HCIE-WLAN V1.0 Training Material

• WAN authentication bypass typically applies to HQ-branch networks where
branch networks connect to the HQ network through the WAN. In traditional

solutions, most WLAN services are centrally processed by WACs, posing high
requirements for the WAN, for example, large bandwidth, low latency, and high
stability. However, in actual scenarios, enterprises lease carrier networks but do
not use private lines to connect the HQ with branches. The quality of the
intermediate network cannot be guaranteed, resulting in poor network security
and user experience. To address these problems, Huawei offers a new WLAN
solution. In the solution, branch AP groups are created at branches, and services
such as user access and access authentication are processed by APs. This solution
makes branch networks less dependent on the HQ network. In this way, users at
branches can still use the WLAN even if the branch networks are disconnected
from the HQ network.
• Based on the BSS coloring mechanism, wireless traffic is marked at the beginning
of transmission, which helps surrounding devices determine whether to the allow
wireless medium to be used at the same time. Even if the level of the detection
signal from the neighboring network exceeds the traditional signal detection
threshold, the wireless medium can be considered idle and new transmission is
allowed as long as the transmit power of the new transmission is lowered
appropriately. The BSS coloring mechanism aims to enable devices to distinguish
between the transmissions on the local and neighboring networks. Self-adaptive
power and sensitivity thresholds allow dynamic adjustment of the transmit power
and signal detection threshold to increase SR efficiency and minimize co-channel
interference as much as possible.
• If an 802.11ax AP detects an OBSS with the same color, the AP can change its
own BSS color to reduce co-channel interference. If two APs have the same BSS
color field, a BSS color collision occurs. If an 802.11ax AP hears different BSS
color fields from other APs or STAs connected to it, a color collision is detected.
• If a STA detects a color collision, it sends a color collision report to the associated
AP. In the report, the STA sends BSS coloring information about all OBSSs it can
monitor.
• Each generation of new Wi-Fi standards can extend the battery life of STAs by
supporting faster and longer transmission to lower their power consumption. Wi-
Fi 6 introduces target wakeup time (TWT), which allows an AP to inform a STA
of when to sleep and provide the STA with a scheduling table of when to wake
up. Even though the STA sleeps for a short period of time each time, multiple
sleeps significantly prolong the battery life of the STA.
• TWT wakes up the Wi-Fi function of STAs on demand, reducing the power
consumption of the STAs by 30%.
• TWT was first proposed in the 802.11ah standard. This mechanism is designed to
save energy for IoT devices, especially devices with low traffic volume such as
smart meters. TWT allows IoT devices to stay in the sleep state as long as
possible, reducing power consumption. After a TWT agreement is established, a
STA wakes up after a longer period of time, without the need of waiting for a
Beacon frame. The 802.11ax standard improves on TWT by defining rules for STA
behavior and implementing channel access control on the premise of meeting
energy saving requirements. TWT is classified into unicast TWT and broadcast
TWT.
• By referring to the security architecture defined in ITU-T X.805, Huawei divides
the network into the management plane, control plane, and forwarding plane
and divides each plane into the device layer, network layer, and application layer.
Based on this, Huawei provides a plane-based, layered network security
architecture model to guide a wide range of solutions to analyze network
security threats and develop security policies and schemes.
▫ Management plane: This plane focuses on the security of application and

service data for management users, that is, security of operation,
maintenance, and management information.
▫ Control plane: WLAN devices must run various protocols to transmit service
traffic. The services must be protected against attacks or spoofing.
▫ Forwarding plane: WLAN devices use the destination MAC and IP addresses
of packets to search for routes for forwarding the packets. Security
measures must be taken in the forwarding routes to prevent attacks on
WLAN devices and spreading of attack traffic over the IP network.
• By isolating the control, management, and forwarding planes, WLAN devices can
ensure that attacks on any of the planes do not affect other planes.
• Unified entry, facilitating expansion and reducing maintenance costs.
▫ Wi-Fi access service for daily office work.
▫ Built-in Bluetooth module, supporting RFID and ZigBee to expand IoT

services.
▫ Integrated Wi-Fi and IoT access network management, simplifying O&M.
• Unified management, reducing network construction costs.
▫ IoT and Wi-Fi services share the same backhaul network.
▫ Only one physical site needs to be managed and maintained.
▫ USB ports and standard Mini PCI Express (PCI-E) interfaces are available for
easy IoT service expansion.
• Application layer: carries LBS applications to develop the upper-layer application
platform or develop and display applications by invoking APIs in the customer's
existing systems such as the production management system and administrative
management system.
• Platform layer: consists of the positioning engine, iMaster NCE, and GIS/map
platform.
▫ Positioning engine: calculates the obtained initial positioning information,

such as the RSSI and time, to obtain the coordinates of located objects.
▫ iMaster NCE: manages, configures, and maintains network devices.
▫ GIS/Map platform: provides map information to the positioning engine.
• Network layer: deploys APs to provide Wi-Fi and Bluetooth signal coverage and
management. (Determine whether to deploy iBeacons based on site
requirements. In most cases, iBeacons are required in mobile phone navigation
scenarios.)
▫ An AP scans the RSSI data of Wi-Fi terminals and reports the data.
▫ The AP scans the RSSI data of Bluetooth terminals and reports the data.
▫ The AP can serve as a standard iBeacon to broadcast signals.
▫ The AP transparently transmits positioning packets through a PCIe card.
• Terminal layer: accommodates various terminals to be located.

• Fault Demarcation in Minutes.
▫ Proactive issue identification: proactively identifies 85% of potential

network issues using the AI algorithms that are continuously trained via
Huawei's 200,000+ terminals.
▫ Fault locating within minutes: uses the fault inference engine to locate
issues within minutes, identify root causes of the issues, and provide
effective fault rectification suggestions.
▫ Intelligent fault prediction: uses AI to learn historical data and dynamically

generate a baseline, and compares and analyzes real-time data against the
baseline to predict possible faults.
• Intelligent Network Optimization.
▫ Real-time simulation feedback: evaluates channel conflicts on wireless

networks in real time and provides optimization suggestions based on
neighbor and radio information about devices on each floor.
▫ Predictive optimization: identifies edge APs and predicts the load trend of
APs based on historical data analysis, performs predictive optimization on
wireless networks, and compares the gains before and after the
optimization. This practice improves the network-wide performance by
50%+ (certified by Tolly).
• The service process of a common network project includes requirement
clarification, high-level design, site survey, detailed design, installation and
commissioning, optimization, and acceptance.
• In high-density scenarios, network planning and optimization can be performed
based on network construction standards in high-density scenarios. Wi-Fi 6 triple-
radio APs (smart antennas) can be used to increase the number of STAs accessed
by a single AP. In addition, technologies such as radio resource management,
load balancing, and QoS can be used to ensure user experience.
• CD
• In scenarios with densely distributed rooms, such as dormitories, hotels, and
wards, a large number of packets will be sent to the WAC if the WAC + Fit AP
architecture (with one AP deployed in each room) is used. As a result, the WAC
may become a performance bottleneck on the network. To address the
performance bottleneck and signal coverage problems, we can deploy the APs on
a corridor and install antennas in each room to provide signal coverage.
However, this solution has restrictions on the coverage distance because the
signal attenuation increases with the distance. In addition, if multiple rooms
share one AP, the signal quality and performance are poor. To address this, the
agile distributed architecture is introduced.
• Customer benefits of the agile distributed architecture:
• Simple management: A WAC only needs to manage a small number of central
APs. For example, only 200 APs need to be managed by a WAC to provide
wireless coverage for about 10,000 rooms.
• Flexible deployment and full signal coverage without coverage holes: A central
AP connects to RUs through Ethernet cables, causing no wall penetration loss or
feeder loss and providing high-quality signal coverage. The RUs support various
mounting modes such as junction box-, wall-, and ceiling-mounting.
• Ultra-long coverage range: Different from traditional APs with antennas that
support only a 15 m coverage range, the central AP can connect to RUs through
Ethernet cables at a maximum distance of 100 m, expanding the network
deployment scope by several folds. If the central AP is deployed in a corridor, it
can provide long-distance coverage (> 100 m).
• Some micro and small enterprises need to build their own WLANs that are
managed independently due to lack of a cloud management architecture. If the
Fat AP architecture is used, APs cannot be managed and maintained in a unified
manner, and roaming experience for STAs may be affected. If the WAC + Fit AP
architecture is used, only a few APs are required because the target coverage
area is relatively small, which cannot accommodate so many STAs. Additionally,
the WAC and license costs are high in this architecture. If an AP can manage
other APs and provide unified O&M and continuous roaming capabilities, the
enterprises' requirements can be met. The leader AP architecture designed by
Huawei will work.
• Huawei's cloud management platform, iMaster NCE-Campus, functions as the
core component of Huawei's CloudCampus Solution and centrally manages
Huawei network devices, such as APs, ARs, switches, and firewalls. iMaster NCE-
Campus can implement unified multi-tenant management, allow plug-and-play
of network devices, support batch network service deployment, and provide
Application Programming Interfaces (APIs) to interconnect with 3rd-party
platforms for VASs.
• Compared with the traditional WAC + Fit AP architecture, the cloud management
architecture has the following advantages:
▫ Plug-and-play and automatic deployment of devices greatly reduce network

deployment costs.
▫ All cloud managed NEs are monitored and managed on the cloud
management platform.
▫ Cloud management solutions usually provide various tools on the cloud,

reducing OPEX. For example, Huawei's CloudCampus Solution provides end-
to-end cloud tools (such as CloudCampus APP).
• Local AC: manages and coordinates APs in a centralized manner, providing
functions such as STA access and AP configuration delivery.
• Navi AC: provides security, control, and management for STAs, implementing
identity authentication, authorization, and accounting.
• CAPWAP tunnel between a Local AC and the Navi AC: carries data packets from
the Local AC to the Navi AC for centralized forwarding.
• Demilitarized zone (DMZ): serves as a buffer zone between an insecure system

and a secure system. The DMZ is located between an internal network and an
external network and enables communication between them even when a
firewall is deployed. In this zone, you can place some open server facilities, such
as enterprise web servers and FTP servers. The DMZ effectively protects the
security of internal networks.
• In the Navi AC solution, STA roaming is allowed only between local ACs
connected to the same Navi AC.
• Networking requirements.
▫ There are reachable routes between the local AC and Navi AC.
▫ DHCP deployment mode: The Navi AC functions as a DHCP server to assign

IP addresses to guest STAs.
▫ Guest service data forwarding mode: Data is centralized to the Navi AC

through a CAPWAP tunnel.
• Configuration roadmap.
▫ On the Navi AC, create and configure a VAP profile, enable the Navi AC
function, specify a local AC address, and bind the VAP profile to the local
AC.
▫ On the local AC, specify the Navi AC address, create and configure a VAP
profile, and bind the VAP profile to the AP group. The VAP profile
configuration on the local AC must be the same as that on the Navi AC.
• You can associate a STA to the management SSID of a leader AP for
management, facilitating O&M. The management SSID has the following
features:
▫ Open system authentication is used by default, and no PSK is used.
▫ By default, the tunnel forwarding mode is used. After a STA connects to the
management SSID, it obtains an IP address from the leader AP. The default
gateway for STAs is deployed on the leader AP and has an IP address of
192.168.1.1.
▫ All APs advertise the management SSID. The default SSID name is
HUAWEI-Leader AP.
▫ The management SSID can only be hidden but cannot be deleted. A

network administrator can modify only the gateway address on the leader
AP but cannot change the name of the management SSID.
▫ The management SSID is used only for AP management. STAs associating

with this SSID cannot access network resources.
• By default, no authentication is required for Fit APs to go online a leader AP.
• Fit APs can connect to a leader AP in one of the following ways:
▫ An external DHCP server is used to allocate IP addresses to all APs. Ensure
that the leader AP and Fit APs are in the same VLAN so that the Fit APs can
discover the leader AP through CAPWAP broadcast.
▫ The leader AP functions as a DHCP server to allocate IP addresses to Fit
APs. In this case, it is recommended that the leader AP and Fit APs be in the
same VLAN.
▫ Fit APs can connect to the leader AP using static IP addresses. In this case, it
is recommended that the leader AP and Fit APs be in the same VLAN.
• To simplify configuration, the leader AP does not support manual configuration
of a CAPWAP interface. Instead, the CAPWAP interface is automatically created
by the leader AP.
• Layer 3 networking is supported between the leader AP and Fit APs.
▫ The static WAC list (containing the leader AP's IP address) can be
configured on Fit APs.
▫ Fit APs can obtain the IP address of the leader AP through DHCP Option 43.
• The leader AP supports DTLS encryption and decryption for the control plane and
forwarding plane.
• After Fit APs connect to the leader AP, MAC address or SN authentication can be
enabled to enhance security.
• Before deploying a leader AP, a network administrator needs to manually
configure an AP as the leader AP (default AP mode: Fit). The recommended
priority for electing a leader AP based on the AP model is as follows: AirEngine
9700D > AirEngine 8760 > AirEngine 6760 > AirEngine 5760.
• When the number of APs exceeds 24, you are advised to configure an external
gateway for STAs, such as the AR router in this example.
• On a traditional WLAN, APs exchange data with STAs using wireless channels
and connect to a wired network through uplinks. If no wired network is available
before a WLAN is constructed, it takes long time and high costs to construct a
wired network. If positions of some APs on a WLAN need to be adjusted in the
future, the wired network must be adjusted accordingly, increasing the difficulty
in network adjustment. Regarding the long construction period, high costs, and
poor flexibility, a traditional WLAN does not apply to emergency
communications, wireless MANs, or areas with weak wired network
infrastructure. The wireless mesh network is introduced to resolve these
problems. The construction of a wireless mesh network requires only APs to be
deployed, which greatly speeds up network construction.
• A wireless mesh network saves cables required between mesh nodes while
providing path redundancy and rerouting functions as a distributed network.
▫ When a new AP is deployed, the AP can automatically connect to the

wireless mesh network and determine the optimal multi-hop transmission
path after being powered on.
▫ When an AP leaves from a wireless mesh network, the network can

automatically discover the topology change and adjust communication
routes to achieve the optimal transmission path.
• Mesh link management involves two phases: mesh link setup and teardown. The
two phases are implemented using three types of Mesh Action frames: Mesh
Peering Open, Mesh Peering Confirm, and Mesh Peering Close.
• 802.11s defines the following types of route management frames:
▫ RANN frame: This frame is used to announce the presence of an MPP.
▪ An MPP periodically broadcasts a RANN frame.
▪ After receiving the RANN frame, an MP reduces the TTL of the frame
by 1, updates the path metric, and broadcasts the frame. After an MP
reads a RANN frame, the MP checks whether the gateway specified in
the RANN frame exists in the local gateway list. If so, the MP updates
the gateway list based on the information in the RANN frame. If not,
the MP adds a gateway information entry to the gateway list.
▫ PREQ and PREP frames: In on-demand routing mode, the source node
broadcasts a PREQ frame to establish a route to the destination node. After
receiving the PREQ frame, an MP responds with a PREP frame.
• A mesh network supports the on-demand and proactive routing modes.
▫ On-demand routing: The source node broadcasts a PREQ frame to establish
a route to the destination node. After receiving the PREQ frame, a middle
node checks the sequence number in the frame. If the sequence number in
the PREQ frame is greater than or equal to that in the previous frame but
the metric in this frame is lower, the middle node creates a route to the
source node or updates the existing one. If no route to the destination node
is available, the middle node continues forwarding the PREQ frame.
▫ Proactive routing: An MPP periodically broadcasts a RANN frame. When an
MP receives a RANN frame and needs to create or update the route to the
MPP, the MP unicasts a PREP frame to the MPP and broadcasts the RANN
frame. Then, the MPP creates a reverse path from the root node to the
source node, and the MP creates a forwarding path from the root node to
the source node.
• HWMP combines the previous two routing modes to ensure that data frames are
always transmitted on mesh links with the best transmission quality.
• Huawei develops and optimizes a proprietary mesh routing protocol based on the
802.11s standard. This mesh routing protocol has the following characteristics:
▫ 1. Reduces the number of times frames are forwarded during the wireless
link setup.
▫ 2. Constructs a forwarding topology based on the path with only a few
hops from the source node to the destination node.
• After MP1 is powered on, it exchanges Mesh Peering Open and Mesh Peering
Confirm frames with MP2, which has associated with the WAC using information
including the default mesh ID and PSK. MP1 sets up a temporary, insecure mesh
link with MP2 and further establishes a route to the MPP.
• MP1 obtains an IP address for itself and the IP address of the WAC from the
DHCP server through the mesh link.
• MP1 discovers and associates with the WAC through the mesh link and
establishes a temporary CAPWAP tunnel to obtain the configuration from the
WAC.
• After MP1 obtains the new configuration, it sends a Mesh Peering Close frame to
tear down the temporary mesh link.
• MP1 exchanges Mesh Peering Open and Mesh Peering Confirm frames with MP2
using the new mesh configuration for key negotiation. After MP1 and MP2
negotiate the key for communication, the two MPs set up a formal, secure mesh
link.
• MP1 re-establishes a secure CAPWAP tunnel with the WAC using the new
configuration.
• If MP1 cannot set up a mesh link with MP2 within a long period of time, the
default configuration is restored. The whole process starts from step 1 until MP1
establishes a secure CAPWAP tunnel with the WAC using the new configuration.
• Mesh wireless bridging applies to wireless signal coverage for small-sized squares
and can provide a larger coverage area by directly connecting remote MPs to an
MPP through mesh links.
• An MP can detect other MPs on a mesh network and establish mesh links with
them. This may generate redundant mesh links. Mesh routing can be configured
for such a network topology to selectively block redundant links and eliminate
loops. When a mesh link is faulty, a backup link is available to ensure reliability.
• After MPs establish mesh links with an MPP, they run on the same channel as
the MPP. If network coverage is required for different areas, configure multiple
MPPs and enable them to work on different channels. This prevents MPs
connected to the MPPs from preempting channels and thereby improves
coverage performance. Each MP can select an MPP with the minimum hops from
itself as the gateway to connect to the wired network.
• A mesh network supports only transparent transmission of STP BPDUs. An STP-
enabled AP does not forward STP BPDUs to the wireless side but forwards STP
BPDUs only to its wired side.
• In scenario 1, the switch forms a single loop with mesh links. To break the loop,
enable STP on the switch and ensure that STP is not enabled on GE0/0/1
connecting the WAC to the MPP.
• In scenario 2, the WAC, SW1, SW2, and MPP form loop 1, and SW3, SW4, and
MP3 form loop 2. If STP BPDUs can be transparently transmitted over mesh links,
SW3 and SW4 on loop 2 will be incorrectly calculated into loop 1. To prevent
miscalculations, enable STP on the MPP and MP3 so that STP BPDUs from loop 1
and loop 2 will not be transparently forwarded to the wireless side. The MPP
implements STP calculation for loop 1 and blocks wired-side interfaces based on
the calculation results. MP3 implements STP calculation for loop 2 and blocks
wired-side interfaces based on the calculation results.
• Mesh networks support mesh link redundancy. To prevent loops, use mesh
routing to decide on the forwarding path.
• A vehicle-ground fast link handover network is a single-hop Layer 2 mesh
network composed of the WAC, trackside APs, and vehicle-mounted APs.
▫ WAC: deployed on the ground network to manage and control trackside

APs.
▫ Trackside APs: Fit APs deployed along the track. They function as MPPs and
communicate with the WAC in wired mode at Layer 2.
▫ Vehicle-mounted APs: Fat APs deployed in the front and rear of a train.
They function as MPs to set up mesh links with trackside APs.
• Depending on the use of vehicle-mounted APs, vehicle-ground fast link handover

has three network models:
▫ The vehicle-mounted AP in the rear of a moving train does not need to

work while the vehicle-mounted AP in the front of the train is working.
Once the train arrives at the destination, it switches the forward direction
and the vehicle-mounted AP in the rear takes over services.
▫ The vehicle-mounted AP in the front of a moving train does not need to

work while the vehicle-mounted AP in the rear of the train is working. Once
the train arrives at the destination, it switches the forward direction and the
vehicle-mounted AP in the front takes over services.
▫ While a train is moving, the vehicle-mounted APs in the front and rear can
both work to load balance traffic. The two APs work on different channels
to communicate with trackside APs.
• Mesh link setup and teardown:
▫ To enable vehicle-ground communication, a vehicle-mounted AP sets up

mesh links with neighboring trackside APs. If the RSSI of a trackside AP is
greater than or equal to N (N = Minimum RSSI threshold of a mesh link – 5
dB) and the number of mesh links has not reached the maximum, the
vehicle-mounted AP sets up a mesh link with the trackside AP according to
the common mesh link setup process.
▫ The vehicle-mounted AP sets up mesh links with multiple trackside APs and
chooses one mesh link with the optimal quality as the active link to
transmit data. Other links act as candidate links. As the train moves
forward, the vehicle-mounted AP chooses the candidate link of the best
quality as the active link to implement fast handover so that quality of
vehicle-ground communications is always at the optimal level.
▫ If the RSSI of a mesh link is smaller than N (N = Minimum RSSI threshold

of a mesh link – 5 dB) and the mesh link is not the active link, the vehicle-
mounted AP tears down the link so that it can set up a better mesh link
with another trackside AP.
• Method of determining whether a candidate link is within the candidate area:
▫ The RSSI range of a candidate area is from the minimum RSSI threshold to
the maximum RSSI threshold of the mesh link. Candidate links with RSSI
values in this range are considered within the candidate area. Otherwise,
the candidate links are outside the candidate area.
• Serving time of the current active link ≥ link holding time:
▫ A holding time is specified for the active link to prevent frequent handovers.
The serving time of the active link must be longer than or equal to the
specified holding time. Otherwise, the vehicle-mounted AP can only
implement an emergency handover, not a common handover.
• If the current active link is disconnected due to a trackside AP fault or when the
train leaves the originating station, no active link is available. The vehicle-
mounted AP then performs an emergency handover. The vehicle-mounted AP
selects the candidate link with the best quality as the active link from the
candidate area. If no candidate link is available in the candidate area, the vehicle-
mounted AP selects the candidate link with the highest RSSI in other areas as the
active link.
• Multicast data guarantee
▫ Vehicle-mounted multimedia devices on a moving train deliver multimedia

information services to passengers in multicast mode. Reliable multicast
data transmission ensures smooth delivery of multimedia information
services. All vehicle-mounted multimedia devices are added to a multicast
group. As the train moves ahead, the active link changes frequently. Only
trackside APs and vehicle-mounted APs are aware of the link change. Other
ground devices, such as switches to which trackside APs are connected,
cannot detect the change and therefore fail to forward multicast data.
• Configuration precautions.
▫ Mesh functions are not supported by the following models: AP7060DN,

WA375DD-CE, AP5510-W-GP, AD9431DN-24X (including the matching
RUs), AD9430DN-24 (including the matching RUs), AD9430DN-12
(including the matching RUs), AP7030DE, AP9330DN, AP2030DN,
AP2050DN, AP2050DN-E, AP2050DN-S, AP2030DN-S, AP2051DN,
AP2051DN-S, AP2051DN-L-S, AirEngine 5760-10, AP2051DN-E.
▫ The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios

but not wireless coverage services. It is mainly used by WDS and mesh
backhaul links. The 4.9 GHz frequency band is out of the channel range
reselected using DFS.
▫ After the mesh configuration is complete, APs can connect to a WAC

through mesh links. To use WLAN services, you still need to configure basic
WLAN services. For details, see WLAN Service Configuration.
▫ The WLAN mesh function and WLAN WDS function are mutually exclusive.
If the WLAN WDS function has been configured, the WLAN mesh function
cannot be configured.
▫ If WDS or mesh services are deployed on a radio, the radio can work only in
normal mode, even if it is configured to work in monitor mode.
▫ Avoid using radar channels to configure mesh links. It takes several minutes
or dozens of minutes longer to establish mesh links on radar channels than
longer than that to establish mesh links on non-radar channels.
• Configuration roadmap.
▫ Configure network connectivity and enable the AP (MPP) in AP1 to go

online on the WAC in wired mode.
▫ Configure mesh services to enable APs (MPs) in AP2 and AP3 to go online
on the WAC through mesh links.
• In this example, the AP8130DN that provides radios 0 and 1 is used.
• Radio 1 of the AP8130DN is used as an example. The parameter coverage
distance indicates the radio coverage distance, which is 3 (unit: 100 m) by
default. This example sets the radio coverage distance parameter to 4. You can
configure the parameter based on site requirements.
• After mesh services take effect, run the display wlan mesh link all command to
check mesh link information.
• GRE is easy to implement and increases only a few loads on devices on both ends
of a tunnel.
• GRE sets up tunnels over an IPv4 network to connect networks running different
protocols, leveraging the original network architecture and reducing costs.
• GRE enlarges the operation scope of network protocols that support limited hop
counts, allowing for flexible topologies on enterprise networks.
• Encapsulation:
▫ The ingress PE receives an X protocol packet from the interface connected

to the X network, and sends it to the X protocol.
▫ The X protocol checks the destination address in the packet header and
searches the routing table or the forwarding table for the outbound
interface. If the outbound interface is a GRE tunnel interface, the ingress PE
adds a GRE header to the packet.
▫ The ingress PE adds an IP header to the packet because the transport

network runs the IP protocol. The source address and destination address in
the IP header are the tunnel source and destination address, respectively.
▫ The ingress PE searches the IP routing table for the outbound interface
based on the destination address in the IP header (tunnel destination
address) and transmits the packet over the IP transport network.
• Decapsulation:
▫ The decapsulation process is opposite to the encapsulation process.
▪ After receiving the packet from the GRE tunnel interface, the egress
PE analyzes the IP header in the packet and finds that itself is the
destination of the packet. Then the egress PE removes the IP header
and delivers the packet to the GRE protocol for processing.
▪ The GRE protocol removes the GRE header and delivers the packet to
the X protocol.
• The Keepalive detection function is implemented as follows:
▫ After the Keepalive detection function is enabled on the source end of a

GRE tunnel, the source end starts a timer to periodically send and count
Keepalive probes. The number increases by 1 every time a Keepalive probe
is sent.
▫ The remote end sends a reply packet to the source end after receiving a
probe.
▫ If the source end receives a reply packet before the counter value reaches
the preset value, it considers the remote end reachable. If the source does
not receive any reply packet before the counter reaches the preset value,
specifically, the retry times, the source considers the peer unreachable and
resets the counter. Then, the source closes the tunnel connection. In this
case, the source interface still sends Keepalive probes to the remote
interface. When the remote interface becomes Up, the source interface
becomes Up too and sets up a tunnel with the remote interface.
• Note:
▫ The Keepalive detection function takes effect on one end of a tunnel,

regardless of whether it is configured on the other end. Once the remote
end receives a Keepalive message, it sends a response message to the
source end regardless of whether the Keepalive function is configured on
the remote end.
• EoGRE encapsulates Ethernet packets using GRE and transmits the encapsulated
packets over a network running another network layer protocol, such as IPv4. The
detailed working process is as follows:
▫ The user-side physical Ethernet interface GE0/0/2 on WAC1 receives an

Ethernet packet containing a VLAN tag from Network_1.
▫ WAC1 performs Layer 2 forwarding within the device based on the MAC
address and VLAN tag, and finds the outbound interface VE0/0/1.
▫ VE0/0/1 on WAC1 processes the Ethernet packet and forwards the packet
to Tunnel0/0/1 bound to itself. Tunnel0/0/1 encapsulates the Ethernet
packet using GRE (with the protocol code of 0x6558) and forwards the
encapsulated packet to WAC2 over a GRE tunnel.
▫ Tunnel0/0/1 on WAC2 decapsulates the received packet using GRE. When

finding that the protocol code is 0x6558, Tunnel0/0/1 forwards the
decapsulated Ethernet packet to VE0/0/1 bound to itself.
▫ After the decapsulated Ethernet packet reaches VE0/0/1 of WAC2, WAC2

performs Layer 2 forwarding within the device based on the MAC address
and VLAN tag, and finds the outbound interface GE0/0/2.
▫ WAC2 sends the Ethernet packet to Network_2 through the outbound

interface GE0/0/2.
• This example provides only the WAC-side EoGRE configuration. For the WLAN
configuration and AR's EoGRE configuration, see the corresponding configuration
document.
• IPsec VPN secures data transmission in VPN tunnels through IPsec.
• Leveraging encryption and authentication, IPsec secures service data transmission
over the Internet through: Data origin authentication: The receiver can
authenticate the sender's identity.
• Data encryption: The sender encrypts data packets and transmits them in
ciphertext on the Internet. The receiver decrypts or directly forwards the received
data packets.
• Data integrity: The receiver verifies the received data to determine whether the
packets have been tampered with.
• Anti-replay: The receiver rejects old or duplicate data packets to prevent

malicious users from launching attacks by repeatedly sending captured packets.
• IPsec implements secure transmission of IP packets using two security protocols:
Authentication Header (AH) and Encapsulating Security Payload (ESP).
▫ AH provides data origin authentication, data integrity check, and anti-

replay, but does not provide encryption.
▫ ESP provides encryption, data origin authentication, data integrity check, as

well as anti-replay.
• Security functions provided by AH and ESP depend on authentication and

encryption algorithms used by IPsec.
▫ Both AH and ESP can provide data origin authentication and data integrity
check using the following authentication algorithms: Message Digest 5
(MD5), Secure Hash Algorithm 1 (SHA1), SHA2-256, SHA2-384, SHA2-512,
and Senior Middle 3 (SM3).
▫ ESP can only encrypt IP packets using symmetric encryption algorithms,

including Data Encryption Standard (DES), Triple Data Encryption Standard
(3DES), Advanced Encryption Standard (AES), SM1, and SM4.
• The keys used for IPsec encryption and authentication can be manually
configured or dynamically negotiated using the Internet Key Exchange (IKE)
protocol. IKE works in the Internet Security Association and Key Management
Protocol (ISAKMP) framework. It uses the Diffie-Hellman (DH) algorithm to
securely deliver keys and authenticate identities over an insecure network,
ensuring data transmission security. IKE improves key security and simplifies IPsec
management.
• In tunnel mode, AH checks the integrity of the entire IP packet including the new
IP header. ESP checks the integrity of the ESP header, raw IP header, transport-
layer protocol header, data, and ESP trailer, excluding the new IP header.
Therefore, ESP cannot protect the new IP header. ESP encrypts the raw IP header,
transport-layer protocol header, data, and ESP trailer.
• Note: In this example, the ESP trailer and authentication data are not shown in
the figure.
• In transport mode, AH checks the integrity of the entire IP packet. ESP checks the
integrity of the ESP header, transport-layer protocol header, data, and ESP trailer,
excluding the IP header. ESP cannot protect the IP header. ESP encrypts the
transport-layer protocol header, data, and ESP trailer.
• Note: In this example, the ESP trailer and authentication data are not shown in
the figure.
• Because SAs are unidirectional, at least two SAs are required to protect incoming
and outgoing data flows between IPsec peers.
• An IPsec SA is established in manual or IKE auto-negotiation mode. The two

modes differ in the following:
▫ Key generation mode: In manual mode, all the parameters used to establish
an SA, including the encryption key and authentication key, need to be
manually configured and updated, leading to high key management costs
on large- and medium-sized networks. In IKE auto-negotiation mode, the
encryption key and authentication key are generated using the DH
algorithm and can be dynamically updated, reducing key management
costs and improving security.
▫ SA lifetime: In manual mode, an SA exists permanently. In IKE auto-

negotiation mode, the SA lifetime depends on the lifetime parameters
configured on two peers.
• Based on the differences, the manual mode applies to small-sized networks with
a small number of IPsec peers. The IKE auto-negotiation mode is recommended
on large- and medium-sized networks.
• IKE is an application-layer protocol based on UDP and is the signaling protocol of
IPsec.
• This figure shows the relationship between IKE and IPsec. Two peers establish an
IKE SA for identity authentication and key exchange. Protected by the IKE SA, the
peers negotiate a pair of IPsec SAs using the configured AH or ESP parameters.
Subsequently, data is encrypted and transmitted between the peers in an IPsec
tunnel.
• GRE over IPsec encapsulates packets using GRE and then IPsec. GRE over IPsec
supports the transport and tunnel encapsulation modes. The tunnel mode uses
an extra IPsec header, which increases the packet size and makes packets more
likely to be fragmented. Therefore, the transport mode is recommended.
• In the IP header added during IPsec encapsulation, the source IP address is the IP
address of the interface to which the IPsec policy is applied, and the destination
IP address is the IP address of the peer interface to which the IPsec policy on the
remote peer is applied.
• IPsec protects the data flows from the GRE source address to the GRE destination
address. In the IP header added during GRE encapsulation, the source and
destination addresses are the source and destination addresses of a GRE tunnel.
• This example focuses on the IPsec configuration.
• Navi AC: provides security, control, and management for STAs, implementing
identity authentication, authorization, and accounting.
• AP roles on a mesh network:
▫ MP: a mesh-capable node that uses IEEE 802.11 MAC and PHY protocols for
wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. They can provide
both mesh service and user access service.
▫ MPP: an MP that connects a WMN to other types of networks. An MPP has

the portal function and enables MPs to communicate with external
networks.
▫ Neighboring MP: an MP that directly communicates with another MP or

MPP.
▫ Candidate MP: a neighboring MP with which an MP prepares to establish a

mesh link.
▫ Peer MP: a neighboring MP that has established a mesh link with an MP.
• ABC
WLAN Reliability
Foreword
⚫ In real-world applications, many non-technical factors can cause network

failures and service interruptions. An effective way to enhance system
reliability is to improve fault tolerance capabilities of the system, speed up
fault recovery, and reduce the impact of faults on services. This course
introduces you Huawei WLAN reliability solutions, including HSB, dual-link
cold backup, N+1 backup, and CAPWAP link failover.
1 Huawei Confidential
Objectives
On completion of this course, you will be able to:

 Describe common WLAN reliability solutions, including HSB, dual-link cold
backup, N+1 backup, and CAPWAP link failover.
 Perform basic configurations of these WLAN reliability solutions.
Contents
1. WLAN Reliability Overview
2. HSB Technologies
3. Dual-Link Cold Backup
4. N+1 Backup
5. CAPWAP Link Failover
Overview of WLAN Reliability
⚫ There are various WLAN reliability technologies, which can be classified into the following
types based on network faults resolved by them:
 Fault detection technologies: focus on fault detection and diagnosis. For example, Bidirectional
Forwarding Detection (BFD) is a universal fault detection technology and can detect faults at any
layer. Ethernet operation, administration and maintenance (OAM) is a link-layer fault detection
technology.
 Protection switching technologies: focus on network recovery, back up hardware, link, and routing
information, and perform fast switching to ensure service continuity.
 Bypass technologies: focus on WLAN service guarantee upon network faults. Failover policies are
deployed to achieve uninterrupted WLAN services and prevent STAs from being disconnected.
• We focus on protection switching and failover technologies.

Comparison of Common Protection Switching Technologies
Item VRRP HSB Dual-Link HSB Dual-Link Cold Backup N+1 Backup
The AP status switchover is slow and
The AP status switchover is slow The AP status switchover is slow occurs only when CAPWAP link
and occurs only when CAPWAP and occurs only when CAPWAP disconnection timeout is detected.
The switchover speed is
link disconnection timeout is link disconnection timeout is APs and STAs need to go online
Switching speed fast, with little impact on
detected. After the AP status is detected. STAs need to go online again, and services are interrupted
services.
switched, STAs do not need to go again, and services are interrupted for a short period of time, which is
offline and online again. for a short period of time. longer than the service interruption
period in dual-link cold backup mode.
Deployment of
primary and
backup WACs Not supported Supported Supported Supported
at different
places
The models and software versions of the primary and backup The software versions of the primary and backup WACs must be the same.
WACs must be the same. No constraint is placed on the WAC model.
Constraints
One WAC serves as a backup for
One WAC serves as a backup only for one WAC.
multiple WACs, lowering device costs.
High reliability
requirement High reliability requirement
Applicable Low reliability requirement
No need for WAC Need for WAC deployment at Low reliability requirement
scope High cost control requirement
deployment at different different places
places
CAPWAP Link Failover Overview
⚫ In the WAC + Fit AP architecture, CAPWAP tunnels are used to forward control
packets between a WAC and APs. If a CAPWAP link is faulty, STAs on the connected
AP are brought offline, and new STAs cannot access the AP. In an HQ-branch
scenario, APs at branches are typically connected to a WAC at the HQ over the WAN
for centralized management. The WAN quality, however, cannot be guaranteed.
Connections between the WAC and APs suffer from high failure risks. A CAPWAP
link disconnection will significantly degrade the overall network quality.
⚫ CAPWAP link failover allows online STAs to stay and new STAs to access the WLAN
when a CAPWAP link fails. This improves reliability of the enterprise network.
Contents
2. HSB Technologies
4. N+1 Backup
HSB Overview
⚫
In HSB mode, two WACs back up each other. When a fault occurs on one WAC, the physical link between an AP and the WAC, or the
upper-layer link of the WAC, STAs do not need to be authenticated again, and their services are automatically switched to the other
WAC.
⚫
HSB for WACs can be classified into Virtual Router Redundancy Protocol (VRRP) HSB and dual-link HSB based on the key
technologies in use.
WAC1 WAC2
10.1.1.3 10.1.1.2 WAC1 WAC2
HSB channel 10.1.1.3 HSB channel 10.1.1.2
VRRP master VRRP backup
VRRP
Virtual WAC
10.1.1.1/24
Active link Standby link
CAPWAP tunnel
• To support HSB, the two WACs must have the same product model, networking,
and configurations (except configurations that must be different on the WACs,
such as the IP addresses of the management interface).
• Note:
▫ Dual-link: An AP sets up CAPWAP links with both the primary and backup
WACs.
▫ VRRP is short for Virtual Router Redundancy Protocol.
• In dual-link HSB mode, APs establish CAPWAP tunnels with both the primary and
backup WACs. The sequence in which APs or AP groups select the primary WAC
can be specified to allow the APs to support different scenarios, achieving load
balancing on the primary and backup WACs.
• Based on VRRP HSB, two WACs function as one virtual WAC. Therefore, load
balancing is not supported. In VRRP HSB mode, two WACs exchange VRRP
packets to negotiate their master and backup states. VRRP packets can be
transmitted only over Layer 2 networks but not over Layer 3 networks. Therefore,
VRRP HSB is applicable to WACs only in Layer 2 networking.
• In an HSB scenario, WIDS entries on the primary WAC cannot be backed up to
the backup WAC. After an active/standby switchover, WIDS entries are lost.
• Inter-WAC roaming is not supported in dual-link HSB scenarios.
• Portal authentication information cannot be backed up in a dual-link HSB

scenario. If Portal authentication is configured, STAs in Portal authentication
mode need to enter their user names and passwords again after a
primary/backup WAC switchover.
HSB Mechanism
⚫ HSB provides two types of public services:
 HSB service: establishes and maintains an HSB channel, and notifies the active and standby service modules of
channel connect/disconnect events.
 HSB group: has an HSB service bound to provide a data backup channel for each of active and standby service
modules.
WAC1 WAC2
Physical HSB channel
Establishes and maintains an

HSB service HSB channel. HSB service
Provides a data
backup channel.
HSB group HSB group
Service Service Service Service Service Service

module n module 2 module 1 module 1 module 2 module n
• HSB service modules: establishes and maintains an HSB channel (through Hello
packets), and notifies the related service modules of channel connect/disconnect
events.
• HSB group module:

▫ An HSB group is bound to a VRRP instance, and the active and standby
instances are negotiated using the VRRP mechanism.
▫ It is responsible for active/standby negotiation, batch backup, real-time
backup, and periodic synchronization, and requests service modules to back
up service information.
• Service module: responds to active/standby events in service modules, and

performs batch backup, real-time backup, and periodic synchronization.
• Currently, the WAC supports the configurations of only one HSB service and one
HSB group.
• HSB heartbeat packets are frequently exchanged between the primary and
backup WACs, and directly affect the working and negotiation results of the
primary and backup WACs. To ensure normal running of the HSB system and
prevent backup data loss, it is recommended that an independent physical link be
planned for the HSB channel.
VRRP HSB
⚫ Two WACs are added to a VRRP group to share a virtual IP address. The
master WAC synchronizes service information to the backup WAC
WAC1 WAC2
10.1.1.3 10.1.1.2 through an HSB channel.
HSB channel
⚫
By default, the master WAC functions as the virtual WAC. If the master
VRRP
WAC fails, the backup WAC takes over services. All APs establish
CAPWAP tunnels with the virtual WAC.
Virtual WAC
10.1.1.1/24
⚫ The switchover between WACs is determined by the VRRP. To APs, there
is only one WAC.
⚫
This mode restricts deployment locations of the two WACs but supports
a faster switchover speed than other backup modes.
⚫
More protection features are available:
 BFD+VRRP for uplink monitoring
CAPWAP tunnel  MSTP for loop prevention in the downlink
• HSB service backup in real time involves backup for the following information:
▫ User data information
▫ CAPWAP tunnel information
▫ AP entries
▫ DHCP address information
• The HSB channel can be carried by the direct physical link between two WACs or
by a switch. For example, the HSB channel can reuse the physical channel where
VRRP packets are exchanged.
Working Process of VRRP HSB
WAC1 WAC2 1. Master/backup negotiation: Two WACs send VRRP

packets carrying priority information through the HSB
HSB channel channel for negotiation.

2. Data backup: In VRRP HSB, information including STA
entries, CAPWAP link information, and AP entries can be
backed up in real time, in batches, or periodically.
3. Active/standby switchover: When a fault occurs on one
WAC, the physical link between an AP and the WAC, or
the upper-layer link of the WAC, services are
automatically switched to the other WAC.
4. Active/standby switchback: When the link of the original
master WAC recovers, the active/standby switchback is
CAPWAP tunnel triggered in preemption mode.
VRRP Master/Backup Negotiation
⚫ Two WACs send VRRP packets carrying priority information through an HSB channel for master/backup
negotiation.
⚫ The master WAC sends gratuitous ARP packets to notify other devices of the virtual MAC address.
⚫ The master WAC periodically sends VRRP Advertisement packets to WAC to advertise its working status.
0 3 7 15 23 31
Version Type Virtual Rtr ID Priority Count IP Addrs
Auth Type Adver Int Checksum
IP Address (1)
......
IP Address (n)
Authentication Data (1)
Authentication Data (2)
Data Synchronization Process of VRRP HSB
Master WAC Backup WAC
Set up an HSB channel.
Start batch deletion.

Instruct each
Send the batch backup module to traverse
Batch backup start message. APs.
Clear the dynamic
Notify each module of batch backup. data if APs are in
Each service module sends batch standby state on it.
backup data.
Each service module sends

Real-time backup real-time backup data.
The backup WAC periodically checks whether

the existing session entries are consistent with
Periodic synchronization those on the master WAC. Data synchronization

is performed only when the session entries are
inconsistent on the two WACs.
• When the master WAC fails, service traffic can be switched to the backup WAC
only if the backup WAC has the same session entries as the master WAC.
Otherwise, the session may be interrupted. Therefore, data synchronization is
required between the master and backup WAC.
• In VRRP HSB, information including user entries, CAPWAP link information, and
AP entries can be backed up in real time, in batches, or periodically.
▫ Batch backup: The master WAC synchronizes all existing session entries to a
new backup WAC at a time to ensure information consistency between the
WACs. Batch backup is triggered when the master and backup WACs are
determined.
▫ Real-time backup: When the master WAC generates new session entries,
the service module on the master WAC synchronizes them to the service
module on the backup WAC through HSB in real time.
▫ Periodic synchronization: The backup WAC checks whether its existing

session entries are consistent with those on the master WAC every 30
minutes. If they are inconsistent, the session entries on the master WAC are
synchronized to the backup WAC.
VRRP Master/Backup Switchover upon a Downlink
Disconnection
WAC1 WAC2
⚫
When the downlink of the master WAC is disconnected, the
VRRP master VRRP backup HSB group detects that the VLANIF interface is Down and
HSB channel
instructs the HSB group to enter the Independent state
over the HSB channel.
⚫
After WAC2 receives the notification, it instructs its service
module to change the AP status to normal.
⚫ The VRRP mechanism on WAC2 detects a VRRP heartbeat

timeout, and WAC2 switches to the master role. In addition,
the HSB group also detects the change. After the
Master_Down_Timer times out, WAC2 sends a gratuitous
ARP packet carrying the virtual IP. In this way, WAC2 takes
the responsibility of managing APs.
CAPWAP tunnel
• Master_Down_Timer: The backup WAC continuously receives VRRP packets from

the current master WAC. Each time a VRRP packet arrives, the
Master_Down_Timer on the backup WAC is reset. If the backup WAC does not
receive VRRP packets from the master WAC within a specified period and
Master_Down_Timer expires, the backup WAC considers that the master WAC
fails.
• HSB group states include:
▫ Active
▫ Inactive
▫ Independent
▫ Switching
• Three states are defined in a VRRP state machine: Initialize, Master, and Backup.
Only the WAC in Master state can forward packets destined for the virtual IP
address.
VRRP Master/Backup Switchover upon a Fault of the Master
WAC
WAC1 WAC2
VRRP master VRRP backup ⚫
When the master WAC fails, the HSB channel is
HSB channel
disconnected and the HSB module cannot notify WAC2 of
the failure. WAC2 enters the Independent state. When
detecting the abnormal VRRP state, WAC2 instructs APs to
change their states. The switchover is completed.
CAPWAP tunnel
• By default, the interval for sending HSB heartbeat packets is 3 seconds and the
number of retransmissions is 5. Therefore, the HSB channel heartbeat is 15
seconds. When the VRRP heartbeat timeout period is shorter than the heartbeat
timeout period of the HSB channel, the VRRP status change is first detected when
the master WAC is powered off and restarted.
• Then the WAC checks the status of the HSB group. The HSB group find that it is
in Backup state, and does not instruct the service module to change the AP
status. The HSB group changes to the Independent state only after the heartbeat
timer of the HSB channel expires. In this case, the service module is instructed to
change the AP status to Normal. The active/standby switchover is complete.
• When the timeout interval of VRRP heartbeat is longer than that of the HSB
channel, the HSB status changes before the VRRP status changes. After the VRRP
timeout interval expires, the HSB group instructs service modules to change the
AP status.
VRRP Master/Backup Switchover upon an Uplink
Disconnection
⚫ The VRRP association function monitors the

WAC1 WAC2 status of the uplink or interface. When the uplink
HSB channel of WAC1 fails, the VRRP group reduces the
priority of WAC1 to trigger a VRRP
master/backup switchover.
⚫ WAC1 and WAC2 must both work in preemption
mode.
CAPWAP tunnel
• When the uplink interface of the master WAC becomes faulty, VRRP cannot
detect the status change of interfaces outside the VRRP group, which may cause
service interruption. You can associate a VRRP group with the interface status.
When the monitored interface becomes faulty, the priority of the master WAC is
reduced. This triggers a master/backup switchover and reduces the impact of the
uplink interface fault on service forwarding.
• When the fault is rectified, the original master WAC restores its priority to take
over the master role again and begins forwarding traffic.
• When the association between VRRP and the interface status is configured, the
master and backup WACs in the VRRP group must work in preemption mode. It
is recommended that immediate preemption be configured on the backup WAC
and delayed preemption be configured on the master WAC.
VRRP Master/Backup Switchback
⚫
When the link of the original master WAC (WAC1) recovers, an
Master WAC1 Backup WAC2 active/standby switchback is triggered after the preemption delay
expires. The switchback process is as follows:
 After WAC1 recovers, the VRRP state of WAC1 changes from Initialize to
Restore the connection and Backup, and WAC1 listens to VRRP packets.
listen on VRRP packets.  After 3 seconds, when determining that WAC2 receives the receiving a
3 seconds
VRRP packet VRRP packet from WAC2, WAC1 starts the preemption delay.
 After the preemption delay expires, the VRRP status of WAC1 changes
Wait for a to master and sends VRRP packets with a higher priority to notify WAC2
preemption delay. of a switchback.
Send high-priority VRRP packets.  Upon receiving the VRRP packets with a higher priority, WAC2 changes
Roll back to the its own VRRP status back to backup.
backup state.
Data backup process
• After the original master WAC recovers, it becomes the master WAC if it is in
preemption mode or remains in backup state if it is in non-preemption mode.
Configuring VRRP HSB - Configuration Roadmap
WAC1 WAC2
HSB channel
Configuration roadmap
• Configure a VRRP group.

• Configure an HSB service.
Virtual WAC
• Configure an HSB group.
• Bind services to the HSB group.
• Enable the HSB group.
• Verify the configuration.
• Before configuring basic VRRP HSB, configure network layer attributes of

interfaces to ensure network connectivity.
• During the configuration of VRRP HSB, two WACs form a virtual WAC, and all
the APs connected to the WACs communicate with the virtual WAC. Therefore,
when you configure the source IP address of the WACs using the capwap source
command, specify the virtual IP address of the VRRP group bound to the HSB
group as the source IP address.
Configuring VRRP HSB - Configuring a VRRP Group
Create a management VRRP group on WAC1. Set the VRRP priority

10.23.102.1/30 10.23.102.2/30
HSB channel of WAC1 to 120 and the preemption delay to 1800 seconds.
10.23.100.1 10.23.100.2
[WAC1] interface vlanif 100
WAC1 VLAN 100 WAC2
VRRP VRID 1 [WAC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
VRRP master VRRP backup [WAC1-Vlanif100] vrrp vrid 1 priority 120
[WAC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[WAC1-Vlanif100] admin-vrrp vrid 1
[WAC1-Vlanif100] quit
Virtual WAC
10.23.100.3/24
Create a management VRRP group on WAC2, and retain the
default priority and preemption mode.
[WAC2] interface vlanif 100

[WAC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[WAC2-Vlanif100] admin-vrrp vrid 1
[WAC2-Vlanif100] quit
• This example only describes the management VRRP configuration.

Configuring VRRP HSB - Configuring an HSB Service
Create HSB service 0 on WAC1 and configure the IP addresses
10.23.102.1/30 10.23.102.2/30 and port numbers for the active and standby channels. Set the
HSB channel
10.23.100.1 10.23.100.2 number of retransmission attempts and interval of HSB packets.
WAC1 VLAN 100 WAC2 [WAC1] hsb-service 0

VRRP master VRRP VRID 1 VRRP backup [WAC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip
10.23.102.2 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
Virtual WAC Create HSB service 0 on WAC2 and configure the IP addresses
10.23.100.3/24
and port numbers for the active and standby channels. Set the
number of retransmission attempts and interval of HSB packets.
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
Configuring VRRP HSB - Configuring an HSB Group
10.23.102.1/30 10.23.102.2/30
Create HSB group 0 on WAC1, and bind HSB service 0 and the
HSB channel
10.23.100.1 10.23.100.2 management VRRP group to the HSB group.
WAC1 VLAN 100 WAC2 [WAC1] hsb-group 0
VRRP master VRRP VRID 1 VRRP backup [WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC1-hsb-group-0] quit
Virtual WAC
Create HSB group 0 on WAC2, and bind HSB service 0 and the
10.23.100.3/24
management VRRP group to the HSB group.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC2-hsb-group-0] quit
Configuring VRRP HSB - Binding Services to the HSB Group
and Enabling the HSB Group
10.23.102.1/30 10.23.102.2/30
HSB channel On WAC1, bind the NAC, WLAN, and DHCP services to the HSB
10.23.100.1 10.23.100.2
VLAN 100
group, and enable the HSB group.
WAC1 WAC2
VRRP master VRRP VRID 1 VRRP backup [WAC1] hsb-service-type access-user hsb-group 0
[WAC1] hsb-service-type ap hsb-group 0
[WAC1] hsb-service-type dhcp hsb-group 0
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
Virtual WAC
10.23.100.3/24
On WAC2, bind the NAC, WLAN, and DHCP services to the HSB
group, and enable the HSB group.
[WAC2] hsb-service-type access-user hsb-group 0
[WAC2] hsb-service-type ap hsb-group 0
[WAC2] hsb-service-type dhcp hsb-group 0
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
Configuring VRRP HSB - Verifying the Configuration
Run the display hsb-group group-index command to check Run the display hsb-service service-index command to check
HSB group information. HSB service information.
[WAC1]display hsb-group 0 [WAC1]display hsb-service 0

Hot Standby Group Information: Hot Standby Service Information:
---------------------------------------------------------- ----------------------------------------------------------
HSB-group ID :0 Local IP Address : 10.23.102.1
Vrrp Group ID :1 Peer IP Address : 10.23.102.2
Vrrp Interface : Vlanif100 Source Port : 10241
Service Index :0 Destination Port : 10241
Group Vrrp Status : Master Keep Alive Times :3
Group Status : Active Keep Alive Interval :6
Group Backup Process : Realtime Service State : Connected
Peer Group Device Name : AC6005 Service Batch Modules :
Peer Group Software Version : V200R007C10SPC300B220 ----------------------------------------------------------
Group Backup Modules :-
----------------------------------------------------------
Dual-Link HSB Overview
• An AP sets up CAPWAP tunnels with the primary and backup WACs
at the same time. Service information is synchronized between the
WAC1 WAC2 WACs through an HSB channel.
10.1.1.3/24 10.1.1.2/24 • When the link between the AP and primary WAC fails, the AP
HSB channel
instructs the backup WAC to take over services from the primary
WAC.
• The primary and backup WACs are determined based on WAC
priorities. When WACs have the same priority, the primary and
backup WACs are determined based on the WAC load (number of
online APs and STAs).
• In addition to the active/standby HSB mode, the load balancing
mode is supported. In load balancing mode, you can specify WAC1 as
Active link Standby link the primary WAC for some APs and WAC2 as the backup WAC for
other APs, so that the APs set up active CAPWAP links with their own
primary WACs.
• Dual-link HSB frees primary and backup WACs from location
restrictions and allows for flexible deployment. The two WACs can
implement load balancing to make efficient use of resources.
Data traffic
However, service switching takes a relatively long time.
CAPWAP tunnel
• HSB can back up user data information in real time.

• Load balancing is supported.
Working Process of Dual-Link HSB
1. Establish active and standby links: The primary WAC is
preferentially selected and the active link is established. After
the primary WAC delivers configurations, the standby link is
established.
WAC1 HSB channel WAC2
10.1.1.3/24 10.1.1.2/24 2. Data backup: The primary and backup WACs back up user
access authentication information through the HSB channel. In
this way, more STA encryption authentication modes are
supported, ensuring service continuity during an active/standby
switchover or switchback.
3. Active/standby switchover: When the primary WAC fails or the
downlink is disconnected, a switchover is triggered between the
primary and backup WACs to activate the standby link. The
original user traffic is directly switched to the new primary
WAC.
4. Active/standby switchback: Global switchback is enabled. After
an active/standby switchover is performed, a switchback is
Data traffic
triggered when the link of the original primary WAC recovers.
CAPWAP tunnel
• HSB service backup in real time involves backup for the following information:
▫ User data information
▫ CAPWAP tunnel information
▫ AP entries
▫ Load balancing is supported.
Active/Standby Negotiation in Dual-Link HSB
AP Primary WAC Backup WAC ⚫ Active link establishment:

In the Discovery phase, the primary WAC is
preferentially selected.
CAPWAP Discovery Request
 The other steps are the same as those in normal
CAPWAP Discovery Response CAPWAP tunnel establishment.
(carrying information such as the IP address, priority, and load)
CAPWAP Discovery Response (carrying information such as the IP ⚫ Standby link establishment:
address, priority, and load)

To prevent repeated service configuration
The primary WAC is selected based on the priority and
load, and the active link is established. delivery, the AP starts to set up the standby link
with the backup WAC only after the active
Deliver configurations.
CAPWAP link is set up with the primary WAC and
CAPWAP Discovery Request (unicast) configurations are delivered.
CAPWAP Discovery Response (carrying information such as the
IP address, priority, and load)
Standby link establishment
• An AP periodically sends CAPWAP Discovery Request messages to the primary

and backup WACs. The WACs working properly will return Discovery Response
messages to the AP. The Discovery Response messages contain the IP addresses
of primary and backup WACs if any, HSB flags, priorities, loads, and IP addresses
of the WACs.
• After receiving the Discovery Response message, the AP selects a primary WAC
based on information carried in the received message, and sets up an active
CAPWAP link with the primary WAC. The AP selects the primary WAC in the
following sequence:
▫ Check whether any primary WACs are specified. If only one primary WAC is
specified, the AP selects it as the primary WAC. If multiple primary WACs
are specified, the AP selects the WAC with the lowest load as the primary
WAC. If the loads are the same, the AP selects the WAC with the smallest IP
address as the primary WAC.
▫ Compare WAC loads, that is, numbers of access APs and STAs. The AP
selects the WAC with the lowest load as the primary WAC. The number of
allowed APs is compared ahead of the number of allowed STAs. When the
numbers of allowed APs are the same on WACs, the AP selects the WAC
that can connect more STAs as the primary WAC.
▫ If there is no primary WAC, check whether any backup WACs are specified.
If only one backup WAC is specified, the AP selects this WAC as the primary
WAC. If multiple backup WACs are specified, the AP selects the WAC with
the lowest load as the primary WAC. If the loads are the same, the AP
selects the WAC with the smallest IP address as the primary WAC.
▫ If no backup WAC is available, the WAC with a smaller priority value is
selected as the primary WAC. If the WACs have the same priority, the WAC
with the lightest load is selected as the primary WAC. If the loads are the
same, compare the IP addresses. The WAC with a smaller IP address is the
primary WAC.
• Standby link setup:
▫ The AP sends a CAPWAP Discovery Request message to the backup WAC in
unicast mode. The WAC returns a CAPWAP Discovery Response message
containing the IP addresses of primary and backup WACs (if any), HSB flag,
load, and priority to the AP. The AP knows that the HSB function is enabled
after receiving the CAPWAP Discovery Response message, and saves the
priority of the WAC.
▫ The AP sends a Join Request message, notifying the backup WAC that the
configurations have been delivered. After receiving the Join Request
message, the WAC sets up a CAPWAP link with the AP but does not deliver
configurations to the AP.
▫ After the standby link is set up, the AP selects the primary and backup
WACs again based on the link priorities.
Data Synchronization Between the Primary and Backup
WACs in Dual-link HSB
Primary WAC Backup WAC
Set up an HSB channel.

Start batch deletion.
Instruct each module to
traverse APs.
Batch backup Send the batch backup start message. Clear the dynamic data
if APs are in standby
Notify each module of batch backup. state on it.
Each service module sends batch backup data.
Real-time backup Each service module sends real-time backup data.
The backup WAC periodically checks whether the existing session

Periodic synchronization entries are consistent with those on the primary WAC. Data
synchronization is performed only when the session entries are
inconsistent on the two WACs.
• In a dual-link HSB scenario, services are directly bound to the HSB service. In this
way, service data is backed up using HSB, and the active/standby status is
maintained based on the HSB mechanism.
• The primary and backup WACs back up user access authentication information
through the HSB channel. In this way, more STA encryption authentication
modes are supported, ensuring service continuity during an active/standby
switchover or switchback. HSB modes include real-time backup, batch backup,
and periodic synchronization.
Active/Standby Switchover in Dual-Link HSB
⚫
In dual-link HSB mode, an AP determines whether to perform
an active/standby switchover. When the primary WAC is
HSB channel
WAC1 WAC2 faulty or the downlink is disconnected, an active/standby
switchover is triggered.
 After setting up links with the primary and backup WACs, the AP
periodically sends Echo messages to the WACs for CAPWAP
Heartbeat packet timeout heartbeat detection to monitor the CAPWAP link status.
 As shown in the figure, the link between WAC1 and the switch is
Standby link
disconnected or WAC1 is faulty. In this case, if heartbeat packets
Active link
from WAC1 time out for a specified number of times, the AP
determines that the active CAPWAP link is faulty.
 The AP sends an Echo Request message carrying master WAC

Heartbeat traffic
information to WAC2. Then WAC2 switches from the Backup state
to the Working state, and activates the standby link to take over
CAPWAP tunnel
services from the AP. In this way, services are not interrupted.
Active/Standby Switchback in Dual-Link HSB
⚫ The AP periodically sends Discovery Request messages to check whether the original active link
recovers. If so, the AP switches STA data back to this link with a higher priority.
AP Primary WAC Backup WAC Primary WAC Backup WAC
Send the batch

deletion start message.
Discovery Request
The flag indicating
The flag indicating that
that the batch
Discovery Response the batch deletion
deletion message
Set up a new HSB channel. message has been sent
has been sent is set
is set to true.
to true.
Determine the priority. Start batch deletion.
Wait for 20 Echo intervals. Instruct each module
to traverse APs.
Notify the switchover.
Clear the dynamic data
if APs are in standby
state on it.
Start batch backup.
Data backup process
Notify each
Each service module sends module of batch
periodic backup data. backup.
• To prevent the frequent switchovers caused by network flapping, the WACs are
informed of the active/standby switchback after 20 Echo intervals elapse. At the
same time, the AP sends the STA service data to the new primary WAC.
• A backup link can be switched in either of the following modes:

▫ Priority mode (default): The AP switches to the active link based on the
priority.
▫ Network stability mode: When conditions for an active/standby switchover
are met, the AP preferentially switches to a link with higher network
stability. In this case, the switchover is determined by the network stability
of the link, but not the roles of the active and standby links.
• The priority mode is commonly used, which is our focus of this course.
• The network stabilization of active and standby links is determined based on the
Echo packet loss rate. The active/standby link switchover is performed when the
following conditions are met:
▫ An AP collects statistics about Echo packets on the current link for a
specified number of times, and determines that the packet loss rate of the
link exceeds the packet loss rate start threshold.
▫ The packet loss rate of the link in use is higher than that of the other link,
and the difference between the two is higher than the packet loss rate
difference threshold.
Configuring Dual-Link HSB - Configuration Roadmap
WAC1 HSB channel WAC2
Primary Backup • Configure dual-link backup.
• (Optional) Configure the active/standby
link switchover mode.
• Configure the HSB function.
Configuring Dual-Link HSB - Configuring Dual-Link Backup
On WAC1, specify the IP address of WAC2 and the priority of
WAC1 to implement dual-link backup.
10.23.102.1/30 10.23.102.2/30 [WAC1-wlan-view] ac protect enable
HSB channel Warning: This operation maybe cause AP reset, continue?[Y/N]:y
WAC1 WAC2
[WAC1-wlan-view] ac protect protect-ac ip-address 10.23.100.3
Primary Backup [WAC1-wlan-view] ac protect priority 0
10.23.100.1 10.23.100.2
Management VLAN 100 Management VLAN 100
[WAC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[WAC2-wlan-view] ac protect priority 1
[WAC2-wlan-view] quit
Restart the APs on WAC1 (primary). The dual-link backup

configuration is then delivered to the APs.
[WAC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[WAC1-wlan-view] quit
• To configure dual-link cold backup on a WDS or mesh network, set the CAPWAP
heartbeat interval to 25 seconds and the number of heartbeat packet
transmissions to at least 6. If this configuration is not performed, a WAC sends
heartbeat packets for three times at an interval of 25 seconds by default. This
may cause unstable WDS or mesh link status and result in STA access failures.
• If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat packet transmissions smaller than the default values, CAPWAP link
reliability is degraded. Exercise caution when you set the values. The default
values are recommended.
Configuring VRRP HSB - (Optional) Configuring the Link
Switchover Mode
⚫
The following link switchover modes are supported:
 Priority mode (default): enables an AP to preferentially switch service traffic to the active link.
 Network stabilization mode: enables an AP to preferentially use a link with high network stabilization, which is determined based on the Echo packet
loss rate.
To change the link switchover mode from priority to network stabilization, run the following commands:
[WAC1-wlan-view] ap-system-profile name wlan-net
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch mode network-stabilization
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch packet-loss echo-probe-time 30
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch packet-loss start-threshold 30
Configure the number of times Echo packets are sent within a statistics collection interval.
[WAC1-wlan-view] ac protect link-switch packet-loss echo-probe-time 20
Configure the packet loss rate start and difference thresholds for an active/standby link switchover.
[WAC1-wlan-view] ac protect link-switch packet-loss gap-threshold 15
[WAC1-wlan-view] ac protect link-switch packet-loss start-threshold 20
• This configuration is optional.

• Run the ac protect link-switch packet-loss echo-probe-time echo-probe-time
command to set the number of times Echo packets are sent within a statistics
collection interval.
• By default, the number of times Echo packets are sent within a statistical period
is 20.
• Run the ac protect link-switch packet-loss { gap-threshold gap-threshold | start-
threshold start-threshold } command to configure the packet loss rate start and
difference thresholds for an active/standby link switchover.
• By default, the packet loss rate start and difference thresholds for an
active/standby link switchover are 20% and 15%, respectively.
Configuring Dual-Link HSB - Configuring HSB
Create HSB service 0 on WAC1 and configure the IP addresses
and port numbers for the active and standby channels.
10.23.102.1/30 10.23.102.2/30
HSB channel [WAC1] hsb-service 0
WAC1 WAC2
Primary Backup 10.23.102.2 local-data-port 10241 peer-data-port 10241
10.23.100.2 [WAC1-hsb-service-0] quit
10.23.100.1
Management VLAN 100 Management VLAN 100
Bind the WLAN and NAC services to the HSB service on WAC1.
[WAC1] hsb-service-type ap hsb-service 0
[WAC1] hsb-service-type access-user hsb-service 0
Perform the same operations on WAC2.

[WAC2] hsb-service 0
[WAC2-hsb-service-0] quit
[WAC2] hsb-service-type ap hsb-service 0
[WAC2] hsb-service-type access-user hsb-service 0
Configuring Dual-Link HSB - Verifying the Configuration
Run the display ac protect command on WAC1 and WAC2 Run the display hsb-service 0 command on WAC1 and WAC2
to view the dual-link backup configurations. to check the HSB service status. If the value of the Service State
[WAC1] display ac protect field is Connected, the HSB channel has been established.
------------------------------------------------------------
Protect state : enable [WAC1] display hsb-service 0
Protect AC IPv4 : 10.23.100.3 Hot Standby Service Information:
Protect AC IPv6 :- ----------------------------------------------------------
Priority :0 Local IP Address : 10.23.102.1
Protect restore : enable Peer IP Address : 10.23.102.2
... Source Port : 10241
------------------------------------------------------------ Destination Port : 10241
[WAC2] display ac protect Keep Alive Times :5
------------------------------------------------------------ Keep Alive Interval :3
Protect state : enable Service State : Connected
Protect AC IPv4 : 10.23.100.2 Service Batch Modules : AP
Protect AC IPv6 :- Shared-key :-
Priority :1 ----------------------------------------------------------
Protect restore : enable
...
------------------------------------------------------------
Contents
2. HSB Technologies
4. N+1 Backup
Dual-Link Cold Backup Overview
⚫ Dual-link cold backup allows two WACs on a WAC +

WAC1 WAC2
10.1.1.3/24 10.1.1.2/24 Fit AP network to manage APs simultaneously. The
APs set up CAPWAP links with both WACs, between
which one WAC functions as the master WAC to
provide services for the APs while the other works as
the backup WAC and does not provide services.
⚫ To ensure that both WACs provide the same services,
it is recommended that the same service
configurations be performed on the primary and
Data traffic backup WACs.
CAPWAP tunnel
Working Process of Dual-Link Cold Backup
1. Establish active and standby links: The primary WAC is
preferentially selected and the active link is
WAC1 WAC2 established. After the primary WAC delivers
10.1.1.3/24 10.1.1.2/24
configurations, the standby link is established.
2. Active/standby switchover: When the primary WAC
fails or the downlink is disconnected, a switchover is
triggered between the primary and backup WACs to
activate the standby link. Original STAs on the AP go
offline and then online again.
3. Active/standby switchback: Global switchback is
enabled. After an active/standby switchover is
Data traffic
performed, a switchback is triggered when the link of
CAPWAP tunnel the original primary WAC recovers.
Active/Standby CAPWAP Link Setup Process in Dual-Link
Cold Backup
AP Primary WAC Backup WAC
⚫ Active link establishment.

In the Discovery phase, the primary WAC is
preferentially selected.
 The other steps are the same as those in normal
CAPWAP Discovery Response (carrying information
such as the IP address, priority, and load) CAPWAP tunnel establishment.
CAPWAP Discovery Response (carrying information such as
the IP address, priority, and load) ⚫ Establish the standby link.
The primary WAC is selected based on the priority
and load, and the active link is established. 
To prevent repeated service configuration delivery,
the AP starts to set up the standby link with the
Deliver configurations.
backup WAC only after the active CAPWAP link is set
CAPWAP Discovery Request up with the primary WAC and configurations are
CAPWAP Discovery Response (carrying information such as the delivered.
IP address, priority, and load)
Standby link establishment
• The process of establishing the active and standby links is the same as that in
dual-link HSB.
Active/Standby Switchover in Dual-Link Cold Backup
⚫ After setting up links with the primary and backup WACs, an AP periodically sends Echo messages carrying information about the
active and standby links to the WACs.
⚫
Upon detecting a failure of the active link, the AP sends an Echo Request message carrying primary WAC information to the backup
WAC. Upon receiving this message, the backup WAC determines that its link becomes the active link and takes over services from
the primary WAC. During this process, original STAs on the AP go offline and then online again.
Echo Request
Echo Request interval-value
times-value Set the detection interval and number of detection times.

Echo Request capwap echo { interval interval-value | times times-value }
Echo Request (carrying primary WAC information)

Determine the
Echo Response active/standby status based
on the carried information,
STAs go online again. and perform an
active/standby switchover.
• The AP determines whether to perform an active/standby switchover. When the

primary WAC is faulty or the downlink is disconnected, the primary WAC changes
from the Working state to the Backup state, and the backup WAC changes from
the Backup state to the Working state. The process is as follows:
▫ After setting up links with the primary and backup WACs, the AP
periodically sends Echo messages to the WACs for CAPWAP heartbeat
detection to monitor the CAPWAP link status.
▫ When a link is faulty, the WAC cannot respond to Echo messages from the
AP. If the primary WAC does not respond after the specified number of
CAPWAP heartbeat detections within the CAPWAP heartbeat interval, the
AP determines that the primary link has failed.
▫ The AP sends an Echo Request message carrying information about the

primary WAC to the backup WAC. After receiving the Echo Request
message, the backup WAC switches to the Working state, and the AP sends
STA data to the new primary WAC.
transmissions to at least 6. If this configuration is not performed, the WAC sends
Active/Standby Switchback in Dual-Link Cold Backup
⚫ The AP periodically sends Discovery Request messages to check whether the original active link recovers. If so, the
AP switches STA data back to this link with a higher priority.
⚫ To prevent the frequent switchovers caused by network flapping, the WACs are informed of the active/standby
switchback after 20 Echo intervals elapse. At the same time, the AP sends the STA service data to the new primary
WAC.
Discovery Request
Discovery Response
Wait for 20 Echo intervals.
The AP goes online again. The AP goes offline.
• Dual-link cold backup also supports the network stability mode. The switching
mode is the same as that described in dual-link HSB.
Configuring Dual-Link Cold Backup - Configuration
Roadmap
WAC1 WAC2
Primary Backup
• Configure dual-link backup.

• (Optional) Configure the link
switchover mode.
Configuring Dual-Link Cold Backup - Configuring Dual-Link
Backup
WAC1 to implement dual-link backup. Enable dual-link backup
WAC1 WAC2 and revertive switching globally, and restart all APs to make the
Primary Backup
dual-link backup function take effect.
10.23.100.1 10.23.100.2
Management VLAN 100 Management VLAN 100 [WAC1-wlan-view] ac protect protect-ac ip-address 10.23.100.2
[WAC1-wlan-view] undo ac protect restore disable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

[WAC2-wlan-view] undo ac protect restore disable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
transmissions to at least 6. If this configuration is not performed, a WAC sends
• If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat packet transmissions smaller than the default values, CAPWAP link
reliability is degraded. Exercise caution when you set the values. The default
values are recommended.
• By default, dual-link backup is disabled. In this case, when the ac protect enable
command is run, a message is displayed indicating that all APs will be restarted.
After the APs are restarted, the dual-link backup function takes effect.
• If the dual-link backup function has been enabled, running the ac protect enable
command does not restart the APs. You need to run the ap-reset command on
the active WAC to restart the APs to make the dual-link backup function take
effect.
Configuring Dual-Link Cold Backup - (Optional) Configuring
the Link Switchover Mode
⚫ The following link switchover modes are supported:

Priority mode (default): enables an AP to preferentially switch service traffic to the active link.

Network stabilization mode: enables an AP to preferentially use a link with high network stabilization, which is determined
based on the Echo packet loss rate.
To change the link switchover mode from priority to network stabilization, run the following commands:
[WAC1-wlan-view] ap-system-profile name wlan-net
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch mode network-stabilization
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch packet-loss echo-probe-time 30
[WAC1-wlan-ap-system-prof-wlan-net] ac protect link-switch packet-loss start-threshold 30
Configure the number of times Echo packets are sent within a statistics collection interval.
[WAC1-wlan-view] ac protect link-switch packet-loss echo-probe-time 20
Configure the packet loss rate start and difference thresholds for an active/standby link switchover.
[WAC1-wlan-view] ac protect link-switch packet-loss gap-threshold 15
[WAC1-wlan-view] ac protect link-switch packet-loss start-threshold 20
• This configuration is optional.

• Run the ac protect link-switch packet-loss echo-probe-time echo-probe-time
command to set the number of times Echo packets are sent within a statistics
collection interval.
• By default, the number of times Echo packets are sent within a statistical period
is 20.
• Run the ac protect link-switch packet-loss { gap-threshold gap-threshold | start-
threshold start-threshold } command to configure the packet loss rate start and
difference thresholds for an active/standby link switchover.
• By default, the packet loss rate start and difference thresholds for an
active/standby link switchover are 20% and 15%, respectively.
Configuring Dual-Link Cold Backup - Verifying the
Configuration
Run the display ac protect command to check the dual-link Run the display ap-system-profile name xxx command on
backup status, revertive switchover status, and priorities of WAC1 and WAC2 to check the dual-link information on the two
WACs, and the backup WAC's IP address in the WLAN view. WACs.
[WAC1]display ac protect [WAC1] display ap-system-profile name ap-system1

------------------------------------------------------------ ------------------------------------------------------------
Protect state : enable AC priority :0
Protect AC : 10.23.100.2 Protect AC IP address : 10.23.100.2
Priority :0 Primary AC :
Protect restore : enable Backup AC :
Coldbackup kickoff station : disable ...
------------------------------------------------------------ ------------------------------------------------------------
[WAC2]display ac protect [WAC2] display ap-system-profile name ap-system1
------------------------------------------------------------ ------------------------------------------------------------
Protect state : enable AC priority :1
Protect AC : 10.23.100.1 Protect AC IP address : 10.23.100.1
Priority :1 Primary AC :
Protect restore : enable Backup AC :
Coldbackup kickoff station : disable ...
------------------------------------------------------------ ------------------------------------------------------------
Contents
2. HSB Technologies
4. N+1 Backup
N+1 Backup Overview
⚫
One WAC serves as a backup for multiple primary WACs.
Backup WAC Enterprise HQ  In this example, the WAC in the enterprise HQ can function as
the backup WAC for local WACs in branch 1 and branch 2.
⚫
In normal cases, an AP sets up a CAPWAP link only with the
primary WAC to which it associates.
WAN ⚫
When the primary WAC fails or the link between the
primary WAC and AP is faulty, the backup WAC establishes
a link with the AP to manage and provide services for the
AP.
Primary Primary
WAC WAC
⚫ Active/standby switchover and switchback are supported.
Enterprise Enterprise CAPWAP tunnel

branch 1 branch 2
• When the CAPWAP link between an AP and the primary WAC is disconnected,
the AP attempts to establish a CAPWAP link with the backup WAC. After the new
CAPWAP link is established, the AP restarts and obtains configurations from the
backup WAC. During this process, services are affected.
Working Process of N+1 Backup
Backup WAC Enterprise HQ

1. Active link establishment: The primary WAC is
preferentially selected, and the AP establishes a
CAPWAP link with it.
2. Active/standby switchover: When the primary WAC or
WAN
the CAPWAP link between the primary WAC and AP is
faulty, the backup WAC sets up a CAPWAP link with
the AP and the AP goes online again.
Primary
3. Active/standby switchback: Global switchback is
Primary
WAC WAC enabled. After an active/standby switchover is
performed, a switchback is triggered when the link of
the original primary WAC recovers.
Enterprise Enterprise CAPWAP tunnel
branch 1 branch 2
Selecting Primary and Backup WACs in N+1 Backup
⚫ Active link establishment

CAPWAP Discovery Request  In the Discovery phase, the primary WAC is
CAPWAP Discovery Request preferentially selected.
CAPWAP Discovery Response (carrying information such as the  The other steps are the same as those in
IP address, priority, and load).
normal CAPWAP tunnel establishment.
CAPWAP Discovery Response (carrying information such
as the IP address, priority, and load).
The primary WAC is selected based on the priority
and load, and the active link is established.
• In the Discovery phase, an AP sends a Discovery Request packet to find available

WACs. After receiving the packet, the WACs return a Discovery Response packet
containing the N+1 backup flag, WAC priority, load, and IP address. Based on the
information contained in the Discovery Response packet, the AP selects a primary
WAC to set up a CAPWAP link.
• When planning an N+1 backup network, ensure that the primary WAC can be
selected based on WAC priorities so that all APs can go online on the predefined
primary WAC. Otherwise, the APs select the primary WAC based on loads and IP
addresses, and may go online on WACs other than the predefined primary WAC.
Alternatively, ensure that the primary WAC can be selected among the specified
primary and backup WACs.
• The AP selects the primary WAC based on the following rules:
▫ Check whether any primary WACs are specified. If only one primary WAC is
specified, the AP selects it as the primary WAC. If multiple primary WACs
are specified, the AP selects the WAC with the lowest load as the primary
WAC. If the loads are the same, the AP selects the WAC with the smallest IP
address as the primary WAC.
▫ Compare WAC loads, that is, numbers of access APs and STAs. The AP
selects the WAC with the lowest load as the primary WAC. The number of
allowed APs is compared ahead of the number of allowed STAs. When the
numbers of allowed APs are the same on WACs, the AP selects the WAC
that can connect more STAs as the primary WAC.
▪ Number of allowed APs = Maximum number of access APs – Number
of online APs
▪ Number of allowed STAs = Maximum number of access STAs –
Number of online STAs
▫ If no primary WAC is specified, check whether any backup WACs are
specified. If only one backup WAC is specified, the AP selects this WAC as
the primary WAC. If multiple backup WACs are specified, the AP selects the
WAC with the lowest load as the primary WAC. If the loads are the same,
the AP selects the WAC with the smallest IP address as the primary WAC.
▫ If no backup WAC is specified, the AP compares WAC priorities and selects
the WAC with the highest priority as the primary WAC. A smaller priority
value indicates a higher priority.
▫ If the WAC priorities are the same, the AP selects the WAC with the lowest
load as the primary WAC.
▫ When the loads are the same, the AP compares the WACs' IP addresses and
selects the WAC with the smaller IP address as the primary WAC.
WAC Priority
⚫ A WAC has two types of priorities:

Global priority: WAC priority configured for all APs.

Individual priority: WAC priority configured for a single AP or APs in a specified AP group.
CAPWAP
Backup WAC3 tunnel
Global priority: 5
Primary WAC1 Switch Primary WAC2
Global priority: 6 Global priority: 6

Individual priority for AP_1: 3 Individual priority for AP_301: 3
... ... ...

AP_1 AP_300 AP_301 AP_700
• When receiving a Discovery Request packet from an AP, a WAC checks whether
an individual priority has been specified for the AP. If not, the WAC replies a
Discovery Response packet carrying the global priority. If so, the WAC replies a
Discovery Response packet carrying the individual priority. Configure proper
priorities on the primary and backup WACs to control access of APs on the two
WACs.
• In this figure, we can see:
▫ In the Discovery phase, AP_1 sends a Discovery Request packet to all WACs.
▫ When WAC1 receives the Discovery Response packet from AP_1, WAC1
returns the individual priority 3 for AP_1.
▫ There is no individual priority for AP_1 on WAC2 or WAC3, so WAC2 returns
the global priority 6 and WAC3 returns the global priority 5 to AP_1.
▫ AP_1 compares WAC priorities in the Discovery Response packets and
selects WAC1, which has the highest priority, as the primary WAC to send
an association request.
▫ If WAC1 or the CAPWAP link between WAC1 and AP_1 fails, and no backup
WAC is designated, AP_1 sends new Discovery Request packets to obtain
priorities of the remaining WACs. WAC2 returns the global priority 6, and
WAC3 returns the global priority 5. AP_1 compares WAC priorities and
selects WAC3 with a higher priority as the backup WAC to send an
association request.
Active/Standby Switchover in N+1 Backup
⚫
In normal cases, an AP sets up a CAPWAP link only with the
CAPWAP tunnel
primary WAC and periodically exchanges heartbeat packets
Backup WAC3
CAPWAP tunnel with the primary WAC to monitor the CAPWAP link status.
Global priority: 5
⚫
When the AP detects a heartbeat packet transmission
Primary WAC1 timeout, it considers the link disconnected and sets up a
Switch
Primary WAC2 CAPWAP link with the backup WAC.
⚫
After the CAPWAP link is established, the backup WAC
delivers configurations to the AP again. To ensure that
primary and backup WACs deliver the same WLAN service
... ... ... configurations to an AP, perform the same configurations on
AP_1 AP_300 AP_301 AP_700

both WACs.
⚫
To ensure that APs can work properly after an active/standby
switchover, the specifications of the backup WAC must be
fully considered during design.
• The AP sets up a CAPWAP link with the backup WAC in the following situations:
▫ If the IP address of the backup WAC is configured on the primary WAC, the
AP sets up a CAPWAP link with the backup WAC directly.
▫ If the IP address of the backup WAC is not configured on the primary WAC,
the AP broadcasts Discovery Request packets to discover WACs and selects
the backup WAC to establish a CAPWAP link.
• To ensure that the AP works properly after an active/standby switchover, the
following conditions must be met:
▫ The number of online APs supported by the backup WAC cannot be smaller
than the number of online APs on any of the primary WACs.
▫ The total number of online APs on all primary WACs cannot exceed the
configurable number of APs on the backup WAC.
• Determine the value of N in N+1 backup based on the configurable number of
APs on the backup WAC and the number of APs managed by the N primary
WACs. The number of APs managed by the N primary WACs cannot exceed the
configurable number of APs on the backup WAC.
Active/Standby Switchback in N+1 Backup
⚫ After an AP sets up a CAPWAP tunnel with the
CAPWAP tunnel
Backup WAC3 backup WAC, the AP obtains the IP address of its
CAPWAP tunnel
Global priority: 5
primary WAC from the backup WAC and sends
Primary WAC1 Primary Discovery Request packets at regular intervals

Switch
Primary WAC2
to detect the primary WAC status.
⚫ After the primary WAC recovers, it returns a reply

packet carrying the WAC priority to the AP.
⚫ The AP determines that the primary WAC recovers

... ... ...
based on the response packet from the WAC, and
AP_1 AP_300 AP_301 AP_700
determines whether to perform a revertive switchover
based on the priority comparison result and revertive
switchover configuration.
Configuring N+1 Cold Backup - Configuration Roadmap
Backup WAC3
Primary WAC1 Primary WAC2
Switch • Configure the global priorities of the primary
and backup WACs.
• Configure revertive switching.
• (Optional) Configure heartbeat detection.
• (Optional) Configure the active/standby link
switchover mode.
AP_1 AP_2 • Enable N+1 backup.
• The configurations for heartbeat detection and active/standby link switchover

mode are the same as those in other backup modes. The default configurations
are used in this case and are not mentioned here.
Configuring N+1 Cold Backup - Configuring the WACs'
Global Priorities
Backup WAC3
10.23.100.4 On WAC1, configure the global priority and specify the IP address
Global priority: 5 of WAC3 for N+1 backup.
[WAC_1-wlan-view] ac protect priority 6
Primary WAC1 Primary WAC2 [WAC_1-wlan-view] ac protect protect-ac ip-address 10.23.100.4
Switch
On WAC2, configure the global priority and specify the IP address
10.23.100.2 10.23.100.3 of WAC3 for N+1 backup.
Global priority: 6 Global priority: 6 [WAC_2-wlan-view] ac protect priority 6
Individual priority Individual priority for [WAC_2-wlan-view] ac protect protect-ac ip-address 10.23.100.4
for AP_1: 3 AP_1: 3
On WAC3, configure the global priority.

[WAC_3-wlan-view] ac protect priority 5
AP_1 AP_2 [WAC_3-wlan-view] ac protect protect-ac ip-address 10.23.100.2
[WAC_3-wlan-view] ac protect protect-ac ip-address 10.23.100.3
• WAC priorities determine the WAC roles. The WAC with a higher priority is the
primary WAC, and that with a lower priority is the backup WAC.
• A smaller value indicates a higher priority.
• If multiple WACs have the same priority, the WAC that supports access of more
APs is the primary WAC.
• If the numbers of allowed APs are the same on WACs, the WAC that can connect
more STAs is used as the primary WAC.
• If the preceding conditions are the same, the WAC with a smaller IP address is
the primary WAC.
Configuring N+1 Cold Backup - Configuring Revertive
Switching
Backup WAC3
10.23.100.4
Global priority: 5
Primary WAC1 Primary WAC2

Switch Enable active/standby switching on WAC3. This configuration is
not required on the primary WACs.
10.23.100.2 10.23.100.3
Global priority: 6 Global priority: 6 [WAC3-wlan-view] undo ac protect restore disable
Individual priority Individual priority for
for AP_1: 3 AP_1: 3
AP_1 AP_2
• WAC priorities determine the WAC roles. The WAC with a higher priority is the
primary WAC, and that with a lower priority is the backup WAC.
• A smaller value indicates a higher priority.
• If multiple WACs have the same priority, the WAC that supports access of more
APs is the primary WAC.
• If the numbers of allowed APs are the same on WACs, the WAC that can connect
more STAs is used as the primary WAC.
• If the preceding conditions are the same, the WAC with a smaller IP address is
the primary WAC.
Configuring N+1 Cold Backup - Enabling N+1 Backup
On WAC1, enable N+1 backup and restart all APs to make the
function take effect.
[WAC_1-wlan-view] undo ac protect enable
Backup WAC3
Info: Backup function has already disabled.
10.23.100.4
Global priority: 5 [WAC_1-wlan-view] ap-reset all
Primary WAC1 Primary WAC2 On WAC2, enable N+1 backup and restart all APs to make the
Switch
function take effect.
10.23.100.2 10.23.100.3
Global priority: 6 Info: Backup function has already disabled.
Global priority: 6
Individual priority for Individual priority [WAC_2-wlan-view] ap-reset all
AP_1: 3 for AP_1: 3
On WAC3, enable N+1 backup.
AP_1 AP_2 [WAC_3-wlan-view] undo ac protect restore disable

Info: Protect restore has already enabled.
Info: Backup function has already disabled.
• By default, N+1 backup is enabled. The system displays an Info message when
you run the undo ac protect enable command. Run the ap-reset all command on
the primary WAC to restart all APs. After the APs are restarted, N+1 backup
starts to take effect.
Configuring N+1 Cold Backup - Verifying the Configuration
Run the display ac protect and display ap-system-profile Run the display ac protect and display ap-system-profile
commands on WAC1 and WAC2 to check N+1 backup information. commands on WAC3 to check N+1 backup information.
[WAC_1-wlan-view] display ac protect [WAC_3-wlan-view] display ac protect
------------------------------------------------------------ ------------------------------------------------------------
Protect state : disable Protect state : disable
Protect AC IPv4 : 10.23.100.4 Protect AC IPv4 :-
Protect AC IPv6 :- Protect AC IPv6 :-
Priority :6 Priority :5
Protect restore : enable Protect restore : enable
... ------------------------------------------------------------
------------------------------------------------------------ [WAC_3-wlan-view] display ap-system-profile name ap-system
[WAC_1-wlan-view] display ap-system-profile name ap-system ------------------------------------------------------------
------------------------------------------------------------ AC priority :-
AC priority :3 Protect AC IP address : 10.23.100.2
Protect AC IP address :- Primary AC :-
Primary AC :- Backup AC :-
Backup AC :- ------------------------------------------------------------
... [WAC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------ ------------------------------------------------------------
AC priority :-
Protect AC IP address : 10.23.100.3
Primary AC :-
Backup AC :-
------------------------------------------------------------
Contents
2. HSB Technologies
4. N+1 Backup
Overview of CAPWAP Link Failover
⚫ In direct forwarding mode on a WLAN, if a CAPWAP link fails, a failover policy can
be deployed to achieve uninterrupted WLAN services and retain original online STAs.
⚫ CAPWAP link failover policies include:
 Service holding upon CAPWAP link disconnection.
 Enabling the backup VAP upon CAPWAP link disconnection.
 WAN authentication bypass.
• Service holding upon CAPWAP link disconnection

▫ After a CAPWAP link is disconnected, an AP can still provide data services,
holding services of online STAs and allowing new STAs to access in
authentication mode with low security.
• WAN authentication bypass
▫ In an HQ-branch scenario, after a CAPWAP link is disconnected, an AP can

provide data services, holding services of online STAs and allowing new
STAs to access in original authentication mode locally on the AP.
• Enabling the backup VAP upon CAPWAP link disconnection
▫ After a CAPWAP link is disconnected, the original VAP is disabled, and the
backup VAP is automatically enabled. All STAs go offline from the original
VAP. You need to manually associate the STAs with the backup VAP so that
the STAs can access the backup SSID generated by the backup VAP.
Service Holding upon CAPWAP Link Disconnection in Direct
Forwarding Mode
Campus
network Function description
1. User data is forwarded in direct mode. If the CAPWAP link between the AP and
WAC is disconnected, services of online users are not interrupted and user data
can be forwarded normally.
WAC 2. After the function of allowing new user access upon CAPWAP link disconnection is
enabled, upon CAPWAP link disconnect between the AP and WAC, STA
authentication, association, and key negotiation for new STAs are performed
between the AP and STAs.
3. Whether a new STA can go online depends on the authentication mode bound to
the STA.
Data packet forwarding

Authentication
packet exchange
Application scenario
On a small-scale WLAN without the WAC backup design, this function ensures
uninterrupted user data forwarding when an AP disconnects from a WAC, improving
Online STA New STA service reliability.
• This function is valid only in direct forwarding mode, but does not work in tunnel
forwarding mode.
• When the function of allowing new STA access upon CAPWAP link disconnection
is disabled, the STA association and key negotiation are performed between the
WAC and STA. After this function is enabled, however, the STA authentication,
association, and key negotiation are performed between the AP and STA.
• For new access STAs:
▫ Open system, WEP, or WPA/WPA2-PSK authentication: The authentication

mode for new STAs remains unchanged.
▫ MAC address, Portal, or MAC address-prioritized Portal authentication: New

STAs can access the network without authentication.
▫ Other authentication modes: New STAs cannot access the network.

Enabling the Backup VAP upon CAPWAP Link Disconnection
Campus
network Function description
1. All existing STAs go offline and then access the network in the authentication
mode specified for the backup VAP.
2. The backup VAP supports the open system, WEP, WPA+PSK, WPA2+PSK, and
WAC WPA-WPA2+PSK authentication modes.
3. When the fault is recovered, the backup SSID is automatically disabled and the
original SSID is enabled.
4. Only the direct forwarding mode is supported.
SSID1 SSID2
Application scenario
On a small-scale WLAN where no backup WAC is deployed, this function provides

higher security than service holding upon CAPWAP link disconnection.
Online STAs are New and original STAs
brought offline. reassociate with the
new SSID.
Overview of WAN Authentication Bypass
⚫ In an HQ-branch campus network scenario, branches are connected to the HQ across a WAN, a WAC is deployed at the HQ, and APs
are deployed at branches. To address these problems, you can configure WAN authentication bypass to allow new STAs to connect
to the network after disconnection of CAPWAP tunnels between the WAC at the HQ and branch APs.
Internet Internet
WAC WAC
AP AP
WAN WAN
HQ network HQ network
Branch network Branch network
RADIUS server RADIUS server
Normal Authentication data flow Link failover

Service data flow
Network Architecture for WAN Authentication Bypass
Router WAC
⚫ Branch AP groups are created at branches, and
services, such as user access authentication, are
Server zone processed by APs. This function makes branch
(Portal, RADIUS, Gateway
DNS, etc.) HQ
networks less dependent on the HQ network. In this
way, users at branches can still use the WLAN even if
WAN
the branch networks are disconnected from the HQ
Branch
Gateway network.

WAC: centrally monitors and manages APs.
Switch2

Branch AP group: allows for unified management of
Branch
AP group member APs.
AP1 AP2 AP3 APn


AP1 to APn: member APs in the branch AP group (APs
that are added to the branch AP group are called branch
APs for short).
STA
Process for STAs to Go Online on Offline Branch APs
⚫ In WAN authentication bypass scenarios, STA access is controlled by APs in distributed mode when the APs are disconnected from a
WAC. In this solution, critical services are processed by APs, reducing the probability of packet loss and delay and improving users'
service experience.
⚫
When a STA goes online on an offline branch AP, the first two phases are the same as those for a common STA to go online. The
difference lies in the association phase.
STA AP
⚫
The STA sends an Association Request frame to the AP. This
frame carries the STA's own information and the parameters
selected by the STA according to the service configuration,
including the supported rate, channel, QoS capabilities, access
authentication mode, and encryption algorithm.
Association Request ⚫ After receiving the Association Request frame, the AP
performs access control on the STA.
Access control ⚫
The AP sends an Association Response frame to the STA.
Association Response processing
Implementation of WAN Authentication Bypass: The WAC
Delivers Configurations to APs
Access authentication
⚫ A WAN interruption will disconnect the WAC and APs configuration on APs
that communicate over the WAN. In this case, the APs
need to use the local authentication function to
authenticate new STAs. Therefore, the WAC needs to VAP profile Branch AP group
deliver access authentication configurations to the APs.
⚫ Delivered configurations to an AP are divided into: Authentication Local account
profile

Delivery of the same configuration information on the AP
Authentication
and WAC. 802.1X access profile
scheme
 Delivery of different configurations on the AP and WAC.
Built-in RADIUS
MAC access profile
server
Same configuration
Different configuration
• Delivered configurations are divided into two parts:

▫ Delivery of the same configuration information on the AP and WAC: To
reduce repeated configuration workload of the administrator,
configurations in the VAP profile view are multiplexed for the same
information on the AP and WAC. Delivered configurations include the
authentication profile bound to the VAP profile, and the 802.1X access
profile and MAC address access profile bound to the authentication profile.
▫ Delivery of different configurations on the AP and WAC: Different

information includes local accounts required when local authentication is
performed for STAs and configurations related to the authentication
scheme. For 802.1X access STAs, you need to configure a built-in RADIUS
server for processing EAP authentication packets. Different information on
the AP and WAC is configured in the branch AP group view, and the same
information is delivered to APs in the same branch AP group.
• Note:
▫ Configurations on the WAC are delivered to branch APs.

Implementation of WAN Authentication Bypass: Built-in
RADIUS Server Function of APs
⚫ The built-in RADIUS server of the AP can process EAP authentication packets. In this
case, 802.1X authentication can be performed on STAs when no external
authentication server is deployed.
⚫ EAP authentication protocols supported by the built-in RADIUS server include:
 EAP-TLS
 EAP-PEAP
 EAP-TTLS
• When 802.1X authentication is performed for STAs, the 802.1X authentication

mode of the device must be set to the EAP relay mode because STAs such as
mobile phones do not support the EAP termination mode. When the device is
configured to work in EAP relay authentication mode, the device does not process
EAP authentication packets, and EAP authentication packets need to be sent to
an authentication server for processing.
STA Roaming Between Offline Branch APs
⚫ In WAN authentication bypass scenarios, when APs go offline, STAs can roam
between offline branch APs at both Layer 2 and Layer 3.
CAPWAP tunnel
AC AC
Flow of traffic Flow of traffic
Flow of traffic Flow of traffic
after roaming after roaming
before roaming before roaming
HAP FAP HAP FAP
Roam Roam
STA STA STA STA
• STAs stay in the same subnet before and after Layer 2 roaming. The FAP
forwards packets of Layer 2 roaming STAs in the same way as those of new
online STAs, that is, it directly forwards the packets on the local network.
• STAs stay in different subnets before and after Layer 3 roaming. To enable the
STAs to access the original network after roaming, ensure that user traffic is
forwarded to the original subnet over CAPWAP tunnels.
CAPWAP Link Recovery (1)
⚫ Service holding upon CAPWAP link disconnection:
 When a non-open authentication mode is used, all STAs are forced to go offline and need
to go online again.
 When open system authentication mode is used, STAs are processed differently depending
on whether an AP restarts during the CAPWAP link disconnection period:
◼ If so, all STAs are brought offline.
◼ If not, STAs that are online before link disconnection are not brought offline, but new STAs that
go online during the link disconnection period will be.
CAPWAP Link Recovery (2)
⚫ WAN authentication bypass:
 All STA entries are synchronized to the WAC, and STAs are re-authenticated on the WAC.
Before re-authentication succeeds, all STAs retain the network permissions before the link
disconnection. If re-authentication succeeds, the WAC delivers new network permissions
to the STAs, and the STAs can properly access the network without the need to go online
again. If re-authentication fails, the STAs are brought offline and need to go online again.
⚫ Enabling the backup VAP upon CAPWAP link disconnection
 The AP automatically disables the backup VAP and restores the original VAP. All STAs go
offline from the backup VAP and need to go online again on the original VAP.
Comparing CAPWAP Link Failover Policies
Applicable Networking and
Failover Policy Authentication Mode After a Failover Advantage Disadvantage
Authentication Mode
Services of online STAs are held, and new STAs can access the
network as follows:
• Open system, WEP, or WPA/WPA2-PSK: The authentication Not secure
• Applicable networking: direct
Service holding mode of new STAs does not change. In some
forwarding networking in all Simple
upon CAPWAP scenarios • MAC address, Portal, or MAC address-prioritized Portal authentication modes,
deployment
link disconnection authentication: New STAs can access the network without new STAs cannot
• Authentication mode: all access the network.
authentication.
• Other authentication modes: New STAs cannot access the
network.
• Applicable networking: direct
forwarding networking in HQ- New STAs can
branch scenarios be
• Authentication mode: authenticated Complex deployment
WAN
Services of online STAs are held, and the authentication mode of locally on APs This failover policy is
authentication  WPA/WPA2-PPSK new STAs does not change. after the not available in many
bypass
 MAC address CAPWAP link is authentication modes.
disconnected,
 802.1X which is secure.
 MAC address + 802.1X
• Online STAs are

Enabling the • Applicable networking: direct • Online STAs are brought offline and then access the network in
• Simpler brought offline.
backup VAP upon forwarding networking in all authentication mode specified for the backup VAP.
deployment • STAs must be
CAPWAP link scenarios • The backup VAP supports the open system, WEP, WPA+PSK,
disconnection • More secure associated with the
• Authentication mode: all WPA2+PSK, and WPA-WPA2+PSK authentication modes.
new backup SSID.
Configuring Service Holding and Enabling the Backup VAP
upon CAPWAP Link Disconnection
Configure globally service holding upon CAPWAP link disconnection in the AP system profile.
[WAC-wlan-view] ap-system-profile name ap-system

[WAC-wlan-ap-system-prof-ap-system] keep-service enable allow new-access
[WAC-wlan-ap-system-prof-ap-system] quit
Configure service holding upon CAPWAP link disconnection in the VAP profile, which has a higher priority than that in the AP system profile.
[WAC-wlan-view] vap-profile name vap1

[WAC-wlan-vap-prof-vap1] keep-service enable allow new-access
Configure the device to disable the running VAP and automatically enable the backup VAP after the CAPWAP link is disconnected . The following
example assumes that the original VAP profile is normalvap and the backup VAP profile is backupvap.
[WAC-wlan-view]vap-profile name backupvap

[WAC-wlan-vap-prof-backupvap]copy-from normalvap
[WAC-wlan-vap-prof-backupvap]type service-backup ap-offline
• keep-service enable: enables service holding upon CAPWAP link disconnection.

• keep-service enable allow new-access: allows new STA access upon CAPWAP link
disconnection.
• To enable offline APs to allow access of new STAs in Portal or MAC address
authentication, configure the parameter no-auth when you run the keep-service
enable allow new-access no-auth command.
• The command does not take effect on a WDS network.
• The device detection and containment functions are mutually exclusive with the
function of enabling offline APs to provide access to new STAs. After new STA
access upon CAPWAP link disconnection is enabled, an AP continues to provide
data services after it goes offline. If the wids device detect enable or wids contain
enable command is executed, the WAC considers the AP as a rogue or interfering
device and adds it to the containment list. The containment mechanism prevents
new STAs from accessing the AP. In this case, the new STA access function does
not take effect after the AP goes offline.
• For an AP-offline backup service VAP:

▫ When the number of configured AP-offline backup service VAPs reaches the
maximum on the AP, the enabled offline management VAP does not take
effect when the AP goes offline.
▫ The configuration of an AP-offline backup service VAP is mutually exclusive

with the service holding upon link disconnection in the VAP profile and
tunnel forwarding for DHCP packets or mDNS packets.
Example for Configuring WAN Authentication Bypass
Branch HQ
AP Switch WAC
• Create and configure a branch AP group.
WAN
• Configure local authentication for the branch
AP group.
• Configure a local user in the branch AP group
and the access type of the user.
STA RADIUS server
• Configure a built-in RADIUS server.
Configuring WAN Authentication Bypass - Creating and
Configuring a Branch AP Group
Branch HQ
AP ID: 0
AP Switch WAC
Create a branch AP group named g1 and add AP 0 to the group.
WAN
[WAC-wlan-view] branch-group name g1
[WAC-wlan-branch-group-g1] ap 0
Warning: This operation may cause AP reset. Continue? [Y/N]:y
STA RADIUS server
• A maximum of 50 APs can be added to a branch AP group.

• An AP will restart after being added to a branch AP group. Therefore, exercise
caution when performing this operation.
Configuring WAN Authentication Bypass - Configuring the
Authentication Mode for the Branch AP Group
Set the authentication mode of the branch AP group to local

Branch HQ
authentication.
AP ID: 0
[WAC] aaa
AP Switch WAC [WAC-aaa] authentication-scheme branch
[WAC-aaa-authen-branch] authentication-mode local
WAN [WAC-aaa-authen-branch] quit
[WAC-aaa] quit
[WAC] wlan
[WAC-wlan-view] branch-group name g1
[WAC-wlan-branch-group-g1] authentication-scheme branch
STA RADIUS server
Configuring WAN Authentication Bypass - Configuring Local
Users in the Branch AP Group
Configure parameters of local users.
Branch HQ 802.1X authentication:
AP-ID: 0 [WAC-wlan-branch-group-g1] local-user test1 password cipher

Huawei@123
AP Switch WAC [WAC-wlan-branch-group-g1] local-user test1 service-type 8021x
WAN
MAC address authentication:

[WAC-wlan-branch-group-g1] local-user e005c5fab829 password cipher
Huawei@123
[WAC-wlan-branch-group-g1] local-user e005c5fab829 service-type
STA RADIUS server 8021x
Configuring WAN Authentication Bypass - Configuring a
Built-in RADIUS Server
Configure a built-in RADIUS server.
Branch HQ
[WAC-wlan-branch-group-g1] local-eap-server authentication eap-
AP ID: 0 method eap-peap eap-ttls eap-tls
AP Switch WAC
[WAC-wlan-branch-group-g1] local-eap-server authentication
WAN certificate ca format pem filename caserver.pem
[WAC-wlan-branch-group-g1] local-eap-server authentication
certificate local format pem filename serverlocal.pem
[WAC-wlan-branch-group-g1] local-eap-server authentication private-
key format pem filename server.pem password Huawei@123
STA RADIUS server [WAC-wlan-branch-group-g1] load-authentication-file
• The CA certificate, local certificate, and private key file in this example are for
reference only. Configure them based on the site requirements.
Configuring WAN Authentication Bypass - Verifying the
Configuration
⚫ When the WAC is disconnected from the AP, log in to the AP. You can see that the local user has gone online.
<AP> display access-user
-----------------------------------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------------------------------
6 test1 10.23.11.163 e005-c5fa-b829 Success
-----------------------------------------------------------------------------------------
Total: 1, printed: 1
Other common query commands:

• display branch-group: displays the branch AP group configuration.
• display ap branch-group: displays information about APs in a branch AP group.
• display ap authentication-file status: displays AP certificate loading information.
Quiz
1. Among protection switching technologies commonly used by Huawei, which does

not allow the primary and backup WACs to be deployed at different places?
2. What forwarding mode is required for CAPWAP link failover?
• VRRP HSB.
• Direct forwarding.
Summary
⚫ In this course, we have learned implementation and typical configurations

of common protection switching solutions for WLAN reliability, including
HSB, dual-link cold backup, N+1 backup, and CAPWAP link failover policies
(service holding upon CAPWAP link disconnection, WAN authentication
bypass, and enabling the backup VAP upon CAPWAP link disconnection).
Thank you. 把数字世界带入每个人、每个家庭、
每个组织，构建万物互联的智能世界。
Bring digital to every person, home, and
organization for a fully connected,
intelligent world.
Copyright©2021 Huawei Technologies Co., Ltd.

All Rights Reserved.
The information in this document may contain predictive

statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
WLAN Roaming
Foreword
⚫ WLAN roaming ensures that the STA's IP address remains unchanged. After
roaming, the STA can still access the initially associated network without
service interruption.
⚫ This course describes basic concepts of WLAN roaming, roaming
technologies, roaming experience optimization methods, typical roaming
scenarios, and roaming fault rectification.
Objectives

 Understand the technical principles of WLAN roaming.
 Understand common WLAN roaming optimization technologies.
 Understand typical roaming scenarios of Huawei WLAN Solution.
 Understand how to rectify roaming faults.
Contents
1. WLAN Roaming Overview
2. WLAN Roaming Technologies
3. WLAN Roaming Optimization
4. Typical Roaming Scenarios of Huawei WLAN Solution
5. WLAN Roaming Fault Rectification
What Is WLAN Roaming?
WAC
Signal strength
⚫ WLAN roaming enables STAs to move from

Switch
Channel 1 Channel 6 the coverage area of an AP to that of another
AP with nonstop service transmission.
⚫ As shown in this figure, the STA roams from
AP1 AP2
AP1 to AP2 without service interruption.
Distance
STA moving track
STA
Signal strength of AP1 Signal strength of AP2
Conditions of and Problems Solved by WLAN Roaming
Internet
⚫ The APs on which WLAN roaming is implemented must
have the same SSID, security profiles (same
WAC1 WAC2
configurations but can be named differently),
authentication mode, and authentication parameter
settings.
⚫ WLAN roaming offers the following advantages:

Avoids packet loss or service interruption caused by long-
term authentication.
AP1 AP2

Remains STAs' authorization information unchanged.
SSID: Huawei SSID: Huawei
Roaming

Retains STAs' IP addresses.
STA STA
Network Architecture of WLAN Roaming
Internet
Mobility group: STAs can roam
between WACs in the same group. This
WAC1 WAC2 group is called mobility group.
Inter-WAC tunnel (CAPWAP tunnel): is Mobility group
established using CAPWAP to synchronize
information about STAs and APs CAPWAP tunnel
managed by each WAC in a mobility
group.
AP1 AP2 AP3

Intra-WAC
Inter-WAC
roaming
roaming
STA STA STA
• In this example, AP1 and AP2 are managed by WAC1, while AP3 is managed by
WAC2.
Concepts of WLAN Roaming
Internet
WAC1 WAC2
Home AC (HAC): a WAC in a mobility Mobility group Foreign AC (FAC): the WAC that a
group with which a STA first associates STA roams to
CAPWAP tunnel
Home AP (HAP): an AP in a mobility Foreign AP (FAP): the AP that a

group with which a STA first associates STA roams to
AP1 AP2 AP3
roaming
roaming
Intra-AC
Inter-AC
STA STA STA
• Concepts:
▫ Home AC (HAC): the WAC in a mobility group that a STA first associates
with.
▫ Home AP (HAP): the AP in a mobility group that a STA first associates with.
▫ Foreign AC (FAC): the WAC that a STA roams to.
▫ Foreign AP (FAP): the AP that a STA roams to.

• Intra-WAC roaming: A STA roams within the same WAC.
• Inter-WAC roaming: A STA roams between different WACs.

WLAN Roaming Types
Layer 2 roaming Layer 3 roaming
Internet Internet
WAC WAC
VLAN 10 Roaming VLAN 10 VLAN 10 Roaming VLAN 20
SSID: Huawei SSID: Huawei SSID: Huawei SSID: Huawei

STA STA STA STA
• Layer 2 roaming: When a STA moves between APs, the service VLAN of the APs
and the STA gateway remain unchanged before and after roaming.
• Layer 3 roaming: The service VLANs of the SSIDs before and after roaming are
different. The service networks provided by APs are different Layer 3 networks
and correspond to different STA gateways. In this case, to ensure that the STA IP
addresses remain unchanged, STA traffic needs to be sent to the AP on the
initially accessed network segment to implement inter-VLAN roaming.
• Sometimes, two subnets have the same VLAN ID. Based on the VLAN ID, the
system may incorrectly consider that STAs roaming between the two subnets
roam at Layer 2. To prevent this situation, configure a roaming domain to
determine whether the STAs roam within the same subnet. The system considers
that the STAs roam at Layer 2 only when the STAs roam within the same VLAN
and the same roaming domain; otherwise, the STAs roam at Layer 3.
Intra-WAC Roaming
Internet
HAC = FAC
⚫ Intra-WAC roaming: A STA roams within the same

WAC
WAC.
⚫ Intra-WAC roaming can be regarded as a special

case of inter-WAC roaming where the HAC and
HAP FAP
FAC are the same.
VLAN 10 Roaming VLAN 10

STA STA
Inter-WAC Roaming
CAPWAP tunnel
Internet
⚫ Mobility group: WACs on a WLAN network
can be added to different groups. STAs can
roam between WACs in the same group. This
HAC FAC group is called mobility group.
⚫ Inter-WAC tunnel: Inter-WAC roaming
requires that WACs in a mobility group
synchronize STA and AP information with
each other. To achieve this, a tunnel needs to
HAP FAP be set up between WACs to synchronize data
and forward packets. An inter-WAC tunnel is
VLAN 10 Roaming VLAN 20
established using the CAPWAP protocol.
STA STA
• To enable inter-WAC roaming, you can configure one WAC as the mobility server
to maintain the membership table and deliver member information to WACs in
the mobility group. In this way, WACs in the group can identify each other and
set up inter-WAC tunnels.
▫ A mobility server can be an AC outside or inside a mobility group.
▫ A WAC can function as the mobility server of multiple mobility groups, and
can be added only to one mobility group.
▫ A mobility server managing other WACs in a mobility group cannot be

managed by another mobility server. That is, if a WAC functions as a
mobility server to synchronize roaming configurations to other WACs, it
cannot be managed by another mobility server or synchronize roaming
configurations from other WACs. (A WAC with a mobility group configured
cannot be configured as a mobility server.)
▫ A mobility server must be able to communicate with all managed WACs

but does not need to provide high data forwarding capability.
Contents
Proactive STA Roaming Process
⚫ A STA determines whether to trigger roaming based on the AP signal strength. If the signal strength
reaches the preset threshold, the STA triggers roaming. A typical STA roaming process involves three
phases:
 Scanning: Detects visible cells (identified by BSSIDs) based on the current location of the STA, and measures
signal strength of the detected cells.
 Network selection: Selects a cell as the target cell for roaming based on the signal strength of cells.
 Roaming: Selects a roaming mode supported by the network based on the STA and network capability.
Proactive STA Roaming: Scanning
Proactive STA scanning Passive STA scanning
Probe Request
STA1
Probe Response
STA AP AP
STA2
The STA sends a Probe Request frame containing an A STA listens on the Beacon frames that an AP
SSID over each channel to search for an AP with the periodically sends over each channel to obtain AP
same SSID. Only the AP with the same SSID returns a information. A Beacon frame contains various
Probe Response frame. information, including the SSID and supported rate.
• A STA can proactively or passively scan wireless networks.

• Proactive scanning: A STA periodically searches for neighboring wireless networks.
That is, the STA sends a Probe Request frame to an AP. After receiving the frame,
the AP responds with a Probe Response frame. After receiving the Probe
Response frame, the STA discovers the cell of the AP.
• Passive scanning: After receiving a Beacon frame from an AP, a STA discovers the
cell of the AP. The STA may not receive Beacon frames from the AP.
• Before roaming, a STA scans all channels in polling mode.

Proactive STA Roaming: Cell Selection
⚫ After scanning, a STA generates a cell list based on the scanning result and searches for candidate cells for roaming in the list
following certain rules. If no cell meets the preset rules, the STA does not perform cell handover. Cell selection rules vary with STA
vendors.
Internet
WAC
Cell selection rules for proactive STA roaming
⚫
A: signal strength threshold for roaming handover
HAP FAP ⚫
B: signal strength different threshold for roaming
handover
⚫
Proactive STA roaming is triggered when the
STA
following is met: (X < A)&&((Y – X) > B)
The strength of signals received by the STA from the HAP is X dBm.
The strength of signals received by the STA from the FAP is Y dBm.
• Take a Huawei mobile phone as an example, thresholds for triggering roaming:

▫ High-density: –70 dBm (5G); –72 dBm (2.4G)
▫ Low-density: –74 dBm (5G); –78 dBm (2.4G)
• A 5G network is preferred during roaming. As required, the gain of the target cell
must be at least 4 dB.
Proactive STA Roaming: Roaming
STA roaming STA joining
STA New AP STA AP

Probe Request Probe Request
Probe Response Probe Response
Authentication Request Authentication Request

Based on which the
AP determines
Authentication Response Authentication Response
whether the STA is
a newly onboarding
one or joins the AP
through roaming.
Reassociation Request Association Request
Reassociation Response Association Response
A STA roams from an old AP to a new AP. A STA connects to an AP.
• The procedure for a new STA (non-roaming STA) to associate with an AP is

different from that for a STA to roam to another AP. The major difference lies in
the reassociation frame.
• An AP considers that a STA roams from another AP only after receiving a

reassociation frame.
Contents
Roaming Impacts on Services
⚫ Video and voice services are sensitive to network delay and packet loss. Take the voice service as an example. Typically, the recovery
duration for the voice service should not exceed 50 ms. As a result, the number of continuously discarded packets should not exceed
3 during roaming.
 Voice service packet: Generally, voice service packets are sent at a fixed interval, for example, 20 ms, as shown in the figure on the left.
 Video service packet: Each video sample is forwarded via multiple packets. The number and size of packets vary with the video sample. As shown in
the figure on the right, the video samples are sent at an interval of 33 ms.
Voice packet Video Video Video Video packet

sample sample sample
1400 1400
Bytes
Bytes
1000 1000
600 Audio sample 600
200 200
Time Time
20 ms 33 ms
Roaming Duration
⚫ The roaming handover duration is a key
factor that affects in-roaming WLAN service STA AP WAC RADIUS server
experience.
⚫ Compared with open system authentication,
802.1X authentication has two additional Link authentication
processes: STA identity authentication and

Reassociation
key negotiation.
STA identity
⚫ Compared with WEP and PSK authentication, authentication
802.1X authentication takes a longer time in The STA identity
authentication and
STA identity authentication and roaming. key exchange take Key exchange
a long time.
• Open system authentication, WEP authentication, and PSK authentication last for
a short period, resulting in a short roaming duration. This ensures nonstop service
transmission.
• In contrast, 802.1X authentication takes a long time and involves a large number
of exchanged packets. Therefore, the roaming duration is longer than 200 ms.
This poses a great impact on timeliness-sensitive services, such as voice services.
Roaming Optimization Overview
⚫ Services are interrupted for a period of time during roaming handover. How long the interruption lasts for depends
on the roaming mode.
Service interruption duration during 802.1X

roaming
WLAN roaming optimization mode
1s
⚫ Fast roaming using Pairwise Master
Key (PMK) caching
300 ms
⚫ 802.11r roaming
⚫ Smart roaming (sticky STA)
80 ms
802.1X roaming Fast roaming using PMK 802.11r roaming

caching
• PMK (Pairwise Master Key) .

Fast Roaming Using PMK Caching
Internet 1. A STA accesses the Internet through AP1 for the first time. When the
STA is authenticated by WAC1 and a PMK is generated, the STA and
WAC1 both save the PMK. Each PMK has a PMK-ID, which is
calculated based on the PMK, SSID, STA MAC address, and BSSID.
WAC1 CAPWAP tunnel WAC2 WAC1 then synchronizes the PMK information to WAC2 through the
CAPWAP tunnel between them.
2. During roaming, the STA sends AP2 a Re-association Request packet
that carries the PMK-ID.
3. AP2 notifies WAC2 that the STA needs to roam from AP1 to AP2
after receiving the packet.
4. WAC2 searches the PMK caching table for the PMK of the STA
AP1 AP2 according to the PMK-ID carried in the Re-association Request
packet. If WAC2 finds a matching PMK, it considers that 802.1X
Channel 1 Roaming Channel 6 authentication has been performed on the STA and uses the cached
PMK for key negotiation.
SSID: Huawei
STA STA
• When the security policy is WPA2-802.1X, or the security policy is WPA-WPA2-

802.1X and the WPA2 authentication mode is configured on the 802.1X client,
fast roaming allows STAs to perform only key negotiation during roaming,
without having to be 802.1X authenticated again. In this case, fast roaming
reduces the roaming delay and improves WLAN service experience.
Intra - WAC 802.11r Fast Roaming
STA AP1 AP2
1. Associated with AP1

Generate and
2. FT Auth Request install the PTK
3. FT Auth Response
Generate and install the PTK
4. FT Reassociation Request
5. FT Reassociation Response
6. Roaming to AP2
• The 802.11r protocol uses the Fast BSS Transition (FT) function to reduce the
number of times information is exchanged between STAs in the same mobile
domain (MD) and does not require 802.1X authentication or key negotiation
during STA roaming. Users are unaware of service interruption and experience
low-latency data services during roaming, so their online experience is improved.
• FT: Fast BSS Transition.

• Pairwise Transient Key (PTK): is derived from the PMK and is used to encrypt
unicast data frames of a STA.
• Group Transient Key (GTK): is derived from the GMK and is used to encrypt
multicast or broadcast data frames of a specific SSID or AP.
• When a STA accesses the Internet through AP1 for the first time, the STA is
authenticated by the WAC and a PMK is generated.
▫ The WAC generates PMK-R0 (calculated based on the SSID, MDID, WAC
MAC address, and STA MAC address) and PMK-R1 of each AP based on the
PMK (calculated based on the PMK-R0, AP MAC address, and STA MAC
address), and delivers the PMK-R1 to AP1.
▫ The STA and WAC generate and install the pairwise transient key (PTK) and
the group temporal key (GTK) by performing the 4-way and 2-way
handshakes.
• During roaming, the STA sends an 802.11 FT Auth Request to AP2 and delivers
the PMK-R1 to AP2.
• After receiving the request, AP2 generates and installs a PTK according to the
PMK-R1 and information contained in the request. At the same time, AP2 starts
the reassociation timer, and sends an 802.11 FT Auth Response to the STA.
• After receiving the response, the STA generates and installs a PTK based on the
information contained in the response. The STA sends AP2 an FT Reassociation
Request.
• After receiving the request, AP2 disables the reassociation timer, and then sends
an FT Reassociation Response to the STA.
• After the STA receives the response, the roaming is complete.

Inter-WAC 802.11r Fast Roaming
WAC1 WAC2
PMK update for STA
STA AP1 AP2

Associated with AP1
Generate and
FT Auth Request install the PTK
FT Auth Response
Generate and install the PTK
FT Reassociation Request
FT Reassociation Response
Roaming to AP2
• MDID: indicates the roaming domain ID.

• PTK: is derived from the PMK and is used to encrypt unicast data frames of a STA.
• GTK: is derived from the GMK and is used to encrypt multicast or broadcast data
frames of a specific SSID or AP.
• When a STA accesses the Internet through AP1 for the first time, the STA is
authenticated by WAC1 and a PMK is generated.
• WAC1 generates PMK-R0 (calculated based on the SSID, MDID, WAC MAC
address, and STA MAC address) and PMK-R1 of each AP based on the PMK
(calculated based on the PMK-R0, AP MAC address, and STA MAC address), and
delivers the PMK-R1 to AP1.
• The STA and WAC generate and install the PTK and the GTK by performing the
4-way and 2-way handshakes.
• WAC1 synchronizes the PMK information to WAC2 through the tunnel between
them.
• WAC2 generates PMK-R0 and PMK-R1 of AP2 based on the PMK, and delivers
PMK-R1 to AP2.
• During roaming, the STA initiates an 802.11 FT Auth Request to AP2 and delivers
PMK-R1 to AP2.
• After receiving the request, AP2 generates and installs a PTK according to the
PMK-R1 and information contained in the request. At the same time, AP2 starts
the reassociation timer, and sends an 802.11 FT Auth Response to the STA.
• After receiving the response, the STA generates and installs a PTK based on the
information contained in the response, and then sends AP2 a Reassociation
Request.
• After receiving the request, AP2 disables the re-association timer and sends a
Reassociation Response to the STA.
• After the STA receives the response, the roaming is complete.
Comparison of WLAN Roaming Modes
Whether the STA

Roaming Mode Applied Security Policy Description
Support Is Required
• Applicable to all scenarios

• Easy to configure
Common roaming N/A All security policies
• Services may be interrupted for a
short period during roaming
• 802.1X authentication is not required

Fast roaming using WPA2+802.1X, WPA-WPA2+802.1X during roaming
Yes
PMK caching (WPA2 authentication for 802.1X clients) • Key negotiation is required
• Low latency
Open system authentication, • Authentication and key negotiation

802.11r roaming Yes WPA2+PSK+AES, WPA2+PPSK+AES, is not required during roaming
WPA2+802.1X+AES • Low latency
• Fast roaming using PMK caching is applicable only to a few scenarios. (This
function takes effect only when a STA roams to an authenticated AP.)
Sticky STAs in Mobility Scenarios
AP1 AP2 AP3 AP4 AP5
Short distance, low

Short distance, low
path loss, high-quality
path loss, high-quality
signal, high speed.
signal, high speed.
The STA is moving.

1 2
Before the STA moves, it accesses AP1 After the STA moves, it still connects to
with the best signal quality by now. 3 AP1. However, for the STA, AP4 has the
best signal quality now.
• Some STAs on networks have low roaming aggressiveness. As a result, they stick
to the initially associated APs regardless of whether they move far from the APs,
and have weak signals or low data transmission speeds. The STAs fail to roam to
neighboring APs with better signals. They are called sticky STAs.
• Sticky STAs may bring the following problems:
• Poor service experience: The STAs stick to weak-signal APs, causing a sharp
decrease in the data transmission speed of the radio channel.
• Channel performance degradation: The STAs experience poor signals or low data
transmission speeds, and packet loss and retransmissions occur frequently. As a
result, the STAs occupy the radio channels for a long time, preventing STAs with
good signals from using the radio channel for enough time.
Main Principles of Huawei Smart Roaming
Identify sticky STAs.
A STA supports A STA does not

802.11k. support 802.11k.
Enable the STA to N Trigger a

Whether the AP starts
perform 802.11k-based blind
channel scanning?
measurement. handover.
Y
The WAC selects a more The WAC selects a more

appropriate AP for the appropriate AP for the
STA. STA.
The current AP
Does the STA N disconnects the STA and
support 802.11v? steers the STA to roam
to another AP.
Y
Enable the STA to roam

to the target AP using
802.11v.
• To solve the sticky STA issue, Huawei proposes the smart roaming solution.
• Every roaming process consists of three phases: roaming measurement, roaming
decision, and roaming execution.
▫ Roaming measurement: The WAC collects STA information to determine

whether there is a sticky STA and obtain the STA capability.
▫ Roaming decision: Based on the decision mechanism and collected

information, the WAC determines whether a sticky STA needs to roam to
an AP and to which AP the sticky STA roams.
▫ Roaming execution: During roaming, the WAC selects a more appropriate

AP for sticky STAs.
Smart Roaming Process
1. AP1 collects STA information, discovers neighboring
The WAC selects an optimal APs, and periodically reports the STA and neighbor
2
neighboring AP for the STA. information to the WAC.
WAC 
When the STA associates with AP1, AP1 collects the SNR
and access speed of the STA in real time and determines
2
whether it is a sticky STA. If it is a sticky STA, AP1 reports
the STA information to the WAC.
Information collection
and report. 2. After receiving the reported information, the WAC
Result
1 delivery 1 1 selects an optimal neighboring AP as the target AP to
AP1 AP2 AP3 which the STA is to roam and delivers the target AP
information to AP1.
3
3. AP1 forces the STA to roam to AP2 through the BSS
4 transition mechanism defined in the 802.11v protocol
or the forced logout mode.
Roaming
4. The STA roams to AP2.
Smart Roaming: Neighboring AP Information Collection
802.11k-capable STA 802.11k-incapable STA
⚫ When detecting a sticky STA, an AP proactively triggers ⚫ For an 802.11k-incapable STAs, an AP discovers
the STA to collect neighboring AP information based on neighboring APs of the STA through proactive channel
the 802.11k mechanism. scanning.
AP AP AP AP
Proactive scanning Proactive scanning
802.11k-capable STA 802.11k-incapable STA
• Sticky STAs require the network to help them select more appropriate APs.
Therefore, the network side needs to collect information about neighboring APs
of the STAs through the measurement and information collection mechanism
defined in the 802.11k protocol. This mechanism, however, is not applicable to
802.11k-incapable STAs. For STAs that do not support 802.11k, APs discover
neighboring APs of the STAs through proactive channel scanning.
Smart Roaming: Roaming Steering and Handover Process
802.11v-capable STA 802.11v-incapable STA
Before roaming STA After roaming Before roaming STA After roaming
BSS Transition
Management Request Disassociation
BSS Transition
Management Response
Probe Request Probe Request Probe Request
Authentication Request Authentication Request
Authentication Response Authentication Response
Reassociation Request Association Request
Association Response
Reassociation Response
• For an 802.11v-capable STA, the network side selects the most suitable AP for
the STA to roam to. The entire process is as follows: The HAP sends the target AP
information (for example, the AP's working channel) to the STA through a BSS
Transition Management Request frame. The STA returns a BSS Transition
Management Response frame. After the STA and the target AP exchange
authentication information, the STA gets associated with the target AP through
reassociation frames.
• For an 802.11v-incapable STA or a STA that claims to support 802.11v but

actually does not support 802.11v, the WAC instructs the AP that the STA is
currently associated with to disconnect this sticky STA and delivers a STA blacklist
to the AP. Once a STA is blacklisted, the AP stops responding to Probe Request
frames sent by the STA 10 times and rejects the association request from it once.
Configuring Smart Roaming
⚫ Configure smart roaming as follows:
[WAC-wlan-view] rrm-profile name wlan-rrm
[WAC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable //Enable smart roaming.
[WAC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr //Configure the SNR-based roaming triggering mode.
[WAC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15 //Set the threshold for triggering roaming.
Contents
2. WLAN Roaming Technology
Roaming Issues in a Typical Smart Warehousing Scenario
Application
system
AGV scheduling system Stock-in/out management system
Network
⚫
Passive roaming: A STA initiates roaming
only after it is disconnected, leading to
unstable performance.
⚫
Long roaming latency: During STA
roaming, the network is interrupted for
more than 2s, affecting services.
⚫ Abnormal in-roaming disconnection:
Coordinated roaming control module between APs and AGVs
STA STAs go offline abnormally, coupled with
decreased access speed and sudden stops.
AGV Manual intervention is required.
• With the automation wave, the IT investment in the global logistics industry
keeps growing rapidly. Warehousing is one of the most important parts in the
logistics industry. As the industry is developing rapidly, automatic robot control
and scheduling pose unprecedented requirements over the real-time performance,
reliability, and concurrency of WLAN communication.
• The 802.11v and 802.11r protocols that can be used to accelerate roaming are
not mandatory. A large proportion of STAs do not support these protocols. As a
result, STAs need to scan all channels after disconnecting from the currently
associated BSS and before roaming. This is disastrous for continuous and delay-
sensitive network services.
• In a smart warehousing scenario, a WLAN network is deployed to report the
location and status information about AGVs and deliver operation control
instructions so as to implement automatic goods sorting and distribution. In this
scenario, the automatic navigation roaming optimization function is enabled so
that the WLAN network can correctly and reliably send running control
information to the target device in real time.
Key Technologies of Lossless Roaming: Efficient Lossless
Scanning (1)
⚫ Issues: Only channels 36 and 149
need to be scanned.
 Roaming timeliness depends on the scanning
efficiency.
 The duration for scanning all channels is too long
(100 ms x 13 or even 100 ms x 24).
⚫ Optimization solution: Channel Channel Channel

36 48 149
 Huawei solution: Based on the automatic network
topology identification algorithm, APs instruct STAs
to scan only neighboring channels, bringing more
Currently, the AGV
timely and reliable scanning results. works on channel 48.
• Huawei implements lossless roaming for AGVs in the smart warehousing scenario
as follows:
• Huawei lossless roaming technology selects proper neighboring channels to be
scanned by STAs based on the network topology and sends the channel set
information to STAs. The resulting benefits include more timely and reliable
scanning results and much higher channel scanning efficiency of STAs.
• In addition, before a STA performs channel scanning for roaming handover, it
notifies the AP of the scanning initiation. The AP then buffers the packets
destined for the STA and delays packet transmission. This ensures that no packet
is lost during channel scanning.
Key Technologies of Lossless Roaming: Efficient Lossless
Scanning (2)
⚫ Issue:

When an AGV scans channels for roaming handover, the
AP continues sending packets to the AGV, causing packet
loss.
⚫ Optimization solution:
Scanning is completed.

Huawei solution: Before scanning channels for roaming 2 Resume packet
transmission.
handover, the AGV notifies its associated AP not to Start to scan channels
and notify the AP to stop 1
transmit packets to it. The AP then buffers the packets and
transmitting packets.
delays packet transmission. After channel canning is
completed, the STA instructs the AP to transmit packets to
it again. This ensures zero packet loss during channel
scanning.
Key Technologies of Lossless Roaming: Lossless Roaming
Handover
⚫ Issue: WAC

After an AGV roams to another AP, its Start to buffer packets
previously associated AP discards the packets and send the buffered
packets to the WAC. 2 The WAC forwards
3 the buffered packets
that are not sent to the AGV before roaming.
to AP2.
⚫ Optimization solution:
AP1 (before roaming) AP2 (after roaming)

Before roaming, the AGV instructs the AP to
buffer packets destined for the AGV.
 The AP starts to buffer packets.
 After the AGV roams to another AP, the AP2 forwards the
4 buffered packets
buffered packets then are sent to the AGV. 1
to the AGV.
Instruct AP1 to buffer
packets destined for
the AGV.
Key Technologies of Lossless Roaming: Enhanced Anti-
Interference
⚫ Issue:

Currently, applications on an AGV produce light traffic
volume, but pose high requirements over network
reliability. If the network environment deteriorates,
network reliability decreases, adversely affecting AGV
services.
Increase the priority
⚫ Optimization solution: of service packets
from BE to VO.

QoS optimization: Priorities of the uplink and downlink Decrease the data
transmission
AGV service packets are both increased to VO. speed upon
interference.

When the network environment deteriorates, the AMC
algorithm of the AGV's associated VAP reduces the data
transmission speed to improve the anti-interference
capability.
Configuring Roaming Optimization in a Typical Smart
Warehousing Scenario
Enable automatic navigation roaming optimization.
[WAC-wlan-view] vap-profile name profile-name

[WAC-wlan-vap-prof] autonavigation-roam-optimize enable //Enable automatic navigation roaming optimization.
Precautions:
• The 2.4 GHz radio is vulnerable to severe interference. Therefore, you are advised to use the automatic
navigation roaming optimization function on the 5 GHz radio.
• The automatic navigation roaming optimization function takes effect only when the forwarding mode is
tunnel forwarding.
Healthcare Scenario: Agile Distributed SFN Roaming
Roaming
WAN
Room Room Room Room
RU RU RU
Agile distributed Same Frequency Network (SFN) roaming
On an agile distributed WLAN, all RUs of a central AP are deployed on the

Corridor
same working channel and use the public BSSID to communicate with
Central AP
STAs. When a STA moves within the coverage area of the same SSID, the
RU RU RU STA is unaware of the roaming process, and services are not interrupted.
Room Room Room Room
• In healthcare scenarios, medical personnel take handheld STAs for ward

inspection, infusion check, and vital sign recording during mobile ward rounds.
However, these handheld STAs do not support 802.11k, 802.11v, or 802.11r, and
have poor roaming aggressiveness. This may result in packet loss or long network
latency. Making the matter worse, sometimes, network services are interrupted,
and the medical personnel need to log in to the application software again or
scan the barcode again, seriously affecting work efficiency of the medical
personnel.
• To address these problems, Huawei launches the agile distributed SFN roaming
function. On an agile distributed WLAN, all RUs of a central AP are deployed on
the same working channel and communicate with STAs using the public BSSID.
When a STA moves within the coverage area of the same SSID, the STA is
unaware of the roaming process, and services are not interrupted.
• Compared with traditional intra-central AP roaming, agile distributed SFN

roaming eliminates the impact of STA differences on the roaming effect. In
addition, STA reassociation, authentication, and key negotiation are not required
during roaming handover. The resulting benefits include smooth and fast
roaming handover, and much lower packet loss rate.
• The typical application scenarios are as follows:
▫ A hospital deploys only an intranet to which only medical personnel can
access. In addition, agile distributed SFN roaming is enabled on a VAP of
only one radio.
▫ A hospital deploys an intranet and an extranet, which reside on different
radios. Agile distributed SFN roaming is enabled on the radio of the
intranet, while intra-central AP roaming is enabled on the radio of the
extranet.
▫ A hospital deploys an intranet and an extranet, which reside on the same
radio. After agile distributed SFN roaming is enabled on the intranet VAP,
agile distributed SFN roaming is automatically enabled on the extranet VAP.
Agile Distributed SFN Roaming Implementation: STA Access
WAC Central AP HAP STA FAP
Beacon Beacon
Probe Request Probe Request
Authentication Request
Authentication Request
Authentication
Authentication Response Response
The RU sends the Association Request Association Request

Select an RU to Association Request
return an Association frame.
Response frame.
Forward the STA's
Association Response
Association Request
frame. Association Response
Add a STA
association table. Key negotiation
• STA access:
▫ All RUs broadcast Beacon frames to STAs using the public BSSID
automatically generated by the central AP based on the MAC address.
▫ A STA sends a Probe Request frame. After receiving the Probe Request
frame, all RUs respond with a Probe Response frame using the public BSSID.
▫ The STA sends an Authentication Request frame. After receiving the

Authentication Request frame, all RUs respond with an Authentication
Response frame using the public BSSID.
▫ The STA sends an Association Request frame. After receiving the

Association Request frame, all RUs forward it to the central AP and notifies
the central AP of the STA's SNR.
▫ The central AP selects an RU with the optimal SNR to respond to the STA
with an Association Response. Within a specified period, the central AP
discards Association Request frames reported by other RUs. Subsequently,
only the selected RU communicates with the STA.
▫ The central AP reports the Association Request frame of the STA to the
WAC. Then the WAC adds STA information to the STA association table.
▫ The central AP, RU, and STA perform unicast and multicast key negotiation.
Agile Distributed SFN Roaming Implementation: Roaming
Handover
WAC Central AP HAP STA FAP
The RUs send

the STA's RSSI.
Roaming
decision
Roaming handover
• Roaming handover:
▫ The HAP (RU with which the STA first associates) periodically reports the
STA's RSSI to the central AP. The FAP (RU to which the STA roams)
periodically reports the RSSI of neighbors to the central AP.
▫ The central AP selects the optimal RU as the FAP using the roaming
decision algorithm, and synchronizes STA information to the FAP. The
central AP checks the following handover conditions in sequence. If any of
the conditions is met, a roaming handover is triggered. If multiple RUs meet
the following three conditions, the RU with the highest RSSI is selected for
the roaming handover.
▪ The cumulative RSSI change value of the STA reaches the specified
threshold.
▪ The number of times the RSSI of a surrounding RU is higher than that

of the local RU reaches the specified value.
▪ The RSSI gap between the local RU and surrounding RUs reaches the
specified value.
Data Packet Forwarding on an Internal Agile Distributed
SFN
WAN Before roaming:
1. The STA sends service packets to RU1.
2. RU1 forwards the packets to the central AP.
WAC 3. The central AP forwards the packets to the upper-layer network
through the gateway for STAs.
After roaming:
Central AP 3. The central AP forwards the packets to the upper-layer network
RU1 RU2
Data packet flow before roaming
Roaming Data packet flow after roaming

STA STA
Gateway for STAs
Data Packet Forwarding on an External Agile Distributed
SFN
WAN
Before roaming:
WAC 2. RU1 forwards the packets to the central AP.
3. The central AP forwards the packets to the upper-layer network
After roaming:
Central AP
3. The central AP forwards the packets to the upper-layer network
RU1 RU2
Data packet flow before roaming
Roaming Data packet flow after roaming

STA STA
Gateway for STAs
Configuring Agile Distributed SFN Roaming
Enable agile distributed SFN roaming
[WAC-wlan-view] vap-profile name profile-name
[WAC-wlan-vap-prof] sfn-roam enable
Precautions:
• If agile distributed SFN roaming is enabled on both 2.4 GHz and 5 GHz radios, you are advised to use different
SSIDs. Otherwise, STAs may switch radios, affecting user experience. The automatic navigation roaming
optimization function takes effect only when the forwarding mode is tunnel forwarding.
• Agile distributed SFN roaming can be enabled for only one VAP on a radio.
• After agile distributed SFN roaming is enabled on a radio, channel scanning, channel calibration, or smart
roaming cannot be configured on the radio.
• Agile distributed SFN roaming can only be configured based on AP groups instead of APs.
Contents
2. WLAN Roaming Technology
Troubleshooting a STA Roaming Failure (1)
⚫ Check why the STA fails to go online and offline to
WAN
determine whether the STA fails to access the network
or roam to another AP.
WAC1 WAC2

Step 1: Run the display station online-fail-record sta-mac
command on the WAC to check why the STA fails to go
online. Run the display station offline-record sta-mac
command on the WAC to check the STA going-offline
records.

Step 2: If the time recorded in the STA going-online failure
AP1 AP2 reason is the same as the time when the STA fails to roam,
SSID: Huawei SSID: Huawei bring the STA online on AP2. If the STA fails to go online,
rectify the fault based on the troubleshooting roadmap for
Roaming fails
a STA association failure. If the time recorded in the STA
STA STA
going-offline failure reason is the same as the time when
the STA fails to roam, the roaming check fails.
Troubleshooting a STA Roaming Failure (2)
⚫ The following lists the possible causes of a STA's failure to roam from AP1 to AP2:
 The security profile configuration of AP1 is different from that of AP2.
 The STA initiates Layer 3 roaming, but Layer 3 roaming is disabled on the WAC.
 If AP1 and AP2 are connected to different WACs, the inter-WAC roaming configuration may be incorrect or no
service VLAN has been created.
 If the STA goes offline during roaming, the APs' signal coverage may be discontinuous or the power
configuration may be improper.
 Signals with the same SSID from other vendors exist on the air interface.
 The threshold for disconnecting weak-signal STAs during smart roaming is improper.
 AP1 and AP2 are on different subnets, but Layer 2 roaming is configured. (In Layer 2 roaming mode, AP1 and
AP2 must belong to the same VLAN.)
• If the time recorded in the STA going-offline failure reason is the same as the
time when the STA fails to roam, the roaming check fails. These are the possible
causes of a STA roaming failure.
Troubleshooting a STA Roaming Failure: Checking the
Security Profile Configuration
WAN
Check whether the security profile configuration is consistent on
AP1 and AP2.
WAC1 WAC2 Enter the security profile view. Configure a new key and ensure that
the same key is configured in the security profiles of AP1 and AP2.
[WAC-wlan-view] security-profile name default

[WAC-wlan-sec-prof-default] security wpa2 psk pass-phrase huawei123 aes
AP1 AP2
Roaming fails
STA STA
Troubleshooting a STA Roaming Failure: Checking the Layer
3 Roaming Configuration
Check whether Layer 3 roaming is disabled.
WAN 1. Check whether the STA roams at Layer 2 or Layer 3.

[WAC] display vap-profile name default
--------------------------------------------------------------------------------
Service VLAN ID : 101
WAC1 WAC2 Service VLAN Pool :-
Permit VLAN ID :-
Auto off service switch : disable
Auto off starttime :-
Auto off endtime :-
STA access mode : disable
STA blacklist profile :
STA whitelist profile :
Home agent : ap
VLAN mobility group :2
Layer3 roam : enable
AP1 AP2 --------------------------------------------------------------------------------
SSID: Huawei SSID: Huawei 2. If the STA roams at Layer 3, check whether Layer 3 roaming is
Roaming fails disabled in the VAP profile.

[WAC-wlan-view] vap-profile name default
STA STA [WAC-wlan-vap-prof-default] display this
#
layer3-roam disable
• Enter the view of the VAP profile bound to the AP group to which AP1 and AP2
belong respectively, and check whether Layer 3 roaming is disabled in the VAP
profile.
▫ If the STA initiates Layer 3 roaming but Layer 3 roaming is disabled, the
roaming fails.
▫ Depending on whether a STA roams within the same subnet, STA roaming
is categorized as Layer 2 and Layer 3 roaming.
▪ Subnets with different VLAN IDs reside on different network segments.

STAs roaming between these subnets roam at Layer 3.
▪ In some cases, two subnets with the same VLAN ID are on different
network segments. Based on the VLAN ID, the system may incorrectly
consider that STAs roaming between these two subnets roam at Layer
2. To prevent such an error, configure a roaming domain to determine
whether the STAs roam within the same subnet. STAs are considered
roaming at Layer 2 only when they roam within the same VLAN and
same roaming domain; otherwise, the STAs roam at Layer 3.
▪ Enter the view of the VAP profile bound to the AP group to which AP1
and AP2 belong respectively, and check whether Layer 3 roaming is
disabled in the VAP profile. If the STA initiates Layer 3 roaming but
Layer 3 roaming is disabled, the roaming fails.
Troubleshooting a STA Roaming Failure: Checking Whether
the VLAN Configuration Is Correct
WAN ⚫ Check whether the VLAN configuration is correct
before and after roaming.
WAC1 WAC2
 The service VLAN must be correctly created before ad
after roaming. Especially for inter-WAC roaming, service
VLANs of AP1 and AP2 must be created on all WACs
involved in roaming.

If service data is forwarded in direct mode, all ports on the
link between AP1 and AP2 must allow packets from the
AP1 AP2 service VLAN to pass through and the service VLAN must

be created on the WAC. This ensures that data packets
can be forwarded properly after the STA roams.
Roaming fails
STA STA
the Mobility Group Status Is Normal
If the STA roams between WACs, check whether the
WAN
mobility group status is normal.
<WAC> display mobility-group name roam
--------------------------------------------------------------------------------
WAC1 WAC2 AC ID State IP address
--------------------------------------------------------------------------------
1 normal 192.168.10.3
2 fault 192.168.10.4
--------------------------------------------------------------------------------
If the state of a mobility group member is fault, check

whether the mobility group configuration is correct.
[WAC] mobility-group name mobility
AP1 AP2 [WAC-mc-mg-mobility] display this
#
SSID: Huawei SSID: Huawei member ip-address 192.168.10.1
member ip-address 192.168.10.2
Roaming fails
STA STA If the configuration is correct, run the ping command to
check the network connectivity between WACs.
the APs' Signal Coverage Is Continuous
Internet
⚫ Check whether the signal coverage of the HAP and
FAP is continuous.
 If the HAP and FAP are too far away from each other,
WAC
the STA may go offline and online again due to
discontinuous signal coverage, causing a roaming
failure.
HAP FAP
 Use common tools such as the CloudCampus APP to
check the APs' signal coverage.
Roaming fails
 If the APs' signal coverage is discontinuous, increase
the transmit power of the APs or add more APs to
STA ensure continuous signal coverage.
the APs' Transmit Power Is Proper
Internet
Check whether the APs' transmit power is proper.

<WAC> display radio ap-id 25
WAC CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
------------------------------------------------------------------------------------
AP ID Name RfID Band Type Status CH/BW CE/ME STA CU
HAP FAP ------------------------------------------------------------------------------------
25 ap-yuan 0 2.4G bgn on 8/20M 29/29 1 21%
25 ap-yuan 1 5G an11ac on 165/20M 23/30 0 4%
------------------------------------------------------------------------------------
Roaming fails Total:2
STA
• If the transmit power is set to a small value, signal coverage holes may exist. In
this case, run the eirp command in the radio view to increase the transmit power.
• If the transmit power is set to a large value (for example, the full power), the
STA may associate with a remote AP, causing roaming insensitivity. In this case,
run the eirp command in the radio view to reduce the transmit power or enable
smart roaming.
Troubleshooting a STA Roaming Failure: Checking an
Unauthorized SSID
⚫ Check whether an unauthorized AP with the same SSID as an authorized SSID exists on the WLAN.
<WAC> display ap neighbor ap-id 0
Radio: Radio ID of AP
......
Uncontrol AP:
----------------------------------------------------------------------------------------------------------------------------
Radio BSSID Channel RSSI(dBm) Last Update Time SSID
-----------------------------------------------------------------------------------------------------------------------------
0 d0d0-4b22-df00 1 -50 2019-08-24/15:32:18
0 c4b8-b4f0-6980 1 -44 2019-08-24/15:31:06
0 10c1-72dd-12e0 11 -41 2019-08-24/15:28:27 roam
0 9c50-ee45-6240 1 -54 2019-08-24/15:32:06
-----------------------------------------------------------------------------------------------------------------------------
Total: 4
• Check whether an unauthorized AP with the same SSID exists on the WLAN. If so,
disable the SSID of the unauthorized AP.
the Fault Is Rectified
⚫
Move the STA between two APs and run the display station roam-track command to check the STA's roaming track. If the roaming
track displayed in the command output is normal, the fault is rectified. If the roaming still fails, collect system logs and diagnostic
logs generated during the roaming, collect fault diagnosis information using the commands listed in the following table, and contact
Huawei technical support personnel.
Command Description
[WAC] trace enable Display trace information about the STA during the going-online
[WAC] trace object mac-address or roaming process.
[WAC] display station online-fail-record
Display the STA going-online or going-offline cause.
[WAC] display station offline-record
[WAC-diagnose] display wlan wsta block-sta-number all
[WAC-diagnose] display wlan wsta online-statistics
Display the STA going-online or going-offline cause code.
[WAC-diagnose] display wlan wsta online-fail-record by-mac
[WAC-diagnose] display wlan wsta peak-statistics
Display one-click diagnosis information on the WAC, including
[WAC-diagnose] display diagnostic-information the system version, patch version, current configuration, saved
configuration, exception information, and some logs.
Quiz
1. Does a STA need to be re-authenticated or re-logged in during roaming?

2. Do all STAs support 802.11r roaming?
3. How can I determine whether a STA roams at Layer 3?
• The STA does not need to be re-authenticated or re-logged in during roaming.

• Not all STAs support 802.11r roaming. Many traditional STAs do not support
802.11r roaming.
• Subnets with different VLAN IDs reside on different network segments. When
STAs roam between these subnets, they roam at Layer 3. If the two subnets have
the same VLAN ID but different roaming domains, the STAs also roam at Layer 3.
Summary
⚫ This chapter describes the network architecture of WLAN roaming and the
impacts of roaming on services. Roaming optimization modes, such as
802.11r roaming, smart roaming, and agile distributed SFN roaming,
enable smooth, fast roaming handovers and minimize the packet loss rate.
In this way, service data flows are transmitted at a low latency and users
are unaware of the service interruptions during roaming, improving user
experience.
intelligent world.


• Radio calibration is triggered when a new AP is connected to a WLAN, an AP
leaves the WLAN, or the radio environment deteriorates.
• In the figure on the left, four APs work on the 2.4 GHz frequency band.
• AP4 causes co-channel or adjacent-channel interference to neighboring APs no

matter which channel it works on. In addition, the area covered by AP4 can be
fully covered by the other three APs.
• Therefore, AP4 is a redundant AP on this WLAN.
• The following policies are available to process a redundant 2.4 GHz radio:
▫ SWing it to 5G: If 5 GHz channel resources are sufficient, a redundant 2.4

GHz radio is switched to the 5 GHz mode, increasing the maximum
capacity of 5 GHz radios.
▫ SWing it to the monitor mode: If 5 GHz channel resources are insufficient, a

redundant 2.4 GHz radio is switched to the monitor mode and used for
scanning services.
▫ Disabling it: Disabling a redundant 2.4 GHz radio decreases co-channel

interference without affecting radio coverage.
• For 5 GHz Wi-Fi networks in high-density indoor scenarios, adjusting the
frequency bandwidth does not cause extra interference. Therefore, the DBS
algorithm adjusts the frequency bandwidth in hotspot areas to 40 MHz or 80
MHz based on the channel allocation to improve the network throughput.
• If the channels of APs in hotspot areas interfere with those of other APs after the
frequency bandwidth is increased, the DBS algorithm reduces the frequency
bandwidth of the APs in hotspot areas to mitigate interference on the network.
• After global radio calibration is enabled, the WAC requests APs to start neighbor
probing.
• The APs periodically perform neighbor probing and report neighbor information
to the WAC.
• After the WAC receives neighbor information from all of the APs, it uses global
radio calibration algorithms to allocate channels, bandwidth, and power to the
APs.
▫ Global calibration algorithms include the DCA, DBS, DFA, and TPC
algorithms.
• The WAC delivers calibration results to the APs. After the WAC performs global
radio calibration for the first time, it starts the next global radio calibration until
it receives new neighbor information from all APs. The WAC continuously
performs global radio calibration for multiple times to achieve the optimal and
accurate calibration results.
• Typically, automatic radio calibration takes 20 minutes in total, with each round
taking 5 minutes.
• Neighbor probing enables APs to detect each other. Two neighbor probing
modes are available.
▫ Active probing: An AP actively sends Probe Request frames to notify

surrounding APs of its existence. An AP periodically (every 1 minute by
default) sends Probe Request frames destined for a specified multicast IP
address on different channels for multiple times. A random delay is added
to the end of the sending period to reserve sufficient time for the AP to
receive responses from multiple neighbors concurrently. To prevent probing
conflicts in scenarios where a large number of APs are deployed, a remedy
mechanism is designed on the WAC, so that when AP1 receives a Probe
Request frame from AP2 but does not receive a Probe Response frame from
AP2, AP1 is still added to the neighbor list of AP2.
▫ Passive probing: An AP passively receives neighbor information to detect

the existence of neighboring APs. Passive neighbor probing is implemented
to detect interference information from authorized APs, rogue APs, and
non-Wi-Fi devices.
• An AP collects neighbor information, such as neighbor relationships, loads, and
interference, and uses such information as the input data of radio calibration
algorithms for calibration calculation.
• An authorized AP collects the following information:
▫ Neighbor relationship information: In active probing mode, an AP sends

Probe Request frames destined for the multicast IP address
01:25:9e:ee:ee:ee with the maximum transmit power in polling mode on
different channels (such as channels 1, 6, and 11). In passive probing mode,
an AP receives Probe Request frames on different channels to detect
neighboring APs.
▫ Neighbor interference information: Authorized APs may not transmit radio

signals at the maximum power. Therefore, the interference between APs is
not always large. The actual interference of authorized APs needs to be
collected. An AP collects Beacon, Data, Probe Request, and Probe Response
frames on different channels in polling mode, and then calculates the
interference strength based on the RSSI values carried in the frames.
▫ Neighbor load information: Load information about authorized APs is

proactively reported by themselves. The uplink and downlink throughput of
authorized APs is calculated based on their loads.
• Only neighbor relationships of authorized APs whose signal strength is greater
than –85 dBm and the rogue APs whose signal strength is greater than –80 dBm
are reported.
• Neighbor relationships between APs can be abstracted as nodes and lines:
▫ Nodes refer to authorized APs, non-Wi-Fi devices, and rogue APs.
▫ Lines refer to neighbor information about nodes, including the interference

strength between the nodes as well as auxiliary attributes such as the node
loads. In addition, a line is directional. For example, a non-Wi-Fi device can
cause interference to an AP.
• The DCA algorithm pre-selects a channel combination for a calibration group,
and compares the interference of APs using this channel combination and using
the original channel combination. If the interference of APs using this channel
combination is smaller, this channel combination is selected. Otherwise, the
original channel combination is retained. Then, the DCA algorithm calculates the
interference of APs using the next channel combination, and performs
comparison again. Finally, the DCA algorithm selects the channel combination
with the minimum interference for this calibration group.
• After channel calibration is complete, the DCA algorithm marks APs in this
calibration group as calibrated APs and continuously performs channel
calibration for the next calibration group, until the channels of all the APs in the
calibration set are calibrated.
• The minimum and maximum power values that can be adjusted through TPC are
configured to ensure that the adjustable transmit power of AP0 is proper,
minimizing signal interference and meeting radio coverage requirements. If the
adjustable power of AP0 is less than the minimum power value that can be
adjusted through TPC, the power of AP0 is adjusted based on the minimum value.
If the adjustable power of AP0 is greater than the maximum power value that
can be adjusted through TPC, the power of AP0 is adjusted based on the
maximum value. If the adjustable power of AP0 is between the minimum and
maximum power values, the power of AP0 is adjusted based on the calculated
value.
• If the adjustable power of AP0 is greater than the maximum power specified by
local laws and regulations, the power of AP0 is adjusted based on the maximum
power specified by local laws and regulations. Otherwise, the power of AP0 is
adjusted based on the calculated value.
• Both TPC and DCA algorithms are used for automatic radio calibration, but they
are independent of each other. The TPC algorithm determines the coverage
boundary of an AP based on its distances from neighboring APs and then adjusts
the transmit power of the AP. TPC is irrelevant to the DCA result and depends
only on the distance between APs.
• Redundant radio: refers to a radio that still causes interference to surrounding
APs after power adjustment.
• Radio calibration is not applicable to scenarios where APs cannot detect each
other, for example, APs use directional antennas, are far from each other, or
have obstacles between them.
• Radio calibration is not applicable to high-density, WDS/mesh backhaul, rail

transportation, or external directional-antenna scenarios.
• Radios in monitor mode do not participate in calibration.

• To better meet users' access requirements, more and more APs are deployed in
places such as stadiums and restaurants. However, STAs are not evenly
connected to densely-deployed APs in some cases. Since Wi-Fi air interfaces
provide contention-based multi-address access services, more access STAs on the
same radio cause higher contention overheads, lower air interface throughput,
and poorer user experience.
• BTM: BSS Transition Management
• 5G-prior access:
▫ When the number of access STAs on an AP exceeds the start threshold for
5G-prior access, the AP preferentially connects a new STA to the 5 GHz
radio.
▫ When receiving a Probe Request frame from a new STA, the AP parses
information about the frequency bands supported by the STA from the
Probe Request frame. If the STA supports both 2.4 GHz and 5 GHz
frequency bands, the AP suppresses Probe Response frames on the 2.4 GHz
radio and steers STAs to the 5 GHz radio.
• Free selection of the frequency band:
▫ When the number of access STAs on an AP reaches the start threshold for
5G-prior access and the percentage of access STAs on the 5 GHz radio
exceeds the specified percentage threshold, a new STA freely selects a
frequency band.
• Load balancing can be implemented among APs only when the APs are
connected to the same WAC, and all these APs can be discovered by STAs.
• When implementing dynamic load balancing, an AP calculates the load
percentage of each radio in a load balancing group using the formula: Load
percentage of a radio = (Number of access STAs on the radio/Maximum number
of STAs allowed on the radio) x 100%. The WAC then compares load percentage
values of all radios in the load balancing group and obtains the minimum load
percentage value. When a new STA requests to access a radio, the AP calculates
the difference between the radio's load percentage and the minimum load
percentage value, and compares the load difference with the load difference
threshold (configured using a command). If the load difference is smaller than
the threshold, the load is balanced. Otherwise, the load is unbalanced and the
load balancing mechanism is triggered.
• Depending on whether a load balancing group needs to be manually created,
load balancing is classified as either static or dynamic load balancing.
• Static load balancing: APs providing the same services are manually added to a
static load balancing group. APs in the group periodically report information
about associated STAs to the WAC, and the WAC periodically distributes user
traffic among the APs based on the received STA information.
• Static load balancing can be implemented when the following conditions are
met:
▫ The APs have only one radio (2.4 GHz or 5 GHz radio). For APs with
multiple radios, traffic is load balanced among radios of the APs working
on the same frequency band.
▫ Each static load balancing group supports a maximum of 16 APs.

• Dynamic load balancing: Before a STA goes online, it broadcasts Probe Request
frames to scan surrounding APs. The APs that receive the Probe Request frames
all report the STA information to the WAC. The WAC adds these APs to a
dynamic load balancing group and uses a load balancing algorithm to determine
whether to steer the STA to a lightly loaded AP. In static load balancing mode,
each load balancing group supports a limited number of APs. Dynamic load
balancing overcomes this limitation.
• Dynamic load balancing is implemented as follows:
▫ For example, as shown in the figure above, four STAs (STA1 to STA4) are
associated with AP1 and one STA (STA5) is associated with AP2. The start
threshold for load balancing is set to 5. AP1 and AP2 each allow access of
10 STAs at most and the load difference threshold is set to 5%.
▫ According to the load percentage calculation formula, the load percentage

of AP1's radio is 40% (4/10 x 100% = 40%), and the load percentage of
AP2's radio is 10% (1/10 x 100% = 10%). Therefore, the minimum load
percentage is 10%. The difference between the load percentage of AP1's
radio and the minimum load percentage is 30% (40% – 10% = 30%), which
is greater than the load difference threshold (5%). Therefore, the WAC
determines that traffic is not evenly distributed between the two APs, and
starts the load balancing mechanism to steer some STAs from AP1 to AP2.
• Smart antennal:
▫ A smart antenna is an antenna array consisting of multiple antennas.

According to the antenna selection algorithm, specific antenna elements
are selected to transmit and receive signals. Combining different antennas
can form different signal transmission directions, providing STAs at
different locations with optimal antenna combinations to improve received
signal quality and system throughput.
• Spectrum analysis:
▫ The spectrum analysis server analyzes the characteristics of collected radio

signals to identify non-Wi-Fi devices and eliminate the impact of
interference on a WLAN.
• CCA:
▫ The CCA mechanism enables a WLAN chip to determine whether the

channel is idle before transmitting signals to the air interface. If so, the
WLAN chip transmits signals. If not, the WLAN chip waits until the channel
is idle.
• BSS coloring:
▫ When detecting 802.11ax signals, STAs can identify the signals from an
overlapping basic service set (OBSS) based on the BSS color bit or MAC
address, and then determine air interface collisions and perform
interference management according to related information.
• The host maintains a training state machine, delivers training parameters,
processes training data, selects antennas after training, and delivers antenna
configurations. The target receives training parameters from the host, sends
training packets, reports training results, and enables antenna configurations to
take effect.
• In MU-MIMO scenarios, after multiple STAs are paired, the antenna mode in
multi-user (MU) mode is selected based on the antenna mode selected in single-
user (SU) mode.
▫ If the antenna mode selected in MU mode is the same as that in SU mode,

the antenna mode remains unchanged.
▫ If the antenna mode selected in MU mode is different from that in SU

mode, the omnidirectional antenna mode is used.
• A WAC instructs an AP to perform air interface scan.
• The AP periodically performs air interface scanning to obtain original sample

spectrum data. Each piece of sample spectrum data contains a group of
subcarriers, which can be used for interference identification.
• The spectrum analysis module of the AP (functioning as a spectrum analyzer)

computes the sample spectrum data based on a certain algorithm. A common
algorithm is implemented via the following steps: pulse signal extraction, pulse
signal combining, pulse signal clustering, time signature extraction, frequency
feature extraction, period calculation, and duty cycle calculation. After the AP
computes the extracted frequency features, it matches one or more frequency
features against the interference source feature database to identify non-Wi-Fi
devices.
• The AP reports the spectrum data to the spectrum drawing server directly or
through the WAC.
• Spectrum graphs are displayed on the spectrum drawing server.

• The BSS coloring mechanism enables a device to distinguish between the
transmissions on the local and neighboring networks. The transmit power control
(TPC) and dynamic sensitivity control (DSC) functions allow dynamic adjustment
of the transmit power and the signal detection threshold to increase spatial reuse
(SR) efficiency and minimize co-channel interference.
• By enforcing QoS policies on a WLAN, the network administrator can properly
plan and assign network resources based on service characteristics. The WLAN
then provides differentiated access services for applications, meeting customer
requirements and improving network resource usage.
• In the 802.11 protocol, DCF is mandatory and PCF is optional.
• The figure above shows the CSMA/CA working mechanism.
▫ Before sending data to an AP, a STA detects the channel status. When the
channel is idle, the STA sends a data frame after the Distributed Inter-
Frame Space (DIFS) times out and waits for acknowledgment. The data
frame contains its NAV information. After receiving the data frame, other
STAs update their NAV information, indicating that the channel is busy and
that data transmission will be delayed.
▫ The AP receives the data frame, waits until the Short Interframe Space
(SIFS) times out, and sends an ACK frame to the STA. After the ACK frame
transmission is complete, the channel becomes idle. After the DIFS times
out, the STAs use the exponential backoff algorithm to preempt the
channel. The STA of which the backoff counter is first reduced to 0 starts to
send data frames.
• InterFrame Space (IFS): According to the 802.11 protocol, after sending a data
frame, a STA must wait until the IFS times out to send the next data frame. The
IFS length depends on the data frame type. Higher-priority data frames are sent
earlier than lower-priority data frames. There are three IFS types:
▫ Short IFS (SIFS): refers to the time interval between a data frame and its
ACK frame. The SIFS is used for high-priority transmissions, such as
transmissions of ACK and CTS frames.
▫ PCF IFS (PIFS): The PIFS length is the SIFS plus the slot time. PCF-enabled
access points wait for the PIFS to occupy the wireless medium. If a STA
accesses a channel when the slot time starts, other STAs in the BSS detect
that the channel is busy.
▫ DCF IFS (DIFS): The DIFS length is the PIFS plus the slot time. Data and
management frames are transmitted at the DIFS interval.
• ECWmax ≤ Backoff time ≥ ECWmin.
• The transmission duration of data frames is determined by the TXOPLimit.
• WMM defines two ACK policies: normal ACK and no ACK.
▫ Normal ACK: The receiver must return an ACK frame each time it receives a
unicast packet.
▫ No ACK: The receiver does not need to return ACK frames after receiving
packets. This policy is applicable to environments with high communication
quality and little interference.
▫ The ACK policy is only valid to APs.
▫ If the communication quality is poor, the no ACK policy may cause more
packets to be lost. Therefore, it is not recommended.
• User preference (UP): represents the priority of a 802.11 packet. The UP is
contained in the QoS field of the MAC header in a 802.11 packet. The UP ranges
from 0 to 7. WMM defines the mappings between ACs and UPs. There are four
ACs, each of which maps to two UPs. An AP determines the AC of a data packet
based on the UP of the data packet, and then forwards the data packet
according to the AC priority.
• Among the four ACs, a higher-priority AC has a higher chance to occupy the
channel than a lower-priority AC. In this way, differentiated services are provided
for different ACs.
• Generally, voice and video packets in video conferences are AC_VO and AC_VI
packets respectively, and QQ voice and video packets are AC_BE packets.
• In the uplink direction, a STA converts 802.3 packets into 802.11 packets and
sends the packets through a wireless network adapter. After receiving 802.11
packets from the STA, an AP performs priority mapping for the 802.11 packets as
follows:
▫ Maps UPs of the 802.11 packets to DSCP or 802.1p priorities of 802.3

packets.
▫ Map DSCP priorities of the 802.11 packets to DSCP priorities of 802.3

packets.
• In the downlink direction, the WAC forwards 802.3 packets received from the
Internet to the AP directly or through a tunnel. After receiving the 802.3 packets,
the AP maps the DSCP or 802.1p priorities of the 802.3 packets to UPs of 802.11
packets, and then sends the packets to the STA.
• An AP preferentially schedules channel resources for the user that occupies the
channel for the shortest time. In this way, each user is assigned equal time to
occupy the channel, ensuring fairness in channel usage.
• To prevent the first access users from failing to occupy the channel to transmit
data, the AP periodically clears all users' channel occupation time. In this way, all
access users have the same channel occupation weight.
• After WMM is enabled on an AP and STAs, user packets are scheduled based on
their types (service types include VI, VO, BE, and BK). For example, if one user
transmits VI packets and another user transmits VO packets, airtime fair
scheduling is not performed for the two users.
• If multiple users transmit different types of packets, airtime fair scheduling does
not take effect. For example, two users perform packet transmission: one
transmits VI packets and the other transmits VO packets. In this case, airtime fair
scheduling is not performed for the two users.
• The system analyzes service flows passing through a device, and compares the
analysis result with the signature database loaded on the device. By detecting
signatures in data packets, the system can identify applications and then
implement refined QoS policy control for voice and video applications based on
the identification result. This improves communication quality for voice and video
services.
• The configuration in the 5G radio profile wlan-radio5g is similar and is not
described here.
▫ Run the display radio-2g-profile name wlan-radio2g command on the WAC

to check the EDCA parameter settings on APs in the 2G radio profile wlan-
radio2g. The EDCA parameter priorities of AC_VI and AC_VO packets are
higher than those of AC_BE and AC_BK packets. Therefore, voice and video
services can preferentially use wireless channels. The method of verifying
the configuration in the 5G radio profile wlan-radio5g is similar and is not
described here.
▫ Run the display ssid-profile name wlan-net command on the WAC to check
the EDCA parameter settings on STAs in the SSID profile wlan-net. The
EDCA parameter priorities of AC_VI and AC_VO packets are higher than
those of AC_BE and AC_BK packets. Therefore, voice and video services can
preferentially use wireless channels.
▫ Run the display traffic-profile name wlan-traffic command on the WAC to

check the priority mapping configuration in the traffic profile wlan-traffic.
The DSCP priorities of AC_VI and AC_VO packets are higher than those of
AC_BE and AC_BK packets. Therefore, voice and video services will be
preferentially transmitted.
▫ Run the display traffic-profile name wlan-traffic command on the WAC to

check the rate limit configuration in the traffic profile wlan-traffic. The
command output shows that the uplink rate limit of a single STA is 2048
kbit/s (2 Mbit/s) and the total uplink rate limit of all STAs on the VAP is
30720 kbit/s (30 Mbit/s).
• Verification the configuration.
▫ Run the display rrm-profile name wlan-rrm command on the WAC. The
command output shows that airtime fair scheduling has been enabled in
the RRM profile. Therefore, STAs on the network can fairly use network
bandwidth.
▫ Run the display traffic-profile name wlan-traffic command on the WAC.

The command output shows that ACL 3001 has been configured to filter
packets, and the packets with the source IP address 10.23.101.10 and
destination IP address 10.23.101.11 will be denied.
• A WAC identifies VIP users by determining whether they are in a VIP user group.
The priority field is added to the user authorization structure. After users are
added to a VIP user group and the authorization information is delivered to the
VIP user group, users in the VIP user group inherit the priority of the VIP user
group.
• If a non-VIP user attempts to connect to an AP when the number of users

connected to the AP reaches the maximum, the access request is denied.
• If a VIP user attempts to connect to an AP when the number of users connected

to the AP reaches the maximum, the AP disconnects a non-VIP user and connects
the VIP user to the network.
• Identification of VIP users and key applications.
▫ Identification of VIP users.
▪ A WAC identifies a user as a VIP user if the user belongs to a VIP user
group. The priority field is added to the user authorization structure.
After users are added to a VIP user group and the authorization
information is delivered to the VIP user group, users in the VIP user
group inherit the priority of the VIP user group.
▫ Identification of key applications.
▪ With the application identification function, a WAC can identify

various common applications based on the built-in application
signature database. Users can also define new applications based on
application signatures. For example, users can define an application
for traffic destined for a specific IP address and port, and then
configure a policy for preferentially forwarding traffic of this
application, implementing acceleration for this application.
• An FQ buffers data flows with one class of service (CoS) value for a VIP user.
Data flows of each VIP user can be classified into CoS values 1 to 8 according to
the DSCP or 802.1p priority of packets. That is, each VIP user can have eight FQs
(namely, BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7 in ascending order of priority),
which correspond to the eight CoS values. Priorities of key applications can be
increased properly to ensure preferential scheduling of traffic of these
applications. In addition, FQs support traffic shaping to limit the total bandwidth
of each user.
• The SQ of a VIP user consists of eight fixed FQs (namely, BE, AF1, AF2, AF3, AF4,
EF, CS6, and CS7). When FQs are scheduled, the CS7, CS6, and EF queues use the
Priority Queuing (PQ) algorithm, while the AF4, AF3, AF2, AF1, and BE queues
use the Deficit Round Robin (DRR) algorithm. The weight of AF4 and AF3 is 15,
and the weight of AF2, AF1, and BE is 10.
• By using PQ+DRR scheduling, a WAC puts packets of important protocols and

packets of delay-sensitive services into the queues that use the PQ algorithm, and
puts packets of other applications to the queues that the DRR algorithm based
on packet priorities. Packets in the queues are then scheduled based on weight
values in a round robin manner. This ensures that packets of delay-sensitive
services are preferentially scheduled and prevents starvation of packets in low-
priority queues.
• An AP calculates the weights of all TIDs in different packet sending modes (such
as SU, 802.11ac MU, 802.11ax MU, and 802.11ax OFDMA).
• In each packet sending mode, the calculated weights are sorted in descending
order. The AP selects one user (in SU mode) or multiple users (in MU mode) with
the highest weight to generate a user list.
• The AP summarizes the scheduling results generated in each packet sending

mode, selects the packet sending mode used by the user or users with the
highest weight as the effective packet sending mode, and generates the final
scheduling result (a list of users involved in packet sending).
• After the preceding configurations are completed, configure VIP users and
authorization information for the VIP user group on the RADIUS server.
▫ Run the display user-group vip_group command to check configuration

information about the VIP user group. The command output shows that the
priority of the VIP user group vip_group is 1.
▫ Run the display rrm-profile name wlan-rrm command to check

configurations of the RRM profile wlan-rrm. The command output shows
that the access policy for new users is priority-based user replacement when
the number of access users reaches the user CAC threshold based on the
number of users.
▫ Run the display ssid-profile name wlan-net command to check

configurations of the SSID profile wlan-net. The command output shows
that the access policy for new users is priority-based user replacement when
the number of access users on a VAP reaches the maximum.
• Huawei's radio calibration solution is applied to the following scenarios:
▫ A new WLAN is deployed, Routine O&M is performed.
▫ A new AP is added to a WLAN
▫ An AP leaves the WLAN.
▫ Rogue APs cause interference to a WLAN.
▫ Non-Wi-Fi devices cause interference to a WLAN.
• Different applications have differentiated network requirements. The traditional

WLAN is mainly used to transmit data due to its low transmission rate. With the
development of new WLAN technologies, WLANs have been applied to media,
financial, education, and enterprise networks. In addition to data traffic, WLANs
also transmit delay-sensitive multimedia data, such as voice and video data. By
enforcing QoS policies on a WLAN, the network administrator can properly plan
and assign network resources based on service characteristics. The WLAN then
provides differentiated access services for applications, meeting customer
requirements and improving network resource usage.
• Unicast is implemented between a source IP host and a destination IP host. Most
data on the network is transmitted in unicast mode. For example, email sending
and receiving and online banking are all implemented in unicast mode.
▫ In unicast communication, each data packet has a specific destination IP

address. If there are multiple receivers for the same piece of data, the
server needs to send the same number of unicast data packets as the
number of receivers. When there are hundreds or thousands of receivers,
the server needs to consume a lot of resources to create and send same
copies of data, largely compromising the device performance and wasting
link bandwidth. As such, the unicast mode is applicable to networks with a
small number of users, because the network transmission quality cannot be
assured when there are a large number of users.
• Broadcast is implemented between a source IP host and all the other IP hosts on
a network. All hosts can receive data from the source host, regardless of whether
they need the data.
▫ Broadcast data packets are constrained within a broadcast domain. Once a

device sends a broadcast data packet, all devices in the broadcast domain
receive the packet and then have to consume resources to process the
packet. A large number of broadcast packets consume network bandwidth
and device resources. Therefore, the broadcast transmission mode applies
only to a shared network segment, without guaranteeing information
security and paid services.
• IPv4 multicast addresses:
▫ The IPv4 address space is divided into five classes: Class A, B, C, D, and E.
Class D addresses are IPv4 multicast addresses, ranging from 224.0.0.0 to
239.255.255.255. These addresses identify multicast groups and can only be
used as destination addresses of multicast packets but not source addresses.
▫ Source addresses of IPv4 multicast packets are IPv4 unicast addresses,

which can be Class A, Class B or Class C addresses and cannot be Class D or
Class E addresses.
▫ On the network layer, all hosts of a multicast group can identify the same
IPv4 multicast group address. A host can receive multicast packets destined
for a multicast group address once it joins the group.
• The first four bits of an IPv4 multicast address are fixed as 1110, mapping the
leftmost 25 bits of a multicast MAC address. Among the last 28 bits, only 23 bits
are mapped to a MAC address, and the other 5 bits are lost. As a result, 32 IPv4
multicast addresses are mapped to the same MAC address. For example,
multicast IP addresses 224.0.1.1, 224.128.1.1, 225.0.1.1, and 239.128.1.1 are all
mapped to multicast MAC address 01-00-5e-00-01-01. Address conflicts must be
considered in address assignment.
• IETF believes that this will not incur great impact because there is a very low
probability that two or more group addresses in the same LAN are mapped to
the same MAC address.
• A multicast MAC address identifies a group of devices. The rightmost bit of the
first byte in a multicast MAC address is 1, for example, in the MAC address 0100-
5e-00ab.
• A multicast MAC address identifies a group of devices that join the same
multicast group. These devices listen to the data frames whose destination MAC
addresses are the multicast MAC address. Only a unicast MAC address can be
assigned to an Ethernet interface, and a multicast or broadcast MAC address
cannot be assigned to any Ethernet interface. In other words, the two types of
MAC address cannot be used as the source MAC address of a data frame, but can
only be used as the destination MAC address.
• Source: indicates the sender of multicast traffic, such as a multimedia server. A
multicast source does not need to run any multicast protocol, but only needs to
send out multicast data.
• Receiver: also known as a multicast group member, is a device that expects to

receive traffic of a specific multicast group, for example, a PC running the
multimedia live streaming client software.
• Multicast group: is a group of receivers identified by a multicast IP address. Once

a user host (or any other receiver device) joins a multicast group, it becomes a
member of the group and can then identify and receive multicast data packets
destined for the multicast group address.
• Multicast router: is a network device that supports multicast and runs a multicast
protocol. In fact, not only routers but also switches and firewalls (depending on
the device model) support multicast.
• First-hop router: is a router that connects to the multicast source on the

multicast forwarding path and is responsible for forwarding multicast data from
the multicast source.
• Last-hop router: is a router that connects to multicast group members (receivers)

on the multicast forwarding path and is responsible for forwarding multicast
data to these members.
• IGMP is a protocol in the TCP/IP protocol suite that manages IP multicast group
members, and sets up and maintains multicast group memberships between
receivers and their directly connected multicast routers.
• Unicast packet forwarding uses a one-to-one model. In this model, a unicast
router sends an IP packet to its destination, without the need to know the source
address of the packet. Multicast data, on the other hand, is generated by a
multicast source and sent to a group of receivers. A multicast router distributes
packets from the source to the receivers. Then, how does a multicast router know
where to forward multicast data, which receivers need the multicast traffic, what
is the path along which multicast traffic is transmitted? To obtain this
information, a router must run multicast routing protocols.
• Unlike unicast traffic, multicast traffic is sent to a group of receivers. A loop on a

multicast network will cause much more serious impact than a unicast loop.
Therefore, all multicast routers must know the multicast source and forward
multicast packets from the source to the destinations.
• To ensure that data is successfully forwarded from the upstream to downstream

device, each multicast router maintains a multicast routing table.
• A unicast routing protocol determines the shortest (optimal) path to a

destination, without caring about the data source. The multicast routing protocol,
however, must determine the upstream interface (the interface closest to the
source).
• Direct forwarding, with user gateway deployed on the switch.
▫ IP multicast routing and IGMP must be enabled on the switch.
▫ The switch maintains the multicast forwarding table and group

memberships, and forwards received multicast traffic to group members.
• Tunnel forwarding, with user gateway deployed on the WAC.
▫ IP multicast routing and IGMP must be enabled on the WAC.
▫ The WAC maintains the multicast forwarding table and group

memberships, and forwards received multicast traffic to group members.
• In this example, the VAP service deployed on AP2 does not have any multicast
group member. Therefore, after IGMP snooping is enabled on AP2, AP2 does not
forward the traffic received from the switch to its air interface.
• No ACK mechanism is provided for multicast packet transmission on air
interfaces, so packet loss may occur, resulting in artifacts in multicast videos. To
meet the requirements of applications that have high requirements on multicast
stream transmission, such as HD video on demand (VoD), the multicast-to-
unicast conversion function can be enabled.
• Users can configure multicast bandwidth-based CAC or multicast group
membership-based CAC. The two CAC modes are independent of each other and
can be used independently or together.
• Port isolation provides more secure and flexible networking solutions.
• Port isolation can be used together with the proxy ARP function. In some
scenarios, data exchanged between terminals in the same VLAN needs to be
forwarded by the upper-layer device instead of the access switch, so that traffic
management and control policies can be deployed on the upper-layer device. This
transmission mode is called centralized forwarding, in which port isolation is
configured on all downstream Layer 2 devices, so proxy ARP must be configured
on the core switch that functions as the gateway. Typically, intra-VLAN proxy
ARP is used in the centralized forwarding scenario.
• Example for configuring multicast packet suppression in tunnel forwarding mode:
• [WAC] wlan
[WAC-wlan-view] traffic-profile name test
[WAC-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100
//Set the rate limit to 100 pps for multicast packets. If multicast services are
configured, it is recommended that you configure the rate limit based on the
service traffic.
• Zero-configuration networking is widely used in home wireless networks and
enterprise office networks. It allows network devices to automatically obtain IP
addresses, resolve domain names, and discover services, without manual
configuration.
• Bonjour-capable service provider devices (such as Apple TV) advertise their
available services using a multicast address (IPv4 address 224.0.0.251). User
terminals (such as iPhone and iPad) send mDNS request packets with the
destination multicast address 224.0.0.251 to request available services on the
local network. In this way, Bonjour implements service sharing while allowing
terminals to easily access service resources.
• However, the destination multicast address 224.0.0.251 used by mDNS is valid

only within a Layer 2 broadcast domain. That is, packets can be forwarded only
within a VLAN, and cannot be forwarded across VLANs or Layer 3 devices.
• To implement inter-VLAN service discovery, Huawei provides the mDNS gateway
solution, in which an mDNS gateway is deployed on the WAC. Service provider
devices (TV1, TV2, and Printer in the figure) on the same network segment as the
WAC multicast mDNS packets to advertise their services. After receiving the
mDNS packets, the WAC records service information. After receiving an mDNS
request packet for service discovery from a terminal (Pad in the figure), the WAC
searches its service list and replies with available services, implementing inter-
VLAN service discovery.
• In the mDNS gateway solution, the service provider devices must be located on
the same network segment as the WAC working as the mDNS gateway. If the
WAC connects to service provider devices or terminals across network
segments — that is, the switch and WAC are connected over a Layer 3 network,
then mDNS packets in VLAN 10 and VLAN 20 cannot be forwarded by the switch
to the mDNS gateway. Therefore, the mDNS gateway cannot record services
provided in VLAN 10 and VLAN 20. To address this problem, the mDNS relay can
be deployed on the switch to discover services across network segments.
• Service provider devices advertise locally available services to the mDNS gateway,
so that the mDNS gateway can record information about all available services on
the network. In the information, the host name identifies the service provider
device, and the service name identifies the service that a device can provide and
records the service type.
• After a service provider device is powered on, it automatically generates a host
name and sends an mDNS request packet with the destination multicast address
being 224.0.0.251 to check whether the host name is unique on the network.
After receiving the mDNS request packet, the mDNS gateway queries its local
host name list. If the host name is found in the host name list, the host name has
been used by another service provider device, so the mDNS gateway sends a
response packet indicating a host name conflict to the service provider device.
After receiving the packet, the service provider device generates a new host name
and checks whether the host name is unique again. If no response packet is
received from the mDNS gateway within the detection period, the host name is
unique. If the host name conflict persists within the detection period, the service
provider device continues to send an mDNS request packet in the next detection
period.
• The service provider device multicasts an mDNS request packet to advertise its
host name and IP address. After receiving the mDNS request packet, the mDNS
gateway records the host name and IP address of the service provider device.
• A service provider device sends an mDNS request packet with the destination
multicast address being 224.0.0.251 to check whether the service name is unique
on the network. After receiving the mDNS request packet, the mDNS gateway
queries its local service name list. If the service name is found in the service name
list, the service name has been used by another service provider device, so the
mDNS gateway sends a response packet indicating a service name conflict to the
service provider device. After receiving the packet, the service provider device
generates a new service name and checks whether the service name is unique
again. If no response packet is received from the mDNS gateway within the
detection period, the service name is unique.
• In this phase, when an mDNS relay is deployed, the process of sending request
packets to the mDNS gateway is similar to the process in which an mDNS service
provider advertises its mDNS services.
• After the mDNS gateway receives the query request from the terminal, it
searches for the requested service in the online service list and domain name
table, and returns the search result to the mDNS relay.
• The mDNS gateway sends a unicast UDP packet in reply to the terminal's request
packet. In the unicast UDP packet, the source IP address (Src IP) is the gateway IP
address, the destination IP address (Dst IP) is the relay IP address, and the
destination port number (Dest Port) is 5353.
• The mDNS relay has a table recording the mappings between terminal IP
addresses, terminal VLANs, and transaction IDs. After receiving the response
packet from the mDNS gateway, the mDNS relay searches the mapping table for
information about the terminal that sends the corresponding request packet
based on the transaction ID in the response packet, and modifies the response
packet as follows: It changes the destination address (Dest IP) to 224.0.0.251,
source IP address (Src IP) to the relay IP address, transaction ID to 0, and TTL to
255. After modifying the response packet, the mDNS relay multicasts the
response packet to the VLANs to which the terminal and service provider belong,
and then deletes the mapping entries.
• In a VLAN with only mDNS service providers that have started before network
connection, the service providers do not proactively notify the mDNS gateway of
the services that they provide. Instead, the mDNS relay or gateway needs to
periodically detect available services, and update its service list and the host
status of service providers.
• After an mDNS gateway is configured on a network and the clients access the
network, the clients can detect all service provider devices connected to this
mDNS gateway, meaning that the clients and service provider devices cannot be
precisely matched. For example, when a mobile phone accesses a network
through an AP, the mobile phone can discover both the Apple TV connected to
this AP and the Apple TVs connected to the other APs. It is not easy for the
mobile phone to distinguish between these Apple TVs, posing security risks.
• IGMP snooping, multicast-to-unicast conversion, multicast CAC, multicast packet
suppression, etc.
WLAN Security and Defense
Foreword
⚫ WLANs use radio waves instead of network cables to transmit data, and
are therefore easier to deploy. On the other hand, the particularity of radio
waves results in more prominent security issues for WLANs.
⚫ The course briefly describes WLAN security threats and security solutions,
and details WLAN security solutions in terms of the management plane,
control plane, and forwarding plane.
Objectives

 Know common security threats to WLANs.
 Understand Huawei WLAN security architecture.
 Describe Huawei WLAN security policies.
 Perform Huawei WLAN security configurations.
Contents
1. Overview of WLAN Security Threats and Security Solutions
2. WLAN Management Plane Security
3. WLAN Control Plane Security
4. WLAN Forwarding Plane Security
5. WLAN Network Security Configuration Example
WLAN Security Objectives
Prevent information theft: Prevent unauthorized access:

• Information interception by attackers • Access from unauthorized users
using snooping software • Resource access without permission
• Communication content reversely
decrypted
Provide stable, efficient wireless access:

• Unstable signals due to interference by rogue APs
• Unavailable WLAN caused by DoS attacks
Common WLAN Security Threats
Scanning An unauthorized user uses a tool to scan open SSIDs, obtains

attack free Internet access permission, and attacks the target network.
An unauthorized user captures data packets sent to the target system

WEP attack
for analysis and key cracking.
Security MAC address An unauthorized user uses a tool to capture data packets, obtains
spoofing
threats a valid MAC address, and launches MAC address spoofing attacks.
A rogue AP emits the signal of the SSID that a user frequently

Rogue device
associates with. After the user associates with this SSID, data is
intrusion
intercepted.
An attacker sends a large number of packets of the same type to

DDoS
a WLAN within a short period of time. As a result, WLAN devices
attack
cannot process data of authorized users.
WLAN Network Architecture and Security Solution (1)
1. Content: Focus on the security of applications and service data of management
plane security
Management
users, that is, the security of management information.
2. Threats: Unauthorized access and abuse of system functions for unauthorized

WAC Aggregation switch operations.
3. Mitigation measures: AAA, HWTACACS user management, SSH, SNMPv3, and

HTTPS.
Control plane
1. Content: Focus on the security of various protocols running on devices.
security
2. Threats: CPU overload caused by ARP, ICMP, TCP, UDP, or flooding.
3. Mitigation measures: WPA/WPA2/WPA3, WIDS, WIPS, URL filtering, intrusion

detection, and antivirus.
plane security
1. Content: focus on data security on forwarding paths to prevent attacks from
Forwarding spreading on the network.
2. Threats: DoS/DDoS attacks and ARP/IP spoofing attack.

Forwarding plane Management plane Control plane
3. Mitigation measures: Traffic suppression, anti-MAC address flapping, port
isolation, CAPWAP data tunnel encryption, Navi AC, and IPSec VPN.
• By referring to the security architecture defined in ITU-T X.805, Huawei divides

the network into the management plane, control plane, and forwarding plane
and divides each plane into the device layer, network layer, and application layer.
Based on this, Huawei provides a plane-based, layered network security
architecture model to guide a wide range of solutions to analyze network
security threats and develop security policies and schemes.
▫ Management plane: This plane focuses on the security of application and

service data for management users, that is, security of operation,
maintenance, and management information.
▫ Control plane: WLAN devices must run various protocols to transmit service
traffic. The services must be protected against attacks or spoofing.
▫ Forwarding plane: WLAN devices use the destination MAC and IP addresses
of packets to search for routes for forwarding the packets. Security
measures must be taken in the forwarding routes to prevent attacks on
WLAN devices and spreading of attack traffic over the IP network.
• By isolating the control, management, and forwarding planes, WLAN devices can
ensure that attacks on any of the planes do not affect other planes.
Contents
Security Protection Capabilities of the WLAN
Management Plane
⚫ To ensure proper running of operating systems and management applications,
the management plane provides the following security protection capabilities:
 WLAN device login security
 AAA user management security
 SNMP device management security
 Prohibition of insecure management protocols from accessing the service plane
 Information center security
 AP management security - CAPWAP control tunnel encryption
WLAN Device Login Security
Login through the console port
• Configure a highly complex login password.
WAC Login through SSH
• Configure password authentication or RSA authentication.

• Change the port number to a non-well-known port number.
• Use an ACL to control the client IP addresses that are
allowed to log in.
Attacker
AP AP
Login through the web system
• Deploy AAA authentication.

• Change the port number to a non-well-known port number.
• Use an ACL to control the client IP addresses that are
allowed to log in.
• Use HTTPS for login.
• Login through SSH.

• Attack behavior.
▫ Brute-force attack: An attacker attempts to access a WLAN device after
obtaining the SSH port number. When the device asks for authentication,
the attacker may crack the password to pass authentication and obtain the
access right.
▫ DoS attack: An SSH server supports only a limited number of users. When
the number of login users reaches the upper limit, new users cannot access
the server. This situation may occur when the server is attacked.
• Security policy.
▫ To defend against the preceding attacks, configure the following security
policies on a WLAN device:
▫ Password authentication and public-key authentication: The SSH server
supports password authentication and public-key authentication. Only
authenticated users can log in to a WLAN device and enter the CLI.
▫ Disabling the service: When the SSH server is enabled, the socket service is
enabled on the device. In this case, the device is prone to scanning by
attackers. Therefore, disable the SSH server if it is not needed.
▫ Changing the port number: By default, the SSH server uses port 22, which is
a well-known port and prone to scanning and attacks. This port number
can be changed to a private one to reduce the probability of being scanned
or attacked.
▫ ACL: In the VTY user interface view, you can configure ACL rules for each
VTY channel to control the client IP addresses that are allowed to log in.
• Login through the web system.
• Attack behavior.
▫ DoS attack: A web server supports only a limited number of users. When
the number of login users reaches the upper limit, new users cannot access
the server. This situation may occur when the server is attacked.
▫ Slow connection attack: Content-Length with a large value is defined in the
HTTP packet header, which is the length of the packet's content. After
committing the header, an attacker does not send the packet body. After
receiving Content-Length, the web server waits for the rest content. Then
the attacker remains the connection and sends a large number of packets
by transmitting one byte every 10 to 100 seconds to exhaust resources.
Once the web server is attacked, users may encounter various problems,
such as slow login, logout, frequent disconnection, and login failures.
• To defend against the preceding attacks, configure the following security policies
on a WLAN device:
▫ AAA authentication: The web server supports AAA authentication. Only
authenticated users can log in to a WLAN device and enter the CLI. Users
are required to enter the user name, password, and randomly generated
verification code for login, reducing the password cracking possibility.
▫ Disabling the service: When the web server is enabled, the socket service is
enabled on the WLAN device.
▫ Changing the port number: By default, the web server uses port 80, which is
a well-known port and prone to scanning and attacks. Configure the web
server to use a private port to reduce the scanning and attack possibility.
▫ ACL: In the system view, configure an ACL for the web server to limit the
source IP addresses that can be used for login.
▫ HTTP over SSL: provides secure transfer to protect transmitted data against
theft. Because HTTP has security risks, WLAN devices from V200R005 allow
for web system login using HTTPS.
AAA User Management Security
Campus
network Attack behavior
An attacker attempts to obtain system administrators' login
WAC
access rights by traversing key information, such as user names
and passwords.
Security policy
To defend against common user name and password attacks

and cracking attempts, limit the number of authentication
failures and set the re-authentication interval to prevent login
Online STA Attacker of unauthorized users.
• Enable local account locking. Set the authentication retry interval to 6 minutes,
maximum number of consecutive incorrect password attempts to 4, and account
locking period to 6 minutes.
• [HUAWEI-aaa] local-aaa-user wrong-password retry-interval 6 retry-time 4

block-time 6 // By default, local account locking is enabled, the retry interval is 5
minutes, the maximum number of consecutive incorrect password attempts is 3,
and the account locking period is 5 minutes.
• Then users who fail in authentication for the maximum number of times will be
blocked for a period, decreasing the attempt success rate and hardening WLAN
device security.
SNMP Device Management Security
Attacker Attack behavior
• An attacker obtains the rights of authorized users by modifying the source IP

addresses of sent packets to perform unauthorized management operations.
• An attacker listens on the communication between the NMS and SNMP agents to
WAC obtain information, such as user names, passwords, and community names,
therefore gaining unauthorized rights.
SNMP server
• An attacker intercepts and then reorders, delays, or retransmits SNMP messages
to affect normal operations, until obtaining unauthorized access rights.
Security policy
• SNMP has three versions: SNMPv1, SNMPv2c, and SNMPv3.

• SNMPv1 and SNMPv2c have low security, and support ACL and view-based access
Online STA control model (VACM).

• SNMPv3 supports MD5/SHA authentication as well as DES and AES encryption
algorithms.
• SNMP is a protocol used to manage network devices and has three versions:
SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1 and SNMPv2c have low security, and support ACL and view-based
access control model (VACM). Associate an ACL and a MIB view with a
community name to limit the NMSs and nodes that can access a WLAN device,
enhancing system security to some extent.
• SNMPv3 supports the User-based Security Model (USM), Message Digest 5
(MD5) and Secure Hash Algorithm (SHA) authentication, and Data Encryption
Standard (DES) and Advanced Encryption Standard (AES) algorithms. By
authenticating and encrypting communication data, SNMPv3 resolves security
issues, such as message forgery, tampering, and leakage.
▫ MD5 and DES are weak-encryption algorithms. From V200R019C00, MD5

and DES are supported only when a weak-encryption-algorithm plug-in is
installed.
• For the sake of security, you are advised to configure an SNMPv3 user requiring
authentication and encryption, use the SNMPv3 authentication and encryption
mode to manage WLAN devices, and associate an ACL and a MIB view with the
user to limit the user's access rights.
Prohibition of Insecure Management Protocols from
Accessing the Service plane
Security policy
Service interface
WAC
• Service interfaces on WLAN devices support management
Management
Ethernet port protocols by default, and management protocols allow for
login to the WLAN devices through a dedicated management
Mgmt
network Ethernet port. If the customer network has planned a
management plane that manages devices only through the
management Ethernet port, you can prohibit device login using
management protocols over service interfaces.
Online STA Attacker
• To prohibit service plane access using management protocols for a WLAN device
with a dedicated management Ethernet port, run the deny command in the
attack defense policy view to set the action on Telnet, SSH, HTTP, SNMP, FTP,
and ping (ICMP) packets sent to the CPU to discard.
▫ <HUAWEI> system-view
▫ [HUAWEI] cpu-defend policy 1

▫ [HUAWEI-cpu-defend-policy-1] deny packet-type telnet-client wired
▫ [HUAWEI-cpu-defend-policy-1] deny packet-type ssh-client wired

▫ [HUAWEI-cpu-defend-policy-1] deny packet-type http-client wired
▫ [HUAWEI-cpu-defend-policy-1] deny packet-type snmp wired

▫ [HUAWEI-cpu-defend-policy-1] deny packet-type ftp-client wired
▫ [HUAWEI-cpu-defend-policy-1] deny packet-type icmp wired

▫ [HUAWEI-cpu-defend-policy-1] quit
▫ [HUAWEI] cpu-defend-policy 1
Information Center Security
Attack behavior
Attacker • To query information generated on a remotely deployed

WLAN device, a user can configure the WLAN device to
export configuration information to a log server, so that the
user can view device information on the log host. Hackers
WAC can intercept log transmission packets on the network to
Log server obtain user information.
Security policy
• Run the info-center loghost command to configure the

device to export configuration information to a log host.
• To improve log transmission security, specify the ssl-policy
policy-name parameter in the info-center loghost
Online STA
command to configure TCP-based SSL encryption.
AP Management Security - CAPWAP Control Tunnel
Encryption
Security risk
CAPWAP tunnel • In non-DTLS mode, data is transmitted between an AP

WAC
and WAC in plaintext, which has security risks on
untrusted networks.
Security policy
• When an AP establishes a CAPWAP tunnel with a WAC,

you can configure DTLS encryption for CAPWAP control
tunnels to ensure integrity and privacy of management
packets. Currently, devices can encrypt management
packets only using the pre-shared key.
• Enable DTLS encryption for CAPWAP control tunnels and set the pre-shared key
for DTLS encryption to huawei@123.
▫ <HUAWEI> system-view
▫ [HUAWEI] capwap dtls psk huawei@123

▫ [HUAWEI] capwap dtls control-link encrypt
Common Configurations for Security Protection on the
WLAN Management Plane (1)
⚫ WLAN device login security: Change the BootROM password.
Press CTRL+B to enter BIOS menu: 1
Password:
Info: You are advised to change the password to ensure security. BIOS Menu (Version: 072)
1. Boot with default mode
2. Enter serial submenu
3. Enter startup submenu
4. Enter ethernet submenu
5. Enter file system submenu
6. Modify BOOTROM password
7. Clear password for console user
8. Config HigMem to Flash Flag
9. Reboot (Press CTRL+E to enter Diag menu)
Enter your choice(1-9): 6 //Change the password.
Confirm old password : //Enter the old password.
Please enter new password : //Enter a new password.
Please confirm new password : //Enter the new password again.
The password is changed successfully.
WLAN device login security: login through SSH WLAN device login security: login through the web system
[WAC] stelnet server enable [WAC] http server enable
[WAC] ssh server port 55535 //Change the port number to a [WAC] http server port 55536 //Change the port number to a non-
non-well-known port number. well-known port number.
[WAC] acl 2000 [WAC] acl 2000
[WACI-acl-basic-2000] rule permit source 10.1.1.1 0 [WAC-acl-basic-2000] rule 5 permit source 10.10.10.1 0
[WAC] user-interface vty 14 //Configure an ACL to allow only the device with the source IP
[WAC-ui-vty14] acl 2000 inbound address of 10.10.10.1 to log in to the WLAN device through HTTP.
//Configure an ACL to allow only users with the source IP address of [WAC] http acl 2000
10.1.1.1 to log in to the WLAN device. //Configure the HTTP service to reference the ACL.
//To prevent users with an IP address or on an IP address segment
from logging in to a WLAN device, use the inbound parameter. To
prevent a logged-in user from logging in to other WLAN devices, use
the outbound parameter.
AAA user management: Configure the maximum number of consecutive authentication failures and the
authentication retry interval.
[WAC] aaa
[WAC-aaa] local-aaa-user wrong-password retry-interval 6 retry-time 4 block-time 6
//By default, the local account locking function is enabled, the authentication retry interval is 5 minutes, the maximum numb er of
consecutive authentication failures is 3, and the account locking period is 5 minutes.
Configure a WLAN device to send information to a log host with the IPv4 address of 192.168.2.2. Configure
the device to transmit information in TCP mode and encrypt packets using the SSL policy named huawei123.
[WAC] ssl policy huawei123 type client
[WAC-ssl-policy-huawei123] quit
[WAC] info-center loghost 192.168.2.2 transport tcp ssl-policy huawei123
Enable DTLS encryption for CAPWAP control tunnels and set the pre-shared key for DTLS encryption to huawei@123.
[WAC] capwap dtls psk huawei@123
[WAC] capwap dtls control-link encrypt
Contents
WLAN Control Plane Security
⚫ Huawei WLAN provides the following protection measures to protect the air
interface against various security threats:
 Wireless user access security
 WIDS/WIPS
 URL filtering
 Intrusion detection
 Antivirus
• Attacks on the control plane are diversified, and so are protection measures. In
addition to the protection measures listed on this slide, there are also local attack
defense, attack defense based on service and management isolation, device
attack defense, ARP spoofing attack defense, ARP flood attack defense, bogus
DHCP server defense, DHCP flood attack defense, routing protocol security, and
multicast security. This course focuses only on major control plane security
technologies.
Wireless User Access Security: WPA/WPA2
• For some small and medium-sized WLANs, deploying a dedicated authentication server is costly and
difficult to maintain.
• WPA/WPA2 provides a simplified mode, that is, WPA/WPA2 pre-shared key (WPA/WPA2-PSK) mode.
• No dedicated authentication server is required. Only a pre-shared key needs to be set on each WLAN
node (such as the WLAN server, wireless router, and network adapter). A client can access the
WPA/WPA2
WLAN if its pre-shared key is the same as that configured on the WLAN device.
Personal
• The pre-shared key is not used for encryption; therefore, it will not bring security risks like the WEP
shared key authentication.
WPA/WPA2
• The WPA/WPA2-802.1X access authentication mode is used.
WPA/WPA2 • The RADIUS server and Extensible Authentication Protocol (EAP) are used for authentication.
Enterprise • Users provide authentication information, including the user name and password, and are
authenticated by an authentication server (generally a RADIUS server).
• Large-scale enterprise networks usually use the WPA/WPA2-Enterprise edition.
• WEP shared key authentication uses the Rivest Cipher 4 (RC4) symmetric stream
cipher to encrypt data. Therefore, the same static key must be preconfigured on
the server and clients. Both the encryption mechanism and algorithm, however,
are prone to security threats. The Wi-Fi Alliance developed WPA to overcome
WEP defects. In addition to the RC4 algorithm, WPA defines the Temporal Key
Integrity Protocol (TKIP) encryption algorithm on the basis of WEP, uses the
802.1X identity authentication framework, and supports Extensible Authentication
Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-
Transport Layer Security (EAP-TLS) authentication. Subsequent to WPA, IEEE
802.11i defined WPA2, which uses a more secure encryption algorithm: Counter
Mode with CBC-MAC Protocol (CCMP).
• Both WPA and WPA2 support 802.1X access authentication and the TKIP or
CCMP encryption algorithm, giving better compatibility. With almost the same
security level, they mainly differ in the protocol packet format.
• The WPA/WPA2 security policy involves four phases: link authentication, access
authentication, key negotiation, and data encryption. Two authentication
methods are available: WPA/WPA2-PSK authentication and WPA/WPA2-802.1X
authentication.
• Two authentication methods are available: WPA/WPA2-PSK authentication and
WPA/WPA2-802.1X authentication.
▫ WPA/WPA2-PSK authentication: Both WPA and WPA2 support PSK
authentication and the TKIP or AES encryption algorithm. They have almost
the same security level and mainly differ in the protocol packet format.
WPA/WPA2-PSK authentication applies to individual, home, and Small
Office and Home Office (SOHO) networks that do not require high security.
No authentication server is required. If STAs support only WEP encryption,
PSK+TKIP can be implemented without a hardware upgrade, whereas
PSK+AES may require a hardware upgrade.
▫ WPA/WPA2-802.1X authentication: Both WPA and WPA2 support 802.1X
authentication and the TKIP or AES encryption algorithm. They have almost
the same security level and mainly differ in the protocol packet format.
WPA/WPA2-802.1X authentication applies to networks that require high
security, such as enterprise networks. An independent authentication server
is required. If STAs support only WEP encryption, 802.1X+TKIP can be
implemented without a hardware upgrade, whereas 802.1X+AES may
require a hardware upgrade.
• STAs vary and support different authentication and encryption modes. To enable
various types of STAs to access the network and facilitate management,
configure both WPA and WPA2. If the security policy is WPA-WPA2, STAs
supporting WPA or WPA2 can be authenticated. If the encryption mode is TKIP-
AES, any STAs supporting TKIP or AES can encrypt service packets.
WPA/WPA2 Key Overview
⚫ 802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The
pairwise key hierarchy protects unicast data exchanged between STAs and APs. The
group key hierarchy protects broadcast or multicast data exchanged between STAs and
APs.
⚫ During key negotiation, a pairwise transient key (PTK) and a group temporal key (GTK)
are generated based on the pairwise master key (PMK) generated in access
authentication.
 PMK: a pre-shared key configured for generating a PTK. It is not used for data encryption or
decryption.
 PTK: encrypts unicast packets.
 GTK: encrypts multicast and broadcast packets.
WPA/WPA2 Key Negotiation
STA AP WAC
SSID
HASH PMK Link authentication and

(PSK) association
WPA/
WPA2
key 5. The AP sends ANonce (msg 1).
STA's MAC
address PTK
6. The STA sends Snonce+ EAPoL-KEY MIC (msg 2).
Data generation
Encryption
AES/TKIP 7. The AP checks whether the MIC of msg 2 is correct. If the MIC
AP's BSSID HASH Data is correct, the AP instructs the STA to install the PTK.
PTK PTK
installation 8. The STA responds to the PTK installation request.
ANonce 9. The WAC delivers the key to

the AP and instructs the AP
10. The AP sends a group key to update the group key and
update message. enable the authorized port.
SNonce 11. The STA sends a group key
update success message.
WLAN Security Encryption
⚫ After a WLAN user is authenticated and authorized to access a WLAN, the WLAN must use a mechanism to
protect data of the user from tampering and eavesdropping. Encryption is the most commonly used
mechanism, which ensures that only devices with correct keys can decrypt received packets.
⚫ WLAN encryption mode:

Temporal Key Integrity Protocol (TKIP)

Counter Mode with CBC-MAC Protocol (CCMP)
⚫ WPA uses the TKIP encryption algorithm, provides the key reset mechanism, and increases the valid key
length, which greatly compensates for the weakness of WEP.
⚫ WPA2 uses the CCMP encryption mechanism, which uses the Advanced Encryption Standard (AES) encryption
algorithm. AES is a symmetric block encryption technology and is more difficult to crack than TKIP.
⚫ Both WPA and WPA2 can use the TKIP or AES encryption algorithm, ensuring better compatibility. The two
protocols provide almost the same security level.
• As wireless networks use open transmission media, data will face greater risks if
no encryption mechanism is used on transmission links. Anyone who has an
appropriate tool can intercept unprotected data transmitted on open
transmission media.
• Major objectives of communication security are confidentiality, integrity, and
authentication. When data is transmitted on a network, data protection protocols
must help network administrators achieve these objectives.
▫ Confidentiality means that data will not be intercepted by unauthorized

parties.
▫ Integrity means that data is not tampered with during transmission.
▫ Authentication is the basis for all security policies. Data validity partially
depends on reliability of the data source, so the data receiver must verify
correctness of the data source. A system must protect data through
authentication. Authorization and access control are both based on data
authenticity. Before allowing a user to access any data, the system must
verify the user's identity.
• Authentication is implemented using the network access control technology. The

purpose of WLAN security encryption is to ensure data confidentiality and
integrity.
Application Scenarios and Security Comparison of
Security Policies
Link Access Encryption Recommended
Security Policy Remarks
Authentication Authentication Algorithm Application Scenario
Open system No Networks with low security Wireless devices can connect to a
Open N/A
authentication encryption requirements network without authentication.
It does not provide It is not secure to use open system
access authentication independently. Any
No Public places with high user
authentication, but STAs can access the network without
Open system encryption mobility, such as airports,
WEP-open works with Portal authentication. You are advised to
authentication stations, business centers,
authentication or or RC4 configure open system authentication
and conference venues
MAC address together with Portal authentication or
authentication. MAC address authentication.
Shared key Networks with low security This security policy is not
WEP-shared-key N/A RC4
authentication requirements recommended due to its low security.
This security policy has higher security
Home users or small and
Open system than WEP-shared-key authentication.
WPA/WPA2-PSK PSK authentication TKIP or AES medium-sized enterprise
authentication Additionally, no third-party server is
networks
required and the cost is low.
Large-scale enterprise The security is high, but a third-party
WPA/WPA2- Open system 802.1X
TKIP or AES networks with high security server is required, resulting in high
802.1X authentication authentication
requirements costs.
Wireless User Access Security: WPA3
Open: no encryption WEP: weak encryption WPA: strong encryption WPA2: strong encryption WPA3: strongest encryption
• Introduced in 1999 • Introduced in 2003 • Introduced in 2004 • Currently the most secure
• Cracked in 2001 • Replaced by WPA2 in 2004 • Cracked in October 2017 • Meeting high security
requirements
AS-IS To-Be (WPA3)

Encryption algorithm
Opportunity Wireless Encryption (OWE)
No encryption for data on networks added
with open SSIDs • The encryption key is automatically negotiated when
Easy to intercept a terminal connects to an open SSID.
• Advantage: Data on networks with open SSIDs is
Improved algorithm also encrypted.
Personal WPA2-PSK encryption cracked
Simultaneous Authentication of Equals (SAE)
• More secure key exchange mode
WPA2-Enterprise, with the key length Improved algorithm and
• Advantage: Even if attackers obtain intermediate
being 128 bits increased key length
Fails to meet security requirements of keys, they cannot decrypt data.
governments and banks. 192-bit enterprise encryption key algorithm
• Meets high security requirements.
• Compared with WPA and WPA2, WPA3 has the following improvements:
▫ WPA3 introduces Simultaneous Authentication of Equals (SAE), which is a
more secure handshake protocol. Theoretically, SAE provides forward
secrecy. Even if an attacker knows the password on a network, the attacker
cannot decrypt the obtained traffic. A WPA2 network, however, is
vulnerable to password cracking attacks. That is, an attacker can decrypt
obtained traffic using the password. Therefore, the use of SAE makes WPA3
much more secure than earlier WPA standards.
▫ The algorithm strength is enhanced and Suite B cryptography is supported.
That is, WPA3 supports AES-GCM with a 256-bit key and elliptic curve
cryptography with a 384-bit curve.
• Based on application scenarios and security requirements, there are two WPA3
modes: WPA3-Enterprise and WPA3-Personal, that is, WPA3-802.1X and WPA3-
SAE.
• WPA3-Personal introduces the SAE handshake protocol. Compared with
WPA/WPA2-PSK authentication, WPA3-SAE can effectively defend against offline
dictionary attacks and mitigate brute force cracking posed by weak passwords. In
addition, the SAE handshake protocol provides forward secrecy. Even if an
attacker knows the password on the network, the attacker cannot decrypt the
obtained traffic, greatly improving the security of a WPA3-Personal network.
• WPA3-Enterprise still uses the authentication system of WPA2-Enterprise and
uses the Extensible Authentication Protocol (EAP) for identity authentication.
However, WPA3 enhances the algorithm strength by replacing the original
cryptography suite with the Commercial National Security Algorithm (CNSA)
Suite defined by the Federal Security Service (FSS). The CNSA Suite has a
powerful encryption algorithm and applies to scenarios with extremely high
security requirements.
• WPA3-Enterprise supports Suite B, which uses 192-bit minimum-strength security
and supports Galois Counter Mode Protocol-256 (GCMP-256), Galois Message
Authentication Code-256 (GMAC-256), and SHA-384.
• WPA2 is still widely used. To enable WPA3-incapable STAs to access a WPA3-
enabled network, the Wi-Fi Alliance defines the WPA3 transition mode. That is,
WPA3 and WPA2 can coexist for a period of time in the future. This mode applies
only to WPA3-Personal.
• In V200R019C00, WACs and APs support WPA3 authentication. In V200R019C10,
only WACs support WPA3 authentication.
Wireless User Access Security: STA Blacklist and Whitelist
WAC Security policy
The STA blacklist and whitelist function allows you to specify conditions
for filtering STAs to control their access to a WLAN.
• Whitelist: contains MAC addresses of STAs that are allowed to

AP AP
connect to a WLAN. After the STA whitelist function is enabled, only
whitelisted STAs can connect to the WLAN.
• Blacklist: contains MAC addresses of STAs that are not allowed to

connect to a WLAN. After the STA blacklist function is enabled,
blacklisted STAs cannot connect to the WLAN.
Whitelisted Blacklisted
STA STA
• If the STA whitelist or blacklist function is enabled but the whitelist or blacklist is
empty, all STAs can connect to the WLAN.
• Multiple STA whitelist and blacklist profiles can be configured on a WLAN device
and applied to different virtual access point (VAP) profiles or AP system profiles.
In a VAP profile or an AP system profile, either the STA whitelist profile or STA
blacklist profile takes effect at one time.
Wireless User Access Security: Anti-Brute Force Cracking
Brute force password cracking Password anti-brute force cracking
• Brute force password cracking is a method for cracking passwords. • During user authentication, the AP checks whether the number of
• It is actually an exhaustive method, which determines the range of key negotiation failures within a specified period exceeds the
answers based on the conditions of a question and verifies the threshold. If so, the AP considers that the user is cracking the
answers one by one until an answer meets the conditions of the password and reports an alarm to the WAC.
question. • If the dynamic blacklist function is also enabled, the AP adds the
user's STA to the blacklist and discards all packets from the STA until
the dynamic blacklist entry ages.
The AP detects an excess number of

A hacker password negotiations and reports an alarm.
1 attempts to crack Huawei@321 2
the password.
Huawei@213
Password:
... Huawei@123
Hacker AP WAC
4 The STA is added to the
blacklist and cannot connect 3
to the network even if the
The WAC adds the STA to the blacklist
password is correct.
and delivers the blacklist to the AP.
• Attack behavior:
▫ During a brute force attack, the attacker searches for a password by trying
to use all possible password combinations. This method is also called the
exhaustive attack method. For example, a password that contains only 4
digits may have a maximum of 10,000 combinations. Therefore, the
password can be decrypted after a maximum of 10,000 attempts.
Theoretically, brute force can decrypt any password. Attackers, however, are
always looking for ways to shorten the time required to decrypt passwords.
When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key as the
security policy, attackers can use the brute force method to decrypt the
password.
• Security policy:
▫ Defense against brute-force key cracking can prolong the time needed to
decrypt passwords. An AP checks whether the number of key negotiation
failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key
authentication exceeds the configured threshold. If the threshold is
exceeded, the AP considers that the user is using the brute force method to
decrypt the password and reports an alarm to the WAC. If the dynamic
blacklist function is also enabled, the AP adds the user's STA to the dynamic
blacklist and discards all the packets from the STA until the dynamic
blacklist entry ages.
Wireless User Access Security: Protected Management
Frame (PMF)
⚫
In a spoofing attack, an attacker obtains information about STAs and APs by listening on and spoofs authorized devices. This
attack can be successfully launched since WPA2 encrypts only data frames but not management frames.
⚫ The PMF standard is released by the Wi-Fi Alliance based on IEEE 802.11w. It aims to apply security measures defined in
WPA2 to unicast and multicast management frames to improve network security.
Authorized Authorized AP
STA
Attackers listen to the network traffic

but cannot further cause damage to
the network, as the management
frame information they obtain has
been encrypted and cannot be
decrypted.
Attacking AP
• Attack behavior:
▫ If management frames are not encrypted on a WLAN, security problems
may be generated.
• Security policy:
▫ The PMF standard is released by the Wi-Fi Alliance based on IEEE 802.11w.
It aims to apply security measures defined in WPA2 to unicast and multicast
management action frames to improve network trustworthiness.
▫ Deploying PMF can defend against the following attacks:
▪ Hackers intercept management frames exchanged between APs and

STAs.
▪ Hackers forge APs and send Disassociation and Deauthentication

frames to disconnect STAs.
▪ Hackers forge STAs and send Disassociation frames to APs to

disconnect the STAs.
Management Frame Encryption
Unicast management frame encryption Multicast management frame encryption
⚫ The encryption of unicast management frames is similar to that of • The encryption mechanism of multicast management frames is
unicast data frames, except that unicast management frames similar to that of multicast data frames. Only the data part is
support only the CCMP algorithm. The same PTK as that of data calculated and the message integrity check (MIC) value is added.
frames is used for encryption of unicast management frames. The However, the multicast management frames use the IGTK that is
key generation, negotiation, delivery, and management as well as independent of the GTK. The generation, negotiation, delivery, and
frame encryption and decryption are the same as those for data management mechanisms of the IGTK are the same as those of the
frames. GTK. According to the protocol, the IGTK needs to be updated with
the GTK. The IGTK is delivered with the GTK through a 4-way or 2-
⚫ Because the data part is encrypted, the Protected Frame bit in the
way handshake.
Frame Control field of the MAC frame header is used to indicate the
• The AES-128-CMAC algorithm is used for MIC calculation when
encryption of unicast management frames on the air interface.
multicast management frames are encrypted and decrypted during
transmission and reception. Bits 0 to 127 of the IGTK are used as the
AES-128-CMAC key.
• The data part of multicast management frames is not allowed to be
encrypted.
• The MIME field is added to the encrypted broadcast management
frames for integrity check.
Principles for Receiving and Transmitting Encrypted
Management Frames
⚫ For a STA that does not support PMF, the AP sends and receives unencrypted robust management
frames, and discards encrypted robust management frames. The STA ignores the MMIE field
when receiving encrypted multicast robust management frames.
⚫ For a STA that supports PMF, the AP is not allowed to send or receive robust management frames
(except unencrypted Disassociation and Deauthentication frames) before the PMF negotiation
succeeds (the key is obtained).
⚫ For a STA that supports PMF, after the PMF negotiation succeeds (the key is obtained), the AP
receives and sends encrypted robust management frames, and discards unencrypted robust
management frames.
⚫ The data part in multicast management frames cannot be encrypted, but the MMIE field is added
for integrity protection.
WIDS and WIPS Function Overview
STA AP WAC AAA

WIDS
The Wireless Intrusion Detection System (WIDS) monitors the

Access authentication
running status of networks and systems in accordance with
security policies, analyzes user activities, and determines the type
Link encryption
Policy control
of intrusion events to detect unauthorized networks.
Attack
detection and WIPS
defense
Rogue device The Wireless Intrusion Prevention System (WIPS) monitors

detection and WIDS&WIPS
containment
wireless networks in real time to detect intrusion events and
Rogue device provide active defense against and warning of attacking

behaviors.
WIDS and WIPS: Rogue Device Types
WAC
• Ad-hoc: a temporary wireless network composed of several

devices that are equipped with wireless network adapters.
• Rogue STA: a STA associated with a rogue AP.
• Rogue AP: an AP that is not in the WIDS whitelist and has

AP AP AP
the same SSID as a local AP or has a spoofing SSID.
• Rogue wireless bridge: a wireless bridge that is not in the

WIDS whitelist and has the same SSID as a local wireless
bridge or has a spoofing SSID.
Ad-hoc Rogue STA Rogue AP Rogue wireless bridge
WIDS and WIPS: Wireless Network Device Identification
Management frame identification Data frame encryption
⚫ Identification based on the network type in the frame body of the ⚫

Identification based on the To DS and From DS fields:
802.11 MAC frame:
Management Frame To DS From DS Device Type
Network Type Device Type
Type
Independent basic 0 0 Ad-hoc device
Probe Request, Ad-hoc device
service set (IBSS)
Association Request, and 0 1 AP
Reassociation Request Basic service set (BSS) STA
1 0 STA
Beacon, Probe Response, IBSS Ad-hoc device
Association Response, and 1 1 Wireless bridge
Reassociation Response BSS AP
B0 B1 B2 B3 B4 B7 B8 B9 B10 B11 B12 B13 B14 B15
protoc To From more

type subtype Retry Power More Protect order
ol DS DS Frag Mgmt Data Frame
Bits 2 2 4 1 1 1 1 1 1 1 1
Frame Control field
WIDS and WIPS: Rogue Device Determination
An AP reports information
about surrounding devices
Obtain the device type
AP or wireless bridge STA Ad-hoc device
Is the AP Yes Yes Is the STA

connected to the connected to the
local WAC? local WAC?
No No
Is the AP Is the
Yes No
whitelisted? peer a rogue
AP?
No Yes
Rogue AP or
Neighbor Device Rogue STA Rogue Ad-hoc device
wireless bridge
• The WAC obtains neighbor information entries reported by APs one by one and
performs the following determination by device type:
▫ AP validity: APs can be classified based on the MAC address, SSID, or OUI
whitelist. APs that are not managed by the WAC and cannot be classified
based on the MAC address, SSID, or OUI whitelist are rogue APs.
▫ STA validity: STAs associated with rogue APs are rogue STAs.
▫ Wireless bridge validity: identified in the same way as rogue APs.
▫ Ad-hoc: All Ad-hoc devices are rogue devices.

• Note: If a WAC determines an AP as a rogue AP, it will trigger a rogue AP alarm
and send the alarm to the network management platform through an SNMP
trap. The WAC does not trigger a rogue device alarm for other rogue device
types.
• Device classification by security:
▫ Authorized device: is not managed by the WAC and has no security risks.
▫ Rogue device: is not managed by the WAC and may have security risks.
▫ Interfering device: indicates co-channel AP on the management network.

WIDS and WIPS: Rogue Device Containment
STA AP WAC
1 The containment function is enabled and

the containment mode is specified on the
Configure the
containment mode.
WAC.
Filter devices for

containment from
the rogue device list
Deliver the device list
for containment. The WAC selects rogue devices from the
2
Implement containment wireless device list reported by a monitor AP
based on the rogue and sends the rogue device list to the
device types
monitor AP.
Contain
rogue APs
Contain
rogue STAs
3 The monitor AP implements containment
Contain Ad-
based on the rogue device list delivered by
hoc devices
the WAC.
WIDS and WIPS: Flood Attack Detection and Defense
⚫ Detection and defense mechanism: An AP monitors traffic from each STA. When the traffic rate from a STA
exceeds the configured threshold, the AP considers that the STA is initiating a flood attack and sends an
alarm message to the WAC. If the dynamic blacklist function is enabled, the AP adds the attacking STA to the
dynamic blacklist and discards all packets sent from the STA to protect the WLAN.
An attacker sends a large number of

1 Probe Request frames to the AP.
The AP reports an alarm to the WAC when the
traffic exceeds the threshold.
An authorized STA
sends a request to Malicious 2
the AP, and receives STA
a normal response. 5
Authorized AP 4 WAC
STA 3
The AP discards all packets The WAC adds the attacker to the
sent by the malicious STA. dynamic blacklist and notifies the AP of
the updated blacklist.
• Attack information reported by an AP includes the attacking device's MAC

address, channel, attack type, and received signal strength indicator (RSSI).
• attack detection enable flood
• attack detection flood intvalue timesvalue: specifies the interval for detecting
flood attacks and the number of packets of the same type received by the AP
within the interval.
• An AP can detect flood attacks of the following frames:
▫ Authentication Request.
▫ Deauthentication.
▫ Association Request.
▫ Disassociation.
▫ Probe Request.
▫ Action.
▫ EAPOL Start.
▫ EAPOL-Logoff.
▫ PS-Poll.
▫ 802.11 Null.
WIDS and WIPS: Spoofing Attack Detection and Defense
The STA is disconnected from the Spoofing packet types

network and cannot access the network.
3 • Broadcast Disassociation frame
• Broadcast Deauthentication frame
Authorized Authorized
STA AP Detection and defense mechanism
• After an AP receives a broadcast Disassociation frame

2 or broadcast Deauthentication frame, it checks whether
1 An attacker listens
The attacker sends
to the network to the source MAC address of the frame is its own MAC
a Deauthentication Attacking
frame to the STA. obtain information. address. If so, the WLAN is undergoing a spoofing
AP
attack of Disassociation or Deauthentication frames.
The AP then sends an alarm to the WAC.
• Command: attack detection enable spoof.

WIDS and WIPS: Weak IV Detection and Defense
AP WAC
Detection mechanism
User information
such as the user An AP identifies the IV of each WEP packet. When detecting
name and password The AP detects
WEP packets a packet carrying a weak IV, the AP sends an alarm to the
carrying a weak IV.
WAC, to alert the user that other security policies should be
Report an alarm.
Listening and used to prevent STAs from using the weak IV for encryption.
Attacker cracking
• When WEP is used for encryption on a WLAN, a 24-bit IV is generated for each
packet. When a WEP packet is sent, the IV and shared key are used together to
generate a key string. The plaintext is encrypted using the key string to generate
a ciphertext. A weak IV is an IV generated using insecure methods. For example,
repeated IVs are generated frequently or the same IV is generated all the time.
When a STA sends a packet, the IV in the packet header is sent in plaintext.
Therefore, an attacker can easily crack the shared key and access network
resources.
• Weak IV detection identifies the IV of each WEP packet to prevent attackers from
decrypting the shared key. When an AP detects a packet carrying a weak IV, the
AP sends an alarm to the WAC so that users can use other security policies to
prevent STAs from using the weak IV for encryption.
URL Filtering
⚫ With the rapid development of Internet applications and the popularity of computer networks,
acquisition, sharing, and dissemination of information have become more widespread than ever,
which brings unprecedented threats to enterprises.
 Visiting non-work-related websites during working hours reduces work efficiency.
 Visiting illegitimate or malicious websites may expose confidential information or even incur threats such
as worms, viruses, and Trojan horses.
 During times of high network activity leading to intranet congestion, employees may be unable to access
work-related websites (such as the company homepage and search engines), reducing work efficiency.
⚫ When users send HTTP or HTTPS requests for accessing URLs, URL filtering can be used to permit,
generate alarms for, or block the requests. After URL filtering is enabled:
 Users' access requests to legitimate websites are permitted.
 Users' access requests to illegitimate websites are blocked.
• The URL service needs to be deployed on different network devices based on the
forwarding modes of wireless users' service data packets.
▫ Tunnel forwarding: A CAPWAP tunnel is established between a WAC and an
AP to centrally forward user data packets. In this case, the URL service is
deployed on the WAC. Service data packets of wireless users are
encapsulated into CAPWAP packets on the AP and sent to the WAC through
the CAPWAP tunnel between the AP and WAC. The WAC decapsulates the
CAPWAP packets and performs URL filtering on the original service data
packets of wireless users.
▫ Direct forwarding: Service data packets do not need to be forwarded by a
WAC. In this case, the URL service is deployed on an AP. After receiving
service data packets, the AP directly performs URL filtering on the original
data packets.
URL Filtering Mechanism
2. The AP intercepts the HTTP Get

request and detects that the URL
1. A user visits www.example.com. is forbidden. The AP then pushes
The browser sends an HTTP Get the alarm page and disconnects
request. the TCP connection. www.example.com
1 2
Network
www.huawei.com
3
3. A user visits www.huawei.com. The
traffic is permitted, and the user
can access the website normally.
URL Structure
⚫ A URL describes the address of a web page or other resources on the Internet.
⚫ The common format of a URL is protocol://hostname:port/path?query.
 protocol: application protocol, with HTTP being the most common one.

hostname: domain name or IP address of the web server.

:Port: communication port, which is optional. Application protocols have default ports. For example, the default port for
HTTP is 80. If the server uses the default port, you do not need to configure the port number in a URL filtering rule. If the
server uses a non-default port, the port number is mandatory in a URL filtering rule.

path: directory or file path on the web server, which is a character string that can be separated by slashes (/).

?query: transmits parameters to dynamic web pages, which is optional.
protocol hostname path
http://wwwexample.com:8080/news/education.aspx?name=tom&age=20
:port ?query
URL Matching Modes
⚫ The priorities of URL matching modes are as follows:

Exact matching > suffix matching > prefix matching > keyword matching.
Matching
Definition Item Matching Result
Mode
All URLs that start with www.example are matched. For
Prefix Matches all URLs that start with the specified example:
www.example*
matching character string. • www.example.com
• www.example.com/solutions.do
All URLs that end with aspx are matched. For example:
Suffix Matches all URLs that end with the specified • www.example.com/news/solutions.aspx
*aspx
matching character string. • www.example.com/it/price.aspx
• 10.1.1.1/sports/abc.aspx
All URLs that contain sport are matched. For example:
Keyword Matches all URLs that contain the specified character • sports.example.com/news/solutions.aspx
*sport*
matching string. • sports.example.com/it/
• 10.1.1.1/sports/
The following URLs can match the rule:
First matches the URL against the specified character
• www.example.com
string. If the URL does not match the string, removes
• www.example.com/news
Exact the last directory in the URL and matches the www.example.co
• www.example.com/news/en/
matching remaining part against the string. If the URL is still m
The following URLs do not match the rule:
not matched, removes the second last directory and
• www.example.com.cn/news
matches the remaining part against the string.
• www.example.org/news/www.example.com
• The four matching modes apply to the entire URL. By default, only HTTP URLs
are filtered. After the HTTPS proxy or encrypted traffic filtering function is
enabled, HTTPS URLs can be filtered.
• HTTP mode: The system directly extracts the URLs from the HTTP packets and
matches the URLs against the configured URL blacklist and whitelist.
• HTTPS mode: HTTPS is carried over SSL. SSL encrypts the entire content
transmitted through HTTP. Only the SNI, CN, and SAN fields in the SSL protocol
can be identified, from which URLs are extracted for matching against the
configured URL blacklist and whitelist.
URL Filtering Mode
⚫ After URL filtering is configured, the device processes URL information as follows:
⚫ The device matches the URL against the whitelist.
 If the URL matches the whitelist, the device permits the URL access request.
 If the URL does not match the whitelist, the device goes to the next step.
⚫ The device matches the URL against the blacklist.

 If the URL matches the blacklist, the device denies the URL access request.
 If the URL does not match the blacklist, the configured URL filtering function does not take effect, and
packets are processed according to the normal process.
• Blacklist and whitelist.

▫ The device matches the URL in an HTTP request against the blacklist and
whitelist. If the URL matches the whitelist, the device permits the HTTP
request. If the URL matches the blacklist, the device denies the HTTP
request.
▫ When the URL in the network access request matches the whitelist, no
further processing is performed, helping improve the matching efficiency.
• User-defined URL category.
▫ User-defined URL categories are configured and maintained by users. User-

defined URL categories classify URLs with the same characteristics. Users
can configure policies based on services to permit or deny the access to
URLs in each category. Compared with predefined URL categories, user-
defined URLs enable more refined control of users over URLs.
Implementation Mechanism of Intrusion Prevention
⚫ Intrusion prevention is a security mechanism that detects intrusions (including buffer overflow attacks, Trojan
horses, and worms) by analyzing network traffic, and terminates intrusion behavior in real time using certain
response methods, protecting enterprise information systems and network architectures from being attacked.
The intrusion prevention mechanism is as follows:
Application data Protocol identification and
Signature matching Response
reassembly analysis
The WAC reassembles IP The WAC identifies multiple The WAC matches the After the detection, the WAC
fragments and TCP flows to common application-layer extracted characteristics processes the packets that
ensure the continuity of protocols based on the packet against the IPS signatures. match the signature based
application-layer data and content. If a match is found, the on the configured action.
effectively detect attacks After identifying the protocol of WAC responds
that evade intrusion packets, the WAC performs accordingly.
prevention. refined analysis based on the
specific protocol analysis
solution and extracts packet
characteristics.
• Intrusion prevention is a security mechanism that detects intrusions (including

buffer overflow attacks, Trojan horses, and worms) by analyzing network traffic,
and terminates intrusion behavior in real time using certain response methods,
protecting enterprise information systems and network architectures from being
attacked. Intrusion prevention has the following advantages:
▫ Real-time attack block: The WAC is deployed on a network in in-path mode.

When detecting an intrusion, the device blocks the intrusion and network
attack traffic in real time, minimizing impacts of network intrusions.
▫ In-depth protection: New attacks are hidden at the application layer of the
TCP/IP protocol. Intrusion prevention can detect the content of application-
layer packets, reassemble network data flows for protocol analysis and
detection, and determine the traffic that must be blocked based on the
attack type and defense policy.
▫ All-round protection: Intrusion prevention provides protection measures

against attacks such as worms, viruses, Trojan horses, botnets, spyware,
adware, Common Gateway Interface (CGI) attacks, cross-site scripting
attacks, injection attacks, directory traversal attacks, information leakage,
remote file inclusion attacks, overflow attacks, code execution, DoS attacks,
scanning tools, and backdoor attacks. All-round protection comprehensively
helps defend against various attacks and protect network security.
▫ Internal and external protection: Intrusion prevention can protect
enterprises from both external and internal attacks. The intrusion
prevention system (IPS) can detect the traffic passing through and protect
servers and clients.
▫ Continuous update and precise protection: The IPS signature database is
updated continuously to maintain the highest security level. You can
periodically update the IPS signature database of a device from the update
center to ensure effective intrusion prevention.
Intrusion Prevention: Signature
⚫ An IPS signature describes the characteristics of an attack on the network. The WAC detects and
defends against attacks by comparing data flows with IPS signatures.
Predefined signature User-defined signature
• Predefined signatures are those in the IPS signature • User-defined signatures are created by the administrator
database. Predefined signatures cannot be created, based on user-defined rules.
modified, or deleted. • The signature database may not have a signature for a new
• Each predefined signature has a default action, which type of attack. If you understand the attack, you can create a
can be: user-defined signature for it.
 Allow: The device permits the packet matching the • After a user-defined signature is created, the system
signature and does not generate a log. automatically checks its validity to prevent a waste of system

Alert: The device permits the packet matching the resources.
signature and generates a log. • The action for a user-defined signature can be block or alert.

Block: The device discards the packet matching the You can configure a response action when creating a user-
signature, blocks the data flow to which the packet defined signature.
belongs, and generates a log.
• You are advised to configure a user-defined signature for an attack only when
you understand the characteristics of the attack. Incorrect signatures may be
useless, cause packet loss, or interrupt services.
• Signature filter:
▫ After a device has its signature database updated, a large number of
signatures exist on the device, remaining unclassified. The characteristics
contained in some signatures do not exist on the local network and need to
be filtered out. Therefore, a signature filter is configured for signature
management. Administrators can analyze the characteristics of common
threats on their networks and configure a signature filter to filter out
signatures containing the characteristics, preventing potential intrusions.
▫ A signature filter is a set of signatures matching the specified filtering

conditions, including the signature type, object, protocol, severity, and
operating system. Only signatures that match all the filtering conditions can
be added to a signature filter. Multiple values can be configured for a
filtering condition and these values are ORed. That is, a signature matches
a condition as long as the signature matches any value of this condition.
▫ The action of a signature filter can be block, alert, or default. The action of
a signature filter enjoys a higher priority than the default action of a
signature.
▫ Signature filters configured earlier have higher priorities. If two signature
filters in an IPS profile contain the same signature and a packet matches
the signature, the device processes the packet based on the action of the
signature filter with a higher priority.
• Exception signature.
▫ To facilitate management, all signatures in a signature filter have the same
action. The administrator can add a signature as an exception and
configure a different action for it.
▫ The action for an exception signature can be alert or allow.
▫ The action for an exception signature has a higher priority than that for a
signature filter. If a signature matches both an exception signature and a
signature filter, the action for the exception signature prevails.
▫ For example, the actions for a batch of signatures in the signature filter are
block. Then the device blocks R&D software requested by an employee. The
log indicates that the R&D software matches a signature in the signature
filter and is blocked because of false positive. In such cases, the
administrator adds the signature as an exception and sets the action to
allow.
Data Flow Processing in Intrusion Prevention
⚫ If a data flow matches an IPS profile, the device sends the data flow to the IPS module and matches the data flow against the
signatures referenced by the IPS profile in sequence.
Signature IPS profile
A data flow matches a
signature Type: predefined Signature filter 1 Signature filter 2
Protocol: HTTP Protocol: HTTP Protocol: UDP/HTTP
a01
Action: alert
Search for the IPS profile Others: condition A Others: condition A
Others: condition A
corresponding to the Action: default Action: block
signature Type: predefined a01 a03
Protocol: HTTP a02 a04
a02
Action: block
Yes Use the action Others: condition A
Match an exception Exception signature 1 Exception signature 2
configured for the Set the action for
signature Type: predefined Set the action for
exception signature
a02 to alert a04 to alert
Protocol: UDP
No a03 a02 a04
Action: alert
Yes Use the action Others: condition B Actual actions for signatures
Match a signature configured for the
signature filter Type: predefined Signature Action
filter
Protocol: UDP
a04 a01 Alert
No Action: block
Others: condition B a02 Alert
End a03 Block

a04 Alert
• When a data flow matches multiple signatures, the actual action for the data
flow is as follows:
▫ If the actions for all the matched signatures are alert, the action for the
data flow is alert.
▫ If the action for any matched signature is block, the action for the data
flow is block.
• When a data flow matches multiple signature filters, the action for the signature
filter with the highest priority is performed on the data flow.
Antivirus
⚫ The WAC employs the professional Intelligent Awareness Engine (IAE) and constantly updates antivirus
signature database to detect and remove viruses.
Security center platform
Internet
Signature database update
Allow
Signature matching
Yes
Virus file
Application protocol
Virus detection
identification
Yes Virus detected Virus No No Alert

Supported Application
exception?
protocol? exception?
Block
Network traffic No
Yes
No virus detection
Exception action (allow/alert/block)
performed
Virus detection by the IAE Antivirus handling
• A virus is a malicious code that can infect or be attached to applications or files.

Generally, viruses are transmitted through emails or file sharing protocols,
threatening the security of hosts and networks. Viruses perform various types of
harmful activities on infected hosts, such as exhausting host resources, occupying
network bandwidth, controlling host permissions, stealing data, and even
corrupting host hardware.
• Antivirus is a security mechanism that can identify and process virus files to
ensure network security and avoid data corruption, permission change, and
system crash caused by virus files.
Antivirus: Virus Detection by the IAE
The WAC uses the IAE to detect viruses.
Perform in-depth traffic • The IAE performs in-depth traffic analysis and identifies its protocol type and file
analysis. transfer direction.
Check whether virus • The WAC supports virus detection for files transmitted using the following protocols:
detection applies to the  FTP, HTTP, POP3, SMTP, IMAP, NFS, SMB
protocol used for file • The WAC supports virus detection in upload and download directions:
transfer and the file 
Upload: indicates file transfer from a client to a server.
transfer direction.

Download: indicates file transfer from a server to a client.
• The IAE extracts signatures of applicable files and compares the extracted signatures
with virus signatures in the virus signature database.
Detect viruses. 
If a match is found, the file is considered infected and processed according to the
action specified in the profile.
 If no match is found, the file is permitted.
• The virus signature database is created by Huawei based on the analysis of

common virus signatures. This database defines common virus signatures and
assigns a unique virus ID to each signature. After the database is loaded, the
device can identify viruses that match the signatures defined in the database. To
identify the latest viruses in time, the virus signature database on the device
needs to be continuously updated from the update center.
Antivirus Processing (1)
⚫ When the WAC detects that the file transferred is a virus file, it performs the following operations:
1. Checks whether the virus file matches a virus exception.
• If a detected virus is considered as a false positive, you can add the virus ID to the virus exception list.
• If the virus file matches a virus exception, the WAC allows the file transfer.
2. Checks whether the virus file matches an application exception.
• If the virus file does not match any virus exception, the WAC checks whether it matches an
application exception. If it matches an application exception, it is processed according to the action
(allow, alert, or block) for the application exception.
• When configuring the response action, note the following:
 If the action for a protocol is defined but no action is defined for any application, the action for the
protocol applies to all applications that use the protocol.
 If the action for a protocol and the action for an application that uses the protocol are both
defined, the action for the application is used.
Antivirus Processing (2)
3. Takes the action for the protocol and file transfer direction configured in the profile.
• If the virus file does not match any virus exception or application exception, the WAC takes
the action for the protocol and file transfer direction specified in the profile.
• The WAC supports different response actions for files of different protocols in different file
transfer directions.
Protocol Transfer Direction Action Description

HTTP Upload/Download Alert/Block. The default action is block.
FTP Upload/Download Alert/Block. The default action is block.
NFS Upload/Download Alert • Alert: The device permits the virus file and
generates a virus log.
SMB Upload/Download Alert/Block. The default action is block.
• Block: The device blocks the virus file and
SMTP Upload Alert
generates a virus log.
POP3 Download Alert
IMAP Upload/Download Alert
Local Attack Defense
⚫ In addition to numerous normal service packets, CPUs of devices on a network may also receive large
numbers of attack packets. If a CPU is busy processing attack packets for an extended period, other services,
or even the system itself, will experience breakdown. Similarly, if a large number of normal packets are sent
to the CPU, the CPU usage will surge and device performance will deteriorate, adversely affecting services.
⚫ To ensure that the CPU can properly process and respond to normal services, the device provides the local
attack defense function, which has been specifically designed for packets sent to the CPU and is primarily
used to protect the device from attacks and ensure consistency of existing services when an attack occurs.
⚫ Local attack defense includes:

CPU attack defense

Attack source tracing
• CPU attack defense:

▫ CPU attack defense limits the rate of packets sent to the CPU so that only a
limited number of packets are sent to the CPU within a certain period of
time. This ensures that the CPU can properly process services.
▫ Control Plane Committed Access Rate (CPCAR) is the core of CPU attack
defense. CPCAR limits the rate of protocol packets sent to the control plane
to ensure security of the control plane.
• Attack source tracing:
▫ Attack source tracing defends against denial of service (DoS) attacks. A

device enabled with attack source tracing analyzes packets sent to the CPU,
collects statistics on the packets, and allows a user to set a packet rate
threshold for the packets. Packets sent at a threshold-crossing rate are
considered as attack packets. The device finds the source user address or
source interface of the attacker by analyzing the attack packets and
generates logs or alarms to alert a network administrator. The network
administrator then takes measures to defend against the attack or
configure the device to discard packets sent by the attack source.
Local Attack Defense: CPU Attack Defense
⚫ CPU attack defense can rate-limit packets destined for the CPU so that only a limited number of packets are
sent to the CPU within a certain period of time. This ensures that the CPU can properly process services.
Multi-level security mechanism, implementing

CPU packet rate limiting in active link protection
hierarchical protection for devices
• Level 1: rate-limits the packets sent to the CPU based on When detecting SSH, Telnet, SSHv6, Telnetv6, or FTP
the protocol type. session data, the device enables the active link protection
• Level 2: schedules packets sent to the CPU based on the function for the session. If subsequent packets match the
protocol priority. session characteristics, the packets are sent at a high rate,
ensuring the reliability and stability of services related to
• Level 3: uniformly rate-limits all packets sent to the CPU
the session.
and randomly discards the excess packets.
• CPU attack defense can rate-limit packets destined for the CPU so that only a
limited number of packets are sent to the CPU within a certain period of time.
This ensures that the CPU can properly process services. Multi-level security
mechanisms are used to protect the device.
• The device provides hierarchical protection through the following policies:
▫ Level 1: rate-limits the packets sent to the CPU based on the protocol type,
preventing excess packets of a protocol from being sent to the CPU.
▫ Level 2: schedules packets sent to the CPU based on the protocol priority to
ensure that packets with higher protocol priorities are preferentially
processed.
▫ Level 3: uniformly rate-limits all packets sent to the CPU and randomly
discards the excess packets to ensure CPU security.
• CPU packet rate limiting in active link protection: When detecting SSH, Telnet,
SSHv6, Telnetv6, or FTP session data, the device enables the active link protection
function for the session. If subsequent packets match the session characteristics,
the packets are sent at a high rate, ensuring the reliability and stability of
services related to the session.
Local Attack Defense: Attack Source Tracing
⚫ Attack source tracing defends against DoS attacks. A device enabled with attack source tracing analyzes packets sent to the
CPU, collects statistics on the packets, and allows a user to set a packet rate threshold for the packets. Packets sent at a
threshold-crossing rate are considered as attack packets. The device finds the source user address or source interface of the
attacker by analyzing the attack packets and generates logs or alarms to alert a network administrator. The network
administrator then takes measures to defend against the attack or configure the device to discard packets sent by the attack
source.
 Attack source tracing involves four steps: parsing packets, analyzing traffic, identifying an attack source, and sending logs or alarms to the
network administrator or implementing punishment.
 When the attack source is located, the network administrator blocks traffic sent from the attack source by configuring ACLs or blacklists to
protect the CPU.
Attack source tracing
Packet parsing Traffic analysis Attack source Log & alarm

identification Attack punishment
Chip-based forwarding
Service and Management Isolation
⚫ As shown in the figure, devices on the 192.168.10.X network segment are connected to the independent
management interface on the WAC, and devices on the 192.168.20.X network segment are connected to the
service interface GE0/0/1 on the WAC. They can access the WAC properly. If the management interface is not
isolated, the devices on 192.168.20.X can ping devices on 192.168.10.X. As a result, the management interface
address is exposed and vulnerable to attacks.
Service plane and management plane isolation

Management
GE0/0/1 interface
• To improve network security and prevent attacks from
ETH unauthorized users, you can configure interface policies
WAC
App server Web server and routing policies for the management and service
interfaces to isolate them.
192.168.20.X 192.168.10.X
• To prevent STAs from accessing the WAC through
Service Management Telnet and isolate the service plane from the
management plane, configure security protection.
WLAN Control Plane: WPA3 Configuration
# Configure WPA3-SAE authentication and set the user password to huawei@123.

[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa3 sae pass-phrase huawei@123 aes
# Configure the WPA3-802.1X authentication mode.

[HUAWEI] wlan
[HUAWEI-wlan-sec-prof-p1] security wpa3 dot1x gcmp256
# Configure WPA2-WPA3 hybrid authentication and set the user password to huawei@123.
[HUAWEI] wlan
[HUAWEI-wlan-sec-prof-p1] security wpa2-wpa3 psk-sae pass-phrase huawei@123 aes
WLAN Control Plane: WIDS and WIPS Configuration
# Configure an AP group and enable rogue device detection and containment. # Bind the WIDS profile wlan-wids to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1 [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0 [AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-group-radio-ap-group1/0] work-mode normal [AC-wlan-ap-group-ap-group1] quit
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable # Verify the configuration. You can run the display wlan ids
contain ap command to view AP2 that has been contained.
# Configure an AP group and enable rogue device detection and containment. [AC-wlan-view] display wlan ids contain ap
[AC-wlan-ap-group-ap-group1] radio 1 #Rf: Number of monitor radios that have contained the device
[AC-wlan-group-radio-ap-group1/1] work-mode normal CH: Channel number
[AC-wlan-group-radio-ap-group1/1] wids device detect enable ----------------------------------------------------------------------------
-------
[AC-wlan-group-radio-ap-group1/1] wids contain enable MAC address CH Authentication Last detected time #Rf
SSID
----------------------------------------------------------------------------
# Create a WIDS profile named wlan-wids and configure the WAC to contain -------
rogue APs with spoofing SSIDs. 000b-6b8f-**** 11 wpa-wpa2 2014-11-20/16:16:57 1
wlan-net
[AC-wlan-view] wids-profile name wlan-wids ----------------------------------------------------------------------------
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap Total: 1, printed: 1
Contents
WLAN Forwarding Plane Security
⚫ For the security of the WLAN forwarding plane, pay attention to data security on the
forwarding path to prevent attacks from spreading on the network. The following
approaches can be taken:
 Traffic suppression
 ACL
 MAC address anti-flapping
 Port isolation
 CAPWAP data tunnel encryption
 Navi WAC
 IPsec VPN
Traffic Suppression
⚫ Traffic suppression is a security technology used to control broadcast, unknown-unicast, and multicast traffic
(BUM traffic) and prevent broadcast storms caused by such traffic. Traffic suppression limits traffic based on
the configured threshold.
Traffic suppression mechanism
BUM • When a Layer 2 Ethernet interface on a WLAN device receives broadcast, multicast,
or unknown unicast packets, the WLAN device forwards these packets to other
WAC Layer 2 Ethernet interfaces in the same VLAN if the outbound interfaces cannot be
determined based on the destination MAC addresses of these packets. In this case,
a broadcast storm may occur, degrading forwarding performance of the WLAN
device.
• In the inbound direction, the device supports traffic suppression for the three types
AP of packets based on the packet rate.
• The device monitors the rates of the three types of packets and compares them
with the configured thresholds. When the incoming traffic rate exceeds the
configured threshold, the device discards excess traffic.
ACL – IPv4
Applicable
Type Function Description
IP Version
A basic IPv4 ACL is called a basic ACL for
Defines rules based on the source address, fragmentation information,
Basic ACL IPv4 short. The number ranges from 2000 to
and time range of IPv4 packets.
2999.
Defines rules based on the source IP address, destination IP address, IP
An advanced IPv4 ACL is called an
Advanced precedence, ToS value, DSCP value, IP protocol type, ICMP type, TCP
IPv4 advanced ACL for short. The number
ACL source interface/destination interface, and UDP source
ranges from 3000 to 3999.
interface/destination interface of IPv4 packets.
Defines rules based on the information in Ethernet frame headers of
Layer 2
IPv4 packets, such as the source MAC address, destination MAC address, and The number ranges from 4000 to 4999.
ACL
Ethernet frame protocol type.
Defines rules based on the source IP address, source user group,
destination IP addresses, destination user group, destination domain
User ACL IPv4 name, IP precedence, ToS value, DSCP value, IP protocol type, ICMP The number ranges from 6000 to 6999.
type, TCP source interface/destination interface, and UDP source
interface/destination interface of IPv4 packets.
• ACLs accurately identify and control packets on a network to manage network

access behaviors, prevent network attacks, and improve bandwidth utilization. In
this way, ACLs ensure security and QoS.
• An ACL is a collection of one or more rules. A rule refers to a judgment

statement that describes a packet matching condition, which may be a source
address, destination address, or port number. An ACL classifies packets by using
these rules. When the rules are applied to a WLAN device, the device determines
whether packets are permitted or denied in accordance with these rules. For
example, an ACL can be configured to reject all Telnet access to the local server
or allow each STA to send emails to the local server using SMTP.
• Multiple rules can be defined in each ACL. ACLs are classified into the following
types based on their functions: basic ACL, basic ACL6, advanced ACL, advanced
ACL6, Layer 2 ACL, user ACL, and user ACL6.
ACL – IPv6
Applicable
Type Function Description
IP Version
A basic IPv6 ACL is called a basic ACL6 for
Defines rules based on the source IP address, fragmentation information,
Basic ACL6 IPv6 short. The number ranges from 2000 to
and time range of IPv6 packets.
2999.
Defines rules based on the source IP address, destination IP address,
An advanced IPv6 ACL is called an
Advanced protocol over IP, and protocol-specific features such as the TCP source
IPv6 advanced ACL6 for short. The number
ACL6 interface/destination interface, ICMPv6 protocol type, and ICMPv6 code of
ranges from 3000 to 3999.
IPv6 packets.
Defines rules based on the source IP address, destination IP address,
A user IPv6 ACL is called a user ACL6 or
destination domain name, protocol over IP, and protocol-specific features
User ACL6 IPv6 UCL6 for short. The number ranges from
such as the TCP source interface/destination interface, ICMPv6 protocol
6000 to 6999.
type, and ICMPv6 code of IPv6 packets.
MAC Address Anti-flapping
⚫ MAC address flapping occurs on a network when the network encounters a routing loop or
attack.
Incorrect cable connection
MAC address anti-flapping methods
• Increase the MAC address learning priority of an interface.

WAC1 WAC2 • Prevent MAC address flapping between interfaces with the
same priority.
Note that MAC address flapping is usually caused by loops

or attacks on the network. The preceding methods can
prevent MAC address flapping, but cannot eliminate loops
or attacks behind MAC address flapping.
• MAC address flapping occurs on a network when the network encounters a

routing loop or attack. You can use the following methods to prevent MAC
address flapping:
▫ Increase the MAC address learning priority of an interface: MAC address

flapping occurs when a MAC address is learned by two interfaces in the
same VLAN and the MAC address entry learned later overrides the earlier
one. To prevent MAC address flapping, set different MAC address learning
priorities for interfaces. When two interfaces learn the same MAC address
entries, the MAC address entries learned by the interface with a higher
priority override the MAC address entries learned by the other interface.
▫ Prevent MAC address flapping between interfaces with the same priority:
An uplink interface of a WLAN device is connected to a server, and a
downlink interface is connected to a user. To prevent unauthorized users
from using the server MAC address to connect to the WLAN device, you can
configure the device not to allow MAC address flapping between interfaces
with the same priority. A MAC address then will not be learned by multiple
interfaces, and unauthorized users cannot use the MAC addresses of
network devices to interfere with the communication between WLAN
devices and network devices..
Port Isolation
Requirements
• Users in the same VLAN are isolated to secure user communication and prevent invalid
broadcast packets from affecting services.
WAC
• Data exchanged between users in the same VLAN can be centrally forwarded by the upper-
layer device.
Solution
• Use port isolation to isolate ports in the same VLAN.
• Simply add ports to a port isolation group to implement Layer 2 isolation between these
STA 1 STA 2 STA 3
ports.
1.1.1.1/24 1.1.1.2/24 1.1.1.3/24
• There are two port isolation modes: Layer 2 isolation but Layer 3 interworking, and Layer 2
VLAN 10 (office) and Layer 3 isolation.
 To isolate broadcast packets in the same VLAN but allow users connecting to different
Enable port isolation and add the ports to the interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2
same port isolation group.
isolation but Layer 3 interworking.
 To prevent interfaces in the same VLAN from communicating with each other at both
Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.
CAPWAP Data Tunnel Encryption
CAPWAP tunnel WAC
• When the data forwarding mode is tunnel

forwarding, service data packets between an AP
and a WAC are transmitted over a CAPWAP data
tunnel.
Fit AP
• To improve service data security, you can run the
capwap dtls data-link encrypt enable command
to enable DTLS encryption for CAPWAP data
tunnels. This configuration ensures that packets
are encrypted and then transmitted over the
Control tunnel CAPWAP data tunnel.
Fit AP WAC
Data tunnel
• When the data forwarding mode is tunnel forwarding, service data packets
between an AP and a WAC are transmitted over a CAPWAP data tunnel. To
improve service data security, you can run the capwap dtls data-link encrypt
enable command to enable DTLS encryption for CAPWAP data tunnels. This
configuration ensures that packets are encrypted and then transmitted over the
CAPWAP data tunnel.
• DTLS encryption for CAPWAP data tunnels can be configured in both the system
view and AP system profile view. The difference is that the function configured in
the system view takes effect for APs that go online through a WAC and support
this function, while the function configured in the AP system profile view takes
effect for APs configured with the AP system profile. The function in the AP
system profile view takes precedence over that in the system view. When this
function is enabled in both the views, the configuration in the AP system profile
view takes effect.
Navi WAC (1)
Navi WAC solution
Internet
1. During WLAN deployment, a large enterprise needs
DMZ to provide access services for both employees and
Local WAC guests. Guest data brings potential security threats
to the network.
Intranet
application server 2. To isolate guest traffic from employee traffic, the
enterprise diverts guest traffic to the Navi WAC in
Navi WAC General- Guest
the DMZ for centralized management.
purpose guest authentication
server server
1. Local WAC: manages and coordinates APs in a
Intranet
centralized manner, providing functions such as STA
authentication server
access and AP configuration delivery.
2. Navi WAC: provides security, control, and

SSID1: Employee management for STAs, such as identity
SSID2: Guest authentication, authorization, and accounting.
3. CAPWAP tunnel between the local WAC and Navi

Employee's
Guest's
STA CAPWAP tunnel WAC: carries user data packets from the local WAC
STA
to the Navi WAC for centralized forwarding.
CAPWAP tunnel between WACs
Navi WAC (2)
Typical application scenario
Internet Internet
1. Employee traffic and guest traffic are isolated from each other,
decoupling guest management and control from the intranet.
2. The service egress and the operation egress are independent of each
other.
3. Employees are authenticated and authorized on the local WAC in a

unified manner. The local WAC is the authentication point.
4. Guest traffic is forwarded to the Navi WAC for authentication and

Local WAC Navi WAC
authorization through a CAPWAP tunnel between the local WAC and
Navi WAC. The Navi WAC is the authentication point.
5. Employee traffic flows from the local WAC to the Internet.
6. Guest traffic is forwarded from the local WAC to the Navi WAC, and
SSID1: Employee then goes out to the Internet.
SSID2: Guest SSID: Guest
Employee's Guest's CAPWAP tunnel

STA STA Employees' Guests'
CAPWAP tunnel between WACs authentication point
authentication point
• Upstream traffic (AP -> local WAC -> Navi WAC)

▫ When receiving upstream service packets, if the forwarding mode in a VAP
is tunnel forwarding, the AP directly encapsulates the packets using
CAPWAP and sends them to the local WAC.
▫ After receiving the packets, the local WAC decapsulates them and identifies
the VAP to which the packets belong. Then the local WAC determines the
VAP type. If the VAP type is Navi WAC, the local WAC encapsulates the user
packets using CAPWAP, adds the Navi VAP flag (that is, WLAN ID for
CAPWAP tunnel establishment between the local WAC and Navi WAC) and
user VLAN, and forwards the packets to the Navi WAC.
▫ The Navi WAC decapsulates the received packets, identifies the VAP based
on the Navi VAP flag, and executes the corresponding VAP services (such as
authentication).
• Downstream traffic (Navi WAC -> local WAC -> AP)
▫ When receiving downstream service packets, the Navi WAC executes the
downstream services. Then it encapsulates the user packets using CAPWAP
and forwards them to the local WAC.
▫ After receiving the packets, the local WAC decapsulates them. Then the
local WAC encapsulates the packets using CAPWAP again and forwards
them to the AP.
▫ After receiving the packets, the AP decapsulates them. For unicast packets,
the AP forwards them based on the forwarding table. For broadcast
packets, the AP forwards them based on the VLAN.
IPsec Tunnel
⚫ IPsec establishes a bidirectional security association (SA) between IPsec peers to form a secure IPsec tunnel, imports the data
to be protected to the IPsec tunnel by defining the IPsec-protected data flow, and then uses a security protocol to encrypt and
authenticate the data that passes through the IPsec tunnel, thus implementing secure transmission of specified data over the
Internet.
⚫
IPsec SAs can be established manually or through IKEv1 or IKEv2 auto-negotiation.
Branch 1
Headquarters
Branch n
Contents
Rogue AP Containment Based on Fuzzy SSID Matching
⚫ Scenario description: WLAN services are available in
public places, such as banks and airports. Users can
connect to the WLANs after associating with
WAC
corresponding SSIDs.
⚫ If a rogue AP is deployed and provides spoofing
SSIDs similar to authorized SSIDs, the users may be
misled and connect to the rogue AP, which brings AP AP
security risks. To address this issue, you can

configure device detection and containment. After Authorized AP
SSID: wlan-net
rogue AP containment is configured, the WAC
contains the rogue AP and disconnects users from
Rogue AP
STA SSID: wlan-net
the spoofing SSID.
Configuration Roadmap
WAC
Roadmap
• Configure WLAN basic services so that STAs can access

the WLAN.
• Configure a WIDS spoof SSID profile.
AP AP
• Configure rogue device detection and containment so
that the AP can detect rogue devices and report them
Authorized AP
SSID: wlan-net to the WAC, which then contains the rogue devices
and disconnects STAs from the rogue devices.
Rogue AP
STA SSID: wlan-net
Configuring Fuzzy Matching Rules
WAC
Create a WIDS spoof SSID profile named default and set the
fuzzy matching character for spoofing SSIDs to wlan. Use the
regular expression ^wlan$.
AP AP
[WAC-wlan-view]wids-spoof-profile name default
[WAC-default-spoof-prof-default]spoof-ssid fuzzy-match regex ^wlan$
[WAC-default-spoof-prof-default]quit
Authorized AP
SSID: wlan-net
Rogue AP
STA SSID: wlan-net
• The authorized SSID is wlan-net, and there may be spoofing SSIDs wlan-nat or
wlan, so you can use the regular expression ^wlan$ to configure a fuzzy
matching rule.
Enabling Detection and Containment
Enable device detection and containment.
WAC [WAC-wlan-view] ap-group name default

[WAC-wlan-ap-group-default] radio 0
[WAC-wlan-group-radio-default/0] wids device detect enable
[WAC-wlan-group-radio-default/0] wids contain enable
[WAC-wlan-view] ap-group name default
AP AP [WAC-wlan-ap-group-default] radio 1
[WAC-wlan-group-radio-default/1] wids device detect enable
[WAC-wlan-group-radio-default/1] wids contain enable
Authorized AP
SSID: wlan-net [WAC-wlan-view] wids-profile name default
[WAC-default-prof-default] contain-mode spoof-ssid-ap
[WAC-default-prof-default] wids-spoof-profile default
Rogue AP
STA SSID: wlan-net [WAC-wlan-ap-group-default] ap-group name default
[WAC-wlan-ap-group-default] wids-profile default
Verifying the Configuration
Run the display wlan ids contain ap command to check
information about the contained AP.
WAC [WAC-wlan-view] display wlan ids contain ap

#Rf: Number of monitor radios that have contained the device
CH: Channel number
-----------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-----------------------------------------------------------------------------------
000b-6b8f-fc6a 11 wpa-wpa2 2014-11-20/16:16:57 1 wlan-net
------------------------------------------------------------------------------------
Total: 1, printed: 1
AP AP
Authorized AP
SSID: wlan-net
Rogue AP
SSID: wlan-net
A STA attempts to connect to the WLAN through a rogue AP, which
however is contained. Then the STA is disconnected from the rogue
STA AP and connects to the authorized AP.
Quiz
1. How many bits does the WPA3 encryption key algorithm have?
• 192
intelligent world.


• The Huawei NAC solution provides various features such as third-party
application authentication, terminal type identification, and NAC escape
mechanism.
• NASs include WLAN devices (WACs and APs), switches, firewalls, and other
network devices.
• You can also manage AAA configurations, such as AAA schemes, server
templates, and authorization information, in an authentication profile, instead of
in a domain.
• Authorization methods:
▫ Local authorization: Users obtain authorization information from a domain.
▫ Server authorization: Users obtain authorization information from both a

server and a domain. Authorization information configured in a domain has
a lower priority than that delivered by a server. If the two types of
authorization information conflicts, authorization information delivered by
the server takes effect. If no conflict occurs, both types of authorization
information take effect. Such domain-based management increases
authorization flexibility.
• RADIUS clients transmit user information to a specified RADIUS server and
process requests (for example, permitting or rejecting user access requests) based
on the response packets received from the server. They can locate at any node on
a network.
• The timer specified by dead-time starts after the device marks the RADIUS server
status as Down. The timer indicates the duration for which the server status
remains Down. After the timer expires, the device marks the RADIUS server
status as Force-up. If a new user needs to be authenticated using RADIUS and no
RADIUS server is available, the device attempts to re-establish a connection with
a RADIUS server in Force-up state.
• Availability and maintainability of a RADIUS server are the basic conditions for
user access authentication. If a device cannot communicate with the RADIUS
server, the server cannot perform authentication or authorization for users. To
resolve this issue, the device supports the user escape function upon transition of
the RADIUS server status to Down. To be specific, if the RADIUS server goes
Down, users cannot be authorized by the server but still have certain network
access rights. This function is available only after the device marks the RADIUS
server status as Down. If the RADIUS server status is not marked as Down and
the device cannot communicate with the RADIUS server, users cannot be
authorized by the server and the escape function is also unavailable. As a result,
users have no network access rights. Therefore, the device must be capable of
detecting the RADIUS server status in a timely manner. If the device detects that
the RADIUS server status transitions to Down, users can obtain escape rights; if
the device detects that the RADIUS server status reverts to Up, users' escape
rights are revoked and the users are reauthenticated.
• In a scenario where user accounts are stored on a third-party server, for example,
an AD or LDAP server, you are advised to configure the automatic account
detection function on the RADIUS server. If this function is not configured, the
performance of the RADIUS server deteriorates when the server queries account
information from the third-party server.
• The device marks the RADIUS server status as Down if either of the following
conditions is met:
• The device marks the RADIUS server status as Down during RADIUS server status
detection.
• When system startup is complete, the RADIUS server status detection timer starts.
If the device does not receive any packet from the RADIUS server after sending
the first RADIUS Access-Request packet and the number of consecutive
unacknowledged packets (n) is greater than or equal to the threshold (dead-
count) in a detection interval, a communication interruption is recorded. If the
device still does not receive any packet from the RADIUS server, the device marks
the RADIUS server status as Down when the number of recorded communication
interruptions reaches the detection cycles.
• The device marks the status of a RADIUS server as Down if no response is

received from the server for a long period of time.
• If the interval at which two consecutive unacknowledged RADIUS Access-Request

packets are sent is greater than the value of max-unresponsive-interval, the
device marks the RADIUS server status as Down. This mechanism ensures that
users can obtain escape authorization.
• RADIUS packet retransmission discussed here applies only to a single server. If
multiple servers are configured in a RADIUS server template, the overall
retransmission period depends on the retransmission interval, retransmission
times, RADIUS server status, number of servers, and algorithm for selecting the
servers.
• The device stops packet retransmission if any of the following conditions is met:
• The device receives a response packet from the RADIUS server. It then stops
packet retransmission and marks the RADIUS server status as Up.
• The device detects that the RADIUS server status is Down. After the device marks
the RADIUS server status as Down:
▫ If the number of retransmission times has reached the maximum, the
device stops packet retransmission and retains the RADIUS server status as
Down.
▫ If the number of retransmission times has not reached the maximum, the
device retransmits an Access-Request packet only once to the RADIUS
server. If the device receives a response packet from the server, it stops
packet retransmission and restores the RADIUS server status to Up.
Otherwise, it stops packet retransmission and retains the RADIUS server
status as Down.
• The number of retransmission times reaches the maximum. The device then
stops packet retransmission and performs the following:
▫ If the device receives a response packet from the RADIUS server, it marks
the RADIUS server status as Up.
▫ If the device has detected that the RADIUS server status is Down, it marks
the RADIUS server status as Down.
▫ If the device receives no response packet from the RADIUS server and does
not detect that the server status is Down, the device does not change the
server status. Actually, the server does not respond.
• Primary/Secondary algorithm: The primary and secondary roles are determined
by the weights configured for the RADIUS authentication or accounting servers.
The server with the largest weight is the primary server. If the weight values are
the same, the earliest configured server is the primary server. The device
preferentially sends an authentication or accounting packet to the primary server
among all servers in Up status. If the primary server does not respond, the device
then sends the packet to the secondary server.
• Load balancing algorithm: When a device sends an authentication or accounting

packet to a server, the device selects a server based on the weights configured for
the RADIUS authentication or accounting servers. In this example, RADIUS server
1 is in Up state and its weight is 80, and RADIUS server 2 is also in Up state and
its weight is 20. The possibility for the device to send the packet to RADIUS server
1 is 80% [80/(80 + 20)], and that for RADIUS server 2 is 20% [20/(80 + 20)].
• You can run the radius-server algorithm { loading-share | master-backup } [

based-user ] command to configure the algorithm for selecting RADIUS servers.
▫ By default, a RADIUS server is selected using the primary/secondary

algorithm.
▫ When multiple authentication or accounting servers are configured in a

RADIUS server template, the device selects RADIUS servers based on the
server selection algorithm and the weight of each server.
• Both HWTACACS and the TACACS+ protocols of other vendors support
authentication, authorization, and accounting. HWTACACS is compatible with
other TACACS+ protocols because their authentication procedures and
implementations are the same.
• Both HWTACACS and RADIUS have the following characteristics:
• Use the client/server model.
▫ HWTACACS client: typically runs on an NAS and can locate at any node on
a network. It transmits user information to a specified HWTACACS server
and processes requests based on the responses received from the server.
▫ HWTACACS server: typically runs on a central computer or workstation and

needs to maintain user authentication and network service access
information. The server receives connection requests from users,
authenticates the users, and sends all required information to clients.
• Use shared keys to encrypt user information.
• Feature good flexibility and extensibility.
• HWTACACS supports separation of authentication from authorization. For

example, one HWTACACS server performs authentication and another one
performs authorization.
• Command line authorization:
• HWTACACS supports command line authorization. The commands that a user

can run are restricted by both the command level and AAA authorization. When
a user enters a command, the command is executed only after being authorized
by the HWTACACS server.
• RADIUS does not support command line authorization. The commands that a
user can run depend on the user privilege level. A user can run the commands of
the same level as or lower level than the user privilege level.
• iMaster NCE-Campus is a web-based centralized management and control
system designed for the CloudCampus Solution. It supports a wide range of
functions, including network service management, network security
management, network access management, network monitoring, network quality
analysis, network application analysis, alarm management, and report
management. As well as these, it provides big data analytics capabilities and
open APIs for integration with other platforms. Enterprise users can perform
service configuration and routine O&M on iMaster NCE-Campus to centrally
manage a large number of devices.
• HACA supports MAC address-prioritized Portal authentication.

• An LDAP directory is tree-structured and consists of multiple entries. Each entry
has a unique distinguished name (DN). LDAP performs the bind and search
operations based on DNs to implement user authentication and authorization.
• CN: common name, which indicates the name of an object. In this example,
"CN=User1" is an object name.
• DC: domain component, for example, huawei and com in huawei.com.
• DN: distinguished name, which indicates the location of an object on the AD or

LDAP server. It starts from an object, to its upper-layers, until the root node. In
this example, the DN of User1 in the directory is "CN=User1, OU=R&D,
OU=People, DC=HUAWEI, DC=COM".
• Base DN: DN of the root node. In this example, the Base DN is "dc=HUAWEI,
dc=COM".
• OU: organization unit. It indicates the organization to which an object belongs.

OUs are stored in a tree structure. An OU can contain OUs. In this example,
User1 belongs to "OU=R&D, OU=People".
• When accessing an LDAP server, a user enters the user name and password and
sends an authentication request to the LDAP client. For example, the user enters
the user name User2 and password Huawei@123.
• The LDAP client obtains the user name and password, and sends an
administrator bind request message carrying the administrator's DN and
password to the LDAP server to obtain the search permission.
• After receiving the administrator bind request message, the LDAP server verifies
the administrator's DN and password, and sends an administrator bind response
message indicating successful binding to the LDAP client.
• After receiving the response message, the LDAP client creates a filter criterion
based on the user name, and sends a user DN search request message to the
LDAP server. For example, the client creates the filter criterion "CN=User2".
• After receiving the user DN search request message, the LDAP server searches for
the DN based on the Base DN, search range, and filter criterion. If the DN is
found, the LDAP server sends a DN search response message indicating
successful search to the LDAP client. One or more DNs may be found. In the
directory structure, for example, if the Base DN is "DC=huawei, DC=com", two
DNs will be returned: "CN=User2, Departments=R&D, OU=People, DC=huawei,
DC=com" and "CN=User2, Departments=R&D, OU=Equipment, DC=huawei,
DC=com".
• The LDAP client sends a user bind request message carrying the user's DN and
password to the LDAP server.
• An AD client is an access device integrating Kerberos and LDAP.
• An AD server integrates Kerberos and LDAP authentication. In most cases, an AD

server is a combination of an LDAP server and a Kerberos server.
▫ An LDAP server stores all directory information.
▫ A Key Distribution Center (KDC) is a Kerberos server that stores all

password and account information of clients. It consists of an AS and a TGS.
▫ An Authentication Server (AS) provides the tickets used to access the TGS.
▫ A Ticket Granting Server (TGS) provides the tickets used to access the AD
server.
• When accessing an AD server, a user sends the user name and password to the
AD client to initiate authentication.
• If the AD client accesses the AD server for the first time, it sends an AS-REQ
message carrying the user name in plain text to the Kerberos server integrated in
the AD server, so that the Kerberos server can authenticate the client.
• The Kerberos server searches for the user in the database according to the user
name. If the user is found, the AS server generates a session key shared between
the Kerberos server and client, as well as a ticket. The AD client can use this
ticket to request a ticket for access to the AD server from the Kerberos server. In
this way, the AD client no longer needs to be authenticated again. The AS server
then returns an AS-REP message to the client. The ticket in the AS-REP message
is encrypted using the shared key between the AS and TGS, and the encrypted
ticket and session key are then encrypted using the client's password.
• The AD client uses its own password to decrypt the AS-REP message to obtain
the session key and encrypted ticket. The AD client sends a TGS-REQ message to
the Kerberos server to request a ticket for access to the AD server. This message
contains the authenticator, encrypted ticket, client name, and AD server name.
The authenticator contains the information encrypted using the session key, such
as the client's user name, client's IP address, time, and realm name.
• The Kerberos server decrypts the ticket using the shared key between the AS and
TGS to obtain the session key, and then decrypts the authenticator using the
session key. If the Kerberos server verifies that the client name and time in the
authenticator are the same as those in the ticket, the authentication is successful.
The Kerberos server then returns a TGS-REP message encrypted using the client
password to the client. The TGS-REP message contains the session key used by
the client and AD server and the ticket encrypted using the AD server's password.
The ticket contains the session key, client name, server name, and ticket validity
period. The Kerberos client uses its own password to decrypt the TGS-REP
message, so as to obtain the session key and the encrypted ticket in the message.
The Kerberos client can use this ticket to access the AD server.
• In the networking diagram on the left, no external authentication server is
deployed. The WAC functions as the local EAP server to perform 802.1X
authentication.
• In the networking diagram on the right, an external authentication server is

deployed to perform 802.1X authentication. If this server is faulty, online users
keep online, and the local EAP server (WAC) performs 802.1X authentication on
new access users.
• Local EAP authentication does not support server detection.
• Local EAP authentication does not support the accounting function.
• Local EAP authentication does not support server authorization.

• 802.1X is a Layer 2 protocol and does not involve Layer 3 processing. It does not
require access devices to provide high performance, which thereby reduces
network construction costs.
• Authentication packets and data packets are transmitted through different

logical interfaces, improving network security.
• EAPoL: is a packet encapsulation format defined by the 802.1X protocol. EAPoL is
mainly used to transmit EAP packets over a LAN between the client and access
device.
• EAPoR: EAP packets are directly encapsulated into EAP over RADIUS (EAPoR)
packets, so that they can traverse a complex network to reach the authentication
server. To support EAP relay, the RADIUS protocol adds the EAP-Message and
Message-Authenticator attributes. EAP-Message is used to encapsulate EAP
packets; Message-Authenticator is used to authenticate and verify authentication
packets, protecting against spoofed packets.
• The EAP relay mode simplifies the processing on the access device and supports
various authentication methods. However, the authentication server must
support EAP and have high processing capability. The commonly used
authentication methods include EAP-TLS, EAP-TTLS, and EAP-PEAP. EAP-TLS has
the highest security because it requires a certificate to be loaded on both the
client and authentication server. EAP-TTLS and EAP-PEAP are easier to deploy
since the certificate needs to be loaded only on the authentication server, but not
the client.
• The main advantage of the EAP termination mode is that mainstream RADIUS
servers support both PAP and CHAP authentication, meaning that there is no
need to upgrade servers. However, because this mode must extract client
authentication information from EAP packets sent by clients and encapsulate it
into standard RADIUS packets, the EAP termination mode results in a heavy
workload on the device. In addition, the device does not support other EAP
authentication methods except MD5-Challenge. The major difference between
PAP and CHAP is that passwords in CHAP authentication are transmitted in
cipher text, whereas passwords in PAP authentication are transmitted in plain
text. In this aspect, CHAP provides higher security and is recommended.
• In EAP termination mode, the MD5 challenge for encrypting the user password is
randomly generated by the access device, instead of by the authentication server
in EAP relay mode. Besides, in EAP termination mode, the access device
encapsulates RADIUS packets with the user name, password encrypted by the
client, and MD5 challenge, and sends the packets to the authentication server for
authentication. In EAP relay mode, in contrast, the access device is only
responsible for encapsulating EAP packets into RADIUS packets and transparently
transmitting them to the authentication server.
• Successful authentication: If the administrator modifies parameters such as
access rights and authorization attributes of an online user on the authentication
server, reauthentication of the user must be performed to ensure user validity.
After reauthentication is configured for online 802.1X-authenticated users, the
device sends the locally saved online user authentication information to the
authentication server. If the user authentication information is the same as that
on the authentication server, the user keeps online. Otherwise, the user is logged
out and needs to be reauthenticated.
• When a user is in preconnection state or fails authentication, the access device

records the user entry and grants limited network access rights to the user. To
ensure that the user can obtain normal network access rights in a timely manner,
the access device needs to reauthenticate the user based on the user entry. If the
user fails the reauthentication before the user entry aging time expires, the
access device deletes the user entry and revokes the granted network access
rights. If the user is successfully reauthenticated before the user entry aging time
expires, the access device adds an authenticated-user entry and grants
corresponding network access rights to the user.
• A client can log out proactively; the access device and server can also log out a
user.
• The access device logs out a user.
▫ If an administrator detects that an unauthorized user is online or wants a

user to go offline and then go online again during a test, the administrator
can run the cut access-user command on the access device to log out the
user.
• The server logs out a user using either of the following methods:
▫ The RADIUS server sends a Disconnect Message (DM) to the access device
to log out the user.
▫ The RADIUS server uses the standard RADIUS attributes Session-Timeout

and Termination-Action to log out the user. The Session-Timeout attribute
specifies the online duration timer of a user. The value 0 of Termination-
Action indicates that the RADIUS server logs out the user when the online
duration timer expires.
• Client: In most cases, a client is a host where an HTTP/HTTPS-capable browser is
installed.
• Access device: a network device such as a switch or router, which provides the
following functions:
▫ Redirects all HTTP and HTTPS requests of users on authentication subnets
to the Portal server before authentication is performed.
▫ Interacts with the Portal server and authentication server to implement user
authentication, authorization, and accounting.
▫ Grants users access to specified network resources upon successful
authentication.
• Portal server: a server system that receives authentication requests from clients,
provides Portal services and authentication pages, and exchanges client
authentication information with access devices.
• Authentication server: interacts with access devices to implement user
authentication, authorization, and accounting.
• Portal authentication has the following advantages:
▫ Ease of use: In most cases, Portal authentication authenticates a user on a
web page, without any additional software required on the client.
▫ Convenient operations: Portal authentication allows for value-added
services on the web page, including advertisement push and enterprise
publicity.
▫ Mature technology: Portal authentication has been widely used on
networks of carriers, fast food chains, hotels, and schools.
▫ Flexible deployment: Portal authentication implements access control at the
access layer or at the ingress of key data.
▫ Flexible user management: Portal authentication can be performed on users
based on the combination of user names and any one of VLANs, IP
addresses, and MAC addresses.
• Built-in Portal authentication is also supported. That is, the Portal authentication
server is deployed on the access device.
• Select a Portal authentication mode based on the actual network requirements.
▫ When Layer 2 authentication is used, the device can learn users' MAC
addresses and identify the users based on their MAC addresses and IP
addresses. Layer 2 authentication provides a simple authentication process
with high security. However, users must be in the same network segment
with the access device, causing inflexible networking.
▫ When Layer 3 authentication is used, the device cannot obtain the MAC
address of a client, so it identifies the user based only on the client IP
address. Layer 3 authentication allows for flexible networking and
facilitates remote control. However, users can only be identified based on
their IP addresses, leading to poor security.
• The Portal authentication process is as follows:
▫ Before authentication, the client establishes a preconnection with the access

device. The access device creates a user online entry for the client and
grants the client access to certain network resources. The Layer 3
authentication process is similar to the Layer 2 authentication process,
except that no preconnection is established between the client and access
device in Layer 3 authentication.
▫ The client initiates an HTTP connection request.

• The following uses CHAP authentication as an example to describe the Portal-
based Portal authentication process:
▫ After receiving the Portal authentication request, the Portal server sends a
Portal challenge request packet to the access device. This step is performed
only when CHAP authentication is used between the Portal server and
access device. If PAP authentication is used, steps 7 and 8 are not
performed.
▫ The access device sends a Portal challenge response packet to the Portal
server.
▫ The Portal server encapsulates a Portal authentication request packet with

the entered user name and password and sends the packet to the access
device.
▫ The access device and RADIUS server exchange user information to

authenticate the user.
▫ The access device encapsulates a RADIUS Access-Request packet with the

entered user name and password and sends the packet to the RADIUS
server.
▫ The RADIUS server authenticates the user name and password. If

authentication succeeds, the RADIUS server sends a RADIUS Access-Accept
packet to the access device. This packet also contains user authorization
information because RADIUS authorization is combined with authentication.
If authentication fails, the RADIUS server sends a RADIUS Access-Reject
packet to the access device.
• HTTPS is a secure HTTP and also known as HyperText Transfer Protocol over
Transport Layer Security (HTTP over TLS) or HyperText Transfer Protocol over
Secure Socket Layer (HTTP over SSL). HTTPS uses HTTP for communication and
SSL/TLS for data encryption.
• A URL is a concise representation of the location and access method of a
resource that can be obtained from the Internet. It is the address of a standard
resource on the Internet. Each file on the Internet has a unique URL. The URL
contains information about the location of the file and how a browser should
process the file.
• When HTTP/HTTPS-based Portal authentication is used, the authentication
process is as follows:
• The Portal server instructs the client to send a Portal authentication request to
the access device.
• The client sends a Portal authentication request (HTTP POST/GET) to the access
device.
• After receiving the Portal authentication request, the access device parses the
packet according to parameter names to obtain information such as the user
name and password, and then sends the obtained user name and password to
the RADIUS server for authentication. The process is similar to the Portal-based
Portal authentication.
• The access device returns the Portal authentication result to the client and adds
the user to the local online user list.
• For example, an HTTP request is sent in Get mode:
https://Portal.example.com/login?userName=test&password=Huawei@123. In this
URL, we can see that the user name and password are transmitted in plain text,
which may be intercepted by other users, posing security risks.
• A client can log out proactively; the access device and server can also log out a
user.
• In Portal authentication scenarios, you can also run a command on the access
device to log out a user.
• This timer applies to an external Portal server that uses the Portal or
HTTP/HTTPS protocol or a built-in Portal server that uses the Portal protocol
• This timer applies to an external Portal server that uses the Portal or
HTTP/HTTPS protocol.
• This timer applies to an external Portal server that uses the Portal protocol.
• The built-in Portal server detects user heartbeats in either of the following
modes:
▫ Forcible mode: If the access device does not receive any heartbeat packet
from a user before the user heartbeat detection timer expires, the access
device logs out the user.
▫ Automatic mode: The access device checks whether the client browser
supports the heartbeat program. If so, the forcible mode is used. If not, the
access device does not detect user heartbeats. This mode is recommended
as it prevents user logout if the browser does not support the heartbeat
program.
• Dumb terminal: Compared with other terminals, dumb terminals have limited
functions and simple interaction modes. In this document, dumb terminals refer
to terminals whose authentication information such as user names and
passwords cannot be entered.
• By default, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication, for example, 0005e0112233.
• Passwords of MAC address authentication users can be processed using PAP or
CHAP. The following MAC address authentication process uses PAP as an
example:
▫ When a terminal accesses the network, the access device detects and learns
the MAC address of the terminal, triggering MAC address authentication.
▫ The access device generates a random value (MD5 challenge), arranges the
user MAC address, password, and random value in sequence, encrypts them
using the MD5 algorithm, encapsulates a RADIUS Access-Request packet
with the encryption results, and sends the packet to the RADIUS server.
▫ The RADIUS server arranges the user MAC address, password saved in the
local database, and received random value in sequence, and encrypts them
using the MD5 algorithm. If the encrypted password is the same as that
received from the access device, the RADIUS server sends a RADIUS Access-
Accept packet to the access device, indicating that MAC address
authentication is successful and the terminal is allowed to access the
network.
▫ Different from PAP, CHAP involves password encryption twice on both the
access device and RADIUS server.
• Successful authentication: If the administrator modifies parameters such as
access rights and authorization attributes of an online user on the authentication
server, reauthentication of the user must be performed to ensure user validity.
After reauthentication is configured for online authenticated users, the device
sends the locally saved online user authentication information to the
authentication server. If the user authentication information is the same as that
on the authentication server, the user keeps online. Otherwise, the user is logged
out and needs to be reauthenticated.
• When a user is in preconnection state or fails authentication, the access device

records the user entry and grants limited network access rights to the user. To
ensure that the user can obtain normal network access rights in a timely manner,
the access device needs to reauthenticate the user based on the user entry. If the
user fails the reauthentication before the user entry aging time expires, the
access device deletes the user entry and revokes the granted network access
rights. If the user is successfully reauthenticated before the user entry aging time
expires, the access device adds an authenticated-user entry and grants
corresponding network access rights to the user.
• The server logs out a user using either of the following methods:
▫ The RADIUS server sends a Disconnect Message (DM) to the access device
to log out the user.
▫ The RADIUS server uses the standard RADIUS attributes Session-Timeout

and Termination-Action to log out the user. The Session-Timeout attribute
specifies the online duration timer of a user. The value 0 of Termination-
Action indicates that the RADIUS server logs out the user when the online
duration timer expires.
• If a user frequently fails MAC address authentication within a short period of
time, a large number of system resources will be occupied and brute force
attacks on the user name and password may occur.
• After the quiet timer function is enabled, if the number of a user's authentication
failures within 60 seconds reaches the specified value, the access device waits for
a period of time controlled by the timer. During this period, the access device
discards the MAC address authentication requests sent from the user.
• When a RADIUS server is used as the authentication server, an Access-Accept
packet indicating successful authentication also contains user authorization
information because RADIUS authorization is combined with authentication.
• VLAN-based authorization: After a user is authenticated, the RADIUS server

delivers an authorized VLAN to the user. The access device then changes the
VLAN to which the user belongs to the authorized VLAN, with the interface
configuration remaining unchanged. The authorized VLAN has a higher priority
than the VLAN configured on the interface. That is, the authorized VLAN takes
effect after the authentication succeeds, and the configured VLAN takes effect
when the user is offline.
• The RADIUS server can assign an authorized ACL to a user in either of the
following modes:
▫ Static ACL assignment: The RADIUS server uses the standard RADIUS
attribute Filter-Id to assign an ACL ID to the user. In this mode, the ACL and
corresponding rules are configured on the access device in advance.
▫ Dynamic ACL assignment: The RADIUS server uses the Huawei extended
RADIUS attribute HW-Data-Filter to assign an ACL ID and corresponding
rules to the user. In this mode, the ACL ID and ACL rules are configured on
the RADIUS server.
• When an authentication-free rule is configured using an ACL, the ACL number is
in the range from 6000 to 6031.
• The NAC escape mechanism grants specified network access rights to users when
the authentication server is Down or to users who fail the authentication or are
in preconnection state. The escape solutions vary according to the authentication
modes. Some escape solutions are shared by all authentication modes, while
some are supported only in specific authentication modes. For details, see "NAC
Escape Mechanism" in the product documentation.
• 5W1H:
▫ Who: identity of a user, for example, a corporate executive, employee, or

guest;
▫ Where: user access location, for example, local (within a campus) or remote
access;
▫ What: type of the access terminal, for example, a mobile phone, PC, or
laptop;
▫ When: time range when a user accesses the network, for example, in the
daytime or at night;
▫ Whose: device owner, for example, a company-issued terminal or BYOD

terminal;
▫ How: user access mode, for example, wired or wireless access.

• Dynamic security groups include users and terminals that can access the network
only after being authenticated.
• Static resource groups include servers, interfaces of network devices, and special
terminals that can access the network using fixed IP addresses without
authentication.
• The NAC escape mechanism grants specified network access rights to users when
the authentication server is Down or to users who fail the authentication or are
in preconnection state. The escape solutions vary according to the authentication
modes.
• For Portal authentication, the NAC escape function is supported only when HTTP
packets are sent to trigger authentication.
• VLAN-based authorization is not supported for online Portal authentication users.
• The device assigns network access rights according to the configuration of the
following user authorization policies in descending order of priority:
▫ If the authentication server is Down: network access rights upon an
authentication server Down event > network access rights for users who fail
authentication > network access rights for users in preconnection state >
user authorization based on whether the function of keeping users who fail
to be authenticated and do not have any network access rights in the
preconnection state is enabled.
▫ If users fail authentication: network access rights for users who fail
authentication > network access rights for users in the preconnection state
> user authorization based on whether the function of keeping users who
fail to be authenticated and do not have any network access rights in the
preconnection state is enabled.
▫ If users are in the preconnection state: network access rights for users in the
preconnection state > user authorization based on whether the function of
keeping users who fail to be authenticated and do not have any network
access rights in the preconnection state is enabled.
▫ If a Portal server is Down: network access rights upon a Portal server Down
event > network access rights before the Portal server is Down.
• To configure the Portal escape function, run the server-detect command on the
device to enable the heartbeat detection function, and enable the heartbeat
detection function on the Portal server.
• A
• Bluetooth is a short-range wireless communication technology. With the
emergence of IoT applications such as smart wearables, smart home, and IoV, a
large number of Bluetooth products are developed, including traditional
Bluetooth-capable mobile phones, Bluetooth headsets, Bluetooth speakers,
Bluetooth mouse devices, and Bluetooth keyboards, smart wristbands, smart
watches, sports bands, vehicle-mounted devices, and smart home products.
• To enable network convergence, Huawei launched IoT APs for IoT expansion. The
APs provide many IoT connection modes such as Bluetooth, RFID, and ZigBee,
implementing a unified portal for various IoT protocols, such as Wi-Fi, Bluetooth,
and RFID.
• Bluetooth, RFID, and ZigBee cards are integrated on IoT APs, so that Wi-Fi and
IoT services can be co-sited, share backhaul resources, and are centrally managed.
This practice can reduce the costs, workload, and damage to the surrounding
environment, and achieve high flexibility and scalability.
• RFID gateway: A third-party RFID card is installed on an AP through the PCIe
interface, integrating the RFID gateway function. In this manner, the AP can
listen to broadcast data of RFID tags. The RFID gateway has an independent ID.
• RFID tag: RFID tags are installed on assets. RFID tags periodically broadcast RFID
packets that carry information such as RFID tag IDs, tag status, and device
working status (current tags).
• Exit alarm: If a baby is carried to the exit, the exit management device will detect
this event and notify the infant wristband. The RFID signal of the infant
wristband then triggers an alarm. After receiving the alarm, the system parses
the location of the exit where the alarm is generated, and takes security
measures, such as audible and visual alarming, access control, and camera
linkage.
• Cut-off alarm: The system generates such an alarm when the infant wristband
reports cut-off information or no signal from the infant wristband can be
detected (no information is reported to the system for alarm processing).
• Mother-infant detaching alarm: The mother wristband analyzes the current baby
distance based on the signal strength. When the distance exceeds a preset
threshold, an alarm is generated.
• Low-battery alarm: The infant wristband broadcasts RFID packets that carry the
battery level information. When the system detects the battery level falls below a
preset threshold, it generates a low-battery alarm.
• Infant check-out timeout alarm: The system sets the check-out time. If a baby is
not returned back to the ward when the check-out time expires, an alarm is
generated.
• Alarming upon a wristband exception:
▫ The wristband reports heartbeat packets through RFID, but the server
cannot detect the heartbeat packets. As a result, an alarm is generated.
▫ The IoT module expanded via the USB port can locate the wristband
through radio-based positioning. If a baby is carried away for a period of
time, the system generates an infant check-out timeout alarm.
▫ If a wristband is cut off, this change is reported through RFID, and a cut-off
alarm is generated. The server then identifies the cut-off alarm.
▫ The mother wristband enables distance monitoring and determines the

distance based on the RFID signal strength received from the infant
wristband. When the distance exceeds a preset threshold, a mother-infant
detaching alarm is generated.
• Backtracking analysis
▫ APs equipped with IoT cards are deployed in public areas, such as corridors,
to obtain the locations of infant wristbands in real time. In this way, the
tracks of babies can be traced and analyzed when the babies are
abnormally carried out of the wards.
• Border alarming
▫ When a baby is carried to the exit, the border manager interacts with the
RFID tag of the infant wristband and identifies that the wristband location
is abnormal. The system then generates an exit alarm.
▫ When an exit alarm is generated, the system can perform linkage with the
access control system and video surveillance system.
• Nurse information system
▫ Nurses record inpatient and outpatient information.
▫ The alarm information is sent to the nurse station or security protection

center.
▫ The nurse station confirms and views the alarm.

• Service scenario:
▫ ESLs, base stations, and ESL servers are deployed in the enterprise HQ,
branches, and stores. The ESL servers in the enterprise HQ and branches
connect to the ERP system. After a customer adjusts product prices in the
ERP system, the adjustments are synchronized to the ESL servers. The ESL
servers then adjust the prices based on the price adjustment result in the
ERP system and the preset price adjustment plan (usually after the closing
of the shopping mall). In addition, the ESL server can display other
information about products based on ESLs, such as the validity period,
discount description, and detailed product parameters.
• ERP system overview
▫ The Enterprise Resource Planning (ERP) system is a management platform
established based on information technologies and advanced management
ideas. It provides systematic management ideas for enterprise employees
and decision makers.
• Solution implementation:
• Physical convergence:
▫ APs provide IoT card slots themselves, and are low-cost Wi-Fi+IoT network
devices.
▫ Wi-Fi and IoT are deployed at the same site, reducing cabling costs.
• Surveillance convergence:
▫ The IoT card status, such as the IP address, MAC address, and bandwidth,
can be queried through the SNMP interface.
▫ Device fault alarms, such as card absence alarm and card type mismatch
alarm
• What are the commonly used short-range wireless communication technologies?
▫ RFID, Bluetooth, ZigBee, and Wi-Fi.
• What are the characteristics and application scenarios of different short-range
wireless communication technologies?
▫ RFID identifies objects based on radio signals and space coupling
(inductance or electromagnetic coupling) or radar reflection. It works on
different frequency bands, including low-frequency and ultra-high-
frequency bands and is applicable to a wide range of scenarios, such as
access control and asset management.
▫ Bluetooth is one of the most widely used short-range wireless
communication standards in the globe. It complies with IEEE 802.15.1 and
works on the 2.4 GHz frequency band. Currently, it is used to interconnect
with peripheral devices (such as Bluetooth headsets and mouse devices),
smart wearables (such as wristbands and watches), and IoT devices (such
as home electronic devices).
▫ ZigBee is a short-range, low-power wireless communication technology
implemented based on IEEE 802.15.4. ZigBee features short range, self-
networking, low power consumption, and low data transmission speed.
ZigBee supports three networking modes: star network, mesh network, and
hybrid network (star + mesh). ZigBee is widely used in industrial and smart
home sectors.
▫ Wi-Fi is a short-range wireless communication technology implemented
based on IEEE 802.11. It works on the 2.4 GHz and 5 GHz frequency bands,
and is mainly used for high-speed Internet access at homes and indoor
places.
• Ultra-wideband (also known as UWB, ultra wideband, ultra-wide band and
ultraband) is a radio technology that can use a very low energy level for short-
range, high-bandwidth communications over a large portion of the radio
spectrum.[1] UWB has traditional applications in non-cooperative radar imaging.
Most recent applications target sensor data collection, precision locating and
tracking applications. As of September 2019, UWB support has started to appear
in high-end smartphones.
• Application layer: carries LBS applications to develop the upper-layer application
platform or develop and display applications by invoking APIs in the customer's
existing systems such as the production management system and administrative
management system.
• Platform layer: consists of the positioning engine, iMaster NCE, and GIS/map
platform.
▫ Positioning engine: calculates the obtained initial positioning information,

such as the RSSI and time, to obtain the coordinates of located objects.
▫ iMaster NCE: manages, configures, and maintains network devices.
▫ GIS/Map platform: provides map information to the positioning engine.
• Network layer: deploys APs to provide Wi-Fi and Bluetooth signal coverage and
management. (Determine whether to deploy iBeacons based on site
requirements. In most cases, iBeacons are required in mobile phone navigation
scenarios.)
▫ An AP scans the RSSI data of Wi-Fi terminals and reports the data.
▫ The AP scans the RSSI data of Bluetooth terminals and reports the data.
▫ The AP can serve as a standard iBeacon to broadcast signals.
▫ The AP transparently transmits positioning packets through a PCIe card.
• Terminal layer: accommodates various terminals to be located.

• RSSI propagation model: measures the distance based on the RSSI.
• RSSI fingerprint: uses the field strength as the fingerprint characteristic value.
• ToA and TDoA: are used to synchronize time between base stations.
• ToF: measures the distance based on the signal flight time.
• AoA: is a typical ranging-based positioning algorithm.
• PoA: determines the distance between two devices based on the carrier phase.
• You can obtain fingerprints in either of the following ways:
▫ In the actual environment, the fingerprint library maintenance mode is

complex, and the fingerprint information change in the environment has
great impact on the positioning result.
▫ The calculation is performed based on the AP deployment positions and

environment to form a virtual fingerprint library. This method does not
require a large amount of collection work. However, the impact of the
environment on the fingerprint library may cause inaccurate positioning
results.
• When the RSSI fingerprinting method is used, the positioning accuracy is affected
by multiple factors, such as signal fluctuation, terminal location, and multi-path
signal transmission.
• Anchor: is a positioning base station.
• ToA: The distance to the target is determined based on the arrival time of radio
waves. Then, the target location is calculated based on the triangulation principle.
A terminal transmits signals to more than three anchors. By measuring the time
used for signals from the terminal to different anchors, the distances between
the terminal and anchors are obtained. Then a circle is drawn by using an anchor
as a center and a measured distance as a radius. The intersection point of the
three circles is the location of the terminal. However, ToA requires strict time
synchronization between the node under test and anchors, which cannot be
supported in most application scenarios.
• TDoA: The difference in distances from the target to different anchors (i.e., base
stations) is calculated based on the difference in the arrival time of signals
received by the anchors. The target location is calculated based on the hyperbola
characteristics. TDoA-based positioning works based on hyperbola positioning.
Four anchors are required for two-dimensional positioning. After the anchor time
is synchronized, the terminal sends a broadcast packet to the anchors. After
receiving the broadcast packet, an anchor marks the timestamp at which the
packet is received, and sends content of the packet to the calculation server. The
calculation server calculates the location of the terminal according to timestamps
of positioning packets from other anchors. By measuring the distance difference
between the terminal and every two anchors, a hyperbola can be drawn when
the distance difference is equal to a constant, and the label coordinates can be
determined at the intersection point of the curves.
▫ Hyperbola: A hyperbola is defined as a set of points whose distance
difference from two fixed points is a constant. The hyperbola focus is the
target location.
• AoA is a positioning algorithm based on the signals' arrival angle. It uses
hardware devices to sense the direction of arrived signals from the transmitter,
calculates the relative azimuth or angle between the receiver and an anchor, and
then uses the triangulation or other methods to calculate the location of an
unknown node.
• The positioning accuracy of the preceding wireless positioning solutions is
affected by multiple factors, such as the installation environment, deployment
density, deployment height, and installation angle of APs, and spatial obstacle
distribution. The actual positioning accuracy may differ from the theoretical value.
During delivery, onsite commissioning is required.
• Wi-Fi positioning can also locate rogue APs that are not uniformly deployed and
non-Wi-Fi interference sources (such as microwave ovens).
• The WAC can report location information to the positioning engine using UDP or
HTTP packets.
• Network planning suggestions:
▫ Plan triangulation-based positioning to ensure that the terminal to be

located is within line of sight (LOS) of the three APs. It is recommended
that the distance between the APs be less than 15 m.
▫ Outdoor AP models require large deployment distance and thus do not

support this positioning solution.
• BLE devices that can be managed by APs must comply with southbound interface
specifications of Huawei APs.
• A software development kit (SDK) is a collection of program interfaces,
documents, and development tools.
• BLE devices that can be managed by APs must comply with southbound interface
specifications of Huawei APs.
• The inertial navigation module is a gyroscope, an accelerometer, and the like
inside a mobile phone.
• Wi-Fi, Bluetooth, RFID, UWB, ZigBee, etc.
• ABC
• The IANA is responsible for assigning global Internet IP addresses. The IANA
assigns some IPv4 addresses to continent-level RIRs, and then each RIR assigns
addresses in its regions. The five RIRs are as follows:
▫ RIPE: Réseaux IP Européens, which is a European IP address registration
center and serves Europe, Middle East, and Central Asia.
▫ LACNIC: Latin American and Caribbean Internet Address Registry, which is
an Internet address registration center for Latin America and the Caribbean
and serves the Central America, South America, and the Caribbean.
▫ ARIN: American Registry for Internet Numbers, which is an Internet number
registration center in the United States and serves North America and some
Caribbean regions.
▫ AFRINIC: Africa Network Information Centre, which serves Africa.
▫ APNIC: Asia Pacific Network Information Centre, which serves Asia and the
Pacific.
• IPv4 has proven to be a very successful protocol. It has survived the development
of the Internet from a small number of computers to hundreds of millions of
computers. However, this protocol is designed to support the network scale
several decades ago. With the expansion of the Internet and the launch of new
applications, IPv4 has shown more and more limitations.
• In the 1990s, the IETF launched technologies such as network address translation
(NAT) and classless inter-domain routing (CIDR) to delay IPv4 address
exhaustion. However, these transition solutions can only slow down the speed of
address exhaustion, but cannot fundamentally solve the issue.
• Nearly infinite address space: This is the most obvious advantage over IPv4. An
IPv6 address consists of 128 bits. The address space of IPv6 is about 8 x 1028
times that of IPv4. It is claimed that IPv6 can allocate a network address to each
grain of sand in the world. This makes it possible for a large number of terminals
to be online at the same time and unified addressing management, providing
strong support for the Internet of Things (IoT).
• Hierarchical address structure: IPv6 addresses are divided into different address
segments based on application scenarios thanks to the nearly infinite address
space. In addition, the continuity of unicast IPv6 address segments is strictly
required for IPv6 address segments, which facilitates IPv6 route summarization to
reduce the size of IPv6 address tables.
• Plug-and-play: Any host or terminal must have a specific IP address to obtain
network resources and transmit data. Traditionally, IP addresses are assigned
manually or automatically using DHCP. In addition to the preceding two
methods, IPv6 supports SLAAC.
• E2E network integrity: NAT widely used on IPv4 networks damages the integrity
of E2E connections. After IPv6 is used, NAT devices are no longer required, and
online behavior management and network monitoring become simple. In
addition, applications do not need complex NAT adaptation code.
• Enhanced security: IPsec was initially designed for IPv6. Therefore, IPv6-based
protocol packets (such as routing protocol and neighbor discovery packets) can
be encrypted in E2E mode, despite the fact that this function is not widely used
currently. The security capability of IPv6 data plane packets is similar to that of
IPv4+IPsec.
• IPv6 unicast address: identifies an interface. Since each interface belongs to a
node, the IPv6 unicast address of any interface on the node can identify the node.
Packets sent to an IPv6 unicast address are delivered to the interface identified by
this address. IPv6 defines multiple types of unicast addresses, including the
unspecified address, loopback address, LLA, GUI, and ULA.
▫ The IPv6 unspecified address is 0:0:0:0:0:0:0:0/128 or ::/128, indicating that
an interface or a node does not have an IP address. It can be used as the
source IP address of some packets, such as Neighbor Solicitation (NS)
messages in duplicate address detection.
▫ The IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128. Similar to the
IPv4 loopback address 127.0.0.1, the IPv6 loopback address is used when a
node needs to send IPv6 packets to itself. This IPv6 loopback address is
usually used as the IP address of a virtual interface such as a loopback
interface.
▫ An IPv6 GUI is an IPv6 address with a global unicast prefix, and is similar to
an IPv4 public address. IPv6 GUIs support routing prefix aggregation,
helping limit the number of global routing entries. A global unicast address
consists of a global routing prefix, subnet ID, and interface ID.
▫ LLAs are used only in communication between nodes on a local link. An LLA
uses the link-local prefix of FE80::/10 as the leftmost 10 bits (1111111010 in
binary) and an interface ID as the rightmost 64 bits. When IPv6 runs on a
node, an LLA that consists of the fixed prefix and an interface ID in EUI-64
format is automatically assigned to each interface of the node. This
mechanism enables two IPv6 nodes on a link to communicate without any
additional configuration. Therefore, LLAs are widely used in neighbor
discovery and stateless address configuration.
• You can apply for a GUA from a carrier or the local IPv6 address management
organization.
• DAD checks whether an IPv6 unicast address is being used before the address is
assigned to an interface. DAD is required if IPv6 addresses are configured
automatically. An IPv6 unicast address that is assigned to an interface but not
verified by DAD is called a tentative address. An interface cannot use a tentative
address for unicast communication.
• Router Advertisement (RA) message: Each routing device (including the IPv6
WAC) periodically multicasts RA messages carrying network prefixes and flags to
declare its existence to hosts and devices on a Layer 2 network.
• RS message: After being connected to a network, a host immediately sends an RS

message to obtain network prefixes. Devices on the network reply with RA
messages.
• An IPv6 packet is composed of the following parts:
▫ IPv6 header
▪ Each IPv6 packet must contain a header with a fixed length of 40
bytes.
▪ The IPv6 header provides basic packet forwarding information, which
is parsed by all routers on a forwarding path.
▫ Extension headers
▪ An IPv6 extension header is an optional header that may follow an
IPv6 header. An IPv6 packet can contain no extension header, or it can
contain one or more extension headers with different lengths. The
IPv6 header and extension headers replace the IPv4 header and its
options. The extension headers enhance IPv6 significantly. Unlike the
options in an IPv4 header, the maximum length of an extension
header is not limited. Therefore, an extension header can contain all
the extension data required for IPv6 communication. The extended
packet forwarding information provided by an extension header is
generally parsed by the destination router but not all routers on a
path.
▫ Upper-layer protocol data unit
▪ An upper-layer protocol data unit is composed of the upper-layer
protocol header and its payload, which can be an ICMPv6 packet, a
TCP packet, or a UDP packet.
• The IPv6 header is also called fixed header, which contains eight fields. The total
length of the fixed header is 40 bytes. The eight fields are Version, Traffic Class,
Flow Label, Payload Length, Next Header, Hop Limit, Source Address, and
Destination Address.
• Version
▫ This field indicates the version of IP and its value is 6. The length is 4 bits.
• Traffic Class
▫ This field indicates the class or priority of an IPv6 packet and its function is
similar to that of the ToS field in an IPv4 header. The length is 8 bits.
• Flow Label
▫ An IPv4 header does not contain the field. This is a new field. It is used by a
source to label sequences of packets for which the label requests special
handling by IPv6 routers. The length is 20 bits. Generally, a flow can be
determined based on the source IPv6 address, destination IPv6 address, and
flow label.
• Payload Length
▫ This field indicates the length of the IPv6 payload. The payload refers to the
extension header and upper-layer protocol data unit that follow the IPv6
header. This field is 16 bits long and can indicate the payload with a
maximum length of 65535 bytes. If the payload length exceeds 65535
bytes, the field is set to 0, and the Jumbo Payload option in the Hop-by-
Hop Options header is used to express the actual payload length.
• When creating a static route, you can specify both the outbound interface and
next hop.
▫ Alternatively, you can specify either the outbound interface or next hop,
depending on the interface type: For point-to-point (P2P) interfaces, specify
the outbound interface.
▫ For non-broadcast multiple access (NBMA) interfaces, specify the next hop.
▫ For broadcast interfaces, specify the outbound interface. If the next hop
address is also specified, it does not need to be a link-local address.
• Specifying the same preference value for static routes to the same destination
implements load balancing among these routes. Conversely, specifying different
preference values for static routes to the same destination implements route
backup among the routes.
• If the destination IP address and mask are set to all 0s, the default IPv6 static
route is configured. By default, no default IPv6 static route is configured.
• When configuring static routes, note the following:
▫ If no preference is set for a static route, the static route uses the default
preference 60.
▫ If the destination address and mask of a static route are all 0s, the static
route is a default route.
• The OSS is a support platform used for network service development and
operation. On a typical network, the OSS may be a network management
platform or an SDN controller.
• The ipv6 nd autoconfig managed-address-flag command sets the M flag of
stateful autoconfiguration in an RA message. If the M flag is set, a host obtains
an IPv6 address through stateful autoconfiguration.
• The ipv6 nd autoconfig other-flag command sets the O flag of stateful

autoconfiguration in an RA message. If the O flag is set, a host uses stateful
autoconfiguration to obtain other configuration parameters (excluding IPv6
address), including the router lifetime, neighbor reachable time, retransmission
interval, and PMTU.
• In this example, the WAC and AP belong to the same VLAN. The AP sends a
multicast CAPWAP Discovery Request packet to discover the WAC.
• ND provides powerful functions but lacks security mechanisms. Attackers often
use ND to attack network devices. Attackers often use ND to attack network
devices.
▫ Address spoofing attack: An attacker uses the IP address of host A to send
Neighbor Solicitation (NS) or neighbor advertisement (NA) packets to host
B or the gateway. Host B or the gateway then modifies their ND entries. As
a result, host B cannot receive packets or communicate with other hosts. In
addition, the attacker can intercept the packets of host A to obtain the
game and bank passwords of host A. Host A will suffer a huge loss.
▫ RA attack: An attacker uses the IP address of the gateway to send the
Router Advertisement (RA) packet to hosts. The hosts then modify their ND
entries or record incorrect IPv6 parameters. As a result, the hosts cannot
communicate with each other.
▫ The WAC provides the ND snooping function to prevent ND attacks.
• ND snooping:
▫ Deploy ND snooping on APs, configure the AP's interface connected to the
authorized router (WAC) as a trusted interface, and enable ND protocol
packet validity check on the user-side interface.
▫ When receiving NA/NS/RS packets from a user-side interface, the AP checks
packet validity against the dynamic ND snooping binding table and filters
out forged NA/NS/RS packets.
▫ The AP discards RA messages received from user-side interfaces (untrusted
interfaces by default) and processes only RA messages received from
trusted interfaces. This prevents attacks caused by forged RA messages.
• Bogus DHCP server attack: If a bogus DHCP server sends a bogus DHCP Reply
message with the incorrect gateway address, DNS server address, and IP address
to a DHCP client, the DHCP client cannot obtain the correct IP address and
required information. The authorized user then fails to access the network and
user information security is affected.
• DHCP flood attack: An attacker sends a large number of DHCP messages to a
device in a short period to generate a huge impact on the device performance. As
a result, the device may fail to work.
• Bogus DHCP message attack: An attacker pretends to be an authorized user to
continuously send DHCP Request messages to the DHCP server to renew the IP
address; therefore, the IP address cannot be reclaimed and other authorized
users cannot obtain IP addresses.
• DHCP server DoS attack: A large number of attackers maliciously apply for IP
addresses. As a result, IP addresses on the DHCP server are exhausted and
authorized users cannot obtain IP addresses.
• The DHCP snooping function ensures that DHCP clients obtain IP addresses from
the authorized DHCP server.
▫ If a bogus DHCP server is deployed on the network, DHCP clients may
obtain incorrect IP addresses and network configuration parameters and
cannot communicate properly. The DHCP snooping function controls the
source of DHCP Reply messages to prevent bogus DHCP servers from
assigning IP addresses and other configurations to DHCP clients.
▫ DHCP snooping involves two interface roles: trusted interface and untrusted
interfaces. Trusted interfaces receive DHCP ACK, DHCP NAK, and DHCP
Offer messages from a DHCP server.
▫ The device discards DHCP ACK messages, NAK messages, and Offer
messages on untrusted interfaces.
• Answer 1: Unlimited address space, hierarchical address structure, plug-and-play,
simplified packet header, security features, mobility, and enhanced QoS features.
• Answer 2:
▫ The packet format of IPv6 header + extension headers is used.
▫ The checksum at Layer 3 is removed. The checksums at Layer 2 and Layer 4

are sufficiently robust, and therefore the checksum at Layer 3 is removed to
save router processing resources.
▫ The fragmentation function on the intermediate node is removed.

Fragments are processed only on the source node that generates data but
not on the intermediate node, preventing the intermediate node from
consuming a large amount of CPU resources to process fragments.
▫ The fixed-length IPv6 header is defined to facilitate fast hardware

processing and improve the forwarding efficiency of routers.
▫ Security options are supported. IPv6 provides optimal support for IPsec,
allowing the upper-layer protocols to omit many security options.
▫ The Flow Label field is added to improve QoS efficiency.

• MSP: Managed Service Provider
• Networks are the most important part of enterprise digital transformation. They
need to offer many expected functions as soon as possible, including carrying and
deploying services in an agile manner, ensuring cloud access experience, and
guaranteeing ICT security. In the future, networks will become simplified and AI-
powered; they will proactively detect service changes and predict network risks in
a timely manner. This, in turn, will drive the transformation of enterprises' ICT
infrastructure, and help enterprises to reshape their business models, improve
customer experience, and embrace a better future.
• Huawei is dedicated to helping customers build a powerful engine for IP

networks in the intelligence era. To this end, Huawei has deeply engaged in
mainstream scenarios such as campus, data center, WAN, WLAN, and network
security. As such, Huawei has proposed its "four engines" brand strategy,
covering four categories of products, namely, CloudEngine switches, NetEngine
routers, AirEngine Wi-Fi 6 WACs and APs, and HiSecEngine security gateways.
• iMaster NCE-Campus is a web-based centralized management and control
system used in the CloudCampus Solution. It delivers a wide range of functions,
including network service management, network security management, user
access management, network monitoring, network quality analysis, network
application analysis, alarm management, and report management. It also
provides open application programming interfaces (APIs) that facilitate
integration with other platforms. On iMaster NCE-Campus, enterprise users can
perform service configuration, routine O&M, and many more tasks, thereby
centrally managing a large number of devices.
• WLAN Planner Website
▫ https://serviceturbo-cloud-
cn.huawei.com/serviceturbocloud/dist/#/toolappmarket
• The registration center is a public cloud service provided by Huawei on the
Internet and can therefore be considered a cloud platform. It is mainly used to
implement plug-and-play of devices on the user network. During the deployment
configuration of network devices, the most important thing is to register them
with iMaster NCE and enable them to be managed by iMaster NCE. Huawei
CloudCampus Solution supports the public cloud deployment mode and MSP-
owned cloud deployment mode. Therefore, multiple iMaster NCE instances may
exist on the Internet. The problem is which iMaster NCE should a device register
with after the device is powered on and connected to the network?
• Huawei has set up a registration center. Users can implement plug-and-play of

network devices through the registration center in the Huawei public cloud or
MSP-owned cloud scenarios. Users need to record information about the network
devices to be managed on iMaster NCE, including device SNs. iMaster NCE
synchronizes the information to the Huawei registration center, which maintains
the information. After a user connects a Huawei cloud managed device to the
network with factory settings, the device obtains an IP address and then initiates
a query request to the registration center. The domain name of the registration
center has been preset on the device before delivery. The domain name is unique
globally. The device initiates resolution requests through DNS servers in different
regions and obtains the addresses of the registration centers in these regions.
Then, the registration center returns information such as the IP address of the
corresponding iMaster NCE to the device. In this way, the device can initiate a
registration request to the address so it can get managed by iMaster NCE.
• VXLAN allows a virtual L2 or L3 network (overlay network) to be built over a
physical network (underlay network). The overlay network transmits packets
between different sites through L3 forwarding paths provided by the underlay
network.
• In technical applications, different overlay networks are created for different

services. Services are aware of the overlay network only. The underlay network is
transparent to services.
• Configuration can be performed before or after installation. If configuration is
performed before installation, topology information must be recorded in advance.
If installation is performed before configuration, the topology can be
automatically discovered.
• OPEX means the operating expense, which is the sum of various costs during the
enterprise operations, including maintenance cost, marketing expense, labor cost,
and depreciation expense.
• Disadvantages of manual calibration:
▫ Some customers use manual calibration and channel planning. One
planning process requires multiple adjustments for several consecutive days,
but the final result is uncertain. The calibration result may be worse due to
channel conflicts and signal interference when APs are densely installed.
Once the environment changes (for example, new APs are deployed or a
wall is added), the original planning needs to be adjusted again. The re-
adjustment may have the global impact, so it may be full of difficulties.
• Real-time simulation feedback
▫ Real-time simulation feedback enables the system to automatically perform
adjustment when network interference occurs. The simulation effect is
evaluated based on the radio quality score. This feature greatly improves
O&M efficiency and user experience on wireless networks.
• Insufficient automatic calibration capability of the device itself
▫ Traditional automatic calibration of the device itself is centered on signal
coverage. Calibration triggered in the early morning lacks user behavior
data because only a few or no users access the network in the early
morning. It can be performed only based on the current status and cannot
detect the load of real APs or interference in the daytime. Therefore the
calibration effect cannot be guaranteed and radio resources cannot be fully
used.
• Predictive calibration:
▫ intelligent radio calibration collects user access data in the past seven days,
uses the AI algorithm to accurately predict the AP load trend, and guides
radio calibration based on the predicted values, implementing network
change as required.
• On a campus network, access terminals include smart terminals (such as PCs and
mobile phones) and dumb terminals (such as IP phones, printers, and IP
cameras). Currently, terminal management on campus networks faces the
following challenges:
▫ The network management system (NMS) can only display the IP and MAC
addresses of access terminals, but cannot identify the specific terminal type.
As a result, the NMS cannot provide refined management for network
terminals.
▫ Network service configurations and policies vary according to the terminal
type. Consequently, administrators need to manually configure different
services and policies for each type of service terminals, complicating service
deployment and operations.
• To address these challenges, Huawei provides the automatic terminal
identification and policy delivery solution, which delivers the following functions:
▫ iMaster NCE-Campus can display the network-wide terminal types and
operating systems, for example, dumb terminals including printers, IP
cameras, smart all-in-one cards, and access control systems. iMaster NCE-
Campus can also collect statistics and display traffic by terminal type.
▫ Administrators do not need to manually configure different services and
policies for different types of dumb terminals such as IP phones, printers,
and IP cameras on the campus network. This is because iMaster NCE-
Campus can automatically identify terminals and deliver the corresponding
access policies and service configurations to them.
• In high-density scenarios, such as exhibition halls and stadiums, a limit is usually
imposed on the maximum number of users who can associate with a radio and
VAP so as to improve user experience. In addition, preferential access of VIP users
is deployed to ensure that new VIP users can still access the network even when
the number of access users reaches the threshold. This function improves user
experience of VIP users.
• Identification of VIP users
▫ A device identifies a user as a VIP if the user belongs to a VIP user group.
The priority field is added to the user authorization structure. After users
are added to a VIP user group and the authorization information is
delivered to the VIP user group, users in the VIP user group inherit the
priority of the VIP user group.
• D
• Wired, wireless, and IoT network convergence, allowing diversified terminals and
services
▫ Huawei S series switches integrate the WLAN access controller (WAC)
functionality to implement wired and wireless convergence and provide
unified wired and wireless management and experience. Huawei APs
integrate IoT modules to provide functions of IoT base stations,
implementing converged Wi-Fi and IoT networks as well as simplified
management. Huawei's solution provides unified authentication and access
policy control for wired and wireless users by integrating the user
authentication, user management, and policy association functions.
Administrators can obtain consistent user management experience and
simplify O&M of wired and wireless networks.
• All-scenario WLAN: ideal for differentiated access requirements of customers
▫ Huawei provides Wi-Fi 6 APs, high-density APs, and an agile distributed Wi-
Fi solution tailored for a diverse of scenarios, such as common indoor
deployments, high-density stadiums, outdoor environments, and dense
rooms. These offerings provide pervasive high-density WLAN coverage and
deliver assured user access experience. The resulting benefits include
convenient deployment and reduced investment costs.
• Hybrid optical-electrical switch providing PoE++ power over a distance of up to
300 m: higher bandwidth and more flexible network deployment
▫ With the advent of 802.11ax standards and products, the access rate of
STAs exceeds 1 Gbps. However, the access rate of GE interfaces fails to
meet this trend. Huawei provides hybrid optical-electrical switches in the
industry. The switches provide PoE++ power for APs over a distance of up to
300 m.
• Network layer
▫ Physical network: is also called the underlay network and provides basic
connection services for campus networks. To meet access requirements of
multiple types of terminals, the physical network provides a unified three-
network access capability, and allows access of wired, wireless, and IoT
terminals simultaneously.
▫ Virtual network: is also called the overlay network. Virtualization

technology is used to construct one or more overlay networks over the
underlay network. Service policies are deployed on the overlay networks
and are separated from the underlay network, decoupling services from
networks. Multiple overlay networks can serve different services or
customer segments.
• Management layer
▫ iMaster NCE-Campus abstracts network devices and applications, and

rapidly develops and automatically deploys applications through
orchestration and by invoking abstract models. iMaster NCE-Campus
illustrates the entire network but not independent devices (such as
switches, routers, and APs) or discrete configurations (such as access
control, QoS, and routing policies) on devices.
• Physical network layer: also called underlay network. It is a physical topology
consisting of physical network devices (such as switches, APs, firewalls, and
routers) to provide interconnection and interoperability capabilities for all services
on a campus network, building the basic network for campus service data
forwarding.
• A fabric is a fully-connected logical topology built on top of a physical underlay

topology using VXLAN technology. A service network is created on the fabric to
decouple the service network from the physical network. When the service
network needs to be adjusted, the physical network topology does not need to be
changed.
• Virtual network layer: also called overlay network. It is abstracted from the
physical network layer through virtualization technologies to group physical
network resources into a network resource pool that can be flexibly scheduled by
the service layer. Multiple VNs can be created on a fabric based on service
requirements to isolate services. On a traditional campus network, to isolate
services, the OA network and security network are designed as two independent
physical networks. On a virtualized network, physical network sharing is
implemented through the overlay. That is, two VNs can be created and used as
the OA network and security network for service isolation.
• Hierarchical design
▫ Each layer can be considered as a well-structured module with specific role

and function. This layered structure is easy to expand and maintain,
reducing the design complexity and difficulty.
• Modular design
▫ Each module corresponds to a department, function, or service area.

Modules can be expanded flexibly based on the network scale, and
adjustment in a department or area covers a small scope, which facilitates
fault locating.
• Redundancy design
▫ Dual-node redundancy design can ensure device-level reliability.

Appropriate redundancy improves reliability, but excessive redundancy
makes O&M difficult. If dual-node redundancy cannot be implemented, you
may consider card-level redundancy, such as dual main control boards or
switch fabric units (SFUs), for modular core switches or egress routers. In
addition, Eth-Trunk can be deployed to ensure link-level reliability of
important links.
• Symmetry design
▫ The symmetric network structure makes the topology clearer and facilitates
service deployment, and protocol design and analysis.
• Determine the number of ports on access switches based on the network scale.
Generally, one port corresponds to one terminal or one network access point (for
example, AP).
• Select switches based on the port rates of terminals' network adapters.
• Calculate the number of access switches. Number of access switches required =
Number of access ports/Downlink port density of an access switch. If the
calculation result is greater than 1, aggregation switches need to be deployed.
Otherwise, use the single-layer architecture.
• Select aggregation switches based on the uplink port rates of access switches.
• Calculate the number of uplinks of an access switch using either of the following
methods:
▫ Based on the network bandwidth: Number of uplinks = Network
bandwidth/Uplink port rate of an access switch
▫ Based on the network scale: Number of uplinks = Number of access ports x
Access port rate x Bandwidth oversubscription ratio/Uplink port rate of an
access switch
• Calculate the number of aggregation switches. Number of aggregation switches
required = Number of uplinks of access switches/Downlink port density of an
aggregation switch. If the number is greater than 1, select the three-layer
architecture. Otherwise, use the two-layer architecture.
• In the preceding calculations, the calculation results need to be rounded up.
• To simplify O&M, the stacking core networking is recommended. If the customer
is sensitive to service interruption, the dual-core networking is recommended.
• 2-Layer networking on large and medium-sized campus networks typically uses

stacking core networking.
• Service VLAN:
▫ You can assign VLANs by logical area, geographical area, personnel
structure, or service type.
▫ If different users have the same multicast data service, you are advised to
plan a multicast VLAN and bind the user VLANs to the multicast VLAN. By
doing this, the uplink gateway does not copy multicast data in multiple user
VLANs.
▫ VLAN 1 is not recommended as the service VLAN.
• Management VLAN:
▫ It is recommended that the management VLAN be planned for a Layer 2
switch and the VLANIF interface of the management VLAN be used as the
management interface. The NMS uses this interface to manage the switch.
It is recommended that all Layer 2 switches use the same management
VLAN.
▫ It is recommended that service interfaces be used as management
interfaces on Layer 3 devices (gateways or higher-level devices), and no
management VLAN needs to be planned.
• Interconnection VLAN:
▫ An interconnection VLAN is usually configured between two Layer 3
switches or between a Layer 3 switch and a router. VLANIF interfaces are
created for Layer 3 interconnection.
• IP address planning should comply with the following guidelines:
▫ Uniqueness: Each host on an IP network must have a unique IP address.
▫ Contiguousness: Node addresses of the same service must be contiguous to
facilitate route planning and summarization, reducing the size of the
routing table and speeding up route calculation and convergence.
▫ Scalability: IP addresses need to be reserved at each layer. When the
network is expanded, no address segments or routes need to be added.
▫ Easy maintenance: Device and service address segments need to be clearly
distinguished from each other, facilitating subsequent statistics monitoring
and security protection based on address segments. IP addresses can be
planned based on VLANs.
• Pay attention to the following points when designing the three types of IP
addresses:
▫ Service IP address: Considering the scope of a broadcast domain and easy
planning, it is recommended that an IP address segment with a 24-bit mask
be reserved for each service. If the number of service terminals exceeds 200,
another IP address segment with a 24-bit mask is reserved.
▫ Management IP address: It is recommended that a Layer 3 device use a
Layer 3 interface for management and deployment. The interface address is
used as the management IP address for local login and interworking with
the controller.
▫ Interconnection IP address: Interconnection IP addresses are usually
aggregated before being advertised. Therefore, allocate contiguous and
aggregatable IP addresses as interconnection IP addresses.
• It is recommended that the DHCP service for network deployment be provided by
core switches. For details, see the network deployment slide.
• The routing design includes internal and egress route design of a campus
network.
• Internal route design: Enable communication between devices and terminals on
the campus network, as well as communication between the internal network
and external networks. It is recommended that internal routes be designed based
on the gateway location.
▫ If gateways are deployed at the aggregation layer, routes need to be
deployed at the core and aggregation layers. Routing tables can be
dynamically updated along with network topology changes, so an Interior
Gateway Protocol (IGP), such as Open Shortest Path First (OSPF), is
recommended.
▫ If gateways are deployed at the core layer, you only need to configure
routes at the core layer. It is recommended that static routes be used
preferentially.
• Egress route design:
▫ Meet requirements of internal terminals for accessing the Internet and
WAN.
▫ A large and medium-sized campus network usually has a large number of
branches. The egress needs to support multiple links for Internet access and
mutual communication between enterprise branches. For this purpose, a
large number of routes need to be imported to the campus network.
Therefore, you are advised to plan a dynamic routing protocol such as
OSPF.
• Typically, egress and core devices on large- and medium-sized campus networks
are centrally deployed in a core equipment room. Services transmitted on these
devices are complex and their locations on the network are important. In most
cases, network engineers need to commission devices onsite during the
deployment. Therefore, you are advised to use web system or CLI to deploy
devices at the core layer and upper layers (including core devices, independent
WACs in off-path mode, and egress devices).
• A large number of devices (including aggregation devices, access devices, and

APs) are deployed downstream from the core layer, and service configurations
are similar. Therefore, plug-and-play deployment is recommended to simplify
deployment.
▫ You are advised to use the DHCP option mode to achieve plug-and-play
deployment
▫ In DHCP Option-based plug-and-play deployment, the IP addresses and

DHCP Options (IP address of iMaster NCE-Campus configured using Option
148 and IP address of the WAC configured using Option 43) required by
devices are configured on the DHCP server. After a device goes online, it
automatically obtains the management IP address and DHCP Option from
the DHCP server, and then automatically registers with iMaster NCE-
Campus. The switches downstream from the core layer register with
iMaster NCE-Campus through DHCP Option 148, and APs register with the
WAC through DHCP Option 43.
• The network administrator first deploys the DHCP server and configures Option
148 parameters. The network administrator enters the mode type (cloud mode),
controller domain name or address, and port number into the parameters. After
obtaining such information through DHCP, network devices can automatically
register with the controller.
▫ The core switch at a tenant's site can function as the DHCP server. The
administrator can configure the DHCP server function and Option 148
parameters on the controller. If possible, a third-party DHCP server can also
be used.
▫ After a network device at a site starts, it obtains parameters such as the IP

address through DHCP and obtains parameters such as the running mode,
controller IP address, and port number through Option 148. The device
automatically restarts, switches to the cloud mode, and applies for an IP
address again. After the device in cloud mode obtains an IP address, it
automatically sends a registration request to the controller.
• In the Huawei's CloudCampus Solution, a DHCP server helps implement plug-
and-play deployment of switches, removing the need to manually enable
NETCONF and configure iMaster NCE-Campus's address information.
▫ An unconfigured switch starts and sends a request packet containing VLAN
1 to the DHCP server.
▫ A user-defined VLAN can be used by the device to initiate a DHCP request.
This VLAN is called PnP VLAN.
• In this example, assume that non-VLAN1 is used as the PnP VLAN. You need to
configure the PnP VLAN on the core switch or configure the PnP VLAN on the
iMaster NCE-Campus after the core switch registers and is managed by the
iMaster NCE-Campus. In this mode, bring devices online first and then determine
the network topology.
▫ During network deployment, the administrator uses the preceding methods
to deploy and bring devices online. If there are aggregated links between
the devices, the redundant links will be blocked by STP because link
aggregation has not been configured when the devices are installed and
brought online. After the devices go online and register with the controller,
the administrator checks the topology and deploys link aggregation and
service configurations on the controller.
• This deployment process is applicable to scenarios where the installation
operations are scattered.
• Note:
▫ Link Layer Discovery Protocol (LLDP)
▫ Network Configuration Protocol (NETCONF)
▫ Plug-and-play (PnP)
• This deployment process is applicable to scenarios where the installation
operations are centralized. The administrator is advised to plan the network first
and then onboard devices. If the network cannot be planned in advance, the
administrator can onboard devices and then determine the network topology.
• Plan the network first, then bring devices online:
▫ During network deployment, the administrator enters device ESNs and

specifies stack members and aggregated links on the controller to complete
network topology planning.
▫ Alternatively, the administrator can import the preceding planning

information in batches using a template. Using a template to import data
in batches simplifies operations and is therefore recommended.
▫ The administrator then uses the preceding methods to deploy and bring
devices online.
▫ After devices go online and register with the controller, the controller
automatically checks whether the actual topology of the devices is the
same as the planned one. If cables are incorrectly connected during
installation, the controller immediately notifies the administrator.
• The following network resources need to be planned for underlay automation:
▫ Network scope for the fabric: Devices are connected through VLANIF
interfaces at Layer 3. Each interconnection link is assigned a VLAN.
▫ IP addresses of the VLANIF interfaces for device interconnection: Devices

are automatically assigned interconnection IP addresses with 30-bit masks.
▫ Device loopback addresses: Each device is automatically assigned the IP

address of Loopback 0 with a 32-bit mask. This IP address serves as the
OSPF route ID and VTEP address.
• Fabric service resource planning:
▫ In the resource model design for the fabric, network service resources are
created on the border node so that service terminals on the campus
network can access service resources in the network management zone,
such as the DHCP server and NAC server.
▫ You can create multiple network service resources, or add addresses for
accessing network service resources to a network service resource model.
▫ If only a few service resources in the network management zone need to be

accessed, you are advised to plan these resources in the same network
service resource model. This saves interconnection VLAN and IP address
resources and simplifies route configuration on the network management
zone side.
• Fabric access management:
▫ Configuring access management for the fabric is to configure

authentication control points and plan access point resources for VN
creation.
▫ Wired access point resources refer to switch interfaces connected to

terminals, and wireless access point resources refer to SSIDs connected to
terminals.
• Application scenarios of the two-layer networking:
▫ This mode applies to small-scale networks with a small number of access

users.
▫ This mode applies to scenarios where access users are densely distributed.
For example, all access users are located on the same floor of the same
building.
• Application scenarios of the three-layer networking:
▫ This mode applies to large-scale networks with a large number of access

users (a large number of access switches).
▫ This mode applies to scenarios where access users are sparsely distributed.
For example, all access users are located in different buildings. Therefore,
traffic of each building can be centralized through aggregation switches,
and traffic of different buildings can be centralized through core switches in
the core equipment room.
• It is recommended that core devices be used as border nodes. Access or
aggregation devices can be used as edge nodes, and you are advised to use
access devices as edge nodes.
• You are advised to configure BGP EVPN route reflectors (RRs) on the VXLAN
network. After RRs are configured, BGP peer relationships only need to be
established between edge and border nodes.
▫ If no RR is configured, BGP peer relationships need to be established

between edge nodes, and between edge and border nodes. The
configuration is complex and many BGP connections consume CPU
resources.
• Both border and edge nodes can function as RRs. It is recommended that border
nodes be used as RRs because they have the strongest processing capability.
• Note: Ethernet Network Processor (ENP)

• All terminal data inside a campus network is forwarded through VXLAN tunnels.
When the campus network needs to communicate with an external network, the
data must pass through the border node. For example, a campus network
communicates with an external network such as the Internet, DC, or another
branch through the border node.
• The L3 shared egress mode is applicable to the scenario where firewalls do not
need to perform security detection on virtual networks (VNs) and traffic of all
VNs is transmitted in the same security zone. The L3 exclusive egress mode is
suitable for the scenario where firewalls need to perform security detection on
VNs and traffic of all VNs is transmitted in multiple security zones. The L2 shared
egress mode applies to the scenario where the user gateway must be located
outside the fabric, and the border node and egress firewalls are connected at
Layer 2.
• In L3 shared egress mode, the campus network shares the same VPN-Instance
(VRF) to access an external network, and static routes or dynamic BGP routes can
be used between the border node and egress firewalls.
▫ Static route design: A border node learns global internal routes. The default
route points to an egress firewall. A VPN-Instance on the border node is
configured with a static default route that points to the public interface
connected to the egress firewall. If there are multiple egress firewalls, you
can deploy association between Network Quality Analysis (NQA) or
Bidirectional Forwarding Detection (BFD) and static routes for switching.
▫ BGP route design: A border node establishes a BGP connection with a
firewall, summarizes user routes in VPN-Instances, and re-advertises the
summarized routes to the BGP.
• VN design:
▫ VNs are generally divided based on services on a campus network. An

independent service is assigned a VN, and VNs are isolated from each other
by default. For example, on a campus network, services such as guest,
teaching, IoT, and video surveillance services, each is assigned to an
independent VN.
• Policy design:
▫ You are advised not to deploy a VN to meet isolation requirements caused

by user role differences. This is because VNs are isolated by default and
require additional configurations for interworking. It is recommended that
these isolation requirements be implemented using policy control
technologies (such as free mobility).
• VN access design:
▫ Service data enters different VNs according to the VLAN to which the user
belongs from a physical network through an edge node. Therefore, during
network design, you need to plan the mappings between VLANs of physical
networks and BDs of VNs, and configure VLANs for wired and wireless
users.
• Dynamically authorized VLAN mode:
▫ Authorized user VLANs of wired users can be either directly delivered or
delivered through policy association to corresponding interfaces of access
switches.
▫ A service VLAN is configured for the SSID of a wireless user, but the service
VLAN does not take effect. After the user is authenticated successfully, an
authorized VLAN is delivered to the user and takes effect.
• Static VLAN mode:
▫ A static VLAN is configured for wired users on an interface of an access
switch.
▫ A static service VLAN is configured for wireless users on an SSID.
• Application scenarios:
▫ The static VLAN mode applies when terminals access the VLAN at fixed
locations and do not need to be authenticated. This access mode is more
secure but lacks flexibility. When the locations of terminals change, you
need to perform the configuration again.
▫ The dynamically authorized VLAN mode applies when terminals access the
VLAN anywhere and need to be authenticated based on the VLAN
information delivered during user authentication. This access mode is
flexible and the configuration does not need to be changed when the
locations of terminals change. Dynamic access is more automated, easy to
manage and use, and is recommended.
• Inter-VN communication can be implemented through a border node or an
external gateway.
▫ Through a border node: If two VNs belong to the same security zone and
have low security control requirements, devices on the two VNs can directly
communicate with each other through a border node. In addition,
permission control can be implemented based on the free mobility policy.
To implement communication between VNs, the border node needs to
import the network segment routes that can be reachable between devices
on the VNs.
▫ Through an external gateway: If two VNs belong to different security zones

and have high security control requirements, it is recommended that
devices on the two VNs communicate through an external gateway (a
firewall) and that a security zone policy be configured on the firewall for
permission control.
• The design objective of the network admission control solution is to solve the
user authentication and policy control issues of user networks. This solution uses
the user organization structure and account information to implement classified
user authentication and policy control.
• If 802.1X or MAC address authentication (Layer 2 authentication technologies) is
used, the authentication point must be on the same network segment as the user
host. It is recommended that the access device function as the authentication
point and policy enforcement point.
▫ If the access device supports transparent transmission of 802.1X packets,

you are advised to deploy policy association. The gateway functions as the
authentication point and policy control point, and the access device
functions as the policy enforcement point to simplify policy deployment.
• If Portal authentication is used, the authentication point can be deployed

anywhere as long as it is routable to the user host. Layer 2 Portal authentication
is recommended.
• Hybrid authentication mode is applicable to scenarios where one port is used for
access of multiple types of users. For example, if a PC is connected upstream to
an IP phone, you can configure hybrid authentication (MAC address
authentication + 802.1X authentication). In this way, the IP phone uses MAC
address authentication, and the PC uses 802.1X authentication.
• On large and medium-sized campus networks, access terminals include smart
terminals (such as PCs and mobile phones) and dumb terminals (such as IP
phones, printers, and IP cameras). Currently, terminal management on campus
networks faces the following challenges:
▫ The network management system (NMS) can only display the IP and MAC
addresses of access terminals, but cannot identify the specific terminal type.
As a result, the NMS cannot provide refined management for network
terminals.
▫ Network service configurations and policies vary according to the terminal
type. Consequently, administrators need to manually configure different
services and policies for each type of service terminals, complicating service
deployment and operations.
• To address these challenges, Huawei provides the automatic terminal
identification and policy delivery solution, which delivers the following functions:
▫ iMaster NCE-Campus can display the network-wide terminal types and
operating systems, for example, dumb terminals including printers, IP
cameras, smart all-in-one cards, and access control systems. iMaster NCE-
Campus can also collect statistics and display traffic by terminal type.
▫ Administrators do not need to manually configure different services and
policies for different types of dumb terminals such as IP phones, printers,
and IP cameras on the campus network. iMaster NCE-Campus can
automatically identify terminals and deliver the corresponding access
policies and service configurations to them.
• When a terminal accesses the network, the network device connected to it can
collect information about the terminal and report the information to iMaster
NCE-Campus or iMaster NCE-Campus automatically scans terminal information.
Then, iMaster NCE-Campus automatically identifies the type, operating system,
and vendor of the terminal.
• Passive fingerprint-based identification: Network devices collect fingerprints of
terminal packets and report the fingerprints to iMaster NCE-Campus for terminal
type identification.
• Proactive scanning and identification: iMaster NCE-Campus proactively detects or

scans terminals, and identifies terminal types based on feedback information
from the terminals.
• On this slide, "general scenarios" refer to authentication, non-authentication, and
dynamic/static IP address assignment scenarios.
• In non-authentication scenarios, iMaster NCE-Campus can display information

about wired terminals only after the ARP snooping function is enabled on access
devices.
• It is recommended that admission and authorization policies be automatically
delivered to dumb terminals (such as printers, IP phones, and IP cameras) based
on terminal types. This helps implement automatic service provisioning and plug-
and-play for dumb terminals.
• On a large or medium-sized campus network, the WLAN typically uses the "WAC
+ Fit AP" networking architecture. Depending on the location of the WAC, two
WAC deployment modes are available: in-path and off-path. When a native WAC
(integrated on a switch) is used, only the in-path deployment mode can be
adopted. When a standalone WAC is used, the two deployment modes are both
supported (off-path mode recommended).
• In new deployment scenarios or synchronous wired and wireless network
reconstruction scenarios, the native WAC is recommended and the tunnel
forwarding mode is preferred for APs.
• Experience rate: perceived data rate under a light network load
▫ Target rate that can be achieved in 95% of areas according to SpeedTest on

a light-loaded network where the channel utilization is less than 20%. The
rate is typically considered as the peak rate.
• Endurance rate: guaranteed rate under a heavy network load
▫ Target rate that can be achieved in 90% of time according to SpeedTest in

a multi-user concurrency scenario where the network load is less than 80%.
The rate is typically considered as the guaranteed rate.
• 2.4G@HT20 indicates that the 2.4 GHz frequency band uses 20 MHz bandwidth,
and 5G@HT40 indicates that the 5 GHz frequency band uses 40 MHz bandwidth.


• If the coverage distance is greater than 20 m, the spacing between 5G antennas

is 4 m, and that between 2.4G antennas is 16 m (2.4G@HT20; 5G@HT40).

a light-loaded network where the channel utilization is less than 20%.


a light-loaded network where the channel utilization is less than 20%.





• C
• BCF
• Network cloudification
▫ Cloud computing has completely changed the production mode of

enterprises over the past decade. A large number of services are deployed
and operating on the cloud, enabling enterprises to quickly launch new
services. Thanks to the evolution of the cloud architecture, enterprises can
focus on services without the need to pay too much attention to the IT
architecture construction.
▫ As the pipe, the most important part in the cloud-pipe-device architecture,

the network plays a decisive role in user experience. To support service
cloudification, enterprises need to create a ubiquitous, intelligent,
controllable, and on-demand network. The traditional network architecture
cannot adapt to cloud transformation. The network needs to be more a
service than a solution, which is not only the business value brought by
network cloudification to enterprises but the trend of network
cloudification.
▫ Network cloudification is an important method to build service-based

networks. With IaaS, enterprises no longer need to repeatedly construct
infrastructure. Similarly, with network cloudification, enterprises simply
need to consider the functions a network needs to provide and no longer
need to care about the architecture, location, or function implementation of
networks. In this way, enterprises can fully focus on services.
• Huawei CloudCampus Solution migrates local network management to the
cloud, and implements automated and centralized management of multiple
branches based on the Internet. In addition, this solution enables campus
networks to support cloud features such as multi-tenancy, ultra large scale, and
elastic scalability, and to provide data collection and analysis capabilities that
cannot be provided by traditional networks. In addition, the solution can restrict
the overall traffic of access users, the traffic of a certain application, and the
uniform resource locators (URLs) accessible to users.
• Plug-and-play network devices improve deployment efficiency
▫ iMaster NCE-Campus centrally delivers configurations of multiple sites,
reducing onsite configuration and commissioning workload and improving
deployment efficiency. The network is plug-and-play and able to be
expanded on demand, requiring low cost for upgrades.
• Cloud-based centralized O&M simplifies multi-site O&M
▫ iMaster NCE-Campus centrally manages scattered campus branches on the
cloud through the Internet, and integrates multiple automation tools for
troubleshooting, monitoring, and other management operations, so as to
implement remote automated O&M.
• Open APIs accelerate business application integration
▫ With open APIs and big data analytics capabilities, iMaster NCE-Campus
can interconnect with multiple management systems to achieve unified
network management. It is also able to provide diversified value-added
applications to lead enterprises into digital transformation.
• Small and medium-sized campus networks are small in scale and are sensitive to
CAPEX and OPEX. Therefore, the public cloud management mode is
recommended for such networks. In this mode, Huawei or MSPs provide SaaS
services to manage the networks.
• The public cloud management mode can be Huawei public cloud management
mode or MSP-owned cloud management mode. The two modes are essentially
the same. The only difference lies in the operational entity and the provider that
offers cloud management services. Unless otherwise specified, the Huawei public
cloud management mode is used as an example in the following slides.
• Huawei CloudCampus Solution for small and medium-sized campus networks
uses cloud computing technology to implement automatic and centralized
network management, and provides data collection and analysis capabilities that
are unavailable on traditional networks, so as to achieve network (LAN/WLAN)
as a service (NaaS).
• There are three layers in the architecture of Huawei CloudCampus Solution for
small and medium-sized campus networks: multi-tenant network, iMaster NCE-
Campus, and value-added SaaS platform.
• Multi-tenant network: It consists of hundreds of network devices, including APs,
switches, firewalls, and ARs, and is deployed at the customer side to provide user
access.
• Cloud management platform: iMaster NCE-Campus — an SDN controller — is
the core component of the CloudCampus Solution. It is also a cloud-based
network management, O&M, and control system. In addition to basic
management and configuration for cloud-based devices, remote O&M and
monitoring, and user admission control, iMaster NCE-Campus can implement
various value-added services based on the big data platform. iMaster NCE-
CampusInsight is an intelligent network analysis engine and provides intelligent
O&M services for user networks. It integrates AI to the O&M.
• Value-added SaaS platform: iMaster NCE-Campus provides open interfaces to
interconnect with other service systems (such as the big data platform) to offer
tenants a variety of value-added application services, such as customer flow
analysis, business portal push, electronic shelf label (ESL), asset management,
and medical IoT.
• The roadmap of designing the architecture of Huawei CloudCampus Solution for
small and medium-sized campus networks is as follows:
▫ Construct a cloud campus communication network that features unified

bearing, on-demand definition, and elastic scaling. Then determine the
networking solution of the multi-tenant network based on user
requirements and application scenarios, and conduct the network design
according to the actual service requirements of users, including the physical
network design, basic network service design, WLAN service design, and
user access control design.
▫ After the network design is complete, use a centralized cloud management

system to implement automatic management and intelligent analysis of the
network with automated deployment and intelligent O&M features. In
addition, to meet requirements of basic network attributes such as security,
reliability, and openness, the design in network security and interconnection
with other value-added platforms must also be considered.
• Before designing a networking solution, obtain the following information:
▫ Scale of the customer's network, including the area to be covered by the

network and the number of terminals to be supported on the network. This
information helps determine the number of APs to be deployed.
▫ The customer's security requirements, for example, whether the customer

needs advanced security features and whether the egress gateway devices
need to work in dual-system hot standby mode. This information helps
select egress device models.
• The CloudCampus Solution supports rights- and domain-based management.
▫ In rights- and domain-based management, rights are assigned to users

based on roles, responsibilities, and managed domains so as to properly
control the rights and scope of the operations to be performed. This
reduces the possibility of causing service security issues out of
misoperations and unauthorized operations. If rights and domains are not
divided or are divided improperly, O&M efficiency will be adversely affected,
and users may even operate NEs beyond their managed domains or
perform unauthorized operations, causing service interruptions.
▫ After rights- and domain-based management is implemented, the platform,

MSP, and tenant cannot implement functions of other organizations or
levels without authorization. Super administrators of a certain level can
only manage organizations at this level, and cannot operate organizations
at other levels. For example, the platform super administrator cannot
perform operations of the MSP system administrator. The MSP super
administrator cannot perform operations of the tenant super administrator
or system administrator.
• Access device selection
▫ PoE-capable switches need to be selected based on the number of
connected APs.
▫ The number of APs connected to a PoE switch depends on the power
provided by the PoE switch. The power of an AP ranges from 10 W to 20 W,
and the power provided by a single power module of a PoE switch is more
than 300 W. Therefore, you need to select a PoE switch with a proper
power module based on the AP model.
▫ In multi-room building scenarios such as hotels and dormitories, central APs
are used to provide PoE access and management for RUs. RUs provide
WLAN capabilities.
• Networking design
▫ For large-scale networks in medium-sized shopping malls, supermarkets,
and primary/secondary education campuses, it is recommended that stack
networking be used at the access layer. If a single device can provide
sufficient access capacity for downstream terminals, the single-device
networking can be used at the access layer. If the upstream devices for
access-layer devices are stacked, it is recommended that Eth-Trunks be
used to connect to such upstream devices.
▫ For a small-scale network, for example, hotels, small and medium-sized
shopping malls and supermarkets, and medium-sized stores, it is
recommended that the single-device networking be used at the access layer
and a single link be used to connect to the upstream device. If more APs
need to be deployed, use the PoE switch to increase the number of APs to
be connected. In small and medium-sized stores where APs need to be
deployed, connect APs directly to egress gateways without access switches.
• iMaster NCE-Campus provides management-side reliability. It is deployed in
highly reliable data centers and the cloud management software provides high
redundancy. Network reliability is the focus of network design.
• Authentication reliability: When the device is connected to the authentication

server, you can consider the bypass policy that is used if the authentication server
is faulty. Currently, there are two types of policies that come into effect after a
fault: those that require no authentication and those that prevent user access
from being affected.
• Network reliability involves link reliability and device reliability:
▫ Reliability of egress links: In most scenarios, there is only one egress link,
and therefore no link redundancy needs to be considered. In scenarios that
need high reliability, more than one egress link needs to be deployed, so
primary and secondary links must be configured.
▫ Reliability of links internal to a campus network: Typically, Eth-Trunk

technology is adopted to ensure link reliability. It is recommended that
inter-device Eth-Trunks be used to ensure link reliability of switch stacks.
▫ Device reliability: Two devices can be deployed as egress gateways in hot

standby mode. LAN switches at the core and aggregation layers can be
stacked for physical device redundancy.
• The registration query center is a public cloud service provided by Huawei on the
Internet and can therefore be considered a cloud platform. It is mainly used to
implement plug-and-play of devices on the user network. During the deployment
configuration of network devices, the most important thing is to register them
with iMaster NCE-Campus and enable them to be managed by iMaster NCE-
Campus. Huawei CloudCampus Solution supports the public cloud deployment
mode and MSP-owned cloud deployment mode. Therefore, multiple iMaster
NCE-Campus instances may exist on the Internet. The problem is which iMaster
NCE-Campus should a device register with after the device is powered on and
connected to the network?
• Huawei has set up a registration center. Users can implement plug-and-play of
network devices through the registration center in the Huawei public cloud or
MSP-owned cloud scenarios. Users need to record information about the network
devices to be managed on iMaster NCE-Campus, including device SNs. iMaster
NCE-Campus synchronizes the information to the Huawei registration center,
which maintains the information. After a user connects a Huawei cloud device to
the network with factory settings, the device obtains an IP address and then
initiates a query request to the registration center. The domain name of the
registration center has been preset on the device before delivery. The domain
name is unique globally. The device initiates resolution requests through DNS
servers in different regions and obtains the addresses of the registration centers
in these regions. Then, the registration center returns information such as the IP
address of the corresponding iMaster NCE-Campus to the device. In this way, the
device can initiate a registration request to the address so it can get managed by
iMaster NCE-Campus.
• VLAN 1 is not recommended as the service VLAN.
• The service IP address is the IP address of a server, host, or gateway. You are
advised to use the same last digit as the gateway address, such as .254. The IP
address range of each service, server, and client must be clearly distinguished.
The IP addresses of each type of service terminals must be contiguous and can be
aggregated. Considering the scope of a broadcast domain and easy planning, it is
recommended that an IP address segment with a 24-bit mask be reserved for
each service. If the number of service terminals exceeds 200, another IP address
segment with a 24-bit mask is reserved.
• Dynamic IP address assignment or static IP address binding can be used for IP
address assignment. On a small or midsize campus network, IP addresses are
assigned based on the following principles:
• IP addresses of WAN interfaces on egress gateways are assigned by the carrier in

static, DHCP, or PPPoE mode. The IP addresses of the egress gateways need to be
obtained from the carrier in advance.
• It is recommended that servers and special terminals (such as clock-in/out

machines, printing servers, and IP video surveillance devices) use statically bound
IP addresses.
• It is recommended that the DHCP server be deployed on the gateway to

dynamically assign IP addresses to user terminals such as PCs and IP phones
using DHCP.
• The routing design for a small or midsize campus network includes design of
internal routes and the routes between the campus egress and the Internet or
WAN devices.
• The internal routing design for the campus network must meet the
communication requirements of devices and terminals on the campus network
and enable interaction with external routes. As the campus network is small in
size, the network structure is simple.
▫ APs: After an AP obtains an IP address through DHCP, a default route is

generated by default.
▫ Switches and gateways: Static routes can be used to meet requirements. No

complex routing protocol needs to be deployed.
• The egress routing design must be able to support Internet and WAN access of
intranet users. When the egress device is connected to the Internet or WAN, you
are advised to configure static routes on the egress device.
• Network planning is important for WLAN project implementation. WLAN
planning consists of the following parts:
▫ Network coverage design: Determine the requirements and principles for

signal coverage.
▫ Network capacity design: Determine the bandwidth requirements of a

single user based on the service model and STA behavior, and then
determine the number of APs based on the AP capability.
▫ AP and switch deployment design: Determine AP deployment positions

based on the deployment principles.
▫ AP channel design: Properly plan channels for APs in neighboring areas to

minimize co-channel and adjacent-channel interference.
▫ AP power supply and cabling design
• This document does not describe the WLAN design from the preceding
dimensions. For details, see the WLAN Design Guide.
https://e.huawei.com/en/material/networking/campusnetwork/5133b49714a04ab
08d5851d0e44e59a1
• Huawei provides an online cloud-based WLAN Planner to guide users through

WLAN network planning in simple steps.
• The core algorithm logic of a cloud AP is the same as that of a traditional WAC:
APs detect and collect radio frequency and interference information about
neighboring APs, and then report the information to the calibration compute
engine. After the computing is complete, the compute engine delivers the
allocated channel and power to each AP.
• When a traditional network and a traditional WAC are deployed, the calibration
compute engine resides on the WAC. When a cloud network is deployed, the
calibration compute engine resides on the leader AP.
• Radio calibration of cloud APs depends on the leader AP (elected) in an AP

group. The number of APs that the leader AP can manage is limited and varies
according to models. For example, AP4050DN-E can manage 50 APs and
AP6050DN can manage 128 APs. If the number of APs exceeds the management
capability of a leader AP, network planning is required. Management VLANs need
to be planned for AP grouping. When there are a large number of APs in a
management VLAN, the APs are automatically divided into multiple groups.
• Radio calibration is performed on WLANs in a continuous area. Therefore, it is

recommended that APs be grouped using a method such as by floor to ensure
that APs in a group are in the same area. This maximizes the calibration effect.
• During scheduled radio calibration, you can enable intelligent radio calibration
and use the analyzer to analyze historical data of the WLAN and predict
interference sources on the network. During network optimization, APs can avoid
possible interference sources on the network in advance to improve the quality of
the entire WLAN.
• During deployment, you are advised to perform manual calibration to

automatically plan the channels and power of APs after the APs are deployed
and go online.
• 802.11r fast roaming supports an enhanced roaming mechanism based on
device-pipe synergy when working with Huawei terminals. This mechanism helps
further reduce the roaming handover delay and packet loss rate. Therefore, you
are advised to enable the mechanism when enabling 802.11r fast roaming.
• Notes:
▫ Wireless roaming is supported only by APs at the same site.
▫ If the Layer 2 roaming domain is large, broadcast packets may be flooded.

You are advised to rate limit broadcast packets on the controller. By
default, the rate limit for broadcast packets is 256 pps.
▫ Each AP supports only 64 Layer 3 roaming STAs. If there are a larger

number of Layer 3 roaming STAs, roaming fails and STAs need to go offline
and then online again.
▫ When a STA roams at Layer 3, its traffic is detoured to the AP that the STA
accesses for the first time or another AP in the same Layer 2 domain as the
AP that the STA accesses for the first time. Therefore, it is recommended
that a large Layer 2 domain be planned for APs at the network ingress to
facilitate traffic detouring and load sharing after Layer 3 roaming.
• Customer flow analysis requires APs to periodically report STA information to
iMaster NCE-Campus. The STA information includes the MAC address, IP address,
access AP, SSID, and signal strength. Therefore, enable the function of reporting
STA locations in the settings of the site where the APs reside on iMaster NCE-
Campus. If using STA information may pose data security threats, disable this
function.
• By default, customer flow analysis is performed by site. To check results of some

devices at the site, mark APs with tags. One AP can be marked with multiple tags
to facilitate result check from different dimensions. For example, in shopping
mall A, an AP at the entrance of store B can be marked with A\B\entrance. AP
check and behavior analysis then can be performed based on such tags.
• Huawei CloudCampus Solution for small and medium-sized networks can be

interconnected with third-party terminal behavior management software to
provide more detail-oriented services such as terminal profiling and behavior
analysis. This solution provides APIs for easy interconnection. Third-party
software can easily adapt to the APIs to provide customer behavior analysis
based on big data for commercial promotion. If necessary, contact Huawei
engineers.
• In the IoT field, Huawei WLAN builds a pipe-based technology platform and
ecosystem to fully leverage IoT partners' advantages, implement multi-network
convergence, and maximize benefits for customers.
▫ Huawei IoT cloud APs provide pipe-layer capabilities, that is, standard Mini
PCIe expansion slots and USB ports for access of IoT card modules, as well
as uplink data channels.
▫ Partners provide access-layer capabilities, that is, IoT card modules that
comply with Huawei interface specifications and connect to Huawei IoT
cloud APs through Mini PCIe ports or USB ports.
▫ Partners provide terminal-layer capabilities, including tags and wristbands,
to interact with IoT cards.
▫ Huawei IoT cloud APs only forward uplink and downlink data of IoT card
modules, but do not process data of specific IoT service protocols.
• Compared with traditional IoT solutions, Huawei Wi-Fi and IoT convergence
solution offers the following advantages:
▫ IoT base stations and APs are deployed on the same site, and the Wi-Fi and
IoT networks are converged, facilitating site planning and power supply
while reducing deployment costs.
▫ APs provide uplink data channels for a unified entry and unified
management, simplifying deployment.
▫ APs provide pipe-layer capabilities, enabling flexibility and scalability.
• Based on the preceding authentication modes:
• Access devices are recommended as authentication points.
• The advantages of using access devices as authentication points are as follows:
▫ Multiple access devices perform user authentication to share the workload

of centralized authentication.
▫ Authentication points are closer to terminals, improving security.
▫ The configuration is simple. If authentication points are deployed at the

upper layer, the following factors must be considered: performance
specifications of the devices acting as authentication points, Layer 2
isolation at the access layer, and configuration for transparent transmission
of 802.1X protocol packets at the access layer.
• The purpose of rate limiting is to prevent some users or applications from
occupying a large amount of bandwidth resources. In this way, other users or
applications can obtain sufficient bandwidth resources, ensuring user experience.
• The security policy is the core function of firewalls. In normal cases, there is no
need to divide many security zones for a small or midsize campus network. To
simplify configuration, you are advised to add WAN-side interfaces to the Untrust
zone and LAN-side interfaces to the Trust zone, and allow inter-zone traffic.
Traditional firewalls block or forward traffic between security zones based on 5-
tuple, including source IP address, destination IP address, source port, destination
port, and protocol type. The security policy of Huawei NGFWs cannot only
replace the packet filtering function but also implement traffic forwarding
control based on users and applications. In addition, it can detect and process
traffic content. Security policies of NGFWs can adapt to modern network
characteristics and meet modern network requirements.
• Wireless Intrusion Detection System (WIDS): WIDS can detect rogue APs, wireless
bridges, STAs, ad-hoc devices, and interfering APs with overlapping channels.
• Wireless Intrusion Prevention System (WIPS): WIPS can disconnect authorized

users from rogue APs and disconnect unauthorized STAs and ad-hoc devices from
the WLAN, defending against rogue devices.
• WIDS is used to detect unauthorized terminals, malicious user attacks, and

wireless network intrusions. WIPS is an extension to WIDS and further protects
enterprise wireless networks. It prevents enterprise networks and users from
authorized access and provides defense against attacks to network systems.
• Concepts related to WIDS and WIPS:
▫ Rogue AP: an unauthorized or malicious AP. A rogue AP can be an AP that

is connected to a network without permission, an unconfigured AP, a
neighbor AP, or an AP manipulated by an attacker.
▫ Rogue client: an unauthorized or malicious client on a network, similar to a

rogue AP.
▫ Rogue wireless bridge: an unauthorized or malicious wireless bridge.
▫ Monitor AP: an AP that scans or listens on wireless channels and attempts

to detect attacks to the wireless network.
▫ Ad hoc mode: working mode of a wireless client. Ad-hoc devices can

directly communicate with each other without the support of any device.
• Based on application scenarios and security requirements, there are two WPA3
modes: WPA3-Enterprise and WPA3-Personal, that is, WPA3-SAE and WPA3-
802.1X.
• WPA2 is still widely used. To enable WPA3-incapable STAs to access a WPA3-

configured network, the Wi-Fi Alliance defines the WPA3 transition mode. That is,
WPA3 and WPA2 can coexist for a period of time in the future. This mode applies
only to WPA3-Personal.
• B. The current switch version does not differentiate the cloud management
mode.
• ABCD
• After VXLAN technology is introduced, multiple virtual networks (VNs) can be
created on one physical network of a campus network. Different VNs are applied
to different services, such as OA, R&D, and IoT.
• iMaster NCE-Campus can centrally manage network-wide devices, and

administrators can perform network configuration on the iMaster NCE-Campus
GUI.
• iMaster NCE-Campus is able to translate the network service configuration intent

of the administrator into device commands and deliver the commands to each
device through NETCONF, realizing "autonomous driving" of the network.
• A VXLAN tunnel is defined by a pair of VTEPs.
• The source VTEP encapsulates packets and sends the encapsulated packets to the
destination VTEP through the VXLAN tunnel. After receiving the encapsulated
packets, the destination VTEP decapsulates the packets.
• Generally, the IP address of a loopback interface on a device is used as the VTEP

address.
• In large and medium-sized campus networks, the virtualization solution is
classified into the centralized gateway solution and distributed gateway solution
based on the user gateway location. You can select a gateway solution when
creating a fabric on iMaster NCE-Campus.
• In the centralized gateway solution, a border node functions as the gateway of

all users, and all inter-subnet traffic is forwarded by the border node. In the
distributed gateway solution, multiple edge nodes function as user gateways, and
inter-subnet traffic is forwarded through these edge nodes.
• EVPN extends BGP to define several types of BGP EVPN routes, which can be
used to transmit VTEP addresses and host information. EVPN is applied to VXLAN
networks to move VTEP discovery and host information learning from the data
plane to the control plane.
• To ensure connectivity between IBGP peers, you need to establish fully-mesh
connections between the IBGP peers. If there are n devices in an AS, n(n-1)/2
IBGP connections need to be established. Configuring a large number of devices
is complicated and needs extensive network and CPU resources. A route reflector
(RR) can be used between IBGP peers to solve this problem.
• The basic concepts related to an RR are as follows:
▫ RR: A BGP device that can reflect the routes learned from an IBGP peer to
other IBGP peers.
▫ Client: An IBGP device whose routes are reflected by the RR to other IBGP
devices. In an AS, clients need to be directly connected to the RR only.
▫ Non-client: An IBGP device that is neither an RR nor a client. In an AS, a

non-client must establish full-mesh connections with the RR and all the
other non-clients.
• Clients in a cluster need to exchange routing information only with the RR in the
same cluster. Therefore, clients need to establish IBGP connections only with the
RR. This reduces the number of IBGP connections in the cluster. After a client
advertises a route to an RR, the RR reflects the route to all other clients.
• Policy association provides a solution to contradiction between policy strengths
and complexity on large campus networks. In the solution, user access policies
are centrally managed on the gateway devices and enforced by gateway and
authentication access devices.
• After policy association is configured, authentication access devices can

transparently transmit BPDUs and report user logoff and user access positions in
real time. In addition, the authentication control device requests authentication
access devices to enforce user access policies, thus controlling user access to the
network.
• On a large or midsize campus network, the virtualization solution can be used to
decouple services from the network, construct a multi-purpose network, and
achieve flexible, fast service deployment without changing the basic network
infrastructure. In this solution, the virtual campus network architecture poses
requirements different from those on traditional network architecture. This slide
illustrates the virtual campus network architecture. The underlay is the physical
network layer, and the overlay is the virtual network layer constructed on top of
the underlay based on VXLAN technology.
• On a fabric network, VXLAN tunnel endpoints (VTEPs) are further divided into
the following roles:
▫ Border: border node of the fabric network. It corresponds to a physical

network device and provides data forwarding between the fabric and
external networks. In most cases, VXLAN-capable core switches function as
border nodes.
▫ Edge: edge node of the fabric network, which corresponds to a physical

network device. User traffic enters the fabric network from the edge node.
Generally, VXLAN-capable access or aggregation switches are used as edge
nodes.
• VXLAN-based large and medium-sized campus networks have complex services.
Therefore, the deployment process is complex. The deployment process provided
in this slide is the general process for your reference.
• The following part of this course focuses on key operations in the deployment
process.
• iMaster NCE-CampusInsight can be deployed independently or integrated with
iMaster NCE-Campus. When iMaster NCE-CampusInsight is deployed
independently, network device functions (such as data reporting) must be
configured on each device using commands. When iMaster NCE-CampusInsight is
integrated with iMaster NCE-Campus, network device configurations can be
automatically delivered by iMaster NCE-Campus. In addition, iMaster NCE-
Campus can work with iMaster NCE-CampusInsight to implement functions such
as path tracing and fault demarcation. It is recommended that iMaster NCE-
CampusInsight be integrated with iMaster NCE-Campus in the CloudCampus
Solution. To prevent the instability of the network between iMaster NCE-
CampusInsight and iMaster NCE-Campus, it is recommended that iMaster NCE-
CampusInsight and iMaster NCE-Campus be deployed at the same location, for
example, in the same data center or equipment room.
• In the virtualization solution for a large or midsize campus network, after the
software (including iMaster NCE-Campus software) is installed on servers, you
need to configure the gateway in the network management zone. During the
configuration, ensure that each network plane of each software server cluster can
communicate. Additionally, ensure that each software component can
communicate with the campus network.
• This slide describes how to configure the gateway in the network management
zone. If the network management zone where the software (including iMaster
NCE-Campus software) is deployed is a data center network, refer to the data
center network solution for the networking on the server side and the gateway
configuration.
• In this example, VLAN 20 and VLAN 30 are used for interconnection between
Switch and Core. The traffic on the management plane is separated from that on
the service plane. Therefore, two independent interconnection VLANs are used.
• On a large or midsize campus network, the WLAN typically adopts the "WAC +
Fit AP" architecture, under which Fit APs are centrally managed and configured
by the WAC. After the WAC is managed by iMaster NCE-Campus, you can switch
to the web system of the WAC from iMaster NCE-Campus to manage Fit APs.
• To facilitate device management and improve service deployment efficiency, add
devices on the same network of a tenant to the same site.
• You can create sites on iMaster NCE-Campus for unified O&M management. Two
methods are available to create sites:
▫ Create sites one by one: You can create sites one by one when a small
number of sites need to be added.
▫ Create sites in a batch: You can create sites in a batch when a large number
of sites need to be added. Cloud sites cannot be created in a batch.
• Customer pain points: In traditional network deployment, engineers need to
commission network devices one by one onsite, resulting in heavy configuration
workload and low efficiency.
• This case demonstrates the plug-and-play feature of network devices in the

CloudCampus Solution. The DHCP option solution is used to implement plug-
and-play of switches. In this case, the DHCP service and related parameters must
be configured on the AR in advance.
• In this step, switches on the campus network can be directly deployed using
factory settings and get managed by iMaster NCE-Campus, greatly reducing the
configuration workload.
• Parameters in the fabric global resource pool:
▫ VLAN: Configure a service VLAN pool when you need to configure VLANs
for interconnection with external gateways and network service resources,
management VLANs for policy association, and access VLANs for virtual
network access.
▫ Loopback interface IP address: Configure a loopback interface IP address

pool when underlay automation is enabled. Loopback interface IP addresses
are used as the VTEP IP addresses of a VXLAN tunnel.
▫ BD: On a VXLAN network, VNIs can be mapped to BDs in 1:1 mode so that
a BD can function as a VXLAN network entity to transmit traffic.
▫ VNI: A VNI is similar to a VLAN ID and identifies a VXLAN.

• When configuring a fabric, you can enable network domain orchestration to
implement automatic deployment of the underlay network. In this way, the
VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes required
for establishing a fabric with BGP EVPN are automatically provisioned,
implementing automatic configuration of the underlay network. iMaster NCE-
Campus automatically allocates resources from the resource pool to devices.
• Underlay automation resource parameters:
▫ Interconnection VLAN: Configure an interconnection VLAN resource pool for

interconnection between devices that participate in automatic routing
orchestration of the underlay network in a fabric.
▫ Interconnection IP address: Configure an interconnection IP address

resource pool for interconnection between devices that participate in
automatic routing orchestration of the underlay network in a fabric.
• A fabric consists of a group of interconnected core, aggregation, and access
devices, and provides undifferentiated access capabilities. On a fabric, an access
device allows access of different network services, reducing costs and improving
network device efficiency.
• A virtualized campus network uses overlay virtualization technologies (such as

VXLAN) to support multiple virtual networks on the same fabric and allow for
flexible service deployment.
• The networking type specifies the fabric deployment mode:
▫ Centralized: The gateway in a fabric is a centralized gateway. Traffic

accessing external networks and intranet passes through the centralized
gateway. In this case, only the border node can function as the centralized
gateway.
▫ Distributed: Gateways in a fabric are distributed gateways. Traffic accessing

external networks and intranet passes through different distributed
gateways. In this case, both border nodes and edge nodes can function as
distributed gateways.
• In this step, add devices to the desired fabric and define device roles.
• Role: Specify the roles of devices on the fabric, including the border node, edge
node, and extended node. By default, the role of a device is an extended node.
• Automatic routing domain configuration: After this function is enabled, the
underlay network is automatically configured. You can specify sites for automatic
routing domain configuration and specify OSPF route parameters. Currently, the
following parameters are supported:
▫ Area: In a single-area OSPF network, all devices belong to OSPF area 0. In a
multi-area OSPF network, border nodes belong to OSPF area 0, and each
edge node and its connected border node belong to the same area.
▫ Network type: You can specify the OSPF network type to broadcast, p2mp,
or p2p.
▫ Encryption: You can set the encryption mode between adjacent devices to
hmac-sha256, md5, or none.
▫ Key: It refers to the authentication key ID used for ciphertext authentication
on an interface, and must be consistent with that of the peer device. The
value is an integer in the range from 1 to 255.
▫ Password: It specifies the ciphertext authentication key. The value is a string
of 1 to 255 characters and cannot contain spaces.
▫ Confirm password: You need to enter the ciphertext authentication key
again for confirmation.
▫ OSPF GR: You can enable OSPF GR.
• AS number: You can specify the BGP AS number used on a fabric network.
• After this step is complete, a fabric is successfully created based on the physical
network, and the underlay network configuration (such as interconnection
between network devices and OSPF configuration) is automatically completed by
iMaster NCE-Campus, laying a foundation for creating VNs.
• In this step, create user network segments for the VN. Network segments can be
manually created one by one by the network administrator or created in a batch
through automatic allocation.
• This step specifies the wired access port and wireless access points of the VN.
• A security group is a collection of communication objects on a network. Security
groups can be authorized to users based on 5W1H conditions. Users who meet
the 5W1H conditions can be authorized to the specified security groups.
Alternatively, security groups can be defined by statically binding IP addresses.
Security group-based authorization is delivered through Huawei proprietary
RADIUS attributes (26-160).
• The priority of a member dynamically authorized a security group is higher than

that of a member statically bound to a security group. For example, if a user at
IP1 is statically bound to security group 1 and a RADIUS server authorizes the
user to security group 2, the device adds the user to security group 2.
• By default, the unknown and any groups are supported. Unauthenticated users or
resources are added to the unknown group. The any group is generally used to
configure default rules for any users or resources. The any group can only be
used as the destination group, not as the source group.
• After security groups and resource groups are defined, tenant administrators can
define inter-group network-wide access control policies based on the security
groups and resource groups. The inter-group control policies are presented in a
policy matrix. After the policy matrix is defined, tenant administrators can
configure policies for controlling access from the source security group to the
destination security group or resource group based on the policy matrix.
• An inter-group control policy controls access between groups. When multiple

policies are configured to control access between a source security group and
multiple destination security groups, the sequence in which these policies are
matched can be determined based on the policy priority. For example, if a
destination security group is a resource group where the destination IP addresses
of the resources may be the same, you need to manually adjust the priority of a
specific policy to ensure that this policy is matched first.
• You can configure an authentication rule to authenticate clients and users that
access the network, ensuring network security.
• iMaster NCE-Campus has a default authentication rule named default. If this rule
applies, users are authenticated using the local data source by default. You can
modify the default rule to configure user authentication based on a third-party
data source.
• You can configure the permission set, traffic rate limiting policy, and filtering
policy obtained after end users pass authentication in an authorization result
when configuring Portal authentication, 802.1X authentication, or MAC address
authentication. Configuring authorization results is applicable to the scenario
where authentication points reside on firewalls, ARs, APs, switches, or WACs, and
can be performed for specific user groups.
• iMaster NCE-Campus provides two default authorization results: Permit Access

and Deny Access. Once selected, the default authorization result takes effect for
all sites and cannot be modified or deleted.
• When authorizing a user who passes the authentication, the system matches the
user against an authorization rule and grants specific permissions to the user
based on the matching rule.
• iMaster NCE-Campus provides a default authorization rule named default, whose

authorization result is Deny Access. The default authorization rule can be
modified.
• After an end user passes authentication, the authorization result specifies the
rights of the end user. If the authorization rule is met, the end user matches the
authorization policy. The authorization result takes effect for the end user that
matches the authorization rule. If no authorization rule is set, the authorization
result is applicable to all authenticated end users.
• Portal authentication involves four main components: user client, authentication
control point, Portal server, and authentication server.
▫ User client: a host that has a browser running the HTTP/HTTPS protocol
installed.
▫ Authentication control point: a network device that supports Portal

authentication.
▫ Portal server: provides free web portal services and authentication GUI for
user clients and exchanges authentication information of user clients with
access devices.
▫ Authentication server (usually a RADIUS server): carries out authentication,

authorization, and accounting on users.
• Create sites one by one: You can create sites one by one when a small number of
sites need to be added. Create sites in a batch: You can create sites in a batch
when a large number of sites need to be added.
• ABCD
• In deployment design, the following items need to be considered for network
planning: administrator roles, sites, physical networks, deployment modes, basic
services, WLAN services, and network admission control.
• The design and planning of small and medium-sized campus networks involve
multiple aspects. For example, the LAN-side networking solution design, network
design, QoS design, security design, and O&M management design.
• This document describes only WLAN network planning. For details about other
contents, see the HCIE-WLAN certification course CloudCampus Solution for
Small and Medium-Sized Campus Networks.
• Huawei provides WLAN Planner, a cloud-based network planning tool. You can
use this tool to easily complete WLAN planning, obtain the AP deployment plan,
and import the network planning result to iMaster NCE-Campus.
• WLAN Planner: https://serviceturbo-cloud-

cn.huawei.com/serviceturbocloud/dist/#/toolsummary?entityId=d59de9ac-e4ef-
409e-bbdc-eff3d0346b42
• The network planning results can be imported from WLAN Planner to iMaster
NCE-Campus.
• iMaster NCE-Campus product documentation:
https://support.huawei.com/enterprise/en/network-management-and-analysis-
software/imaster-nce-campus-pid-250852420/doc
• iMaster NCE-CampusInsight installation guide:
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100154773&lang=en
• This section describes how to install an AP. For details about how to install other
devices, see the product documentation.
• General requirements on the distance between antennas for anti-interference

deployment in indoor installation scenarios:
▫ Distance between antennas > 7 m
▫ Distance from 4G antennas of the carrier > 5 m
▫ Keep antennas away from electronic equipment that may cause signal
interference, such as microwave ovens.
• For a device with a built-in antenna, the requirements on the distance between
devices are the same as the preceding requirements.
• A wall for installing the device needs to meet the following requirements:
▫ The wall can bear the weight of four times the total weight of the device
and mounting bracket without damage. When the total weight of the
device and mounting bracket is less than 1.25 kg, the load-bearing
capability of the wall must be greater than or equal to 5 kg.
▫ When the tightening torque of a screw reaches 3.5 N•m, the screw still
properly works, without crack or damage on the wall.
• Mounting brackets and expansion screws are required to install the AP on a wall.
The procedures are as follows:
▫ Attach the mounting bracket against the wall and adjust its position
properly. Mark positions of the mounting holes with a marker.
▫ Use a 6 mm drill bit to drill 35 mm to 40 mm deep holes in the marked
positions. Hammer the expansion tubes into the holes until the expansion
tubes are completely embedded into the wall.
▫ Fix the mounting bracket to the wall, and use a Phillips screwdriver to
fasten three expansion screws into the expansion tubes.
▫ Connect and properly route the cables.
▫ Fasten the AP according to the figure. When you hear a click, the AP is
secured to the lock position.
• After the device is installed, ensure that the ejector lever springs back in place.
Ensure that the installation space meets the specified requirements to facilitate
future maintenance.
• In a scenario with heavy vibrations, tighten the AP to the mounting bracket using
M3x12 screws with a torque of 0.5 N•m. This prevents the AP from falling off due
to vibrations. In normal scenarios, you do not need to install these screws.
• With certain IT capabilities, a tenant administrator can deploy and maintain a
campus network. This scenario is called tenant-managed construction and
maintenance. The tenant administrator is the main implementer, and the MSP
administrator only provides simple deployment assistance. The tenant
administrator can apply to the MSP for the managed construction and
maintenance services. After being authorized, the MSP constructs and maintains
the campus network for the tenant. This scenario is called MSP-managed
construction and maintenance, in which the MSP administrator is the main
implementer.
• In this document, the deployment roadmap and process in each networking

scenario are described based on the tenant-managed construction and
maintenance scenario. Tenant administrators are the main network
implementers. In the MSP-managed construction and maintenance scenario, MSP
administrators are the main network implementers and perform the same tasks
as another role.
• A site usually corresponds to the headquarters or a branch. A site is a general
term for networks and network users, and is also a basic unit for managing small
and medium-sized campus networks. To facilitate device management and
improve service deployment efficiency, add devices on the same network of a
tenant to the same site.
• To facilitate device management and improve service deployment efficiency, add
devices on the same network of a tenant to the same site.
• You can create sites on iMaster NCE-Campus for unified O&M management. Two
methods are available to create sites:
▫ Create sites one by one: You can create sites one by one when a small
number of sites need to be added.
▫ Create sites in a batch: You can create sites in a batch when a large number
of sites need to be added. Cloud sites cannot be created in a batch.
• On iMaster NCE-Campus, you can create a site by cloning an existing site to

reduce repeated configurations.
• In addition to the deployment function, the CloudCampus APP also provides the
Wi-Fi experience test, speed test, and video test.
• Network Address Translation (NAT) is a technology that translates the private
(reserved) address into a valid IP address. Typically, NAT is used to translate
private addresses in IPv4 packet headers to public addresses, so that multiple
users on a private network can use a few public addresses to access the Internet.
In this manner, NAT resolves public IPv4 address shortage caused by Internet
scale enlargement.
• On a small or medium-sized campus network, only the egress gateway has a

public IP address. When users on the campus network need to access the
Internet, NAT is mandatory on the egress gateway. Therefore, you need to enable
NAT on the egress gateway on iMaster NCE-Campus.
▫ Typically, an AR or firewall functions as the egress gateway on a small or

medium-sized campus network.
▫ In a single-AP networking scenario, you need to set Network connection

mode to NAT in the SSID configuration of the AP.
• Calibration mode suggestion:
▫ During deployment, perform a manual radio calibration to automatically

plan the channels and power of APs after APs are deployed and go online.
▫ When the network is running properly, the scheduled mode is

recommended to periodically calibrate the network during off-peak hours
to minimize the impact on services.
• Security policies are control rules that consist of matching conditions (such as
quintuples, users, and time ranges) and actions. After receiving traffic, the
firewall identifies traffic attributes (such as quintuples, users, and time ranges),
and matches the traffic attributes against the matching conditions of security
policies. If all the conditions of a security policy are met, the traffic matches the
policy. The firewall takes the action defined in the matched security policy for the
traffic.
• With this function, enterprises can conveniently customize their own Portal pages
so as to launch VASs such as brand promotion and advertisement push. You can
customize the Portal page in the following ways:
▫ Customization based on a built-in template
▪ By this way, you only need to set a few parameters to customize a
Portal page. For example, you can set the page text, language, page
push protocol, and background image.
▪ The language that the Portal page uses can only be Chinese or
English. If you need to design a Portal page in another language,
customize a Portal page based on a user-defined template.
▪ You can customize a built-in template using any of the following
methods: Method 1: Slightly modify a Portal page based on a built-in
template. Method 2: Create a Portal page based on a built-in
template. Method 3: Upload a Portal page customized based on a
built-in template.
▫ Customization based on a user-defined template
▪ By this way, you can set more parameters. For example, you can
customize a Portal page in more languages, design the page layout,
and configure the content and text layout.
▪ By default, the system supports templates in four languages: Chinese,
English, German, and Spanish. In a language template, you can
configure the content to be displayed on a Portal page by language
and page.
• Check the cloud managed device health, network health, and STA packet loss
rate.
▫ Cloud managed device health score = (1 – Number of abnormal

devices/Total number of devices) x 100
▫ Network health score (Wi-Fi)/Radio health score = (1 – Number of

abnormal radios/Total number of radios) x 100
▫ Network health score (WAN) = Average quality of all links at a site (SLQM:
site link quality monitor) x 10
• You can view basic device information, including the device name, version
number, patch version, model, public IP address, vendor, registration time,
description, online time, MAC address, last offline time, ESN, SSH proxy tunnel,
southbound IP address, and performance data reporting interface.
• You can monitor interface data.
• You can view device login and logout logs.
• You can view the device location on a map.
• You can perform ping/self-ping, trace, and virtual cable test (VCT) operations to
test network connectivity.
• You can manage device files.
• You can check the CPU usage and memory usage of the device.
• You can view the alarm information generated by the device.

• You can view key WLAN indicators in a region, including top AP statistics, top
region statistics, access user trends, AP information, and SSID information.
• ABC
• AP troubleshooting is performed based on the AP onboarding process. Therefore,
WLAN engineers must be familiar with the CAPWAP tunnel establishment
process.
• The preceding configurations can be implemented in either of the following
ways:
▫ Bind the AAA schemes to the authentication profile.
▫ Bind the AAA schemes to the domain and then bind the domain to the
authentication profile.
• If both the methods are used, the AAA schemes bound to the authentication
profile take effect preferentially. In this case, check the configuration mode of
AAA schemes in the authentication profile and then check whether the AAA
scheme configuration is correct in the corresponding view.
• In the command output:
▫ If the message "Account test succeed" is displayed, the link between the
device and RADIUS server is normal, and the user name and password are
correct.
▫ If the message "User name or password is wrong" is displayed, the link

between the device and RADIUS server is normal, but the user name or
password is incorrect. You need to check the user name and password.
▫ If the message "Account test time out" is displayed, the device and RADIUS
server are unreachable or the RADIUS server template is incorrectly
configured.
• If Portal authentication is triggered when you attempt to access an HTTPS
website, the browser displays a security prompt, requiring you to click Continue
to complete Portal authentication.
• Redirection is not supported if the browser or website runs HTTP Strict Transport
Security (HSTS).
• If the destination port in HTTPS request packets sent by STAs is a non-well-

known port (443), redirection cannot be performed.
• Check the Portal server status on the WAC.
▫ If the Portal server status is Abnormal, check whether the Portal server
supports the detection function and whether the Portal server detection
function is enabled.
▫ If the Portal server supports the detection function, enable the Portal server
detection function.
▫ If the Portal server does not support the detection function, run the
following commands on the WAC to disable the Portal server detection
function:
▪ <WAC> system-view
▪ [WAC] web-auth-server portal
▪ [WAC-web-auth-server-portal] undo server-detect

• If the number of packets does not increase, perform the following operations:
▫ Check whether the Portal server can properly send packets.
▪ Check whether the IP address of the WAC is added to the Portal
server. Assume that the RADIUS server is used as the Portal server. If
the IP address of the WAC is not added to the RADIUS server, a
message will be displayed indicating that the authentication succeeds
after you enter the user name and password on the authentication
page. However, when you access the Internet, you are redirected to
the Portal authentication page again. This occurs because the RADIUS
server did not send a Portal authentication request to the WAC and
you were not successfully authenticated on the WAC. If the IP address
of the WAC is not added to the Portal server, add it to the Portal
server.
▪ Check whether the port numbers for receiving and sending packets on
the Portal server are the same as those configured on the WAC. If
they are different, reconfigure the port numbers on the Portal server,
which should be the same as those on the WAC.
▫ Check whether the value of the Packer error number field increases. If so,
the request packets received from the Portal server are incorrect. To fix this
problem, perform the following operations:
▪ Check whether the shared key configured on the Portal server is the
same as that configured on the WAC. If they are different, run the
following commands on the WAC to modify the shared key.
▫ Check whether the source IP address of the request packets sent by the
Portal server is the same as the server IP address configured on the WAC. If
not, run the following commands on the WAC to change the server IP
address.
• Check whether the AP's channel utilization is normal.
▫ All STAs on a WLAN share and compete for bandwidth resources. If there
are a large number of STAs or many broadcast and multicast packets
(these packets are sent at a low rate and consume many air interface
resources) on the WLAN, STAs may preempt channels of each other. As a
result, the channel utilization is high, the WLAN is unstable, the ping packet
delay is long, and packet loss occurs.
• If the buffer queue of the AP's Wi-Fi driver module is congested, the buffer queue
is occupied by some STAs. For example, when a STA has weak signals or leaves
the Wi-Fi coverage area, packets sent to the STA cannot be sent out and are
blocked in the buffer queue of the AP.
• Check the packet sending queue of the AP's Wi-Fi driver module using the display
wifi txq-buf radio radio-id command.
• If the buffer queue of the AP Wi-Fi driver module is congested, the buffer queue
is occupied by some STAs. For example, when a STA has weak signals or leaves
the Wi-Fi coverage area, packets sent to the STA cannot be sent out and are
blocked in the buffer queue of the AP.
• For an AP that supports only 802.11ac, such as AP5x30xN, check the packet
sending queue of the Wi-Fi driver module of the AP.
▫ In V200R007 and later versions, run the display wifi txq-buf radio radio-id
command.
• For an AP that supports only 802.11n, such as AP6x10xN, check the packet
sending queue of the Wi-Fi driver module of the AP.
▫ In V200R006C20 and later versions, run the display wifi txq-buf radio radio-
id command.
• Configure Layer 2 isolation on the interfaces of the switch or WAC. The WAC is
used as an example.
▫ <WAC> system-view
▫ [WAC] interface GigabitEthernet 0/0/1
▫ [WAC-GigabitEthernet0/0/1] port-isolate enable
▫ [WAC-GigabitEthernet0/0/1] quit
• Configure Layer 2 user isolation in the WAC's traffic profile.
▫ [WAC] wlan
▫ [WAC-wlan-view] traffic-profile name default
▫ [WAC-wlan-traffic-prof-default] user-isolate l2
• Enable rate limiting for broadcast and multicast packets on the switch or WAC.
The WAC is used as an example.
▫ [WAC] interface GigabitEthernet 0/0/1
▫ [WAC-GigabitEthernet0/0/1] broadcast-suppression packets 1000
▫ [WAC-GigabitEthernet0/0/1] multicast-suppression packets 1000

• To ensure that other STAs can access the network, perform the following
operations:
▫ Limit the rate of a single STA based on the network situation.
▪ [WAC-wlan-view] traffic-profile name p1
▪ [WAC-wlan-traffic-prof-p1] rate-limit client up 2000
▪ [WAC-wlan-traffic-prof-p1] rate-limit client down 2000
▫ Enable smart roaming.
▪ [WAC-wlan-view] rrm-profile name wlan-rrm
▪ [WAC-wlan-rrm-prof-wlan-rrm] smart-roam enable //In V200R008

and later versions, smart roaming is enabled by default. If smart
roaming is disabled, run the undo smart-roam disable command to
enable it.
• Increase the rate limit for sending ARP Request packets to the CPU.
▫ <LSW> system-view
▫ [LSW] cpu-defend policy test

//Create an attack defense policy.
▫ [LSW-cpu-defend-policy-test] packet-type arp-request rate-limit 256 wired

//Adjust the rate limit of ARP Request packets.
▫ [LSW-cpu-defend-policy-test] quit
▫ [LSW] cpu-defend-policy test

//Apply the policy.
• Configure attack source tracing.
▫ [LSW] cpu-defend policy test
▫ [LSW-cpu-defend-policy-test] auto-defend protocol arp
▫ [LSW-cpu-defend-policy-test] auto-defend threshold 50

//Set the threshold for attack source tracing to 50 pps. If the threshold is
exceeded, the device considers that an attack occurs.
▫ [LSW-cpu-defend-policy-test] auto-defend action deny timer 60 //After

detecting an attack, the device discards the packets from the STA and adds
the STA to the blacklist for 60 seconds.
▫ [LSW-cpu-defend-policy-test] quit
▫ [LSW] cpu-defend-policy test

//Apply the policy.
• Check whether the STA is far away from the AP's antennas and whether
obstacles exist between them.
• Generally, a distance of more than 50 m between a STA and an AP's antennas

increases signal attenuation. In addition, AP signals attenuate if obstacles exist
between a STA and an AP's antennas.
• If the STA's RSSI is low due to the preceding reasons, you can move the STA
closer to the AP to increase the STA's RSSI. It is recommended that a STA's RSSI
be greater than –65 dBm.
• If both a STA and an AP support 802.11ax, the 160 MHz channel bandwidth can
be configured.
• The channel bandwidth must be supported by the AP. For example, non-802.11ax
APs do not support the 160 MHz channel bandwidth.
• The actual link setup rate of a STA may be lower than the maximum link setup
rate due to interference on the air interface.
• p: permit
• i: interference
• Ch: Channel
• NF: Noise Floor
• CommIf: Common-Channel Interference
• AdjaceIf: Adjacent-Channel Interference
• #AP: Number of APs detected
• The result of the air interface scanning is not displayed during the first query.
Therefore, you need to run this command again.
• When AP radio scanning is enabled using this command, the air interface
performance of the AP is affected. If this command is not executed again within
5 minutes, AP radio scanning is automatically disabled.
• If the parameter radio radio-id is not specified, air interface information about all
radios on the AP is displayed.
• If Receive from fwd is not displayed, the ping request packet is not successfully
sent from the forwarding module to the Wi-Fi module. In this case, there is a
high probability that the fault occurs on the wired side.
• If Receive from fwd is displayed but send to air ok is not displayed, the Wi-Fi
module fails to send the packet to the STA. In this case, the fault occurs on the
wireless side.
• If send to np ok is displayed, the STA has sent the ping response packet, which is
forwarded to the forwarding module. In this case, there is a high probability that
the fault occurs on the wired side.
• If the ping request packet is successfully sent to the STA but send to np ok is not
displayed, the fault occurs on the wireless side.
• SeqNo[xxx]: indicates the sequence number carried in a ping packet. This field
can map the trace action and a specific ping packet.
• Receive from fwd: indicates that the Wi-Fi module receives a ping request packet
sent from the forwarding module destined for the STA.
• send to rt ok: indicates that the Wi-Fi PMAC module successfully sends a ping
request packet to the SMAC module.
• send to air ok: indicates that the Wi-Fi module successfully forwards the ping
request packet to the STA through the air interface.
• send to np ok: indicates that the Wi-Fi module successfully forwards the ping
response packet to the forwarding module for processing and to the wired
network device through the AP's network port.
• send to air fail, reason code: 0: indicates that receiving a response frame times
out and further analysis is required.
• Adjust the transmit power.
▫ [WAC-wlan-view] ap-id 19
▫ [WAC-wlan-ap-19] radio 1
▫ [WAC-wlan-radio-19/1] eirp 20
• Reduce the transmit power based on actual test results while ensuring that the
coverage requirements can be met. You are advised to adjust the transmit power
of surrounding APs at the same time.
• Configure the function of disconnecting low-RSSI STAs.
▫ [WAC-wlan-view] rrm-profile name default
▫ [WAC-wlan-rrm-prof-default] smart-roam enable //In V200R008C10 and
later versions, smart roaming and the function of quickly disconnecting
STAs are enabled by default.
▫ [WAC-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20
• Configure the SNR-based threshold based on actual network coverage conditions.
For example, configure a high threshold in areas where APs are densely
deployed. Otherwise, configure a low threshold.
• Determine whether to disable Layer 3 roaming according to the service
requirements. To enable Layer 3 roaming, run the undo layer3-roam disable
command.
• Non-authentication, MAC address authentication, and SN authentication; MAC
address authentication; In the WLAN view, run the ap auth-mode XXX command
to change the authentication mode.
• Redirection to the Portal URL and access to the Portal page.

• Customer benefits: The transformation is to improve efficiency by using
algorithms. With scenario-based continuous learning and expert experience,
intelligent O&M frees O&M personnel from complex alarms and noises, making
O&M more automatic and intelligent.
• SaaS, software as a service
• IaaS, infrastructure as a service
• Intuitive insights into campus network health based on multi-faceted wired and
wireless network health monitoring, implementing intelligent, simplified campus
network O&M.
• Network health topology as a uniform portal for rapidly handling network and
device problems in local buildings, simplifying network O&M.
• KQI: key quality indicator

• Wireless Network Health Evaluation Model:
▫ Access Experience
▪ Access success rate: Association/Authentication/DHCP success rate.
▪ Access duration: Association/Authentication/DHCP duration.
▫ Roaming Experience
▪ Roaming fulfillment rate: Roaming success rate/Roaming duration.
▫ Throughput Experience
▪ Signal and interference: STA signal strength and interference rate.
▪ Capacity fulfillment rate: Channel utilization/Number of users.
▪ Throughput fulfillment rate: Interference rate/Non-5G-prior access/Air

interface congestion fulfillment rate.
• Wired Network Health Evaluation Model:
▫ Device Environment: Fault of a device, board, fan, power supply, or file

system
▫ Device Capacity: ARP/MAC/FIB entry capacity, ACL resources, storage

capacity
▫ Network status: Intermittent port disconnection, port suspension, optical

module exception
▫ Network performance: Port congestion, queue congestion, port error

packets
• The service topology collects statistics on the status, access, congestion, and error
packet issues, displays the number of clients and traffic volume based on sites,
regions, buildings, and floors. This allows administrators to quickly search for and
view the buildings that users pass by, helping administrators quickly identify
campus network issues.
• In the Service Topology of CampusInsight, you can access WLAN Topology to

view the radio heat map of the network.
• Note: The process of viewing wired user experience visibility is the same as that
of viewing wireless user experience visibility.
• Note: The procedure for locating wired access problems is the same as that for
locating wireless access problems.
• Case:
▫ The O&M personnel check the audio and video session list in the office area
and find that the session quality is poor for a client. After checking the
poor-quality session details, the O&M personnel find that a large number of
packets are lost on the access switch of the client. The correlative analysis
result of access switch port KPIs shows that the port is congested. After the
traffic rate limit is adjusted and the port congestion issue is solved, the
quality of the audio and video session becomes normal.
• Constraints:
▫ This feature is supported only for audio and video applications that use
non-encrypted SIP signaling and are carried by the RTP in the IPv4 scenario.
Huawei IP phones, such as HUAWEI Video Phone 8950, can function as
hard terminals.
▫ Switches of specific models support audio and video service analysis, while
APs of specific models support only audio service analysis. For details, see
HUAWEI Device Support SPEC List in the CampusInsight specification list.
▫ Switches of V200R013C00 or a later version and APs of V200R010C00 or a

later version are supported.
▫ Path analysis is supported only on cloud devices.

• The statistics of the "Number of Clients & Authentication Failure Ratio”:
▫ Noise reduction for abnormal terminals: The authentication failure rate

increases sharply in some time periods. The analysis result shows that the
abnormal terminals initiate a large number of authentication requests, and
the failure rate is 100%. This issue is not caused by network faults, and
noise data needs to be removed. (The client revisit shows that these clients
are new employees and the terminals are not installed with Huawei Wi-Fi
certificate. In this manner, frequent re-authentication causes a large
number of failure events.)
▫ Intelligent identification of issues with a large number of failed clients and

a large failure rate: When the number of wireless access users increases
sharply at 8:00 a.m., the authentication failure rate reaches 70%. (The
RADIUS server cannot respond to authentication requests in a timely
manner due to its limited performance.) This is a typical issue with a large
number of failed clients and a large failure rate, indicating that a group
fault occurs.
▫ Connection failure but not a fault: Due to the instability of wireless client
access (for example, when a client moves or passes through a coverage
hole), the user authentication failure persists in each time segment, but
does not affect user experience. The fault is rectified after the user
automatically accesses the network again.
• In densely populated scenarios such as canteens, offices, waiting rooms, and
cafes, a large number of STAs connect to APs and then leave after a short period
of time. The air interface resources of these APs are occupied by these STAs,
resulting in performance deterioration. In addition, the network access experience
of such STAs is affected due to unnecessary switching of network access modes.
For ease of description, these APs are called edge APs, and STAs that are
temporarily connected and quickly leave are called nomadic STAs. The
CampusInsight can determine whether an AP is an edge AP based on the
network indicator data reported by the AP. In the next AI-Powered Predictive
calibration, the CampusInsight adjusts the AP's transmit power to suppress access
of nomadic STAs and improve the health of AP radios.
• ABCD
• The network evaluation process consists of delivery preparation, network
information collection, network evaluation analysis, and network evaluation
report output.
• Delivery preparation include:
▫ Analyze original user requirements and clarify signal coverage, signal
quality, service experience, etc.
▫ Interview the customer and investigate the issues on the live network.
▫ Formulate the acceptance solution with the customer. Generally, the
acceptance solution is presented as an acceptance report.
• Information to be collected includes:
▫ Obtain written authorization from the customer.
▫ Collect data related to issues reported by the customer.
▫ Collect the configuration and running data of the WAC and access switches
(optional).
▫ Use eDesk to inspect the WAC and access switches.
▫ Test the signal quality and user experience based on the WLAN Service Test
Solution negotiated with the customer, and collect related service test data.
• Network evaluation analysis is an important part of the network evaluation
report. It is recommended that this report include the heat map analysis report,
wireless network performance evaluation, service experience evaluation, wired
network evaluation, and evaluation and optimization suggestions.
• CloudCampus APP, WLAN Planner, and eDesk are Huawei WLAN tools. Related
data can also be collected by other tools.
• The wireless network performance data and service experience test data will be
introduced later.
• Start the CloudCampus APP. Touch Tool, and then touch Acceptance.
• Use the uniportal account to log in to WLAN Planner. Click Settings in the upper
right corner and select the offline or online dotting mode.
• Select a project and enable acceptance items as required.

• In addition to the CloudCampus APP, CampusInsight also provides the coverage
issue analysis function, which has been introduced in other courses.
• Network optimization engineers need to comprehensively analyze the load of
wireless devices based on users' service conditions, bandwidth requirements, and
concurrency requirements, evaluate whether the current network can meet the
requirements of the user access bandwidth and the number of concurrent users,
analyze capacity-related problems such as multi-user access failure and slow
Internet access, and provide optimization suggestions.
• The reference concurrency rate varies depending on scenarios. For details about
the reference concurrency rate in different scenarios, see Scenario-based WLAN
Design series.
• https://support.huawei.com/enterprise/en/doc/EDOC1000133941
• Based on the CloudCampus APP, users can view Wi-Fi interference information,
including the number of SSIDs on the current air interface, strength of
interference signals, and recommended channels.
• Figure 1 shows all SSIDs in the air interface environment (each curve represents
one SSID). You can view the working channel of the local SSID and other SSIDs
working on the current channel.
• Figure 2 shows the strength of interference signals. You can select a frequency
band and check the interference rate of radio signals on each channel to identify
cleaner channels with less interference (recommended channels).
• Use the WLAN Evaluation Report as the input to start the WLAN optimization
process. The WLAN optimization process is classified into different phases: wired
network optimization, WAC optimization, AP optimization, and STA optimization
based on engineering habits. Optimization objects vary in these phases. Finally,
network optimization engineers output the WLAN Optimization Solution.
• In the production environment, there may be other optimization steps, such as

WLAN security optimization to implement different user authentication modes,
user isolation, and traffic rate limiting.
• Design the deployment modes of WACs, switches, and APs based on the network
scale and data traffic. WACs support in-path and off-path deployment modes,
mapping direct forwarding and tunnel forwarding, respectively.
▫ In direct forwarding mode, APs directly connect to wired networks through

VLANs. This mode provides high forwarding performance, but the
configuration is more complex than that in tunnel forwarding mode.
▫ In tunnel forwarding mode, the collected data cannot be decrypted on the

intermediate link, enhancing network security. In terms of connecting to
APs, the WAC in tunnel forwarding mode provides weaker capabilities than
that in direct forwarding mode. In this case, WAC parameters need to be
optimized.
• We will look into parameter optimization configurations and related principles in
chapter Solution Implementation and Acceptance.
• AP positions can be adjusted from the ceiling to the walls.
• The antenna angle is adjusted to face the target coverage area.

• In most cases, do not install APs above ceilings.
• It is recommended that directional antennas be installed at a height of 6 m to 8
m and omnidirectional antennas be installed at a height of 4 m to 6 m in
outdoor scenarios.
• Capacity optimization suggestions:
▫ User rate limiting: The STA rate is limited without compromising user
experience to ensure the network availability of most STAs.
▫ Load balancing: STAs are evenly distributed among multiple APs.
▫ AP capacity expansion: Increase the number of APs.
▫ AP replacement: Replace APs with higher-performing ones.

• Follow these rules for installing APs and antennas:
▫ Antennas must be vertically installed. Ensure that beams provide even

coverage and the main lobe of a directional antenna faces the target
coverage area
▫ Indoor distributed antennas must be installed away from girders and metal
objects to reduce signal attenuation caused by obstacles.
▫ If any 2G/3G indoor distributed systems exist around antennas, a higher

isolation between the systems is needed. The distances between WLAN
antennas and carriers' 2G/3G antennas must be greater than 2 m.
▫ The overlapping areas of AP antennas should be as small as possible to

reduce the multi-path interference of signals from the same AP and the co-
channel and adjacent-channel interference between APs.
▫ In indoor deployment scenarios, APs or antennas should be installed inside

rooms to enhance coverage and reduce interference on other coverage
areas.
▫ When indoor settled APs are densely deployed in an open scenario, AP

coverage should be controlled using obstacles such as walls and pillars to
reduce co-channel and adjacent-channel interference between APs. In
addition, the APs should be installed more than 5 m apart.
▫ For a teaching building or dormitory with single-sided rooms, wideband

directional ceiling-mounted antennas can be deployed to minimize signal
loss, reduce interference on non-target areas, and enhance coverage in the
target areas.
• Configuration precautions:
▫ Global radio calibration is implemented on all APs.
▫ Radio calibration is not applicable to scenarios where APs cannot detect

each other, for example, APs use directional antennas, are far from each
other, or have obstacles between them.
▫ Radio calibration is not applicable to high-density, WDS/mesh backhaul, rail

transportation, or external directional antenna scenarios.
▫ After functions that depend on channel scanning, such as radio calibration,

smart roaming, and WIDS, are configured, if radio channel switching is
triggered during channel scanning, the service data delay increases at the
channel switching moment, which may affect wireless service experience.
• The following intervals for sending Beacon frames are recommended for APs
with different VAP quantities on a single radio:
▫ ≤ 4 VAPs: about 100 to 150 TUs
▫ 5–8 VAPs: about 200 TUs

• After the rate of Beacon and Probe Response frames increases, the AP coverage
range decreases. This configuration is recommended only in high-density
scenarios to improve effective bandwidth while reducing inter-AP interference. A
rate higher than 11 Mbit/s is not recommended. If a rate other than 802.11b
rates (1, 2, 5.5, and 11 Mbps) is configured, STAs that support only 802.11b
cannot discover the network.
• The 5 GHz frequency band supports a minimum rate of 6 Mbps and has many
channels. Therefore, this parameter is not adjusted on the 5 GHz frequency band.
• The RTS/CTS mechanism brings extra overheads during packet transmission. If
the value is too small, the overall air interface throughput is affected. You can
adjust the value based on the actual effect.
• If mutual access between LANs is required, do not enable Layer 2 isolation.
• After the real-time accounting function is configured, the device sends real-time
accounting packets to the accounting server at intervals. After receiving the real-
time accounting packets, the accounting server charges the user. If the device
detects that the paid user goes offline, it stops sending real-time accounting
packets and the accounting server stops accounting. The accounting result is
precise.
• WLAN optimization involves a series of tasks, including wireless network
requirement survey, network evaluation, and optimization implementation. These
tasks are performed by WLAN optimization engineers to resolve problems such
as poor wireless service experience, high O&M costs, and difficult fault locating.
WLAN optimization consists of information collection, WLAN evaluation, and
WLAN optimization solution design.
• ABCD
• What are the differences between WLAN planning in indoor scenarios and that in
outdoor scenarios?
▫ In indoor scenarios, only the indoor building floor plan is required. In
outdoor scenarios, in addition to the floor plan, coordinates are required.
▫ In indoor scenarios, you can easily test signal attenuation. In outdoor
scenarios, if obstacles are too large, you need to circumvent obstacles or
estimate the obstacle height to raise the antenna positions.
▫ In outdoor scenarios, more factors need to be considered, including power
supply, cable routing, waterproof design, surge protection, dustproof design,
and antenna selection.
• What factors need to be considered during channel planning? Why?
▫ Interference: Avoid co-channel and adjacent-channel interference, and use
recommended channels such as 1, 5, 9, 13, and 149 to 165. In addition, pay
attention to local laws and regulations, which determine legitimate
channels in a country. For example, in China, channel 36 cannot be used on
the outdoor 5 GHz frequency band but can be used on the indoor 5 GHz
frequency band.
▫ Frequency bandwidth: The frequency bandwidth can typically be set to 20
MHz, 40 MHz, 80 MHz, or 160 MHz. Requirements on frequency bandwidth
vary depending on scenarios.
▫ Power: The power is usually planned together with channels. High power
may lead to unnecessary interference.
• During the onsite interference survey, record the height, frequency band,
frequency bandwidth, power, and direction of interference sources to reduce
interference during AP deployment.

HCIE-WLAN V1.0 Training Material

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HCIE-WLAN V1.0 Training Material

Uploaded by

Copyright:

Available Formats

• WAN authentication bypass typically applies to HQ-branch networks where

branch networks connect to the HQ network through the WAN. In traditional

▫ Management plane: This plane focuses on the security of application and

▫ Wi-Fi access service for daily office work.

▫ Built-in Bluetooth module, supporting RFID and ZigBee to expand IoT

▫ Integrated Wi-Fi and IoT access network management, simplifying O&M.

• Unified management, reducing network construction costs.

▫ IoT and Wi-Fi services share the same backhaul network.

▫ Only one physical site needs to be managed and maintained.

▫ Positioning engine: calculates the obtained initial positioning information,

▫ iMaster NCE: manages, configures, and maintains network devices.

▫ GIS/Map platform: provides map information to the positioning engine.

▫ The AP can serve as a standard iBeacon to broadcast signals.

▫ The AP transparently transmits positioning packets through a PCIe card.

• Terminal layer: accommodates various terminals to be located.

▫ Proactive issue identification: proactively identifies 85% of potential

▫ Intelligent fault prediction: uses AI to learn historical data and dynamically

• Intelligent Network Optimization.

▫ Real-time simulation feedback: evaluates channel conflicts on wireless

▫ Plug-and-play and automatic deployment of devices greatly reduce network

▫ Cloud management solutions usually provide various tools on the cloud,

• Demilitarized zone (DMZ): serves as a buffer zone between an insecure system

▫ DHCP deployment mode: The Navi AC functions as a DHCP server to assign

▫ Guest service data forwarding mode: Data is centralized to the Navi AC

▫ Open system authentication is used by default, and no PSK is used.

▫ The management SSID can only be hidden but cannot be deleted. A

▫ The management SSID is used only for AP management. STAs associating

▫ When a new AP is deployed, the AP can automatically connect to the

▫ When an AP leaves from a wireless mesh network, the network can

▫ RANN frame: This frame is used to announce the presence of an MPP.

▪ An MPP periodically broadcasts a RANN frame.

▫ WAC: deployed on the ground network to manage and control trackside

• Depending on the use of vehicle-mounted APs, vehicle-ground fast link handover

▫ The vehicle-mounted AP in the rear of a moving train does not need to

▫ The vehicle-mounted AP in the front of a moving train does not need to

▫ To enable vehicle-ground communication, a vehicle-mounted AP sets up

▫ If the RSSI of a mesh link is smaller than N (N = Minimum RSSI threshold

• Serving time of the current active link ≥ link holding time:

• Multicast data guarantee

▫ Vehicle-mounted multimedia devices on a moving train deliver multimedia

▫ Mesh functions are not supported by the following models: AP7060DN,

▫ The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios

▫ After the mesh configuration is complete, APs can connect to a WAC

▫ Configure network connectivity and enable the AP (MPP) in AP1 to go

▫ The ingress PE receives an X protocol packet from the interface connected

▫ The ingress PE adds an IP header to the packet because the transport

▫ The decapsulation process is opposite to the encapsulation process.

▫ After the Keepalive detection function is enabled on the source end of a

▫ The Keepalive detection function takes effect on one end of a tunnel,

▫ The user-side physical Ethernet interface GE0/0/2 on WAC1 receives an

▫ Tunnel0/0/1 on WAC2 decapsulates the received packet using GRE. When

▫ After the decapsulated Ethernet packet reaches VE0/0/1 of WAC2, WAC2

▫ WAC2 sends the Ethernet packet to Network_2 through the outbound

• Anti-replay: The receiver rejects old or duplicate data packets to prevent

▫ AH provides data origin authentication, data integrity check, and anti-

▫ ESP provides encryption, data origin authentication, data integrity check, as

• Security functions provided by AH and ESP depend on authentication and

▫ ESP can only encrypt IP packets using symmetric encryption algorithms,

• An IPsec SA is established in manual or IKE auto-negotiation mode. The two

▫ SA lifetime: In manual mode, an SA exists permanently. In IKE auto-

• AP roles on a mesh network:

▫ MPP: an MP that connects a WMN to other types of networks. An MPP has

▫ Neighboring MP: an MP that directly communicates with another MP or

▫ Candidate MP: a neighboring MP with which an MP prepares to establish a