or respond to the DNS request from a STA. To simulate the scenario where the
Portal authentication page is displayed when a user opens the browser and attempts to
access the network through the URL, you need to configure a static DNS resolution record
on AR2.
# Configure static DNS resolution on AR2.
[AR2] ip host www.HCIE-WLAN.com 1.1.1.1

Configure a static DNS resolution record to resolve the domain name www.HCIE-
WLAN.com to the IP address 1.1.1.1. This domain name is used only for testing Portal
authentication through the domain name in the browser.
# Test DNS resolution on a STA.
C:\Users\admin>nslookup www.HCIE-WLAN.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.100.1
DNS request timed out.

timeout was 2 seconds.
Name: www.HCIE-WLAN.com
Address: 1.1.1.1
C:\Users\admin>
In the cmd window of the STA, run the nslookup command to resolve the DNS address.
www.HCIE-WLAN.com can be resolved successfully.
# Verify the network connectivity of the STA before authentication.
C:\Users\admin>ping 20.1.1.1

Request timed out.
Request timed out.
Request timed out.
Request timed out.

C:\Users\admin>
#

Request timed out.
Request timed out.
Request timed out.
Request timed out.

C:\Users\admin>
The command output shows that the STA cannot communicate with the IP address 20.1.1.1
or its gateway (192.168.100.1). That is, the STA does not have the right to access the
network before authentication succeeds.
# Verify that the Portal authentication page can be displayed through the domain name
mode.
Enter www.HCIE-WLAN.com in the address box of the browser and press Enter.
On the page that is displayed, enter the user name (huawei01) and password
(Huawei@123).
Portal authentication succeeds.

# Verify the network connectivity of the STA again.


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
C:\Users\admin>
After Portal authentication succeeds, the STA can access the network
7.3.2 Verifying 802.1X Authentication

Use a STA to connect to the SSID HCIE-EM of AP2. Enter the user name dot1x and password
Huawei@123 when connecting to the SSID. Verify that 802.1X authentication of the STA
succeeds.
# Connect a STA to the SSID HCIE-EM.
# Check the IP address of the STA after successful connectivity.
C:\Users\admin>ipconfig
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . . . . . :

Link-local IPv6 Address . . . . . . . . : fe80::c5c4:b531:db4a:2937%21
IPv4 Address . . . . . . . . . . . . . . . . : 192.168.200.224
Subnet Mask . . . . . . . . . . . . . . . .: 255.255.255.0
Default Gateway . . . . . . . . . . . . . . . . . .: 192.168.200.1
C:\Users\admin>
The command output shows that the STA has obtained the IP address 192.168.200.224.
This IP address is assigned from the address pool on VLANIF 200.
# Test the connectivity of the STA with the external network.



C:\Users\admin>
The STA can successfully access the external network.

8 WLAN Network Planning and Design Lab
8.1 Introduction
This lab introduces the process and steps of WLAN planning and design so that you can
understand Huawei WLAN planning scenarios.
8.1.2 Objectives
⚫ Understand how to plan an indoor WLAN network.
⚫ Understand how to plan an outdoor WLAN network.
Figure 8-1 Building floor plan for WLAN planning

Figure 8-1 shows the building floor plan of a project, and the indoor areas require coverage.
Key coverage areas include office areas, meeting rooms, and activity area. Common
coverage areas include bathrooms, break rooms, equipment room, and utility room.
Elevators are not covered.
This floor has two office areas, each of which involves 100 users. Assume that each user in
the office areas has two terminals.
The number of users in the activity area does not exceed 100, with a concurrency rate of
60%. The maximum number of users in each meeting room does not exceed 30, with a
concurrency rate of 50%. Assume that each user in these areas has a single terminal.
The WLAN must comply with the 802.11ax standard. The activity area has an atrium design
and therefore does not support ceiling mounting.
Table 8-1 Service type analysis for a single user
Single-Service Baseline Rate (Mbps)

Service Type Percentage
Excellent Good
Web browsing 8 4 40%
Streaming media
16 12 13%
(1080p)
Streaming media (4K) 50 22.5 10%
VoIP (voice) 0.25 0.125 10%
Electronic whiteboard 32 16 5%
Email 32 16 5%
File transfer 32 16 5%
Instant messaging 0.5 0.25 12%
Table 8-2 WLAN site survey information collection
Item Result
Only one floor needs to be covered by the WLAN.

Key coverage areas: two office areas, four meeting rooms, and
Coverage area one activity area
description
Common coverage area: two break rooms, two bathrooms, one
equipment room, and one utility room
100 users in each office area, two terminals per user, 70%
concurrency rate
30 users in each meeting room, two terminals per user, 50%
Coverage concurrency rate
capacity
description 100 users in each activity area, one terminal per user, 60%
concurrency rate
6 users in each of other areas, one terminal per user, 50%
concurrency
The onsite building information is consistent with that on the floor

plan provided by the proprietor.
Building
Switches can be placed in the utility room or equipment rooms.
information
The floor height is 2.6 m. The activity area has an atrium of over
15 m high, and therefore does not support ceiling mounting.
External walls: 240 mm thick, concrete;

walls of bathrooms, external walls of the
Building
equipment room, and walls between
materials and Wall/door/window
meeting rooms: 240 mm thick, brick; walls
signal /ceiling
of office areas and doors: 12 mm thick,
attenuation
armored glass; doors of bathrooms: 40 mm
thick, solid wood door
There are two internal interference sources,

both on the desk, which have been marked
Interference Internal on the floor plan. They are 1 m high and
source interference source work at 21 dBm power @ 2.4 GHz and 24
dBm power @ 5 GHz, with an antenna gain
of 4 dBi.
Network cables between switches and APs

Cabling rules Cabling rules are routed above the ceiling. Hidden cabling
is required, and hole drilling is allowed.
One switch is installed in the equipment

room, and the other switch is installed in
Device installation the utility room. For details about AP
positions deployment positions, see the network
planning report exported from WLAN
Planner.
Power sockets are available near the switch

Power supply
Survey installation positions, and APs can use PoE
confirmation
description power supply.
The heights of desks and chairs are normal,

Internal building
with little interference to signals, which can
structure
be ignored.
Check whether upper-layer aggregation

Transmission
transmission resources are available at the
resources
switch installation positions.
Customer The SSIDs of employees and guests need to be separated, and

requirements bandwidth for guests is limited to 2 Mbps.
Installation
environment Property entry: Approved
preparation
Figure 8-2 Positions of WLAN interference sources

⚫ Select device models.
⚫ Calculate the number of APs.
⚫ Log in to WLAN Planner and import the building floor plan.
⚫ Set the environment and draw obstacles.
⚫ Deploy APs.
⚫ Adjust AP parameters and antenna angles.
⚫ Deploy switches.
⚫ Lay out cables.
⚫ Perform signal simulation.
⚫ Adjust the AP positions and repeatedly perform signal simulation until the signal
coverage is complete.
⚫ Export the network planning report.

Step 1 Collect WLAN project requirements.
Analyze per-user bandwidth.
# Calculate the average bandwidth required by each user based on the service type and
proportion of each user. After the per-user bandwidth requirement is obtained, the total
bandwidth of the WLAN can be calculated, facilitating AP model selection and AP quantity
calculation. Excellent and good criteria indicate user service experience at different
bandwidths.
In this project, user bandwidth planning for meeting rooms and office areas assumes
excellent user experience.
In this project, user bandwidth planning for other areas such as break rooms and activity
area assumes good user experience.
Per-user bandwidth requirement (excellent) ≈ 15.17 Mbps (8 x 40% + 16 x 13% + 50 x 10%
+ 0.25 x 10% + 32 x 5% + 32 x 5% + 32 x 5% + 0.5 x 12%)
Therefore, the per-user bandwidth can be planned as 16 Mbps.
Per-user bandwidth requirement (good) ≈ 7.85 Mbps (4 x 40% + 12 x 13% + 22.5 x 10% +
0.125 x 10% + 16 x 5% + 16 x 5% + 16 x 5% + 0.25 x 12%)
Therefore, the per-user bandwidth can be planned as 8 Mbps.
Optimize the WLAN project requirement collection table based on the per-user bandwidth.
Item Result
Restrictions of laws and

Country code: CN
regulations
Floor map JPEG scale floor plan (building length: 50 m)
Coverage mode Indoor settled
Single office area: a total of 200 STAs, 16 Mbps

bandwidth per STA, 70% concurrency
Bandwidth requirement
Meeting room: a total of 30 STAs, 16 Mbps bandwidth
per STA, 50% concurrency
Activity area: a total of 100 STAs, 8 Mbps bandwidth per

STA, 60% concurrency
Single bathroom, break room, and equipment room: a

total of 10 STAs, 4 Mbps bandwidth per STA, 40%
concurrency
Key coverage areas: office area, meeting room, and

activity area
Coverage areas
Common coverage areas: break room, bathroom, utility
room, and equipment room
Key coverage area: ≥ –65 dBm; common coverage area ≥

Field strength –80 dBm
requirements Edge field strength: ≤ –80 dBm; interference field
strength: –60 dBm; leakage field strength: no requirement
Networking mode AC off-path networking + direct forwarding
Power supply mode PoE switch for supplying power to APs
Common mobile phones and laptops, 2x2 MIMO, 40 MHz

STA type frequency bandwidth @ 2.4 GHz and 80 MHz frequency
bandwidth @ 5 GHz
Employee authentication mode: 802.1X; guest

Security policy
authentication mode: Portal
Positions and PoE power supply distance of uplink

Switch positions
switches meet the requirements.
Acceptance items and

No special requirement
standards
Step 2 Select WLAN device models and calculate the number of APs.
The customer requires 802.11ax compliance and the per-user bandwidth of 16 Mbps.
Assume that the number of users in an office area is 100, each user has two terminals (one
terminal per user in the activity area), and the concurrency rate is 70%. In this case, the
number of terminals in an office area is calculated as follows:
Total number of terminals in an office area = 100 x 2 x 70% = 140
On the premise that the per-user bandwidth requirement is 16 Mbps, a maximum of 14

concurrent terminals are supported on a Huawei's dual-radio Wi-Fi 6 AP and a maximum
of 23 concurrent triple-band terminals are supported on a Huawei's triple-radio Wi-Fi 6 AP.
That is, a single office area requires around 10 dual-radio APs (140/14) or 7 triple-radio
APs (140/23). Considering the cost and scenario, the triple-radio AirEngine 5760-51 is used,
saving the budget and reducing the number of required APs. (Note that the RTU license
needs to be loaded for the AP to support eight spatial streams.)
Due to the onsite environment and obstacles, it is preliminarily planned that 7 to 10 APs
can be deployed in a single office area and 2 APs in each meeting room. Because the
activity area is a narrow area and does not support ceiling mounting, it is estimated that 3
to 6 APs can be deployed.
The number of managed APs does not exceed 50. Therefore, an AirEngine 9700S-S is
applicable to this scenario.
PoE switches are required to supply power to APs. Only indoor APs are required, so the
switches only need to support PoE. In this case, use the CloudEngine S5731-H24P4XC, and
purchase PoE power modules.
Step 3 Log in to WLAN Planner.

Any user can apply for and use WLAN Planner on the enterprise service tool cloud platform
at https://serviceturbo-cloud-
cn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdc-
eff3d0346b42.
# Click Running.
# Read the security management regulations on customer network data and click Confirm.
Step 4 Create floors and import floor plans.

# Create a floor and import the floor plan. This project is a WLAN indoor scenario. Set Type
to Indoor and enter the name. Click Select File to import the corresponding floor plan.
# Select a WLAN scenario. For this project, select Office and click Next.
# You can specify a built-in network construction standard as required. For this project,
select Other and click OK.
# Select the floor plan file and click OK.
Step 5 Set the environment and obstacles.

Set the environment and regions based on the customer requirement collection table and
site survey information.
# Set the scale.
# The floor plan width is 50 m. Select any position on the floor plan and draw a line from
left to right.
Set up the environment.

# Draw obstacles.
# Set parameters for interference source 1.

# Set parameters for interference source 2.

Step 6 Set regions.

Draw the areas to be covered.
Set key coverage areas.

# Set office area 1.
# Set the activity area.

# Set office area 2.

Set VIP coverage areas.

# Set basic properties for conference rooms.
#
Set other coverage areas.

# Set the basic properties for the break rooms, equipment room, and bathrooms.
Check the regions after the basic properties are set.

Step 7 Deploy APs and adjust AP parameters.

# You can manually deploy APs one by one or configure automatic deployment and then
manually adjust the number and positions of APs.
# Because only one floor is involved in this project, select Current Floor and click Next.
# Select the required AP model. This project uses the AirEngine 5760-51.
# Set channels.
# Set the power.

# Manually adjust the number and positions of APs.

Adjust AP parameters.
# Right-click an AP in the activity area and choose Property from the shortcut menu. (You
can drag-select all APs and right-click them for the setting). The AP Attributes page is
displayed.
# Set AP parameters. In the activity area, APs cannot be deployed on the ceiling. Instead,
they are mounted on the wall at a height of 2.4 m. Configure the APs to work in triple-
radio mode with the RTU license loaded. Retain the default values for other parameters.
The configurations of other APs in the activity area are the same and are not mentioned
here.
# Right-click APs in other areas and choose Property from the shortcut menu. (You can
drag-select all APs and right-click them for the setting). The AP Attributes page is displayed.
Set AP parameters. APs in other areas are mounted on the T-rails of the ceiling at a height
of 3 m. Configure the APs to work in triple-radio mode with the RTU license loaded. Retain
the default values for other parameters. The configurations of other APs are the same and
are not mentioned here.
Step 8 Deploy switches.

# Select a switch model. This project uses the S5731-S24P4X switch.
# Deploy the switches at the planned positions. Based on site survey information, the
switches can be deployed in the equipment room or utility room. To shorten cables, deploy
one switch in the equipment room and the other in the utility room.
Step 9 Lay out cables.

Network cables can be routed above the ceilings to directly connect APs and switches.
Step 10 Perform signal simulation.

# Check the coverage in the areas requiring the signal strength of –60 dBm. If any area
has no color, the signal strength is lower than –60 dBm.
# Focus on the signal coverage in the meeting rooms.

# Check the signal strength in key coverage areas, that is, areas requiring the signal
strength of higher than –65 dBm. If any area has no color, the signal strength is lower than
–65 dBm.
# Focus on the signal coverage in the office areas and activity area.
# Check the signal strength in common coverage areas, that is, areas requiring the signal
strength of higher than –70 dBm. If any area has no color, the signal strength is lower than
–70 dBm.
# Focus on the signal coverage in the break rooms and bathrooms.

If the signal coverage is poor, adjust the number and positions of repeatedly to ensure
normal signal simulation.
Check whether there are areas with poor signal coverage.
The signal coverage in most areas is good.
Step 11 Export the network planning report.

Before exporting the network planning report, you can check the network planning.
# Check whether there is any problem. Confirm any warning items. If there is no problem,
export the network planning report.
# Export the network planning report.
# Save the report to the local host.

# Check the saved network planning report.
----End

8.3.1 Network Planning Report
WLAN Planning
Report_HCIE-WLAN .docx
8.3.2 Bill of Materials
Bill of
Materials_HCIE-WLAN .xls

Hcie-wlan v1.0 Lab Guide

Uploaded by

Copyright:

Available Formats

You might also like

Hcie-wlan v1.0 Lab Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hcie-wlan v1.0 Lab Guide

Uploaded by

Copyright:

Available Formats

Huawei WLAN Certification Training

HCIE-WLAN Certification Training

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Proprietary and Confidential

Huawei Certificate System

Huawei Certification follows the "platform + ecosystem" development strategy,

HCIE-WLAN is designed for Huawei local offices, online engineers in representative

About This Document

Background Knowledge Required

Experiment Environment Overview

Device Name Model Software Version

Device Name Model Software Version

RADIUS server and

Experiment Environment Preparation

Device Name Quantity Remarks

iMaster NCE-Campus 1 Shared by all groups

iMaster NCE-CampusInsight 1 Shared by all groups

Core switch 4 Shared by all groups

AirEngine 9700-M 3 for each group

AirEngine 5760-51 6 for each group

Laptop 3 for each group

About This Document .......................................................................................................................... 3

2.3.1 Simulating a Fault on WAC1 ..........................................................................................................................................66

4.4 Reference Configuration ................................................................................................................................................... 131

6.4.6 AR1 Configuration ........................................................................................................................................................... 222

1 WLAN Networking Lab

1.1.3 Networking and Service Description

Figure 1-1 WLAN networking topology

1.1.4 Networking Design

Table 1-1 VLAN port types and parameters

Device Port Port Type VLAN Settings

Device Port Port Type VLAN Settings

GE0/0/1 Access PVID: 200

Table 1-2 IP address plan

Device Interface IP Address

Device Interface IP Address

WAC1 Loopback 0 10.10.10.10/32

AR2 GE0/0/2 10.1.200.1/30

VLANIF 200 10.1.200.2/30

VLANIF 100 192.168.100.1/24

VLANIF 120 192.168.120.1/24

Table 1-3 WLAN service parameter design

WLAN Service Parameter

Forwarding mode Direct forwarding

VLAN pool: HCIE-Lab, containing VLANs 11 and 12

WLAN Service Parameter

WAC's source interface 10.10.10.10

1.2 Configuration Procedure

1.2.2 Configuration Steps

[Core-SW] interface GigabitEthernet 0/0/1

[Huawei] sysname Agg1

[Huawei] sysname Agg2

[Agg2] interface GigabitEthernet 0/0/1

[Huawei] sysname SW4

[Huawei] sysname WAC1

Step 2 Configure IP addresses.

[Core-SW] interface Vlanif 10