100% found this document useful (3 votes)

2K views

AC6605 - Configuration Web-Based

Manual Huawei Controller AC6605 WEB

Uploaded by

ulissesmoragas

100% found this document useful (3 votes)

2K views

AC6605 - Configuration Web-Based

Manual Huawei Controller AC6605 WEB

Uploaded by

ulissesmoragas

You are on page 1/ 1325

Huawei Access Controllers

V200R007C10

Web Platform Configuration Guide

Issue 06
Date 2017-01-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 06 (2017-01-20) Huawei Proprietary and Confidential i

About This Document

Intended Audience
This document describes how to configure and maintain your device using the web platform.

This document is intended for:

l Data configuration engineers

l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation

which, if not avoided, will result in death or
serious injury.

Indicates a potentially hazardous situation

which, if not avoided, could result in death
or serious injury.

Indicates a potentially hazardous situation

which, if not avoided, may result in minor
or moderate injury.

Indicates a potentially hazardous situation

which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential ii

Symbol Description

NOTE Calls attention to important information,

best practices and tips.
NOTE is used to address information not
related to personal injury, equipment
damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n

times.

# A line starting with the # sign is comments.

Model Declaration for Carriers Outside China

This document is provided to both enterprise and carrier users. Table 1 lists WLAN product
models supported for carriers outside China.

Table 1 WLAN product models for carriers outside China

Software Version Product Model

V200R007C10 AC6005

Issue 06 (2017-01-20) Huawei Proprietary and Confidential iii

Software Version Product Model

AC6605

AP2030DN

AP2050DN

AP2050DN-E

AP4030DN

AP4050DN-E

AP4130DN

AP5030DN

AP5130DN

AP6050DN

AP6150DN

AP6510DN-AGN

AP7050DE

AP7050DN-E

AP8030DN

AP8130DN

AD9430DN-12

AD9430DN-24

R230D

R240D

R250D

R250D-E

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 06 (2017-01-20) V200R007C10

This version has the following updates:

The following information is modified:

Issue 06 (2017-01-20) Huawei Proprietary and Confidential iv

l 3 Monitoring
The following information is deleted:
l Delete V200R007C00.

Changes in Issue 05 (2016-12-26) V200R007(C00&C10)

This version has the following updates:
The following information is modified:
l Inter-AC Roaming
l AP Info
l External Portal Server
l PKI Domain
l Reliability Config
l HSB Config
l Radio Calibration

Changes in Issue 04 (2016-11-22) V200R007(C00&C10)

This version has the following updates:
The following information is modified:
l 7.1.4 Traffic Profile
l Layer 2 ACL Settings
l Historical Alarm & Event
l External Portal Server
l RADIUS
l 4.6 Reliability Config
l 6.1.9 Administrator
The following information is added:
l Inter-AC Roaming
l Layer 2 ACL Settings

Changes in Issue 03 (2016-10-13) V200R007(C00&C10)

This version has the following updates:
The following information is modified:
l 4.1.1 AC
l Service Scheme
l RADIUS
l HWTACACS
l 7.1.1 VAP Profile
l 7.3.3 AP Wired Port Profile
l 7.3.2 AP System Profile

Issue 06 (2017-01-20) Huawei Proprietary and Confidential v

The following information is added:

l MLD Snooping
l 4.5.5 Multicast
l IGMP Snooping
l VRRP6 List
l 6.1.8 Alarm & Event
l Active Alarm
l Historical Alarm & Event

Changes in Issue 02 (2016-07-22) V200R007C00

This version has the following updates:
The following information is modified:
l Radio Calibration
l 7.3.2 AP System Profile
l 6.1.9 Administrator
The following information is added:
l 7.1.29 IPS Profile
l 7.1.28 URL Filtering Profile
l 7.1.30 Antivirus Profile
l 7.1.27 Attack Defense Profile
l 6.1.6 Signature DB
l 4.4.7 Attack Defense

Changes in Issue 01 (2016-05-31) V200R007C00

Initial commercial release.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential vi

Contents

About This Document.....................................................................................................................ii

1 Obtaining Technical Support......................................................................................................1
2 Getting Started............................................................................................................................... 2
2.1 Functions........................................................................................................................................................................ 3
2.2 Configuring Web Platform Login Parameters................................................................................................................ 3
2.2.1 Web Platform Overview.............................................................................................................................................. 3
2.2.2 Accessing the CLI....................................................................................................................................................... 4
2.2.3 Configuring an IP Address for Web Platform Login...................................................................................................5
2.2.4 (Optional) Uploading the Web System File Through FTP.......................................................................................... 6
2.2.5 (Optional) Uploading the Web System File Through SFTP........................................................................................8
2.2.6 (Optional) Loading the Web System File.................................................................................................................. 10
2.2.7 (Optional) Creating User Accounts for the Web Platform.........................................................................................11
2.2.8 (Optional) Configuring an HTTPS Server.................................................................................................................11
2.2.9 Logging In to the Web Platform................................................................................................................................ 12
2.3 Switching to the CLI Through the Web Platform.........................................................................................................13
2.4 Precautions for Using the Web Platform...................................................................................................................... 14
2.5 Web Page Description...................................................................................................................................................15
2.6 Help and Version of the Web Platform......................................................................................................................... 16
2.7 Common Web Platform Buttons...................................................................................................................................17

3 Monitoring.................................................................................................................................... 18
3.1 Summary.......................................................................................................................................................................19
3.2 AC.................................................................................................................................................................................21
3.2.1 AC..............................................................................................................................................................................21
3.2.2 Roaming STA Quantity............................................................................................................................................. 22
3.2.3 Interface Traffic Statistics Collection........................................................................................................................ 22
3.3 User...............................................................................................................................................................................23
3.3.1 User Statistics............................................................................................................................................................ 24
3.3.2 User Distribution....................................................................................................................................................... 26
3.3.3 Dynamic Blacklist..................................................................................................................................................... 27
3.4 Radio.............................................................................................................................................................................28
3.5 AP................................................................................................................................................................................. 31
3.5.1 AP Statistics Collection............................................................................................................................................. 31

Issue 06 (2017-01-20) Huawei Proprietary and Confidential vii

3.5.2 AP Wired Interface Statistics Collection................................................................................................................... 34

3.6 SSID..............................................................................................................................................................................35
3.6.1 SSID...........................................................................................................................................................................35
3.6.2 VAP............................................................................................................................................................................36
3.7 Mesh&WDS................................................................................................................................................................. 37
3.7.1 Mesh Link Information..............................................................................................................................................37
3.7.2 WDS Network Bridge Information........................................................................................................................... 38
3.8 Potential Risk................................................................................................................................................................39
3.9 WIDS............................................................................................................................................................................ 42
3.10 Spectrum Analysis...................................................................................................................................................... 47

4 Configuration............................................................................................................................... 52
4.1 Fast Config................................................................................................................................................................... 53
4.1.1 AC..............................................................................................................................................................................53
4.1.2 AP.............................................................................................................................................................................. 59
4.1.3 Mesh.......................................................................................................................................................................... 66
4.2 AC Config.....................................................................................................................................................................71
4.2.1 Basic Config.............................................................................................................................................................. 71
4.2.2 VLAN........................................................................................................................................................................ 79
4.2.3 Interface..................................................................................................................................................................... 85
4.2.4 IP................................................................................................................................................................................93
4.3 AP Config................................................................................................................................................................... 115
4.3.1 AP Group................................................................................................................................................................. 115
4.3.2 AP Config................................................................................................................................................................ 121
4.3.3 Profile...................................................................................................................................................................... 131
4.4 Security....................................................................................................................................................................... 131
4.4.1 AAA.........................................................................................................................................................................131
4.4.2 User Group.............................................................................................................................................................. 154
4.4.3 ACL......................................................................................................................................................................... 159
4.4.4 SSL.......................................................................................................................................................................... 174
4.4.5 PKI...........................................................................................................................................................................177
4.4.6 Security Defense......................................................................................................................................................183
4.4.7 Attack Defense........................................................................................................................................................ 184
4.5 Other Services.............................................................................................................................................................185
4.5.1 Bonjour Gateway..................................................................................................................................................... 185
4.5.2 SAC......................................................................................................................................................................... 188
4.5.3 VPN......................................................................................................................................................................... 191
4.5.4 STP.......................................................................................................................................................................... 205
4.5.5 Multicast.................................................................................................................................................................. 218
4.5.6 BLE..........................................................................................................................................................................226
4.6 Reliability Config....................................................................................................................................................... 228
4.6.1 Reliability Config.................................................................................................................................................... 228

5 Diagnosis.....................................................................................................................................243

Issue 06 (2017-01-20) Huawei Proprietary and Confidential viii

5.1 Intelligent Diagnosis...................................................................................................................................................244

5.2 Diagnosis Tool............................................................................................................................................................ 246
5.2.1 One-click Information Collection............................................................................................................................246
5.2.2 Wireless Packet Obtaining.......................................................................................................................................247
5.2.3 Ping.......................................................................................................................................................................... 250
5.2.4 Trace Route..............................................................................................................................................................251
5.2.5 AAA Test................................................................................................................................................................. 252
5.2.6 RF-Ping....................................................................................................................................................................252
5.2.7 AP-Ping................................................................................................................................................................... 253

6 Maintenance............................................................................................................................... 255
6.1 AC Maintenance......................................................................................................................................................... 256
6.1.1 Basic........................................................................................................................................................................ 256
6.1.2 AC Restart............................................................................................................................................................... 257
6.1.3 AC Upgrade............................................................................................................................................................. 257
6.1.4 Patch........................................................................................................................................................................ 258
6.1.5 License.....................................................................................................................................................................259
6.1.6 Signature DB........................................................................................................................................................... 261
6.1.7 Log...........................................................................................................................................................................262
6.1.8 Alarm & Event.........................................................................................................................................................267
6.1.9 Administrator...........................................................................................................................................................272
6.1.10 System................................................................................................................................................................... 277
6.1.11 Electronic Label.....................................................................................................................................................283
6.1.12 SNMP.................................................................................................................................................................... 284
6.2 AP Maintenance......................................................................................................................................................... 291
6.2.1 AP Upgrade............................................................................................................................................................. 291
6.2.2 AP Restart................................................................................................................................................................295
6.2.3 Log...........................................................................................................................................................................296
6.2.4 Account....................................................................................................................................................................298

7 Profile...........................................................................................................................................301
7.1 Wireless Service......................................................................................................................................................... 302
7.1.1 VAP Profile..............................................................................................................................................................302
7.1.2 SSID Profile.............................................................................................................................................................306
7.1.3 Security Profile........................................................................................................................................................ 312
7.1.4 Traffic Profile.......................................................................................................................................................... 315
7.1.5 802.1X Profile......................................................................................................................................................... 321
7.1.6 Portal Profile............................................................................................................................................................323
7.1.7 MAC Authentication Profile................................................................................................................................... 325
7.1.8 Authentication-free Rule Profile............................................................................................................................. 327
7.1.9 Authentication Scheme............................................................................................................................................329
7.1.10 Authorization Scheme........................................................................................................................................... 331
7.1.11 Accounting Scheme............................................................................................................................................... 334
7.1.12 Authentication Profile............................................................................................................................................336

Issue 06 (2017-01-20) Huawei Proprietary and Confidential ix

7.1.13 STA Blacklist Profile............................................................................................................................................. 337

7.1.14 STA Whitelist Profile............................................................................................................................................ 339
7.1.15 SAC Profile............................................................................................................................................................341
7.1.16 Soft GRE Profile....................................................................................................................................................344
7.1.17 UCC Profile........................................................................................................................................................... 345
7.1.18 Cellular Network Profile....................................................................................................................................... 347
7.1.19 Roaming Consortium Profile.................................................................................................................................349
7.1.20 NAI Realm Profile.................................................................................................................................................351
7.1.21 Network Connection Capability Profile................................................................................................................ 353
7.1.22 Operator Domain Profile....................................................................................................................................... 355
7.1.23 Operator Name Profile...........................................................................................................................................357
7.1.24 Venue Name Profile...............................................................................................................................................359
7.1.25 Operating Class Profile..........................................................................................................................................360
7.1.26 Hotspot2.0 Profile..................................................................................................................................................361
7.1.27 Attack Defense Profile...........................................................................................................................................363
7.1.28 URL Filtering Profile.............................................................................................................................................364
7.1.29 IPS Profile..............................................................................................................................................................367
7.1.30 Antivirus Profile.................................................................................................................................................... 370
7.2 Radio Management.....................................................................................................................................................373
7.2.1 Regulatory Domain Profile......................................................................................................................................373
7.2.2 RRM Profile............................................................................................................................................................ 375
7.2.3 Air Scan Profile....................................................................................................................................................... 379
7.2.4 2G Radio Profile...................................................................................................................................................... 380
7.2.5 5G Radio Profile...................................................................................................................................................... 388
7.3 AP............................................................................................................................................................................... 397
7.3.1 AP Wired Port Link Profile..................................................................................................................................... 397
7.3.2 AP System Profile................................................................................................................................................... 401
7.3.3 AP Wired Port Profile..............................................................................................................................................408
7.4 Mesh........................................................................................................................................................................... 413
7.4.1 Mesh Whitelist Profile.............................................................................................................................................413
7.4.2 Mesh Handover Profile............................................................................................................................................415
7.4.3 Mesh Profile............................................................................................................................................................ 416
7.5 WDS........................................................................................................................................................................... 422
7.5.1 WDS Whitelist Profile.............................................................................................................................................422
7.5.2 WDS Profile............................................................................................................................................................ 424
7.6 WIDS.......................................................................................................................................................................... 426
7.6.1 WIDS Whitelist Profile........................................................................................................................................... 426
7.6.2 WIDS Spoof SSID Profile....................................................................................................................................... 429
7.6.3 WIDS Profile........................................................................................................................................................... 431
7.7 WLAN Location......................................................................................................................................................... 434
7.7.1 WLAN Location Profile.......................................................................................................................................... 434
7.8 Buletooth Location..................................................................................................................................................... 437

Issue 06 (2017-01-20) Huawei Proprietary and Confidential x

7.8.1 BLE Profile..............................................................................................................................................................437

7.9 IoT.............................................................................................................................................................................. 439
7.9.1 Serial Profile............................................................................................................................................................ 439
7.9.2 IoT Profile................................................................................................................................................................441

8 Configuration Examples...........................................................................................................443
8.1 WLAN Common Service Configuration Examples................................................................................................... 444
8.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)................................444
8.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)......... 455
8.1.3 Example for Configuring High-Density WLAN Services...................................................................................... 470
8.1.4 Example for Configuring WLAN Backhaul............................................................................................................490
8.1.5 Example for Configuring Rail Transportation WLAN Services............................................................................. 506
8.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................... 526
8.1.7 Example for Configuring WLAN IoT Services (Infant Protection) .......................................................................535
8.1.8 Example for Configuring WLAN Location (Wi-Fi Terminal Location)................................................................. 545
8.1.9 Example for Configuring Rogue Device Detection and Containment.................................................................... 557
8.2 WLAN Basic Networking Configuration Examples.................................................................................................. 568
8.2.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................... 568
8.2.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...................................................................577
8.2.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..................................................................586
8.2.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode.................................................................595
8.2.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................... 605
8.2.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...................................................................619
8.2.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..................................................................632
8.2.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode.................................................................644
8.2.9 Example for Configuring NAT Traversal Between the AC and APs...................................................................... 655
8.2.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 664
8.2.11 Example for Configuring Common WDS Services...............................................................................................674
8.2.12 Example for Configuring Back-to-Back WDS......................................................................................................690
8.2.13 Example for Configuring Common Mesh Services.............................................................................................. 704
8.2.14 Example for Configuring Dual-MPP Mesh Services............................................................................................ 714
8.3 Authentication Configuration Examples.................................................................................................................... 725
8.3.1 Example for Configuring External Portal Authentication....................................................................................... 725
8.3.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 739
8.3.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 749
8.3.4 Example for Configuring 802.1X Authentication................................................................................................... 764
8.3.5 Example for Configuring MAC Address Authentication........................................................................................775
8.3.6 Example for Configuring MAC Authentication for Local Users............................................................................ 786
8.3.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................794
8.4 Reliability Configuration Examples........................................................................................................................... 807
8.4.1 Example for Configuring Dual-link Backup (Global Configuration Mode)........................................................... 807
8.4.2 Example for Configuring Dual-Link Hot Standby (HSB) for ACs.........................................................................814
8.4.3 Example for Configuring VRRP to Implement AC Hot Standby........................................................................... 823

Issue 06 (2017-01-20) Huawei Proprietary and Confidential xi

8.4.4 Example for Configuring N+1 Backup for ACs in the Same Network Segment....................................................835
8.4.5 Example for Configuring N+1 Backup for ACs in Different Network Segments.................................................. 848
8.5 Roaming Configuration Examples............................................................................................................................. 863
8.5.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 863
8.5.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 875
8.5.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 887
8.5.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 900
8.6 Agile Distributed Networking Configuration Examples............................................................................................ 912
8.6.1 Example for Configuring an Agile Distributed WLAN.......................................................................................... 912
8.7 High-Density Configuration Examples...................................................................................................................... 921
8.7.1 Example for Configuring High-Density WLAN Services...................................................................................... 921
8.8 Example for Configuring Vehicle-Ground Communication...................................................................................... 941
8.8.1 Example for Configuring Vehicle-Ground Fast Link Handover............................................................................. 942
8.9 Radio Resource Management Configuration Examples.............................................................................................962
8.9.1 Example for Configuring Dynamic Load Balancing...............................................................................................962
8.9.2 Example for Configuring Static Load Balancing.................................................................................................... 974
8.9.3 Example for Configuring Band Steering................................................................................................................. 986
8.9.4 Example for Configuring Smart Roaming...............................................................................................................999
8.10 Spectrum Analysis Configuration Examples..........................................................................................................1012
8.10.1 Example for Configuring Spectrum Analysis..................................................................................................... 1012
8.11 WLAN Security Configuration Examples..............................................................................................................1025
8.11.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1025
8.11.2 Example for Configuring Attack Detection.........................................................................................................1035
8.11.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1047
8.12 WLAN Location Configuration Examples.............................................................................................................1057
8.12.1 Example for Configuring AeroScout Tag-based WLAN Location Services.......................................................1057
8.12.2 Example for Configuring AeroScout MU-based WLAN Location Services...................................................... 1066
8.12.3 Example for Configuring Ekahau Tag-based WLAN Location Services............................................................1075
8.12.4 Example for Configuring Wi-Fi Terminal Location Services............................................................................. 1084
8.12.5 Example for Configuring Bluetooth Location Services...................................................................................... 1096
8.12.6 Example for Configuring WLAN Infant Protection Services............................................................................. 1107
8.13 WLAN QoS Configuration Examples.................................................................................................................... 1118
8.13.1 Example for Configuring WMM and Priority Mapping......................................................................................1118
8.13.2 Example for Configuring Traffic Policing...........................................................................................................1133
8.13.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1144
8.13.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1156
8.13.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1169
8.13.6 Example for Configuring Priorities for Lync Packets......................................................................................... 1181
8.14 WLAN Enhanced Services Configuration Examples.............................................................................................1194
8.14.1 Example for Configuring WLAN-based E-schoolbag.........................................................................................1194
8.14.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1211
8.14.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1225

Issue 06 (2017-01-20) Huawei Proprietary and Confidential xii

8.14.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1235
8.14.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1243
8.14.6 Example for Configuring the Soft GRE Service................................................................................................. 1248
8.14.7 Example for Configuring the Bonjour Gateway..................................................................................................1259
8.14.8 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1272
8.14.9 Example for Interconnecting an AC with a Network Management Server.........................................................1282
8.14.10 Example for Configuring Wireless Packet Obtaining....................................................................................... 1293
8.14.11 Example for Configuring an AC as a DHCP Relay Agent................................................................................1302
8.15 Common Misconfigurations................................................................................................................................... 1310
8.15.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs.............................. 1310

Issue 06 (2017-01-20) Huawei Proprietary and Confidential xiii

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 1 Obtaining Technical Support

1 Obtaining Technical Support

If you fail to locate or rectify the faults encountered during maintenance or troubleshooting by
following instructions in this document, use the following methods to obtain technical
support:
l Seek technical support by calling Global Service Hotline.
l Contact the technical support personnel in Huawei local office.
NOTE

For contact information about local offices, visit Huawei technical support website.
l Enterprise technical support website: http://support.huawei.com/enterprise
l Carrier technical support website: http://support.huawei.com
l Query technical documentation on Huawei technical support website.
– Enterprise technical support website: http://support.huawei.com/enterprise
– Carrier technical support website: http://support.huawei.com

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1

2 Getting Started

About This Chapter

2.1 Functions
2.2 Configuring Web Platform Login Parameters
2.3 Switching to the CLI Through the Web Platform
2.4 Precautions for Using the Web Platform
2.5 Web Page Description
2.6 Help and Version of the Web Platform
2.7 Common Web Platform Buttons

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 2

2.1 Functions
This product offers different functions. You can choose the desired function according to
service requirements. Available functions are as follows:

l Monitoring: This function helps you learn the running status of the device and check
device information, including STA access, AP access, radio frequency status, Mesh link
and WDS bridge information, potential risks on the device, and rogue devices.
l Configuration: A full range of device configuration options are provided to allow users
to perform overall device configuration, including AC basic configuration, AP service
configuration, security management, and backup configuration. In addition, quick
configuration is provided for the WLAN basic service and Mesh service.
l Diagnosis: A series of intelligent diagnosis functions and diagnosis tools are provided
for diagnosis when network or device faults are detected.
l Maintenance: This function helps users to perform maintenance operations, such as
restarts and upgrades, patch management, system management, log management, license
management, components' electronic label management, and administrator information
management.

2.2 Configuring Web Platform Login Parameters

2.2.1 Web Platform Overview

To help users to manage and maintain the access controller, the access controller provides a
built-in web server to enable a connected terminal (for example, a PC) to access the web
platform.

Figure 2-1 shows the running environment of the web platform.

Figure 2-1 Running environment of the web platform

NOTE

The preceding figure shows the networking when a user completes initial configurations through the console
port. It is for reference only.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 3

2.2.2 Accessing the CLI

Context
When you use the web platform for the first time, access the CLI to perform initial
configurations. The command lines help complete the required configurations easily and
quickly. This section uses PuTTY as an example to illustrate how to log in to the device
through the console port or STelnet. You can download the PuTTY from http://
www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
Before the device is delivered, HTTP and HTTPS services have been configured on the
device. The port number is 80 for HTTP and 443 for HTTPS. The default user name and
password are respectively admin and [email protected]. You can also log in to the web
platform to perform the initial configurations. For details, see 2.2.9 Logging In to the Web
Platform.

Procedure
l Log in through the console port.
a. Connect the console port of the wireless controller to the COM port of a PC through
console cables.
b. Start PuTTY on the PC.
The PuTTY Configuration dialog box is displayed.
c. Set Connection type to Serial, enter COM1 or COM2 in Serial line based on the
serial port of the PC, and retain default settings for the other parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 4

d. Click Open.

After the connection is complete, enter the login password and press Enter. The
<AC6605> prompt is displayed, indicating that you have logged in to the access
controller. In this case, you can enter commands to configure or manage the access
controller.
l Log in using stelnet.
– Ensuring that the IP address 169.254.1.1 and subnet mask 255.255.0.0 have been
configured on MEth0/0/1 of the AC6605 and the ACU2 before the delivery.
– Ensuring that the IP address 169.254.1.1 and subnet mask 255.255.0.0 have been
configured on VLANIF 1 of the AC6005 before the delivery, and interfaces
GE0/0/1 to GE0/0/8 have been added to VLAN 1 by default.
– Before the device is delivered, the STelnet service has been configured on the
device. The STelnet interface number is 22, and the default user name and password
are respectively admin and [email protected].
a. Configure the PC's IP address and subnet mask. The IP address must be on the
network segment 169.254.0.0/16 but cannot be 169.254.1.1. 169.254.1.100 is
recommended. The subnet mask is 255.255.0.0.
b. Use the network cable to connect the PC's Ethernet port to MEth0/0/1 of the device.
NOTE

l Connect the PC's network interface to MEth0/0/1 of the AC6605 and the ACU2.
l Connect the PC's network interface to any GE interface of the AC6005.
c. Ping 169.254.1.1 from the PC to check whether the device can be pinged
successfully. If the ping operation fails, check whether the PC's IP address is correct
or replace the network cable.
d. Log in to the device using PuTTY, enter the device's IP address, and select the SSH
protocol.
e. Click Open. In the displayed page, enter the user name admin and password
[email protected] and press Enter. You have logged in to the device. (The
following information is for reference only.)
login as: admin
Sent username "admin"

[email protected]'s password:

----End

2.2.3 Configuring an IP Address for Web Platform Login

Context
Users can use the default IP address or a configured IP address to log in to the web platform.

The AC supports IPv4 and IPv6 addresses. The methods to configure an IPv6 and IPv4
address are similar. An IPv4 address is used as an example here.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 5

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.

Step 3 Run the quit command to return to the system view.

Step 4 Run the interface vlanif vlanif-id command to create a VLANIF interface and enter the
VLANIF interface view.

Step 5 Run the ip address ip-address { mask | mask-length } [ sub ] command to configure an IP
address for the VLANIF interface.

Step 6 Run the quit command to return to the system view.

Step 7 Run the interface interface-type interface-number command to enter the interface view.

Step 8 Run the port link-type trunk command to configure the link type for the interface.

Step 9 Run the port trunk allow-pass vlan vlan-id command to add the interface to the VLAN
created in step 2.
For example, set the management IP address of GE0/0/0 to 192.168.200.161 and mask length
to 24.
<AC6605> system-view
[AC6605] vlan 10
[AC6605-vlan10] quit
[AC6605] interface Vlanif 10
[AC6605-Vlanif10] ip address 192.168.200.161 24
[AC6605-Vlanif10] quit
[AC6605] interface gigabitethernet 0/0/1
[AC6605-GigabitEthernet0/0/1] port link-type trunk
[AC6605-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC6605-GigabitEthernet0/0/1] quit

NOTE

MEth0/0/1 is the management port of the AC6605. If you expect to use the IP address of MEth0/0/1 to log in
to the web platform, run the following commands to configure the IP address:
1. Run the system-view command to enter the system view.
2. Run the interface MEth 0/0/1 command to enter the view of MEth0/0/1.
3. Run the ip address ip-address { mask | mask-length } [ sub ] command to configure an IP address for
MEth0/0/1.

----End

2.2.4 (Optional) Uploading the Web System File Through FTP

Context
Ensure that the route between the access controller and the FTP server is reachable. If the new
software package that contains the web system file has been uploaded to the access controller,
you do not need to upload the web system file again.

NOTE

The FTP protocol will bring risk to device security. The SFTP V2 mode is recommended.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 6

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the ftp server enable command to start the FTP server.

Step 3 Run the aaa command to enter the AAA view.

Step 4 Run the local-user user-name password irreversible-cipher password command to set the
local user name and password.

Step 5 Run the local-user User name service-type ftp command to set the service type of the local
user to FTP.

Step 6 Run the local-user User name ftp-directory directory command to set the FTP directory.

Step 7 Run the local-user user-name privilege level level command to set the local user level.
NOTE

The local user level must be set to 3 or higher. Otherwise, users cannot log in to the device through FTP.

Step 8 Enter the command-line interface (CLI) on the FTP server. For example, in Windows 7,
choose Start > Run and enter cmd in the displayed dialog box.

Step 9 Access the directory that stores the web system file, for example, D:\ftp.

Step 10 Run the ftp IP address command to log in to the access controller using FTP.

In the preceding command, IP address indicates the management IP address of the access
controller.

Enter the user name and password, and press Enter. If the command prompt in the FTP client
view is displayed, for example, ftp>, you have accessed the FTP directory, as shown in
Figure 2-2.

Figure 2-2 Logging in to the FTP server

Step 11 Run the binary command to enter the binary mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 7

NOTE

The FTP supports the following transmission modes:

l ASCII: Text files are transmitted using ASCII characters, separated by a new-line character.
l Binary: Binary files are transmitted directly.
The default transmission mode is ASCII, but the binary mode is recommended here. You can run the
ascii or binary command to switch between the two modes.

Step 12 Run the put **.zip command to upload the web system file from the FTP server to the access
controller. In the preceding command, **.zip indicates the name of the web system file, as
shown in Figure 2-3.

Figure 2-3 Uploading the web system file

Step 13 On the access controller, run the dir command to check whether the web system file exists in
the current directory.
NOTE

If the size of the web system file on the access controller is different from that on the FTP file server, a
transmission exception may occur. Upload the web system file again.

----End

2.2.5 (Optional) Uploading the Web System File Through SFTP

Context
SFTP is an SSH-based protocol. It enables a user terminal to set up secure connections with a
remote device, improving system file transfer security.

To allow the access controller to obtain the web system file through SFTP, ensure that the
route between the access controller and the SFTP server is reachable. If a new software
package that contains the web system file has been uploaded to the device, you do not need to
upload the web system file again.

NOTE

The SFTP V1 protocol will bring risk to device security. The SFTP V2 mode is recommended.

Procedure
Step 1 Run the system-view command to enter the system view.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 8

Step 2 Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE

There are security risks if the configured local key pair length is smaller than 1024 bits. You are advised
to use the local key pair with the default length 2048 bits.

Step 3 Runt the sftp server enable command to enable the SFTP server function.

Step 4 Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY
user interface view.

Step 5 Run the authentication-mode aaa command to set the authentication mode to AAA.

Step 6 Run the protocol inbound all command to configure the VTY user interface to support all
protocols, including Telnet and SSH.

NOTICE
Run the protocol inbound ssh command to configure the VTY user interface to support only
SSH. In this case, the VTY user interface does not support the Telnet protocol. To allow the
VTY user interface to support SSH and Telnet, run the protocol inbound all command.

Step 7 Run the quit command to return to the system view.

Step 8 Run the aaa command to enter the AAA view.

Step 9 Run the local-user user-name password irreversible-cipher password command to

configure a local user name and password.

Step 10 Run the local-user user-name service-type ssh command to set the service type of the local
user to SSH.

Step 11 Run the local-user user-name ftp-directory directory command to specify an SFTP working
directory for the SFTP user.

Step 12 Run the local-user user-name privilege level level command to set the local user level.
NOTE

The local user level must be set to 3 or higher. Otherwise, users cannot log in to the device through
SFTP.

Step 13 Run the quit command to return to the system view.

Step 14 Run the ssh user user-name authentication-type password command to set the
authentication mode of SSH users to password authentication.

Step 15 On a local terminal, access the device through SFTP.

NOTE
You need to install the SSH client on the terminal before login. Third-party software OpenSSH and Windows
command line interface are used as an example here.
l For details on how to install OpenSSH, see the instruction of the software.
l You need to use OpenSSH commands for login through OpenSSH. For details on how to use the
OpenSSH commands, see the help document of the software.
l OpenSSH commands can be used in the Windows command line interface only after the OpenSSH
software is installed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 9

Open the Windows command line interface and run OpenSSH commands to access the device
through SFTP.

When the command line prompt of the SFTP client view, such as sftp>, is displayed, you are
in the working directory of the SFTP server. (The command output provided here is used for
reference only.)
C:\Documents and Settings\Administrator> sftp [email protected]
Connecting to 10.136.23.5...
The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
RSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.136.23.5' (RSA) to the list of known hosts.

User Authentication
Password:
sftp>

Step 16 On the Windows command line interface, run the OpenSSH command to change the path
where the SSH client file is saved, for example, saving the web file to D:\update.
sftp> lcd D:\update

Step 17 On the Windows command line interface, run the OpenSSH command to upload the local web
file **.zip to the access controller.
sftp> put web.zip
Uploading web.zip to /web.zip
web.zip 100% 387000 30.8KB/s 00:00
sftp>

Step 18 Run the dir command on the access controller to check whether the web system file exists in
the current directory.
NOTE

If the size of the web system file in the current directory on the access controller is different from that on
the SFTP file server, an error may occur during file transfer. Upload the system file again.

----End

2.2.6 (Optional) Loading the Web System File

Context
Before loading the web system file, ensure that the file has been uploaded to the access
controller. The web system file is in .zip format. If the router has loaded the new software
package that contains the web system file, you can simply enable the HTTP service and do
not need to load the web system file again.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the http server load file-name command to load the web system file.

By default, the device loads the default web file contained in the system software when the
HTTP service is enabled.

Step 3 Run the http server enable command to enable the HTTP service.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 10

By default, the HTTP server is enabled.

----End

2.2.7 (Optional) Creating User Accounts for the Web Platform

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the aaa command to enter the AAA view.

Step 3 Run the local-user user-name password irreversible-cipher password command to set the
web user name and password.
Step 4 Run the local-user user name privilege level level command to set the local user level.
NOTE

The default user name and password are admin and [email protected]. You are advised to change
the password after logging in to the device for security.
Users with level 0 or without a level configured cannot log in to the web platform. Mappings between
user levels and users are as follows:
l 1: common administrator
l 2: enterprise administrator
l 3-15: super administrator

Step 5 Run the local-user user name service-type http command to set the user access type to
HTTP.
Step 6 Run the quit command to return to the system view.

Step 7 (Optional) Run the http timeout timeout command to set the timeout interval for HTTP
sessions. In the command, timeout is in minutes.
The default timeout interval is 10 minutes.

----End

2.2.8 (Optional) Configuring an HTTPS Server

Context
In some insecure scenarios where attacks may occur, you can use the Hypertext Transfer
Protocol Secure (HTTPS) protocol to log in to the web platform. The HTTPS protocol
encrypts data, ensuring data transmission security.

Procedure
Step 1 Configure a server SSL policy.
# Specify the PKI domain default in the client SSL policy.
The device provides a default SSL policy, and the web page file contains the SSL certificate.
Therefore, you do not need to upload the certificate or configure the SSL policy. To ensure

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 11

security, it is recommended that you obtain a new digital certificate from the certificate
authority (CA) and manually configure an SSL policy.
[AC6605] ssl policy userserver type server
[AC6605-ssl-policy-userserver] pki-realm default

Step 2 Configure an HTTPS server.

# Apply the SSL policy userserver to the HTTPS service.
[AC6605] http secure-server ssl-policy userserver

# Enable the HTTPS server function on the AC.

[AC6605] http secure-server enable
This operation will take several minutes, please
wait.........................................................
Info: Succeeded in starting the HTTPS server
[AC6605] quit

Step 3 Start the browser on a host, and enter https://IP address in the address box. The host access
web pages of the AC using HTTPS, and you can manage the AC on the web pages.
----End

2.2.9 Logging In to the Web Platform

Context
Before logging in to the web platform, ensure that:
l The IP address of the device's access port has been configured.
l The device and your PC are properly connected.
l The device is running properly, and the HTTP and HTTPS services are correctly
configured.
l The web browser software has been installed on your PC.
NOTE

l The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on MEth0/0/1 of the
AC6605 before the delivery.
l The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on MEth0/0/1 of the
ACU2 before the delivery.
l The IP address 169.254.1.1 and subnet mask 255.255.0.0 have been configured on VLANIF 1 of the
AC6005 before the delivery, and interfaces GE0/0/1 to GE0/0/8 have been added to VLAN 1 by default.
l Before the device is delivered, the STelnet service has been configured on the device. The STelnet port
number is 22, and the default user name and password are respectively admin and [email protected].
l Before the device is delivered, the HTTP and HTTPS services have been configured on the device. The
default port number is 80 for HTTP and 443 for HTTPS. The default user name and password are
respectively admin and [email protected].

Figure 2-4 shows the running environment of the web platform that can be managed and
configured on your PC.

Figure 2-4 Running environment of the web platform

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 12

Procedure
Step 1 Open a browser such as Internet Explorer 10.0, enter http://IP address or https://IP address
in the address box, for example, http://169.254.1.1 or https://169.254.1.1, and press Enter.
(For the IP address, see IP addresses of access interfaces configured in 2.2.3 Configuring an
IP Address for Web Platform Login.) The web platform login page is displayed.
NOTE

When a user logs in to a device through HTTP, the HTTPS login page is displayed. If the HTTPS
service is unavailable, for example, the HTTPS service is not enabled, or the HTTPS service is enabled
but not bound to an SSL policy, the incorrect page is displayed.

Step 2 Enter the login information.

1. Select a language.
The system supports English and Chinese. By default, the system uses the same language
as the browser.
2. Enter a user name and password.
The default user name and password are admin and [email protected].
3. Click Login.
NOTE

If the login fails, the following possible causes are displayed at the same time:
l Username or password is wrong!: indicates that the entered user name or password is incorrect.
Click OK to check the user name and password. If they are incorrect, enter them again.
l The number of login users have reached the maximum!: indicates that the number of online web
users reaches the upper limit. By default, the maximum number of online web users is 5.
l User has no right to login!: indicates that the current online user has no permission to log in to the
web platform. Contact network administrators.
l The number of incorrect passwords reaches limit. Your account is locked!: indicates that the
current login account is locked and will be automatically unlocked after 5 minutes.

Step 3 Click Logout in the upper right corner to Log out of the web platform. The login page is
displayed.
Step 4 If you do not perform any operation within a specified duration (10 minutes by default), you
are logged out. To return to the login page, click OK.
----End

2.3 Switching to the CLI Through the Web Platform

After you log in to the web platform, click Console in the upper right corner of the page so
that you can enter the command-line interface (CLI) and use commands to manage and
maintain the device.
To display the CLI by clicking Console, enable the Telnet service on the device. For the
detailed operation, see Service Management.
NOTE

There are security risks in using the Telnet service, so you are advised to disable it after using the
Console function.

If you are using Microsoft Internet Explorer, Initialize and script ActiveX controls not
marked as safe for scripting must be set to Enable or Prompt. Choose Tools > Internet

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 13

Options > Security, click Custom level, and set Initialize and script ActiveX controls not
marked as safe for scripting to Enable or Prompt. Internet Explorer 10.0 is used only as an
example.

2.4 Precautions for Using the Web Platform

l The web platform supports different browsers. You can log in to the web system using
the Internet Explorer 10.0, Internet Explorer 11.0, Firefox40.0 to Firefox46.0, or Google
Chrome 39.0 to Google Chrome 52.0 browsers. If the version of your web browser is not
supported, the web page may be displayed incorrectly.
l When you log in to the web platform using Internet Explorer, the security level cannot be
set to High; otherwise, web pages cannot be displayed. When accessing the web
platform using the web proxy, choose Tools > Internet Options > Advanced from the
menu of Internet Explorer 8.0, and select Use HTTP 1.1 through proxy connections.
Choose Tools > Internet Options > Security, click Custom level, and set Allow
Scriptlets, Run ActiveX controls and plug-ins, and Active scripting to Enable;
otherwise, web pages cannot be displayed. Internet Explorer 10.0 is used only as an
example.
l If the message "Your browser's security settings are too high to complete this process.
See the help menu for instructions on adjusting your security settings." is displayed
during file upload, configure the Internet Explorer as follow:
a. Choose Tools > Internet Options > Security > Custom Level.
b. Click Enable or Prompt next to Initialize and script ActiveX controls not
marked as safe for scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the
message "An ActiveX control on this page might be unsafe to interact with other
parts of the page. Do you want to allow this interaction?" is displayed. If you click
Yes, the file can be uploaded.
c. Click Enable next to Include local directory path when uploading files to a
server.
l After the device software version changes or the HTTP/HTTPS port number is changed,
clear the browser cache before using the web platform. Otherwise, web pages may be
incorrectly displayed.
– When you log in to the web platform using the IE browser, choose Tools > Internet
Options > General, click Delete, select Temporary Internet files and website
files and Cookies and website data, and click Delete to clear the browser cache.
Here, Internet Explorer 10.0 is used as an example.
– When you log in to the web platform using the Firefox browser, choose Options >
Privacy, click clear your recent history, select Cookie and Cache, and click
Clear Now to clear the browser cache. Here, Firefox 37.0 is used as an example.
– When you log in to the web platform using the Chrome browser, choose History,
click Clear browsing data, select Cookies and other site and plug-in data and
Cached images and files, and click Clear browsing data to clear the browser
cache. Here, Chrome 46.0 is used as an example.
l The web platform does not support back, forward, and refresh buttons on the browser. If
you click these buttons, the web platform may return to the login page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 14

2.5 Web Page Description

This section describes elements on the main page of the web platform and their functions.

Layout
The main page of the web platform mainly includes the following areas, as shown in Figure
2-5.

Figure 2-5 Main page of the web platform

Table 2-1 Layout

Are Name Description
a

1 Button You can click these buttons to save settings, get help information, and
log out of the platform.

2 Navigati Functions are displayed in a navigation tree.

on tree The level-1 menu is on the upper left corner of the page, and the level-2
menu is on the left of the page.

3 Operati You can configure functions or view function status in the operation
on area area.

Button
Buttons locate in the upper right corner of the main page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 15

Table 2-2 Buttons

Button Function

Save Commits the configured commands.

After modifying device configuration information on web pages, you need to
click Save to save the modification to the device configuration file. Unsaved
configuration information will be lost after the device restarts.

Console Displays the command-line interface (CLI).

You can manage and maintain devices on the CLI.

Alarm &
You can click to quick open Alarm & Event page.
Event

Logout Logs you out of the web platform.

To log out of the web platform, click . To log in to the web platform,
enter the user name and password.

Help Provides online help.

You can click or press F1 on any page to view help information about the
current page, including the configuration procedure and parameters.
If the browser automatically blocks pop-up windows, configure the browser
to allow the display of pop-up windows.
In the displayed help window, you can view help information about any page
in the navigation tree on the left side.

About Displays product version information.

You can click to view product version information and obtain technical
support by accessing the technical support website.

Language Switches languages for the web platform.

l Click . The web page displays in English.

l Click . The web page displays in Chinese.

2.6 Help and Version of the Web Platform

The Help and About icons ( and respectively) are on the upper right corner of the web
page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 16

Table 2-3 Description of the Help and About icons

Icon Description

Help
You can click or press F1 on any page to view help information about the
current page, including the configuration procedure and parameters.
If the browser automatically blocks pop-up windows, configure the browser
to allow the display of pop-up windows.
In the displayed help window, you can view help information about any page
in the navigation tree on the left side.

About
You can click to view product version information and obtain technical
support by accessing the technical support website.

2.7 Common Web Platform Buttons

This section describes common web platform buttons.

Table 2-4 Common web platform buttons

Button Description

Create Displays the page for creating table entries and profiles.

Delete Deletes selected table entries or profiles.

Clear Clears table entries or profiles.

Refresh Updates information displayed on the current page.

Auto Automatically updates information displayed on the current page.

refresh

Apply Makes the current page configuration effective.

Confirm Makes the current page configuration effective.

Display Displays information of profiles that uses the current profile.

Reference

Searches for results.

Returns to the previous page from the current page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 17

3 Monitoring

About This Chapter

3.1 Summary
3.2 AC
3.3 User
3.4 Radio
3.5 AP
3.6 SSID
3.7 Mesh&WDS
3.8 Potential Risk
3.9 WIDS
3.10 Spectrum Analysis

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 18

3.1 Summary
Background
You can view device status information to verify that a device runs properly.

Choose Monitor > Summary. The Summary page is displayed.

The Summary page includes the following areas:

l Health
l Access User Quantity
l Throughput

Health
You can view the health status of users, radios, and APs in this window.

Devices collect statistics about performance indicators and use graphics to represent the
health status of devices. When the health score is higher than or equal to 60, the icon is green,
indicating that all indicators are normal. A higher score indicates better health status. When
the score is lower than 60, the icon turns orange, indicating that some indicators are low.
Health status indicators include:
l User: Rate, SNR, Downlink retransmission ratio, and Downlink packet loss ratio
– Rate: indicates the transmission rate. A value of higher than 12 Mbit/s is normal.
– SNR: indicates the signal-to-noise ratio (SNR) of the user. A larger value indicates
a smaller SNR and less impact on signal transmission. An SNR larger than 20 dB is
normal.
– Downlink retransmission ratio: indicates the downlink retransmission ratio of
service data packets . A downlink retransmission ratio less than 50% is normal.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 19

– Downlink packet loss ratio: indicates the ratio of lost data packets to total data
packets sent from the AP to STAs. Packet loss occurs if data retransmission fails for
a specified number of times. A downlink packet loss ratio less than 5% is normal.
The user health score is calculated as: the proportion of the number of users whose
indicators are normal to the total number of users. If the proportion is 70%, the health
score will be 70.
l Radio: Channel utilization, Noise strength, Interference ratio, Downlink
retransmission ratio, and Downlink packet loss ratio
– Channel utilization: indicates the sum of the transmission time proportion, receive
time proportion, and interference ratio on a radio interface. Channel utilization less
than 70% is normal.
– Noise strength: indicates the received signal strength indicator (RSSI), which is
used to evaluate the quality of radio signals. An RSSI smaller than -80 dBm is
normal.
– Interference ratio: indicates the interference ratio of the radio signal. An
interference ratio less than 40% is normal.
– Downlink retransmission ratio: indicates the downlink retransmission ratio of
radio packets. A downlink retransmission ratio less than 50% is normal.
– Downlink packet loss ratio: indicates the ratio of lost data packets to total
transmitted data packets on radios. Packet loss occurs if data retransmission fails for
a specified number of times. A downlink packet loss ratio less than 5% is normal.
The radio health score is calculated as: the proportion of the number of radios whose
indicators are normal to the total number of radios.
l AP: Normal status, Access failure ratio, Logout ratio, and Access user quantity
– Normal status: indicates that an AP is in normal, committing, download, or
standby state.
– Access failure ratio: indicates the proportion of the number of user access failures
to the total number of successful user access times and access failures on a single
AP. User access failures due to service exceptions are counted, for example, the
number of users on an SSID reaches the maximum, and access of weak-signal STAs
is denied. An access failure rate less than 20% is normal.
– Logout ratio: indicates the ratio of the number of unexpected STA disconnections
to the number of successful STA access times on a single AP. A logout ratio less
than 20% is normal. Possible causes for unexpected STA disconnections include
authentication failure or timeout, inter-AC roaming failure, AP faults, faulty data
synchronization between the AC and APs, and association or reassociation with
different VAPs of the same AP.
– Access user quantity: indicates the number of access users on an AP. An access
user quantity smaller than 40 is normal.
The AP health score is calculated as: the proportion of the number of APs whose
indicators are normal to the total number of APs.

Access User Quantity

You can view user access information in this window, including the number of online users,
number of the online 2.4 GHz users, and number of the online 5 GHz users.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 20

Throughput
You can view valid uplink and downlink throughput of devices.

3.2 AC

3.2.1 AC

Background
You can view AC information to verify the CPU usage and memory usage of an AC and other
basic information.

Choose Monitoring > AC > AC. The AC page is displayed.

CPU Usage
You can view the CPU usage of the AC in this window.

Memory Usage
You can view the memory usage of the AC in this window.

AC Basic Information
You can view basic information of the AC in this window, including:
l Device model: Model of a device.
l Device name: To modify the device name, click Modify.
l Device serial number: serial number of a device. Each device has a unique serial number.
l MAC address: MAC address of a device.
NOTE

Only users of level 3 or higher level can view the MAC address.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 21

l System software version: software version of the current system. To upgrade system
software, click Upgrade. For details, see 6.1.3 AC Upgrade.
l Running time: running duration of a device.
l Maximum number of managed APs: maximum number of devices managed by the
device (this number is determined by the license configured on the device).
l Maximum number of STAs: Maximum number of access users that the device support.
l Device temperature: current temperature of a device.

3.2.2 Roaming STA Quantity

Background
You can view statistics on roaming users.

Choose Monitoring > AC > Roaming STA Quantity. The Roaming STA Quantity page is
displayed.

Inter-AC Roaming User Total Count by AC

You can view statistics on roaming users on an AC in this window.

Statistics include: Peer AC IP, Status, Number of STAs Roaming From Peer AC to Local
AC, and Number of STAs Roaming From Local AC to Peer AC.

Roaming User Total Count by AP

You can view statistics on roaming users on an AP in this window, including AP ID, AP
Name, Number of STAs Roaming To Local AC, and Number of STAs Roaming To Another
AC.

3.2.3 Interface Traffic Statistics Collection

Procedure
l View interface traffic statistics.
a. Choose Monitoring > AC > Interface Traffic Statistics Collection. The Interface
Traffic Statistics Collection page is displayed.
b. Check traffic statistics on the specified interface.Table 3-1 describes the related
parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 22

Table 3-1 Interface traffic statistic parameters

Parameter Description

Interface Name Name of the physical interface.

Number of Sent Packets Number of packets sent by the

interface.

Number of Sent Bytes Number of bytes in packets sent by the

interface.

Number of Received Packets Number of packets received by the

interface.

Number of Received Bytes Number of bytes in packets received

by the interface.

l Clear interface traffic statistics.

NOTICE
The cleared traffic statistics cannot be restored. Exercise caution when you clear traffic
statistics.

a. Choose Monitoring > AC > Interface Traffic Statistics Collection. The Interface
Traffic Statistics Collection page is displayed.
b. In Interface Traffic Statistics List, select the physical interface of which you want
to clear traffic statistics. Click Reset. In the Info dialog box that is displayed, click
OK.

----End

3.3 User

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 23

3.3.1 User Statistics

Context
You can view traffic statistics of each user through the user monitoring page so that you can
learn the wireless network status.

Procedure
l View the user list.
a. Choose Monitoring > User > User Statistics. The User List page is displayed.
b. Click the downward arrow next to Default to customize items to be displayed.
Click All to display all items.

Table 3-2 Statistics in the user list

Parameter Description

User Name Name of the user.

l In open authentication mode, the MAC address of the
user is displayed.
l In MAC address authentication mode using the MAC
address, the MAC address of the user is displayed.
l In MAC address authentication mode using the fixed
user name, the fixed name of the user is displayed.
l In Portal or 802.1x authentication mode, the user
name entered upon user access is displayed.

MAC Address MAC address of the STA.

AP ID ID of the AP with which the STA associates.

AP Name Name of the AP with which the STA associates.

AP Group AP group of the AP with which the STA associates.

IPv4 Address IPv4 address of the STA.

IPv6 Address IPv6 address of the STA.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 24

Parameter Description

SSID SSID with which the STA associates.

Frequency Band Frequency band type used by the STA to access the
wireless network.

Supported Band Frequency bands supported by the STA.

Mode Radio working mode.

Authentication Mode Authentication mode used by the STA to go online.

VLAN VLAN for data services of the STA.

RSSI Strength of RF signals received by the STA.

Negotiation Rate Negotiated rate of the STA when it goes online on an AP.

Throughput Valid downlink and uplink throughput of the STA.

SNR SNR of the STA.

Channel Channel used by the STA.

Channel Usage Channel usage of the STA.

Frame Quantity Number of uplink and downlink frames transmitted by

the STA.

Downlink Downlink retransmission ratio of service data of the

Retransmission Ratio STA.

Downlink Packet Downlink packet loss ratio of service data of the STA.
Loss Ratio

c. Search for a user.

In STA Performance Distribution, select specific users based on the downlink
negotiation rate, SNR, and downlink packet loss ratio, (select an area in the bar
graph).
NOTE

l Move the cursor to Channel Usage to view details about channel usage of the user, including the
transmitting time ratio, receiving time ratio, interference ratio, and idle rate of the channel.
l Click the rightward arrow on the left of the list to view the following recent information about the
user: SNR, downlink negotiation rate, channel usage, valid downlink and uplink throughput,
downlink retransmission ratio, and downlink packet loss ratio graph.
l Intelligently diagnose STA access faults.
Select a user in User List and click Intelligent Diagnosis to diagnose login failures,
disconnection, and slow service rate or unavailable service transmission. The web
platform will provide handling suggestions. For details, see 5.1 Intelligent Diagnosis.
l Collect application statistics on STAs.
Select a STA in User List and click Application Statistics. Details about top 10
applications of traffic within the latest 60s and cumulative traffic on the STA are
displayed. You can click Reset to clear the application statistics.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 25

Click ... next to Application name in Query by Application. Details about traffic
consumption of other applications are displayed.
l Query the roaming track of a STA.
Select a STA in User List and click Roaming Track. Its roaming track is displayed.
l Query login failure records.
Click Login Failure Record. All login failure records on the AC are displayed, helping
identify fault causes.
l Query user logout records.
Click Logout Record. All logout records on the AC are displayed, helping identify fault
causes.
l Force a STA to go offline.
Select a STA in User List and click Forcible Logout. The STA is forced to go offline.
l Export user information.
Click Export Info in User List. User information is exported in .csv file.
----End

3.3.2 User Distribution

Context
On the User Distribution page, you can see distribution of users on APs and in AP groups.

Procedure
l Check user statistics by AP.
Choose Monitoring > User > User Distribution. The User Distribution page is
displayed. You can check user statistics on an AP in User Statistics List by AP.

Table 3-3 Parameters on the User Statistics List by AP

Parameter Description

AP Name Name of the AP that the STA associates with.

User Quantity Number of STAs access the AP.

Number of 2.4G Users Number of 2.4 GHz users connected to the AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 26

Parameter Description

Number of 5G Users Number of 5 GHz users connected to the AP.

l Check user statistics by AP group.

Choose Monitoring > User > User Distribution. The User Distribution page is
displayed. You can check user statistics of an AP group in User Statistics List by AP
Group.

Table 3-4 Parameters on the User Statistics List by AP Group

Parameter Description

AP Group Name AP group name.

User Quantity Total number of users connected to all APs in an AP group.

Number of 2.4G Users Total number of 2.4G users connected to all APs in an AP
group.

Number of 5G Users Total number of 5G users connected to all APs in an AP

group.

----End

3.3.3 Dynamic Blacklist

Context
You can view information about STAs in the dynamic blacklist through the user monitoring
page.

Procedure
Step 1 Choose Monitoring > User > Dynamic Blacklist. The Dynamic Blacklist page is displayed.

Table 3-5 Statistics in the dynamic blacklist

Parameter Description

MAC Address MAC address of the STA.

Aging Time Aging time after which the STA entry is removed from the
dynamic blacklist.

Validity Time Time when the STA is added to the dynamic blacklist.

Add to Blacklist Cause Cause for adding the STA to the dynamic blacklist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 27

----End

3.4 Radio
Context
You can view details about radios of APs through the radio monitoring page.

Procedure
l View the radio list.
a. Choose Monitoring > Radio. The Radio List page is displayed.

b. Click the downward arrow next to Default to customize items to be displayed.

Click All to display all items.

Table 3-6 Statistics in the radio list

Parameter Description

AP ID ID of the AP.

AP Name Name of the AP.

Radio ID Radio ID of the AP.

Frequency Band Frequency band on which a radio works.

Mode Radio type.

Status Radio status.

Working Mode Radio working mode.

Channel Working channel of a radio.

Frequency Channel bandwidth of a radio.

Bandwidth

EIRP/Max EIRP Radio power configured/Maximum power in compliance

with local laws and regulations.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 28

Parameter Description

Access STA Number of STAs associated with a radio.

Noise Strength Radio noise level.

Channel Usage Channel usage of a radio.

Rate Radio rate.

Total Frame Quantity Total number of frames received and sent by a radio.

Downlink Downlink retransmission ratio on a radio.

Retransmission Ratio

Downlink Packet Downlink packet loss ratio on a radio.

Loss Ratio

c. Search for a radio.

In Radio Performance Distribution, select specific radios based on the noise
level, channel usage, and interference ratio (select an area in the bar graph).
NOTE

l Move the cursor to Channel Usage to view details about channel usage of the radio, including the
transmitting time ratio, receiving time ratio, interference ratio, and idle rate of the channel.
l Click the rightward arrow on the left of the list to view the following information about the radio:
the number of recently accessed STAs, noise level, channel usage, rate, downlink retransmission
ratio and downlink packet loss ratio.
l Implement spectrum analysis.

Select a radio from Radio List and click Spectrum Analysis. The spectrum charts of the
radio are displayed. For details, see 3.10 Spectrum Analysis.
l Intelligently diagnose radio faults.

Select a radio in Radio List and click Intelligent Diagnosis to diagnose Mesh link
faults, AP failures, and AP upgrade failures. The web platform will provide handling
suggestions. For details, see 5.1 Intelligent Diagnosis.
l Capture wireless packets.

Select a radio in Radio List and click Wireless Packet Obtaining to capture wireless
packets so that you can identify faults. For details, see 5.2.2 Wireless Packet Obtaining.
l View field strength information.
Select a radio in Radio List and click Field Strength Collection. Field strength
information is displayed.

Table 3-7 Field strength information

Parameter Description

Local AP ID ID of the local AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 29

Parameter Description

Local AP Name Name of the local AP.

Local AP MAC MAC address of the local AP.

Radio ID ID of a radio of which field strength information is collected.

Local AP Position No. This parameter takes effect only when the location-based
handover algorithm is enabled.

Neighboring AP ID ID of the peer AP.

Neighboring AP Name of the peer AP.

Name

Neighboring AP MAC MAC address of the peer AP.

Neighboring AP This parameter takes effect only when the location-based

Position No. handover algorithm is enabled.

Neighboring AP RSSI RSSI of the peer AP.

Refresh Time Interval for updating field strength information.

l View radio calibration records.

Click Radio Calibration Record. Radio calibration records are displayed.

Table 3-8 Description of radio calibration records

Parameter Description

Time Time when calibration is triggered.

AP ID ID of the AP.

AP Name Name of the AP.

Radio ID ID of the radio.

Channel Before/After Calibration Radio channel before/after radio

calibration.

Bandwidth Before/After Calibration Radio bandwidth before/after radio

calibration.

Eirp Before/After Calibration Transmit power of the radio before/after

radio calibration.

RSSI Before/After Calibration RSSI of an AP before/after radio

calibration.

Calibration Cause Cause of radio calibration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 30

l Export the radio list.

Click Export Info. The radio list is exported in a .csv file.
----End

3.5 AP

3.5.1 AP Statistics Collection

Context
You can view AP performance statistics on the AP Statistics Collection page.

Procedure
l View the AP list.
a. Choose Monitoring > AP > AP Statistics Collection. The AP List page is
displayed.

In AP Performance Analysis, the AP distribution in a coordinate diagram is

displayed based on the load, STA access failure ratio, and STA logout ratio.
AP Distribution Based on Load
The horizontal coordinate indicates the range of STA quantity on a single AP, and
the vertical coordinate indicates the number of APs. The green bar chart indicates
that the number of STAs associated with an AP is proper, the orange bar chart
indicates that excessive STAs are associated with an AP, and figures above the bar
charts indicate the number of APs with which STAs are associated.
AP Distribution Based on STA Access Failure Ratio
The STA access failure ratio is the ratio of the number of STA access failures to the
total number of STA access times on a single AP.
The horizontal coordinate indicates the range of STA access failure ratio on a single
AP, and the vertical coordinate indicates the number of APs. The green bar chart
indicates that the STA access failure ratio on an AP is normal, the orange bar chart

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 31

indicates that the STA access failure ratio on an AP exceeds the upper limit, and
figures above the bar charts indicate the number of APs corresponding to the STA
access failure ratio.

AP Distribution Based on STA Logout Ratio

The STA logout ratio is the ratio of the number of unexpected STA disconnections
to the number of successful STA access times on a single AP.

The horizontal coordinate indicates the range of STA logout ratio on a single AP,
and the vertical coordinate indicates the number of APs. The green bar chart
indicates that the STA logout ratio on an AP is normal, the orange bar chart
indicates that the STA logout ratio exceeds the upper limit, and figures above the
bar charts indicate the number of APs corresponding to the STA logout ratio.
b. Click the downward arrow next to Default to customize items to be displayed.
Click All to display all items.

Table 3-9 Statistics in the AP list

Parameter Description

AP ID ID of the AP.

AP Name Name of the AP.

MAC Address MAC address of the AP.

AP Group AP group to which APs belong.

IP Address IP address of the AP.

AP Type Type of the AP.

Version Software version of the AP.

Serial Number SN of the AP.

Status Working status of the AP.

Click the working status of the AP to view status details.

Central AP ID ID of the central AP.

Central AP Name Name of the central AP.

Central AP MAC MAC address of the central AP.

Address

STA Access Failure Failure ratio of STAs connecting to a WLAN.

Ratio

Logout Ratio User logout ratio.

STA Quantity Number of STAs associated with the AP.

CPU Usage Current CPU usage of the AP.

Memory Usage Current memory usage of the AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 32

Parameter Description

Wired-side Throughput on the wired side.

Throughput

Login Period Time when the AP went online.

Total Restart Count Total number of times the AP restarts.

Poweroff Restart Number of times the AP restarts due to power failures.

Count

Longitude, Latitude Longitude and latitude of the AP.

l Intelligently diagnose AP faults.

Select an AP in AP List and click Intelligent Diagnosis to diagnose Mesh link faults,
AP failures, and AP upgrade failures. The web platform will provide handling
suggestions. For details, see 5.1 Intelligent Diagnosis.
l View login failure records.

Click Login Failure Record in AP List. The Login Failure Record page is displayed,
on which you can view all records about the STA login failure on the AP to locate the
related fault causes.
l View user logout records.

Click Logout Record in AP List. The Logout Record page is displayed, on which you
can view all STA offline records on the AP to locate the related fault causes.
l View status of the soft GRE tunnel.

Select an AP in AP List and click SoftGRE Tunnel Status. The status of the soft GRE
tunnel on the AP is displayed.
l Export the AP list.

Click Export Info. The AP list is exported in a .csv file.

l View information about the IoT card.
Click IoT Card Info. Information about the IoT card is displayed.

Table 3-10 IoT card information description

Parameter Description

AP ID ID of the AP.

AP Name Name of the AP.

Card1 Status Status of slot 1.

Card2 Status Status of slot 2.

Card3 Status Status of slot 3.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 33

Parameter Description

Protocol version Protocol version.

Wireless standard Wireless protocol supported by a card.

Frequency Card frequency.

Vendor name Vendor code.

Card type Card model.

Hardware version Hardware version of the card.

Firmware version Firmware version of the card.

Card serial number Module ID of the card.

----End

3.5.2 AP Wired Interface Statistics Collection

Context
You can view statistics about the AP's wired interfaces on the AP Wired Interface Statistics
Collection page.

Procedure
l View the AP wired interface statistics list.
a. Choose Monitoring > AP > AP Wired Interface Statistics Collection. The AP
Wired Interface Statistics List page is displayed.

b. View statistics about the AP's wired interfaces in AP Wired Interface Statistics
List. See Table 3-11 for descriptions of related parameters.

Table 3-11 Parameters in the AP Wired Interface Statistics List page

Parameter Description

AP ID AP ID.

AP Name AP name.

MAC Address AP's MAC address.

Interface Name Name of the AP's wired interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 34

Parameter Description

Connection Status Connection status of the AP's wired interface.

Negotiated Rate Negotiated rate of the AP's wired interface.

----End

3.6 SSID
3.6.1 SSID

Context
You can view transmission statistics about a network identified by a service set identifier
(SSID).

Procedure
l View the SSID list.

Choose Monitoring > SSID > SSID. The SSID List page is displayed.

Table 3-12 Statistics in the SSID list

Parameter Description

SSID SSID of the network that STAs access.

User Quantity Number of STAs that access the network identified by a

specific SSID.

AP Quantity Number of APs using a specific SSID.

Valid Throughput Valid throughput of the SSID.

Frame Quantity Number of frames

Downlink Ratio of retransmitting downlink data packets from the AP to

Retransmission Ratio all STAs in the SSID.

Downlink Packet Loss Ratio of lost data packets to all data packets sent from the
Ratio AP to all STAs in the SSID.

l View the status graph.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 35

Select an SSID in SSID List to view the user statistic graph and throughput statistic
graph matching the SSID.

----End

3.6.2 VAP

Context
You can view transmission statistics on each VAP through the VAP monitoring page.

Procedure
l View the VAP list.

Choose Monitoring > SSID > VAP. The VAP List page is displayed.

Table 3-13 Statistics in the VAP list

Parameter Description

AP ID ID of the AP on which the VAP is created.

AP Name Name of the AP on which the VAP is created.

Radio ID Radio ID of the AP on which the VAP is created.

WLAN ID VAP ID.

SSID SSID of the VAP

BSSID BSSID of the VAP.

Authentication Mode Authentication mode of the VAP.

Access User Quantity Number of access users on the VAP.

Status Working status of the VAP.

l View the status graph.

Select a VAP in VAP List to view graphs of top 10 applications of traffic within the
latest 60s and cumulative traffic at the lower part of the page.

Click ... next to Application name in Query by Application to view details about
traffic of other applications.
l Clear application statistics on a VAP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 36

Select the target VAP in VAP List and click Reset Application Statistics to clear
application statistics on the VAP.

----End

3.7 Mesh&WDS
3.7.1 Mesh Link Information

Context
You can view Mesh link information through the Mesh link information monitoring page.

Procedure
l View the Mesh link list.
a. Choose Monitoring > Mesh&WDS > Mesh Link Information. You can view
Mesh link list at the page that is displayed.

Table 3-14 Statistics in the Mesh link list

Parameter Description

AP ID ID of the local AP.

AP Name Name of the local AP.

AP MAC MAC address of the local AP.

AP Group AP group to which the local AP belongs.

Radio ID Radio ID of a Mesh link.

Channel Channel of a Mesh link.

Coverage Distance Radio coverage distance of the local AP.

Different radio coverage distance parameters correspond to
different values of slottime (inter-frame interval), acktimeout
(ACK timeout period), and ctstimeout (RTS/CTS timeout
period). You must configure a proper coverage distance
parameter based on AP distance; otherwise, Mesh links
cannot be established due to a packet timeout.

Mesh Working Mode Mesh mode of the local AP.

Peer AP ID ID of the peer AP.

Peer MAC MAC address of the peer AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 37

Parameter Description

Peer AP Name Name of the peer AP.

Peer AP Status Working status of the peer AP.

Current RSSI Current RSSI of a Mesh link.

Maximum RSSI Maximum RSSI that a Mesh link ever had.

----End

3.7.2 WDS Network Bridge Information

Context
You can view WDS link information through the WDS bridge information monitoring page.

Procedure
l View WDS network bridge information.
a. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information. The
WDS Network Bridge List page is displayed.

Table 3-15 Statistics in the WDS bridge list

Parameter Description

AP ID ID of the local AP.

AP Name Name of the local AP.

AP MAC MAC address of the local AP.

AP Group AP group to which the local AP belongs.

Radio ID Radio ID of a WDS link.

Channel Channel of a WDS link.

Coverage Distance Radio coverage distance of the local AP.

Different radio coverage distance parameters correspond to
different values of slottime (inter-frame interval), acktimeout
(ACK timeout period), and ctstimeout (RTS/CTS timeout
period). You must configure a proper coverage distance
parameter based on AP distance; otherwise, WDS links
cannot be established due to a packet timeout.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 38

Parameter Description

Mesh Working Mode Bridge mode of the local AP.

Peer AP ID ID of the peer AP.

Peer MAC MAC address of the peer AP.

Peer AP Name Name of the peer AP.

Peer AP Status Working status of the peer AP.

Current RSSI Current RSSI of a WDS link.

Maximum RSSI Maximum RSSI that a WDS link ever had.

----End

3.8 Potential Risk

Context
You can view and analyze statistics on exceptions of STAs and radios so that you can identify
potential risks.

Procedure
l View potential risks of STAs.
a. Choose Monitoring > Potential Risk. The Potential Risk page is displayed.

b. Click the number next to a condition in the User area. The details about faulty users
are displayed in the User List at the lower part of the page.

Table 3-16 Statistics on a faulty user

Parameter Description

User Name Name of the user.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 39

Parameter Description

MAC Address MAC address of the STA.

AP ID ID of the AP with which the STA associates.

AP Name Name of the AP with which the STA associates.

AP Group AP group to which the AP belongs.

IP Address IP address of the STA.

SSID SSID with which the STA associates.

Frequency Band Frequency band used by the STA to associate with the AP.

Supported Band Frequency bands supported by the STA.

Mode Current radio mode of the STA.

Authentication Mode Authentication mode used by the STA to go online.

VLAN VLAN for data services of the STA.

RSSI Strength of RF signals received by the STA.

Negotiation Rate Negotiated rate of the STA.

Throughput Valid throughput of the STA.

SNR Uplink SNR of the STA.

Channel Channel used by the STA.

Channel Usage Channel usage for service data of the STA.

Frame Quantity Number of frames of service data of the STA.

Downlink Downlink retransmission ratio of service data of the STA.

Retransmission Ratio

Downlink Packet Loss Downlink packet loss ratio of service data of the STA.
Ratio

l Intelligently diagnose STA access faults.

Select a user in User List at the lower part of the page and click Intelligent Diagnosis to
diagnose login failures, disconnection, and slow service rate or unavailable service
transmission. The web platform will provide handling suggestions. For details, see 5.1
Intelligent Diagnosis.
l View potential risks of radios.
a. Choose Monitoring > Potential Risk. The Potential Risk page is displayed.
b. Click the number next to a condition in the Radio area. The details about faulty
radios are displayed in Radio List at the lower part of the page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 40

Table 3-17 Statistics on a faulty radio

Parameter Description

AP ID ID of the AP.

AP Name Name of the AP.

Radio ID Radio ID of the AP.

Frequency Band Frequency band on which a radio works.

Mode Radio type.

Status Radio status.

Working Mode Radio working mode.

Channel Working channel of a radio.

Frequency Bandwidth Channel bandwidth of a radio.

EIRP/Max Radio power configured/Maximum power in compliance

EIRP(dBm) with local laws and regulations.

Access STA Number of STAs associated with a radio.

Noise Strength Radio noise level.

Channel Usage Channel usage of a radio.

Rate Radio rate.

Total Frame Quantity Total number of frames received and sent by a radio.

Downlink Downlink retransmission ratio on a radio.

retransmission Ratio

Downlink packet Loss Downlink packet loss ratio on a radio.

Ratio

l Intelligently diagnose radio faults.

Select a user or radio to diagnose Mesh link faults, AP failures, and AP upgrade failures.
The web platform will provide handling suggestions. For details, see 5.1 Intelligent
Diagnosis.
l Implement spectrum analysis.

Select a radio from Radio List and click Spectrum Analysis. The spectrum charts of the
radio are displayed. For details, see 3.10 Spectrum Analysis.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 41

3.9 WIDS
Procedure
l View device detection results.
a. Choose Monitoring > WIDS. The WIDS page is displayed.
b. View device detection results in Device Detection. Table 3-18 describes the device
detection parameters.

Table 3-18 Device detection parameters

Parameter Description

Unauthorized device Number of unauthorized devices.

Interference source Number of interference sources.

Authorized device Number of authorized devices.

Countermeasure list Number of countered devices.

c. Click A number in the detection result list.

The detected device information is displayed in Device Detection Information.
Table 3-19 describes the parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 42

Table 3-19 Device detection parameters

Parameter Description

MAC Address MAC address of the device.

Device Model -

SSID SSID of the device.

Channel Channel used by the device.

Number of Detected APs Number of APs that detect the device.

Last Discovered At Last time when the device is detected.

d. Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed. Table 3-20 describes
the parameters.

Table 3-20 Parameters of APs that detect the device

Parameter Description

AP ID ID of the AP that detects the device.

AP Name Name of the AP that detects the device.

MAC Address MAC address of the AP that detects

the device.

AP Group AP group to which the AP that detects

the device belongs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 43

Parameter Description

IP Address IP address of the AP that detects the

device.

RSSI of Detected Device RSSI of the detected device.

e. In the list of APs that detect the device, select an AP and click View Whitelist to
check the WIDS whitelist of the AP.
l Clear device detection statistics.
a. Choose Monitoring > WIDS. The WIDS page is displayed.
b. Click Clear in Device Detection.
l View attack detection results.
a. Choose Monitoring > WIDS. The WIDS page is displayed.
b. View attack detection results in Attack Detection. Table 3-21 describes the attack
detection parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 44

Table 3-21 Attack detection parameters

Parameter Description

Flood attack Number of flood attacks, including the

following types of attacks:
l Flood attack of probe request
frames
l Flood attack of authentication
request frames
l Flood attack of deauthentication
request frames
l Flood attack of association request
frames
l Flood attack of disassociation
request frames
l Flood attack of reassociation
request frames
l Flood attack of action frames
l Flood attack of EAPOL
authentication request frames
l Flood attack of EAPOL offline
frames

Weak IV attack Number of weak IV attacks.

Spoofing attack Number of spoofing attacks, including

the following types of attacks:
l Attack of spoofing deauthentication
frames
l Attack of spoofing disassociation
frames
l Other types of spoofing frames

Brute force cracking Number of brute force cracking

attacks, including the following types
of attacks:
l Brute force cracking attack in
WEP-SK authentication mode
l Brute force cracking attack in
WPA-PSK authentication mode
l Brute force cracking attack in
WPA2-PSK authentication mode
l Brute force cracking attack in
WAPI authentication mode

c. Click a number in the attack detection result list to view details. Table 3-22
describes the parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 45

Table 3-22 Attack detection parameters

Parameter Description

MAC Address MAC address of the attacking device.

Channel Channel used by the attacking device.

RSSI RSSI of the attacking device.

Monitor AP Name of the AP that detects attacks.

Last Discovered At Last time when attack is detected.

NOTE

By default, information about the active attacks is displayed. You can click Historical Attack to
check historical attack detection records.
d. Click View Dynamic Blacklist. The View Dynamic Blacklist page is displayed.
Table 3-23 describes the dynamic blacklist parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 46

Table 3-23 Dynamic blacklist parameters

Parameter Description

MAC Address MAC address of the attacking device.

Attack Type Type of attacks detected.

Monitor AP Name of the AP that detects attacks.

l Clear attack detection statistics.

a. Choose Monitoring > WIDS. The WIDS page is displayed.
b. Click Clear in Attack Detection.
----End

3.10 Spectrum Analysis

Context
The AP3010DN-AGN, AP3010DN-V2, and AP9330DN do not support this function.
On the Spectrum Analysis page, you can enable or disable the spectrum analysis function on
a radio and view spectrum charts. The Spectrum Analysis page can display eight types of
spectrum charts, including Swept Spectrogram, Active Devices, Real-Time FFT, Channel
Metrics, Channel Quality Trend, FFT Duty Cycle, Interference Power, and Quality
Spectrogram.

Table 3-24 Description of spectrum charts

Ty Icon Description
pe

Swe Swept Spectrogram displays RSSI distribution of

pt one or all channels within valid collection intervals.
Spe It can reflect the spectrum characteristics of a
ctro specific device. For example, frequency modulation
gra (FM) devices feature instantaneous frequency
m deviation, such as cordless phones, Bluetooth
devices, and wireless game controllers.
On Swept Spectrogram, the horizontal coordinate
indicates the channel frequencies, and the vertical
coordinate indicates the time (with the latest time
displayed at the bottom). The color brightness
indicates the RSSI strength. The colors blue, green,
cyan, yellow, and red indicate the RSSI strength in
ascending order.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 47

Ty Icon Description
pe

Acti Active Devices displays non-Wi-Fi interference

ve devices identified by the AP.
Dev Currently, the AP can identify baby monitors,
ices Bluetooth devices, digital cordless phones (at 2.4
GHz frequency band only), wireless audio
transmitters, wireless game controllers, and
microwave ovens. Due to spectrum differences of
individual APs, some of these non-Wi-Fi devices
may not be identified.
Active Devices can be displayed as a pie chart

(default) or table. You can click and to

switch between the two display modes.
Active Devices provides the following information:
l Table: type of the detected non-Wi-Fi device,
RSSI, duty cycle, center frequency, time at
which the non-Wi-Fi device is detected,
frequency bandwidth, time at which the non-Wi-
Fi device is activated, and channels affected by
the non-Wi-Fi device
l Pie chart: type of the detected non-Wi-Fi device
and the percentage

Rea Real-Time FFT displays the RSSI values of one or

l- all channels within valid collection intervals.
Tim On Real-Time FFT, the horizontal coordinate
e indicates the channel frequencies, and the vertical
FFT coordinate indicates the RSSI values.

Cha Channel Metrics can be displayed as a bar chart

nnel
Met (default) or table. You can click and to
rics switch between the two display modes.
Channel Metrics provides the following
information:
l Table: channel at which the non-Wi-Fi device is
detected, number of authorized APs, number of
rogue APs, number of non-Wi-Fi devices, center
frequency, channel usage, maximum EIRP, and
maximum interference
l Bar chart: channel usage of Wi-Fi and non-Wi-
Fi devices (On the bar chart, the horizontal
coordinate indicates the channels, and the
vertical coordinate indicates the channel usage.)

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 48

Ty Icon Description
pe

Cha Channel Quality Trend displays the quality trends

nnel of channels. Channel quality = 1 - Sum of duty
Qua cycle of each interference source
lity On Channel Quality Trend, the horizontal
Tre coordinate indicates the time, and the vertical
nd coordinate indicates the channel quality. Channels
are distinguished by the color.

FFT FFT Duty Cycle displays duty cycle information

Dut about each frequency within a valid collection
y interval (60s).
Cyc Duty cycle indicates the ratio of the time segment t
le during which the RSSI value is 20 dB higher than
the predefined noise value to the entire collection
interval T.
On FFT Duty Cycle, the horizontal coordinate
indicates frequencies, and the vertical coordinate
indicates the duty cycle.

Inte Interference Power displays the real-time

rfer interference strength of channels.
enc On Interference Power, the horizontal coordinate
e indicates channels, and the vertical coordinate
Pow indicates the interference signal strength.
er Interference types are distinguished by the color.

Qua Quality Spectrogram displays the quality of one

lity or all channels within valid collection intervals.
Spe Channel quality = 1 - Sum of duty cycle of each
ctro interference source
gra On Quality Spectrogram, the horizontal
m coordinate indicates the channel frequencies, and
the vertical coordinate indicates the time (with the
latest time displayed at the bottom). The color
brightness indicates the channel quality. The colors
blue, green, cyan, yellow, and red indicate the
channel quality in ascending order.

Procedure
l Enable spectrum analysis on a radio and view spectrum charts.
a. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 49

Table 3-25 Parameters on the Radio List page

Parameter Description

AP Name AP name.

AP ID AP ID.

Radio ID Radio ID of an AP.

Working Mode Working mode of a radio.

Frequency Band Frequency band on which a radio works.

Mode Radio type.

Channel Working channel of a radio.

Frequency Channel bandwidth of a radio.

Bandwidth

EIRP/Max EIRP Radio power configured/Maximum power in compliance

with local laws and regulations.

Downlink Packet Downlink Packet Loss Ratio on a radio.

Loss Ratio

Status Whether to enable the spectrum analysis function on a

radio.

b. Select an AP and click Start.

c. In the AP radio list, click View Drawing in the Operation column. The related
spectrum charts are displayed. A maximum of four spectrum charts can be
displayed.
NOTE

If you log in to the web platform using the Chrome browser, simultaneously opening three or
more spectrum charts may have frame freezing. Internet Explorer is recommended for displaying
spectrum charts.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 50

d. Select your desired spectrum chart from the drop-down list box in the upper left
corner. Particularly, you can select Lower or Upper on the spectrum charts of a 5G
radio to view spectrum charts of different frequencies.
e. On the Swept Spectrogram chart, click Modify, set the signal strength scope at
both ends of the color bar, and click Apply.

f. On the Active Devices chart, click . The detected non-Wi-Fi devices are

displayed in a list. Click . The detected non-Wi-Fi devices are displayed in a pie
chart.

Table 3-26 Parameters in the non-Wi-Fi device list

Parameter Description

Device Type Type of the detected non-Wi-Fi device.

Signal RSSI of the non-Wi-Fi device.

Duty Cycle Duty cycle of the non-Wi-Fi device.

First Time Time when the non-Wi-Fi device is detected.

Activity Duration Time when the non-Wi-Fi device is activated.

Channel Affected Channel interfered by the non-Wi-Fi device.

Center Frequency Center frequency of the non-Wi-Fi device.

Bandwidth Bandwidth of the non-Wi-Fi device.

l Disable spectrum analysis on a radio.

a. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.
b. Select an AP and click Stop.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 51

4 Configuration

About This Chapter

4.1 Fast Config

4.2 AC Config
4.3 AP Config
4.4 Security
4.5 Other Services
4.6 Reliability Config

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 52

4.1 Fast Config

4.1.1 AC
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the basic AC attributes are configured.

Procedure
Step 1 Choose Configuration > Fast Config > AC. The AC quick configuration page is displayed.

Step 2 Configure a network interface.

1. Click the name of the target network interface on the 1. Configure Ethernet Interface
page.

2. Configure the parameters in the displayed window. For description of the parameters, see
Table 4-1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 53

Table 4-1 Network interface parameters

Parameter Description

Interface name Interface name.

Default VLAN Default VLAN of the interface.

Link type Link type of the interface.

Added VLAN ID ID of the VLAN to which the interface belongs.

NOTE

– For a hybrid link, enter the VLAN ID, click , and specify a mode (Tagged or Untagged) in the
displayed window.

– For a trunk link, enter the VLAN ID and click to add an interface to the VLAN in tagged mode.
3. Click OK.
4. Click Next.

Step 3 Configure a VLAN.

1. Click Create on the 2. Configure Virtual Interface page.

2. Configure the parameters in the displayed window. For description of the parameters, see
Table 4-2.

Table 4-2 VLAN parameters

Parameter Description

Interface type VLAN type (VLANIF/LoopBack).

VLAN ID ID of the VLAN to be created, which is valid only when the

interface type is VLANIF.

Interface number Number of the interface through which traffic in the VLAN
passes, which is valid only when the interface type is
LoopBack.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 54

Parameter Description

IPv4 address/mask IPv4 address and subnet mask of the VLANIF interface.

IPv6 address/prefix IPv6 address and prefix length of the VLANIF interface.
length

3. Click OK.
4. Click Next.

Step 4 Configure a DHCP address pool.

1. Click Create on the 3. Configure DHCP page.

2. Configure the parameters in the displayed window. For description of the parameters, see
Table 4-3 and Table 4-4.

Table 4-3 Parameters for configuring a DHCP global address pool

Parameter Description

DHCP status Whether to enable the DHCP function globally.

Address pool type DHCP address pool type (global address pool/interface
address pool)

address pool name Name of the global address pool. The name is a string of 1 to
64 characters, including only numbers, letters, dots (.),
hyphens (-), and underscores (_). A single hyphen (-) or
multiple hyphens (--) alone cannot be used as an address
pool name.

Subnet address Available network segment addresses in a global address

pool.

Subnet mask Subnet mask of the IP address assigned to the DHCP client;
namely, the subnet mask of the current interface. The
gateway IP address and subnet mask together identify the
range of an interface address pool.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 55

Parameter Description

Vendor-defined User-defined option for the global IP pool. The options are
as follows:
– none: The user-defined option is not configured for the
interface IP pool.
– sub-option: Specifies the value of the user-defined sub-
options and configures the parameter of the sub-options.
n ascii: Specifies the user-defined option code as an
ASCII character string.
n hex: Specifies the user-defined option code as a
hexadecimal number.
n ip-address: Specifies the user-defined option code as
an IP address. One to eight IP addresses can be
specified.
NOTE
– The user-defined option can only be set to hex or sub-option.
– If the value of the sub-option is 1, the sub-option can only be set
to hex.
– If the value of the sub-option is 2, the sub-option can only be set
to ip-address.
– If the value of the sub-option is 3, the sub-option can only be set
to ascii and only an IP address such as 10.1.1.1 can be entered.

Gateway IP Egress gateway IP address in a global address pool.

– To add a gateway IP address, enter a gateway IP address
and click . You can repeat this operation to add a
maximum of eight gateway IP addresses.
– To delete a gateway IP address, select a gateway IP
address and click .

Address pool interface Interface that can use addresses in the address pool. Users
going online through this interface can obtain configuration
information, such as IP addresses, from the global address
pool.
– To add an interface, select an interface and click . To
add multiple interfaces, repeat this operation.
– To delete an interface, select an interface and click .

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 56

Parameter Description

IP that are not IP address that will not be dynamically allocated to clients.
allocated When IP addresses are assigned to other servers such as
DNS servers, the IP addresses cannot be assigned to DHCP
clients. Specify these IP addresses as forbidden IP addresses.
This operation avoids IP address conflicts and shortens the
IP address detection time during IP address assignment,
which improves DHCP efficiency. Perform the following
operations to add or delete forbidden IP addresses:
– Adding forbidden IP addresses: Set the start and end IP
addresses and click . To add multiple forbidden IP
addresses or IP address segments, repeat this operation.
– Deleting forbidden IP addresses: Select the check boxes
of forbidden IP addresses or select the check box next to
Forbidden IP, and click .

Table 4-4 Parameters for Configuring a DHCP interface address pool

Parameter Description

DHCP status Whether to enable the DHCP function globally.

Address pool type DHCP address pool type (global address pool/interface
address pool)

Select Interface Interface of the DHCP server on which the address pool is
configured. The IP addresses in the network segment to
which the interface IP address belongs can be allocated

Interface IP address IP address of the current interface; namely, the gateway

address of the DHCP client.

Mask Subnet mask of the IP address assigned to the DHCP client;

namely, the subnet mask of the current interface. The
gateway IP address and subnet mask together identify the
range of an interface address pool.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 57

Parameter Description

NOTE

Gateway IP and IP that are not allocated must be in the address pool. To ensure correct
configuration, the Subnet address and Subnet mask parameters of the global address pool and the
Select Interface parameter of the interface address pool can be modified or selected only when
Gateway IP and IP that are not allocated are not configured.
3. Click OK.
4. Click Next.

Step 5 Configure an AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 58

1. Configure the parameters on the 4. Configure AC page. For description of the

parameters, see Table 4-5.

Table 4-5 AC parameters

Parameter Description

AC source address Source interface of an AC.

NOTE
The selected source interface must have an IP address.

AP authentication Mode in which the AC authenticates APs.

mode

2. Click Next.

Step 6 Check and confirm the settings on the 5. Confirm Setting page and click Finish.

----End

4.1.2 AP
l Create an AP group.
a. Choose Configuration > Fast Config > AP.
b. Click Create in AP Group List.
c. Enter the name of the AP group in the displayed window, then click OK.
l Delete an AP group.
a. Choose Configuration > Fast Config > AP.
b. Select the AP group that you want to delete in AP Group List, and click Delete.
c. Click OK in the displayed window.
l View AP configuration in an AP group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 59

a. Choose Configuration > Fast Config > AP.

b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.

Service Settings

Context
This section describes how to create an SSID as well as how to add a VAP to and delete a
VAP from an AP group.

Procedure
l Set the country code for an AP group.
a. Choose Configuration > Fast Config > AP. Select a desired AP group in AP
Group List and click the Service Settings tab.

b. Select the target country or area in the Country code drop-down list box, and click
Apply.
l Create an SSID in an AP group.
a. Choose Configuration > Fast Config > AP. Select a desired AP group in AP
Group List and click the Service Settings tab.
b. Click Create and configure SSID parameters in the displayed window. For
description of the parameters, see Table 4-6, Table 4-7, and Table 4-8.

Table 4-6 Basic SSID parameters

Parameter Description

SSID SSID name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 60

Parameter Description

Forwarding mode Data forwarding mode of the corresponding AP.

Service VLAN Service VLAN bound to the corresponding VAP, which

can be configured as a single VLAN or a VLAN pool.

Service VLAN ID ID of a service VLAN,

which is valid only when Service VLAN is set to Single
VLAN.

VLAN Pool VLAN pool used for service VLANs,

which is valid only when Service VLAN is set to VLAN
Pool.

Radio Radio to which a VAP is applied.

WLAN ID VAP corresponding to the SSID.

Table 4-7 SSID security parameters

Parameter Description

Security Settings Security policy used on a wireless network.

l High: WPA-WPA2 802.1X
l Medium: WPA-WPA2 PSK
l Low: OPEN

Encryption mode Encryption mode of a security policy,

which is valid only when Security Settings is set to
High or Medium.

Password type Password format of a security policy,

which is valid only when Security Settings is set to
Medium.

Password/Confirm Encryption password of a security policy,

password which is valid only when Security Settings is set to
Medium.

Table 4-8 SSID authentication parameters

Parameter Description

Authentication mode Authentication mode used by an STA that accesses a

wireless network using the SSID.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 61

Parameter Description

Server IP IP address of an external RADIUS server,

which is valid only when Authentication mode is set to
External RADIUS.

Port number Port number of an external RADIUS server,

which is valid only when Authentication mode is set to
External RADIUS.

Shared key/Confirm Shared key of an external RADIUS server,

shared key which is valid only when Authentication mode is set to
External RADIUS.

Access mode Access mode of an external RADIUS server,

which is valid only when Authentication mode is set to
Local authentication or External RADIUS.

External Portal External Portal server, which is valid only when Access
Server mode is set to External Portal Server.
l Server name: name of an external Portal server
l URL: interface URL of an external Portal server
l Server IP: IP address of an external Portal server
l Port number: port number of an external Portal
server
l Shared key/Confirm shared key: shared key of an
external Portal server

Built-in Portal Server Built-in Portal server, which is valid only when Access
mode is set to Built-in Portal Server.
l Server IP: IP address of a built-in Portal server
l Port number: port number of a built-in Portal server
l SSL policy: SSL policy

c. Click OK.
l Add an SSID to an AP group.
a. Choose Configuration > Fast Config > AP. Select a desired AP group in AP
Group List and click the Service Settings tab.
b. Click Add. Configure SSID parameters in the displayed window. For description of
the parameters, see Table 4-9.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 62

Table 4-9 SSID parameters

Parameter Description

Select SSID SSID that has been created in another AP group.

Radio Radio associated with the SSID.

WLAN ID VAP associated with the SSID.

l Remove an SSID from an AP group.

a. Choose Configuration > Fast Config > AP. Select a desired AP group in AP
Group List and click the Service Settings tab.
b. Select the SSID that you want to remove and click Remove.
c. Click OK in the displayed window.
----End

AP List

Context
In the AP list, you can add APs to or delete APs from AP groups.

Procedure
l Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an AP group.
a. Choose Configuration > Fast Config > AP. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Select existing APs.

c. Select APs from the list below, and click OK.

l Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to an AP
group.
a. Choose Configuration > Fast Config > AP. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Manually add.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 63

c. Configure AP parameters. For description of the parameters, see Table 4-10.

Table 4-10 Parameters for manually adding an AP

Parameter Description

Keyword Keyword specified when an AP is manually added,

which can be the AP's MAC address or SN.

AP MAC MAC address of the new AP.

AP ID ID of the new AP.

AP type Type of the new AP.

AP SN Serial number of the AP.

NOTE

You can click to add a maximum of 10 APs manually.

d. Click OK.
l Import APs using a template.
This operation allows you to manually add multiple APs offline to an AP group.

NOTE

If AP authentication mode is set to SN authentication, ensure that the AP SNs have been
configured when importing APs offline.
It is recommended that you export the planned radio ID, AP channel, frequency bandwidth, and
power into a .csv file using WLAN Planner, fill in the AP file template with the collected
information, and then import the new file to the AC using the web system.
a. Choose Configuration > Fast Config > AP. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Batch import.

c. Click to download the batch import template to your local computer.

d. Use the network planning and optimization tool to plan the network parameters and
export the planned parameters to the AP information template. Table 4-11 describes
the parameters of the AP information template.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 64

NOTE

If you download an AP information template of the Chinese web system under an English
Windows operating system (OS), the Chinese characters in the AP information template cannot be
displayed. You can choose Start > All Programs > Microsoft Office > Microsoft Office Tools >
Microsoft Office 2003 Language Settings in the Windows OS (take Microsoft Office 2003 as an
example) and set Primary Editing Language to Chinese(PRC) in the Editing Language tab.
After completing the setting, restart the Microsoft Office Excel and open the AP information
template. The Chinese characters in the template will be displayed normally.

Table 4-11 Parameters of the AP information template

Parameter Description

AP ID ID of the AP. If an AP is imported not for the first time

and the MAC address of the AP is not specified, the AP
ID is mandatory; otherwise, the AP ID is optional.

AP Name Name of the AP. This parameter is optional.

AP Type Type of the AP. This parameter is optional.

AP MAC MAC address of the AP. If the AP authentication mode is

MAC address authentication, AP MAC must be set when
the AP is imported for the first time or the AP ID is not
specified.

AP SN SN of the AP. If the AP authentication mode is SN

authentication, AP SN must be set when the AP is
imported for the first time.

AP Group AP group to which the AP belongs. This parameter is

optional.

Radio ID Radio ID of the AP. This parameter is optional. If you set

Channel, Band Width, or Power, Radio ID must be set.

Channel Radio channel of the AP. This parameter is optional. If

you set this parameter, Band Width and Radio ID must
be set.

Band Width Radio bandwidth of the AP. This parameter is optional. If

you set this parameter, Channel and Radio ID must be
set.

Power Radio power of the AP. This parameter is optional. If you

set this parameter, Radio ID must be set.

Longitude Longitude of the AP. This parameter is optional. If you

set this parameter, Latitude must be set.

Latitude Latitude of the AP. This parameter is optional. If you set

this parameter, Longitude must be set.

e. Click ... to select the batch import template, then click Import.
f. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 65

After APs are imported in batches, error information is displayed in red in the
result. Move the cursor to error information to view the error message.

NOTE

If the message "Your browser's security settings are too high to complete this process. See the
help menu for instructions on adjusting your security settings." is displayed during file upload,
configure the Internet Explorer as follow:
1. Choose Tools > Internet Options > Security > Custom Level.
2. Click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe
for scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the message "An
ActiveX control on this page might be unsafe to interact with other parts of the page. Do you
want to allow this interaction?" is displayed. If you click Yes, the file can be uploaded.
3. Click Enable next to Include local directory path when uploading files to a server.

----End

4.1.3 Mesh
l Create an AP group.
a. Choose Configuration > Fast Config > AP.
b. Click Create in AP Group List.
c. Enter the name of the AP group in the displayed window, then click OK.
l Delete an AP group.
a. Choose Configuration > Fast Config > AP.
b. Select the AP group that you want to delete in AP Group List, and click Delete.
c. Click OK in the displayed window.
l View AP configuration in an AP group.
a. Choose Configuration > Fast Config > AP.
b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.

Service Setting

Context
This section allows you to configure Mesh parameters for all APs in an AP group.

Procedure
Step 1 Choose Configuration > Fast Config > Mesh. In AP Group List, select an AP group, then
click the Service Setting tab.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 66

Step 2 Configure Mesh parameters for all APs in the AP group. For description of the parameters,
see Table 4-12.

Table 4-12 Mesh parameters

Parameter Description

Mesh role Role of a Mesh node.

l Mesh-Portal: MPP
l Mesh-node: MP

Radio Radio used by Mesh links.

l Radio 0: 2.4 GHz
l Radio 1: 5 GHz

Mesh ID Mesh ID in the Mesh profile.

Bandwidth Operating bandwidth of the radio.

Radios of different AP nodes on a Mesh link must be configured
with the same bandwidth.

Channel Radio channel.

Radios of different AP nodes on a Mesh link must be configured
with the same channel.

EIRP Transmit power of a radio.

WDS/Mesh bridge Radio coverage distance.

distance

Antenna gain Antenna gain of a radio.

Security policy Security policy in the Mesh profile. Currently, the Mesh profile
supports only the security policy WPA2+PSK+AES.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 67

Parameter Description

Password type Shared key authentication.

l PASS-PHRASE: indicates a key phrase.
l HEX: indicates a hexadecimal number.

Password Authentication key.

Step 3 Configure a Mesh whitelist.

After the Mesh whitelist is bound to an AP radio, only neighboring APs with MAC addresses
in the whitelist can connect to the AP.
1. Click Edit following Mesh Whitelist.

2. Configure the Mesh whitelist in the displayed window.

– To add MAC addresses to the Mesh whitelist, enter AP MAC addresses and click
.
– To delete MAC addresses from the Mesh whitelist, select AP MAC addresses that
you want to delete and click .
3. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 68

Step 4 Click Apply.

----End

AP List

Context
In the AP list, you can add APs to or delete APs from AP groups.

Procedure
l Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an AP group.
a. Choose Configuration > Fast Config > Mesh. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Select existing APs.

c. Select APs that you want to add to the AP group from the list below, and click OK.
l Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to an AP
group.
a. Choose Configuration > Fast Config > Mesh. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Manually add.

c. Configure AP parameters. For description of the parameters, see Table 4-13.

Table 4-13 Parameters for manually adding an AP

Parameter Description

Keyword Keyword specified when an AP is manually added,

which can be the AP's MAC address or SN.

AP MAC MAC address of the new AP.

AP ID ID of the new AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 69

Parameter Description

AP type Type of the new AP.

AP SN Serial number of the AP.

NOTE

You can click to add a maximum of 10 APs manually.

d. Click OK.
l Import APs using a template.
This operation allows you to manually add multiple APs offline to an AP group.

NOTE

If AP authentication mode is set to SN authentication, ensure that the AP SNs have been
configured when importing APs offline.
a. Choose Configuration > Fast Config > Mesh. In AP Group List, select the AP
group to which you want to add APs, then click the AP List tab.
b. Click Add. On the page that is displayed, set Mode to Batch import.

c. Click to download the batch import template to your local computer.

d. Use the network planning and optimization tool to plan the network parameters and
export the planned parameters to the AP information template. Table 4-14 describes
the parameters of the AP information template.
NOTE

Table 4-14 Parameters of the AP information template

Parameter Description

AP ID ID of the AP. If an AP is imported not for the first time

and the MAC address of the AP is not specified, the AP
ID is mandatory; otherwise, the AP ID is optional.

AP Name Name of the AP. This parameter is optional.

AP Type Type of the AP. This parameter is optional.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 70

Parameter Description

AP MAC MAC address of the AP. If the AP authentication mode is

MAC address authentication, AP MAC must be set when
the AP is imported for the first time or the AP ID is not
specified.

AP SN SN of the AP. If the AP authentication mode is SN

authentication, AP SN must be set when the AP is
imported for the first time.

AP Group AP group to which the AP belongs. This parameter is

optional.

Radio ID Radio ID of the AP. This parameter is optional. If you set

Channel, Band Width, or Power, Radio ID must be set.

Channel Radio channel of the AP. This parameter is optional. If

you set this parameter, Band Width and Radio ID must
be set.

Band Width Radio bandwidth of the AP. This parameter is optional. If

you set this parameter, Channel and Radio ID must be
set.

Power Radio power of the AP. This parameter is optional. If you

set this parameter, Radio ID must be set.

Longitude Longitude of the AP. This parameter is optional. If you

set this parameter, Latitude must be set.

Latitude Latitude of the AP. This parameter is optional. If you set

this parameter, Longitude must be set.

e. Click ... to select the batch import template, then click Import.
f. Click OK.

After APs are imported in batches, error information is displayed in red in the
result. Move the cursor to error information to view the error message.

----End

4.2 AC Config
4.2.1 Basic Config

AC Configuration

Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the AC basic parameters are configured.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 71

Procedure
Step 1 Choose Configuration > AC Config > Basic Config > AC Configuration. The AC
Configuration page is displayed.

Step 2 Configure AC basic parameters. The following table describes the AC basic parameters.

Table 4-15 AC basic parameters

Parameter Description

AC source address Source interface of the AC.

l VLANIF: A VLANIF interface is used as the source
interface.
l LoopBack: A loopback interface is used as the source
interface.
l IP Address: The virtual IP address of the VRRP group is
used as the source interface.
NOTE
The selected source interface must have an IP address.

To delete the AC's source interface, click .

AP data buffer Whether to enable the AC to buffer AP data.

Buffer duration Period during which an AC buffers AP data. The parameter

takes effect only when you set AP data buffer to ON.

AP authentication mode Authentication mode used to authenticate APs. By default, the

AC authenticates APs using MAC address authentication.
NOTE
l MAC address authentication: The AP authentication mode can be set
to MAC address authentication.
l SN authentication: The AP authentication mode can be set to SN
authentication.
l Non-authentication: The AP authentication mode can be set to non-
authentication.
NOTE
When the parameter is set to MAC address authentication or SN
authentication, you can click Add AP to add APs manually or import
APs in batches. For details, see AP Info.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 72

Parameter Description

IPv6 services for STAs Whether to enable IPv6 services for STAs.

Table 4-16 AC advanced parameters

Parameter Description

Priority of CAPWAP Priority of CAPWAP management packets sent from an AC to

management packets AP.
sent form AC to AP

Priority of CAPWAP Priority of CAPWAP management packets sent from an AP to

management packets AC.
sent form AP to AC

Allow AP to establish Whether to allow an AP to establish a DTLS session with an AC

DTLS session with AC using the default pre-shared key.
using default pre-shared
key

Pre-shared key Pre-shared key used for DTLS encryption.

Confirm pre-shared key Confirmation of the pre-shared key used for DTLS encryption.

CAPWAP heartbeat CAPWAP heartbeat detection interval.

detection interval

CAPWAP heartbeat Number of CAPWAP heartbeat detections.

detection count

Step 3 Click Apply.

----End

Inter-AC Roaming

Context
On a WLAN, a STA can only roam between ACs in the same mobility group. To enable inter-
AC roaming, you can configure a mobility group and add ACs to the mobility group.
To support inter-AC roaming, ACs in a mobility group must be able to identify each other.
l Remote obtain: If an AC is specified as the mobility server, configure a mobility group
on the mobility server, add ACs to the group, and specify the mobility server on the ACs
in the group. The mobility server will deliver configurations of the mobility group to all
the ACs in the group. After an AC receives configurations of the mobility group, the AC
automatically sets up inter-AC tunnels with other ACs in the group. The inter-AC
tunnels are used for ACs to exchange STA information and forward service packets
when STAs roam between ACs.
l Local configuration: If no AC is specified as the mobility server, configure the mobility
group on each AC in the group and add ACs to the group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 73

Procedure
l Local configuration
a. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.
b. Set Mobility group configuration mode to Local configuration. Set other inter-
AC roaming parameters. See Table 4-17 for descriptions of inter-AC roaming
parameters.

Table 4-17 Local configuration parameter description

Item Description

DTLS encryption DTLS encryption of an inter-AC

tunnel.
l ON: Enable DTLS encryption of an
inter-AC tunnel.
l OFF: Disable DTLS encryption of
an inter-AC tunnel.
By default, DTLS encryption of an
inter-AC tunnel is disabled.

PSK key Pre-shared key used for DTLS

encryption of an inter-AC tunnel.
This parameter needs to be configured
when DTLS encryption of an inter-AC
tunnel is enabled.
By default, the pre-shared key used for
DTLS encryption of an inter-AC tunnel
is huawei_seccwp.

Confirm PSK key Confirms the PSK key. The format of

this parameter is the same as that of
PSK key.

Mobility Group List Mobility groups configured on the

mobility server.

Mobility Group Name Configured mobility group name.

Added AC IP Address IP addresses of the ACs added in a

mobility group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 74

c. Configure a mobility group.

n Create a mobility group.
1) Choose Configuration > AC Config > Basic Config > Inter-AC
Roaming. The Inter-AC Roaming page is displayed.
2) In Mobility Group List, click Create. The Create Mobility Group page
is displayed. Set related parameters to configure the mobility group.

3) Click OK. A mobility group is created.

n Modify a mobility group.
1) Choose Configuration > AC Config > Basic Config > Inter-AC
Roaming. The Inter-AC Roaming page is displayed.
2) In Mobility Group List, click the name of the mobility group that you
want to modify. The Modify Mobility Group page is displayed.
3) On the Modify Mobility Group page, modify the corresponding
parameters.
NOTE
The name of the selected mobility group cannot be modified.
4) Click OK. The selected mobility group is modified.
n Delete a mobility group.
1) Choose Configuration > AC Config > Basic Config > Inter-AC
Roaming. The Inter-AC Roaming page is displayed.
2) In Mobility Group List, select a mobility group to be deleted and click
Delete. The Info dialogue box is displayed. Click OK. The selected
mobility group is deleted.

d. In Mobility Group List, click . Details about configured mobility groups are
displayed. Table 4-18 lists the parameters.

Table 4-18 Mobility group parameter description

Item Description

AC IP IP addresses of the ACs added in a

mobility group.

Status Status of the ACs in a mobility group.

Description Description of the ACs in a mobility

group.

e. Click Apply. The inter-AC roaming configuration is complete.

l Remote obtain
a. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 75

b. Set Mobility group configuration mode to Remote obtain. Set other inter-AC
roaming parameters. See Table 4-19 for descriptions of inter-AC roaming
parameters.

NOTE

DTLS encryption must be enabled on ACs at both ends of the tunnel, and the ACs must have the
same pre-shared key.

Table 4-19 Remote obtain parameter description

Item Description

DTLS encryption DTLS encryption of an inter-AC

tunnel.
l ON: Enable DTLS encryption of an
inter-AC tunnel.
l OFF: Disable DTLS encryption of
an inter-AC tunnel.
By default, DTLS encryption of an
inter-AC tunnel is disabled.

PSK key Pre-shared key used for DTLS

Confirm PSK key Confirms the PSK key. The format of

this parameter is the same as that of
PSK key.

Remote AC IP address IP address of the mobility server

specified for the AC.

c. Click Apply. The inter-AC roaming configuration is complete.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 76

Radio Calibration

Procedure
l Configure manual calibration.
a. Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.
b. Set Calibration to ON.
c. Set Calibration mode to Manual.

d. Set calibration parameters. Table 4-20 describes the calibration parameters.

Table 4-20 Calibration parameters

Parameter Description

Calibration policy Calibration policy.

l Rogue AP
When rogue APs (rogue APs
cannot be controlled by an AC)
exist on a network, set the radio
calibration policy to Rogue AP.
The device then implements radio
calibration to minimize the rogue
AP interference on the entire
network.
l Load
When an AP is heavily loaded, set
the radio calibration policy to
Load. The device then
preferentially allocates channels
with a little interference to the
heavily loaded APs.
l Non-Wi-Fi
When non-Wi-Fi devices exist on a
network, set the radio calibration
policy to Non-Wi-Fi. The device
then implements radio calibration to
reduce interference of non-Wi-Fi
devices on the network.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 77

Parameter Description

Calibration sensitivity Configure radio calibration sensitivity.

There are three levels of radio
calibration sensitivity:
l Low
l Medium
l High

e. Click Apply. In the Info dialog box that is displayed, click OK.
f. Click Immediate Calibration to trigger the calibration.
l Configure automatic calibration.
a. Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.
b. Set Calibration to ON.
c. Set Calibrate mode to Auto and specify Calibration interval(min) and Start time
point.

d. Set calibration parameters. Table 4-20 describes the calibration parameters.

e. Click Apply. In the Info dialog box that is displayed, click OK.
l Configure scheduled calibration.
a. Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.
b. Set Calibration to ON.
c. Set Calibrate mode to Scheduled and specify Start time point.

d. Set calibration parameters. Table 4-20 describes the calibration parameters.

e. Click Apply. In the Info dialog box that is displayed, click OK.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 78

4.2.2 VLAN
VLAN

Context
After an interface is added to a VLAN, the interface can forward packets of the VLAN.
Devices in a VLAN can directly communicate with each other, whereas devices in different
VLANs cannot. Broadcast packets are forwarded within a VLAN.

Procedure
l Enable global IPv6.
a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
b. Select ON or OFF next to Global IPv6 to enable or disable global IPv6.
l Create a VLAN.
a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
b. Click Create. Set parameters on the Create VLAN page. Table 4-21 describes the
parameters for creating a VLAN.

c. Click OK.
The created VLAN is added to the VLAN list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 79

Repeat steps 2 and 3 to create multiple VLANs.

Table 4-21 Parameters for creating a VLAN

Parameter Description

VLAN ID ID of the VLAN to be created.

Description Description of the VLAN.

Select Interface Adds or deletes interfaces that allow

packets from the VLAN to pass
through. The procedure for adding or
removing interfaces is as follows:
l Adding interfaces: In Available
Interface List, select the interfaces
that you want to add and click

. Set Link type and Mode

on the Modify Link Type page.
Click OK. The selected interfaces
are added to Added Interface List.
l Removing interfaces: In Added
Interface List, select the interfaces
that you want to delete and click

. The selected interfaces

are added to Available Interface
List.

Modify Link Type

Link type Link type of the interface: hybrid,

access or trunk.

Mode Mode in which the interfaces are added

to the VLAN: tagged or untagged.

Creat VLANIF

Description Description of a VLANIF interface.

IP address format IP address format of the VLANIF

interface.

IPv4 address/mask IPv4 address and mask of the VLANIF

interface.

IPv6 address/prefix length IPv6 address and mask of the VLANIF

interface.

l Modify a VLAN.
a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 80

b. In the VLAN list, click the name of the VLAN that you want to modify.
c. On the Modify VLAN page, modify parameters. Table 4-21 describes the
parameters. VLAN ID cannot be modified.
d. Click OK.
l Delete a VLAN.
a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
b. In the VLAN list, select the VLAN that you want to delete and click Delete. In the
Info dialog box that is displayed, click OK. The selected VLAN is deleted.
l Create VLANs in batches.
a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
b. Click Batch Create.
c. In Batch Create VLAN, enter IDs of the VLANs that you want to create and click
OK.

l Delete VLANs in batches.

a. Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
b. Click Batch Delete.
c. In Batch Delete VLAN, enter IDs of the VLANs that you want to delete and click
OK.

----End

VLANIF

Context
A VLANIF interface is a Layer 3 interface and can be configured with an IP address. Before
creating a VLANIF interface, you must create a VLAN. A device can use a VLANIF interface
to communicate with devices at the network layer.

NOTICE
Assume that the VLANIF interface address is the IP address for logging in to the web
platform. If the VLANIF interface is deleted or shut down, you cannot log in to the web
platform. If the VLANIF interface IP address is changed, you must use the new IP address to
log in to the web platform.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 81

Procedure
l Enable global IPv6.
a. Choose Configuration > AC Config > VLAN > VLANIF. The VLANIF page is
displayed.
b. Select ON or OFF next to Global IPv6 to enable or disable global IPv6.
l Create a VLANIF interface.
a. Choose Configuration > AC Config > VLAN > VLANIF. The VLANIF page is
displayed.
b. Click Create. Set parameters on the Create VLANIF page. Table 4-22 describes
the parameters for creating a VLANIF interface.

c. Click OK.
The created VLANIF interface is added to the VLAN interface list.

Table 4-22 Parameters for creating a VLANIF interface

Parameter Description

VLAN ID ID of the VLAN for which a VLANIF

interface is created.
NOTE
The specified VLAN must exist.

Interface status Whether to enable VLANIF interfaces.

MTU MTU of the VLANIF interface.

Description Description of the VLANIF interface.

IP address format IP address format of the VLANIF

interface.

IPv4 Address

Primary IP address/mask Primary IP address and mask of the

VLANIF interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 82

Parameter Description

Secondary IP address/mask Secondary IP address and mask of the

VLANIF interface.
To implement communication between
multiple subnets of an interface,
configure secondary IP addresses for
the interface. Click to add multiple
secondary IP addresses. A maximum
of 31 secondary IP addresses can be
added.

IPv6 Address

IPv6 address/prefix length IPv6 address and prefix length of the

VLANIF interface.

l Modify a VLANIF interface.

a. Choose Configuration > AC Config > VLAN > VLANIF. The VLANIF page is
displayed.
b. In the VLANIF interface list, click the name of the VLANIF interface that you want
to modify.
c. On the Modify VLANIF page, modify parameters. Table 4-22 describes the
parameters. VLAN ID cannot be modified.
d. Click OK.
l Delete a VLANIF interface.
a. Choose Configuration > AC Config > VLAN > VLANIF. The VLANIF page is
displayed.
b. In the VLANIF interface list, select the VLANIF interface that you want to delete
and click Delete. In the Info dialog box that is displayed, click OK.
----End

VLAN Pool

Context
You can add multiple VLANs to a VLAN pool and configure the VLANs as service VLANs.
In this way, an SSID can use multiple service VLANs to provide wireless access services.
STAs are dynamically assigned to VLANs in the VLAN pool, which reduces the number of
STAs in each VLAN and also the size of the broadcast domain. Additionally, IP addresses are
evenly allocated, preventing IP address waste.

Procedure
l Enable global IPv6.
a. Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool
page is displayed.
b. Select ON or OFF next to Global IPv6 to enable or disable global IPv6.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 83

l Create a VLAN pool.

a. Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool
page is displayed.
b. Click Create. Set parameters listed in Table 4-23.

Table 4-23 Parameters for creating a VLAN pool

Parameter Description

VLAN pool name -

VLAN assignment VLAN assignment algorithm in the VLAN pool.

mode l When the VLAN assignment algorithm is set to even,
service VLANs are assigned to STAs from the VLAN
pool based on the order in which STAs go online. The
STAs are assigned a similar number of IP addresses.
If a STA goes online many times, it obtains different
IP addresses.
l When the VLAN assignment algorithm is set to hash,
VLANs are assigned to STAs from the VLAN pool
based on the harsh result of their MAC addresses. As
long as the VLANs in the VLAN pool do not change,
the STAs obtain fixed service VLANs. A STA is
preferentially assigned the same IP address when
going online at different times.

VLAN ID VLAN ID used by add or delete the VLAN.

l Adding a VLAN: Enter its VLAN ID and click .
l Deleting a VLAN: Enter its VLAN ID and click .

l Modify a VLAN pool.

a. Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool
page is displayed.
b. In the VLAN pool list, click the name of the VLAN pool that you want to modify.
c. Modify parameters on the page that is displayed. Table 4-23 describes the
parameters. VLAN pool name cannot be modified.
d. Click OK.
l Delete a VLAN pool.
a. Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool
page is displayed.
b. Select the VLAN pool that you want to delete and click Delete.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 84

c. Click OK.
l Display or hide the reference relationship.
a. Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool
page is displayed.
b. Select a VLAN pool and click Display Reference to view the reference type and
name.

Click Hide Reference to hide the displayed reference relationship.

----End

4.2.3 Interface

Interface Attribute

Context
You can view and configure Ethernet interfaces as required.

Procedure
l Modify interface attributes.
a. Choose Configuration > AC Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
b. Click the interface name. On the Modify Interface Settings page that is displayed,
modify interface parameters. Table 4-24 describes the interface parameters.

c. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 85

Table 4-24 Description of parameters for modifying interface attributes

Parameter Description

Interface name Name of the Ethernet interface.

NOTE
The name of the Ethernet interface cannot
be modified.

Default VLAN Default VLAN to which the interface

is added.
NOTE
The default VLAN must exist on the
device.

Interface status Status of the physical interface (open

or close).

Link type Link type of the interface.

Description Interface description.

PHB mapping Whether PHB mapping is configured

for outgoing packets on an interface.

Added VLAN ID VLAN IDs allowed on the interface.

l When Link type is Access, only
packets of the default VLAN are
allowed to pass through the
interface.
l When Link type is Hybrid,
packets of VLANs are configured
to pass through the interface in
tagged or untagged mode.
l When Link type is Trunk, packets
of VLANs are configured to pass
through the interface only in tagged
mode.

Configure attack defense

Attack Defense Profile Attack defense profile referenced on a

specified interface.

l Delete interface attributes.

a. Choose Configuration > AC Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
b. Select the physical interface whose configuration needs to be cleared and click
Clear Settings. In the Info dialog box that is displayed, click OK.

After attribute configurations of the interface are cleared, the default attribute
settings are used.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 86

Logical Interface

Context
Logical interfaces are manually configured interfaces and can be used to exchange data but do
not exist physically. Loopback interfaces are logical interfaces that can be configured through
the web platform. Once a loopback interface is configured, its status remains UP. Users can
configure loopback interfaces to improve network reliability.

Procedure
l Create a logical interface.
a. Choose Configuration > AC Config > Interface > Logical Interface. The Logical
Interface page is displayed.
b. Click Create. On the Create Logical Interface page that is displayed, set
parameters. Table 4-25 describes the parameters for creating a logical interface.

c. Click OK.
The new logical interface is added to the logical interface list.

Table 4-25 Parameters for creating a logical interface

Parameter Description

Interface type Logical interface type. The type is

specified as loopback and cannot be
modified.

Interface number Number of a loopback interface.

Description Description of a loopback interface.

IP address format IP address format of the VLANIF

interface.

Primary IP address/mask Primary IP address and mask of the

VLANIF interface

Secondary IP address/mask Secondary IP address and mask of the

VLANIF interface.

IPv6 address/prefix length IPv6 address and mask of the VLANIF

interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 87

l Modify a logical interface.

a. Choose Configuration > AC Config > Interface > Logical Interface. The Logical
Interface page is displayed.
b. Click the name of the logical interface that you want to modify.
c. On the Modify Logical Interface page that is displayed, reconfigure parameters.
Table 4-25 describes the parameters. Interface type and Interface number cannot
be modified.
d. Click OK.
l Delete a logical interface.
a. Choose Configuration > AC Config > Interface > Logical Interface. The Logical
Interface page is displayed.
b. In the logical interface list, select the logical interface that you want to delete and
click Delete. In the Info dialog box that is displayed, click OK.
NOTE

A logical interface on which WLAN services are being transmitted cannot be deleted. To delete
the interface, remove the WLAN services bound to the interface first.

----End

Eth-Trunk
Eth-Trunk load balances incoming and outgoing traffic among multiple links and improves
the bandwidth and connection reliability between two devices.

Context
You can configure Eth-Trunk in the following scenarios:
l The bandwidth is insufficient when two devices are connected through only one link.
l The connection reliability cannot meet requirements when two devices are connected
through only one link.

Procedure
l Set the system LACP priority.
a. Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk
page is displayed.

b. Enter the system LACP priority. A smaller value indicates a higher priority.
c. Click Apply.
l Create an Eth-Trunk interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 88

a. Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk
page is displayed.
b. In Eth-Trunk Interface List, click Create. The Create Eth-Trunk page is
displayed.

Table 4-26 describes the parameters on the Create Eth-Trunk page.

Table 4-26 Parameters on the Create Eth-Trunk page

Parameter Description

Interface ID ID of an Eth-Trunk interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 89

Parameter Description

Working mode Working mode of an Eth-Trunk

interface, including:
l Manual load balancing mode
When the bandwidth or reliability
between two devices needs to be
increased and one device does not
support LACP, you can create an
Eth-Trunk interface in manual load
balancing mode and add member
interfaces to the Eth-Trunk
interface.
l Static LACP made
The links between two devices can
implement redundancy backup.
When a fault occurs on some links,
the backup links replace the faulty
ones to sustain ongoing data
transmissions.
NOTE
l You can change the working mode of
an Eth-Trunk interface only when the
Eth-Trunk interface has no member
interface.
l The working modes on the local end
and remote end must be the same.

Lower threshold for active interfaces Lower threshold of active member

interfaces. You can specify the lower
threshold to determine the minimum
number of active member interfaces in
an Eth-Trunk interface. If the number
of active member interfaces is smaller
than this value, the status of the Eth-
Trunk interface becomes Down.
NOTE
l The upper threshold of active member
interfaces must be greater than or equal
to the lower threshold of active
member interfaces.
l The lower thresholds of active member
interfaces can be set to different values
for the local end and remote end. If the
lower thresholds at the two ends are
different, the greater one is used.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 90

Parameter Description

Upper threshold for active interfaces Upper threshold of active member

interfaces.
NOTE
l The upper threshold of active member
interfaces must be greater than or equal
to the lower threshold of active
member interfaces.
l The upper thresholds of active member
interfaces can be set to different values
for the local end and remote end. If the
upper thresholds at the two ends are
different, the smaller one is used.
l In manual load balancing mode, this
parameter has a fixed value 8.

LACP timeout interval(s) Timeout interval at which LACP

packets are received.
If a local member interface does not
receive any LACP packet within the
configured timeout interval, it goes
down immediately and no longer
forwards data.

LACP preemption LACP preemption.

In LACP mode, when one of the active
links fails, the system selects the link
of the highest priority from backup
links to replace the faulty one. When
the faulty link is restored and LACP
preemption is enabled, the faulty link
replaces the backup link and switches
to active state if the priority of the
faulty link is higher than that of the
backup one.

Preemption time LACP preemption time.

After LACP preemption is enabled and
the LACP preemption time is set, when
the faulty link (link A) recovers, if the
priority of the link is higher than that
of the current active link (link B) and
the number of current active links
reaches the upper threshold, link A
replaces link B and becomes active
after the LACP preemption time
expires.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 91

Parameter Description

Load balancing mode Load balancing mode of Eth-Trunk,

including:
l desIp: Based on destination IP
addresses
l desMac: Based on destination MAC
addresses
l sourceIp: Based on source IP
addresses
l sourceDesIp: Based on the
"Exclusive-OR" result of the source
and destination IP addresses
l sourceMac: Based on source MAC
addresses
l sourceDesMac: Based on the
"Exclusive-OR" result of the source
and destination MAC addresses

Link type Link type of an interface. This

parameter cannot be changed.

Jumbo frame Maximum length of a jumbo frame. If

you do not enter any value, the default
value is used.

Interface description Description of the created Eth-Trunk

interface.

Select Interface Adds member interfaces to the Eth-

Trunk interface. The selected interface
is displayed in the following interface
list.
An Eth-Trunk interface contains a
maximum of 8 member interfaces.
NOTE
l The member interfaces of an Eth-Trunk
interface must be of the same type.
That is, Ethernet interfaces and
GigabitEthernet interfaces cannot be
added to the same Eth-Trunk interface.
l A member interface cannot be an Eth-
Trunk interface.

c. Set the required parameters.

When selecting an interface,

n If this interface has no configuration, you can select it.
n If this interface has configurations except shutdown and combo, the Error
page is displayed. You can clear the original configurations of this interface or
select a new interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 92

n If the working mode of the Eth-Trunk interface is set to static LACP, you can
specify the LACP priority of the interface.
d. Click OK.
l Modify an Eth-Trunk interface.
a. Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk
page is displayed.
b. Select the Eth-Trunk interface that you want to modify and click the interface name.
The Modify Eth-Trunk page is displayed.
Table 4-26 describes the parameters on the Modify Eth-Trunk page.

NOTE

l The Eth-Trunk interface name cannot be modified.

l Before changing the working mode of an Eth-Trunk interface, ensure that the Eth-Trunk
interface contains no member interface.
c. Set the required parameters.
When selecting an interface,
n If this interface has no configuration, you can select it.
n If this interface has configurations except shutdown and combo, the Error
page is displayed. You can clear the original configurations of this interface or
select a new interface.
n If the working mode of the Eth-Trunk interface is set to static LACP, you can
specify the LACP priority of the interface.
d. Click OK.
l Delete an Eth-Trunk interface.
a. Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk
page is displayed.
b. Select the Eth-Trunk interface that you want to delete and click Delete. The system
asks you whether to delete the interface.
c. Click OK.
NOTE

An Eth-Trunk interface cannot be deleted when it has member interfaces.

l Check member interfaces of an Eth-Trunk interface.
a. Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk
page is displayed.
b. Click the row of the Eth-Trunk interface about which you want to check member
interface information. In Eth-Trunk Member Interface, you can check
information about the member interfaces, including Interface Name, Interface
Status, and LACP Priority.
----End

4.2.4 IP

DHCP Address Pool

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 93

Context
After a global address pool or interface address pool is configured, users who go online from
all interfaces or a specified interface can obtain configuration information such as IP
addresses from the DHCP Address pool.

Procedure
l Enable DHCP globally.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Address Pool. The DHCP Address Pool tab page is displayed.
b. Select ON or OFF next to DHCP status to enable or disable DHCP.

n When ON is selected, DHCP is enabled. In the Info dialog box that is

displayed, click OK.
n When OFF is selected, DHCP is disabled. In the Info dialog box that is
displayed, click OK.
l Create a DHCP address pool.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Address Pool. The DHCP Address Pool tab page is displayed.
b. In the Address Pool List area, click Create. In the Create DHCP Address Pool
dialog box that is displayed, set parameters described in Table 4-27 and Table 4-28.

Table 4-27 Parameters for creating a global address pool

Parameter Description

Address pool name Name of a global address pool. It is a

string of 1 to 64 characters and can
only contain digits, letters, dots (.),
hyphens (-), and underlines (_). The
value cannot be - or --.

Subnet address Network segment that can be allocated

in the global address pool.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 94

Parameter Description

Subnet mask Subnet mask of the IP address assigned

to the DHCP client, that is, subnet
mask of the selected interface. The
gateway IP address and the subnet
mask identify an address pool of the
interface.

Vendor-defined User-defined option for the global IP

pool. The options are as follows:
l none: The user-defined option is
not configured for the interface IP
pool.
l sub-option: Specifies the value of
the user-defined sub-options and
configures the parameter of the sub-
options.
– ascii: Specifies the user-defined
option code as an ASCII
character string.
– hex: Specifies the user-defined
option code as a hexadecimal
number.
– ip-address: Specifies the user-
defined option code as an IP
address. One to eight IP
addresses can be specified.
NOTE
l The user-defined option can only be set
to hex or sub-option.
l If the value of the sub-option is 1, the
sub-option can only be set to hex.
l If the value of the sub-option is 2, the
sub-option can only be set to ip-
address.
l If the value of the sub-option is 3, the
sub-option can only be set to ascii and
only an IP address such as 10.1.1.1 can
be entered.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 95

Parameter Description

Lease IP address lease of DHCP clients, that

is, duration during which IP addresses
assigned to DHCP clients take effect.
Set this parameter based on the
duration during which DHCP clients of
the interface address pool are
connected to the network. For
example, set a short lease, such as 8
hours, for wireless clients who
frequently connect to and disconnect
from the wireless network. Set a long
lease even a permanent lease for stable
clients.

Primary DNS server Primary DNS server address assigned

to the DHCP client.

Secondary DNS server Secondary DNS server address

assigned to the DHCP client. When the
primary DNS server fails to perform
domain name resolution, the DHCP
client sends a domain name resolution
request to the secondary DNS server.

Primary WINS server Primary WINS server address assigned

to the DHCP client. The DHCP client
running the Windows operating system
uses the Network Basic Input Output
System (NetBIOS) protocol for
communication. The NetBIOS server
translates host names to IP addresses
for the client. Translating the NetBIOS
name into an IP address is performed
locally, in broadcast mode, or by a
WINS server. Ensure that the route
between the primary WINS server and
the DHCP server is reachable.

Secondary WINS server Secondary WINS server address

assigned to the DHCP client. When the
primary WINS server fails to perform
NetBIOS name resolution, the DHCP
client sends a NetBIOS name
resolution request to the secondary
WINS server. Ensure that the route
between the secondary WINS server
and the DHCP server is reachable.

DNS domain name Suffix of the domain name that the

DNS server allocates to the DNS
client.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 96

Parameter Description

Gateway IP Egress gateway address of the global

address pool. Perform the following
operations to create or delete the
gateway IP address:
l Creating gateway IP addresses:
Enter the gateway IP address and

click . Repeat the preceding

operations to create multiple
gateway IP addresses. A maximum
of eight gateway IP addresses can
be created.
l Deleting gateway IP addresses:
Select the check boxes of gateway
IP addresses or select the check box
next to Gateway IP, and click .

IP that are not allocated IP address that will not be dynamically

allocated to clients. When IP addresses
are assigned to other servers such as
DNS servers, the IP addresses cannot
be assigned to DHCP clients. Specify
these IP addresses as IP addresses that
are not allocated. This operation avoids
IP address conflicts and shortens the IP
address detection time during IP
address assignment, which improves
DHCP efficiency. Perform the
following operations to add or delete
IP addresses that are not allocated:
l Creating IP addresses that are not
allocated: Set the start and end IP
addresses and click . Repeat the
preceding operations to create
multiple IP addresses or IP address
ranges that are not allocated.
l Deleting IP addresses that are not
allocated: Select the check boxes of
IP addresses that are not allocated
or select the check box next to IP
That Are Not Allocated, and click
.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 97

Parameter Description

Address pool interface Interface used by the address pool.

Users who go online from this
interface can obtain configuration
information such as IP addresses from
the global address pool. Perform the
following operations to add or delete
interfaces used by the address pool:
l Creating interfaces used by the
address pool: Select an interface
used by the address pool and click

. Repeat the preceding

operations to create multiple
interfaces used by the address pool.
A maximum of eight interfaces
used by the address pool can be
created.
l Deleting interfaces used by the
address pool: Select the check
boxes of interfaces used by the
address pool or select the check box
next to Address Pool Interface,
and click .

Statically bound IP/MAC Binding between assignable IP

addresses and MAC addresses of the
clients. When receiving a request for
applying for an IP address from a
client matching the MAC address, the
DHCP server assigns the fixed IP
address bound to the client's MAC
address to this client. Perform the
following operations to create or delete
a static IP address entry:
l Creating static IP address binding
entries: Enter the IP address and
MAC address to bind and click

. To create multiple static IP

address binding entries, repeat this
operation.
l Deleting static IP address binding
entries: Select the check boxes of
static IP address binding entries or
select the check box next to
Statically Bound IP/MAC, and
click .

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 98

Parameter Description

NetBIOS type Type of the NetBIOS node. The

options are as follows:
l Not specified: The NetBIOS node
type is not specified.
l b-node: The NetBIOS node obtains
the mapping between the host name
and IP address in broadcast mode. b
indicates broadcast.
l p-node: The NetBIOS node obtains
the mapping between the host name
and IP address by communicating
with the NetBIOS server. p
indicates peer to peer.
l m-node: The NetBIOS node is a p-
type node with some broadcast
features. m indicates mixed.
l h-node: The NetBIOS node is a b-
type node using the peer-to-peer
communication mechanism. h
indicates hybrid.

Table 4-28 Parameters for creating an interface address pool

Parameter Description

Select interface Interface mapping the interface address

pool of a DHCP server. The network
segment that the interface IP address
belongs to must be allocatable.

Interface IP address IP address of the selected interface,

that is, the gateway address used by the
DHCP client.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 99

Parameter Description

Mask Subnet mask of the IP address assigned

to the DHCP client, that is, subnet
mask of the selected interface. The
gateway IP address and the subnet
mask identify an address pool of the
interface.

Vendor-defined User-defined option for the global IP

Lease For details, see Table 4-27.

Primary DNS server For details, see Table 4-27.

Secondary DNS server For details, see Table 4-27.

Primary WINS server For details, see Table 4-27.

Secondary WINS server For details, see Table 4-27.

DNS domain name For details, see Table 4-27.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 100

Parameter Description

IP that are not allocated For details, see Table 4-27.

Statically bound IP/MAC For details, see Table 4-27.

NetBIOS type For details, see Table 4-27.

NOTE
Values of Gateway IP, IP that are not allocated, and Statically bound IP/MAC must be
in the specified address pool. Parameters Subnet address and Subnet mask of the global
address pool or Select interface of the interface address pool is available only when
parameters Gateway IP, IP that are not allocated, and Statically bound IP/MAC are not
set.
c. Click OK.
l Modify a DHCP address pool.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Address Pool. The DHCP Address Pool tab page is displayed.
b. In the IP Pool List area, click the name of the DHCP address pool that you want to
modify. The Modify DHCP Address Pool page is displayed.
c. On the Modify DHCP Address Pool page that is displayed, modify parameters
described in Table 4-27 and Table 4-28.
d. Click OK.
l Delete a DHCP address pool.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Address Pool. The DHCP Address Pool tab page is displayed.
b. In the IP Pool List area, select the check box of a DHCP address pool and click
Delete.
c. In the dialog box that is displayed, click OK.
l Check address pool information.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Address Pool. The DHCP Address Pool tab page is displayed.
b. In the Address Pool List area, select a DHCP address pool and click Display
Address Pool. Information about the selected DHCP address pool is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 101

Table 4-29 Address pool parameters

Parameter Description

Bind IP Binds the IP address to a MAC address

using the static binding mode.

Reserve IP Configures IP addresses that not

automatically allocated in the address
pool.

Fix IP Locks the IP address pool.

Reclaim IP Resets the IP address pool configured

on the device.

Unbind IP Deletes the bindings between the IP

addresses and MAC addresses in the
global address pool.

Not Reserve IP Deletes the IP addresses that are not

automatically allocated.

----End

DHCP Relay

Context
By using a DHCP relay agent, DHCP clients on a LAN can communicate with DHCP servers
on other network segments, and obtain IP addresses from them. The DHCP clients on
different network segments can also use one DHCP server, which reduces costs and achieves
centralized device management.

l Before configuring the DHCP relay function, you must configure DHCP server groups.
l DHCP relay is introduced to transmit packets between DHCP clients and a DHCP server
that are in different network segments. A DHCP relay agent can transparently transmit
DHCP broadcast packets between DHCP clients and a DHCP server that are in different
network segments.
l In applications, the DHCP relay function is generally implemented on a VLANIF
interface of the device. This interface needs to be configured with an IP relay address to
specify the DHCP server group. An IP relay address refers to the IP address of the
DHCP server group specified on the DHCP relay agent. When DHCP relay is enabled on
an interface, broadcast DHCP packets received on this interface are sent to the specified
DHCP server group.
l If no DHCP server group is configured on a network, the DHCP relay function can be
enabled on the device, so that DHCP Request packets from clients can be transmitted to
the DHCP server group on another network through the DHCP relay agent. To enable
clients to obtain IP addresses, a DHCP server in the DHCP server group must use a
global address pool. That is, the interface of the server connected to the DHCP relay
agent cannot be configured with any address pool.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 102

Procedure
l DHCP server group
– Create a DHCP server group.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. In the DHCP Server Group List area, click Create. In the Create DHCP Server
Group dialog box that is displayed, set DHCP server group parameters described in
Table 4-30.

Table 4-30 Parameters for creating a DHCP server group

Parameter Description

DHCP server group name Name of a DHCP server group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 103

Parameter Description

DHCP server IP address IPv4 or IPv6 address of a DHCP

server. Perform the following
operations to add or delete DHCP
server IP addresses:
l Adding DHCP server IP addresses:
Enter the IP address of a DHCP

server and click . To add

multiple DHCP server IP addresses.
A maximum of 20 DHCP server IP
addresses are supported.
l Deleting DHCP server IP
addresses: Click next to the
DHCP server IP addresses to delete.

c. Click OK.
– Modify a DHCP server group.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. On the DHCP Server Group List page, click the name of the DHCP server group
that you want to modify. The Modify DHCP Server Group page is displayed.
c. In the Modify DHCP Server Group dialog box that is displayed, modify the
parameters described in Table 4-30. Parameter DHCP server group name cannot
be modified.
d. Click OK.
– Delete a DHCP server group.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. In the DHCP Server Group List area, select the check box of a DHCP server
group and click Delete.
c. In the dialog box that is displayed, click OK.
l DHCP relay
– Create a DHCP relay.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. In the DHCP Relay List area, click Create. In the Create DHCP Relay dialog box
that is displayed, set DHCP relay parameters described in Table 4-31.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 104

Table 4-31 DHCP relay parameters

Parameter Description

Interface name Interface to be configured with DHCP

relay.

IPv4 DHCP server group name Name of a DHCP server group with a
specified IPv4 address.

IPv6 DHCP server group name Name of a DHCP server group with a
specified IPv6 address.

DHCPv4 agent Whether to enable the DHCP relay

proxy function.

c. Click OK.
– Modify a DHCP relay.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. On the DHCP Relay List page, click the interface name of the DHCP relay that
you want to modify. The Modify DHCP Relay page is displayed.
c. In the Modify DHCP Relay dialog box, set DHCP server group name, as shown
in Table 4-31. Parameter Interface name cannot be modified.
d. Click OK.
– Delete a DHCP relay.
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. In the DHCP Relay List area, select the check box of a DHCP relay and click
Delete.
c. In the dialog box that is displayed, click OK.
l Advanced DHCP Configuration
a. Log in to the web platform and choose Configuration > AC Config > IP > DHCP
Relay. The DHCP Relay tab page is displayed.
b. Click Advanced DHCP Configuration. Enter the timeout period for the DHCP
relay to receive DHCP packets in DHCP Proxy timeout time.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 105

NAT

ALG Configuration
Generally, NAT translates only the address in the IP packet header and the port number in the
TCP/UDP header. Packets of some protocols such as DNS and FTP contain the IP address or
port number in the data fields. Such contents cannot be translated through NAT. Therefore,
communication between the internal network and external networks will fail.
To solve this problem, NAT must be able to identify the IP address or port information in the
data field. The application level gateway (ALG) function enables the NAT device to identify
the IP address or port number in the data field, and translate addresses according to the
mapping table. The device provides the ALG function, so the device can support various
special application protocols, including DNS, FTP, PPTP and RTSP.
l Configure the ALG.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In the ALG settings area, select application protocols supported by ALG.

c. Click Apply. In the dialog box indicating that the operation succeeds that is
displayed, click OK. The ALG configuration is complete.
----End

NAT Mapping
When internal enterprise users access the Internet using NAT, network address port translation
(NAPT) can be configured to implement concurrent address translation. NAPT allows
multiple internal addresses to be mapped to the same public address. It is also called many-to-
one address translation or address multiplexing. NAPT translates the IP address and port
number of a packet so that multiple private users can use the same public IP address to access
the Internet.
Easy IP uses access control lists (ACLs) to control the private IP addresses that can be
translated. Easy IP applies to the scenario where hosts on small-scale LANs access the
Internet. Generally, small-scale LANs are deployed at small- and medium-sized cybercafes or
small-sized offices where only a few internal hosts are used and the outbound interface
obtains a temporary public IP address through dial-up. Internal hosts use the temporary public
IP address to access the Internet.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 106

l Create an NAT mapping entry.

a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In NAT Mapping, click Create. The Create NAT Mapping page is displayed.
c. On the Create NAT Mapping page, set parameters. Table 4-32 describes the
parameters.

Table 4-32 NAT Mapping parameters

Parameter Description

Interface name Name of an interface where network access is

to be enabled. Generally, Layer 3 interface is
configured, except loopback and NULL
interfaces.

Translation mode IP address translation mode used by private

network users to access external servers.
Translation modes are as follows:
l PAT: The IP address and port number in a
data packet are translated at the same time.
l Easy IP: The IP address of the selected
interface is used as the translated public IP
address.
l NO-PAT: Only the IP address in a data
packet is translated. The port number is not
used.

Translated source address Translated source address in PAT mode.

l IP subnet: Specifies an IP address subnet of
the translated source IP address (the
network subnet of the NAT address pool).
l LoopBack: Specifies a loopback interface
IP address as the translated source IP
address.

Start IP Start IP address of the NAT address pool.

End IP End IP address of the NAT address pool. The

end IP address must be not smaller than the
start IP address. A maximum of 255 IP
addresses can be configured in the NAT
address pool.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 107

Parameter Description

Loopback Specify the loopback interface after

translation.

ACL number Number of an ACL for private network users.

d. Click OK.
l Modify an NAT mapping entry.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In NAT Mapping, click the interface name corresponding to the nat mapping entry
to be modified. The Modify NAT Mapping page is displayed.
c. Modify parameters listed in Table 4-32 based on the site requirements. The
Interface name parameter cannot be modified.
d. Click OK to make the settings take effect.
l Delete an NAT mapping entry.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In NAT Mapping, select the check box next to an nat mapping configuration, and
click Delete.
c. In the dialog box that is displayed, click OK.
----End

One-to-One Address Translation

Some enterprise hosts must use fixed IP addresses to access public networks when NAT is
enabled. One-to-one address translation maps a public IP address to a fixed private IP address.

NOTE

One-to-one address translation establishes static binding between private IP addresses and public IP
addresses, and allows private network hosts to access public networks.
When establishing one-to-one static binding between private IP addresses and public IP addresses, ensure that
the public IP address is on the same network segment as the IP address of the interface enabled with one-to-
one address translation. Packets sent to private network servers can be correctly forwarded to the interface
enabled with one-to-one address translation.
l Create a one-to-one address translation entry.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In One-To-one Address Translation, click Create. The Create One-To-one
Address Translation page is displayed.
c. Set parameters on the Create One-To-one Address Translation page. Table 4-33
describes the parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 108

Table 4-33 One-to-one address translation parameters

Parameter Description

Interface name Name of an interface where one-to-one

address translation is to be enabled. Generally,
Layer 3 interface is configured, except
loopback and NULL interfaces.

Conversion type Whether to translate addresses according to the

protocol type:
l Protocol conversion: translates addresses
only when IP packets are transmitted on the
specified protocol.
l Address conversion: translates IP addresses
when IP packets are transmitted on any
protocol.

Protocol type Protocol type for which NAT is used.

Currently, the following protocols are
supported: Transmission Control Protocol
(TCP), User Datagram Protocol (UDP), and
Internet Control Message Protocol (ICMP).
NOTE
When this parameter is set to ICMP, you need to set
only External IP and Internal IP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 109

Parameter Description

External IP Setting server public IP address. Private IP

addresses can be translated into public IP
addresses in the following ways:
l Interface IP: The IP address of the selected
interface is used as the translated public IP
address.
l User-defined: A public IP address is
manually specified. The specified IP
address cannot be in use. The public IP
address must be on the same network
segment as the IP address of the NAT-
enabled interface.
l Loopback interface: A loopback interface
is used as the public IP address.

External port number Port number used by private network users to

access public network servers. You can select
a value from the drop-down list box or enter a
port number.

Internal IP IP address of an private network user.

Internal port number Source port number used by private network

users to access public networks. You can select
a value from the drop-down list box or enter a
port number.

d. Click OK.
l Modify a one-to-one address translation entry.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In One-To-one Address Translation, click the interface name corresponding to the
one-to-one address translation entry to be modified. The Modify One-To-one
Address Translation page is displayed.
c. Modify parameters listed in Table 4-33. The parameter Interface name cannot be
modified.
d. Click OK.
l Delete a one-to-one address translation entry.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. Select a one-to-one address translation entry, and click Delete.
c. In the dialog box that is displayed, click OK.
----End

Internal Server Mapping

NAT can hide internal hosts. An enterprise network can use NAT to communicate with
external networks, but external users cannot access internal servers. After the mappings

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 110

between "public IP address+port number" and "private IP address+port number" are defined
on a virtual server, external users can access internal servers.
l Create an internal server mapping.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In Internal Server Mapping, click Create. The Create Internal Server Mapping
page is displayed.
c. Set parameters on the Create Internal Server Mapping page. Table 4-34
describes the parameters.

Table 4-34 Internal server mapping parameters

Parameter Description

Interface name Name of an interface where NAT is to be

enabled. Generally, Layer 3 interface is
configured, except loopback and NULL
interfaces.

Conversion type Whether to translate addresses according to the

Protocol type Protocol type over the internal server.

Currently, the following protocols are
supported: TCP, UDP, and ICMP.
NOTE
When this parameter is set to ICMP, you need to set
only External IP and Internal IP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 111

Parameter Description

External IP Setting server public IP address. Private IP

External port number Port number used by external users to access

internal servers. You can select a value from
the drop-down list box or enter a port number.

Internal IP IP address of an internal server.

Internal port number Port number of an internal server. You can

select a value from the drop-down list box or
enter a port number.

d. Click OK.
l Modify an internal server mapping.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. In Internal Server Mapping, select the interface name corresponding to the
internal server mapping entry to be modified. The Modify Internal Server
Mapping page is displayed.
c. Modify parameters listed in Table 4-34. Interface name cannot be modified.
d. Click OK.
l Delete an internal server Mapping.
a. Log in to the web platform, and choose Configuration > AC Config > IP > NAT.
The NAT page is displayed.
b. Select an internal server mapping and click Delete.
c. In the dialog box that is displayed, click OK.

----End

NAT Mapping Entry

No NAT mapping entry is created if no packet's address needs to be translated based on NAT
rules.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 112

Step 1 Log in to the web platform, and choose Configuration > AC Config > IP > NAT. The NAT
page is displayed.

Step 2 If the device performs NAT on some packets, you can view NAT information about the
packets, including the packet addresses and ports on the NAT Mapping Entry page. See
Table 4-35 for descriptions of the NAT parameters.

Table 4-35 Description of NAT parameters

Item Description

Protocol Type Protocol type of packets.

Source address/ Source address and port number of the packets before NAT is
Port Number performed.
Before
Translation

Destination Destination address and port number of the packets before NAT is
address/Port performed.
Number Before
Translation

Source address/ Source address and port number of the packets after NAT is performed.
Port Number
After
Translation

Destination Destination address and port number of the packets after NAT is
address/Port performed.
Number After
Translation

----End

Route

Context
You can check the routing table to view routing information about the device, which helps
you manage the networks. Configuring static routes helps you accurately manage route
selection.

Procedure
l Check the routing table.
a. Choose Configuration > AC Config > IP > Route. The route management page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 113

b. Check routing table information in Routing Table. Table 4-36 describes the
parameters.

Table 4-36 Parameters of the routing table

Parameter Description

Destination IP Destination IP address or network of IP packets.

Subnet Mask Subnet mask length of the destination address. The

network mask is used with the destination address to
identify the address of the network segment where the
destination host or router resides.

Route Type Routing protocol.

Next Hop Address Next hop address of the route, that is, next-hop device to
which packets are forwarded.

Outbound Interface Outbound interface of the route, that is, local router
interface from which packets are forwarded.

l Manage the static route configuration table.

a. Choose Configuration > AC Config > IP > Route. The route management page is
displayed.

b. Click next to Static Route Configuration Table to collapse Static Route

Configuration Table.
c. Create or delete a static route.

Creating a static route

Click Create, configure static route information on the new page, and click OK.
Table 4-37 describes the parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 114

Table 4-37 Parameters of the static route

Parameter Description

Destination IP Destination IP address of the static route.

Subnet Mask Subnet mask of the static route. The value is in dotted
decimal notation.

Next Hop Address Next hop address of the static route.

Outbound Interface Outbound interface of the static route.

Priority Priority of the static route. A smaller value indicates a

higher priority.

Description Description of the static route.

Deleting a static route

Select a static route and click Delete. In the dialog box that is displayed, click OK.
----End

4.3 AP Config

4.3.1 AP Group

AP Group

Context
The AP group function is used to configure multiple APs in batches. When multiple APs
managed by an AC require the same configurations, you can add these APs to one AP group
and configure the AP group to complete AP configuration.

NOTE

For details about configurations of each profile bound to an AP group, see 7 Profile.

Procedure
l Create an AP group.
a. Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 115

b. Click Create. Set the parameters in Table 4-38.

Table 4-38 Parameters for creating an AP group

Parameter Description

AP group name Name of the AP group

Copy parameters Copy configuration parameters from other AP groups to

from other groups the current AP group.

c. Click OK.
l Delete an AP group.
a. Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
b. Select the AP group that you want to delete and click Delete.
c. Click OK.
l Bind profiles to the AP group.
a. Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
b. Click an AP group name. On the AP group configuration page that is displayed,
you can see the configurations of the AP group. See 7 Profile for descriptions of the
configuration profiles and Table 4-39 for details about the configuration
parameters.

Table 4-39 Configuration parameters of an AP group

Parameter Description

VAP Configuration Configures VAPs for AP groups: adds

or removes VAP profiles for AP
groups. After a VAP profile is added,
the AP generates a VAP to implement
basic WLAN services.
For detailed parameters, see 7.1
Wireless Service.

Radio Management Configures radio parameters for AP

groups, enabling the radios to work at
the optimal performance.
l Regulatory domain profile:
configures the country code and
DCA parameters for radios.
l Radio 0/Radio 1/Radio 2:
configures parameters for radios.
For detailed parameters, see 7.2 Radio
Management. Configure radios
describes parameters on the Radio 0,
Radio 1, and Radio 2 pages.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 116

Parameter Description

AP Configures system and interface

parameters for AP groups.
l AP system profile: configures
system parameters for AP groups.
l ETH profile/GE profile/ETH-
TRUNK/MultiGE profile profile:
configures interface parameters for
AP groups.
For detailed parameters, see 7.3 AP.
See 7.3.3 AP Wired Port Profile for
parameters of the ETH, GE, ETH-
TRUNK and MultiGE profiles.

Mesh Configures the Mesh function for AP

groups.
l Mesh profile: adds or removes
Mesh profiles for radios in AP
groups.
l Mesh whitelist: adds or removes
Mesh whitelist profiles for radios in
AP groups.
For detailed parameters, see 7.4 Mesh.

WDS Configures the WDS function for AP

groups.
l WDS profile: adds or removes
WDS profiles for radios in AP
groups.
l WDS whitelist: adds or removes
WDS whitelist profiles for radios in
AP groups.
For detailed parameters, see 7.5 WDS.

WIDS Configures the WIDS function for AP

groups.
For detailed parameters, see 7.6
WIDS.

WLAN Location Configures the location function for

AP groups.
For detailed parameters, see 7.7
WLAN Location.

Bluetooth Location Configures the bluetooth function for

APs.
For detailed parameters, see 7.8
Buletooth Location.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 117

Parameter Description

IoT Configures the IoT function for AP

groups.
For detailed parameters, see 7.9 IoT.

c. Click Apply.
l Configure radios.
a. Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
b. Click an AP group name. The AP group configuration page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click Radio
0, Radio 1, or Radio 2. The radio configuration page is displayed. For detailed
parameters, see Table 4-40.

Table 4-40 Radio parameters

Parameter Description

Radio 0 Settings/Radio 1 Settings/Radio 2 Settings

Working status Whether the radio is enabled or

disabled.

Working mode Working mode of APs, which can be:

l normal
l monitor

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 118

Parameter Description

Inter-Band Scanning Whether inter-band scanning is

enabled.
This function is supported only when
Working mode is set to monitor.
Only radio 0 and radio 2 support this
function.

EIRP Transmit power of a radio.

Channel Working bandwidth and working

channel of the radio.

Antenna gain Antenna gain of the radio.

WDS/Mesh bridge distance Radio coverage distance.

Spectrum Analysis Whether spectrum analysis is enabled

on the radio.

Switch to 5G Whether the working frequency of a

radio is switched to the 5 GHz
frequency band. Only radio 0 and radio
2 support this parameter.

WIDS Control

Device detection Whether the device detection function

is enabled on the radio.

Countermeasure of unauthorized Whether rogue device containment is

devices enabled.

Attack detection type Attack detection type. Multiple options

can be selected.

d. Click Apply.

----End

Static Load Balancing Group

Context
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.

When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 119

In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
l If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
l Each load balancing group supports a maximum of 16 AP radios.
l Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.

Procedure
l Create a static load balancing group.
a. Choose Configuration > AP Config > AP Group > Static Load Balancing
Group. The Static Load Balancing Group page is displayed.
b. Click Create. Set the parameters in Table 4-41.

Table 4-41 Parameters for creating a static load balancing group

Parameter Description

Static load balancing Name of the static load balancing group

group name

Maximum number of Maximum number of associations for the load balancing

rejections group
When the load in a load balancing group is unbalanced,
the AC rejects a STA's request for associating with an AP
with heavy load, but does not keep rejecting. When the
number of consecutive association requests of the STA
exceeds the maximum value, the AP allows the STA to
associate with the AP.

Start threshold for -

load balancing

Load difference -
threshold for load
balancing

Optional AP AP that can be added to the load balancing group.

Seleted AP AP to be added to the load balancing group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 120

c. Click OK.
l Modify a static load balancing group.
a. Choose Configuration > AP Config > AP Group > Static Load Balancing
Group. The Static Load Balancing Group page is displayed.
b. Click the static load balancing group name, find the desired static load balancing
group on the displayed page, and modify parameters. For details about how to set
parameters in a profile, see 7 Profile.
c. Click OK.
l Delete a static load balancing group.
a. Choose Configuration > AP Config > AP Group > Static Load Balancing
Group. The Static Load Balancing Group page is displayed.
b. Select the static load balancing group and click Delete.
c. Click OK.
NOTE

Click Refresh to refresh the displayed static load balancing group information.

----End

4.3.2 AP Config

AP Info

Context
You can view AP information and configure APs on the AP Info page.

Procedure
l Manually add an AP.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

b. Click Add. Set Add mode to Manually add on the page that is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 121

c. Set parameters for the AP. Table 4-42 describes the parameters for manually adding
an AP.

Table 4-42 Parameters for manually adding an AP

Parameter Description

Keyword Keyword specified when an AP is manually added,

which can be the AP's MAC address or SN.

AP MAC MAC address of the new AP.

AP ID ID of the new AP.

AP type Type of the new AP.

AP SN Serial number of the AP.

NOTE

You can click to add a maximum of 10 APs.

d. Click OK.
l Import AP information from a template.
Edit an AP information template on your local host and import AP information to the AC
from the template.

NOTE

It is recommended that you export the planned radio ID, AP channel, frequency bandwidth, and power
into a .csv file using WLAN Planner, fill in the AP file template with the collected information, and
then import the new file to the AC using the web system.

Fill in the template with AP information by referring content in the template. Click ... to
select the template and click Import to import AP information.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Click Add. Set Add mode to Batch import on the page that is displayed.

c. Click to download the AP template to your local host.

d. Use the network planning and optimization tool to plan the network parameters and
export the planned parameters to the AP information template. Table 4-43 describes
the parameters of the AP information template.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 122

NOTE

Table 4-43 Parameters of the AP information template

Parameter Description

AP ID ID of the AP. If an AP is imported not for the first time

and the MAC address of the AP is not specified, the AP
ID is mandatory; otherwise, the AP ID is optional.

AP Name Name of the AP. This parameter is optional.

AP Type Type of the AP. This parameter is optional.

AP MAC MAC address of the AP. If the AP authentication mode is

MAC address authentication, AP MAC must be set when
the AP is imported for the first time or the AP ID is not
specified.

AP SN SN of the AP. If the AP authentication mode is SN

authentication, AP SN must be set when the AP is
imported for the first time.

AP Group AP group to which the AP belongs. This parameter is

optional.

Radio ID Radio ID of the AP. This parameter is optional. If you set

Channel, Band Width, or Power, Radio ID must be set.

Channel Radio channel of the AP. This parameter is optional. If

you set this parameter, Band Width and Radio ID must
be set.

Band Width Radio bandwidth of the AP. This parameter is optional. If

you set this parameter, Channel and Radio ID must be
set.

Power Radio power of the AP. This parameter is optional. If you

set this parameter, Radio ID must be set.

Longitude Longitude of the AP. This parameter is optional. If you

set this parameter, Latitude must be set.

Latitude Latitude of the AP. This parameter is optional. If you set

this parameter, Longitude must be set.

e. Click ... to select the template and click Import to import AP information.
f. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 123

After APs are imported in batches, error information is displayed in red in the
result. Move the cursor to error information to view the error message.
l Modify AP information.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Select multiple APs and click Modify.

c. Set the parameters on the page that is displayed. Table 4-44 describes the
parameters for deploying an AP.

Table 4-44 Parameters for deploying an AP

Parameter Description

AP group AP group to which the AP belongs.

AP mode AP working mode.

AP ID ID of the AP.

AP MAC MAC address of the AP, which is the unique identifier of

the AP.

AP Name Name of the AP.

IP Obtaining Mode How the AP obtains an IP address. Options are DHCP/

Static.

IP Address IP address assigned to the AP. This parameter is valid

only when IP Obtaining Mode is set to Static.

IP Address Mask Subnet mask for the AP. This parameter is valid only
when IP Obtaining Mode is set to Static.

Gateway Default gateway address for the AP. This parameter is

valid only when IP Obtaining Mode is set to Static.

Status AP status.

d. Click OK.
l Modify AP group information.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Click an AP group in the AP list, and modify AP parameters on the page that is
displayed.
c. Click OK.
l Replace APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 124

a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Select an AP and click Replace.
c. Enter the MAC address of the replacement AP in New AP MAC or click ... and
select an AP on the displayed page.
d. Click OK. On the displayed page, click OK.
l Delete an AP.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Select an AP and click Delete.
c. Click OK in the confirm dialog box that is displayed.
l Add an AP to a MAC address whitelist or an SN whitelist.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Select an AP and click Add to MAC Whitelist or Add to SN Whitelist.
c. In the dialog box that is displayed, click OK.
l Add an AP to the blacklist.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Select an AP and click Add to Blacklist.
c. Click OK in the confirm dialog box that is displayed.
An AP in the whitelist cannot be added to the blacklist. For details about the AP
whitelist, see AP Whitelist.
l Manage unauthorized APs.
If AP authentication is set to MAC address authentication or SN authentication
(configured in AC Configuration) for an AC, the APs out of the whitelist and blacklist
of the AC are added to Non-authorized AP List. You can add these APs to the whitelist
or blacklist.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

b. Click before Non-authorized AP List to expand the unauthorized AP list.

c. Select unauthorized APs in the list and click Add to Whitelist or Add to Blacklist.
l Configure AP specific parameters.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Click an AP ID. On the AP Customized Settings page that is displayed, you can
see AP configurations. The digit next to AP customized settings is the AP ID. See
7 Profile for descriptions of the configuration profiles and Table 4-45 for details
about the configuration parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 125

Table 4-45 AP configuration parameters

Parameter Description

VAP Configuration Configures VAPs for APs: adds or

removes VAP profiles for APs. After a
VAP profile is added for an AP, the AP
generates a VAP to implement basic
WLAN services.
For detailed parameters, see 7.1
Wireless Service.

Radio Management Configures radio parameters for APs,

enabling the radios to work at the
optimal performance.
l Regulatory domain profile:
configures the country code and
DCA parameters for radios.
l Radio 0/Radio 1/Radio 2:
configures parameters for radios.
For detailed parameters, see 7.2 Radio
Management. Configure radios
describes parameters on the Radio 0,
Radio 1, and Radio 2 pages.
NOTE
Only the AP4030TN supports radio 2.

AP Configures system and interface

parameters for APs.
l AP system profile: configures
system parameters for APs.
l ETH profile/GE profile/MultiGE
profile/ETH-TRUNK profile:
configures interface parameters for
APs.
For detailed profile parameters, see 7.3
AP. See 7.3.3 AP Wired Port Profile
for parameters of the ETH, GE,
MultiGE, and ETH-TRUNK profiles.

Mesh Configures the Mesh function for APs.

l Mesh profile: adds or removes
Mesh profiles for AP radios.
l Mesh whitelist: adds or removes
Mesh whitelist profiles for AP
radios.
For detailed parameters, see 7.4 Mesh.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 126

Parameter Description

WDS Configures the WDS function for APs.

l WDS profile: adds or removes
WDS profiles for AP radios.
l WDS whitelist: adds or removes
WDS whitelist profiles for AP
radios.
For detailed parameters, see 7.5 WDS.

WIDS Configures the WIDS function for

APs.
For detailed parameters, see 7.6
WIDS.

WLAN Location Configures the location function for

APs.
For detailed parameters, see 7.7
WLAN Location.

Bluetooth Location Configures the Bluetooth function for

APs.
For detailed parameters, see 7.8
Buletooth Location.

IoT Configures the IoT function for APs.

For detailed parameters, see 7.9 IoT.

c. Click Apply.
l Configure radios.
a. Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
b. Click an AP ID. The AP Customized Settings page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click Radio 0
or Radio 1. The radio configuration page is displayed. For detailed parameters, see
Table 4-46.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 127

Table 4-46 Radio parameters

Parameter Description

Radio 0 Settings/Radio 1/Radio 2 Settings

Only the AP4030TN supports radio 2.

Working status Whether the radio is enabled or

disabled.

Working mode Working mode of APs, which can be:

l normal
l monitor

Inter-Band Scanning Whether inter-band scanning is

enabled.
This function is supported only when
Working mode is set to monitor.

EIRP Transmit power of a radio.

Channel Working bandwidth and working

channel of the radio.

Antenna gain Antenna gain of the radio.

Coverage distance Radio coverage distance.

Spectrum Analysis Whether spectrum analysis is enabled

on the radio.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 128

Parameter Description

Switch to 5G Whether the working frequency of a

radio is switched to the 5 GHz
frequency band. This parameter is
supported only by radio 0 of the
AP2010DN, AP8130DN, AP8130DN-
W, and AP4030TN as well as radio 2
of the AP4030TN.

WIDS Control

Device detection Whether the device detection function

is enabled on the radio.

Countermeasure of unauthorized Whether rogue device containment is

devices enabled.

Attack detection type Attack detection type. Multiple options

can be selected.

d. Click Apply.
----End

AP Whitelist

Context
If AP authentication is set to MAC address authentication or SN authentication
(configured in AC Configuration) for an AC, the APs out of the whitelist and blacklist of the
AC are added to Non-authorized AP List. You can add the MAC addresses or SNs of these
APs to the whitelist.

Procedure
l Add AP MAC addresses to the AP whitelist.
a. Choose Configuration > AP Config > AP Config > AP Whitelist. The AP
Whitelist page is displayed.
b. In the MAC Whitelist area, click Create to add AP MAC addresses to the
whitelist.
Manually adding AP MAC addresses
i. Set Creation mode to Manually add.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 129

ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.
Batch importing AP MAC addresses
i. Set Creation mode to Batch import.

ii. Click to download the AP template to your local host. Edit the template
and save it.
iii. Click ... select the AP template and click Import.
iv. Click OK.
l Delete an AP from the MAC address whitelist.
a. Choose Configuration > AP Config > AP Config > AP Whitelist. The AP
Whitelist page is displayed.
b. Select an AP in the MAC Whitelist area and click Delete.
c. Click OK in the confirm dialog box that is displayed.
l The operations for the SN whitelist are similar to the preceding operations.
----End

AP Blacklist

Context
If AP authentication is set to MAC address authentication (configured in AC
Configuration) for an AC, the APs out of the whitelist and blacklist of the AC are added to
Non-authorized AP List. You can add the MAC addresses of these APs to the blacklist.

Procedure
l Add AP MAC addresses to the AP blacklist.
a. Choose Configuration > AP Config > AP Config > AP Blacklist. The AP
Blacklist page is displayed.
b. Click Create to add AP MAC addresses to the blacklist.
Manually adding AP MAC addresses
i. Set Creation mode to Manually add.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 130

ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.

Batch importing AP MAC addresses

i. Set Creation mode to Batch import.

ii. Click to download the AP template to your local host. Edit the template
and save it.
iii. Click ... select the AP template and click Import.
iv. Click OK.
l Delete an AP MAC address from the blacklist.
a. Choose Configuration > AP Config > AP Config > AP Blacklist. The AP
Blacklist page is displayed.
b. Select an AP MAC address and click Delete.
c. Click OK in the confirm dialog box that is displayed.

----End

4.3.3 Profile
For details, see 7 Profile.

4.4 Security
4.4.1 AAA

Authentication Profile

Procedure
l Create an authentication profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 131

a. Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile List page is displayed.
b. Click Create. The Create Authentication Profile page is displayed.
c. Enter the name of the new authentication profile in Profile name.
d. Click OK. The parameter setting page of the new authentication profile is
displayed.

e. Set parameters for the authentication profile. Table 4-47 describes the parameters
for creating an authentication profile.
f. Click Apply. In the Info dialog box that is displayed, click OK.

Table 4-47 Parameters for creating an authentication profile

Parameter Description

Prevent authentication overwrite Whether the newly delivered

authentication information overwrites
all the original authentication
information.

Security character string separator Security character string separator.

User group Select a user group name to bind the

user group to the authentication profile.
The user group is configured on User
Group.

Authorization VLAN ID before ID of the VLAN in which the network

authentication resources are accessible to users before
authentication.

Authorization VLAN ID upon ID of the VLAN in which the network

authentication failure resources are accessible to users after
an authentication failure.

l Modify an authentication profile.

a. Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile List page is displayed.
b. Click the name of the authentication profile that you want to modify. The
Authentication Profile page is displayed.
c. Modify parameters for the authentication profile. For the parameter description, see
Table 4-47.
d. Click Apply. In the Info dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 132

l Delete an authentication profile.

a. Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure a profile referenced in the authentication profile.

The following profiles can be referenced in the authentication profile: 802.1X profile,
Portal profile, MAC access profile, authentication-free rule profile, RADIUS profile,
HWTACACS profile, authentication scheme profile, authorization scheme profile,
accounting scheme profile, and service scheme profile.

a. Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile List page is displayed. Click to the left of
Authentication Profile List in the navigation tree to expand the authentication
profile list. Click to the left of the the authentication profile name to view the
names of other profiles referenced in the authentication profile.
b. Click any profile referenced in the authentication profile. The profile configuration
page is displayed. Select a profile name from the drop-down list box and modify
parameters for the referenced profile or click Create to set parameters for the
referenced profile according to the parameter description table for the specific
profile.
c. Click Apply. In the Info dialog box that is displayed, click OK.

----End

Service Scheme

Context
Access users must obtain authorization information before they can go online. Authorization
information about users can be managed by configuring a service scheme.

Procedure
l Create a service scheme profile.
a. Choose Configuration > Security > AAA > Service Scheme. The Service
Scheme page is displayed.
b. Click Create. The Create Service Scheme page is displayed. Set parameters for
the service scheme profile. Table 4-48 describes the parameters for creating a
service scheme profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 133

c. Click OK.

The new service scheme profile is added to the service scheme profile list.

Table 4-48 Parameters for creating a service scheme profile

Parameter Description

Server scheme name Name of the service scheme.

Primary DNS server IP address of the primary DNS server.

Secondary DNS server IP address of the secondary DNS server.

Idle user disconnection Rule for disconnecting idle users, which can
be:
l Based on uplink traffic: determines
whether to disconnect a user based on the
upstream traffic rate.
l Based on downlink traffic: determines
whether to disconnect a user based on the
downstream traffic rate.
l Based on uplink and downlink traffic:
determines whether to disconnect a user
based on the upstream and downstream
traffic rate.
l Close: disables the idle-cut function.

Traffic threshold Traffic rate threshold for disconnecting idle

users. When the traffic rate of a user stays
below this threshold for a certain period, the
device considers that the user is in idle state.

Idle user disconnection interval Interval at which an idle user can stay online.

l Modify a service scheme profile.

a. Choose Configuration > Security > AAA > Service Scheme. The Service
Scheme page is displayed.
b. In the service scheme profile list, click the name of the service scheme profile that
you want to modify.
c. Modify parameters on the Modify Service Scheme page that is displayed. For the
parameter description, see Table 4-48. The Server scheme name parameter cannot
be modified.
d. Click OK to save the changes.
l Delete a service scheme profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 134

a. Choose Configuration > Security > AAA > Service Scheme. The Service
Scheme page is displayed.
b. In the service scheme profile list, select a service scheme profile that you want to
delete and click Delete. In the Info dialog box that is displayed, click OK.
----End

External Portal Server

Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an
entity embedded in the access device (that is, functions of the Portal server are implemented
by the access device).
During external Portal authentication, you must configure parameters for the Portal server (for
example, the IP address for the Portal server) to ensure smooth communication between the
device and the Portal server.

Procedure
l Set the maximum number of Portal authentication users.
a. Choose Configuration > Security > AAA > External Portal Server. The
External Portal Server page is displayed.

b. Set the maximum number of concurrent Portal authentication users in Maximum

number of STAs.
c. Click Apply. In the Info dialog box that is displayed, click OK.
l Create a Portal authentication server.
a. Choose Configuration > Security > AAA > External Portal Server. The
External Portal Server page is displayed.
b. Click Create in the Portal Authentication Server List. Set parameters in the
displayed Create Authentication Server window. Table 4-49 describes the
parameters for creating a Portal authentication server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 135

c. Click OK.

If a new entry is displayed in Portal Authentication Server List, the configuration

is successful.

Table 4-49 Parameters for creating a Portal authentication server

Parameter Description

Server name Name of a Portal authentication server.

Server IP IP address of the Portal server.

After entering the IP address, click . To delete an IP

address, select the IP address in the Server IP list and click
.
If multiple IP addresses need to be configured, multiple
URLs must be configured for the Portal server.

Shared key Shared key that the device uses to exchange information with
the Portal server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 136

Parameter Description

Confirm shared Enter the shared key again.

key

Packet port Port number that the device uses to listen on Portal protocol
number packets.

Source address Source IP address for the device to communicate with a

of outgoing Portal server.
packets

URL URL of the Portal server.

URL The final format of the URL is displayed based on the

configuration configuration of URL and URL Option Settings.
result

URL Option Settings

Set parameters carried in the URL in URL Option Settings. The format of the
URL carrying parameters is displayed in URL configuration result.

AC-IP AC IP address carried in the URL.

AC-MAC AC MAC address carried in the URL.

User access URL Original URL that a user accesses carried in the URL.

User MAC User MAC address carried in the URL.

User IP User IP address carried in the URL.

System name Device system name carried in the URL.

AP-IP AP IP address carried in the URL.

AP-MAC AP MAC address carried in the URL.

SSID SSID that users associate with.

MAC address l Without hyphens.

format l normal: sets the MAC address format to XXXX-XXXX-
XXXX. You can specify a character as the delimiter.
l compact: sets the MAC address format to XX-XX-XX-
XX-XX-XX. You can specify a character as the delimiter.

Separator Delimiter in a MAC address.

Encrypted Name of an encrypted parameter in the URL.

parameter name

Encryption Name of an encryption vector.

vector name

Encryption key Encryption key.

Confirm Enter the encryption key again.

encryption key

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 137

Parameter Description

Server Detection Configuration

Portal server Whether to enable the Portal server detection function.

detection

Detection Portal server detection interval.

interval

Maximum Maximum number of Portal server detection failures.

number of
detection failures

Minimum Minimum number of Portal servers in Up state.

number of Portal
servers in up
state

Action after the Action taken when the maximum number of detection
number of failures on the Portal server is exceeded.
detection failures
exceeds the
maximum

l Modify a Portal authentication server.

a. Choose Configuration > Security > AAA > External Portal Server. The
External Portal Server page is displayed.
b. Click the Portal authentication server that you want to modify in Portal
Authentication Server List.
c. Set parameters in the displayed Modify Authentication Server window. For the
parameter description, see Table 4-49.
d. Click OK to save the changes.
l Delete a Portal authentication server.
a. Choose Configuration > Security > AAA > External Portal Server. The
External Portal Server page is displayed.
b. In Portal Authentication Server List, select a Portal authentication server that you
want to delete and click Delete. In the Info dialog box that is displayed, click OK.
----End

Built-in Portal Server

Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an
entity embedded in the access device (that is, functions of the Portal server are implemented
by the access device).
During the built-in Portal server configuration process, to ensure that the server can provide
the web authentication service, set parameters such as SSL policy, Port, and Web page file.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 138

Procedure
l Create a built-in Portal server.
a. Choose Configuration > Security > AAA > Built-in Portal Server. The Built-in
Portal Server page is displayed.
b. Set parameters for the built-in Portal server. Table 4-50 describes the parameters for
creating a built-in Portal server.

c. Click Apply. In the Info dialog box that is displayed, click OK.

Table 4-50 Parameters for creating a built-in Portal server

Parameter Description

Server IP IP address of the Portal server. Users

are then redirected to the Portal server
if they enter URLs that are not located
in the free IP subnet.
NOTE
l The IP address assigned to the built-in
Portal server must have a reachable
route to the user.
l The built-in Portal server cannot use
the gateway IP address of the device
interface connected to clients.
l It is recommended that a loopback
interface address be assigned to the
built-in Portal server because the
loopback interface is stable.
Additionally, packets destined for
loopback interfaces are not sent to
other interfaces on the network;
therefore, system performance is not
deteriorated even if many users request
to go online.

SSL policy SSL policy applied to HTTPS services

provided by the Portal server.

Port number Port that provides the authentication

service on the Portal server.

Authentication mode Authentication mode including PAP

and CHAP. You are advised to use the
CHAP with high security.

Page file package File in .zip format. The file contains

web pages that users access during
authentication.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 139

Parameter Description

Maximum number of STAs Maximum number of users who can

access the Portal server.

l Create a customized Portal page.

In built-in Portal authentication mode, enterprise users can define the style of the
authentication web page, including the web page background, corporate logo, and web
page advertisements, to meet requirements of the enterprises.
a. Choose Configuration > Security > AAA > Built-in Portal Server. The Built-in
Portal Server page is displayed.
b. Click Page Style. Three page styles are displayed. The first two are default styles
and the last one is a customized style.

n Default style: Use the default background and user-defined logo and
advertisement images. The logo and advertisement image are displayed in
preconfigured areas.
n Customized style: Use a user-defined image as the background.
c. Set parameters for the customized Portal page. Table 4-51 describes the parameters
for creating a customized Portal page.
d. Click Apply.
To reset the parameters, click Clear Settings. To preview the customized page,
click Preview.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 140

NOTE

If the message "Your browser's security settings are too high to complete this process. See the
help menu for instructions on adjusting your security settings." is displayed during file upload,
configure the Internet Explorer as follows:
1. Choose Tools > Internet Options > Security > Custom Level.
2. Click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe
for scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the message "An
ActiveX control on this page might be unsafe to interact with other parts of the page. Do you
want to allow this interaction?" is displayed. If you click Yes, the file can be uploaded.
3. Click Enable next to Include local directory path when uploading files to a server.

Table 4-51 Parameters for creating a customized Portal page

Parameter Description

Logo The logo is displayed at the upper left

corner on the Portal page.
Click Browse and select an image.
The logo image size cannot be larger
than 128 KB. The logo image can be in
JPG, JPEG, or PNG format, with
resolutions within 591 x 80 pixels.

Advertisement image The advertisement is displayed at the

right side of the Portal page.
Click Browse and select an image.
The advertisement image size cannot
be larger than 256 KB. The image can
be in JPG, JPEG, or PNG format, with
resolutions within 670 x 405 pixels.

Background image Click Browse and select an image.

The background image size cannot be
larger than 512 KB. The image can be
in JPG, JPEG, or PNG format, with
resolutions within 1366 x 768 pixels.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 141

Parameter Description

Background color Set a background color to fill in areas

not covered by the background image.
The hexadecimal notation of the RGB
color model is used for setting colors
of web page elements. The color value
represents the intensity of additive
primary colors, red, green, and blue.
The lowest intensity and highest
intensity of each color are respectively
0 and 255. The intensity value of each
primary color is represented by a
hexadecimal number. The three values
are listed together and prefixed with
the pound sign (#). For example, the
color value #FF0000 indicates red.

Disclaimer(HTML) The administrator can edit the login

page used for user authentication to
customize a disclaimer page. The
hyperlink Acceptable Use Policy will
be displayed on the login page. You
can click the link to visit the disclaimer
page.

Portal description(HTML) This area is displayed on the right of

the Portal login page. You can
customize the display contents in the
area.

----End

RADIUS

Context
RADIUS protects a network from unauthorized access. It is often used on the networks that
require high security and remote user access control.

Procedure
l Configure a RADIUS server profile.
– Create a RADIUS server profile.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click Create in RADIUS Server Profile. Set parameters for the RADIUS server
profile. Table 4-52 describes the parameters for creating a RADIUS server profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 142

c. Click OK.

Table 4-52 Parameters for creating a RADIUS server profile

Parameter Description

Profile name Name of a RADIUS server profile.

Key Shared key for the RADIUS server.

The shared key is used to encrypt the
password and generate the response
authenticator.

Confirm key Confirmed shared key of the RADIUS

server.

User name Whether the device encapsulates the

domain name in the user name when
sending RADIUS packets to a
RADIUS server.
Original user name configures the
device not to modify the user name
entered by the user in the packets sent
to the RADIUS server.

Mode l Active/Standby mode: The server

with the largest weight value
functions as the active server, other
servers function as standby servers.
A standby server with a larger
weight value has a higher priority.
l Load balancing mode: When
configuring authentication or
accounting servers, distribute
authentication or accounting
requests to servers according to
weights of the servers.

– Modify a RADIUS server profile.

a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click the name of a RADIUS server profile that you want to modify in RADIUS
Server Profile.
c. Modify parameters on the Modify RADIUS Server Profile page, among which
Profile name cannot be modified.
d. Click OK to save the changes.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 143

– Delete a RADIUS server profile

a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. On the RADIUS Server Profile list, choose the RADIUS server profile you want
to delete. Click Delete. In the Confirm dialog box that is displayed, clickOK.
l Configure an authentication/accounting server.
– Create an authentication/accounting server.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click Create in Authentication/Accounting Server. Set parameters for the
authentication/accounting server. Table 4-53 describes the parameters for creating
an authentication/accounting server

c. Click OK.

Table 4-53 Parameters for creating an authentication/accounting server

Parameter Description

Profile name Name of the created RADIUS server

profile.

Server type RADIUS server type: authentication or

accounting server.

IP address IPv4: IPv4 address of the

authentication or accounting server.

IPv6: IPv6 address of the

authentication or accounting server.

Port number Port number of the authentication or

accounting server.

Source address of outgoing packets Source address of outgoing packets.

Use a loopback address or IP address.

Weight Weight of the authentication or

accounting server.

Key Shared key for the authentication or

accounting server.

Confirm key Confirmed shared key of the

authentication or accounting server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 144

NOTE

You can quickly search for the created authentication or accounting servers based on the
specified criteria.
– Modify an authentication/accounting server.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click the authentication/accounting server that you want to modify in
Authentication/Accounting Server.
c. Modify parameters on the Modify Authentication/Accounting Server page,
among which Profile name and Server type cannot be modified.
d. Click OK to save the changes.
– Delete an authentication/accounting server.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. On the Authentication/Accounting Server list, choose the Authentication/
Accounting Server you want to delete. Click Delete. In the Confirm dialog box that
is displayed, clickOK.
l Configure an authorization server.
– Create an authorization server.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click Create in Authorization Server. Set parameters for the authorization server.
Table 4-54 describes the parameters for creating an authorization server.

c. Click OK.

Table 4-54 Parameters for creating an authorization server

Parameter Description

Authorization server IP address IP address of an authorization server.

Profile name Name of the created RADIUS server

profile.

key Shared key of the RADIUS

authorization server.

Confirm key Confirmed shared key of the RADIUS

authorization server.

– Modify an authorization server.

a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. Click the authorization server that you want to modify in Authorization Server
list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 145

c. Modify parameters on the Modify Authorization Server page, among which

Authorization server IP address cannot be modified.
d. Click OK to save the changes.
– Delete an authorization server.
a. Choose Configuration > Security > AAA > RADIUS. The RADIUS page is
displayed.
b. On the Authorization Server list, choose the Authorization Server you want to
delete. Click Delete. In the Confirm dialog box that is displayed, clickOK.
----End

HWTACACS

Context
HWTACACS prevents unauthorized users from attacking a network and supports command-
line authorization. Compared with RADIUS, HWTACACS is more reliable in transmission
and encryption, and is more suitable for security control.

Procedure
l Enable or disable HWTACACS.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.

b. Set the HWTACACS function to ON or OFF. In the Info dialog box that is
displayed, click OK.
l Configure an HWTACACS server profile.
– Create an HWTACACS server profile.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.
b. Click Create in HWTACACS Server Profile. Set parameters for the HWTACACS
server profile. Table 4-55 describes the parameters for creating an HWTACACS
server profile.

c. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 146

Table 4-55 Parameters for creating an HWTACACS server profile

Parameter Description

Profile name Name of an HWTACACS server

profile.

key Shared key for the HWTACACS

server.
The shared key is used to encrypt the
password and generate the response
authenticator.

Confirm key Confirmed shared key of the

HWTACACS server.

User name Whether the device encapsulates the

domain name in the user name when
sending HWTACACS packets to an
HWTACACS server.
Original user name configures the
device not to modify the user name
entered by the user in the packets sent
to the HWTACACS server.

– Modify an HWTACACS server profile.

a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.
b. Click the name of an HWTACACS server profile that you want to modify in the
HWTACACS Server Profile list.
c. Modify parameters on the Modify HWTACACS Server Profile page, among
which Profile name cannot be modified.
d. Click OK to save the changes.
– Delete an HWTACACS server profile.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.
b. On the HWTACACS Server Profile list, choose the HWTACACS Server Profile
you want to delete. Click Delete. In the Confirm dialog box that is displayed,
clickOK.
l Configure an authentication/authorization/accounting server.
– Create an authentication/authorization/accounting server.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.
b. Click the Create in Authentication/Authorization/Accounting Server to set
parameters for the authentication/authorization/accounting server. Table 4-56
describes the parameters for the authentication/authorization/accounting server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 147

c. Click OK.

Table 4-56 Parameters for creating an authentication/authorization/accounting

server

Parameter Description

Profile name Name of the created HWTACACS

server profile.

Server type HWTACACS server type:

authentication/authorization/
accounting server

Primary server IP address IP address of the primary

authentication/authorization/
accounting server

Primary server port number Port number of the primary

authentication/authorization/
accounting server

Secondary server IP address IP address of the secondary

authentication/authorization/
accounting server

Secondary server port number Port number of the secondary

authentication/authorization/
accounting server

NOTE

You can quickly search for the created authentication/authorization/accounting server based
on the specified criteria.
– Modify an authentication/authorization/accounting server.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.
b. Click the name of an authentication/authorization/accounting server that you want
to modify in the Authentication/Authorization/Accounting Server list.
c. Modify parameters on the Modify Authentication/Authorization/Accounting
Server page, among which Profile name and Server type cannot be modified.
d. Click OK to save the changes.
– Delete an authentication/authorization/accounting server.
a. Choose Configuration > Security > AAA > HWTACACS. The HWTACACS
page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 148

b. On the Authentication/Authorization/Accounting Server list, choose the

Authentication/Authorization/Accounting Server you want to delete. Click Delete.
In the Confirm dialog box that is displayed, clickOK.

----End

Local User

Context
You need to create a local user account and configure attributes of the local user so that the
administrator can authenticate and authorize users who log in based on the local user
information.

Procedure
l Create a local user.
a. Choose Configuration > Security > AAA > Local User. The Local User page is
displayed.
b. In Local User, click Create. Set parameters for creating a local user. Table 4-57
describes the parameters for configuring MAC address authentication globally.

c. Click OK.

Table 4-57 Parameters for creating a local user

Parameter Description

Creation mode Indicates the mode for creating a local

user.

User name Indicates a user file template to be

imported. Click to download a
user file template.

User name Indicates a new user name.

Password Indicates a new password.

Confirm password Confirms the password. The format of

this parameter is the same as that of
Password.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 149

Parameter Description

User status Indicates the state of a local user.

l Activate: the device accepts and
processes the authentication request
from the user.
l Block: the device rejects the
authentication request from the
user.
NOTE
If a user has established a connection with
the device, when the user is set in blocking
state, the connection still takes effect but
the device rejects subsequent
authentication requests from the user.

Access mode Indicates the access type. After you

specify the access type of a user, only
the users of the specified access type
can log in.

Forcible logout Whether to force a modified user to go

offline.
NOTE
It is recommended that you select this
parameter when modifying the user level to
ensure security. If you modify the level of
an online user, the modification can take
effect only when the user goes online next
time.

l Modify a local user.

a. Choose Configuration > Security > AAA > Local User. The Local User page is
displayed.
b. In the local user list, click the name of the local user that you want to modify.
c. In the Modify user page, set parameters for modifying a local user. Table 4-57
describes the parameters for modifying a local user. The User name cannot be
modified.
d. Click OK to confirm and save the configuration.
l Delete a local user.
a. Choose Configuration > Security > AAA > Local User. The Local User page is
displayed.
b. In the local user list, select the name of the local user that you want to delete. Click
Delete. In the Info dialog box that is displayed, click OK.
l Set a user group.
a. Choose Configuration > Security > AAA > Local User. The Local User page is
displayed.
b. In the local user list, select local users that you want to add to a user group and click
Set a User Group. In the Set a User Group dialog box that is displayed, select a
user group name and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 150

If user group name none is selected, local users will be deleted from the user group.
l Set a user password policy.
a. Choose Configuration > Security > AAA > Local User. The Local User page is
displayed.
b. Set User Password Policy to ON.
c. Set Number of historical forced.
d. Click Apply.
----End

Advanced

Procedure
l Configure 802.1X authentication globally.
a. Choose Configuration > Security > AAA > Advanced. The Advanced page is
displayed.

b. In 802.1X Authentication Global Settings, set parameters for configuring 802.1X

authentication globally. Table 4-58 describes the parameters for configuring 802.1X
authentication globally.
c. Click Apply. In the Info dialog box that is displayed, click OK.

Table 4-58 Parameters for configuring 802.1X authentication globally

Parameter Description

Quiet timer Whether to start the quiet timer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 151

Parameter Description

Maximum authentication failure count Maximum number of times that a user

before turning quiet fails authentication before the quiet
function is enabled, which is 3 by
default. When the number of times that
a user fails 802.1X authentication
within 60s reaches the value set in
Maximum authentication failure
count before turning quiet, the device
keeps the user quiet for a period of
time.

Quiet timer value Quiet period, which is 60 by default.

During the quiet period of an 802.1X
authentication user, the device discards
the 802.1X authentication request
packets from the user.

Authentication request interval (s) Interval for sending authentication

requests, in seconds.

l Configure Portal authentication globally.

a. Choose Configuration > Security > AAA > Advanced. The Advanced page is
displayed.
b. In Portal Authentication Global Settings, set parameters for configuring Portal
authentication globally. Table 4-59 describes the parameters for configuring Portal
authentication globally.
c. Click Apply. In the Info dialog box that is displayed, click OK.

Table 4-59 Parameters for configuring Portal authentication globally

Parameter Description

Quiet timer Whether to start the quiet timer.

Maximum authentication failure count Maximum number of times that a user

before turning quiet fails authentication before the quiet
function is enabled, which is 3 by
default. When the number of times that
a user fails Portal authentication within
60s reaches the value set in Maximum
authentication failure count before
turning quiet, the device keeps the
user quiet for a period of time.

Quiet timer value Quiet period, which is 60 by default.

During the quiet period of a Portal
authentication user, the device discards
the Portal authentication request
packets from the user.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 152

Parameter Description

Port number in portal packets Port number used by the device to

listen on Portal protocol packets, which
is 2000 by default.

Transparent transmission of Whether to enable transparent

authentication information transmission of authentication
information.

Portal version Version of the Portal protocol.

HTTPS Redirection Status Whether to enable HTTPS redirection.

Upper alarm threshold percentage Upper alarm threshold percentage of

Portal authentication user quantity,
which must be greater than or equal to
Lower alarm threshold
percentage(%).

Lower alarm threshold percentage Lower alarm threshold percentage of

Portal authentication user quantity.

l Configure MAC address authentication globally.

a. Choose Configuration > Security > AAA > Advanced. The Advanced page is
displayed.
b. In MAC Address Authentication Global Settings, set parameters for configuring
MAC address authentication globally. Table 4-60 describes the parameters for
configuring MAC address authentication globally.
c. Click Apply. In the Info dialog box that is displayed, click OK.

Table 4-60 Parameters for configuring MAC address authentication globally

Parameter Description

Maximum authentication failure count Maximum number of times that a user

before turning quiet fails authentication before the quiet
function is enabled, which is 1 by
default. When the number of times that
a user fails MAC address
authentication within 60s reaches the
value set in Maximum authentication
failure count before turning quiet,
the device keeps the user quiet for a
period of time.

Quiet timer value Value of the quiet timer. When a user

fails authentication, the device keeps
the user quiet for a period before
processing the authentication request
from the user. During the quiet period,
the device does not process
authentication requests from the user.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 153

l Others.
a. Set Apple CNA configuration.
n Not configured: performs Portal redirection on all HTTP data.
n Bypass: permits Apple CNA packets without Portal redirection. This setting is
applicable to scenarios when automatically displaying the Portal page to STAs
is not required.
n Self-adaptive: performs Portal redirection on Apple CNA packets only for the
first time. This setting is applicable to scenarios that need to display the Portal
page to STAs attempting to associate with the AP and then invoke the
background app.
b. To improve web application security, data from untrustworthy sources must be
encoded before being sent to clients. URL encoding is most commonly used in web
applications. After Portal URL encoding and decoding are enabled, some special
characters in redirected URLs are converted to secure formats, preventing clients
from mistaking them for syntax signs or instructions and unexpectedly modifying
the original syntax. In this way, cross-site scripting attacks and injection attacks are
prevented.
c. Click Apply. In the Info dialog box that is displayed, click OK.

----End

4.4.2 User Group

User Group

Context
After a WLAN user is authenticated, the RADIUS server sends user group information to the
device to control authorization of the user.
l A user group can be bound to one or more ACLs, so users' data packets are filtered based
on the bound ACL.
l A user group can be bound to one QoS profile, so the bandwidth used by users in the
user group is restricted based on the bound QoS profile. To configure a QoS profile, see
QoS Profile.
l Isolation flags can be set in user groups to isolate users in the same group or in different
groups. The inter-group isolation flag isolates users in the same group, and the intra-
group isolation flat isolates users in a group from users in other groups.
l User VLANs can be configured in a user group. Users can visit resources in the same
VLAN.

Procedure
l Create a user group.
a. Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
b. Click Create. The Create User Group page is displayed. Table 4-61 describes the
parameters for creating a user group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 154

c. Click OK.
The new user group is added to the user group list.

Table 4-61 Parameters for creating a user group

Parameter Description

User group name Indicates a new user group name.

Isolation mode Inter-group isolation and inner-group isolation

can take effect at the same time.

VLAN VLAN or VLAN pool, which is set as the

service VLAN.
NOTE
l If each SSID has only one service VLAN to
deliver wireless access to STAs, IP address
resources may become insufficient in areas
where many STAs access the WLAN, and IP
addresses in the other areas are wasted.
l After a VLAN pool is created, add multiple
VLANs to the VLAN pool and configure the
VLANs as service VLANs. In this way, an
SSID can use multiple service VLANs to
provide wireless access services. STAs are
dynamically assigned to VLANs in the VLAN
pool, which reduces the number of STAs in each
VLAN and also the size of the broadcast
domain. Additionally, IP addresses are evenly
allocated, preventing IP address waste.

QoS profile QoS profile used to monitor traffic for users in

the user group.

Click . In the Select page that is

displayed, select a QoS profile and click OK
to create or delete a QoS profile. If too many
QoS profiles are in Select, enter the keyword
of a profile name and click .

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 155

Parameter Description

Attack defense profile Attack defense profile that is bound.

Click . In Select that is displayed,

select an attack defense profile and click OK.
If too many attack defense profiles are
displayed in Select, enter the keyword of a
profile name and click .

ACL ACL to be selected and configured. A user

group can be bound to a single ACL, multiple
ACLs, or no ACL.
When multiple ACLs are bound to a user
group, the system matches packets against the
ACLs in the order that the ACLs are bound,
from top to bottom in the list. To adjust the
binding order, click or of each entry.
l ACL Number: specifies the ID of the
bound ACL.
l ACL Name: specifies the name of the
bound ACL.
l ACL Description: specifies the description
of the bound ACL.
l Operation: adjusts the matching order or
ACLs or unbinds an ACL.

l Modify a user group.

a. Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
b. Click the name of the user group that you want to modify.
c. In the Modify User Group page that is displayed, set parameters for modifying a
user group. Table 4-61 describes the parameters for modifying a user group.
d. Click OK to save your configuration.
l Delete a user group.
a. Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
b. Select the user group that you want to delete and click Delete. In the info dialog
box that is displayed, click OK.
----End

QoS Profile

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 156

Context
In a QoS profile, you can configure parameters such as the bandwidth limit and priority. After
a QoS profile is bound to a user group, the RADIUS server can deliver user group
information to an AC so that the AC can limit the bandwidth of users.

Procedure
l Create a QoS profile.
a. Choose Configuration > Security > User Group > QoS Profile to display the
QoS Profile page.
b. On the QoS Profile page, click Create. The Create QoS Profile page is displayed.
c. Set the parameters on the Create QoS Profile page that is displayed. Table 4-62
describes the parameters.

Table 4-62 Parameters for creating a QoS profile

Parameter Description

Profile name Name of a QoS profile.

User priority User priority. The value is an integer

that ranges from 0 to 7. A larger value
indicates a higher priority.

Inbound CAR Parameters Traffic policing parameters for

incoming traffic.

CIR(kbit/s) Committed information rate (CIR),

which is the average rate of traffic that
can pass through.

PIR(kbit/s) Peak information rate (PIR), which is

the maximum rate of traffic that can
pass through.
The PIR cannot be smaller than the
CIR.

CBS(bytes) Committed burst size (CBS), which is

the average volume of burst traffic that
can pass through.
The CBS cannot be smaller than the
CIR.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 157

Parameter Description

PBS(bytes) Peak burst size (PBS), which is the

maximum volume of burst traffic that
can pass through.
The PBS cannot be smaller than the
CIR.

Outbound CAR Parameters Traffic policing parameters for

outgoing traffic.

CIR(kbit/s) Committed information rate (CIR),

which is the average rate of traffic that
can pass through.

PIR(kbit/s) Peak information rate (PIR), which is

the maximum rate of traffic that can
pass through.
The PIR cannot be smaller than the
CIR.

CBS(bytes) Committed burst size (CBS), which is

the average volume of burst traffic that
can pass through.
The CBS cannot be smaller than the
CIR.

PBS(bytes) Peak burst size (PBS), which is the

maximum volume of burst traffic that
can pass through.
The PBS cannot be smaller than the
CIR.

d. Click OK.
l Modify a QoS profile.
a. Choose Configuration > Security > User Group > QoS Profile to display the
QoS Profile page.
b. Click the name of the QoS profile that you want to modify. The Modify QoS
Profile page is displayed.
c. On the Modify QoS Profile page, re-enter or reselect the parameters. Table 4-62
describes the parameters. Profile name cannot be modified.
d. Click OK.
l Delete a QoS profile.
a. Choose Configuration > Security > User Group > QoS Profile to display the
QoS Profile page.
b. On the QoS Profile page, select the QoS profile to be deleted and click Delete.
c. Click OK.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 158

4.4.3 ACL

Basic ACL Settings

Context
After basic ACLs are configured, routers classify IPv4 packets based on information such as
source IP addresses, destination IP addresses, and time ranges in the packets.

Procedure
l Create a basic ACL.
a. Choose Configuration > Security > ACL > Basic ACL Settings. The Basic ACL
Settings page is displayed.
b. Click Create. On the Create Basic ACL page that is displayed, enter the ACL
name, ACL number, and ACL description, and click OK.

The new basic ACL is added to the basic ACL list.

NOTE

If you enter only the ACL name, the device automatically assigns an ACL number. The ACL
number is the greatest among the available ACL numbers.
c. Add rules to the basic ACL.
i. Click Add Rule in the new ACL.
ii. Set parameters on the Add Rule page that is displayed. Table 4-63 describes
the parameters for adding a rule.

iii. Click OK.

○ To modify a rule, click the number of the rule, and then modify the
parameters on the Modify Rule page.

○ To delete a rule, click to the right of the rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 159

Table 4-63 Parameters for adding a rule to a basic ACL

Parameter Description

Rule ID ACL rule ID.

NOTE
If you do not specify a rule ID, the system allocates
an ID for the rule. The rule ID cannot be changed.

Action Whether to permit or deny packets.

Source IP Source IP address and wildcard of packets to

be matched by the ACL rule.
Wildcard
The source address and wildcard are both in
dotted decimal notation.
NOTE
A wildcard is in dotted decimal notation. After the
value is converted into a binary number, the value 0
indicates that the IP address needs to be matched
and the value 1 indicates that the IP address does
not need to be matched. The value 1 and 0 can be
discontinuous. For example, the IP address
192.168.1.169 and the wildcard 0.0.0.172 represent
the website 192.168.1.x0x0xx01. The value x can
be 0 or 1.
If no source address or wildcard is specified, the
packets with any source address are matched with
the ACL rule.

Time range Name of a time range during which ACL rules

take effect.
NOTE
The time range name is displayed on the Validity
Time tab page.
If this parameter is not specified, ACL rules are
always valid.

l Modify a basic ACL.

a. Choose Configuration > Security > ACL > Basic ACL Settings. The Basic ACL
Settings page is displayed.
b. In the basic ACL list, click Modify to the right of the basic ACL that you want to
modify. Modify the ACL description and click OK.
l Delete a basic ACL.
a. Choose Configuration > Security > ACL > Basic ACL Settings. The Basic ACL
Settings page is displayed.

b. In the basic ACL list, click to the right of the basic ACL that you want to
delete or select the basic ACL and click Delete. Click OK in the Info dialog that is
displayed.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 160

Advanced ACL Settings

Context
After advanced ACLs are configured, routers classify IPv4 packets based on information such
as source IP addresses, destination IP addresses, source port numbers, destination port
numbers, protocol types, priorities, and time ranges in the packets.

Procedure
l Create an advanced ACL.
a. Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
b. Click Create. On the Create Advanced ACL page that is displayed, enter the ACL
name, ACL number, and ACL description, and click OK.

The new advanced ACL is added to the advanced ACL list.

NOTE

If you enter only the ACL name, the device automatically assigns an ACL number. The ACL
number is the greatest among the available ACL numbers.
c. Add a rule to the advanced ACL.
i. Click Add Rule in the new ACL.
ii. Set parameters on the Add Rule page that is displayed. Table 4-64 describes
the parameters for adding a rule.

iii. Click OK.

○ To modify a rule, click the number of the rule, and then modify the
parameters on the Modify Rule page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 161

○ To delete a rule, click to the right of the rule.

Table 4-64 Parameters for adding a rule to an advanced ACL

Parameter Description

Rule ID ACL rule ID.

NOTE
If you do not specify a rule ID, the system allocates
an ID for the rule. The rule ID cannot be changed.

Action Whether to permit or deny packets.

Protocol type Advanced ACL rules support the following

protocol types:
l GRE(47)
l ICMP(1)
When this parameter is set to ICMP(1), set
ICMP parameter whose value is in the
format of ICMP message type/message
code.
l IGMP(2)
l IP
l IPINIP(4)
l OSPF(89)
l TCP(6)
l UDP(17)
l Customized type
NOTE
The value Customized type is valid only in the
Add Rule dialog box.
When this parameter is set to Customized type,
enter a protocol number in the Customized
parameter text box.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 162

Parameter Description

Matching priority The following types of priority to be matched

are supported:
l none
The ACL rule does not filter packets based
on the priority field.
l Differentiated services code point (DSCP)
priority
The ACL rule filters packets based on the
DSCP value. Enter a DSCP priority in the
text box displayed after you select DSCP
priority.
l IP priority
After selecting IP priority, you can set
ToS and Precedence.
– ToS
The ACL rule filters packets based on
the ToS field. Enter a ToS priority in the
text box displayed after you select IP
priority.
– Precedence
The ACL rule filters packets based on
the IP priority field. Enter a Precedence
priority in the text box displayed after
you select IP priority.

Source IP/Wildcard Source IP address and wildcard of packets to

be matched by the ACL rule.
The source address and wildcard are both in
dotted decimal notation.
NOTE
A wildcard is in dotted decimal notation. After the
value is converted into a binary number, the value 0
indicates that the IP address needs to be matched
and the value 1 indicates that the IP address does
not need to be matched. The value 1 and 0 can be
discontinuous. For example, the IP address
192.168.1.169 and the wildcard 0.0.0.172 represent
the website 192.168.1.x0x0xx01. The value x can
be 0 or 1.
If no source address or wildcard is specified, the
packets with any source address are matched with
the ACL rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 163

Parameter Description

Dest IP/Wildcard Destination IP address and wildcard of packets

to be matched by the ACL rule.
The destination address and wildcard are both
in dotted decimal notation.
NOTE
If no destination address or wildcard is specified,
the packets with any destination address are
matched with the ACL rule.

Source port number This parameter is valid only when the protocol
type is TCP or UDP. If this parameter is not
specified, Transmission Control Protocol
(TCP) or User Datagram Protocol (UDP)
packets with any source port are matched.

Dest port number This parameter is valid only when the protocol
type is TCP or UDP. If this parameter is not
specified, TCP or UDP packets with any
destination port are matched.

Time range Name of a time range during which ACL rules

take effect.
NOTE
The time range name is displayed on the Validity
Time tab page.
If this parameter is not specified, ACL rules are
always valid.

l Modify a advanced ACL.

a. Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
b. In the basic ACL list, click Modify to the right of the advanced ACL that you want
to modify. Modify the ACL description and click OK.
l Delete an advanced ACL.
a. Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.

b. In the advanced ACL list, click to the right of the advanced ACL that you want
to delete or select the advanced ACL and click Delete. Click OK in the Info dialog
that is displayed.

----End

Layer 2 ACL Settings

Context
A Layer 2 ACL classifies data packets according to the link layer information, including the
source MAC address, VLAN ID, Layer 2 protocol type, and destination MAC address.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 164

Procedure
l Create a Layer 2 ACL.
a. Choose Configuration > Security > ACL > Layer 2 ACL Settings. The Layer 2
ACL Settings page is displayed.
b. Click Create. On the Create Layer 2 ACL page that is displayed, enter the ACL
name, ACL number and ACL description, and click OK.

c. Add a rule to the Layer 2 ACL.

i. Click Add Rule in the new ACL.
ii. Set parameters on the Add Rule page that is displayed. Table 4-65 describes
the parameters for adding a rule.

Table 4-65 Parameters for adding a rule to a Layer 2 ACL

Parameter Description

Rule ID ACL rule ID. The value is an integer that

ranges from 0 to 4294967294.
NOTE
If you do not specify a rule ID, the system
allocates an ID for the rule. The rule ID cannot
be changed.

Action Whether to permit or deny packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 165

Parameter Description

Source MAC address/Mask Source MAC address and mask of packets

to be matched by the ACL rule.
You can obtain the required source MAC
address range by specifying source MAC
address and mask. For example, 00e0-
fc01-0101 ffff-ffff-ffff specifies a MAC
address 00e0-fc01-0101, whereas 00e0-
fc01-0101 ffff-ffff-0000 specifies a MAC
address range from 00e0-fc01-0000 to
00e0-fc01-ffff.

Dest MAC address/Mask Destination MAC address and mask of

packets to be matched by the ACL rule.
You can obtain the required destination
MAC address range by specifying
destination MAC address and mask. For
example, 00e0-fc01-0101 ffff-ffff-ffff
specifies a MAC address 00e0-fc01-0101,
whereas 00e0-fc01-0101 ffff-ffff-0000
specifies a MAC address range from 00e0-
fc01-0000 to 00e0-fc01-ffff.

Layer 2 protocol type Protocol types supported by Layer 2 ACL

rules. Each protocol type corresponds to a
hexadecimal value. Layer 2 ACL rules
support the following protocol types:
l ARP, corresponding to 0x0806
l IP, corresponding to 0x0800
l IPv6, corresponding to 0x08dd
l RARP, corresponding to 0x8035
l Customized type. When this parameter
is set to Customized type, enter a
protocol number in the text box. The
value is ranging from 0x600 to 0xFFFF

Protocol type mask Mask of protocol number.

Source VLAN ID/Source Outer VLAN ID contained in a packet that

VLAN ID mask matches the rule.
l Source VLAN ID: specifies the number
of the VLAN ID.
l Source VLAN ID mask: specifies the
mask of the VLAN ID.

802.1p priority 802.1p priority in the outer VLAN tag of a

packet that matches the rule. The value is
an integer ranging from 0 to 7.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 166

Parameter Description

Time range Name of a time range during which ACL

rules take effect.
NOTE
The time range name is displayed on the
Validity Time tab page. For the configuration,
see Validity Time
If this parameter is not specified, ACL rules are
always valid.

iii. Click OK.

iv. To modify a rule, click the number of the rule, and then modify the parameters
on the Modify Rule page.

v. To delete a rule, click to the right of the rule. Click OK in the Confirm
dialog that is displayed.
l Modify a Layer 2 ACL.
a. Choose Configuration > Security > ACL > Layer 2 ACL Settings. The Layer 2
ACL Settings page is displayed.
b. In the basic ACL list, click Modify to the right of the Layer 2 ACL that you want to
modify. Modify the ACL description and click OK.
l Delete a Layer 2 ACL.
a. Choose Configuration > Security > ACL > Layer 2 ACL Settings. The Layer 2
ACL Settings page is displayed.

b. In the Layer 2 ACL list, click to the right of the Layer 2 ACL that you want to
delete or select the Layer 2 ACL and click Delete. Click OK in the Confirm dialog
that is displayed.

----End

User ACL Settings

Context
After user ACLs are configured, routers classify IPv4 packets based on information such as
source IP addresses, destination IP addresses, source port numbers, destination port numbers,
protocol types, priorities, time ranges and user group in the packets.

Procedure
l Create a user ACL.
a. Choose Configuration > Security > ACL > User ACL Settings. The User ACL
Settings page is displayed.
b. Click Create. On the Create User ACL page that is displayed, enter the ACL
name, ACL number and ACL description, and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 167

The new user ACL is added to the user ACL list.

c. Add a rule to the user ACL.
i. Click Add Rule in the new ACL.
ii. Set parameters on the Add Rule page that is displayed. Table 4-66 describes
the parameters for adding a rule.

iii. Click OK.

○ To modify a rule, click the number of the rule, and then modify the
parameters on the Modify Rule page.

○ To delete a rule, click to the right of the rule.

Table 4-66 Parameters for adding a rule to a user ACL

Parameter Description

Rule ID ACL rule ID.

NOTE
If you do not specify a rule ID, the system allocates
an ID for the rule. The rule ID cannot be changed.

Action Whether to permit or deny packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 168

Parameter Description

Protocol type User ACL rules support the following protocol

types:
l GRE(47)
l ICMP(1)
When this parameter is set to ICMP(1), set
ICMP parameter whose value is in the
format of ICMP message type/message
code.
l IGMP(2)
l IP
l IPINIP(4)
l OSPF(89)
l TCP(6)
l UDP(17)
l Customized type
NOTE
The value Customized type is valid only in the
Add Rule dialog box.
When this parameter is set to Customized type,
enter a protocol number in the Customized
parameter text box.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 169

Parameter Description

Matching priority The following types of priority to be matched

Source IP/Wildcard Source IP address and wildcard of packets to

Source user group User group information about the source user
whose IP address matches the ACL rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 170

Parameter Description

Dest IP/Wildcard Destination IP address and wildcard of packets

Dest user group User group information about the destination

user whose IP address matches the ACL rule.

Dest port number This parameter is valid only when the protocol
type is TCP or UDP. If this parameter is not
specified, TCP or UDP packets with any
destination port are matched.

Time range Name of a time range during which ACL rules

take effect.
NOTE
The time range name is displayed on the Validity
Time tab page.
If this parameter is not specified, ACL rules are
always valid.

l Modify a user ACL.

a. Choose Configuration > Security > ACL > User ACL Settings. The User ACL
Settings page is displayed.
b. In the basic ACL list, click Modify to the right of the user ACL that you want to
modify. Modify the ACL description and click OK.
l Delete a user ACL.
a. Choose Configuration > Security > ACL > User ACL Settings. The User ACL
Settings page is displayed.

b. In the user ACL list, click to the right of the user ACL that you want to delete
or select the user ACL and click Delete. Click OK in the Info dialog that is
displayed.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 171

Validity Time

Context
To start services or functions periodically or make them effective in a specified period of time,
you can set a time range for ACL rules.

Procedure
l Create a time range.
a. Choose Configuration > Security > ACL > Validity Time. The Validity Time
page is displayed.
b. Click Create, and set parameters on the Create Time Range page that is displayed.
Table 4-67 describes the parameters for creating a time range.

c. Click OK.
The new time range is added to the time range list.

Table 4-67 Parameters for creating a time range

Parameter Description

Time range name Name of a time range during which ACL rules
take effect.

Periodic Time Range Period during which ACL rules take effect.
The Periodic Time Range area has
parameters Validity time, Start time, and
End time.
Set Validity time to one or more days of the
week.
Both the values of Start time and End time
range from 00:00 to 23:59. When both the start
time and end time are set to 00:00, the ACL
validity period starts at 0 am and ends at 12
pm.
After setting the three parameters, click Add.
To create multiple ACL validity periods,
repeat this procedure.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 172

Parameter Description

Validity Period Time range during which ACL rules take

effect. The Validity Period area has
parameters Start time and End time.
After setting the two parameters, click Add.
To create multiple validity time ranges, repeat
this procedure.
NOTE
If the end time is not specified, the device takes the
allowed maximum value, for example, 23:59
2099/12/31.

l Modify a time range.

a. Choose Configuration > Security > ACL > Validity Time. The Validity Time
page is displayed.
b. In the time range list, click the time range that you want to modify.
c. On the Modify Time Range page that is displayed, modify the parameters. For the
parameter description, see Table 4-67.

The Time range name parameter cannot be modified. To delete the configured
time range, click to the right of Added Time Range.
d. Click OK to save the configuration.
l Delete a time range.
a. Choose Configuration > Security > ACL > Validity Time. The Validity Time
page is displayed.
b. In the time range list, select the time range that you want to delete and click Delete.
Click OK in the Info dialog that is displayed.

----End

Domain Name Configuration

Context
ACLs can be configured to control network access rights of users. If an administrator needs to
control user access to a certain domain name, the administrator can search for the IP address
matching the domain name and control rights of users for access to the IP address. If a domain
name matches multiple IP addresses, the maintenance workload of the administrator will be
heavy. In this case, you can configure a global domain name and control access rights through
the global name in ACLs.

You can only configure global domain names for ACLs 6000 to 6031 delivered to APs.

Procedure
l Create a domain name.
a. Choose Configuration > Security > ACL > Domain Name Configuration. The
Domain Name Configuration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 173

b. Click Create, and set Domain name ID and Domain name on the Create domain
name page that is displayed. Table 4-68 describes the parameters for creating a
domain name.

c. Click OK.

Table 4-68 Parameters for creating a domain name

Parameter Description

Domain name ID The ID of a global domain name.

Domain name The value is a string of 3 to 127 case-

insensitive characters. It can only contain
digits, letters, and special characters such as -,
_, ., and *. The asterisk (*) can only be placed
at the beginning of the character string.
For example, the domain name weixin.com
matches only weixin.com. The domain name
*.weixin.com matches weixin.com and sub-
domain names vip.weixin.com and
auth.vip.weixin.com.

l Modify a domain name.

a. Choose Configuration > Security > ACL > Domain Name Configuration. The
Domain Name Configuration page is displayed.
b. In the domain name list, click the domain ID that you want to modify, and modify
the Domain name. For the parameter description, see Table 4-68. The Domain
name ID parameter cannot be modified.
c. Click OK to save the configuration.
l Delete a domain name.
a. Choose Configuration > Security > ACL > Domain Name Configuration. The
Domain Name Configuration page is displayed.
b. In the domain name list, select the domain name that you want to delete and click
Delete. Click OK in the Info dialog that is displayed.
----End

4.4.4 SSL
SSL

Context
A device supports server Secure Sockets Layer (SSL) policies and client SSL policies.
l To use a device as an SSL server, configure a server SSL policy on the device. During an
SSL handshake, the device uses SSL parameters in the server SSL policy to negotiate

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 174

session parameters with an SSL client. After the handshake is complete, the device
establishes a session with the client.
l To use a device as an SSL client, configure a client SSL policy on the device. During an
SSL handshake, the device uses SSL parameters in the client SSL policy to negotiate
session parameters with the SSL server. After the handshake is complete, the device
establishes a session with the server.

Procedure
l Create an SSL policy.
– Create a server SSL policy.
i. Choose Configuration > Security > SSL. The SSL page is displayed.
ii. Click Create. The Create SSL Policy page is displayed. Set SSL policy type
to Server, and set other parameters according to Table 4-69.

iii. Click OK.

The new server SSL policy is added to the SSL list.

Table 4-69 Parameters for creating a server SSL policy

Parameter Description

SSL policy name Name of an SSL policy, which is case-

sensitive.

PKI domain Name of a PKI domain.

Maximum session count Maximum number of sessions that can be

saved on the SSL server.

Session timeout interval Timeout period of a saved session.

Supported cipher suite Cipher suite supported by the server SSL

policy.

– Create a client SSL policy.

i. Choose Configuration > Security > SSL. The SSL page is displayed.
ii. Click Create. The Create SSL Policy page is displayed. Set SSL policy type
to Client, and set other parameters according to Table 4-70.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 175

iii. Click OK.

The new client SSL policy is added to the SSL list.

Table 4-70 Parameters for creating a client SSL policy

Parameter Description

SSL policy name Name of an SSL policy, which is case-

sensitive.

SSL server identity Whether to enable SSL server identity

authentication authentication.

PKI domain Name of a PKI domain.

SSL protocol version SSL protocol version.

Preferred cipher suite Cipher suite used by the client SSL policy.

l Modify an SSL policy.

a. Choose Configuration > Security > SSL. The SSL page is displayed.
b. Click the name of the SSL policy that you want to modify.
c. On the Modify SSL Policy page that is displayed, modify the SSL policy
parameters according to Table 4-69 or Table 4-70. The values of SSL policy name
and SSL policy type cannot be modified.
d. Click OK to save your configuration.
l Delete an SSL policy.
a. Choose Configuration > Security > SSL. The SSL page is displayed.
b. Select the SSL policy that you want to delete and click Delete. In the info dialog
box that is displayed, click OK.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 176

4.4.5 PKI

PKI Entity

Context
A certificate binds a public key to a set of information that uniquely identifies a public key
interface (PKI) entity. The parameters of an entity indicate the identity information of the
entity. A Certificate Authority (CA) uniquely identifies a certificate applicant based on
identity information provided by an entity.

Procedure
l Create a PKI entity.
a. Choose Configuration > Security > PKI > PKI Entity. The PKI Entity page is
displayed.
b. Click Create. On the Create PKI Entity page that is displayed, set parameters for
creating a PKI entity. Table 4-71 describes the parameters for creating a PKI entity.

c. Click OK.

Table 4-71 Parameters for creating a PKI entity

Parameter Description

PKI entity name Name of a PKI entity.

Common name Common name of a PKI entity.

IP address IP address of a PKI entity.

Domain name Fully qualified domain name (FQDN)

of a PKI entity.

Country/Area Country name or province name of a

PKI entity.

State/Province State name or province name of a PKI

entity.

Geographic region Geographic area of a PKI entity.

Organization Organization name of a PKI entity.

Department Department name of a PKI entity.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 177

l Modify a PKI entity.

a. Choose Configuration > Security > PKI > PKI Entity. The PKI Entity page is
displayed.
b. In the PKI entity list, click the name of the PKI entity that you want to modify.
c. On the Modify PKI Entity page, re-enter or select parameters. PKI entity name
cannot be modified.
d. Click OK.
l Delete a PKI entity.
a. Choose Configuration > Security > PKI > PKI Entity. The PKI Entity page is
displayed.
b. In the PKI entity list, select the PKI entity that you want to delete and click Delete.
In the Info dialog box that is displayed, click OK.
NOTE

When a PKI entity is referenced by a PKI domain, delete the PKI entity from the PKI domain
before you delete the PKI entity.

----End

PKI Domain

Context
Before an entity applies for a certificate, some enrollment information must be configured.
The collection of the enrollment information is called the PKI domain of an entity.

Procedure
l Create a PKI domain.
a. Choose Configuration > Security > PKI > PKI Domain. The PKI Domain page
is displayed.
b. Click Create. On the page that is displayed, set parameters for creating a PKI
domain. Table 4-72 describes the parameters for creating a PKI domain.

c. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 178

Table 4-72 Parameters for creating a PKI domain

Parameter Description

PKI domain name Name of a PKI domain.

PKI entity name Name of a created PKI entity.

Certificate check method Certificate check mode, which can be

crl, ocsp, or none.

Certificate revocation password Revocation password of the certificate.

Confirm password Confirmed revocation password of the

certificate.

Automatic registration and update Whether to enable the automatic

certificate enrollment and update
function.

Percentage Percentage of the certificate's validity

period after which a new certificate is
requested automatically. This
parameter is valid only when
Automatic registration and update is
set to Enable.

Regenerate key Whether to generate a key again. This

parameter is valid only when
Automatic registration and update is
set to Enable.

CA identifier ID of a CA.

Certificate request URL Enrollment URL.

The URL is in the format of http://
server_location/ca_script_location. The
server_location field supports only the
IP address format and the
ca_script_location field is the path
where CA's application script is
located, for example, http://
10.137.145.158:8080/certsrv/mscep/
mscep.dll.

RA mode Whether to enable the registration

authority (RA) mode.

Certification signature hash algorithm Hash algorithm used to sign certificate

enrollment requests. You can set the
hash algorithm to MD5, SHA256,
SHA384, SHA512, or SHA1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 179

Parameter Description

CA certificate fingerprint CA certificate fingerprint used in CA

certificate authentication. The options
are as follows:
l MD5: message digest algorithm 5
l SHA1: secure hash algorithm 1

OCSP server URL URL of the Online Certificate Status

Protocol (OCSP) server.

CDP URL CRL distribution point (CDP) URL.

CRL refers to certificate revocation
list.

CRL cache Whether to use the buffered CRL in the

PKI domain.

CRL update interval Interval for updating the CRL.

l Modify a PKI domain.

a. Choose Configuration > Security > PKI > PKI Domain. The PKI Domain page
is displayed.
b. In the PKI domain list, click the name of the PKI domain that you want to modify.
c. On the Modify PKI Domain page, re-enter or select parameters. PKI domain
name cannot be modified.
d. Click OK.
l Delete a PKI domain.
a. Choose Configuration > Security > PKI > PKI Domain. The PKI Domain page
is displayed.
b. In the PKI domain list, select the PKI domain that you want to delete and click
Delete. In the Info dialog box that is displayed, click OK.
NOTE

A PKI domain is referenced by the SSL policy cannot be deleted. To delete the PKI domain,
remove the PKI domain from the SSL policy first. For details on how to modify or delete an SSL
policy, see 4.4.4 SSL.
l Registering a PKI certificate

You can register a PKI certificate in either of the following ways:

a. In the Create PKI Domain dialog box, select Enable next to Automatic
registration and update and click OK. The device generates certificate files
***_ca.cer, ***_local.cer, and ***_ra.cer. *** indicates the name of the new PKI
domain.
b. In the Create PKI Domain dialog box, deselect select Enable next to Automatic
registration and update and register the PKI certificate as follows:
i. Choose Configuration > Security Management > PKI > PKI Domain. The
PKI Domain page is displayed.
ii. Select a PKI domain in the PKI Domain Information area.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 180

iii. Click Register Certificate.

iv. In the dialog box that is displayed, click OK. The device generates certificate
files ***_ca.cer, ***_local.cer, and ***_ra.cer. *** indicates the name of the
new PKI domain.
l Importing a PKI certificate
a. Choose Configuration > Security > PKI > PKI Domain. The PKI Domain page
is displayed.
b. Select a PKI domain in the PKI Domain Information area and click Import
Certificate. In the dialog box that is displayed, set certificate parameters. Table
4-73 describes the parameters.

Table 4-73 Parameters for importing a PKI certificate

Item Description

Certificate type Certificate type, which can be Local,

CA, or OCSP.

Certificate format Certificate format, which can be DER,

P12, or PEM.

Certificate name Certificate file to be imported.

l The name extension of a DER
certificate file is .der or .cer.
l The name extension of a P12
certificate file is .p12.
l The name extension of a PEM
certificate file is .pem or .cer.

Private key file format Private key file format, which can be
DER, P12, or PEM.

Private key file name Private key file to be imported.

l The name extension of a DER
certificate file is .der or .cer.
l The name extension of a P12
certificate file is .p12.
l The name extension of a PEM
certificate file is .pem or .cer.

Private key password Password of the private key.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 181

NOTE

Private key file format, Private key file name, and Private key password are displayed
only when Certificate type is set to Local.
c. Click OK. The PKI certificate is imported.
l Exporting a PKI certificate
a. Choose Configuration > Security > PKI > PKI Domain. The PKI Domain page
is displayed.
b. Select a PKI domain in the PKI Domain Information area and click Export
Certificate. In the dialog box that is displayed, set certificate parameters. Table
4-74 describes the parameters.

Table 4-74 Parameters for exporting a PKI certificate

Item Description

Certificate type Certificate type, which can be Local,

CA, or OCSP.

Certificate format Certificate format, which can be DER,

P12, or PEM.

Certificate name Certificate file to be exported.

Private key file format Private key file format, which can be
P12 or PEM.

Private key file name Private key file to be exported.

Private key password Password of the private key.

Confirm Password Confirm password of the private key.

NOTE

Private key file format, Private key file name, Private key password, and Confirm
Password are displayed only when Certificate type is set to Local.
c. Click OK. The PKI certificate is exported.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 182

4.4.6 Security Defense

ACL Filtering

Context
An ACL is a set of rules that can only differentiate packets.
After ACLs are configured, you can configure ACL filtering to apply the ACLs so that
packets are filtered.

Procedure
l Create an ACL filter.
a. Choose Configuration > Security > Security Defense > ACL Filtering. The ACL
Filtering page is displayed.
b. Click Create. The Create ACL Filtering page is displayed. Set parameters for
creating an ACL filter. Table 4-75 describes the parameters for creating an ACL
filter.

c. Click OK.
The new ACL filter is added to the ACL filter list.

Table 4-75 Parameters for creating an ACL filter

Parameter Description

Select interface Name of the interface to which the ACL filter

is applied.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 183

Parameter Description

ACL ACL to be applied.

Click . The Add Rule page is

displayed. Select an ACL to be applied in the
ACL list and click OK.
If there are too many ACLs in the ACL list, set
the search criteria in the upper right corner.
Enter a key word in the search box and click
. The ACLs matching the key word are
displayed.
NOTE
The displayed ACLs are those configured in Basic
ACL Settings, Advanced ACL Settings, and User
ACL Settings.
The ACLs used for packet filtering on an interface
can be basic ACLs, advanced ACLs, and user
ACLs.

Direction Direction of the packets where an ACL filter is

applied.

l Modify an ACL filter.

a. Choose Configuration > Security > Security Defense > ACL Filtering. The ACL
Filtering page is displayed.
b. In the ACL filter list, click the name of the ACL filter that you want to modify.
c. On the Modify ACL Filtering page that is displayed, set parameters for modifying
an ACL filter. Table 4-75 describes the parameters for modifying an ACL filter.
The Interface name parameter and Direction parameter cannot be modified.
d. Click OK to save your configuration.
l Delete an ACL filter.
a. Choose Configuration > Security > Security Defense > ACL Filtering. The ACL
Filtering page is displayed.
b. In the ACL filter list, select the ACL filter that you want to delete and click Delete.
In the Info dialog box that is displayed, click OK.
----End

4.4.7 Attack Defense

Context
Enable the security engine function before using the URL filtering, intrusion prevention,
antivirus, and Smart Application Control (SAC) functions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 184

Procedure
Step 1 Choose Configuration > Security > Attack Defense. The Attack Defense page is displayed.

Step 2 Set Security Engine to ON or OFF to enable or disable the security engine function.

----End

4.5 Other Services

4.5.1 Bonjour Gateway

Context
The device as the Bonjour gateway needs to maintain service lists of all service provisioning
devices. A service list records the service name, service type, service VLAN, TTL, host name,
and IP address. The TTL is provided by a service provisioning device to the Bonjour gateway,
and represents the aging time of a service. If the Bonjour gateway receives Bonjour response
packets from a service provisioning device within the aging time, the Bonjour gateway
updates its service information. If the Bonjour gateway does not receive Bonjour response
packets from a service provisioning device within the aging time, the Bonjour gateway deletes
its service information.

NOTE
When using the Bonjour gateway function, ensure that the route between the Bonjour gateway and Bonjour
device is reachable.

Procedure
l Global Setting
a. Choose Configuration > Other Services > Bonjour. The Bonjour page is
displayed.
b. In Global Setting, set Bonjour gateway to ON, enter the source IP address in
Source IP, and click Apply. The Bonjour gateway function is enabled.

n Source IP specifies the source IP address of Multicast Domain Name Service

(mDNS) Request packets periodically sent by the Bonjour gateway to discover
services. When sending an mDNS Request packet, the Bonjour gateway
encapsulates the configured source IP address into the packet so that it can
receive reply packets from service provision devices.
NOTE
Source IP is configured to ensure integrity of IP packets. The Bonjour server does not use
this IP address as the destination IP address of reply packets. Therefore, Source IP can be
an IP address existent or non-existent on the server.
n If periodic service discovery is enabled on the Bonjour gateway in a VLAN
and an IP address is configured for the corresponding VLANIF interface, the

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 185

Bonjour gateway automatically encapsulates the IP address of the VLANIF

interface into the mDNS Request packet rather than the source IP address
configured by the user. In this case, you do not need to configure the value of
Source IP address.
l Specify Device to Discover VLANs
– Create Scheduled Service Discovery
i. In Specify Device to Discover VLANs, click Create. The Create Scheduled
Service Discovery page is displayed.
ii. Configure parameters and click OK. See Table 4-76 for descriptions of the
corresponding parameters.

Table 4-76 Descriptions of Create Scheduled Service Discovery parameters

Item Description

Service discovery interval Interval at which the Bonjour

gateway starts discovering services.
The Bonjour gateway sends service
query messages at regular intervals
and updates the service information
table based on reply messages
received from the service provision
devices.

Select VLAN ID of the VLAN where the service

provision device resides.

Click to add VALN IDs. You

can add multiple VLAN IDs at a
time.

– Modify Periodic Service Discovery

i. In Specify Device to Discover VLANs, click the VLAN ID of the scheduled
discovery task that you want to modify. The Modify Scheduled Service
Discovery page is displayed.
ii. Modify parameters and click OK. See Table 4-76 for descriptions of the
corresponding parameters.
– Delete VLANs discovered by the device.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 186

In Specify Device to Discover VLANs, select the VLANs to be deleted and click
Delete. The selected VLANs are deleted.
l Service Information List
Display service information details.
In Service Info List, click Information Details. The Service Information Details page
is displayed. See Table 4-77 for descriptions of Service Information Details
parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 187

Table 4-77 Descriptions of Service Information Details parameters

Item Description

Domain Name Domain name mapping the service name.

Port Port number.

Cache Flush Service buffer information.

Class Type of the service.

TTL TTL of the service.

Aging Time Aging time of the service, that is, time

elapsed since the service was recorded, in
seconds.

Data Length TXT data length.

Priority Service priority.

Weight Service weight.

VLAN ID Service VLAN ID.

IP Address IP address mapping the domain name.

Text Service text.

----End

4.5.2 SAC

Signature File

Context
After the security engine is enabled, the system automatically loads the default signature
database.

Procedure
l Check the SAC signature database.
Choose Configuration > Other Services > SAC > Signature File. The Signature File
page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 188

----End

Application Protocol Group

Procedure
l Check the application protocol groups.

Choose Configuration > Other Services > SAC > Application Protocol Group. The
Application Protocol Group page is displayed.

----End

Voice&Video Optimization

Procedure
l Turn on the voice optimization
a. Choose Configuration > Other Services > SAC > Voice&Video Optimization.
The Voice&Video Optimization page is displayed.
b. In the Voice&Video Optimization page, turn the Voice optimization to ON,click
Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 189

l Turn on the video optimization

a. Choose Configuration > Other Services > SAC > Voice&Video Optimization.
The Voice&Video Optimization page is displayed.
b. In the Voice&Video Optimization page, turn the Video optimization to ON,click
Apply.
l Turn on the voice optimization and video optimization at the same time
a. Choose Configuration > Other Services > SAC > Voice&Video Optimization.
The Voice&Video Optimization page is displayed.
b. In the Voice&Video Optimization page, turn the Voice optimization and Video
optimization to ON, click Apply at the same time.

----End

Lync

Procedure
l Enable the device to interact with a Lync server and specify a local port.
a. Choose Configuration > Other Services > SAC > Lync. The Lync page is
displayed.
b. On the Lync page, set Lync listener to ON Table 4-78. Table 4-78 describes Lync
parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 190

Table 4-78 Lync parameters

Parameter Description

Type Specifies the service type, which can be HTTP

or HTTPS.

Http port Specifies the port number of the HTTP

service.

Https port Specifies the port number of the HTTPS

service.

SSL policy Specifies the SSL policy to be bound. The SSL

policy must be a server SSL policy.

c. Click Apply.

----End

4.5.3 VPN

Concepts
IPSec

IPSec is a protocol suite defined by the Internet Engineering Task Force (IETF) for securing
IP communication by authenticating and encrypting each IP packet of a communication
session. Two communicating parties can encrypt data and authenticate the data origin at the IP
layer to ensure data confidentiality and integrity and prevent replay of data packets.

IPSec uses two security protocols: Authentication Header (AH) protocol and Encapsulating
Security Payload (ESP). Key exchange and SA establishment in IPSec is implemented by the
IKE protocol, which simplifies use and management of IPSec.

IPSec Security Protocol

AH defines the authentication method and checks data integrity and data origin. ESP defines
the encryption and authentication methods and ensures data reliability.

l AH: provides data origin authentication, data integrity check, and the anti-replay service.
The sender performs hash calculation on the IP payload and all header fields of an IP
packet except for variable fields to generate a message digest. The receiver calculates a
message digest according to the received IP packet and compares the two message
digests to determine whether the IP packet has been modified during transmission. AH
does not encrypt the IP payload.
l ESP: encrypts the IP payload in addition to providing all the functions of AH. ESP can
encrypt and authenticate the IP payload but does not authenticate the IP packet header.

IPSec Peer

IPSec provides secure IP communication between two endpoints. The two endpoints are
called IPSec peers.

Security Association (SA)

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 191

A security association (SA) is a set of algorithms such as the encryption algorithm and
parameters such as keys for secure data transmission between IPSec peers.

Encapsulation Mode
l Transport mode: inserts an IPSec header between the IP header and the header of the
upper-layer protocol (AH or ESP). In this mode, the protocol type field in the IP header
is changed to AH or ESP, and the checksum in the IP header is recalculated. The
transport mode applies to communication between two hosts or between a host and a
security gateway.
l Tunnel mode: encapsulates an IPSec header (AH or ESP) on the original IP header and
adds a new IP header. In this mode, the original IP packet is transmitted as the payload of
the packet and is protected by IPSec. The tunnel mode applies to communication
between two security gateways. Packets encrypted by one security gateway must be
decrypted by the other security gateway.

Authentication Algorithm and Encryption Algorithm

l IPSec uses the Message Digest 5 (MD5) algorithm, Secure Hash Algorithm (SHA-1) or
Secure Hash Algorithm (SHA-2) for authentication. The MD5 algorithm computes faster
than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5
algorithm. SHA-2 increases the number of encrypted data bits and is more secure than
SHA-1.
l IPSec uses the DES, Triple Data Encryption Standard (3DES), or Advanced Encryption
Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by
using a key of 128 bits, 192 bits, or 256 bits.

Establishing an IPSec Tunnel Using IKE Negotiation

IKE

IKE builds upon the Internet Security Association and Key Management Protocol (ISAKMP)
and provides the key negotiation, identity authentication, and SA establishment functions to
simplify IPSec use and management.

IKE Version

IKE supports IKEv1 and IKEv2 versions.

l IKEv1: defines two phases for IPSec key negotiation. IKEv1 phase 1 operates in either
main mode or aggressive mode. The aggressive mode allows two IPSec peers to
establish an IKE SA more quickly than in main mode. In main mode, only IP addresses
can be used to identify IPSec peers. In aggressive mode, both IP addresses and names
can be used to identify IPSec peers.
l IKEv2: defines three types of exchanges and enables two IPSec peers to establish an IKE
SA more quickly than IKEv1.

IKE Security Mechanism

l Diffie-Hellman (DH) algorithm: DH algorithm is a public key algorithm. The two
communicating parties do not transmit a key but exchange data to calculate a shared key.
They use the calculated shared key to encrypt data and exchange the encrypted data.
IKE-enabled devices never directly transmit a key on an insecure network. Instead, the
devices calculate a shared key by exchanging data. Even though a third party (such as a
hacker) intercepts all exchanged data for key calculation, it cannot calculate the actual
key.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 192

l Perfect Forward Secrecy (PFS): PFS is a property that prevents other keys from being
decoded when one key is decoded. The key used in IPSec phase 2 is derived from the
key used in IPSec phase 1. After intercepting the key used in phase 1, an attacker may
collect enough information to calculate the key to be used in phase 2. PFS provides an
additional DH key exchange to secure the key used in phase 2.
l Identity authentication: authenticates identities of the two communicating parties
including pre-shared key authentication and digital certificate authentication. In pre-
shared key authentication, two communicating parties use a shared key to calculate a
digest for a received packet and compare the digest with the digest field in the packet. If
the calculated digest is the same as that in the packet, authentication succeeds; otherwise,
authentication fails. In digital certificate authentication, two communicating parities use
an agreed algorithm to calculate the digest for a packet. The sender uses its own private
key to encrypt the digest field and generates a digital signature. The receiver uses the
sender's public key to decrypt the digital signature and compares the calculated digest
with the original digest field. If the calculated digest is the same as the original digest of
the packet, authentication succeeds; otherwise, authentication fails.

Establishing an IPSec Tunnel Using an IPSec Virtual Tunnel Interface

An IPSec virtual tunnel interface is a Layer 3 logical interface supporting dynamic routing
protocols. All packets passing through the IPSec virtual tunnel interface are protected by
IPSec.
After an IPSec tunnel is established using an IPSec virtual tunnel interface, data flows routed
to the IPSec virtual tunnel interface are protected by IPSec. Compared to using an ACL to
determine data flows to be protected, using routing to determine the flows to be protected
simplifies the IPSec policy deployment and prevents IPSec configuration from being affected
by the network plan. This enhances network scalability and reduces network maintenance
costs.

IPSec Policy Management

Context
Authentication and encryption parameters in an IPSec policy must be consistent on two
devices.
For details about basic IPSec concepts, see 4.5.3 VPN.

Procedure
l Create an IPSec policy.
a. Choose Configuration > Other Services > VPN > IPSec Policy Management.
The IPSec Policy Management page is displayed.
b. Click Create. On the Create IPSec Policy page that is displayed, enter or select
parameters as required. Table 4-79 describes the parameters for creating an IPSec
policy.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 193

c. Click OK.

Table 4-79 IPSec policy parameters

Parameter Description

IPS IPSec Name of an IPSec policy.

ec connection The IPSec policy name cannot be changed after an IPSec
poli name policy is configured.
cy
para
met Name of the interface where an IPSec policy is applied.
Interface
er The interface cannot be changed after an IPSec policy is
name
setti configured.
ngs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 194

Parameter Description

Networking mode of a router:

l Branch site: The router functions as the enterprise branch
gateway and establishes IPSec tunnels between a branch
and the headquarters or among different branches.
Networkin l Headquarters site: The router functions as the
g mode headquarters gateway and establishes IPSec tunnels with
a branch after receiving an IPSec connection request
from the branch.
The networking mode cannot be changed after an IPSec
policy is configured.

ID of an IPSec policy.
The IPSec connection name and Connection ID
parameters identify an IPSec policy. Multiple IPSec policies
Connectio with the same IPSec connection name constitute an IPSec
n ID policy group. An IPSec policy group contains a maximum
of 16 IPSec policies, and an IPSec policy with the smallest
ID has the highest priority. After an IPSec policy group is
applied to an interface, all IPSec policies in the group are
applied to the interface to protect different data flows.

IKE ID of an IKE version, including IKEv1&IKEv2, IKEv1, or

version IKEv2.

IKEv1 negotiation mode.

l Main mode: The main mode separates the key exchange
information from identity authentication information.
This provides higher security.
l Aggressive mode: The aggressive mode does not provide
identity authentication but can meet special network
Negotiatio
requirements. This mode can be used to establish an IKE
n mode
SA more quickly in the following situations:
IKE
para – The IP address of the SA initiator is unknown or
met keeps changing, and both ends need to use the pre-
er shared key authentication to establish the IKE SA.
setti – The SA initiator knows the IPSec policy used by the
ngs responder.

Remote
IP address or domain name of the remote IKE peer.
address

Authentication method used by IKE:

Authentica
l Pre-shared Key
tion mode
l RSA certificate

Pre-shared key used by IKE for authentication. The local

Pre-shared
and remote ends of IKE negotiation must be configured with
Key
the same authenticator.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 195

Parameter Description

Configured public key infrastructure (PKI) domain. When

PKI
IKE uses the Revist-Shamir-Adleman Algorithm (RSA)
Domain
certificate for authentication, set this parameter.

Whether to enable Online Certificate Status Protocol

OCSP
(OCSP)

Authentication algorithm used by the IKE:

l MD5: specifies HMAC-MD5 as the authentication
algorithm.
l SHA1: specifies HMAC-SHA-1 as the authentication
algorithm.
l SHA2-256: specifies 256-bit SHA-256 as the
authentication method.
Authentica l SHA2-384: specifies 384-bit SHA-384 as the
tion authentication method.
algorithm l SHA2-512: specifies 512-bit SHA-512 as the
authentication method.
l AES-XCBC-MAC-96: specifies AES-XCBC-MAC-96
as the authentication algorithm.
The MD5 algorithm uses a 128-bit key, whereas the SHA-1
algorithm uses a 160-bit key. The MD5 algorithm computes
faster than the SHA-1 algorithm, but the SHA-1 algorithm is
more secure than the MD5 algorithm. Only IKEv2 supports
the AES-XCBC-MAC-96 algorithm.

Integrity algorithm used for IKEv2 security proposal:

l AES-XCBC-96: specifies AES-XCBC-96 as the
integrity algorithm.
l HMAC-MD5-96: specifies HMAC-MD5-96 as the
integrity algorithm.
l HMAC-SHA1-96: specifies HMAC-SHA1-96 as the
Integrity
integrity algorithm.
algorithm
l HMAC-SHA2-256: specifies HMAC-SHA2-256 as the
integrity algorithm.
l HMAC-SHA2-384: specifies HMAC-SHA2-384 as the
integrity algorithm.
l HMAC-SHA2-512: specifies HMAC-SHA2-512 as the
integrity algorithm.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 196

Parameter Description

Encryption algorithm used by the IKE:

l 3DES: indicates that the IKE uses the 168-bit Triple
Data Encryption Standard (3DES) encryption algorithm
in CBC mode.
l AES-128: indicates that the IKE uses the 128-bit
Advanced Encryption Standard (AES) encryption
algorithm.
l AES-192: indicates that the IKE uses the 192-bit AES
Encryption algorithm encryption.
algorithm l AES-256: indicates that the IKE uses the 256-bit AES
algorithm encryption.
l DES: indicates that the IKE uses the DES-CBC
encryption algorithm.
The 3DES algorithm provides high levels of privacy and
security, but its encryption speed is slow. When security is a
low priority, use the DES algorithm. You can also use the
AES algorithm, which supports keys of 128 bits, 192 bits,
and 256 bits.

Diffie-Hellman group used in IKE negotiation, which is key

negotiation:
l Group1: uses the 768-bit Diffie-Hellman group.
DH group l Group2: uses the 1024-bit Diffie-Hellman group.
ID l Group5: uses the 1536-bit Diffie-Hellman group.
l Group14: uses the 2048-bit Diffie-Hellman group.
Group1 provides the lowest encryption, while Group14
provides the strongest encryption.

Security protocol used by an IPSec:

l AH: indicates that the IPSec uses the AH protocol
defined by RFC 2402. The AH protocol authenticates the
IPS data source, verifies the data integrity, and prevents
ec packet replay. This protocol uses the MD5 authentication
para algorithm by default and does not support encryption.
Security
met
protocol l AH-ESP: indicates that the IPSec proposal encapsulates
er
setti packets through ESP, then through AH.
ngs l ESP: indicates that the IPSec uses the ESP protocol
defined by RFC 2406. The ESP protocol uses the DES
encryption algorithm. The AH protocol uses the MD5
authentication algorithm by default.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 197

Parameter Description

Authentication algorithm used by AH in the IPSec:

l MD5
AH
authenticat l SHA1
ion l SHA2-256
algorithm
l SHA2-384
l SHA2-512

Authentication algorithm used by ESP in the IPSec:

l Non-authentication
l MD5
ESP l SHA1
authenticat
ion l SHA2-256
algorithm l SHA2-384
l SHA2-512
The authentication algorithm and encryption algorithm of
ESP cannot be kept blank simultaneously.

Encryption algorithm used by ESP in the IPSec:

l Non-encryption
l 3DES: indicates that the IKE uses the 168-bit 3DES
encryption algorithm in CBC mode.
l AES-128: indicates that the IKE uses the 128-bit AES
ESP
encryption algorithm.
encryption
algorithm l AES-192: indicates that the IKE uses the 192-bit AES
algorithm encryption.
l AES-256: indicates that the IKE uses the 256-bit AES
algorithm encryption.
l DES: indicates that the IKE uses the DES-CBC
encryption algorithm.

Encapsulation mode that IPSec uses to encapsulate IP

Encapsulat packets:
ion mode l Tunneling mode
l Transmission mode

Name of a configured ACL that IPSec uses to protect data

AC flows. When the router functions as the headquarters site,
L you can configure no ACL to protect all data flows on the
para interface.
ACL
met
number For details about the ACL configuration, see Advanced
er
setti ACL Settings. IPSec supports ACL rules based on the
ng source IP address, destination IP address, destination port
number, and protocol number to protect data flows.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 198

Parameter Description

Mode in which IKE SAs are triggered:

l Auto: After an IPSec policy is applied, the system
completes IKE negotiation and establishes an IPSec
IKE
tunnel.
negotiation
l Traffic-based: When an interface receives packets, the
system completes IKE negotiation and establishes an
IPSec tunnel.

Type of the local ID used in IKE negotiation:

l IP Address: The interface IP address is used as the local
ID. When performing IKE negotiation with the peer, the
Local local device exchanges identity information with the
identity peer.
type l Name: A string of characters is used as the local ID. You
can set Local name in IPSec Global Settings to identify
the local device. When Local name is left blank, the
device name is used.

Type of the remote ID used in IKE negotiation:

Remote
l IP Address: value of Remote address (IP address/
identity
domain name).
type
Adv l Name: value of Remote name.
anc
ed Local
Name of the local ID used in IKE negotiation.
name

Remote Name of the peer in IKE negotiation. The value must be the
name local ID configured on the peer.

Whether to enable NAT traversal.

NAT
traversal The NAT traversal function is valid only when IKE
negotiation is in the aggressive mode.

Whether to enable the dead peer detection (DPD) function.

DPD IKE peers send DPD packets to check whether the other
party is alive.

DPD mode:
l On-Demand: indicates the on-demand DPD mode. If the
local end does not receive any packets from the remote
peer within the specified period, it sends a DPD packet
DPD type to check whether the remote peer is available.
l Periodic: indicates the periodic DPD mode. If the local
end does not receive any packets from the remote peer
for a long time, it sends DPD packets at specific
intervals to check whether the remote peer is available.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 199

Parameter Description

Sequence of the payload in DPD packets:

DPD
l hash-notify: indicates that the payload of DPD packets is
packet
in the sequence of hash-notify.
payload
sequence l notify-hash: indicates that the payload of DPD packets is
in the sequence of notify-hash.

DPD idle
Idle time for sending DPD packets.
time

DPD
packet
retransmis Interval for retransmitting DPD packets.
sion
interval

DPD
packet
Maximum number of times DPD packets are retransmitted.
retransmis
sion count

Algorithm used to generate the pseudo random number:

l PRF-AES-XCBC-128: indicates the AES-XCBC-128
algorithm.
l PRF-HMAC-MD5: indicates the HMAC-MD5
algorithm.
l PRF-HMAC-SHA1: indicates the HMAC-SHA-1
algorithm.
PRF l PRF-HMAC-SHA2–256: indicates the 256-bit HMAC-
SHA-256 algorithm.
l PRF-HMAC-SHA2–384: indicates the 384-bit HMAC-
SHA-384 algorithm.
l PRF-HMAC-SHA2–512: indicates the 512-bit HMAC-
SHA-512 algorithm.
Specifies 256-bit HMAC-SHA-256 as the algorithm used to
generate the pseudo random number.

The Perfect Forward Secrecy (PFS) enables IPSec to

perform an additional round of key exchange in phase 2 of
IKE negotiation to improve communication security:
l none: the PFS feature is disabled.
PFS l dh-group1: indicates the 768-bit Diffie-Hellman group.
l dh-group2: indicates the 1024-bit Diffie-Hellman group.
l dh-group5: indicates the 1536-bit Diffie-Hellman group.
l dh-group14: indicates the 2014-bit Diffie-Hellman
group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 200

Parameter Description

Lifetime of IKE SAs. Both ends negotiate a new SA before

IKE SA
the old one times out. The old SA is still used prior to the
duration
establishment of the new SA.

SA lifetime in an IPSec policy. In IPSec negotiation, the SA

uses the shorter lifetime between the lifetime set on the local
end and that set on the remote end.
The SA lifetime can be measured by time or by traffic:
l Time-based (s): indicates the period of time an SA can
exist after being established.
IPSec SA l Traffic-based (KB): indicates the maximum traffic
aging volume that an SA can process.
mode When the specified time or traffic volume is reached, the SA
becomes invalid. When the SA is about to expire, IPSec
negotiates a new SA.
By default, when no IPSec SA lifetime is set for the IPSec
policy, the global IPSec SA lifetime is used. The global
IPSec SA lifetime is set by the parameter IPSec SA aging
management in IPSec Global Settings. If IPSec SA aging
management is not set, the default value is used.

Whether to set the IP address of the local end.

Local
address By default, the local end address is the IP address of the
interface bound to the IPSec policy.

Type of the local IP address.

l Interface address: The local end address is the IP address
Address of the interface bound to the IPSec policy.
type l Specified address: When the outbound interface has a
primary address and a secondary address, enter an IP
address in the IP address text box.

IP address IP address of the local end in IKE negotiation.

Route
Whether to enable the route import function.
import

Route import mode:

l Static: The route of the IPSec peer is added to the local
routing table upon device startup and remains
Route unchanged.
import l Dynamic: Route reachability is determined based on
type IPSec tunnel status. If the IPSec tunnel is Up, the route
of the IPSec peer is added to the local routing table and
advertised on the network. If the IPSec tunnel is Down,
the route of the IPSec peer is deleted and withdrawn.

Route
Priority of an injection route.
priority

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 201

l Modify an IPSec policy.

a. Choose Configuration > Other Services > VPN > IPSec Policy Management.
The IPSec Policy Management page is displayed.
b. In IPSec Policy Management, click the name of the IPSec policy that you want to
modify.
c. In Modify IPSec Policy, enter or select parameters as required. Table 4-79
describes the parameters.
d. Click OK.

----End

IPSec Global Settings

Procedure
Step 1 ChooseConfiguration > Other Services > VPN > IPSec Global Settings. The IPSec Global
Settings page is displayed.

Step 2 Enter or select parameters as required. Table 4-80 describes the parameters.

Step 3 Click Apply. In the Info dialog box that is displayed, click OK.

If you want to restore the default values of all parameters, click Reset. If a message indicating
operation success is displayed, settings take effect.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 202

Table 4-80 Parameters for IPSec Global Settings

Parameter Description

Local name Local host name used in IKE negotiation,

which is case-sensitive.
When configuring IPSec policies in IPSec
Policy Management, if you specify Local
identity type as the name, you need to set
this parameter to a value that is consistent
with that of Remote name on the peer
device.
By default, no local host name is configured
for IKE negotiation. The device name is
used as the local name. To view or change
the device name, see device information in
Monitoring.

IPSec SA aging management Global SA lifetime in an IPSec policy. In

IPSec negotiation, the SA uses the shorter
lifetime between the lifetime set on the local
end and that set on the remote end.
The SA lifetime can be measured by time or
by traffic:
l Time-based (seconds): indicates the
period of time an SA can exist after
being established.
l Traffic-based (KB): indicates the
maximum traffic volume that an SA can
process.
When the specified time or traffic volume is
reached, the SA becomes invalid. When the
SA is about to expire, IPSec negotiates a
new SA.
If IPSec SA aging mode is set on the IPSec
Policy Management tab page, the global
SA lifetime does not take effect.

IKE heartbeat sending interval Interval for sending heartbeat packets.

If no heartbeat packet is received during the
duration specified by IKE heartbeat
timeout interval (seconds), the IPSec SA is
deleted. Therefore, the timeout duration of
heartbeat packets must be set longer than
the interval for sending heartbeat packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 203

Parameter Description

IKE heartbeat timeout interval Timeout interval during which an IKE SA

waits for a heartbeat packet.
On a network, packet loss rarely occurs
more than three consecutive times.
Therefore, the timeout interval of heartbeat
packets on one end can be set to three times
the interval for sending heartbeat packets on
the other end.

NAT keepalive interval Interval for sending NAT keepalive packets.

If the IPSec tunnel with NAT traversal
enabled is established and no packet passes
through the NAT gateway in a long period,
NAT session entries are aged and deleted on
the NAT gateway. In this case, data cannot
be transmitted through the IPSec tunnel.
Therefore, to retain NAT session entries,
configure the device to send NAT keepalive
packets periodically.

Anti-replay Whether to enable the anti-replay function.

After the anti-replay function is enabled, the
system discards replayed packets and does
not encapsulate them, saving system
resources.

DF bit setting Don't fragment (DF) flag bit:

l clear: If the DF flag bit is 0, IP packets
can be fragmented.
l set: If the DF flag bit is 1, no IP packet
is fragmented.
l copy: Specifies the flag bit of original
packets.

Fragment before encryption Whether to enable packet fragment before

encryption when the DF flag bit is 1.
Before IP packets are encapsulated with the
IPSec header, the system calculates the
predicted length of the encapsulated IP
packets. If the predicted length of the
encapsulated IP packets exceeds the MTU
of the outbound interface, the router
fragments the IP packets before encryption.
The IKE peer of the router decrypts and
assembles IPSec fragments. This reduces
the CPU usage of the router.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 204

4.5.4 STP
This chapter describes how to query the STP information and set the global STP parameters,
STP parameters on an interface, and parameters of an STP region.
The Spanning Tree Protocol (STP) is applicable to ring networks. It uses certain algorithms to
implement path redundancy and trim a ring network into a loop-free tree topology to prevent
infinite looping of packets.

STP Info
You can view STP information on the STP Information page.

Procedure
Step 1 Choose Configuration > Other Service > STP > STP Info. The STP Info page is displayed.

Step 2 You can view detailed STP information. Table 4-81 describes the parameters on the STP Info
page.

Table 4-81 Parameters on the STP Info page

Parameter Description

CIST Global Info

Mode Working mode.

CIST bridge ID of the CIST bridge.

l The first 16 bits represent the priority of
the switch on the CIST.
l The last 48 bits represent the MAC
address of the switch.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 205

Parameter Description

CIST bridge time parameter CIST bridge time information:

l Hello: interval for sending BPDUs.
l MaxAge: maximum lifetime of the
BPDU.
l FwDly: delay for interface status
transition.
l MaxHop: maximum number of hops in
an MST region.

CIST root bridge/ERPC ID of the CIST root switch/External root

path cost (ERPC) from the local switch to
the CTST root switch.

CIST regional root/IRPC ID of the CIST region root/Internal root

patch cost (IRPC) from the local switch to
the CIST region root switch.

CIST root port ID ID of the CIST root interface. 0.0 indicates

that the switch is a root switch and does not
have a root interface.

BPDU protection Whether BPDU protection is enabled.

l Disabled: BPDU protection is disabled.
l Enabled: BPDU protection is enabled.

Number of received TC BPDUs or TCN Number of received topology change (TC)

BPDUs packets or topology change notification
(TCN) packets.

STP convergence mode STP convergence mode.

Last time the topology has been changed Time elapsed since the last topology
change.

Instance Info

Instance Instance ID.

Path Cost Root path cost of the instance.

Priority Bridge priority of the MSTI.

STP Brief

Instance Instance ID.

Interface Interface number.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 206

Parameter Description

Port Role Interface role. In the CIST region, the roles

of interfaces are as follows:
l Root interface
l Designated interface
l Alternate interface
l Backup interface

STP Status Interface status. In the CIST region, the

status of interfaces is as follows:
l FORWARDING
l LEARNING
l DISCARDING

Protection Type Protection type. The protection type of an

interface can be:
l Root protection
l Loop protection
l None protection

Step 3 Click an instance. Brief information about the instance can be displayed. Table 4-81 describes
the detailed parameters.

----End

STP Global Configuration

You can set global STP parameters on the STP Global Configuration page.

Context
On certain networks, you need to modify STP parameters of some devices to optimize their
performance.

Procedure
Step 1 Choose Configuration > Other Service > STP > STP Global Configuration. The STP
Global Configuration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 207

Table 4-82 describes the parameters on the STP Global Configuration page.

Table 4-82 Parameters on the STP Global Configuration page

Parameter Description

Global STP status Whether to enable the STP function globally.

Instance Instance Instance ID. You can select any ID ranging from 0 to
4094.

Root type Root type. The values and meanings are as follows:
l none
The root type is not set.
l Primary
The device is configured as the root of the MSTI.
l Secondary
The device is configured as the backup root of
the MSTI.
By default, the none option is selected.

Priority Priority of the device.

The priority is a major basis for the spanning tree
calculation. You can set different priorities for a
device in different MSTIs.
NOTE
In an instance, if Root Type is Not set, you can select a
priority from the drop-down list box. If Root Type is
Primary or Secondary, the priority cannot be set.

Advanced BPDU Protection Whether to enable BPDU protection.

Settings After BPDU protection is enabled, the device shuts
down the edge interfaces that receive BPDUs and
notifies the NMS. The edge interfaces that are shut
down can only be manually started by the network
administrator.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 208

Parameter Description

Timeout interval Timeout interval. The timeout interval is calculated

based on the hello interval and hello time multiplier.

Working mode Working mode. The values and meanings are as

follows:
l MSTP
The device sends MSTP BPDUs in this mode.
l STP
The device sends STP BPDUs in this mode.
l RSTP
The device sends RSTP BPDUs in this mode.

Maximum hop Maximum number of hops.

count This parameter limits the network scale of the
spanning tree in the MST region. A configuration
message has the maximum hop count on the root
bridge. The hop count decreases by 1 every time the
configuration message passes a device. When the
hop count decreases to 0, the configuration message
is discarded; therefore, the devices beyond the
maximum hop count cannot participate in the
spanning tree calculation. The network scale of the
MST region is therefore limited.

Path cost Standards used to calculate the path cost. The values
calculation and meanings are as follows:
standard l Dot1t
Indicates the IEEE 802.1t standards.
l Dot1d-1998
Indicates the IEEE 802.1d standards.
l Legacy
Indicates Huawei calculation standards.

Network Network diameter.

diameter The network diameter refers to the maximum
number of devices between any two devices on a
network.
A larger network diameter indicates a larger network
scale.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 209

Parameter Description

STP convergence STP convergence mode. The values and meanings

mode are as follows:
l Fast
In this mode, the device deletes the useless MAC
address entries and ARP entries directly.
l Normal
In this mode, the device sets the remaining aging
time of the MAC address entries and ARP entries
to 0 and ages them. If the number of ARP aging
probe times is greater than 0, the device carries
out aging probe for the ARP entries.
The default mode is Normal.

Network Forward-delay Delay for interface status transition.

Diameter and
Timer Hello Time Interval for sending hello packets. The root bridge
sends hello packets at this interval to check whether
links are faulty.

Max-age Maximum lifetime of a configuration message. This

parameter determines whether a configuration
message has expired. You can configure the
parameter according to actual network situation.

Step 2 Set the required parameters.

Step 3 Click Apply.

----End

STP Interface Configuration

You can set STP parameters on an interface.

Context
On certain networks, you need to modify STP parameters of some interfaces to achieve the
optimal performance.

Procedure
l Set STP parameters for an interface.
a. Choose Configuration > Other Service > STP > STP Interface Configuration.
The STP Interface Configuration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 210

b. Select an interface and click Config. The Config STP on Interface page is
displayed.

Table 4-83 describes the parameters on the Config STP on Interface page.

Table 4-83 Parameters on the Config STP on Interface page

Parameter Description

Interface name Interface name. It is displayed

automatically and cannot be modified after
you select an interface.

MSTP Whether to enable MSTP.

When STP is disabled on an interface, the
interface does not take part in the spanning
tree calculation and is always in
Forwarding state.
NOTE
Loops may occur when STP is disabled on an
interface.

Instance Instance ID of an instance. You can select any

instance ID ranging from 0 to 4094.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 211

Parameter Description

Port priority Priority of the interface. A smaller value

indicates a higher priority.
The priority of an interface affects its role
in the specified MSTI. You can set different
priorities for an interface in different
MSTIs so that traffic of VLANs can be load
balanced among different physical links.
NOTE
When the priority of an interface changes,
MSTP recalculates the role of the interface and
changes the status of the interface.

Path cost Path cost of the interface. The path cost

range is decided by the algorithm and is
1-200,000 for the Huawei proprietary
algorithm, 1-65,535 for the algorithm
defined in IEEE 802.1d, and 1 to
200,000,000 for the algorithm defined in
IEEE 802.1t.
The path cost is the basis for calculating the
spanning tree. If you set different path costs
for an interface in different MSTIs, traffic
of different VLANs is load balanced among
multiple physical links.
NOTE
When the path cost of an interface changes, the
MSTP recalculates the spanning tree based on
the new path cost.

Advanced Edge port When the spanning tree is recalculated,

Settings edge ports transit to the Forwarding state
directly, which reduces the status transition
time. If an Ethernet interface is not
connected to any Ethernet interface of the
device, you need to configure the Ethernet
interface as an edge interface. Three states
are available: enabled, disabled, and none.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 212

Parameter Description

Protection type Protection type on an interface. The values

and meanings are as follows:
l none
No protection type is set.
l root
Root protection prevents topology
changes caused by incorrect
configurations or malicious attacks.
l loop
When link congestion occurs or a
unidirectional link is faulty, the interface
connected to the link cannot receive
BPDUs from the upstream device. In
this case, the local device selects a new
root interface, the original root interface
becomes the designated interface, and
the blocked interface transits to the
Forwarding state. Loop is therefore
generated on the switching network. To
prevent this problem, you can enable
loop protection.

P2P Point-to-point connection type of the

interface. The values and meanings are as
follows:
l auto
The interface automatically detects
whether it is connected to a point-to-
point link.
l force-true
The interface is connected to a point-to-
point link.
l force-false
The interface is not connected to a
point-to-point link.

Maximum number Maximum number of BPDUs that an

of sent BPDUs interface can send in a hello interval.
A larger value indicates more BPDUs sent
in a hello interval and therefore more
system resources are occupied. A proper
value of this parameter can limit the rate of
sending BPDUs and prevent excessive
bandwidth usage when network flapping
occurs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 213

Parameter Description

Digest snooping Whether to enable digest snooping.

NOTE
Digest snooping makes the BPDU key of a
Huawei device the same as that of a third-party
device.

Fast transition Fast state transition mode. The value can be

Normal or Enhanced.

c. Set the required parameters.

d. Click OK.
l Check detailed STP information on an interface.
a. Choose Configuration > Other Service > STP > STP Interface Configuration.
The STP Interface Configuration page is displayed.
b. Select an interface and click Details. The Details page is displayed.

Table 4-84 describes parameters on the Details page.

Table 4-84 Parameters on the Details page

Parameter Description

Interface Interface number.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 214

Parameter Description

Port protocol STP status on the interface:

l enabled: STP is enabled on the
interface.
l disabled: STP is disabled on the
interface.

Port status Interface status. In the CIST region, the

status of interfaces is as follows:
l FORWARDING
l LEARNING
l DISCARDING

Designated bridge or port info ID of the designated switch and

designated interface. The first 16 bits
represent the priority of the switch in
the CIST region, and the last 48 bits
represent the MAC address of the
switch. The first four bits of the
interface ID represent the priority, and
the last 12 bits represent the interface
number.

Edge port Edge interface specified by the

administrator.

P2P Link type of the interface.

Rate limit of outgoing BPDUs Maximum number of BPDUs that are

sent every second.

Protection type Protection type. The protection type of

an interface can be:
l Root protection
l Loop protection
l None protection

Packet type Format of packets sent and received on

the interface, which can be:
l auto
l legacy
l dot1s

configure digest snooping Whether to enable digest snooping.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 215

Parameter Description

Number of sent BPDUs Statistics on the sent BPDUs,

TCN,Config,RST,MST including:
l TCN: TCN packets
l Config: STP packets
l RST: RSTP packets
l MST: MSTP packets

Number of received BPDUs Statistics on the received BPDUs.

TCN,Config,RST,MST l TCN: TCN packets
l Config: STP packets
l RST: RSTP packets
l MST: MSTP packets

l Check instance information on an interface.

a. Choose Configuration > Other Service > STP > STP Interface Configuration.
The STP Interface Configuration page is displayed.
b. Select an interface and click View Instance. The View Instance page is displayed.

Table 4-85 describes parameters on the View Instance page.

Table 4-85 Parameters on the View Instance page

Parameter Description

Interface name Interface number.

Instance Instance ID.

Port Priority Priority of an interface.

Path cost Path cost of an interface.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 216

STP Region
This topic describes how to modify the configuration of an STP region.

Context
You need to modify the configuration of an MST region when you want to add a device that is
not enabled with STP to the MST region or move a device enabled with STP from one MST
region to another.

Procedure
Step 1 Choose Configuration > Other Service > STP > STP Region. The STP Region page is
displayed.

Table 4-86 describes the parameters on the STP Region page.

Table 4-86 Parameters on the STP Region page

Parameter Description

MST region name Name of an MST region. The default value

is the MAC address of the device.
The MST region name, the VLAN mapping
table, and the MSTP revision level identify
the region that the device belongs to.

MST revision level MST revision level of the MST region.

The MST region name, the VLAN mapping
table, and the MST revision level identify
the region that the device belongs to.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 217

Parameter Description

MSTI-VLAN Mapping Mappings between MSTIs and VLANs. You

can add, modify, or delete a mapping. For
example, you can add a mapping by
referring to Adding a Mapping Between
an MSTI and a VLAN.

Adding a mapping between an MSTI and a VLAN.

1. Set the required parameters.
NOTE

You need to set the following parameters:

– Instance: select an instance ID.
– Mapped VLAN ID: enter a VLAN ID.

2. Click .

Step 2 Set the required parameters.

Step 3 Click Apply.

----End

4.5.5 Multicast

IGMP Snooping

Context
Internet Group Management Protocol Snooping (IGMP snooping) is a Layer 2 IPv4 multicast
protocol. The IGMP snooping protocol maintains information about the outbound interfaces
of multicast packets by snooping multicast protocol packets exchanged between the Layer 3
multicast device and user hosts. The IGMP snooping protocol manages and controls the
forwarding of multicast packets at the data link layer.

Procedure
l Enable IGMP snooping globally.

When IGMP snooping is disabled globally, IGMP snooping cannot be configured in a

VLAN.

a. Choose Configuration > Other Services > Multicast > IGMP Snooping.
b. Set Global IGMP Snooping to ON.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 218

l Configure IGMP snooping in a VLAN.

a. Choose Configuration > Other Services > Multicast > IGMP Snooping.
b. Select the VLAN in which IGMP snooping is to be configured and click Config.
The Configure IGMP Snooping in VLAN page is displayed.
NOTE

You can select multiple VLANs.

c. Configure related parameters. For parameter descriptions, see Table 4-87.

Table 4-87 Parameters for configuring IGMP snooping in a VLAN

Parameter Description

IGMP Snooping in VLAN

VLAN ID VLAN selected by users, which cannot

be modified.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 219

Parameter Description

IGMP Snooping Whether to enable IGMP snooping in a

VLAN.
NOTE
l Before enabling IGMP snooping in a
VLAN, enable global IGMP snooping.
l After IGMP snooping is enabled in a
VLAN, this function takes effect only
on Ethernet interfaces in this VLAN.

Maximum response time Maximum response time for IGMP

General Query messages.
By setting the Maximum response
time, you can:
l Control the deadline for a host to
send an IGMP Report message.
When hosts are required to respond
to IGMP General Query messages
quickly, set a short maximum
response time. To avoid congestion
caused by a large number of IGMP
messages sent by hosts, set a long
maximum response time.
l Adjust the aging time of member
ports.

IGMP robustness variable IGMP robustness variable.

By setting the IGMP robustness
variable, you can:
l Specify the number of times the
querier sends a Group-Specific
Query message, which prevents
packet loss on the network.
l Adjust the aging time of member
ports.

Interval for sending IGMP general Interval for sending IGMP Query
query messages messages.

Aging time of the router port Aging time of a router interface.

Multicast VLAN Whether to enable Multicast VLAN.

User VLAN User VLAN.

d. Click OK.
l View Forwarding Table
a. Choose Configuration > Other Services > Multicast > IGMP Snooping.
b. Click View Forwarding Table. The IGMP Snooping Forwarding Entries in a
VLAN page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 220

c. For parameter descriptions, see Table 4-88.

Table 4-88

Parameter Description

VLAN ID VLAN ID.

Multicast packet forwarding mode Multicast forwarding mode in the

VLAN, which can be:
l IP
l MAC

(Source, Group) (S, G) entry, specifying the multicast

source and multicast group. The
Router-port field indicates a router
port.

Interface Interface.

Out-Vlan VLAN ID of packets.

l View router port information.

a. Choose Configuration > Other Services > Multicast > IGMP Snooping.
b. Click View Router Port Information. The IGMP Snooping Router Port
Information in a VLAN page is displayed.

c. For parameter descriptions, see Table 4-89.

Table 4-89 Parameters for the router port

Parameter Description

VLAN ID VLAN ID.

Interface Name Port name of a router.

Life Time Hold time of a router port.

Remaining Aging Time Aging time of a router port.

Router Port Type Type of a router port.

l Configure multicast CAC.

a. Choose Configuration > Other Services > Multicast > IGMP Snooping.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 221

b. Click next to Multicast CAC Settings to collapse Multicast CAC Settings.

c. Configure related parameters. For parameter descriptions, see Table 4-90.

Table 4-90 Parameters for multicast CAC settings

Parameter Description

Multicast CAC Settings

Global multicast bandwidth Global multicast bandwidth.

Global number of multicast group Global number of multicast group

memberships memberships.

Multicast Group Bandwidth Settings

Start IP Address of The Multicast Start IP address of the multicast group.

Group

End IP Address of The Multicast End IP address of the multicast group.

Group

Multicast Group Bandwidth Multicast group bandwidth.

d. Click Apply.
----End

MLD Snooping

Context
Multicast Listener Discovery Snooping (MLD snooping) is an IPv6 Layer 2 multicast
protocol. The MLD snooping protocol maintains information about the outbound interfaces of
multicast packets by snooping multicast protocol packets exchanged between the Layer 3
multicast device and user hosts. MLD snooping manages and controls multicast packet
forwarding at the data link layer.

Procedure
l Configure MLD snooping globally.
a. Choose Configuration > Other Services > Multicast > MLD Snooping.
b. Configure related parameters. For parameter descriptions, see Table 4-91.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 222

c. Click Apply.

Table 4-91 Parameters for configuring MLD snooping globally

Parameter Description

Global MLD Snooping Whether to enable global MLD

snooping.
When MLD snooping is disabled
globally, MLD snooping cannot be
configured in a VLAN.

MLD Snooping send-query Whether to enable the device to send

the MLD General Query message upon
a topology change.

MLD Snooping send-query IPv6 Source IPv6 address of the MLD

address General Query message.

l Configure MLD snooping in a VLAN.

a. Choose Configuration > Other Services > Multicast > MLD Snooping.
b. Select the VLAN in which MLD snooping is to be configured and click Config.
The Configure MLD Snooping in VLAN page is displayed.
NOTE

You can select multiple VLANs.

c. Configure related parameters. For parameter descriptions, see Table 4-92.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 223

Table 4-92 Parameters for configuring MLD snooping in a VLAN

Parameter Description

MLD Snooping in VLAN

VLAN ID VLAN selected by users, which cannot

be modified.

MLD Snooping Whether to enable MLD snooping in a

VLAN.
NOTE
l Before enabling MLD snooping in a
VLAN, enable global MLD snooping.
l After MLD snooping is enabled in a
VLAN, this function takes effect only
on Ethernet interfaces in this VLAN.

MLD Snooping version Version of the MLD packets to be

processed.

MLD Snooping querier Whether to enable MLD snooping

querier.

MLD Snooping proxy Whether to enable the MLD snooping

proxy function.

Maximum response time Maximum response time for MLD

General Query messages.
By setting the maximum response
time, you can:
l Control the deadline for a host to
send an MLD Report message.
When hosts are required to respond
to MLD General Query messages
quickly, set a short maximum
response time. To avoid congestion
caused by a large number of MLD
messages sent by hosts, set a long
maximum response time.
l Adjust the aging time of member
ports.

MLD robustness variable MLD robustness variable.

By setting the MLD robustness
variable, you can:
l Specify the number of times the
querier sends a Group-Specific
Query message, which prevents
packet loss on the network.
l Adjust the aging time of member
ports.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 224

Parameter Description

Interval for sending MLD general Interval for sending MLD Query
query messages messages.

Aging time of the router port Aging time of a router port.

d. Click OK.
l View Forwarding Table
a. Choose Configuration > Other Services > Multicast > MLD Snooping.
b. Click View Forwarding Table. The MLD Snooping Forwarding Entries in a
VLAN page is displayed.

c. For parameter descriptions, see Table 4-93.

Table 4-93
Parameter Description

VLAN ID VLAN ID.

Multicast packet forwarding mode Multicast forwarding mode in the

VLAN, which can be:
l IP
l MAC

(Source, Group) (S, G) entry, specifying the multicast

source and multicast group. The
Router-port field indicates a router
port.

Interface Interface.

Out-Vlan VLAN ID of packets.

l View router port information.

a. Choose Configuration > Other Services > Multicast > MLD Snooping.
b. Click View Router Port Information. The MLD Snooping Router Port
Information in a VLAN page is displayed.

c. For parameter descriptions, see Table 4-94.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 225

Table 4-94 Parameters for the router port

Parameter Description

VLAN ID VLAN ID.

Interface Name Port name of a router.

Life Time Hold time of a router port.

Remaining Aging Time Aging time of a router port.

Router Port Type Type of a router port.

----End

4.5.6 BLE
A Bluetooth Low Energy (BLE) device is a Bluetooth signal generator that periodically sends
BLE broadcast frames to surrounding devices. The content of frames complies with the
iBeacon protocol.

Global Settings

Context
BLE devices work with location systems to locate Bluetooth terminals through the iBeacon
protocol. APs with built-in Bluetooth modules and Bluetooth terminals (such as mobile
phones) send collected information about BLE devices to a location server. The location
server then computes physical locations of the BLE devices and sends the location data to the
Bluetooth terminals through app servers so that users can view their own locations on maps.

Procedure
l Configure a low power alarm threshold for BLE devices.
a. Choose Configuration > Other Services > BLE > Global Settings. The Global
Settings page is displayed.

b. Set Low power alarm threshold.

c. Click Apply. In the Info dialog box that is displayed, click OK.
l Create a monitoring device.
a. Choose Configuration > Other Services > BLE > Global Settings. The Global
Settings page is displayed.
b. Under BLE Device Monitoring List, click Create.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 226

c. On the Create Monitoring Device page that is displayed, select MAC address or
MAC address segment.
n Select MAC address and enter a MAC address.

n Select MAC address segment and set Start MAC and End MAC.

d. Click OK.
l Delete a monitoring device.
a. Choose Configuration > Other Services > BLE > Global Settings. The Global
Settings page is displayed.
b. Under BLE Device Monitoring List, select a device that you want to delete and
click Delete. In the Info dialog box that is displayed, click OK.
----End

BLE Monitoring Result

Procedure
l Choose Configuration > Other Services > BLE > BLE Monitoring Result. The BLE
Monitoring Result page is displayed. Table 4-95 describes the parameters on this page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 227

Table 4-95 BLE monitoring result parameters

Item Description

Device MAC MAC address of a BLE device.

Signal Strength Signal strength of a BLE device.

Battery Power Battery power of a BLE device.

Broadcast Frame Content Content in a broadcast frame sent by a

BLE device.

Remaining Aging Period Remaining aging time of a BLE device.

The maximum value is 60 minutes.

l Delete a BLE Monitoring Result

a. Choose Configuration > Other Services > BLE > BLE Monitoring Result.
b. Under the BLE Monitoring Result list, select a device that you want to delete and
click Delete.
l Delete BLE monitoring results.
a. Choose Configuration > Other Services > BLE > BLE Monitoring Result.
b. Click Clear. In the Confirm dialog box that is displayed, click OK. All BLE
monitoring results are deleted.
----End

4.6 Reliability Config

4.6.1 Reliability Config

Reliability Config

Context
In the AC + Fit AP networking, the AC manages and controls WLAN services of users. An
AC may control hundreds of APs and thousands of STAs; therefore, the AC must be highly
reliable. If the AC is faulty, the services of all users connected to the AC are interrupted. An
AC can perform dual-link cold backup, dual-link hot backup, or VRRP hot backup based on
actual requirements.
l Dual-Link Cold Backup
As shown in Figure 4-1, an active AC and a standby AC are deployed on the WLAN.
The AP establishes CAPWAP tunnels with the two ACs, and periodically exchanges
CAPWAP packets with the ACs to monitor link status. The active AC controls access of
STAs. If the AP detects a fault on the link between the AP and active AC, the AP
requests the standby AC to trigger an active/standby switchover, that is, the standby AC
becomes the active AC to control access of STAs. This mechanism improves WLAN

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 228

reliability. After the original active AC is restored, the AP requests the active and
standby ACs to perform revertive switchover. The restored AC becomes the active AC
again.

Figure 4-1 Dual-link cold backup networking diagram

l Dual-Link Hot Backup

An AP establishes CAPWAP tunnels with the active AC and standby AC. The two ACs
synchronize control information and implement the heartbeat mechanism through the hot
standby (HSB) function. When a fault occurs on the active AC, the standby AC can
immediately detect it and fast switch the standby CAPWAP tunnel as the new active
CAPWAP tunnel to prevent user services from being interrupted.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 229

Figure 4-2 Dual-link hot backup networking diagram

l VRRP Hot Backup

An AP can only obtain the IP address of one AC, which is the virtual IP address of the
active and standby ACs in the VRRP group. The active and standby ACs are elected
among the ACs in the VRRP group based on their priorities. The active AC manages and
controls all APs and users, and periodically sends the standby AC the status information
and information that needs to be backed up, including AP entries, CAPWAP link
information, and user information. When a fault occurs on the active AC, the standby
AC can immediately detect it using VRRP and fast switch the standby AC as the new
active AC to prevent user services from being interrupted.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 230

Figure 4-3 VRRP hot backup networking diagram

Procedure
l Configuring device backup
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > Reliability Config. The Reliability Config page is displayed.
b. Select Dual-link cold backup, Dual-link hot backup, or VRRP hot backup
according to service requirements. Set or enter corresponding backup parameters.
For description of the parameters, see Table 4-96, Table 4-97, and Table 4-98.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 231

Table 4-96 Description of dual-link cold backup parameters

Parameter Description

AC dual-link backup status Whether to enable dual-link backup.

By default, dual-link backup is
disabled globally.

AC dual-link switchover status Whether to enable the active/standby

link switchback function. By default,
the active/standby link switchback
function is enabled.
Assume that AC1 is the active AC and
AC2 is the backup AC. When the link
between AC1 and an AP fails, AC2
takes the active role and the link
between AC2 and the AP becomes the
active link. In the case that active/
standby link switchback is enabled,
when the link between AC1 and the
AP recovers, the AP detects that AC1
priority is higher than AC2 and
instructs AC1 and AC2 to perform
switchback. AC1 becomes the active
AC again.

Local priority Priority of the AC.

In dual-link backup mode, the AC with
a higher priority acts as the active AC
and the AC with a lower priority acts
as the backup AC. A smaller value
indicates a higher priority.

IP address of the backup AC IP address of the backup AC.

Table 4-97 Description of dual-link hot backup parameters

Parameter Description

AC dual-link backup status For description of this parameter, see

Table 4-96.

AC dual-link switchover status For description of this parameter, see

Table 4-96.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 232

Parameter Description

Local priority For description of this parameter, see

Table 4-96.

IP address of the backup AC For description of this parameter, see

Table 4-96.

HSB channel HSB channel. You need to create or

modify the HSB channel on the HSB
Config page. For details, see HSB
Config.

HSB service l User access: enables or disables

backup of user access services.
l AP: enables or disables backup of
WLAN services.

Table 4-98 Description of VRRP hot backup parameters

Parameter Description

HSB Whether to enable the HSB function.

To configure VRRP hot backup, the
HSB function must be enabled.

VRRP version VRRP has two versions: Version2 and

Version3.
VRRPv3 does not support
authentication, whereas VRRPv2
supports.
VRRPv3 uses the centiseconds,
whereas VRRPv2 uses the seconds.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 233

Parameter Description

VRRP advertisement learning time Whether to enable the function that

learns the interval for sending VRRP
packets.
When the VRRP group switches to the
active status due to a link failure, the
forwarding of service traffic will be
interrupted. Therefore, VRRP smooth
switching must be enabled. Before
that, you must enable the function that
learns the interval for sending VRRP
advertisement packets. After this
function is enabled, the non-master
devices learn the interval for sending
VRRP advertisement packets and
synchronize their timers with the
master device.

Sending gratuitous ARP packets Whether to enable the function that

sends gratuitous ARP packets.
To enable the network elements
connected to the AC to learn the virtual
IP address of the VRRP group, the
VRRP group needs to send gratuitous
ARP packets to the network elements.

Gratuitous ARP sending interval Interval for sending gratuitous ARP

packets.

HSB group HSB group. You need to create or

modify an HSB group on the HSB
Config page. For details, see HSB
Config.

Recover delay Specifies the delay in recovering a

VRRP group.

c. Click Apply to complete the backup configuration.

----End

VRRP List

Context
The Virtual Router Redundancy Protocol (VRRP) integrates multiple routing devices to a
virtual router and uses a certain mechanism to switch traffic to a standby router when the next
hop router of the host fails, ensuring continuous and reliable communication.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 234

Procedure
l Creating a VRRP list
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > VRRP List. The VRRP List configuration page is displayed.
b. Click Create. In the displayed Create VRRP Group page, select or enter each
parameter for VRRP configuration. For description of the parameters, see Table
4-99.

Table 4-99 Description of the parameters for creating a VRRP group

Parameter Description

VLANIF/IP VLANIF interface that requires VRRP configuration.

The VLANIF interface must exist in the system.

VRID ID of a VRRP group.

VRRP type VRRP group type. Two types of VRRP groups are
available:
l VRRP group: common VRRP group
l mVRRP group: management VRRP group

Virtual IP address Virtual IP address of the VRRP group. The virtual IP

address can be either an idle IP address in the network
segment of the VRRP group or the IP address of an
interface in the VRRP group.

VRID of the mVRRP Specifies the VRID of a VRRP group.

group

mVRRP interface Specifies the type and number of the interface

configured with an mVRRP group.

Preemption mode Whether to enable the preempt mode. In preempt mode,

once a backup device has a higher priority than the
current master device, it will automatically take the role
as a master device.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 235

Parameter Description

Preemption delay Preempt delay time set for the VRRP group.
By default, the preempt delay time is 0, indicating
immediate preemption. A backup device working in
immediate preempt mode preempts to be the master
device immediately when it detects that its priority is
higher than the priority of the current master device.

Interval for sending Interval (in seconds) for sending VRRP advertisement
VRRP advertisement packets by devices in the VRRP group.
packets The master device sends VRRP advertisement packets to
backup devices at intervals to notify the backup devices
that it works normally. If backup devices do not receive
any VRRP advertisement packets after the timer expires,
the backup device with the highest priority becomes the
new master device.

Priority Priority of a device in the VRRP group, based on which

the device role is determined.

Authentication mode Available authentication modes for VRRP:

l None authentication: The device neither
authenticates VRRP advertisement packets to be sent
nor authenticates received VRRP packets. It
considers all the received VRRP packets as valid.
l MD5 authentication: The device uses the Message
Digest 5 (MD5) algorithm to encrypt the
authentication key and encapsulates the key in an
outgoing VRRP advertisement packet. The device
that receives the VRRP advertisement packet
matches the authentication mode in the packet with
the decrypted authentication key to check the validity
of the packet.
l Simple authentication: The device encapsulates the
authentication mode and authentication key into an
outgoing VRRP advertisement packet. The device
that receives the VRRP advertisement packet
compares the authentication mode and authentication
key in the packet with those configured on itself.
NOTE
MD5 authentication ensures higher security than simple
authentication.

VRRP group VRRP authentication modes key.

authentication key

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 236

Parameter Description

Interface name Interface that needs to be tracked by VRRP.

NOTE
The monitored
interface is configured
only when the VRRP
type is set to a
management VRRP
group.

c. Click OK to complete VRRP configuration.

l Modifying the VRRP group
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > VRRP List. The VRRP List configuration page is displayed.
b. In VRRP List, click the VRID of the VRRP group that you want to modify. The
Modify VRRP Group page is displayed.
c. On the Modify VRRP Group page, select the VRRP parameters to be modified
and enter or select each parameter. For description of the parameters, see Table
4-99.
d. Click OK to complete VRRP modification.
l Deleting the VRRP group
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > VRRP List. The VRRP List configuration page is displayed.
b. On the VRRP List page, select the check box next to the VRRP to be deleted and
click Delete.
c. In the dialog box that is displayed, click OK. The VRRP is deleted.
----End

VRRP6 List

Procedure
l Creating a VRRP6 list
a. Log in to the web platform.Choose Configuration > Reliability Config >
Reliability Config > VRRP6 List. The VRRP6 List configuration page is
displayed.
b. Click Create. The Create VRRP6 Group page is displayed.
c. In the displayed Create VRRP6 Group page, select or enter each parameter for
VRRP6 configuration. For description of the parameters, see Table 4-100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 237

Table 4-100 Description of the parameters for creating a VRRP6 group

Parameter Description

VLANIF/IP VLANIF interface that requires VRRP6 configuration.

The VLANIF interface must exist in the system.

VRID ID of a VRRP6 group.

VRRP type Common or management VRRP6 group (mVRRP6

group).

Virtual Link-local The virtual IPv6 address of the VRRP6 group is a link-
address local address.

Virtual IPv6 address Virtual IPv6 address of the VRRP6 group. The virtual
IPv6 address can be either an idle IPv6 address in the
network segment of the VRRP6 group or the IPv6
address of an interface in the VRRP6 group.
This parameter can be configured only after the virtual
link-local address is configured.

VRID of the mVRRP VRID of the mVRRP6 group.

group

mVRRP interface Type and number of the interface configured with an

mVRRP6 group.

Preemption mode Whether to enable the preempt mode. In preempt mode,

once a backup device has a higher priority than the
current master device, it will automatically take the role
as a master device.

Preemption delay Preempt delay time set for the VRRP6 group.
By default, the preempt delay time is 0, indicating
immediate preemption. A backup device working in
immediate preempt mode preempts to be the master
device immediately when it detects that its priority is
higher than the priority of the current master device.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 238

Parameter Description

Interval for sending Interval (in seconds) for sending VRRP6 advertisement
VRRP6 packets by devices in the VRRP6 group.
advertisement The master device sends VRRP6 advertisement packets
packets to backup devices at intervals to notify the backup
devices that it works normally. If backup devices do not
receive any VRRP6 advertisement packets after the
timer expires, the backup device with the highest priority
becomes the new master device.

Priority Priority of a device in the VRRP6 group, based on which

the device role is determined.

Interface name Interface that needs to be tracked by VRRP6.

NOTE
The monitored
interface is configured
only when the VRRP
type is set to a
management VRRP6
group.

d. Click OK to complete VRRP6 configuration.

l Modifying the VRRP6 group
a. Log in to the web platform.Choose Configuration > Reliability Config >
Reliability Config > VRRP6 List. The VRRP6 List configuration page is
displayed.
b. In VRRP6 List, click the VRID of the VRRP6 group that you want to modify. The
Modify VRRP6 Group page is displayed.
c. On the Modify VRRP6 Group page, select the VRRP6 parameters to be modified
and enter or select each parameter. For description of the parameters, see Modify
VRRP6 Group Table 4-100.
d. Click OK to complete VRRP6 modification.
l Deleting the VRRP6 group
a. Log in to the web platform.Choose Configuration > Reliability Config >
Reliability Config > VRRP6 List. The VRRP6 List configuration page is
displayed.
b. On the VRRP6 List page, select the check box next to the VRRP6 group to be
deleted and click Delete.
c. In the dialog box that is displayed, click OK. The VRRP6 group is deleted.
----End

HSB Config

Context
In hot-standby backup mode, there are two devices, one acting as a master device and the
other a backup one. The master device forwards services and the backup device monitors the

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 239

forwarding. The master device periodically sends the backup device the status information
and information that needs to be backed up.

To reduce impact of single-point failures on a wireless access network, a traditional backup

solution deploys two devices on an access node for backup. Access devices on a wireless
network usually run Dynamic Host Configuration Protocol (DHCP), network admission
control (NAC), and wireless local area network (WLAN) services, which require real-time
information backup from the master device to the backup device. For example, the master
DHCP device must synchronize user status information to the backup DHCP device in real
time. Otherwise, services will be interrupted after link switching.

Hot Standby (HSB) can implement redundancy between access devices while ensuring
uninterrupted service transmission. The HSB service supports batch backup and real-time
backup between the two access devices. Before link switching, the backup device
synchronizes information from the master device. When the master device fails, service traffic
is immediately switched to the backup device without interrupting services. This improves
connection availability.

Procedure
l HSB channel 0
– Configure HSB channel 0.
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > HSB Config. The HSB Config configuration page is
displayed.
b. On the HSB Config page, select or enter each parameter to configure an HSB
channel. For description of the parameters, see Table 4-101.

Table 4-101 Description of HSB channel parameters

Parameter Description

Local IP address Local IP address on the HSB channel.

Peer IP address Peer IP address on the HSB channel.

Local port Local port on the HSB channel.

Remote port Remote port on the HSB channel.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 240

Parameter Description

Backhaul times Number of times for retransmitting

heartbeat packets.

Interval Interval for sending heartbeat packets

through the HSB channel.
Heartbeat packets are used to detect the
status of the data synchronization
channel in a hot standby group. If the
local end does not receive heartbeat
packets of the peer end in the interval
specified by Retransmit
Times*Retransmit Interval, the local
end considers that the channel where
dual-system HSB data is synchronized
is faulty.

c. Click Apply to complete HSB channel configuration.

– Delete settings of HSB channel 0.
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > HSB Config. The HSB Config configuration page is
displayed.
b. Click Clear Settings in HSB Channel 0. In the dialog box that is displayed, click
OK. Settings of HSB channel 0 are deleted.
l HSB group 0
– Configure HSB group 0.
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > HSB Config. The HSB Config configuration page is
displayed.
b. On the HSB Config page, select or enter each parameter to configure an HSB
group. For description of the parameters, see Table 4-102.

Table 4-102 Description of HSB group parameters

Parameter Description

HSB channel HSB channel that has been created.

HSB service l DHCP: enables or disables backup

of DHCP services.
l User access: enables or disables
backup of user access services.
l AP: enables or disables backup of
WLAN services.

VRID VRRP group ID.

Interface name Interface configured with a VRRP

group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 241

c. Click Apply to complete HSB group configuration.

– Delete settings of HSB group 0.
a. Log in to the web platform. Choose Configuration > Reliability Config >
Reliability Config > HSB Config. The HSB Config configuration page is
displayed.
b. Click Clear Settings in HSB Group 0. In the dialog box that is displayed, click
OK. Settings of HSB group 0 are deleted.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 242

5 Diagnosis

About This Chapter

5.1 Intelligent Diagnosis

5.2 Diagnosis Tool

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 243

5.1 Intelligent Diagnosis

Context
When a fault occurs on a WLAN, you can use the Intelligent Diagnosis function to diagnose
WLAN devices and the network and rectify the fault accordingly. For faults that you cannot
rectify by yourself, export the diagnosis information and logs, then contact technical support
personnel.

Procedure
l Configure diagnosis parameters for WLAN users.
a. Choose Diagnosis > Intelligent Diagnosis. The Intelligent Diagnosis page is
displayed.
b. Click the user, AP, or AC icon, choose the object to diagnose, and configure
diagnosis parameters on the page that is displayed. For description of the
parameters, see Table 5-1.

Diagnosis objects can be users, APs, and ACs. Users can be further divided into
wired and wireless users, depending on their access modes.

Table 5-1 Diagnosis parameters

Parameter Description

Diagnosis mode Mode in which intelligent diagnosis is

performed.

Start time Start time of a fault.

End time End time of a fault.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 244

Parameter Description

Start diagnosis time Start time of the diagnosis when

Diagnosis mode is set to Scheduled.

Input type Mode in which APs to diagnose are

selected.
l MAC address: APs are selected
based on MAC addresses.
l IP address: APs are selected based
on IP addresses.
l AP name: APs are selected based
on AP names.
NOTE
You are advised to select APs to be
diagnosed based on MAC addresses.

User

User access mode Mode in which a user connects to an

AP.

User MAC address MAC address of a user.

l When User access mode is set to
Wireless, enter the MAC address

directly, or click and then

find the user in the displayed user
list.
l When User access mode is set to
Wired, enter the MAC address of
the wired user to diagnose.

User IP IP address of the wired user.

User gateway MAC address Gateway IP address of the wired user.

AP name Name of the AP to which the wired

user connects.

c. Click Start Diagnosis or OK.

n If Diagnosis mode is set to Real-time, the system will start diagnosing the
object after you click Start Diagnosis.
n If Diagnosis mode is set to Scheduled, the system creates a scheduled
diagnosis task after you click OK.

After the diagnosis is complete, the system displays the result at the bottom left of
the page and real-time connection information of the diagnosed object at the bottom
right of the page.
d. Click Suggestion to view the suggestions on how to rectify the fault.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 245

l View scheduled diagnosis tasks.

a. Click . The Diagnosis list page is displayed.

b. Click Non-diagnosed to view scheduled diagnosis tasks that have not started.
c. Click Diagnosed to view scheduled diagnosis tasks that are complete.
l Delete a scheduled diagnosis task.

a. Click . The Diagnosis list page is displayed.

b. To delete a scheduled diagnosis task that has not started, click Non-diagnosed and
then .

c. To delete a scheduled diagnosis task that is complete, click Diagnosed and then .
l Export diagnosis information.
a. Click Export Diagnosis Info.

b. In the dialog box that is displayed, click OK.

The system saves the diagnosis information to the device as txt files
(overall_diaginfo_xxx.txt and autodiagnose-detail.txt), and prompts you to save
the file to a local computer.
n overall_diaginfo_xxx.txt: contains all diagnosis information on the device.
n autodiagnose-detail.txt: contains the result of the current intelligent
diagnosis.
c. Save diagnosis information to your local computer.
l Export logs.
a. Click Export Logs.
b. On the Export Logs page that is displayed, select the log files to export, and click
OK.

----End

5.2 Diagnosis Tool

5.2.1 One-click Information Collection

Context
The one-click information collection function exports a large amount of diagnosis information
running on the device to the web_diaginfo.txt file. The information includes startup
configuration, current configuration, interface information, time, and system version.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 246

Procedure
Step 1 Choose Diagnosis > Diagnosis Tool > One-click Information Collection.

Step 2 Click One-click Collection. In the Information dialog box that is displayed, click OK.

Step 3 Click to export the current web_diaginfo.txt file.

The web_diaginfo.txt file can be exported only when the collection is completed.

----End

5.2.2 Wireless Packet Obtaining

Context
Packets on air ports can be obtained through the Wireless Packet Obtaining function, but
packets on the wired side cannot. Analysis of the obtained packets can help locate and
troubleshoot faults. Packets to be obtained include:
l All packets sent from the local AP and packets with the destination (BSSID) as the local
AP
l All 802.11 protocol packets sent from other APs/STAs or with the destination (BSSID)
as other APs/STAs, except the ARP, DHCP, and EAPOL packets

Procedure
Step 1 Choose Diagnosis > Diagnosis Tool > Wireless Packet Obtaining. The Wireless Packet
Obtaining page is displayed.

Step 2 Set global parameters.

1. In Global Settings, set parameters related to the Wireless Packet Obtaining function. For
description of the parameters, see Table 5-2.
2. Click Apply. In the Info dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 247

Table 5-2 Global parameters

Parameter Description

Maximum data packet length Maximum length of packets to be

obtained through the Wireless Packet
Obtaining function.
After you enable the Wireless Packet
Obtaining function on an AP radio, the
AP starts collecting packet headers. The
AP collects only data packets with
lengths smaller than the configured
maximum length.

Saving mode Mode used to save the obtained packets.

Two modes are available:
– Save locally: The obtained packets are
saved locally.
– Send in real time: The obtained
packets are forwarded to the server in
real time.

Destination IP address IP address of the server in real-time

transmission mode.

Maximum size of storage file Maximum size of the storage file when
the obtained packets are saved locally.

Upload mode Mode used to upload the local file to the

server when the obtained packets are
saved locally.

Server IP address IP address of the Server.

User name User name of the Server.

Password Password of the Server.

Step 3 Configure the rule for filtering packets.

l Creating a filtering rule profile
a. In Filter Rule Profile Management, click Create.

b. Set the parameters on the Create Filter Rule page that is displayed. For description
of the parameters, see Table 5-3.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 248

c. Click OK.

Table 5-3 Parameters for creating a filtering rule profile

Parameter Description

profile name Name of the filtering rule profile.

After the Wireless Packet Obtaining
function starts, the AP filters packets
based on filtering rules contained in the
filtering rule profile and collects only
packets that match the rules.

Filtering protocol Protocol type of packets to be obtained

through the Wireless Packet Obtaining
function.
n Beacon: The device collects only
Beacon packets.
n Probe: The device collects only
Probe packets.
n EAP: The device collects only EAP
packets.
n DHCP: The device collects only
DHCP packets.
n Other-mgnt: The device collects
802.11 management packets except
the Beacon and Probe packets.
n Data: The device collects only data
packets.

Address MAC address of packets to be obtained

through the Wireless Packet Obtaining
function.
n Source MAC address: specifies the
source MAC address of packets to
be obtained.
n Destination MAC address: specifies
the destination MAC address of
packets to be obtained.
n BSSID: specifies the BSSID of
packets to be obtained.

l Modifying a filtering rule profile

a. In the list of filtering rule profiles, click the filtering rule profile to modify.
b. Modify the parameters on the Modify Filter Rule page that is displayed. For
description of the parameters, see Table 5-3. (The Profile name parameter cannot
be modified.)
c. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 249

l Deleting a filtering rule profile

In the list of filtering rule profiles, choose the filtering rule profile to delete and click
Delete. In the Info dialog box that is displayed, click OK.

Step 4 Enable the Wireless Packet Obtaining function.

1. Click Start.
2. In the Wireless Packet Obtaining dialog box that is displayed, set AP name, Radio ID,
Filter rule profile, and Channel, then click OK.

----End

Follow-up Procedures
l To stop a packet obtaining task, select a record in the packet obtaining task list, then
click Stop.
l If Saving mode is set to Save locally, you can select a record in the packet obtaining
task list and click Upload File to upload the saved file to the server.

5.2.3 Ping

Context
The ping tool checks whether a destination IP address or host is reachable to determine
network connectivity to the host.

After the ping test is performed, the test result is displayed.

Procedure
Step 1 Choose Diagnosis > Diagnosis Tools > Ping.

Step 2 In the IP address/host name text box, enter the destination IP address or host name.

Step 3 Click Start.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 250

----End

5.2.4 Trace Route

Context
The Trace Route tool tracks the forwarding path from a source device to a destination device.
When a network failure occurs, you can use the Trace Route function to locate the fault. You
can specify a destination IP address or host name.

After the Trace Route test is performed, the test result is displayed.

Procedure
Step 1 Choose Diagnosis > Diagnosis Tools > Trace Route.

Step 2 In the IP address/host name text box, enter the destination IP address or host name.

Step 3 Click Start.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 251

5.2.5 AAA Test

Context
The AAA test tool checks whether a specified user can pass the RADIUS authentication.
After the AAA test is performed, the test result is displayed.

Procedure
Step 1 Choose Diagnosis > Diagnosis Tool > AAA Test.

Step 2 Enter parameters such as the RADIUS server profile, user name, and password. For parameter
information, see Table 5-4.
Step 3 Click Start.

Table 5-4 AAA test parameters

Parameter Description

RADIUS server profile RADIUS server profile used in the

authentication.

Authentication mode Authentication mode used in the

authentication.

User name User name of the user to be tested.

Password Password of the user to be tested.

----End

5.2.6 RF-Ping
Context
The RF-Ping tool checks the quality of the link between the AP and STA.
After the RF-Ping test is performed, the test result is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 252

Procedure
Step 1 Choose Diagnosis > Diagnosis Tool > RF-Ping. The RF-Ping page is displayed.

Step 2 In MAC Address, enter the MAC address of the STA.

Step 3 Click Start.

----End

5.2.7 AP-Ping

Context
Using the AP-Ping tool, you can check connectivity between an AP and network device.

After an AP ping operation is complete, the AP ping result is displayed in the AP-Ping page.

NOTE
Before you use the AP-Ping tool, ensure that the AP is properly online and has an IP address configured.

Procedure
Step 1 Choose Diagnosis > Diagnosis Tool > AP-Ping. The AP-Ping page is displayed.

Step 2 Set AP-Ping parameters. For description of the parameters, see Table 5-5.

Table 5-5 AP-Ping parameters

Parameter Description

AP name AP name used in an AP ping operation.

IP address/host name Domain name or IP address of the

destination host.

Packet transmission times Number of times ICMP Echo Request

packets are sent.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 253

Parameter Description

Packet length Length of an ICMP Echo Request packet

excluding the IP header and ICMP header.

Waiting time Time to wait before sending the next ICMP

Echo Request packet.

Timeout period Timeout period for an ICMP Echo Response

packet.

Step 3 Click Start.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 254

6 Maintenance

About This Chapter

6.1 AC Maintenance
6.2 AP Maintenance

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 255

6.1 AC Maintenance

6.1.1 Basic

Context
You can configure AC information to differentiate ACs.

Procedure
Step 1 Choose Maintenance > AC Maintenance > Basic. The Basic page is displayed.

Step 2 Set parameters on the Basic page. Table 6-1 describes the parameters.

Step 3 Click Apply. In the Info dialog box that is displayed, click OK.

Table 6-1 Basic AC parameters

Parameter Description

Device name AC name.

Device position AC position.

Contact Contact information of the equipment

administrator.
NOTE
This parameter is required for the NMS
administrator to view contact and location
information of equipment administrators if the
NMS manages many devices. This helps the
NMS administrator to contact equipment
administrators for fault location and rectification.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 256

6.1.2 AC Restart
Context
After the system is upgraded or when some device configuration is changed, for example, the
startup configuration file is modified, restart the device to make the new configuration take
effect. You are advertised to save the current configuration and back up the current
configuration file before restarting the system.

Procedure
Step 1 Click Save on the upper right corner to save the current configuration.

Step 2 Choose Maintenance > AC Maintenance > AC Restart. The AC Restart page is displayed.

Step 3 Click Export Configuration File to back up the configuration on the local host.

Step 4 Specify the system software for the next startup.

Step 5 Specify the configuration file for next startup.

Step 6 Click Restart Device. The Confirm dialog box is displayed.

l To save the current configuration and then restart the AC, click Yes.
l To restart the AC without saving the current configuration, click No.
l To cancel the restart operation, click Cancel.

----End

6.1.3 AC Upgrade
Context
The device software includes BIOS software and system software. After the device is
powered on, it runs the BIOS software to initialize the hardware and display hardware
parameters, and then runs the system software. The system software provides drivers and
adaptation functions for hardware, and offers service features. The BIOS software and system

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 257

software are prerequisites for device startup and operation, providing support, management,
and services for the device.

NOTE

The BIOS software is included in the system software package (.cc file) of the device. The BIOS
software is automatically upgraded in system software upgrade.

Procedure
Step 1 Choose Maintenance > AC Maintenance > AC Upgrade. The AC Upgrade page is
displayed.

Step 2 Click to select the system software that you want to upload.

Step 3 Click Load to upload the select system software to the AC and specify the system software
for next startup.
NOTE

If the message "Your browser's security settings are too high to complete this process. See the help menu for
instructions on adjusting your security settings." is displayed during file upload, configure the Internet
Explorer as follows:
1. Choose Tools > Internet Options > Security > Custom Level.
2. Click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe for
scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the message "An ActiveX
control on this page might be unsafe to interact with other parts of the page. Do you want to allow this
interaction?" is displayed. If you click Yes, the file can be uploaded.
3. Click Enable next to Include local directory path when uploading files to a server.

You must restart the device to make the system software take effect.

----End

6.1.4 Patch

Context
A patch is a kind of software compatible with the system software. It is used to remove the
urgent bugs of the system software. Patches can also fix errors or improve adaptation of the
system software. For example, patches can fix defects of the system and optimize some
functions to meet service requirements.

The patches are released in patch files. A patch file may contain one or more patches with
different functions. When patch files are loaded from the storage device to the patch area in
the memory, a unique sequence number is assigned to each patch file to identify, manage, and
operate the patches.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 258

Procedure
Step 1 Choose Maintenance > AC Maintenance > Patch. The Patch tab page is displayed.

Step 2 Click in the Upload Patch area and select the patch to upload.

Step 3 Click Upload to upload the patch to the device.

NOTE

If the message "Your browser's security settings are too high to complete this process. See the help menu for
instructions on adjusting your security settings." is displayed during file upload, configure the Internet
Explorer as follow:
1. Choose Tools > Internet Options > Security > Custom Level.
2. Click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe for
scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the message "An ActiveX
control on this page might be unsafe to interact with other parts of the page. Do you want to allow this
interaction?" is displayed. If you click Yes, the file can be uploaded.
3. Click Enable next to Include local directory path when uploading files to a server.

Step 4 Select a patch to load in the Load Patch area and click Load. The patch is loaded.

Step 5 To uninstall the current patch, click Uninstall.

----End

6.1.5 License

Context
You need to activate licenses in either of the following situations:
l Purchasing a license to obtain permissions on related functions after you purchase a new
device.
l Applying for a new license file, and upgrade and activate the license file when the
license file is activated on the device and a new feature is required.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 259

Procedure
Step 1 Choose Maintenance > AC Maintenance > License. The License page is displayed.

Step 2 Click in Load License and select the license file to be uploaded.

Step 3 Click Activate to active the license file.

NOTE

If you need to adjust a license file between devices (for example, move a license file from device A to
device B) without changing the license authorization certificate or an upgraded license file is
incompatible with the original one, click Revoke in the License Information area to obtain a license
revocation code. Use the license revocation code to obtain a new license file, and activate the license
file.

You can view the license status, resources controlled by the license, and authorization
information in the License Information area. Table 6-2 describes license parameters.

Table 6-2 License parameters

Parameter Description

License status deactivated: default status. By default, a license is not activated after
the system starts or when it is invalid.
Normal: A commercial license enters the Normal state after it is
activated.
Trial: A license enters the Trial state when the activated ESN does not
match the license or after the license expires.
Demo: A temporary license enters the Demo state after it is activated.
Emergency: When a license enters the Emergency state, dynamic
resources on the device are free from the license controls. That is, the
device runs with the maximum configurations of dynamic resources. A
license can remain in Emergency state for at most seven days. After
seven days, the license enters the original state.

Maximum Maximum number of APs allowed on an AC.

number of
managed APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 260

Parameter Description

Number of Number of APs connected to an AC.

connected APs

----End

6.1.6 Signature DB

Context
Upgrade a signature database to improve the capability and efficiency of a device for
detecting intrusion behavior and viruses, and identifying applications, malicious domain
names, as well as locations of IP addresses.

Procedure
Step 1 Configure a server.
1. Choose Maintenance > AC Maintenance > Signature DB. The Signature DB page is
displayed.
2. Configure the server parameters. Table 6-3 describes the parameters for configuring a
server.

Table 6-3 Upgrade server parameters

Parameter Description

Server address IP address or domain name of the

upgrade server.

Port number Port number of the upgrade server.

Advanced

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 261

Parameter Description

Use the proxy server Whether to enable the signature database

proxy update.

Server domain name/IP address IP address or domain name of the proxy

server.

Port number Port number of the proxy server.

User name User name used to log in to the proxy

server.

Password Password used to log in to the proxy

server.

3. Click Apply to apply the server configuration.

Click Clear to clear the server configuration.
Step 2 Upgrade a signature database.
1. Under OperationOperation of Signature Database List, select a signature database and
upgrade it immediately, locally, or as scheduled, or roll it back. Table 6-4 lists the
parameters in Signature Database List.

Table 6-4 Signature database list parameters

Parameter Description

Signature Database Signature database name.

Current Version Signature database version.

Release Date Release date of a signature database.

Status Upgrade or file loading status of a

signature database.

Operation Upgrade operation performed for a

signature database.

Whether to Enable Scheduled Upgrade Whether to enable scheduled upgrade.

----End

6.1.7 Log
The information center works as the information hub of the system. By classifying and
managing system information excepting session logs, the information center helps network
administrators and developers to monitor network operation and analyze network faults. You
can configure a log server, view logs, and filter logs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 262

View AC Logs

Context
Logs are displayed in a log list. You can view logs of a specified type and delete logs.

Procedure
l Search for logs.
a. Choose Maintenance > AC Maintenance > Log > View AC Logs. The View AC
Logs page is displayed.

b. Set parameters for searching logs. The following table describes these parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 263

Table 6-5 Parameters for searching logs

Parameter Description

Level Log severity.

l All: Logs of all severities are displayed.
l Emergent: A fault causes the device to fail to run
normally unless it is restarted. For example, the
device is restarted because of program exceptions or a
memory error is detected.
l Alert: A fault needs to be rectified immediately. For
example, memory usage of the system reaches the
upper limit.
l Critical: A fault needs to be analyzed and processed.
For example, the memory usage falls below the lower
threshold; temperature falls below the alarm
threshold; BFD detects that a device is unreachable or
detects locally generated error messages.
l Error: An improper operation is performed or
exceptions occur during service processing. The fault
does not affect services but needs to be analyzed. For
example, users enter incorrect commands or
passwords; error protocol packets are received from
other devices.
l Warning: Some events or operations may affect
device running or cause service processing faults,
which requires full attention. For example, a routing
process is disabled; BFD detects packet loss; error
protocol packets are detected.
l Notification: A key operation is performed to keep
the device running normally. For example, the
shutdown command is run; a neighbor is discovered;
protocol status changes.
l Information: A normal operation is performed. For
example, the display commands are run.
l Debugging: A routine operation is performed, and no
action is required.

Time Time segment during which logs are generated.

Keyword Specified keyword contained in logs.

Search Click this button to display logs matching specified

criterion.

Reset Click this button to reset the parameter settings on the

current page.

c. Click Refresh. All log information is displayed in the log list. Table 6-6 describes
the log parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 264

Table 6-6 Log parameters

Para Description
met
er

Tim Time at which a log was generated.

Seve Severity of a log.

rity

Mod Module where a log was generated.

ule

Abst Brief information about a log.

ract

Cont Content of a log.

ent

l Export logs.
a. Choose Maintenance > AC Maintenance > Log > View AC Logs. The View AC
Logs page is displayed.
b. Click Export.
c. In the Export Logs dialog box that is displayed, select the logs that you want to
export and click OK.

If the operation is successful, the logs in the log buffer are saved to the log file.
l Clear logs.
a. Choose Maintenance > AC Maintenance > Log > View AC Logs. The View AC
Logs page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 265

b. Click Clear.
c. In the Info dialog box that is displayed, click OK.
If the operation is successful, all logs in the log list are deleted.
----End

Log Settings

Context
You can save logs in either of the following ways:
l Configure the log buffer. A router reserves a certain size of flash memory to save a small
number of logs.
l Configure a log host to save logs.

NOTE

The web platform supports 8 log hosts. When the number of configured log hosts exceeds that limited
by the web platform, a dialog box is displayed indicating the number of log hosts reaches the maximum.

Procedure
l Configure the log buffer.
a. Choose Maintenance > AC Maintenance > Log > Log Settings. The Log
Settings page is displayed.

b. Set Information to ON.

c. Set the number of logs in Log buffer size.
By default, the log buffer stores up to 512 logs.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Configure the log host.
a. Create a log host.
i. Choose Maintenance > AC Maintenance > Log > Log Settings. The Log
Settings page is displayed.
ii. Click Create on the Log Host Management page.
iii. In the Create Log Host dialog box that is displayed, set Log host IP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 266

iv. Click OK.

If the operation is successful, Log Host Management is returned and a new
configuration entry is added. Repeat the preceding operations to add multiple
log hosts.
b. Delete a log host.
i. Choose Maintenance > AC Maintenance > Log > Log Settings. The Log
Settings page is displayed.
ii. In the log host list, select the log host that you want to delete and click Delete.
In the Info dialog box that is displayed, click OK.

----End

6.1.8 Alarm & Event

An alarm is generated when a fault occurs or the environment in which it is kept, fails to meet
the requirements for its normal operation. The alarm messages vary with fault categories, fault
functionality, or modules where the faults occur.

Active Alarm

Context
Alarm information is displayed in the alarm list. Users can check specified alarms and
procedures as required.

Procedure
Step 1 Choose Maintenance > AC Maintenance > Alarm & Event > Active Alarm. The Active
Alarm page is displayed.

Step 2 Set parameters for a current alarm. The following table describes the alarm parameters.

Table 6-7 Description of alarm parameters

Item Description

Auto refresh Automatic refresh switch of the alarm.

If the function is enabled, the interval for automatic refresh can
be set to 30s, 60s, or 180s.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 267

Item Description

Severity Severity level of the alarm.

l All: indicates alarms of all severity levels.
l Urgent: indicates that a fault affects normal operation of the
system. Effective measures must be taken immediately.
l Major: indicates that a fault decreases system quality.
Effective measures must be taken immediately.
l Minor: indicates that a fault has not affected service quality
but needs to be processed or observed to prevent serious
faults.
l Warning: indicates that a fault may have potential errors that
will affect services, requiring measures to be taken according
to errors.
l Indeterminate: indicates that the severity level cannot be
determined. This means that the severity level is determined
by the real-world situation.
l Cleared: indicates that one or more previous alarms have
been cleared.

Time Time range of the alarm.

Search Check specified alarms by selecting a search criterion from the

drop-down list box and type a value in the text box.

Reset Click the Reset button to reset parameter settings on the Active
Alarm page.

Step 3 Click Refresh. All alarms are displayed in the list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 268

Table 6-8 Alarm item list

Item Description

Level Alarm severity

OID ID of a MIB object.

Content Details of the alarm.

AP Name Name of the AP.

AP MAC MAC address of the AP.

IP Address IP address of the AP.

Module Module where the alarm is generated.

Time Time when the alarm is generated.

Mnemonic Alias name of the alarm.

Operation Click View Details to display handling procedures for the alarm
on the online help page.

----End

Historical Alarm & Event

Context
Historical alarm and event information is displayed in the historical alarm and event list.
Users can check specified alarms and procedures as required.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 269

Procedure
Step 1 Choose Maintenance > AC Maintenance > Alarm & Event > Historical Alarm & Event.
The Historical Alarm & Event page is displayed.

Step 2 Set historical alarm and event parameters. The following table describes the historical alarm
and event parameters.

Table 6-9 Description of historical alarm and event parameters

Item Description

Level Severity level of a historical alarm or event.

l All: indicates historical alarms and events at all severity
levels.
l Emergencies: a fault causes the device to fail to run normally
unless it is restarted. For example, the device restarts because
of a program exception or a fault about memory usage.
l Alert: a fault needs to be rectified immediately. For example,
memory usage of the system reaches the upper limit.
l Critical: a fault needs to be analyzed and processed. For
example, the memory usage falls below the lower threshold;
BFD detects that a device is unreachable.
l Error: an improper operation is performed or exceptions
occur during service processing. The fault does not affect
services but needs to be analyzed. For example, users enter
incorrect commands or passwords; error protocol packets are
received.
l Warning: some events or operations may affect device
running or cause service processing faults, which requires
full attention. For example, a routing process is disabled;
BFD detects packet loss; error protocol packets are detected.
l Notification: a key operation is performed to keep the device
running normally. For example, the shutdown command is
run; a neighbor is discovered; protocol status changes.
l Informational: a normal operation is performed. For
example, a display command is run.
l Debugging: a normal operation is performed, which requires
no attention.

Time Time range of a historical alarm or event.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 270

Item Description

Search Check specified historical alarms and events by selecting a

search criterion from the drop-down list box and type a value in
the text box.

Reset Click the Reset button to reset parameter settings on the page.

Step 3 Click Refresh. All historical alarms and events are displayed in the list.

Table 6-10 Historical alarm and event item list

Item Description

Level Severity level of a historical alarm or event.

OID ID of a MIB object.

Content Details of a historical alarm or event.

AP Name Name of the AP.

AP MAC MAC address of the AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 271

Item Description

IP Address IP address of the AP.

Module Module where a historical alarm or event is generated.

Time Time when a historical alarm or event is generated.

Mnemonic Alias name of a historical alarm or event.

Operation Click View Details to display procedures for handling a

historical alarm or event on the online help page.

----End

6.1.9 Administrator

Context
The super administrator can create, modify, or delete other administrator accounts to manage
other administrators.

Procedure
l Create an administrator account.
a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. In the Administrator List area, click Create. The Create Administrator page is
displayed.
c. Set parameters on the Create Administrator page. Table 6-11 describes the
parameters for creating an administrator account.

Table 6-11 Parameters for creating an administrator account

Parameter Description

User name User name of the administrator.

Password Password of the administrator.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 272

Parameter Description

Confirm password Enter the password again to confirm the

password.
The value must be the same as the value of
Password.

Access level Access level of a local user.

Three user roles are defined (in ascending
order): Super administrator, Enterprise
administrator, and Common administrator.
The user level corresponding to each user role
in the Administrator List area is as follows:
l The user level of the Common
administrator is 1.
l The user level of the Enterprise
administrator is 2.
l The user level of the Super administrator is
3 to 15.
NOTE
Only a super administrator can create a local user
through the web platform.

User status Indicates the state of a local user.

l Activate: the device accepts and processes
the authentication request from the user.
l Block: the device rejects the authentication
request from the user.
NOTE
If a user has established a connection with the
device, when the user is set in blocking state, the
connection still takes effect but the device rejects
subsequent authentication requests from the user.

Access mode Indicates the access type. After you specify the
access type of a user, only the users of the
specified access type can log in.

d. Click OK.
l Modify an administrator account.
a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. In Administrator List, click the administrator account that you want to modify.
The Modify Administrator page is displayed.
c. Set parameters on the Modify Administrator page. Table 6-12 describes the
parameters for modifying an administrator account.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 273

Table 6-12 Parameters for modifying an administrator account

Parameter Description

User name User name of the administrator.

Old password To change your own password, enter the old

password. If your account has the permission
to change the passwords of other
administrators, you do not need to enter the old
password when changing the password of
another administrator.

New password New password for the administrator.

Confirm password New password entered for confirmation. The

confirm password must be the same as the new
password.

Access level Access level of a local user.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 274

Parameter Description

User status Indicates the state of a local user.

l Activate: the device accepts and processes
the authentication request from the user.
l Block: the device rejects the authentication
request from the user.
NOTE
If a user has established a connection with the
device, when the user is set in blocking state, the
connection still takes effect but the device rejects
subsequent authentication requests from the user.

Forcible logout Whether to force a modified user to go offline.

NOTE
It is recommended that you select this parameter
when modifying the user level to ensure security. If
you modify the level of an online user, the
modification can take effect only when the user goes
online next time.

Access mode Indicates the access type. After you specify the
access type of a user, only the users of the
specified access type can log in.

d. Click OK.
l Delete an administrator account.
a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. In Administrator List, select the administrator account that you want to delete and
click Delete. Click OK in the confirm dialog box that is displayed.
l Password Policy.
a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. Set password policy parameters in Password Policy. For details, see Table 6-13.

Table 6-13 Setting password policy parameters

Parameter Description

Administrator password policy Whether to enable the administrator password

policy.

Password validity period Days for which the password is valid.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 275

Parameter Description

Password expiration prompt Days before password expiration when the

time system prompts users to change the password.

Number of historical forced Number of latest passwords as which the new

passwords password cannot be the same.

c. Click Apply.
l View administrator logout records.
a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. View the administrator logout records in Administrator Logout Records.

Table 6-14 Administrator logout record parameters

Parameter Description

User Name User name.

IP Address IP address of a user.

Authentication Type Authentication type of a user, which depends

on the access type of the user.

Domain Name Authentication domain of a user.

Logout Cause Reason why a user goes offline.

Login Time Time when a user goes online.

Logout Time Time when a user goes offline.

l View user access records.

a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. View user access records in Access User Record.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 276

Table 6-15 User access record parameters

Parameter Description

User Name User name.

IP Address IP address of the login user.

Access Start Time Access start time.

l Force users to log out.

a. Choose Maintenance > AC Maintenance > Administrator. The Administrator
page is displayed.
b. In Access User Record, select a user and click Forcible Logout to force the user to
log out.
----End

6.1.10 System

File Management

Context
On the File Management page, you can manage files on storage devices.

Procedure
Step 1 Choose Maintenance > AC Maintenance > System > File Management.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 277

Step 2 Check the total and available spaces of the storage medium on top of the page.

Step 3 Manage files in the File Management area.

l To move a file to the recycle bin, select the file and click Delete. You can restore the
deleted file in the Recycle Bin area.
l To permanently delete a file, select the file and click Completely Delete.
l To upload a file to the storage device, click Upload.
NOTE

If the message "Your browser's security settings are too high to complete this process. See the help
menu for instructions on adjusting your security settings." is displayed during file upload, configure the
Internet Explorer as follow:
1. Choose Tools > Internet Options > Security > Custom Level.
2. Click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe for
scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt, the message "An
ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want
to allow this interaction?" is displayed. If you click Yes, the file can be uploaded.
3. Click Enable next to Include local directory path when uploading files to a server.

l To download a file to the local PC, select the file and click .
NOTE
Only files saved in the root directory of a storage medium can be downloaded currently.

Step 4 Manage files in the Recycle Bin area.

l To restore a file in the recycle bin, select the file and click Restore File.
l To permanently delete a file from the recycle bin, select the file and click Completely
Delete.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 278

Service Management

Context
The File Transfer Protocol (FTP) applies to scenarios that do not require high file transfer
security. FTP is widely used for version upgrades.
In the TCP/IP protocol suite, the Telnet protocol applies to the application layer. The Telnet
protocol provides remote login and virtual terminal functions through networks. Telnet is
implemented based on the client/server model. Telnet clients send requests to the Telnet server
that provides the Telnet service.
Secure Shell Telnet (STelnet) ensures secure Telnet services. STelnet secures client access on
a traditional insecure network by authenticating the client and encrypting data bidirectionally.
The Secure File Transfer Protocol (SFTP) secures file transfer on a traditional insecure
network by authenticating the client and encrypting data bidirectionally.
If you do not perform any operation before the web service times out, the system forcibly logs
you out and prompts you to log in to the web platform again when you perform an operation.
The default web service timeout period, 10 minutes, is recommended.

Procedure
l Perform service management.
a. Choose Maintenance > AC Maintenance > System > Service Management.

b. Set ON/OFF of FTP, Telnet, STelnet, and SFTP to enable or disable the
corresponding service.
c. Set Web service timeout interval.
d. Click Apply.
l Create a remotely trusted host.
a. Choose Maintenance > AC Maintenance > System > Service Management.
b. In Trusted Host, click Create. The Create Trusted Host page is displayed.
c. Set parameters on the Create Trusted Host page. Table 6-16 describes the
parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 279

Table 6-16 Parameter description

Parameter Description

IP address IP address of the remotely trusted host.

Description Description of the remotely trusted host.

Accessible service type Service type that a remotely trusted host can
access. A remote trust host can only access
services that are allowed to.

d. Click OK.
l Modify a remotely trusted host.
a. Choose Maintenance > AC Maintenance > System > Service Management.
b. In Trusted Host, select the IP address of the remotely trusted host. The Modify
Trusted Host page is displayed.
c. Reconfigure parameters and click OK. The value of IP address cannot be
modified.
l Delete a remotely trusted host.
a. Choose Maintenance > AC Maintenance > System > Service Management.
b. In Trusted Host, select the IP address of the remotely trusted host that you want to
delete and click Delete. In the dialog box that is displayed, click OK.
----End

System Time

Context
To ensure communication between the router and other devices, set the accurate system time.
The device support automatic system time synchronization with the NTP server or manual
system time setting. The first method is recommended.

Procedure
l Time Zone Settings
a. Choose Maintenance > AC Maintenance > System > System Time. The System
Time page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 280

b. Table 6-17 describes the parameters for setting the time zone.

Table 6-17 Parameters for setting the time zone

Item Description

Time Zone Specifies the time zone name.

DST Specifies whether to enable the Daylight Saving Time

(DST).
l OFF: disabled
l ON: enabled

DST Type Specifies the DST type.

l Absolute DST
l Periodic DST

Start time Specifies the mode for setting the DST start time.
l By week: Set the DST start time to a day in the Nth
week in a specified month.
l By day: Set the DST start time to a time on a day of a
month.

End time Specifies the mode for setting the DST end time.
l By week: Set the DST end time to a day in the Nth
week in a specified month.
l By day: Set the DST end time to a time on a day of a
month.
The DST end time must be later than the start time, and
the DST start time and end time cannot be in the same
month.

DST difference Specifies the DST time difference. The value must be
less than or equal to 2 hours.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 281

Item Description

Start and end years Specifies the year when the DST takes effect.

c. Click Apply to complete the time zone setting.

l Create an NTP server.
a. Choose Maintenance > AC Maintenance > System > System Time. The System
Time page is displayed.

b. In NTP Server List, click Create. The Create NTP Server page is displayed.

c. Enter the IP address of the NTP server on the Create NTP Server page and click
OK.
NOTE

The device supports a maximum of 128 NTP servers.

l Delete an NTP server.
a. Choose Maintenance > AC Maintenance > System > System Time. The System
Time page is displayed.
b. In NTP Server List, select the NTP server you want to delete and click Delete.
c. In the dialog box that is displayed, click OK.
l Automatically Sync with NTP Server
a. Choose Maintenance > AC Maintenance > System > System Time. The System
Time page is displayed.
b. In Date and Time Settings, click Auto.
c. Click Apply. The device automatically synchronizes time with one of the NTP
servers on the list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 282

NOTE

l During automatic time synchronization, the device synchronizes time with the NTP server
with the highest master clock level. For example, if the master clock level of NTP1 is higher
than that of NTP2, the device synchronizes time with NTP1.
l If the primary clock level of the web platform is higher than the NTP servers, the web platform
does not synchronize the system time with the NTP server.
l The check box of each IP address in the NTP Service List area is only used to delete the
corresponding NTP server.
l Manually Adjust Settings
a. Choose Maintenance > AC Maintenance > System > System Time. The System
Time page is displayed.
b. In Date and Time Settings, click Manual.
c. Click the date-picker control and set the date and time.
d. Click the Select time zone drop-down list box, and select the time zone.
e. In Date and time, click the date control, set the date and time, and click OK.
f. Click Apply. You can manually set the system time.

----End

6.1.11 Electronic Label

Context
Electronic labels identify information about hardware components of a device. You can export
and save electronic label information to facilitate future network maintenance.

Procedure
l View an electronic label.
a. Choose Maintenance > AC Maintenance > Electronic Label. The Electronic
Label page is displayed.

b. In Filter electronic label info, select the electronic label that you want to view.
l Export electronic label information.
a. Choose Maintenance > AC Maintenance > Electronic Label. The Electronic
Label page is displayed.
b. Click Export Info to save electronic label information locally.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 283

6.1.12 SNMP
Global Configuration

Procedure
Step 1 Choose Maintenance > AC Maintenance > SNMP > Global Configuration. The Global
Configuration page is displayed.

Step 2 Set global SNMP parameters. Table 6-18 describes the global SNMP parameters.
Step 3 Click Apply.

Table 6-18 Global SNMP parameters

Para Description
mete
r

SNM Whether to enable the SNMP agent.

P l ON: The SNMP agent is enabled.
agent
l OFF: The SNMP agent is disabled.

SNM SNMP protocol version

P l v1: SNMPv1
versi
on l v2c: SNMPv2c
l v3: SNMPv3

The Whether to enable the device to send extended error codes.

devic l ON: The device is enabled to send extended error codes.
e
sends l OFF: The device is disabled from sending extended error codes.
exten
ded
error
code

Local The following three options are supported:

engin l Default: uses the default value of the system.
e ID
l Generated automatically: uses the value generated by the system.
l Customized: uses the local engine ID customized by users.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 284

Community/Group Management

Procedure
l Create a community.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. On the Community page, click Create. Set parameters on the Create Community
page. Table 6-19 describes the parameters for creating a community.

c. Click OK.

Table 6-19 Parameters for creating a community

Parameter Description

Community name It is used to complete authentication

between an agent and the NMS. The
value is a string of characters and can
be customized.

Access mode Mode to access a community name.

Read-only and Read-write are
supported.

MIB view Name of the MIB view.

ACL number Number of the ACL configured to the

community name.

l Delete a community.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. In the community list, select the community that you want to delete and click
Delete. In the Info dialog box that is displayed, click OK.
l Create a group.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. On the Group page, click Create. Set parameters on the Create Group page.
Table 6-20 describes the parameters for creating a group.

c. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 285

Table 6-20 Parameters for creating a group

Parameter Description

Group name SNMP group name.

Security level Security level of the group.

Read-only view Name of the read-only MIB view

matching the group.

Read-write view Name of the read-write MIB view

matching the group.

Notification view Name of the notification MIB view

matching the group.

ACL number Number of the ACL matching the

group

l Delete a group.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. In the group list, select the group to be deleted and click Delete. In the Info dialog
box that is displayed, click OK.
l Create a user.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. On the User page, click Create. Then, set parameters on the displayed Create User
page. Table 6-21 describes the parameters for creating a user.

c. Click OK.

Table 6-21 Parameters for creating a user

Parameter Description

User name User name used to identify a user.

Group name Name of the group matching the user.

ACL number Number of the ACL matching the

group

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 286

Parameter Description

Security level Security level of the group.

Authentication mode Authentication mode used by the user.

l SHA
l MD5

Authentication password Authentication password of the user.

Confirm authentication password The authentication password is

reentered for confirmation.

Encryption mode Encryption mode used by the user.

Encryption password Encryption password of the user.

l AES128
l DES56

Confirm encryption password The encryption password is reentered

for confirmation.

l Delete a user.
a. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
b. In the user list, select the user that you want to delete and click Delete. In the Info
dialog box that is displayed, click OK.

----End

MIB View

Procedure
l Create an MIB view.
a. Choose Maintenance > AC Maintenance > SNMP > MIB View. The MIB View
page is displayed.
b. On the MIB View page, click Create. Set parameters on the Create View Rule
page. Table 6-22 describes the parameters for creating an MIB view.

c. Click to add rules.

The added rules are shown in the rule list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 287

Table 6-22 Parameters for creating an MIB view

Parameter Description

View name Name of the MIB view.

Rule Rule of the MIB view. The following

two types are supported:
l Exclude: The view does not include
the sub-tree.
l Include: The view includes the sub-
tree.

MIB sub-tree name Name of the MIB sub-tree, which is

used to identify the sub-tree.

MIB sub-tree mask Mask of the MIB sub-tree, which is

used to define the access scope of the
view.

d. Click OK.
l Modify an MIB view.
a. Choose Maintenance > AC Maintenance > SNMP > MIB View. The MIB View
page is displayed.
b. In the MIB view list, click the name of the MIB view that you want to modify. Set
parameters on the Modify View Rule page.

Table 6-22 describes the parameters. View name cannot be modified. Click to
delete view rules.
c. Click OK.
l View MIB view rules.
a. Choose Maintenance > AC Maintenance > SNMP > MIB View. The MIB View
page is displayed.
b. In MIB View, select the MIB view that you want to view and click Display View
Rule.

The rules of the MIB view are displayed in View Rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 288

l Delete an MIB view.

a. Choose Maintenance > AC Maintenance > SNMP > MIB View. The MIB View
page is displayed.
b. In the MIB view list, select the MIB view that you want to delete and click Delete.
In the Info dialog box that is displayed, click OK.

----End

Trap Setting

Procedure
l Set basic trap information.
a. Choose Maintenance > AC Maintenance > SNMP > Trap Setting. The Trap
Setting page is displayed.

b. Set trap parameters. Table 6-23 describes the trap parameters.

c. Click Apply. In the Info dialog box that is displayed, click OK.

Table 6-23 Basic trap parameters

Parameter Description

SNMP trap Whether to enable the SNMP trap

function.
l ON: A trap message is sent to the
NMS when the SNMP interface
status changes.
l OFF: No trap message is sent to the
NMS when the SNMP interface
status changes.

TTL of trap messages Time to live (TTL) of trap messages.

The unit is second and the default
value is 120.

Length of the trap message queue Length of the trap message queue. The
default value is 100.

Source interface for sending traps Select the source interface for sending
trap messages from the drop-down list
box.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 289

l Create a trap destination host.

a. Choose Maintenance > AC Maintenance > SNMP > Trap Setting. The Trap
Setting page is displayed.
b. In Destination Host Receiving Traps, click Create.
c. In the Create Trap Destination Host dialog box that is displayed, set parameters.
Table 6-24 describes the parameters for creating a trap destination host.

d. Click OK.
If the operation succeeds, Destination Host Receiving Traps is displayed and the
new trap destination host is added to the list. Repeat the preceding steps to add
multiple trap destination hosts.

Table 6-24 Parameters for creating a trap destination host

Parameter Description

Host name Name of the trap destination host.

Destination host IP address IP address of the trap destination host.

UDP port number of destination host UDP port number of the trap
destination host.

Trap version Version of the protocol transmitting

trap messages.

Trap host name Name of the host generating trap

messages. If the protocol transmitting
trap messages is SNMPv3, the value of
this parameter is an SNMPv3 user
name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 290

Parameter Description

Security level The following security levels are

supported:
l No-auth & no-encrypt: If the
protocol transmitting trap messages
is SNMPv3 and trap messages are
not authenticated by the receiver or
encrypted by the sender, specify
this parameter.
l Auth & no-encrypt: If the protocol
transmitting trap messages is
SNMPv3 and trap messages are
authenticated by the receiver, but
not encrypted by the sender, specify
this parameter.
l Auth & encrypt: If the protocol
transmitting trap messages is
SNMPv3 and trap messages are
authenticated by the receiver and
encrypted by the sender, specify
this parameter.

l Delete a trap destination host.

a. Choose Maintenance > AC Maintenance > SNMP > Trap Setting. The Trap
Setting page is displayed.
b. In Destination Host Receiving Traps, select the trap destination host that you want
to delete, and click Delete. In the Info dialog box that is displayed, click OK.

----End

6.2 AP Maintenance
6.2.1 AP Upgrade

Upgrade Configuration

Context
You can upgrade a large number of APs on your network in batches on the Upgrade
Configuration page.

Before starting a batch AP upgrade, upgrade an AP to check whether the target version is
normal, ensuring success of the subsequent batch upgrade.

NOTE
The batch AP upgrade and single AP upgrade functions on the web system apply only to online APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 291

Procedure
l Set the upgrade mode.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.

b. Set parameters on the Upgrade Configuration page. The AP upgrade mode can be
AC, FTP, or SFTP. Table 6-25 describes the parameters you need to set in the
three upgrade modes.
c. Click Apply. In the Info dialog box that is displayed, click OK.
NOTE
The parameter settings in Upgrade Mode take effect for both batch AP upgrade and single AP
upgrade.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 292

Table 6-25 Parameters for upgrade mode

Parameter Description

Upgrade mode AP upgrade mode.

l AC: The upgrade system software
must be uploaded to the AC in
advance. Upgrading APs in batches
takes a long time. To shorten the
service interruption time, you are
advised to upgrade APs in FTP or
SFTP mode.
l FTP: The upgrade system software
must be uploaded to the FTP server
in advance, and APs can
communicate with the FTP server.
l SFTP: The upgrade system
software must be uploaded to the
SFTP server in advance, and APs
can communicate with the SFTP
server.

Upload upgrade file AP upgrade file to be uploaded.

Server IP IP address of the FTP server or SFTP

server for storing the upgrade system
software.

FTP user name User name for logging in to the FTP

server.

FTP password Password for logging in to the FTP

server.

SFTP user name User name for logging in to the SFTP

server.

SFTP password Password for logging in to the SFTP

server.

l Upgrade APs in batches.

a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. In AP Batch Upgrade, click Create to set parameters for upgrading APs in
batches. Table 6-26 describes the parameters for upgrading APs in batches.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 293

Table 6-26 Parameters for upgrading APs in batches

Parameter Description

AP type Type of APs to be upgraded.

Upgrade file AP upgrade file.

AP group AP group to which the APs to be

upgraded belong.

c. Click Apply. In the Info dialog box that is displayed, click OK.
d. Select AP type, AP group, and Upgrade mode, and click Apply. In the Confirm
dialog box that is displayed, click OK. The upgrade starts.
NOTE
The download progress is displayed during the AP upgrade.
l Delete batch AP upgrade configurations.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. In AP Batch Upgrade, click Delete. In the Info dialog box that is displayed, click
OK.
l Upgrade a single AP.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. In Select AP of AP Upgrade, select the AP to be upgraded. Select the upgrade file
in Upgrade file and click Upgrade. In the Info dialog box that is displayed, click
OK.
----End

Upgrade Status

Context
By checking AP upgrade status, you can know the AP upgrade progress.

Procedure
Step 1 Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade Status. The Upgrade
Status page is displayed.

Step 2 Check AP upgrade status on the Upgrade Status page. Table 6-27 describes the AP upgrade
status parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 294

Table 6-27 Upgrade status parameters

Parameter Description

AP ID AP ID.

AP Name AP name.

AP MAC MAC address of an AP.

Group Name AP group to which an AP belongs.

Type AP type.

Upgrade Status Upgrade status of an AP.

Step 3 Select the AP to be restarted and click Restart. In the Info dialog box that is displayed, click
OK.

----End

6.2.2 AP Restart

Procedure
l Restart an AP.
a. Choose Maintenance > AP Maintenance > AP Restart. The AP Restart page is
displayed.

b. Select the AP that you want to restart from the AP list and click Restart. In the Info
dialog box that is displayed, click OK to restart the AP.

To restart all the APs in the AP list, click Restart All. For descriptions about the
AP parameters, see Table 6-28.

Table 6-28 Descriptions about the AP parameters

Para Description
met
er

AP ID of the AP.
ID

AP Name of the AP.

Nam
e

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 295

Para Description
met
er

MA MAC address of the AP.

C
Add
ress

Gro Name of the group that the AP belongs to.

up
Nam
e

IP IP address of the AP.

Add
ress

Type Type of the AP.

STA Number of STAs connected to the AP.

Qua
ntity

Logi Online duration of the AP.

n
Peri
od

Stat Status of the AP.

Vers Version of the AP.

ion

Seri Sequence number (SN) of the AP.

al
Num
ber

----End

6.2.3 Log

Procedure
l View logs.
a. Choose Maintenance > AP Maintenance > Log. The Log page is displayed.

b. View logs in the list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 296

The logs containing the keyword are displayed. Table 6-29 describes the log
parameters.

Table 6-29 Log parameters

Para Description
met
er

AP ID of the AP.
ID

AP Name of the AP.

Nam
e

AP MAC address of the AP.

MA
C

Gro Name of the group that the AP belongs to.

up
Nam
e

IP IP address of the AP.

Add
ress

Type Type of the AP.

Oper Operation that can be performed.

ation

l Export logs or diagnosis information.

a. Choose Maintenance > AP Maintenance > Log. The Log page is displayed.
b. Click Export the log or diagnosis information.
c. In the Export the Log or Diagnosis Information dialog box that is displayed,
select the logs and diagnosis information that you want to export and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 297

If the operation is successful, the logs in the log buffer are saved to the log file, and
diagnosis information is saved in the diagnosis information file.
----End

6.2.4 Account

Context
Unauthorized users may use the default user name and password to log in to APs, causing
security risks. To prevent this problem, use Account menu to change the user name and
password used to log in to APs.
The default user name and password of an AP are admin and [email protected],
respectively.

Procedure
l Modify AP account information.
a. Choose Maintenance > AP Maintenance > Account. The Account page is
displayed.
b. Enter the new user name and password in Modify AP Account. Table 6-30
describes the parameters for modifying AP account information.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 298

Table 6-30 Parameters for modifying AP account information

Parameter Description

New user name The value is a string of 4 to 31

characters. It can contain letters,
underscores, and digits, and must start
with a letter.

New password The value is a string of 8 to 32 case-

sensitive characters. It must contain at
least one uppercase letter, one
lowercase letter, and one digit, and
cannot contain any question mark (?).

Confirm new password Confirms the password. The format of

this parameter is the same as that of
New password.

c. Click Apply.
The AP user name field then displays the new user name.
l Restore the default AP account settings.
a. Choose Maintenance > AP Maintenance > Account. The Account page is
displayed.
b. Click Restore Default Settings.
l Password Policy
a. Choose Maintenance > AP Maintenance > Account. The Account page is
displayed.
b. Set password policy parameters. For details, see Table 6-31.

Table 6-31 Setting password policy parameters

Parameter Description

Administrator password policy Whether to enable the administrator

password policy.

Password validity period Days for which the password is valid.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 299

Parameter Description

Password expiration prompt time Days before password expiration when

the system prompts users to change the
password.

Number of historical forced passwords Number of latest passwords as which

the new password cannot be the same.

c. Click Apply.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 300

7 Profile

About This Chapter

Context
You can configure and manage WLAN profiles in unified and centralized manners through
the profile management page.
Choose Configuration > AP Config > Profile. The Profile Management page is displayed.
7.1 Wireless Service
7.2 Radio Management
7.3 AP
7.4 Mesh
7.5 WDS
7.6 WIDS
7.7 WLAN Location
7.8 Buletooth Location
7.9 IoT

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 301

7.1 Wireless Service

7.1.1 VAP Profile

Context
The administrator needs to deliver service parameters to an AP so that the AP can provide
network access services for wireless users. A VAP profile is a set of service parameters. You
can configure different VAP profiles and deliver configurations in the profiles to APs to
provide differentiated WLAN services.

Procedure
l Create a VAP profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile.
The VAP Profile List page is displayed.
b. Click Create. The Create VAP Profile page is displayed.
c. Enter the name of the new VAP profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new VAP profile is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 302

e. Set parameters for creating a VAP profile. Table 7-1 describes the parameters for
creating a VAP profile.

Table 7-1 Parameters for creating a VAP profile

Parameter Description

VAP Profile Name of the VAP profile, which cannot

be modified.

Status Whether to enable the service mode of

a VAP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 303

Parameter Description

VAP type VAP type.

l If the type of a VAP is set to
service, STAs connected to the
VAP can only access network
resources but not APs. Service
VAPs are used in regular WLAN
deployment scenarios.
l If the type of a VAP is set to ap-
management, STAs connected to
the VAP can only access APs but
not network resources. AP
management VAPs are used in STA
access and AP management
scenarios.

Service VLAN Service VLAN of a VAP.

l When a specific VLAN is
configured as the service VLAN of
a VAP, STAs connected to the VAP
join the same VLAN.
l When VLANs in a VLAN pool are
configured as service VLANs of a
VAP, STAs connected to the VAP
join different VLANs.

Service VLAN ID ID of the service VLAN.

VLAN Pool VLAN pool used for service VLANs.

Forwarding mode Service forwarding mode.

mDNS packets over tunnel Whether to enable tunnel forwarding

of mDNS packets.

SoftGRE profile Soft GRE profile to be referenced by

the VAP profile.

Band steering Whether to enable band steering.

Home agent Home agent of roaming users.

Roaming domain ID Roaming domain ID.

Layer 3 roaming Whether to enable Layer 3 roaming.

ARP probe Whether to enable dynamic ARP

probing.

IP binding check Whether to enable IP source guard on

an AP.

IP learning Whether to enable STA address

learning.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 304

Parameter Description

Strict IP learning Whether to enable strict STA IPv4/

IPv6 address learning through DHCP.

Dynamic blacklist of static IPv4 Whether to add STAs with bogus IPv4
addresses addresses to a dynamic blacklist.

Dynamic blacklist of static IPv6 Whether to add STAs with bogus IPv6
addresses addresses to a dynamic blacklist.

DHCP trusted port Whether to enable the DHCP trusted

port function on an AP.

ND trusted port Whether to enable the ND trusted port

function on an AP.

Appending Option 82 Whether to enable an AP to insert the

Option 82 field in DHCP packets sent
from a STA.

RID format Format of the remote-ID in the Option

82 field inserted in DHCP packets sent
from a STA.

CID format Format of the circuit-ID in the Option

82 field inserted in DHCP packets sent
from a STA.

Delimiter Format of the AP's MAC address in the

Option 82 field.

User-defined User-defined format in the Option 82

field.

Effective after logout Whether to enable offline management

VAP and antenna alignment VAP
functions.

Automatically disable VAP Whether to enable the scheduled VAP

auto-off function.

Automatic disabling time Time range when a VAP is disabled.

You can set this parameter using
Direct setting or Select time range.
The time range can be created or
modified as required.

Broadcast flood attack detection Whether to enable broadcast flood

attack detection.

Broadcast attack threshold Broadcast traffic rate limit.

Adding attackers to the blacklist Whether to add detected attackers to

the blacklist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 305

Parameter Description

Allowed VLAN Whether to enable the authorization

VLAN verification function. If this
function is enabled, you can specify
VLANs from which packets are
allowed to pass through.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a VAP profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile.
The VAP Profile List page is displayed.
b. Click the name of the VAP profile that you want to modify. The VAP Profile page
is displayed.
c. Set parameters for modifying a VAP profile. Table 7-1 describes the parameters for
modifying a VAP profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a VAP profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile.
The VAP Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile.
The VAP Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure profiles referenced by a VAP profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > VAP. The
VAP Profile List page is displayed. Click next to VAP. The system displays
names of the VAP profiles. Click next to a VAP profile name. The profiles
referenced by the VAP profile are displayed in the menu navigation area.
b. Click any profile referenced in the VAP profile. The configuration page of the
referenced profile is displayed. Select a profile name from the drop-down list box
and configure parameters of the referenced profile. For descriptions of the profile
parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.

----End

7.1.2 SSID Profile

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 306

Context
An SSID profile is mainly used to configure STA association and access parameters based on
SSIDs, including the SSID name, STA association timeout period, non-HT STA access, and
QoS CAR.

Procedure
l Create an SSID profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SSID Profile.
The SSID Profile List page is displayed.
b. Click Create. The Create SSID Profile page is displayed.
c. Enter the name of the new SSID profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new SSID profile is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 307

e. Set parameters for creating an SSID profile. Table 7-2 describes the parameters for
modifying an SSID profile.

Table 7-2 Parameters for creating an SSID profile

Parameter Description

SSID Profile Name of the SSID profile, which

cannot be modified.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 308

Parameter Description

SSID Name of an SSID.

NOTE
When command lines are used to configure
an SSID name containing non-English
characters, the non-English characters can
only be edited using the command editor of
the UTF-8 encoding format.

Association timeout STA association timeout period. If an

AP receives no data packet from an
STA in a continuous period of time, the
STA goes offline after the association
timeout period is reached.

Maximum number of STAs Maximum number of access STAs on a

single VAP.

Hide SSID after the maximum number Whether to hide SSIDs when the
of STAs is reached number of users on a VAP reaches the
maximum.

Disable non-HT terminal access Whether to disable non-HT STA

access.

Denied STA type Type of STAs whose access is denied.

802.11r

802.11r fast roaming Whether to enable 802.11r fast

roaming.

Re-association timeout interval STA re-association timeout interval.

EDCA Parameters

Area Preset EDCA parameters for different

scenarios. Users can select the
corresponding scenarios or adjust the
preset EDCA parameters.
l User-defined: Values of EDCA
parameters are defined by users.
l Voice: Voice packets preferentially
use a channel.
l Voice and video: Voice and video
packets preferentially use a
channel.

Packet Type Packet type.

l AC_VO: Voice
l AC_VI: Video
l AC_BE: Best Effort
l AC_BK: Background

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 309

Parameter Description

AIFSN Arbitration inter frame spacing number

(AIFSN), which determines the
channel idle time. A larger AIFSN
value indicates that the STA must wait
for a longer time and has a lower
priority.

ECWmin Exponent form of the minimum

contention window (ECWmin) and
ECWmax exponent form of the maximum
contention window (ECWmax)
together determine the average backoff
time. Larger ECWmin and ECWmax
values indicate that the average backoff
time for the STA is longer and the STA
priority is lower.

TXOPLimit Transmission opportunity limit

(TXOPLimit), which determines the
maximum duration in which an STA
can occupy the channel. A larger
TXOPLimit value indicates that the
STA can occupy the channel for a
longer time.

Inbound CAR Parameters

CIR Average rate of traffic that can pass

through in the inbound direction.

PIR Maximum rate of traffic that can pass

through in the inbound direction.

CBS Average volume of committed burst

traffic that can pass through in the
inbound direction.

PBS Maximum volume of burst traffic that

can pass through in the inbound
direction.

Outbound CAR Parameters

CIR Average rate of traffic that can pass

through in the outbound direction.

PIR Maximum rate of traffic that can pass

through in the outbound direction.

CBS Average volume of committed burst

traffic that can pass through in the
outbound direction.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 310

Parameter Description

PBS Maximum volume of burst traffic that

can pass through in the outbound
direction.

Admin Frame Expense Optimization

Beacon frame rate on 2.4G radio Rate at which 2.4 GHz Beacon frames
are sent.

Beacon frame rate on 5G radio Rate at which 5 GHz Beacon frames

are sent.

Deny broadcast probe Whether to disable an AP from

responding to broadcast Probe Request
frames.

Probe response retransmission Number of times Probe Response

packets ate retransmitted.

Others

DTIM interval Number of Beacon frames sent before

the Beacon frame that contains the
DTIM.

Hide SSID Whether to enable SSID hiding in

Beacon frames.

U-APSD power saving mode Whether to enable U-APSD.

MU-MIMO Whether to enable MU-MIMO.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an SSID profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SSID Profile.
The SSID Profile List page is displayed.
b. Click the name of the SSID profile that you want to modify. The SSID profile
configuration page is displayed.
c. Set parameters for modifying an SSID profile. Table 7-2 describes the parameters
for modifying an SSID profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an SSID profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SSID Profile.
The SSID Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > SSID Profile.
The SSID Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 311

b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.3 Security Profile

Procedure
l Create a security profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Security
Profile. The Security Profile List page is displayed.
b. Click Create. The Create Security Profile page is displayed.
c. Enter the name of the new security profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new security profile is displayed.

e. Set parameters for creating a security profile. Table 7-3 describes the parameters
for creating a security profile.

Table 7-3 Parameters for creating a security profile

Parameter Description

Security Profile Name of the security profile, which

cannot be modified.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 312

Parameter Description

Security policy Security policy of the security profile.

SHARE-KEY Whether to use the pre-shared key.

Authentication policy Authentication mode of the security

policy.

Encryption mode Encryption mode of the security policy.

Password type Password type, which is a hexadecimal

number or a passphrase.

Password No. Password number, which you can

select from the drop-down list box.

Password Password of the security profile.

Confirm password Confirmation of the password.

PTK update interval Whether to enable periodic PTK

update during WPA/WPA2/WPA-
WPA2 encryption.

PTK update interval PTK update interval during WPA/

WPA2/WPA-WPA2 encryption. A
smaller update interval indicates more
frequent PTK updates and more secure
data encryption. However, if the PTK
update interval is set too small, the
STA and AP implement more PTK
negotiations, affecting the throughput.

Management frame protection Whether to enable management frame

protection.

Forcibly enable management frame Whether to forcibly enable

protection management frame protection.

Specify AC private key file/password Private key file and password of the
AC certificate specified for the security
profile when the security policy is set
to WAPI.

Specify AC certificate/password AC certificate and password specified

for the security profile when the
security policy is set to WAPI.
NOTE
The certificates must be valid and correct.

Specify issuer's certificate/password Issuer certificate and password

specified for the security profile when
the security policy is set to WAPI. The
issuer certificate helps to check
whether the AC certificate is modified.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 313

Parameter Description

Specify ASU certificate/password ASU certificate and password specified

for the security profile when the
security policy is set to WAPI.
NOTE
If the authentication system uses only two
certificates, the issuer certificate is the
same as the ASU certificate, with the same
file name. If the authentication system uses
three certificates, the issuer certificate and
ASU certificate are different from each
other and both must be imported.
The certificates must be valid and correct.

ASU IP IP address of the ASU server when the

security policy is set to WAPI.
NOTE
The parameter determines to which ASU
server WAPI packets are sent. Users must
ensure the correctness of both ASU
certificates and ASU servers; otherwise,
users may fail the authentication.

Retransmission count of certificate Number of certificate authentication

authentication packets packet retransmissions specified for the
security profile when the security
policy is set to WAPI.

Association timeout interval Timeout period of a security

association (SA).

BK lifetime percentage BK lifetime percentage.

BK update interval BK update interval.

Key update Key update function. You can select

Unicast Key Update, Multicast Key
Update, or both.

Unicast Key Update / Multicast Key Update

Update interval Key update interval. When the key

update mode is set to time-based key
update, the key update interval needs
to be configured.

Number of update packets Number of update packets using a

certain key. The key is updated when
the number of packets using the key
reaches the Number of update
packets value.

Retransmission count of negotiation Number of key negotiation packet

packets retransmissions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 314

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a security profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Security
Profile. The Security Profile List page is displayed.
b. Click the name of the security profile that you want to modify. The security profile
configuration page is displayed.
c. Set parameters for modifying a security profile. Table 7-3 describes the parameters
for modifying a security profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a security profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Security
Profile. The Security Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Security
Profile. The Security Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.4 Traffic Profile

Procedure
l Create a traffic profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Traffic
Profile. The Traffic Profile List page is displayed.
b. Click Create. The Create Traffic Profile page is displayed.
c. Enter the name of the new traffic profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new traffic profile is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 315

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 316

e. Set parameters for creating a traffic profile. Table 7-4 describes the parameters for
creating a traffic profile.

Table 7-4 Parameters for creating a traffic profile

Parameter Description

Traffic Profile Name of the traffic profile, which

cannot be modified.

User isolation mode User isolation mode.

Multicast-to-unicast Whether to enable the function of

converting multicast packets to unicast
packets.
You can enable the function of
converting multicast packets to unicast
packets in scenarios that have high
requirements on multicast stream
transmission, such as a high-definition
video on-demand scenario. After the
function is enabled, an AP listens on
Report and Leave packets to maintain
multicast-to-unicast entries. When
sending multicast packets to the client,
the AP converts the multicast packets
to unicast packets based on the
multicast-to-unicast entries to improve
multicast stream transmission
efficiency.

Broadcast & multicast traverse to Whether to traverse packets and

unicast forward or discard the packets if
converting multicast packets into
unicast packets fails on air interfaces.

IGMP-Snooping Whether to enable IGMP snooping.

VAP multicast total bandwidth Total multicast bandwidth on a VAP.

When remaining multicast bandwidth
on the VAP is insufficient, new users
cannot access the multicast group.

Number of multicast group Number of multicast group

memberships on a VAP memberships on a VAP. When the
maximum value of this parameter is
reached, new users cannot access the
multicast group.

MLD-Snooping Whether to enable MLD snooping.

Multicast Report/Leave Suppression Whether to enable suppression of

multicast Report/Leave packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 317

Parameter Description

Broadcast packet rate limit Rate limit for broadcast packets.

Broadcast packets are discarded if their
rates exceed the rate limit.

Multicast packet rate limit Rate limit for multicast packets.

Multicast packets are discarded if their
rates exceed the rate limit.

Unknown unicast packet rate limit Rate limit for unknown unicast
packets. Unknown unicast packets are
discarded if their rates exceed the rate
limit.

TCP adjust-MSS Maximum Segment Size (MSS) of

TCP packets on an interface.

Packet filtering

Packet filtering Packet filtering type. The options are

as follows:
l L2 packet filtering
l IPv4 packet filtering
l IPv6 packet filtering

Inbound ACL IPv4 ACL used to filter incoming

packets.

Outbound ACL IPv4 ACL used to filter outgoing

packets.

Inbound ACLv6 IPv6 ACL used to filter incoming

packets.

Outbound ACLv6 IPv6 ACL used to filter outgoing

packets.

Uplink Priority Mapping on Air Interface

Tunnel priority mapping for packets sent to the AC from an AP.
To restore the default priority mapping, click Use Default Mapping.

Trust mode Trusted priority on the air interface,

which is the 802.11e or DSCP priority.
When the DSCP priority is trusted, you
can click Add to configure mapping
from DSCP priorities of 802.11e
packets to DSCP priorities of tunnel
packets.

802.11e 802.11e user priority.

DSCP DSCP priority of 802.11e packets.

Tunnel DSCP DSCP priority of tunnel packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 318

Parameter Description

Tunnel 802.1p 802.1p priority of tunnel packets.

Downlink Priority Mapping on Air Interface

Priority mapping for packets sent to an AP from upper-layer devices.
To restore the default priority mapping, click Use Default Mapping.

Trust mode Trusted priority on the air interface,

which is the 802.1p or DSCP priority.

802.1p 802.1p priority of 802.3 packets.

802.11e 802.11e user priority.

DSCP DSCP priority of 802.3 packets.

Rate Limit

STA uplink rate limit Uplink rate limit for a STA.

STA downlink rate limit Downlink rate limit for a STA.

VAP uplink rate limit Uplink rate limit for all STAs on a
VAP. The value of this parameter must
be greater than the uplink rate limit set
for a STA.

VAP downlink rate limit Downlink rate limit for all STAs on a
VAP. The value of this parameter must
be greater than the downlink rate limit
set for a STA.

Re-marking

Re-marking Re-marking type. The options are as

follows:
l L2 re-marking
l IPv4 re-marking
l IPv6 re-marking

Inbound ACL Inbound ACL. The value is an integer

that ranges from 3000 to 3031 and
from 6000 to 6031 for IPv4 ACLs,
from 3000 to 3031 for IPv6 ACLs, and
from 4000 to 4031 for Layer 2 ACLs.
l 3000 to 3031: advanced ACLs
l 6000 to 6031: user ACLs
l 4000 to 4031: Layer 2 ACLs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 319

Parameter Description

Re-marked priority Priority type for incoming packets that

are re-marked and the corresponding
priority value. The options are as
follows:
l 802.11e: The value is an integer
that ranges from 0 to 7. A larger
value indicates a higher priority.
l DSCP: The value is an integer that
ranges from 0 to 63. A larger value
indicates a higher priority.

Outbound ACL Outbound ACL. The value is an

integer that ranges from 3000 to 3031
and from 6000 to 6031 for IPv4 ACLs,
from 3000 to 3031 for IPv6 ACLs, and
from 4000 to 4031 for Layer 2 ACLs.
l 3000 to 3031: advanced ACLs
l 6000 to 6031: user ACLs
l 4000 to 4031: Layer 2 ACLs

Re-marked priority Priority type for outgoing packets that

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a traffic profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Traffic
Profile. The Traffic Profile List page is displayed.
b. Click the name of the traffic profile that you want to modify. The traffic profile
configuration page is displayed.
c. Set parameters for modifying a traffic profile. Table 7-4 describes the parameters
for modifying a traffic profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a traffic profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Traffic
Profile. The Traffic Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 320

l Display the profile reference relationship.

a. Choose Configuration > AP Config > Profile > Wireless Service > Traffic
Profile. The Traffic Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.5 802.1X Profile

Context
You can configure 802.1X authentication to implement interface-based network access
control, that is, to authenticate and control users connected to an interface of an access control
device.

Procedure
l Create an 802.1X profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > 802.1X
Profile. The 802.1X Profile List page is displayed.
b. Click Create. The Create 802.1X Profile page is displayed.
c. Enter the name of the new 802.1X profile in Profile name.
d. Click OK. The parameter setting page for creating an802.1X profile is displayed.

e. Set 802.1X profile parameters. For description of the parameters, see Table 7-5.

Table 7-5 802.1X profile parameters

Parameter Description

802.1X profile Name of the new 802.1X profile,

which cannot be modified.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 321

Parameter Description

User authentication mode User authentication mode. The options

are as follows:
l CHAP: Challenge Handshake
Authentication Protocol
l PAP: Password Authentication
Protocol
l EAP: Extensible Authentication
Protocol

Reauthentication Whether to enable the periodical re-

authentication function.

Reauthentication interval 802.1X re-authentication interval.

Maximum authentication request count Maximum number of 802.1X

authentication requests. The default
value is recommended.

Authentication timeout interval 802.1X authentication timeout interval.

EAP packet code number Code number in EAP packets sent in

response to user requests.

EAP packet data type Data type in EAP packets sent in

response to user requests.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an 802.1X profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > 802.1X
Profile. The 802.1X Profile List page is displayed.
b. Click the 802.1X profile to modify. The 802.1X profile page is displayed.
c. Modify 802.1X profile parameters. For description of the parameters, see Table
7-5.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an 802.1 X profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > 802.1X
Profile. The 802.1X Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > 802.1X
Profile. The 802.1X Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 322

NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.6 Portal Profile

Context
In Portal authentication, users do not need a specific client. The Portal server provides users
with free Portal services and a Portal authentication page.

Procedure
l Create a Portal profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Portal
Profile. The Portal Profile List page is displayed.
b. Click Create. The Create Portal Profile page is displayed.
c. Enter the name of the new Portal profile in Profile name.
d. Click OK. The parameter setting page of the new Portal profile is displayed.

e. Set parameters for creating a Portal profile. Table 7-6 describes the parameters for
creating a Portal profile.

Table 7-6 Parameters for creating a Portal profile

Parameter Description

Portal profile Name of the Portal profile, which

cannot be modified.

Portal authentication Portal authentication mode.

Built-in portal server anonymous login Whether to enable the anonymous

Built-in portal server Whether to enable the built-in Portal

server.

Active server External active Portal server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 323

Parameter Description

Standby server External standby Portal server.

Authentication mode Authentication mode of the external

Portal server.

Source authentication network Enter the source authentication

segment/mask network segment and mask of the
external Portal server and click . To
delete the source authentication
network segment and mask, select the
source authentication network segment
and mask that you want to delete and
click .

Portal escape If the external Portal server is Down,

users cannot pass the authentication
and thereby have no network access
rights. The network access rights can
be configured for the users when the
Portal server is Down, so that the users
can access specified network
resources.
To implement the function, you need to
enable the Portal server detection
function for the External Portal
Server.

Authorized user group Name of the user group based on

which network access rights are
assigned to users when the Portal
escape function is enabled.

Portal-server-up action re-authen Whether to reauthenticate users going

online when the external Portal server
is Down after the Portal server
recovers. After the reauthentication
function is enabled, the device assigns
normal network access rights to the
users passing the reauthentication.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a Portal profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Portal
Profile. The Portal Profile List page is displayed.
b. Click the name of the Portal profile that you want to modify. The Portal profile
configuration page is displayed.
c. Modify parameters in the Portal profile. Table 7-6 describes the parameters for
modifying a Portal profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 324

d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Portal profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Portal
Profile. The Portal Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Portal
Profile. The Portal Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.7 MAC Authentication Profile

Context
MAC address authentication controls network access permissions of a user based on the
access interface and MAC address of the user. The user does not need to install any client
software. The user name and password are the MAC address of the user device. After
detecting the MAC address of a user for the first time, a network device starts authenticating
the user.

Procedure
l Create a MAC authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > MAC
Authentication Profile. The MAC Authentication Profile List page is displayed.
b. Click Create. The Create MAC Authentication Profile page is displayed.
c. Enter the name of the new MAC authentication profile in Profile name.
d. Click OK. The parameter setting page of the new MAC authentication profile is
displayed.

e. Set parameters for creating a MAC authentication profile. Table 7-7 describes the
parameters for creating a MAC authentication profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 325

Table 7-7 Parameters for creating a MAC authentication profile

Parameter Description

MAC authentication profile Name of the MAC authentication

profile, which cannot be modified.

Reauthentication Whether to enable reauthentication.

Reauthentication interval Interval of MAC address

reauthentication.

User name mode The MAC address or fixed user name

is used for authentication.

MAC address Whether the MAC address contains the

hyphen (-).

Configure password Password in MAC address

authentication.

Confirm password Confirm password in MAC address

authentication.

User name User name for MAC address

authentication.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a MAC authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > MAC
Authentication Profile. The MAC Authentication Profile List page is displayed.
b. Click the name of the MAC authentication profile that you want to modify. The
MAC authentication profile configuration page is displayed.
c. Modify parameters in the MAC authentication profile. Table 7-7 describes the
parameters for modifying a MAC authentication profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a MAC authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > MAC
Authentication Profile. The MAC Authentication Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > MAC
Authentication Profile. The MAC Authentication Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 326

7.1.8 Authentication-free Rule Profile

Procedure
l Create an authentication-free rule profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication-free Rule Profile. The Authentication-free Rule Profile List
page is displayed.
b. Click Create. The Create Authentication-free Rule Profile page is displayed.
c. Enter the name of the new authentication-free rule profile in Profile name.
d. Click OK. The parameter setting page of the new authentication-free rule profile is
displayed.
e. Select Authentication-free Rule in Control mode. The Authentication-free Rule
List is displayed.
f. Click Create. The Create Authentication-free Rule page is displayed.

g. Set parameters for creating an authentication-free rule. Table 7-8 describes the
parameters for creating an authentication-free rule.

Table 7-8 Parameters for creating an authentication-free rule

Parameter Description

Rule ID ID of the authentication-free rule.

Source IP
If packets from Portal authentication users match the following parameters under
Source IP, Portal authentication users do not need to pass authentication, and can
access network resources configured under Destination IP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 327

Parameter Description

Authentication-free Whether authentication-free is

performed for the source IP address. If
this parameter is selected, any
condition is matched.

IP address Source IP address in the

authentication-free rule. If Specified is
specified, the IP address and mask
need to be configured.

Mask The mask and IP address specify a

network segment.

Destination IP
Network resource range that authentication-free users can access.

Authentication-free Whether authentication-free is

performed for the destination IP
address. If this parameter is selected,
any condition is matched.

IP address Destination IP address in the

authentication-free rule. If Specified is
specified, the IP address and mask
need to be configured.

Mask The mask and IP address specify a

network segment.

Protocol type Type of the protocol that users are

allowed to access.

Dest port number Destination port number that users are

allowed to access.

h. Click OK. The parameter setting page of the new authentication-free rule profile is
displayed.
NOTE

Repeat steps 5 to 7 to configure multiple authentication-free rules.

i. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an authentication-free rule profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication-free Rule Profile. The Authentication-free Rule Profile List
page is displayed.
b. Click the name of the authentication-free rule profile that you want to modify.
c. Click the name of the authentication-free rule that you want to modify. The
authentication-free rule modification page is displayed.
d. Set parameters for modifying an authentication-free rule. Table 7-8 describes the
parameters for modifying an authentication-free rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 328

To delete an authentication-free rule, select the name of the authentication-free rule

that you want to delete, and click Delete. In the Info dialog box that is displayed,
click OK.
e. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an authentication-free rule profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication-free Rule Profile. The Authentication-free Rule Profile List
page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication-free Rule Profile. The Authentication-free Rule Profile List
page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Bind the user ACL.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication-free Rule Profile. The Authentication-free Rule Profile List
page is displayed.
b. Select ACL in Control mode.
c. Specify the ACL to be bound in ACL number.
d. Click Apply. In the Info dialog box that is displayed, click OK.
----End

7.1.9 Authentication Scheme

Context
Authentication, Authorization, and Accounting (AAA) provides a management mechanism
for network security.
Authentication: determines the users who can access the network. Authentication modes are
as follows:
l Non-authentication: Users are trusted without the check on their validity. This mode is
rarely used.
l Local authentication: Information about users is configured on a network access server
(NAS). Local authentication features fast processing and low operation cost, whereas the
amount of information that can be stored is limited by the hardware capacity of the
device.
l Remote authentication: Information about users is configured on an authentication
server. Remote authentication supports the Remote Authentication Dial In User Service
(RADIUS) protocol and the Huawei Terminal Access Controller Access Control System
(HWTACACS) protocol.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 329

Procedure
l Create an authentication scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Scheme. The Authentication Scheme List page is displayed.
b. Click Create. The Create Authentication Scheme page is displayed.
c. Enter the name of the new authentication scheme profile in Profile name.
d. Click OK. The parameter setting page of the new authentication scheme profile is
displayed.

e. Set parameters for creating an authentication scheme profile. Table 7-9 describes
the parameters for creating an authentication scheme profile.

Table 7-9 Parameters for creating an authentication scheme profile

Parameter Description

Authentication scheme Name of the authentication scheme

profile, which cannot be modified.

First authentication The value can be RADIUS,

HWTACACS, Local, or Non-
Authentication.

Second authentication The value can be a mode except the

first authentication mode. When the
authentication server of the first
authentication mode does not respond,
the second authentication mode is
triggered.
When the first authentication mode is
no authentication, the second
authentication mode cannot be
configured.

Third authentication The value can be a mode except the

first and second authentication modes.
When the authentication servers of the
first and second authentication modes
do not respond, the third authentication
mode is triggered.
When the second authentication mode
is no authentication or not configured,
the third authentication mode cannot
be configured.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 330

Parameter Description

Fourth authentication The value can be no authentication or

not configured. When the
authentication servers of the first,
second, and third authentication modes
do not respond, the fourth
authentication mode is triggered.
When the third authentication mode is
no authentication or not configured, the
fourth authentication mode cannot be
configured.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an authentication scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Scheme. The Authentication Scheme List page is displayed.
b. Click the name of the authentication scheme profile that you want to modify. The
authentication scheme profile configuration page is displayed.
c. Set parameters for modifying an authentication scheme profile. Table 7-9 describes
the parameters for modifying an authentication scheme profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an authentication scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Scheme. The Authentication Scheme List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Scheme. The Authentication Scheme List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.10 Authorization Scheme

Context
Authentication, Authorization, and Accounting (AAA) provides a management mechanism
for network security.

Authorization: authorizes users to use particular services. Authorization modes are as follows:

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 331

l Non-authorization: Users are not authorized.

l Local authorization: Users are authorized based on related attributes of the local user
accounts configured on the NAS.
l HWTACACS authorization: A HWTACACS server authorizes users.
l if-authenticated authorization: Users are authorized after the users pass the authentication
in either local or remote authentication mode.

Procedure
l Create an authorization scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authorization Scheme. The Authorization Scheme List page is displayed.
b. Click Create. The Create Authorization Scheme page is displayed.
c. Enter the name of the new authorization scheme profile in Profile name.
d. Click OK. The parameter setting page of the new authorization scheme profile is
displayed.

e. Set parameters for creating an authorization scheme profile. Table 7-10 describes
the parameters for creating an authorization scheme profile.

Table 7-10 Parameters for creating an authorization scheme profile

Parameter Description

Authorization scheme Name of the authorization scheme

profile, which cannot be modified.

First authorization The value can be IF-authenticated,

HWTACACS, Local, or Non-
authorization.

Second authorization The value can be a mode except the

first authorization mode. When the
authorization server of the first
authorization mode does not respond,
the second authorization mode is
triggered.
When the first authorization mode is
no authorization, the second
authorization mode cannot be
configured.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 332

Parameter Description

Third authorization The value can be a mode except the

first and second authorization modes.
When the authorization servers of the
first and second authorization modes
do not respond, the third authorization
mode is triggered.
When the second authorization mode is
no authorization or not configured, the
third authorization mode cannot be
configured.

Fourth authorization The value can be no authorization or

not configured. When the authorization
servers of the first, second, and third
authorization modes do not respond,
the fourth authorization mode is
triggered.
When the third authorization mode is
no authorization or not configured, the
fourth authorization mode cannot be
configured.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an authorization scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authorization Scheme. The Authorization Scheme List page is displayed.
b. Click the name of the authorization scheme profile that you want to modify. The
authorization scheme profile configuration page is displayed.
c. Set parameters for modifying an authorization scheme profile. Table 7-10 describes
the parameters for modifying an authorization scheme profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an authorization scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authorization Scheme. The Authorization Scheme List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authorization Scheme. The Authorization Scheme List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 333

7.1.11 Accounting Scheme

Context
Authentication, Authorization, and Accounting (AAA) provides a network security
management mechanism.

Accounting: records the use of network resources by users. The following accounting modes
are available:
l Non-accounting: Users are not charged.
l Remote accounting: A RADIUS server or an HWTACACS server performs remote
accounting.

Procedure
l Create an accounting scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Accounting
Scheme. The Accounting Scheme List page is displayed.
b. Click Create. The Create Accounting Scheme page is displayed.
c. Enter the name of the new accounting scheme profile in Profile name.
d. Click OK. The parameter setting page of the new accounting scheme profile is
displayed.

e. Set parameters for the accounting scheme profile. Table 7-11 describes the
parameters for creating an accounting scheme profile.

Table 7-11 Parameters for creating an accounting scheme profile

Parameter Description

Accounting scheme Name of the accounting scheme

profile, which cannot be modified.

Accounting mode Accounting mode, which can be

RADIUS authentication, HWTACACS
accounting, or non-accounting.

Real-time accounting Whether to enable real-time

accounting.

Real-time accounting interval Interval for real-time accounting.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 334

Parameter Description

Maximum real-time accounting failure Maximum number of non-responses to

count real-time accounting requests. If the
authentication device does not receive
any response to the accounting request
sent after the number of non-responses
reaches the maximum value, the device
considers that the accounting fails and
applies the real-time accounting failure
policy to the charged users.

Policy upon real-time accounting Policy applied to users after real-time

failure accounting fails.

Accounting-start failure policy Policy used after an accounting-start

failure.
l Prevent user login: Users cannot go
online after an accounting-start
failure.
l Allow user login: Users can still go
online after an accounting-start
failure.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an accounting scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Accounting
Scheme. The Accounting Scheme List page is displayed.
b. Click the accounting scheme profile that you want to modify. The settings of the
accounting scheme profile are displayed.
c. Modify parameters for the accounting scheme profile. Table 7-11 describes the
parameters for modifying an accounting scheme profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an accounting scheme profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Accounting
Scheme. The Accounting Scheme List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Accounting
Scheme. The Accounting Scheme List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 335

7.1.12 Authentication Profile

Procedure
l Create an authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Profile. The Authentication Profile List page is displayed.
b. Click Create. The Create Authentication Profile page is displayed.
c. Enter the name of the new authentication profile in Profile name.
d. Click OK. The parameter setting page of the new authentication profile is
displayed.

e. Set parameters for the authentication profile. Table 7-12 describes the parameters
for creating an authentication profile.

Table 7-12 Parameters for creating an authentication profile

Parameter Description

Prevent authentication overwrite Whether the newly delivered

authentication information overwrites
all the original authentication
information.

Security character string separator Security character string separator.

User group Select a user group name to bind the

user group to the authentication profile.
The user group is configured on User
Group.

Authorization VLAN ID before ID of the VLAN in which the network

authentication resources are accessible to users before
authentication.

Authorization VLAN ID upon ID of the VLAN in which the network

authentication failure resources are accessible to users after
an authentication failure.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Profile. The Authentication Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 336

b. On the Authentication Profile List page, click the authentication profile you want
to modify.
c. On the page that is displayed, modify the parameters as required. For parameter
description, see Table 7-12.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an authentication profile.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Profile. The Authentication Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service >
Authentication Profile. The Authentication Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.13 STA Blacklist Profile

Context
STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and
reject access from unauthorized STAs.
l A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN.
After the whitelist function is enabled, only the STAs in the whitelist can connect to the
WLAN, and access from other STAs is rejected.
l A blacklist contains MAC addresses of STAs that are not allowed to connect to a
WLAN. After the blacklist function is enabled, STAs in the blacklist cannot connect to
the WLAN, and other STAs can connect to the WLAN.

If the whitelist or blacklist is empty, all STAs can connect to the WLAN.

Procedure
l Create a STA blacklist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA Blacklist
Profile. The STA Blacklist Profile List page is displayed.
b. Click Create. The Create STA Blacklist Profile page is displayed.
c. Enter the name of the new STA blacklist profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 337

e. Maintain MAC addresses in the STA blacklist.

n Adding MAC addresses one by one
# Click Creat. The Creat MAC Address page is displayed.
# Set Creation mode to Manually Add.

# Enter a MAC address and description and click . Multiple MAC

addresses can be added. Click to delete the selected MAC address and
description.

# Click OK
n Adding MAC addresses in batches
# Click Creat. The Creat MAC Address page is displayed.
# Set Creation mode to Batch Import. The page for batch importing MAC
addresses is displayed.

# Click and select the MAC file containing MAC addresses that you
want to import, and click Import.
NOTE

You can click to download the MAC file profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 338

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a STA blacklist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA Blacklist
Profile. The STA Blacklist Profile List page is displayed.
b. Click the name of the STA blacklist profile that you want to modify. The STA
blacklist profile configuration page is displayed.
c. Set parameters for modifying a STA blacklist profile. For details, see e.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a STA blacklist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA Blacklist
Profile. The STA Blacklist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA Blacklist
Profile. The STA Blacklist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.14 STA Whitelist Profile

If the whitelist or blacklist is empty, all STAs can connect to the WLAN.

Procedure
l Create a STA whitelist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA
Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Click Create. The Create STA Whitelist Profile page is displayed.
c. Enter the name of the new STA whitelist profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 339

e. Maintain MAC addresses in the STA whitelist.

n Adding MAC addresses one by one
# Click Add. The Import MAC Address page is displayed.

# Enter a MAC address and description and click . Multiple MAC

addresses can be added. Click to delete the selected MAC address and
description.

# Click OK
n Adding MAC addresses in batches
# Click Batch Import. The Import MAC Address page is displayed.

# Click and select the MAC file containing MAC addresses that you
want to import, and click Import.
NOTE

You can click to download the MAC file profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 340

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a STA whitelist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA
Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Click the name of the STA whitelist profile that you want to modify. The STA
whitelist profile configuration page is displayed.
c. Set parameters for modifying a STA whitelist profile. For details, see e.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a STA whitelist profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA
Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > STA
Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.15 SAC Profile

Context
Smart Application Control (SAC) is a smart engine that can identify and classify application
protocols. It uses service awareness technology to identify packets of dynamic protocols such
as HTTP and RTP by checking Layer 4 to Layer 7 information in the packets. SAC helps
implement fine-granular QoS policy control.

Procedure
l Create an SAC profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SAC Profile.
The SAC Profile List page is displayed.
b. Click Create. The Create SAC Profile page is displayed.
c. Enter the name of the new SAC profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new SAC profile is displayed.
e. Set parameters for creating an SAC profile. Table 7-13 describes the parameters for
creating an SAC profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 341

Table 7-13 Parameters for creating an SAC profile

Parameter Description

SAC Profile Name of the SAC profile, which

cannot be modified.

WLAN-based statistics Whether to enable the VAP-based

protocol statistics collection function.

STA-based statistics Whether to enable the STA-based

protocol statistics collection function.

Application protocol group Application or application protocol

group supported by the SAC profile.
After an application protocol group is
created, you can select the application
protocol group. For details on how to
create an application protocol group.

Policy type l Priority policy: Sets a priority for

packets of the specified applications
or application protocol groups.
l Drop policy: Drops packets of the
specified applications or application
protocol groups.
l Rate limit policy: Sets rate limit on
packets of specified applications or
application protocol groups.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 342

Parameter Description

Priority policy mode Priority policy mode.

l Differentiated Services Code Point
(DSCP): DSCP priority.
The value ranges from 0 to 63. A
larger value indicates a higher
priority.
l 802.1P:
802.1p priority.
The value ranges from 0 to 7. A
larger value indicates a higher
priority.
The parameter needs to be configured
when Policy type is set to Priority
policy.

Rate limit message application strategy The value ranges from 64 to 10000000,
in kbit/s.
The parameter needs to be configured
when Policy type is set to Rate limit
policy.

f. Click to add the configured policy to the profile.

g. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an SAC profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SAC Profile.
The SAC Profile List page is displayed.
b. Click the name of the SAC profile that you want to modify. The SAC Profile page
is displayed.
c. Set parameters for modifying an SAC profile. Table 7-13 describes the parameters
for modifying an SAC profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an SAC profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SAC Profile.
The SAC Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > SAC Profile.
The SAC Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 343

NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.16 Soft GRE Profile

Context
When deploying a WLAN on the live network, the operator requires that wireless users be
authenticated and charged on the original BRAS device so that unified authentication,
charging, and management can be implemented on wired and wireless users. In these
scenarios, the AC is usually connected to the network in bypass mode and is only responsible
for AP management and wireless service configuration. The AP directly forwards traffic from
wireless users to BRAS devices over soft GRE tunnels.

Basic parameters of a soft GRE tunnel can be configured in a soft GRE profile.

Procedure
l Create a soft GRE profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
b. Click Create. The Create SoftGRE Profile page is displayed.
c. Enter the name of the new soft GRE profile in Profile name.

e. Set parameters for creating a soft GRE profile. Table 7-14 describes the parameters
for modifying a soft GRE profile.

Table 7-14 Parameters for creating a soft GRE profile

Parameter Description

SoftGRE Profile Name of the soft GRE profile, which

cannot be modified.

SoftGRE tunnel destination IP address Destination IP address of the soft GRE

tunnel, that is, the peer IP address of
the soft GRE tunnel.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 344

Parameter Description

Tunnel heartbeat detection Whether to enable the keepalive

function of the soft GRE tunnel.

Tunnel heartbeat detection period Interval for sending keepalive packets

in the soft GRE tunnel.

Unreachability count Maximum number of keepalive packet

retransmissions in the soft GRE tunnel.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a soft GRE profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
b. Click the name of the soft GRE profile that you want to modify. The soft GRE
profile configuration page is displayed.
c. Set parameters for modifying a soft GRE profile. Table 7-14 describes the
parameters for modifying a soft GRE profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a soft GRE profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.17 UCC Profile

Context
Unified Communication and Collaboration (UCC) is a smart engine that can identify and
classify application protocols. It uses service awareness technology to identify packets of
dynamic protocols such as HTTP and RTP by checking Layer 4 to Layer 7 information in the
packets. UCC helps implement fine-granular QoS policy control.

Procedure
l Create an UCC profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 345

a. Choose Configuration > AP Config > Profile > Wireless Service > UCC Profile.
The UCC Profile List page is displayed.
b. Click Create. The Create UCC Profile page is displayed.
c. Enter the name of the new UCC profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new UCC profile is displayed.
e. Set parameters for creating an UCC profile. Table 7-15 describes the parameters for
creating an UCC profile.

Table 7-15 Parameters for creating an UCC profile

Parameter Description

UCC profile Name of the UCC profile, which

cannot be modified.

Lync voice DSCP priority DSCP priority.

The value ranges from 0 to 63. A larger
value indicates a higher priority.

Lync voice Dot1p priority 802.1p priority.

The value ranges from 0 to 7. A larger
value indicates a higher priority.

Lync video DSCP priority DSCP priority.

The value ranges from 0 to 63. A larger
value indicates a higher priority.

Lync video Dot1p priority 802.1p priority.

The value ranges from 0 to 7. A larger
value indicates a higher priority.

Lync desktop sharing DSCP priority DSCP priority.

The value ranges from 0 to 63. A larger
value indicates a higher priority.

Lync desktop sharing priority 802.1p priority.

The value ranges from 0 to 7. A larger
value indicates a higher priority.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 346

Parameter Description

Lync file transfer DSCP priority DSCP priority.

The value ranges from 0 to 63. A larger
value indicates a higher priority.

Lync file transfer Dot1p priority 802.1p priority.

The value ranges from 0 to 7. A larger
value indicates a higher priority.

f. Click to add the configured policy to the profile.

g. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an UCC profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > UCC Profile.
The UCC Profile List page is displayed.
b. Click the name of the UCC profile that you want to modify. The UCC Profile page
is displayed.
c. Set parameters for modifying an UCC profile. Table 7-15 describes the parameters
for modifying an UCC profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an UCC profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > UCC Profile.
The UCC Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > UCC Profile.
The UCC Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.18 Cellular Network Profile

Procedure
l Create a cellular network profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Cellular
Network Profile. The Cellular Network Profile List page is displayed.
b. Click Create. The Create Cellular Network Profile page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 347

c. Enter the name of the new cellular network profile in Profile name.

e. Set parameters for the cellular network profile. Table 7-16 describes the parameters
for creating a cellular network profile.

Table 7-16 Parameters for creating a cellular network profile

Parameter Description

Cellular Network Profile Name of the cellular network profile,

which cannot be modified.

PLMN ID Enter the Public Land Mobile Network

(PLMN) ID and click . To add
multiple PLMN IDs, repeat the
operation. Click to delete a
selected PLMN ID.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 348

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a cellular network profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Cellular
Network Profile. The Cellular Network Profile List page is displayed.
b. Click the name of the cellular network profile that you want to modify. The cellular
network profile configuration page is displayed.
c. Modify parameters for the cellular network profile. For the parameter description,
see Table 7-16.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a cellular network profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Cellular
Network Profile. The Cellular Network Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Cellular
Network Profile. The Cellular Network Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.19 Roaming Consortium Profile

Context
When configuring Hotspot2.0 services, configure network parameters according to operator
requirements. When connecting to networks, user terminals can obtain the network
parameters to select desired networks. If the user terminals need to roam among Hotspot2.0
networks of different operators, configure a roaming consortium profile and add the
organization identifiers (OIs) of the operators to the roaming consortium profile. In this way,
after the user terminals connect to a network of an operator in the profile, they can roam to
networks of the other operators while maintaining online.

Procedure
l Create a roaming consortium profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Roaming
Consortium Profile. The Roaming Consortium Profile List page is displayed.
b. Click Create. The Create Roaming Consortium Profile page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 349

c. Enter the name of the new roaming consortium profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new roaming consortium profile is
displayed.

e. Set parameters of the roaming consortium profile and click . Table 7-17
describes the parameters for creating a roaming consortium profile.

Repeat the preceding operations to add multiple OIs. Click to delete the
selected OI.

Table 7-17 Parameters for creating a roaming consortium profile

Parameter Description

Roaming Consortium Profile Name of the roaming consortium

profile, which cannot be modified.

Roaming Consortium OI Organization identifier (OI) of the

operator that provides the roaming
service, which is used by STAs to
select networks.

Carried in Beacon and Probe response Whether Beacon and probe-response

packets frames sent by the AP contain the OI.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a roaming consortium profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Roaming
Consortium Profile. The Roaming Consortium Profile List page is displayed.
b. Click the name of the roaming consortium profile that you want to modify. The
roaming consortium profile configuration page is displayed.
c. Modify parameters in the roaming consortium profile. Table 7-17 describes the
parameters for modifying a roaming consortium profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 350

d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a roaming consortium profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Roaming
Consortium Profile. The Roaming Consortium Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Roaming
Consortium Profile. The Roaming Consortium Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.20 NAI Realm Profile

Context
An NAI realm profile is used to configure the network access identifier (NAI) realm name,
authentication mode, and authentication parameters for networks accessible to users.

Procedure
l Create an NAI realm profile.
a. Choose Configuration > AP Config > Profile > Wireless service > NAI Realm
Profile. The NAI Realm Profile List page is displayed.
b. Click Create. The Create NAI Realm Profile page is displayed.

c. Enter the name of the new NAI realm profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new NAI realm profile is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 351

e. Set parameters for creating an NAI realm profile. Click . Table 7-18 describes
the parameters for creating an NAI realm profile.

Repeat the preceding operations to add multiple NAI realms. A maximum of 32

NAI realms can be configured. Click to delete the selected NAI realm.

Table 7-18 Parameters for creating an NAI realm profile

Parameter Description

NAI Realm Profile Name of the NAI realm profile, which

cannot be modified.

Realm name Name of an NAI realm.

EAP authentication Extensible Authentication Protocol

(EAP) authentication method of an
NAI realm. If this parameter is not
specified, all EAP authentication
modes are supported.

Authentication parameter identifier Click Identification Table. In the

dialog box that is displayed, select the
EAP authentication ID of an NAI
realm.

Authentication parameters EAP authentication parameters of an

NAI realm.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an NAI realm profile.
a. Choose Configuration > AP Config > Profile > Wireless service > NAI Realm
Profile. The NAI Realm Profile List page is displayed.
b. Click the name of the NAI realm profile that you want to modify. The NAI realm
profile configuration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 352

c. Modify parameters in the NAI realm profile. Table 7-18 describes the parameters
for modifying an NAI realm profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an NAI realm profile.
a. Choose Configuration > AP Config > Profile > Wireless service > NAI Realm
Profile. The NAI Realm Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless service > NAI Realm
Profile. The NAI Realm Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.21 Network Connection Capability Profile

Context
You can configure Hotspot2.0 services for networks. When user terminals connect to the
networks, they can obtain network connection capability information from APs, including
allowed protocols and ports, which helps them to select desired networks.

Procedure
l Create a connection capability profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Network
Connection Capability Profile. The Network Connection Capability Profile List
page is displayed.
b. Click Create. The Create Network Connection Capability Profile page is
displayed.

c. Enter the name of the new connection capability profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 353

e. Set parameters for creating a connection capability profile. Table 7-19 describes the
parameters for creating a connection capability profile.

Table 7-19 Parameters for creating a connection capability profile

Parameter Description

Network Connection Capability Profile Name of the connection capability

profile, which cannot be modified.

Enable all Whether all protocols are supported.

ESP Whether ESP (port number 0) is

supported.

ICMP Whether ICMP (port number 0) is

supported.

FTP Whether FTP (port number 20) is

supported.

HTTP Whether HTTP (port number 80) is

supported.

PPTP for VPN service Whether PPTP for VPN services (port
number 1723) is supported.

SSH Whether SSH (port number 22) is

supported.

TLS VPN Whether TLS VPN (port number 443)

is supported.

VoIP Whether VoIP (port number 5060) is

supported.

IKEv2 Whether IKEv2 (port number 4500 or

500) is supported.

VoIP Whether UDP VoIP (port number

5060) is supported.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 354

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a connection capability profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Network
Connection Capability Profile. The Network Connection Capability Profile List
page is displayed.
b. Click the name of the connection capability profile that you want to modify. The
connection capability profile configuration page is displayed.
c. Modify parameters in the connection capability profile. Table 7-19 describes the
parameters for modifying a connection capability profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a connection capability profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Network
Connection Capability Profile. The Network Connection Capability Profile List
page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Network
Connection Capability Profile. The Network Connection Capability Profile List
page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.22 Operator Domain Profile

Context
An operator domain profile is used to configure a domain name for a hotspot operator. STAs
can obtain the domain name information through ANQP, which is used as a basis for network
selection.

Procedure
l Create an operator domain profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Domain Profile. The Operator Domain Profile List page is displayed.
b. Click Create. The Create Operator Domain Profile page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 355

c. Enter the name of the new operator domain profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new operator domain profile is
displayed.

e. Set parameters for creating an operator domain profile. Table 7-20 describes the
parameters for creating an operator domain profile.

Table 7-20 Parameters for creating an operator domain profile

Parameter Description

Operator Domain Profile Name of the operator domain profile,

which cannot be modified.

Domain name Domain name of a hotspot operator.

Click to add a domain name of a
hotspot operator. Repeat the preceding
operations to add multiple domain
names. A maximum of 32 domain
names can be configured. Click to
delete the selected domain name.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an operator domain profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Domain Profile. The Operator Domain Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 356

b. Click the name of the operator domain profile that you want to modify. The
operator domain profile configuration page is displayed.
c. Modify parameters in the operator domain profile. Table 7-20 describes the
parameters for modifying an operator domain profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an operator domain profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Domain Profile. The Operator Domain Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Domain Profile. The Operator Domain Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.23 Operator Name Profile

Procedure
l Create an operator name profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Name Profile. The Operator Name Profile List page is displayed.
b. Click Create. The Create Operator Name Profile page is displayed.
c. Enter the name of the new operator name profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new operator name profile is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 357

e. Click Language Type Table. In the Language Type Table dialog box that is
displayed, search for a language type and click Disable.
f. Enter the ID corresponding to the language type in Language type and enter the
name in Carrier friendly name according to the selected language type.
NOTE

When command lines are used to configure a name containing non-English characters, the non-
English characters can only be edited using the command editor of the UTF-8 encoding format.

g. Click to add the operator name profile name to the profile.

h. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an operator name profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Name Profile. The Operator Name Profile List page is displayed.
b. Click the name of the operator name profile that you want to modify. The Operator
Name Profile page is displayed.
c. Modify parameters in the operator name profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an operator name profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Name Profile. The Operator Name Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operator
Name Profile. The Operator Name Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 358

7.1.24 Venue Name Profile

Procedure
l Create a venue name profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Venue Name
Profile. The Venue Name Profile List page is displayed.
b. Click Create. The Create Venue Name Profile page is displayed.
c. Enter the name of the new venue name profile in Profile name.

e. Click Language Type Table. In the Language Type Table that is displayed, select
a language type and click Disable.
f. Enter the number of the selected language type in Language type and enter a venue
name in the selected language in Venue name.
NOTE

When command lines are used to configure a name containing non-English characters, the non-
English characters can only be edited using the command editor of the UTF-8 encoding format.

g. Click to add the venue name to the profile.

h. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a venue name profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Venue Name
Profile. The Venue Name Profile List page is displayed.
b. Click the name of the venue name profile that you want to modify. The Venue
Name Profile page is displayed.
c. Modify parameters for the venue name profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a venue name profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 359

a. Choose Configuration > AP Config > Profile > Wireless Service > Venue Name
Profile. The Venue Name Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Venue Name
Profile. The Venue Name Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.25 Operating Class Profile

Procedure
l Create an operating class profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operating
Class Profile. The Operating Class Profile List page is displayed.
b. Click Create. The Create Operating Class Profile page is displayed.
c. Enter the name of the new operating class profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 360

e. Click Global frequency band indication No.. In the Global Frequency Band
Indication No. dialog box that is displayed, select a frequency band and click
Disable.
f. Enter the frequency band in Frequency band indication No..

g. Click to add the frequency band to the profile.

h. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an operating class profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operating
Class Profile. The Operating Class Profile List page is displayed.
b. Click the name of the operating class profile that you want to modify. The
Operating Class Profile page is displayed.
c. Modify parameters in the operating class profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an operating class profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operating
Class Profile. The Operating Class Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Operating
Class Profile. The Operating Class Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.26 Hotspot2.0 Profile

Procedure
l Create a Hotspot2.0 profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Hotspot2.0
Profile. The Hotspot2.0 Profile List page is displayed.
b. Click Create. The Create Hotspot2.0 Profile page is displayed.
c. Enter the name of the new Hotspot2.0 profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new Hotspot2.0 profile is displayed.
e. Set parameters for creating a Hotspot2.0 profile. Table 7-21 describes the
parameters for creating a Hotspot2.0 profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 361

Table 7-21 Parameters for creating a Hotspot2.0 profile

Parameter Description

Hotspot2.0 Profile Name of the Hotspot2.0 profile, which

cannot be modified.

Network type Type of a Hotspot2.0 network.

Internet access Whether a Hotspot2.0 network

supports Internet access.
l ON: The Hotspot2.0 network
supports Internet access.
l OFF: The Hotspot2.0 network does
not support Internet access.

Area type Venue type of a Hotspot2.0 network.

Area name Venue name of a Hotspot2.0 network.

HESSID Homogenous Extended Service Set

Identifier (HESSID) of a Hotspot2.0
network.

IP availability Available type of an IP address on a

Hotspot2.0 network.

IPv4 availability Available type of an IPv4 address on a

Hotspot2.0 network.

IPv6 availability Available type of an IPv6 address on a

Hotspot2.0 network.

Network authentication type Network authentication type of a

Hotspot2.0 network.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 362

Parameter Description

Prevent cross connections of P2P Whether a Hotspot2.0 network allows

devices for P2P device cross connections.
l ON: The Hotspot2.0 network
allows for P2P device cross
connections.
l OFF: The Hotspot2.0 network
prevents P2P device cross
connections.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a Hotspot2.0 profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Hotspot2.0
Profile. The Hotspot2.0 Profile List page is displayed.
b. Click the name of the Hotspot2.0 profile that you want to modify. The Hotspot2.0
Profile page is displayed.
c. Modify parameters in the Hotspot2.0 profile. Table 7-21 describes the parameters
for modifying a Hotspot2.0 profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Hotspot2.0 profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Hotspot2.0
Profile. The Hotspot2.0 Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Hotspot2.0
Profile. The Hotspot2.0 Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.27 Attack Defense Profile

Context
As the network develops continuously, there are various types of potential risks such as
Trojan horses, worms, and viruses in packets. After an attack defense profile is created,
various security functions are available, such as URL filtering, intrusion prevention, and
antivirus.
Choose Configuration > Security > Attack Defense. The Attack Defense page is displayed.
Enable Security Engine before checking an attack defense profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 363

Procedure
l Create an attack defense profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Attack
Defense Profile. The Attack Defense Profile page is displayed.
b. Click Create. The Create Attack Defense Profile page is displayed.
c. Enter the name of the new attack defense profile in Profile name.
d. Click OK. The parameter setting page of the new attack defense profile is
displayed. Table 7-22 describes the parameters for creating an attack defense
profile.

Table 7-22 Parameters for creating an attack defense profile

Parameter Description

URL Filtering Profile URL filtering profile referenced in the

attack defense profile.

IPS Profile IPS profile referenced in the attack

defense profile.

Antivirus Profile Antivirus profile referenced in the

attack defense profile.

l Delete an attack defense profile.

a. Choose Configuration > AP Config > Profile > Wireless Service > Attack
Defense Profile. The Attack Defense Profile page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Attack
Defense Profile. The Attack Defense Profile page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.28 URL Filtering Profile

Context
Uniform Resource Locator (URL) filtering regulates online behavior by controlling URLs that
users can access.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 364

Choose Configuration > Security > Attack Defense. The Attack Defense page is displayed.
Enable Security Engine before checking a URL filtering profile.

Procedure
l Create a URL filtering profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > URL
Filtering Profile. The URL Filtering Profile List page is displayed.
b. Click Create. The Create URL Filtering Profile page is displayed.
c. Enter the name of a new URL filtering profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Set parameters for creating a URL filtering profile. Table 7-23 describes the
parameters for creating a URL filtering profile.

Table 7-23 URL filtering profile

Item Description

URL filtering profile Name of a new URL filtering profile,

which cannot be modified.

Default action If a URL or host name does not match

any URL or host name in the blacklist
or whitelist, or any URL locally
buffered, the AC performs the default
action.
l Allow: The AC allows users to
access the URL or host.
l Block: The AC prevents users from
accessing the URL or host.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 365

Item Description

URL Whitelist After the URL whitelist is enabled,

users are allowed to access URLs or
host names in the URL whitelist.

URL Blacklist After the URL blacklist is enabled,

users are not allowed to access URLs
or host names in the URL blacklist.

URL When URL is selected, enter URLs

that you want to add to the URL
whitelist or blacklist in the text box
next to Host Name.

Click to add these host names to

the URL whitelist or blacklist.

Host Name When Host Name is selected, enter

host names that you want to add to the
URL whitelist or blacklist in the text
box next to Host Name.

Click to add these host names to

the URL whitelist or blacklist.

e. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a URL filtering profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > URL
Filtering Profile. The URL Filtering Profile List page is displayed.
b. Click the URL filtering profile that you want to modify. The URL Filtering Profile
page is displayed.
c. Set parameters for modifying a URL filtering profile. Table 7-23 describes the
parameters for modifying a URL filtering profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a URL filtering profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > URL
Filtering Profile. The URL Filtering Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > URL
Filtering Profile. The URL Filtering Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 366

7.1.29 IPS Profile

Context
An intrusion prevention system (IPS) is a security mechanism. It detects intrusion behavior
such as buffer overflow attacks, Trojan horses, and worms by analyzing network traffic, and
terminates intrusion behavior in real time through certain response methods. This mechanism
protects enterprise information systems and network architectures against intrusions.
Choose Configuration > Security > Attack Defense. The Attack Defense page is displayed.
Enable Security Engine before checking an IPS profile.

Procedure
l Create an IPS profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > IPS Profile.
The IPS Profile List page is displayed.
b. Click Create. The Create IPS Profile page is displayed.
c. Enter the name of a new IPS profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new IPS profile is displayed.
e. Set parameters for creating an IPS profile. Table 7-24 describes the parameters for
creating an IPS profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 367

Table 7-24 IPS profile

Item Description

IPS profile Name of a new IPS profile, which

cannot be modified.

Action Action of the IPS signature filter.

l Default action of the signature: The
signature filter uses the action of
each signature to process packets.
l Alert: If a packet matches a
signature in the signature filter, the
packet is forwarded and a log is
generated.
l Block: If a packet matches a
signature in the signature filter, the
packet is discarded and a log is
generated.

Set a Filter Condition

The signature filter is a collection of signatures that meet specified filter
conditions. Only signatures that meet all filter conditions can be added to the
signature filter.

Object Target whose IPS signatures are to be

added to the IPS signature filter.
l Server: Adds IPS signatures of
servers to the signature filter.
l Client: Adds IPS signatures of
clients to the signature filter.

Severity Severity of IPS signatures that are to

be added to the IPS signature filter.
l High: Adds signatures with a high
threat level to the signature filter.
l Medium: Adds signatures with a
medium threat level to the signature
filter.
l Low: Adds signatures with a low
threat level to the signature filter.
l Info: Adds signatures with the info
threat level to the signature filter.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 368

Item Description

OS Operating system whose IPS signatures

are to be added to the IPS signature
filter.
l UNIX-like: Specifies the UNIX
operating system such as Linux,
HP-UX, AIX, and Solaris.
l Windows: Specifies the Windows
operating system.
l Android: Specifies the Android
operating system.
l iOS: Specifies the iOS operating
system.
l Other: Specifies other operating
systems.

Protocol Protocol whose IPS signatures are to

be added to the IPS signature filter.

Threat type Threat type of IPS signatures that are

to be added to the IPS signature filter.

Set Exception Signatures

To facilitate management, the signature filter filters signatures in batches and you
need to configure unified actions for these signatures. If administrators need to
configure actions for some signatures different from actions of the signature
filter, they can add the signatures to exception signatures and configure actions
for the signatures independently.

Add Whether to add IPS signatures with

specified IDs to the exception
signature list.

Action Action specified for IPS signatures

with specified IDs.
l Allow: If a packet matches a
signature in the signature filter, the
packet is forwarded and no log is
generated.
l Alert: If a packet matches a
signature in the signature filter, the
packet is forwarded and a log is
generated.
l Block: If a packet matches a
signature in the signature filter, the
packet is discarded and a log is
generated.

Delete Whether to delete signatures with

specified IDs from the exception
signature list.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 369

f. Click Preview The Signature Filter Result to check the signature filter result.
g. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an IPS profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > IPS Profile.
The IPS Profile List page is displayed.
b. Click the IPS profile that you want to modify. The IPS Profile page is displayed.
c. Set parameters for modifying an IPS profile. Table 7-24 describes the parameters
for modifying an IPS profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an IPS profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > IPS Profile.
The IPS Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > IPS Profile.
The IPS Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.1.30 Antivirus Profile

Context
Antivirus is a security mechanism that identifies and remove viruses to secure the network
and prevent such problems as data corruption, permission escalation, and system crash.

Choose Configuration > Security > Attack Defense. The Attack Defense page is displayed.
Enable Security Engine before checking an antivirus profile.

Procedure
l Create an antivirus profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Antivirus
Profile. The Antivirus Profile page is displayed.
b. Click Create. The Create Antivirus Profile page is displayed.
c. Enter the name of the new antivirus profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 370

d. Click OK. The parameter setting page of the new antivirus profile is displayed.
Table 7-25 describes the parameters for creating an antivirus profile.

Table 7-25 Parameters for creating an antivirus profile

Parameter Description

Configure Antivirus for Protocols

Protocol Type of a protocol that requires virus

detection.

Upload Virus detection for uploaded files.

Download Virus detection for downloaded files.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 371

Parameter Description

Action Action performed when viruses are

detected.
l Alert: The system permits the files
and generates logs.
l Block: The system disconnects the
network and generates logs.

Configure Exception Applications

Application Name Name of an application.

Action Exception response action performed

for files transmitted through a specified
application.
l Alert: The system permits the files
and generates logs.
l Allow: The system permits the
files.
l Block: The system disconnects the
network and generates logs.
After selecting Applications Name
and Action, click . To delete an
exception application, select the
application name and click .

Configure Exception Viruses

Virus signature ID Signature ID of an exception virus.

Enter the signature ID of a virus and
click . To delete a virus signature
ID, select the virus signature ID and
click .

e. Click Apply, In the Confirm dialog box that is displayed, click OK.
l Delete an antivirus profile.
a. Choose Configuration > AP Config > Profile > Wireless Service > Antivirus
Profile. The Antivirus Profile page is displayed.
b. Select the profile that you want to delete and click Delete. In the Confirm dialog
box that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Wireless Service > Antivirus
Profile. The Antivirus Profile page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 372

NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.2 Radio Management

7.2.1 Regulatory Domain Profile

Context
A regulatory domain profile is used to configure the country code, and calibration channel and
bandwidth. The configuration in the regulatory domain profile takes effect on APs using the
profile.

Procedure
l Create a regulatory domain profile.
a. Choose Configuration > AP Config > Profile > Radio Management >
Regulatory Domain Profile. The Regulatory Domain Profile List page is
displayed.
b. Click Create. The Create Regulatory Domain Profile page is displayed.
c. Enter the name of the new regulatory domain profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new regulatory domain profile is
displayed.
e. Set parameters for creating a regulatory domain profile. Table 7-26 describes the
parameters for creating a regulatory domain profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 373

Table 7-26 Parameters for creating a regulatory domain profile

Parameter Description

Regulatory Domain Profile Name of the regulatory domain profile,

which cannot be modified.

Country code AC's country code.

4.9 GHz frequency band Open 4.9 GHz frequency band.

WARNING
Before using the 4.9 GHz frequency band,
ensure that you have obtained the 4.9 GHz
license from the local administrative
department and use the band properly.

2.4 GHz DCA Channel Set 2.4 GHz channel set.

5 GHz DCA Channel Set 5 GHz channel set.

Frequency bandwidth Channel bandwidth.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a regulatory domain profile.
a. Choose Configuration > AP Config > Profile > Radio Management >
Regulatory Domain Profile. The Regulatory Domain Profile List page is
displayed.
b. Click the name of the regulatory domain profile that you want to modify. The
Regulatory Domain Profile page is displayed.
c. Set parameters for modifying a regulatory domain profile. Table 7-26 describes the
parameters for modifying a regulatory domain profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a regulatory domain profile.
a. Choose Configuration > AP Config > Profile > Radio Management >
Regulatory Domain Profile. The Regulatory Domain Profile List page is
displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Radio Management >
Regulatory Domain Profile. The Regulatory Domain Profile List page is
displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 374

7.2.2 RRM Profile

Context
WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as
transmission medium. Radio waves will attenuate when they are transmitted over air,
degrading service quality for wireless users. Radio resource management enables a WLAN to
adapt to changes in the radio environment by dynamically adjusting radio resources. This
improves service quality for wireless users.

Procedure
l Create an RRM profile.
a. Choose Configuration > AP Config > Profile > Radio Management > RRM
Profile. The RRM Profile List page is displayed.
b. Click Create. The Create RRM Profile page is displayed.
c. Enter the name of the new RRM profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new RRM profile is displayed.
e. Set parameters for creating an RRM profile. Table 7-27 describes the parameters
for creating an RRM profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 375

Table 7-27 Parameters for creating an RRM profile

Parameter Description

RRM Profile Name of the RRM profile, which

cannot be modified.

Automatic channel optimization Whether to enable automatic channel

selection.

Automatic power optimization Whether to enable automatic transmit

power selection.

Packet loss ratio threshold triggering Packet loss ratio threshold for
partial calibration triggering channel or power
adjustment.

Airtime fair scheduling Whether to enable airtime fair

scheduling.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 376

Parameter Description

Dynamic EDCA Whether to enable dynamic EDCA.

UAC

UAC policy User CAC policy.

New user count threshold CAC threshold for new users based on
the user quantity.

Roaming user count threshold CAC threshold for roaming users

based on the user quantity.

New user channel usage threshold CAC threshold for new users based on
the channel usage.

Roaming user channel usage threshold CAC threshold for roaming users
based on the channel usage.

Hide SSID when user count threshold Whether to enable an AP to

is exceeded automatically hide its SSID when the
number of new users reaches the CAC
threshold.

Restrict access of weak-signal STAs Whether to restrict access from weak-

signal STAs.

Threshold for rejecting access of weak- Threshold for rejecting access from
signal STAs weak-signal STAs.

Band Steering

Start threshold for load balancing Start threshold for load balancing
between frequencies between two radios on the AP that has
band steering enabled.

Load difference threshold for load Load difference threshold for load
balancing between frequencies balancing between two radios on the
AP that has band steering enabled.

Maximum number of rejections Maximum number of times an AP

rejects association requests of a STA
through band steering.

Probe count for aging STA frequency Number of times an AP continuously

band receives probe frames from the same
frequency band.

Dynamic Load Balancing

Load balancing Whether to enable load balancing.

Maximum number of rejections Maximum number of times an AP

rejects association requests of a STA
for dynamic load balancing.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 377

Parameter Description

Start threshold for load balancing (STA Start threshold for dynamic load
count) balancing.

Load difference threshold for load Load difference threshold for dynamic
balancing load balancing.

Smart Roaming

Smart roaming Whether to enable smart roaming.

Check roaming threshold Trigger mode of smart roaming, which

can be check SNR or check rate.

SNR threshold SNR-based roaming threshold.

Rate percentage threshold Rate-based roaming threshold.

Upper threshold of roaming SNR Upper threshold for triggering STA

difference roaming.

Lower threshold of roaming SNR Lower threshold for triggering STA

difference roaming.

SNR detection interval SNR detection interval of smart

roaming STAs.

Aging time of "unable to roam" record Aging time of "unable to roam" record
of smart roaming STAs.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an RRM profile.
a. Choose Configuration > AP Config > Profile > Radio Management > RRM
Profile. The RRM Profile List page is displayed.
b. Click the name of the RRM profile that you want to modify. The RRM Profile page
is displayed.
c. Modify parameters in the RRM profile. Table 7-27 describes the parameters for
modifying an RRM profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an RRM profile.
a. Choose Configuration > AP Config > Profile > Radio Management > RRM
Profile. The RRM Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Radio Management > RRM
Profile. The RRM Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 378

NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.2.3 Air Scan Profile

Context
After an air scan profile is created and bound to a radio profile of an AP, the AP periodically
scans surrounding radio signals and reports the collected information to an AC or server. The
information is used for radio calibration, smart roaming, spectrum analysis, WLAN location,
or WIDS data analysis.

Procedure
l Create an air scan profile.
a. Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.
b. Click Create. The Create Air Scan Profile page is displayed.
c. Enter the name of the new air scan profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new air scan profile is displayed.
e. Set parameters for creating an air scan profile. Table 7-28 describes the parameters
for creating an air scan profile.

Table 7-28 Parameters for creating an air scan profile

Parameter Description

Air Scan Profile Name of the air scan profile, which

cannot be modified.

Scanning Whether to enable the air scan

function.

Channel scanning interval Channel scanning interval.

Channel scanning duration Channel scanning duration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 379

Parameter Description

Probe channel set Air scan channel set.

Voice optimization Whether to enable the optimization

function for voice packets on a radio.

Video optimization Whether to enable the optimization

function for video packets on a radio.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an air scan profile.
a. Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.
b. Click the name of the air scan profile that you want to modify. The Air Scan
Profile page is displayed.
c. Set parameters for modifying an air scan profile. Table 7-28 describes the
parameters for modifying an air scan profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an air scan profile.
a. Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.2.4 2G Radio Profile

Context
A 2G radio profile is used to configure and optimize the 2G radio of an AP, but does not take
effect on the 5G radio. Create a proper radio profile and bind it to an AP specific profile or
AP group. In this way, the AP provides better radio signal transmit and receive capabilities.

Procedure
l Create a 2G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 380

b. Click Create. The Create 2G Radio Profile page is displayed.

c. Enter the name of the new 2G radio profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new 2G radio profile is displayed.
e. Set parameters for the 2G radio profile. Table 7-29 describes the parameters for
creating a 2G radio profile.

Figure 7-1 2G Radio Profile

Figure 7-2 802.11n

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 381

Figure 7-3 802.11bg Rate Set

Figure 7-4 Interference Detection

Figure 7-5 WMM

Table 7-29 Parameters for creating a 2G radio profile

Parameter Description

2G Radio Profile Name of the 2G radio profile, which

cannot be modified.

Radio type Radio type.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 382

Parameter Description

Automatically disable radio Whether to enable the scheduled radio

disabling function.

Automatic disabling time Time range when a radio is disabled as

scheduled. You can set this parameter
using Direct setting or Select time
range. The time range can be created
or modified as required.

Meanings of Wi-Fi indicator status Parameter reflected by the blinking

frequency of the Wireless indicator.
l Signal strength: The blinking
frequency of the Wireless indicator
on an AP indicates the signal
strength. When the Wireless
indicator blinks fast, the signal
strength is strong.
l Service traffic: The blinking
frequency of the Wireless indicator
on an AP indicates the service
traffic volume. When the Wireless
indicator blinks fast, the service
traffic volume is high.

Channel switching announcement Whether channel switching

announcement is enabled.

Channel switching announcement Channel switching announcement

mode mode, which can be:
l Stop traffic transmission: stops data
transmission from STAs on the
current channel during channel
switching.
l Proceed traffic transmission:
continues data transmission on the
current channel during channel
switching.

Packet-based power control Whether per-packet power control is

enabled.

Packet fragmentation threshold Package length threshold for

fragmentation.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 383

Parameter Description

RTS-CTS mode RTS/CTS operation mode, which can

be:
l rts-cts: When an AP needs to send
data to a STA, the AP sends an RTS
packet to all STAs associated with
it. After receiving the RTS packet,
none of the devices within the AP's
coverage area sends data within a
specified period. After the
destination STA receives the RTS
packet, it sends a CTS packet. After
receiving the CTS packet, none of
the devices within the STA's
coverage area sends data within a
specified period. Using the rts-cts
mode to avoid conflicts requires
two packets (RTS and CTS
packets), increasing packet
overhead.
l cts-to-self: When an AP needs to
send data to STAs, it sends a CTS
packet with its IP address as the
source and destination addresses.
Then none of the devices within the
AP's coverage area sends data
within a specified period. In cts-to-
self mode, an AP only needs to
send a CTS packet to avoid channel
conflicts in most scenarios.
However, if there is a device within
the STA's coverage area but not
within the AP's coverage area, a
channel conflict may still occur.
l Disable: disables RTS-CTS.

RTS-CTS threshold RTS/CTS threshold.

Support short preamble Whether short preamble is supported.

Beacon interval Interval at which an AP sends Beacon

frames.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 384

Parameter Description

Utmost power Whether a radio sends packets at the

maximum power.
Only radios of the AD9430DN-24
(including the mapping RUs),
AD9430DN-12 (including the mapping
RUs), AP5030DN, AP5130DN,
AP8030DN, AP8130DN, AP7030DE,
AP9330DN, AP2030DN, AP4030DN,
AP4130DN, AP9131DN, AP9132DN,
AP4030TN, AP4050DN-E,
AP4050DN-HD, AP6050DN,
AP6150DN, AP7050DN-E,
AP7050DE, AP2050DN, AP2050DN-
E, and AP8130DN-W can send packets
at maximum power.

Smart antenna Whether the smart antenna function is

enabled.
Currently, only the AP7030DE and
AP7050DE support the smart antenna
function.

802.11n

GI mode Guard interval mode.

l Short: short guard interval
l Normal: normal guard interval

Beamforming Whether beamforming is enabled.

HT AMPDU Whether MPDU aggregation is

enabled.

Index of maximum length of HT Maximum length of an A-MPDU. The

AMPDUs value ranges from 0 to 3.
l 0: indicates that the maximum
length of the A-MPDU is 8191
bytes.
l 1: indicates that the maximum
length of the A-MPDU is 16383
bytes.
l 2: indicates that the maximum
length of the A-MPDU is 32767
bytes.
l 3: indicates that the maximum
length of the A-MPDU is 65535
bytes.

802.11bg Rate Set

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 385

Parameter Description

Basic rate Basic rate set of 802.11bg.

Maximum rate Maximum rate supported by 802.11bg.

Multicast rate Multicast rate of wireless packets on

the 2.4 GHz radio.

Interference Detection

Interference detection Whether interference detection is

enabled.

AP co-channel interference alarm Alarm threshold for co-channel

threshold interference.

AP adjacent-channel interference Alarm threshold for adjacent-channel

alarm threshold interference.

STA interference alarm threshold Alarm threshold for STA interference.

WMM

WMM Whether WMM is enabled.

Restrict access of non-WMM terminals Whether to allow WMM-incapable

STAs to connect to a WMM-enabled
AP.

Area Provides different preset values for the

EDCA parameters in different
scenarios. You can directly select a
specific scenario or make an
adjustment to the preset values.
l Default: specifies the default of an
EDCA parameter.
l Voice: indicates that voice packets
preempt a channel.
l Voice and video: indicates that
voice and video packets preempt a
channel.

Packet type Type of packets.

AIFSN Arbitration inter frame spacing number

(AIFSN), which determines the
channel idle time.
In the distributed coordination function
(DCF) protocol, the DCF inter frame
space (DIFS) has a fixed value. WMM
provides different DIFS values for
different ACs. A large AIFSN value
means that the STA must wait for a
long time and has a low priority.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 386

Parameter Description

ECWmin Exponent form of the minimum

contention window. ECWmin and
ECWmax determine the average
backoff time. A larger value indicates a
longer average backoff time and a
lower priority.

ECWmax Exponent form of the maximum

contention window. ECWmax and
ECWmin determine the average
backoff time. A larger value indicates a
longer average backoff time and a
lower priority.

TXOPLimit Transmission opportunity limit

(TXOPLimit). It determines the
maximum duration in which an STA
can occupy a channel. A larger value
indicates a longer duration. If the
TXOPLimit value is 0, the STA can
send only one data frame every time it
preempts a channel.

ACK Policy ACK policy, which includes:

l Reply: During 802.11 packet
exchange, the receiver sends an
ACK packet to confirm the
receiving of a packet from the
sender.
l No reply: The receiver sends no
ACK packet to confirm the
receiving of a packet from the
sender. It applies to scenarios where
communication quality is good and
interference is low.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a 2G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.
b. Click the name of the 2G radio profile that you want to modify. The 2G Radio
Profile page is displayed.
c. Modify parameters for the 2G radio profile. For the parameter description, see
Table 7-29.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a 2G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 387

b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure a profile referenced in the 2G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed. Click to the left of the
2G Radio Profile in the navigation tree to expand the 2G radio profile list. Click
to the left of the 2G radio profile name to view the names of the profiles
referenced in the 2G radio profile.
b. Click any profile referenced in the 2G radio profile. The profile configuration page
is displayed. Select a profile name from the drop-down list box and set parameters
for the referenced profile according to the parameter description table for the
specific profile.
c. Click Apply. In the Info dialog box that is displayed, click OK.

----End

7.2.5 5G Radio Profile

Context
A 5G radio profile is used to configure and optimize the 5G radio of an AP, but does not take
effect on the 2G radio. Create a proper radio profile and bind it to an AP specific profile or
AP group. In this way, the AP provides better radio signal transmit and receive capabilities.

Procedure
l Create a 5G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.
b. Click Create. The Create 5G Radio Profile page is displayed.
c. Enter the name of the new 5G radio profile in Profile name.

To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new 5G radio profile is displayed.
e. Set parameters for the 5G radio profile. Table 7-30 describes the parameters for
creating a 5G radio profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 388

Figure 7-6 5G Radio Profile

Figure 7-7 802.11a Rate Set

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 389

Figure 7-8 802.11ac

Figure 7-9 Interference Detection

Figure 7-10 WMM

Table 7-30 Parameters for creating a 5G radio profile

Parameter Description

5G Radio Profile Name of the 5G radio profile, which

cannot be modified.

Radio type Radio type.

Automatically disable radio Whether to enable the scheduled radio

disabling function.

Automatic disabling time Time range when a radio is disabled as

scheduled. You can set this parameter
using Direct setting or Select time
range. The time range can be created
or modified as required.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 390

Parameter Description

Meanings of Wi-Fi indicator status Parameter reflected by the blinking

Channel switching announcement Whether channel switching

announcement is enabled.

Channel switching announcement Channel switching announcement

mode mode.
l Stop traffic transmission: stops data
transmission from STAs on the
current channel during channel
switching.
l Proceed traffic transmission:
continues data transmission on the
current channel during channel
switching.

Packet-based power control Whether per-packet power control is

enabled.

Packet fragmentation threshold Package length threshold for

fragmentation.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 391

Parameter Description

RTS-CTS mode RTS/CTS operation mode, which can

RTS-CTS threshold RTS/CTS threshold.

Beacon interval(ms) Interval at which an AP sends Beacon

frames.

GI mode Guard interval mode.

l Short: short guard interval
l Normal: normal guard interval

Beamforming Whether beamforming is enabled.

HT AMPDU Whether MPDU aggregation is

enabled.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 392

Parameter Description

Index of maximum length of HT Maximum length of an A-MPDU. The

VHT AMSDU Indicates that 802.11 packets are sent

in A-MSDU aggregation mode.

Length of VHT AMSDUs Maximum number of subframes that

can be aggregated once in A-MSDU
aggregation mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 393

Parameter Description

Index of maximum length of VHT Maximum length of an A-MPDU. The

AMPDUs value ranges from 0 to 7.
l 0: indicates that the maximum
length of the A-MPDU is 8191
bytes.
l 1: indicates that the maximum
length of the A-MPDU is 16383
bytes.
l 2: indicates that the maximum
length of the A-MPDU is 32767
bytes.
l 3: indicates that the maximum
length of the A-MPDU is 65535
bytes.
l 4: indicates that the maximum
length of the A-MPDU is 131071
bytes.
l 5: indicates that the maximum
length of the A-MPDU is 262143
bytes.
l 6: indicates that the maximum
length of the A-MPDU is 524287
bytes.
l 7: indicates that the maximum
length of the A-MPDU is 1048575
bytes.

Utmost power Whether a radio sends packets at the

Smart antenna Whether the smart antenna function is

enabled.
Currently, only the AP7030DE and
AP7050DE support the smart antenna
function.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 394

Parameter Description

802.11a Rate Set

Basic rate Basic rate set of 802.11a.

Maximum rate Maximum rate supported by 802.11a.

Multicast rate Multicast rate of wireless packets on

the 5 GHz radio.

802.11ac

Spatial stream quantity Whether the spatial streams support

configuration of the maximum
Modulation and Coding Scheme
(MCS) value.

Maximum MCS value Maximum MCS value supported by

the spatial streams.

Interference Detection

Interference detection Whether interference detection is

enabled.

AP co-channel interference alarm Alarm threshold for co-channel

threshold interference.

AP adjacent-channel interference Alarm threshold for adjacent-channel

alarm threshold interference.

STA interference alarm threshold Alarm threshold for STA interference.

WMM

WMM Whether WMM is enabled.

Restrict access of non-WMM terminals Whether to allow WMM-incapable

STAs to connect to a WMM-enabled
AP.

Area Provides different preset values for the

Packet type Type of packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 395

Parameter Description

AIFSN Arbitration inter frame spacing number

ECWmin Exponent form of the minimum

contention window. ECWmin and
ECWmax determine the average
backoff time. A larger value indicates a
longer average backoff time and a
lower priority.

ECWmax Exponent form of the maximum

contention window. ECWmax and
ECWmin determine the average
backoff time. A larger value indicates a
longer average backoff time and a
lower priority.

TXOPLimit Transmission opportunity limit

ACK Policy ACK policy, which includes:

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a 5G radio profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 396

a. Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.
b. Click the name of the 5G radio profile that you want to modify. The 5G Radio
Profile page is displayed.
c. Modify parameters for the 5G radio profile. For the parameter description, see
Table 7-30.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a 5G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure a profile referenced in the 5G radio profile.
a. Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed. Click to the left of the
5G Radio Profile in the navigation tree to expand the 5G radio profile list. Click
to the left of the 5G radio profile name to view the names of the profiles
referenced in the 5G radio profile.
b. Click any profile referenced in the 5G radio profile. The profile configuration page
is displayed. Select a profile name from the drop-down list box and set parameters
for the referenced profile according to the parameter description table for the
specific profile.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End

7.3 AP
7.3.1 AP Wired Port Link Profile

Context
An AP wired port link profile allows you to perform link-layer management and
configuration of AP wired interfaces.

Procedure
l Create an AP wired port link profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 397

a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Link
Profile. The AP Wired Port Link Profile List page is displayed.
b. Click Create. The Create AP Wired Port Link Profile page is displayed.
c. Enter the name of the new AP wired port link profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP wired port link profile is
displayed.
e. Set parameters for creating an AP wired port link profile. Table 7-31 describes the
parameters for creating an AP wired port link profile.

Table 7-31 Parameters for creating an AP wired port link profile

Parameter Description

AP Wired Port Link Profile Name of the AP wired port link profile,
which cannot be modified.

Port Whether to enable the AP wired

interface.

LLDP Whether to enable LLDP on the AP

wired interface.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 398

Parameter Description

Advertise basic TLV type Basic TLV that an AP is allowed to

advertise in LLDPDUs.
l All: An AP is allowed to advertise
all basic TLVs in LLDPDUs.
l Management-address: An AP is
allowed to advertise Management
address TLVs in LLDPDUs.
l Port-description: An AP is allowed
to advertise Port description TLVs
in LLDPDUs.
l System-capability: An AP is
allowed to advertise System
capability TLVs in LLDPDUs.
l System-description: An AP is
allowed to advertise System
description TLVs in LLDPDUs.
l System-name: An AP is allowed to
advertise System name TLVs in
LLDPDUs.

CRC error alarm Whether to enable the alarm function

for CRC errors on the AP wired
interface.

CRC error alarm threshold Alarm threshold for CRC errors on the
AP wired interface.

CRC error clear alarm threshold Clear alarm threshold for CRC errors
on the AP wired interface.

PoE Settings

PoE Whether to enable the PoE function on

the AP.
Only the R250D-E, AP2050DN-E,
AP4050DN-E, AP4050DN-HD,
AP7050DN-E, AD9430DN-24, and
AD9430DN-12 support this function.

Power supply priority Power priority of PoE interfaces on the

AP.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 399

Parameter Description

Forcible PoE power supply Whether to enable forcible PoE power

supply on the AP's interfaces.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

PD compatibility check Whether to enable PD compatibility

check on the AP.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

PoE power-off time range Effective PoE power-off time range on

an interface.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an AP wired port link profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Link
Profile. The AP Wired Port Link Profile List page is displayed.
b. Click the name of the AP wired port link profile that you want to modify. The AP
Wired Port Link Profile page is displayed.
c. Modify parameters in the AP wired port link profile. Table 7-31 describes the
parameters for modifying an AP wired port link profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an AP wired port link profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Link
Profile. The AP Wired Port Link Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Link
Profile. The AP Wired Port Link Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 400

7.3.2 AP System Profile

Context
To centrally manage and maintain multiple APs, add these APs to a group, set parameters in
an AP system profile, and then reference the AP system profile in the AP group view.

Procedure
l Create an AP system profile.
a. Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.
b. Click Create. The Create AP System Profile page is displayed.
c. Enter the name of the new AP system profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP system profile is displayed.
e. Set parameters for the AP system profile. Table 7-32 describes the parameters for
creating an AP system profile.

Figure 7-11 AP System Profile

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 401

Figure 7-12 Dual-link Configuration

Figure 7-13 LLDP

Figure 7-14 Eapol

Figure 7-15 AP Alarm

Figure 7-16 Log Backup

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 402

Figure 7-17 Spectrum Analysis

Figure 7-18 PoE settings

Figure 7-19 Others

Table 7-32 Parameters for creating an AP system profile

Parameter Description

AP System Profile Name of the new AP system profile,

which cannot be modified.

Service holding upon link Whether to enable or disable service

disconnection holding upon link disconnection.

Offline AP permit access of new STAs Whether to enable or disable the APs
in fault state to allow access of new
STAs.

Role in mesh networking Role of an AP on the Mesh network.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 403

Parameter Description

MPP active reselection Whether to enable or disable active

MPP reselection.

MTU Maximum transmission unit (MTU) on

an Ethernet interface.

Dual-link Configuration

AC priority AC priority.

IP address of the backup AC IP address of the backup AC.

LLDP

Delay in enabling LLDP Delay in re-enabling LLDP on APs.

Working mode LLDP working mode on APs.

Packet transmission delay Delay after which an AP sends LLDP

packets to neighboring devices.

Packet transmission interval Interval at which an AP sends LLDP

packets to neighboring devices.

TTL of packets Number of hold time intervals during

which AP information can be saved on
a neighboring device.

Neighbor information report interval Interval at which an AP reports LLDP

neighbor information to an AC.

Eapol

Eapol-response packet conversion EAPoL-response packet conversion

method.

Eapol-response packet encapsulation EAPoL-response packet encapsulation

method.

Eapol-response MAC address Unicast MAC address of EAPoL-

response packets.
This parameter must be set when
Eapol-response packet encapsulation
is set to Unicast packets with specific
MAC addresses.

Eapol-start packet conversion EAPoL-start packet conversion

method.

Eapol-start packet encapsulation EAPoL-start packet encapsulation

method.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 404

Parameter Description

Eapol-start MAC address Unicast MAC address of EAPoL-start

packets.
This parameter must be set when
Eapol-start packet encapsulation is
set to Unicast packets with specific
MAC addresses.

AP Alarm

Alarm suppression Whether to enable the alarm

suppression function for APs.

Alarm suppression interval Interval during which alarms are

suppressed on APs.

High temperature alarm threshold High temperature alarm threshold for

APs.

Low temperature alarm threshold Low temperature alarm threshold for

APs.

CPU usage alarm threshold CPU usage alarm threshold for APs.

Memory usage alarm threshold Memory usage alarm threshold for

APs.

Log Backup

IP address of the log backup server IP address of the log backup server.

Log backup level Severity of AP logs to be backed up.

Spectrum Analysis

Server IP IP address of a spectrum server. The

value can be an IPv4 or IPv6 address.

Port number Port number of a spectrum server.

Use AC for transparent data Whether an AC is used for transparent

transmission data transmission:
l OFF: Data is transmitted directly to
the spectrum server
l ON: Data is transmitted to the
spectrum server through an AC.

AC port number Port number used by an AC to receive

the spectrum information (UDP
packets) sent by an AP when the AC is
used for transparent data transmission.

Aging time of non-Wi-Fi devices Aging time of non-Wi-Fi devices on an

AC during spectrum analysis.

PoE Settings

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 405

Parameter Description

Maximum output power Maximum output power of the AP.

Only the AP4050DN-HD, AP7050DN-
E, AD9430DN-24, and AD9430DN-12
support this function.

PoE reserved power percentage Percentage of reserved PoE power to

the available PoE power on the AP.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

Alarm threshold of PoE power Alarm threshold of PoE power

consumption percentage consumption percentage.
Only the AP4050DN-E, AP4050DN-
HD, AP7050DN-E, AD9430DN-24,
and AD9430DN-12 support this
function.

IEEE802.3af switching Whether to enable the AP to provide

PoE power in compliance with IEEE
802.3af.
Only the AP7050DN-E,
AD9430DN-24, and AD9430DN-12
support this function.

Allow high inrush current during Whether to enable the AP to allow

power-on high inrush current during power-on.
Only the AP7050DN-E,
AD9430DN-24, and AD9430DN-12
support this function.

Others

Manage VLAN Management VLAN for APs.

Dynamic blacklist aging time Aging time of a dynamic blacklist

entry.

STelnet Whether to allow or forbid STelnet

Telnet Whether to allow or forbid Telnet

Console Whether to allow or forbid console

port login.

SFTP Whether to allow or forbid SFTP login.

Indicator Whether to turn on or off AP

indicators.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 406

Parameter Description

Offline VAP management Whether to enable or disable the

offline VAP management function.

Validity time Time during which AP indicators are

off.

Antenna combined output Whether to enable or disable combined

output of antenna signals.
Only the AP9132DN supports this
function.

USB power supply Whether to enable the USB function of

the AP.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an AP system profile.
a. Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.
b. Click the name of the AP system profile that you want to modify. The AP System
Profile page is displayed.
c. Modify parameters for the AP system profile. For the parameter description, see
Table 7-32.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an AP system profile.
a. Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure a profile referenced in an AP system profile.
a. Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.
b. In the navigation tree, click to the left of AP System Profile to expand the AP
system profile list. Click to the left of an AP system profile name to view the
names of the profiles referenced in the AP system profile.
c. Click any profile referenced in the AP system profile. The profile configuration
page is displayed. Select a profile name from the drop-down list box and set

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 407

parameters for the referenced profile according to the parameter description table
for the specific profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
----End

7.3.3 AP Wired Port Profile

Context
An AP wired port profile allows you to manage and configure wired interfaces of APs. You
can configure wired port parameters in the AP wired port profile to facilitate AP management.

Procedure
l Create an AP wired port profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Profile.
The AP Wired Port Profile List page is displayed.
b. Click Create. The Create AP Wired Port Profile page is displayed.
c. Enter the name of the new AP wired port profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP wired port profile is
displayed.
e. Set parameters for creating an AP wired port profile. Table 7-33 describes the
parameters for creating an AP wired port profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 408

Table 7-33 Parameters for creating an AP wired port profile

Parameter Description

AP Wired Port Profile Name of the AP wired port profile,

which cannot be modified.

Enable Eth-Trunk Whether to enable Eth-Trunk.

Port description Port description.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 409

Parameter Description

Port mode Operating mode of a wired interface.

l root: root mode
l endpoint: endpoint mode
l middle: middle mode

User isolation mode User isolation mode on a wired

interface.
If Port mode is set to endpoint, you
need to set this parameter.

STP Whether to enable STP on the wired

interface.

STP-triggered port shutdown Whether to enable STP-triggered port

shutdown on the AP's wired interface.

Port recovery time Auto-recovery interval for an AP's

wired interface on which the STP-
triggered port shutdown function is
enabled.

DHCP trusted port Whether to enable the DHCP trusted

port function.

ND trusted port Whether to enable the ND trusted port

function.

IGMP Snooping Whether to enable IGMP snooping on

the AP's wired interface.

Address learning Whether to enable terminal address

learning on the AP's wired interface.

IP packet binding check Whether to enable IP source guard

(IPSG) on the AP's wired interface.

ARP packet binding check Whether to enable DAI on the AP's

wired interface.

Port PVID PVID of the wired interface.

Added VLAN ID ID of the VLAN to which the wired

interface is added.

Mode Mode used to add the wired interface

to a VLAN. Tagged and untagged
modes are supported.

Packet filtering

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 410

Parameter Description

Packet filtering Packet filtering type. The options are

as follows:
l L2 packet filtering
l IPv4 packet filtering
l IPv6 packet filtering

Inbound ACL IPv4 ACL used to filter incoming

packets.

Outbound ACL IPv4 ACL used to filter outgoing

packets.

Inbound ACLv6 IPv6 ACL used to filter incoming

packets.

Outbound ACLv6 IPv6 ACL used to filter outgoing

packets.

Re-marking

Re-marking Re-marking type. The options are as

follows:
l L2 re-marking
l IPv4 re-marking
l IPv6 re-marking

Inbound ACL Inbound ACL. The value is an integer

that ranges from 3000 to 3031 for IPv4
and IPv6 ACLs and from 4000 to 4031
for Layer 2 ACLs.
l 3000 to 3031: advanced ACLs
l 4000 to 4031: Layer 2 ACLs

Re-marked priority Priority type for incoming packets that

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 411

Parameter Description

Outbound ACL Outbound ACL. The value is an

integer that ranges from 3000 to 3031
for IPv4 and IPv6 ACLs and from
4000 to 4031 for Layer 2 ACLs.
l 3000 to 3031: advanced ACLs
l 4000 to 4031: Layer 2 ACLs

Re-marked priority Priority type for outgoing packets that

Storm Control

Broadcast packet rate limit Maximum broadcast traffic volume

allowed on the AP's wired interface.

Unicast packet rate limit Maximum unknown unicast traffic

volume allowed the an AP's wired
interface.

Multicast packet rate limit Maximum multicast traffic volume

allowed on the AP's wired interface.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an AP wired port profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Profile.
The AP Wired Port Profile List page is displayed.
b. Click the name of the AP wired port profile that you want to modify. The AP
Wired Port Profile page is displayed.
c. Modify parameters of the AP wired port profile. Table 7-33 describes the
parameters for modifying an AP wired port profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an AP wired port profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Profile.
The AP Wired Port Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Profile.
The AP Wired Port Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 412

b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure the profiles that are referenced by the AP wired port profile.
a. Choose Configuration > AP Config > Profile > AP > AP Wired Port Profile.
The AP Wired Port Profile List page is displayed. Click next to AP Wired
Port Profile. The AP wired port profile name is displayed. Click next to the
specified AP wired port profile to view the profiles that are referenced by the AP
wired port profile.
b. Click any profile that is referenced by the AP wired port profile and access the
configuration page of the referenced profile. Select the profile from the drop-down
list box and set parameters of the profile to configure the profile that is referenced
by the AP wired port profile. For the description about parameters in the profile,
refer to the profile page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End

7.4 Mesh

7.4.1 Mesh Whitelist Profile

Context
After a Mesh whitelist profile is applied to an AP radio, the AP radio can only set up Mesh
links with neighboring APs whose MAC addresses are in the Mesh whitelist profile.

Procedure
l Create a Mesh whitelist profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Whitelist Profile.
The Mesh Whitelist Profile List page is displayed.
b. Click Create. The Create Mesh Whitelist Profile page is displayed.
c. Enter the name of the new Mesh whitelist profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new Mesh whitelist profile is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 413

e. Maintain MAC addresses in the Mesh whitelist profile.

n Adding MAC addresses one by one
# Click Add. The Import MAC Address page is displayed.

# Enter a MAC address and click . Multiple MAC addresses can be added.
Click to delete the selected MAC address.

# Click OK
n Adding MAC addresses in batches
# Click Batch Import. The Import MAC Address page is displayed.

# Click and select the MAC file containing MAC addresses that you
want to import, and click Import.
NOTE

You can click to download the MAC file profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 414

d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Mesh whitelist profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Whitelist Profile.
The Mesh Whitelist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Whitelist Profile.
The Mesh Whitelist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.4.2 Mesh Handover Profile

Context
After a Mesh handover profile is bound to a Mesh profile, the Mesh profile can provide the
fast Mesh link handover function and apply to train-ground communication scenarios.

Procedure
l Create a Mesh handover profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Handover Profile.
The Mesh Handover Profile List page is displayed.
b. Click Create. The Create Mesh Handover Profile page is displayed.
c. Enter the name of the new Mesh handover profile in Profile name.

e. Set parameters for creating a Mesh handover profile. Table 7-34 describes the
parameters for creating a Mesh handover profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 415

Table 7-34 Parameters for creating a Mesh handover profile

Parameter Description

Mesh Handover Profile Name of the Mesh handover profile,

which cannot be modified.

Position-based handover algorithm Whether to enable the location-based

enhanced link handover algorithm.
After the location-based enhanced link
handover algorithm is enabled, the
vehicle-mounted AP will switch the
active link to the nearest trackside AP
that meet handover requirements.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a Mesh handover profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Handover Profile.
The Mesh Handover Profile List page is displayed.
b. Click the name of the Mesh handover profile that you want to modify. The Mesh
handover profile configuration page is displayed.
c. Modify parameters in the Mesh handover profile. Table 7-34 describes the
parameters for modifying a Mesh handover profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Mesh handover profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Handover Profile.
The Mesh Handover Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Handover Profile.
The Mesh Handover Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.4.3 Mesh Profile

Context
Common Mesh Network Application
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect
to a wired network through uplinks. If no wired network is available for WLAN construction,
a wired network must be constructed first, which is both time- and money- consuming. If the

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 416

positions of some APs on a WLAN need to be adjusted, the wired network must be adjusted
accordingly, increasing the difficulty in network adjustment. With Mesh technology, APs can
connect each other wirelessly, which allows flexible networking and quick network
deployment and facilitates dynamic expansion of network coverage.
As shown in Figure 7-21, APs on a Mesh network can be sorted into the following types
based on functions:
l Mesh Point (MP): a Mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both Mesh
service and user access service.
l Mesh Portal Point (MPP): a Mesh point that connects the Mesh network to other types of
networks. This node provides the portal function to allow Mesh nodes to communicate
with external networks.

Figure 7-20 Mesh networking

As shown in Figure 7-21, an access terminal (AT) connects to the remote AP through a Mesh
link to provide Internet access services for downstream devices connected to the AT. The
Mesh service needs to be configured on the remote AP connected to the AT and the Fix-
Wireless-Access (FWA) mode needs to be enabled in the Mesh profile so that the AT can
connect to the AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 417

Figure 7-21 AT application

Procedure
l Create a Mesh profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Profile. The Mesh
Profile List page is displayed.
b. Click Create. The Create Mesh Profile page is displayed.
c. Enter the name of the new Mesh profile in Profile name.

e. Set parameters for creating a Mesh profile. Table 7-35 describes the parameters for
creating a Mesh profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 418

Table 7-35 Parameters for creating a Mesh profile

Parameter Description

Mesh Profile Name of the Mesh profile, which

cannot be modified.

Mesh ID Mesh ID of a Mesh profile.

FWA mode Whether the FWA mode is used.

An access terminal (AT) connects to
the remote AP through a Mesh link to
provide Internet access services for
downstream devices connected to the
AT. The Mesh service needs to be
configured on the remote AP
connected to the AT and the FWA
mode needs to be enabled in the Mesh
profile so that the AT can connect to
the AP.

FWA EDCA mode The Enhanced Distributed Channel

Access (EDCA) mode is Auto or
Manual. When Auto is specified, the
remote AP adjusts EDCA parameters
based on the number of ATs.

Link information report interval Interval at which an MP reports mesh

link information to the AC.

Maximum number of links Maximum number of Mesh links

allowed on an AP.

Link aging time Aging time of a Mesh link.

If a Mesh node cannot receive
keepalive packets from a neighboring
node for a period of time greater than
or equal to the aging time of a Mesh
link, the Mesh node considers the
Mesh link disconnected and will
reselect a link.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 419

Parameter Description

DHCP trusted interface Whether to enable the DHCP trusted

interface in the Mesh profile.
After the DHCP trusted interface is
configured on an AP, the AP receives
the DHCP OFFER, ACK, and NAK
packets sent by authorized DHCP
servers and forwards the packets to
STAs so that the STAs can obtain valid
IP addresses and go online.

ND trusted interface Whether to enable the ND trusted

interface in the Mesh profile.
After the ND trusted interface is
configured on an AP, the AP receives
the ND OFFER, ACK, and NAK
packets sent by authorized ND servers
and forwards the packets to STAs so
that the STAs can obtain valid IPv6
addresses and go online.

Area Preset EDCA parameters for different

Packet Type Packet type.

l AC_VO: Voice
l AC_VI: Video
l AC_BE: Best Effort
l AC_BK: Background

AIFSN Arbitration inter frame spacing number

(AIFSN), which determines the
channel idle time. A larger AIFSN
value indicates that the STA must wait
for a longer time and has a lower
priority.

ECWmin Exponent form of the minimum

contention window (ECWmin) and
exponent form of the maximum
contention window (ECWmax)

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 420

Parameter Description

ECWmax together determine the average backoff

time. Larger ECWmin and ECWmax
values indicate that the average backoff
time for the STA is longer and the STA
priority is lower.

TXOPLimit Transmission opportunity limit

(TXOPLimit), which determines the
maximum duration in which an STA
can occupy the channel. A larger
TXOPLimit value indicates that the
STA can occupy the channel for a
longer time.

Beacon frame rate on 2.4G radio Set the transmit rate of 2.4GHz Beacon
frames.

Beacon frame rate on 5G radio Set the transmit rate of 5 GHz Beacon
frames.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a Mesh profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Profile. The Mesh
Profile List page is displayed.
b. Click the name of the Mesh profile that you want to modify. The Mesh profile
configuration page is displayed.
c. Modify parameters in the Mesh profile. Table 7-35 describes the parameters for
modifying a Mesh profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Mesh profile.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Profile. The Mesh
Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Mesh > Mesh Profile. The Mesh
Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure the profiles that are referenced by the Mesh profile.

A Mesh profile can reference the security profile, Mesh whitelist profile, and Mesh
handover profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 421

a. Choose Configuration > AP Config > Profile > Mesh > Mesh Profile. The Mesh
Profile List page is displayed. Click next to Mesh Profile. The Mesh profile
name is displayed. Click next to the specified Mesh profile to view the profiles
that are referenced by the Mesh profile.
b. Click any profile that is referenced by the Mesh profile and access the configuration
page of the referenced profile. Select the profile from the drop-down list box and set
parameters of the profile to configure the profile that is referenced by the Mesh
profile. For the description about parameters in the profile, refer to the profile page.
c. Click Apply. In the Info dialog box that is displayed, click OK.

----End

7.5 WDS
7.5.1 WDS Whitelist Profile

Context
After a WDS whitelist profile is applied to an AP radio, the AP radio can only set up WDS
links with neighboring APs whose MAC addresses are in the WDS whitelist profile. If no
WDS whitelist profile is applied to an AP radio, the AP radio can establish WDS links with
any neighboring APs.

Procedure
l Create a WDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Whitelist Profile.
The WDS Whitelist Profile List page is displayed.
b. Click Create. The Create WDS Whitelist Profile page is displayed.
c. Enter the name of the new WDS whitelist profile in Profile name.

e. Maintain MAC addresses in the WDS whitelist profile.

n Adding MAC addresses one by one
# Click Add. The Import MAC Address page is displayed.

# Enter a MAC address and click . Multiple MAC addresses can be added.
Click to delete the selected MAC address.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 422

# Click OK
n Adding MAC addresses in batches
# Click Batch Import. The Import MAC Address page is displayed.

# Click and select the MAC file containing MAC addresses that you
want to import, and click Import.
NOTE

You can click to download the MAC file profile.

# Click Apply. In the Info dialog box that is displayed, click OK.
n Deleting MAC addresses
# Select the MAC address that you want to delete and click Delete. In the Info
dialog box that is displayed, click OK.
f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a WDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Whitelist Profile.
The WDS Whitelist Profile List page is displayed.
b. Click the name of the WDS whitelist profile that you want to modify. The WDS
whitelist profile configuration page is displayed.
c. Set parameters for modifying a WDS whitelist profile. For details, see e.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a WDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Whitelist Profile.
The WDS Whitelist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 423

l Display the profile reference relationship.

a. Choose Configuration > AP Config > Profile > WDS > WDS Whitelist Profile.
The WDS Whitelist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.5.2 WDS Profile

Procedure
l Create a WDS profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Profile. The WDS
Profile List page is displayed.
b. Click Create. The Create WDS Profile page is displayed.
c. Enter the name of the new WDS profile in Profile name.

e. Set parameters for creating a WDS profile. Table 7-36 describes the parameters for
creating a WDS profile.

Table 7-36 Parameters for creating a WDS profile

Parameter Description

WDS Profile Name of the WDS profile, which

cannot be modified.

WDS network bridge name WDS name of a WDS profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 424

Parameter Description

WDS working mode WDS working mode, which can be the

root node, middle node, or leaf node.
NOTE
After changing the WDS working mode in
a WDS profile, reset the APs using the
profile to make the changed WDS mode
take effect.

DHCP trusted interface Whether to enable the DHCP trusted

interface function.
After the DHCP trusted interface
function is enabled in a WDS profile,
the AP receives the DHCP OFFER,
ACK, and NAK packets sent by
authorized DHCP servers and forwards
the packets to STAs so that the STAs
can obtain valid IP addresses and go
online.

ND trusted interface Whether to enable the ND trusted

interface function.
After the ND trusted interface function
is enabled in a WDS profile, the AP
receives the ND OFFER, ACK, and
NAK packets sent by authorized ND
servers and forwards the packets to
STAs so that the STAs can obtain valid
IPv6 addresses and go online.

MU-MIMO Whether to enable MU-MIMO.

Tagged VLAN Tagged VLAN. To add a tagged

VLAN, enter the tagged VLAN and
click . A maximum of 256 VLANs
can be added to a WDS profile. To
delete a tagged VLAN, enter the
tagged VLAN and click .
After one or a group of VLANs is
added to a WDS profile in tagged
mode, the WDS link forwards only the
packets with these VLAN IDs from
STAs and peer APs.

Beacon frame rate on 2.4G radio Set the transmit rate of 2.4GHz Beacon
frames.

Beacon frame rate on 5G radio Set the transmit rate of 5 GHz Beacon
frames.

f. Click Apply. In the Info dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 425

l Modify a WDS profile.

a. Choose Configuration > AP Config > Profile > WDS > WDS Profile. The WDS
Profile List page is displayed.
b. Click the name of the WDS profile that you want to modify. The WDS profile
configuration page is displayed.
c. Modify parameters in the WDS profile. Table 7-36 describes the parameters for
modifying a WDS profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a WDS profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Profile. The WDS
Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > WDS > WDS Profile. The WDS
Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.
l Configure the profiles that are referenced by the WDS profile.
A WDS profile can reference the security profile and WDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WDS > WDS Profile. The WDS
Profile List page is displayed. Click next to WDS Profile. The WDS profile
name is displayed. Click next to the specified WDS profile to view the profiles
that are referenced by the WDS profile.
b. Click any profile that is referenced by the WDS profile and access the configuration
page of the referenced profile. Select the profile from the drop-down list box and set
parameters of the profile to configure the profile that is referenced by the WDS
profile. For the description about parameters in the profile, see the profile page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End

7.6 WIDS
7.6.1 WIDS Whitelist Profile

Context
There are security risks from unauthorized devices on WLAN networks, so administrators
deploy monitoring APs to monitor the WLAN networks. After the AP working mode is set to
monitoring, the AP monitors wireless devices and reports wireless device information to an
AC. The AC can identify unauthorized devices.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 426

However, there may be APs of other vendors or other networks working in the existing signal
coverage areas. If these APs are countered, their services will be affected. To prevent this
situation, configure an authorized AP list, including an authorized MAC address list, OUI list,
and SSID list. When an unauthorized AP is detected but the AP's MAC address is in the
authorized MAC address list, the AP is an authorized AP. However, if the AP's MAC address
is not in the authorized MAC address list, the AP's OUI and SSID must be both in the
authorized OUI and SSID lists; otherwise, the AP is a rogue AP.

Procedure
l Create a WIDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Whitelist
Profile. The WIDS Whitelist Profile List page is displayed.
b. Click Create. The Create WIDS Whitelist Profile page is displayed.
c. Enter the name of the new WIDS whitelist profile in Profile name.

e. Set parameters for creating a WIDS whitelist profile. Table 7-37 describes the
parameters for creating a WIDS whitelist profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 427

Table 7-37 Parameters for creating a WIDS whitelist profile

Parameter Description

WIDS Whitelist Profile Name of the WIDS whitelist profile,

which cannot be modified.

MAC Whitelist Maintain MAC addresses in the

whitelist.
l Adding MAC addresses one by one
# Click Add. The Import MAC
Address page is displayed.
# Enter a MAC address and click
. Multiple MAC addresses can
be added. Click to delete the
selected MAC address.
# Click OK
l Adding MAC addresses in batches
# Click Batch Import. The Import
MAC Address page is displayed.

# Click and select the MAC

file containing MAC addresses that
you want to import, and click
Import.
NOTE

You can click to download the

MAC template.
# Click Apply. In the Info dialog
box that is displayed, click OK.
l Deleting MAC addresses
# Select the MAC address that you
want to delete and click Delete. In
the Info dialog box that is
displayed, click OK.

OUI Whitelist OUI to be added to the OUI whitelist.

To add an OUI, enter an OUI and click
. You can repeat the operation to
add multiple OUIs. Click to delete
the selected OUI.

SSID Whitelist SSID to be added to the SSID

whitelist. To add an SSID, enter an
SSID and click . You can repeat the
operation to add multiple SSIDs. Click
to delete the selected SSID.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 428

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a WIDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Whitelist
Profile. The WIDS Whitelist Profile List page is displayed.
b. Click the name of the WIDS whitelist profile that you want to modify. The WIDS
whitelist profile configuration page is displayed.
c. Set parameters for modifying a WIDS whitelist profile. Table 7-37 describes the
parameters for modifying a WIDS whitelist profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a WIDS whitelist profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Whitelist
Profile. The WIDS Whitelist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Whitelist
Profile. The WIDS Whitelist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.6.2 WIDS Spoof SSID Profile

Context
WLAN services are available in public places, such as banks and airports. Users can connect
to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and
provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to
the rogue AP, which brings security risks. To address this problem, configure a fuzzy
matching rule to identify spoofing SSIDs. The device compares a detected SSID with the
matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP
using the spoofing SSID is a rogue AP. The device then take countermeasures against the
rogue AP, forcing users to disconnect from the AP.

Procedure
l Create an SSID profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Spoof SSID
Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Click Create. The Create WIDS Spoof SSID Profile page is displayed.
c. Enter the name of the new WIDS spoof SSID profile in Profile name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 429

e. Set parameters for creating a WIDS spoof SSID profile. Table 7-38 describes the
parameters for modifying an SSID profile.

Table 7-38 Parameters for creating a WIDS spoof SSID profile

Parameter Description

WIDS Spoof SSID Profile Name of the WIDS spoof SSID profile,
which cannot be modified.

Rule for identifying spoofing SSIDs Regular expression of an SSID. After

this parameter is set, click . If a
detected SSID matches the regular
expression, the SSID is considered a
spoofing SSID. Repeat the preceding
steps to add multiple rules for
identifying spoofing SSIDs. Click
to delete the selected rule for
identifying spoofing SSIDs.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify an SSID profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Spoof SSID
Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Click the name of the WIDS spoof SSID profile that you want to modify. The
WIDS spoof SSID profile configuration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 430

c. Set parameters for modifying a WIDS spoof SSID profile. Table 7-38 describes the
parameters for modifying an SSID profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete an SSID profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Spoof SSID
Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Spoof SSID
Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.6.3 WIDS Profile

Context
A WIDS profile can be used to configure parameters for the wireless device detection, rogue
device containment, and attack detection functions.

Procedure
l Create a WIDS profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The
WIDS Profile List page is displayed.
b. Click Create. The Create WIDS Profile page is displayed.
c. Enter the name of the new WIDS profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new WIDS profile is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 431

e. Set parameters for creating a WIDS profile. Table 7-39 describes the parameters for
creating a WIDS profile.

Table 7-39 Parameters for creating a WIDS profile

Parameter Description

WIDS Profile Name of the WIDS profile, which

cannot be modified.

Interval for reporting detected WLAN Interval for reporting the detected
device information WLAN device information. The
default value is 300 seconds.

Interval for reporting all WLAN device Interval at which an AP reports all the
information detected WLAN device information.
The default value is 360 minutes.

Dynamic blacklist Whether to enable the dynamic

blacklist function. An AP can use the
dynamic blacklist to filter out the
blacklisted wireless devices to avoid
malicious attacks.

Detection interval Attack detection interval.

Threshold for the number of possible Possible attack count threshold in a

attacks detection interval. The device reports
the detected attacks when the count
threshold is exceeded.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 432

Parameter Description

Quiet period Quiet period for attack detection. The

device does not report the detected
attacks in the quiet period.

Countermeasure mode Countering mode set against rogue

devices. After the countering mode is
set, rogue devices cannot connect to
the WLAN.

STA protection whitelist Name of the STA protection whitelist.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Configure and modify the profiles referenced by a WIDS profile.

A WIDS profile can reference WIDS whitelist and WIDS spoof SSID profiles.

a. Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The
WIDS Profile List page is displayed. Click next to WIDS Profile. The system
displays names of the WIDS profiles. Click next to a WIDS profile name. The
profiles referenced by the WIDS profile are displayed in the menu navigation area.
b. Click any profile referenced by the WIDS profile. The configuration page of the
referenced profile is displayed. Select a profile name from the drop-down list box
and configure parameters of the referenced profile. For descriptions of the profile
parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a WIDS profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The
WIDS Profile List page is displayed.
b. Click the name of the WIDS profile that you want to modify. The WIDS profile
configuration page is displayed.
c. Set parameters for modifying a WIDS profile. Table 7-39 describes the parameters
for modifying a WIDS profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a WIDS profile.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The
WIDS Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The
WIDS Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 433

NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.7 WLAN Location

7.7.1 WLAN Location Profile

l Create a location profile.

a. Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
b. Click Create. The Create WLAN Location Profile page is displayed.
c. Enter the name of the new location profile in Profile name.

e. Set parameters for creating a location profile. Table 7-40 describes the parameters
for creating a location profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 434

Table 7-40 Parameters for creating a location profile

Parameter Description

WLAN Location Profile Name of the location profile, which

cannot be modified.

Source IP address of outgoing packets Source IP address in location packets

reported to the AC. This parameter
takes effect only in AeroScout and
Ekahau positioning.

AeroScout Location

Tag location Whether to enable WLAN location of

AeroScout tags.

STA location Whether to enable WLAN location of

AeroScout MUs.

Packet aggregation interval Interval of AeroScout tag location

packet aggregation and MU packet
aggregation.

Data report mode Mode in which AeroScout location

packets are reported.
l Through AC: An AP reports
AeroScout location packets to an
AC, and the AC forwards them to
the AeroScout location server.
l AP: An AP directly reports
AeroScout location packets to the
AeroScout location server without
sending them to the AC.
NOTE
Each location profile defines three location
methods: AeroScout location, Ekahau
location, and private location. If multiple
location profiles are used and the same
location method is used, Through AC can
be only specified in one profile.

Server port number Port number of the AeroScout location

server.

AC port number AC port number used to communicate

with the AeroScout location server.

Ekahau Location

Tag location Whether to enable WLAN location of

Ekahau tags.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 435

Parameter Description

Data report mode Mode in which Ekahau location

packets are reported.
l Through AC: An AP reports
Ekahau location packets to an AC,
and the AC forwards them to the
Ekahau location server.
l AP: An AP directly reports Ekahau
location packets to the Ekahau
location server without sending
them to the AC.
NOTE
Each location profile defines three location
methods: AeroScout location, Ekahau
location, and private location. If multiple
location profiles are used and the same
location method is used, Through AC can
be only specified in one profile.

Server IP/port number IP address and port number of the

Ekahau location server.

AC port number AC port number used to communicate

with the Ekahau location server.

Private Location

STA location Whether to enable STA location.

Data report interval Interval for reporting STA location

packets.

Data report mode Mode in which STA location packets

are reported.
l Through AC: An AP reports STA
location packets to an AC, and the
AC forwards them to the STA
location server.
l AP: An AP directly reports STA
location packets to the STA location
server without sending them to the
AC.
NOTE
Each location profile defines three location
methods: AeroScout location, Ekahau
location, and private location. If multiple
location profiles are used and the same
location method is used, Through AC can
be only specified in one profile.

Server IP/port number IP address and port number of the STA

location server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 436

Parameter Description

AC port number AC port number used to communicate

with the STA location server.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a location profile.
a. Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
b. Click the name of the location profile that you want to modify. The location profile
configuration page is displayed.
c. Modify parameters in the location profile. Table 7-40 describes the parameters for
modifying a location profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a location profile.
a. Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.8 Buletooth Location

7.8.1 BLE Profile

l Create a BLE profile.

a. Choose Configuration > AP Config > Profile > Bluetooth Location > BLE
Profile. The BLE Profile List page is displayed.
b. Click Create. The Create BLE Profile page is displayed.

c. Enter the name of the new BLE profile in Profile Name.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 437

e. Set parameters for creating a BLE profile. Table 7-41 describes the parameters for
creating a BLE profile.

Table 7-41 Creating a BLE profile

Item Description

BLE Profile Name of a BLE profile, which cannot

be modified.

Broadcast Whether to enable the broadcast

function of the BLE profile.

Transmit power Transmit power.

Broadcast interval Interval for sending broadcast packets.

Broadcast UUID value UUID value in a broadcast packet.

Broadcast Major value Major value in a broadcast packet.

Broadcast Minor value Minor value in a broadcast packet.

RSSI calibration value RSSI calibration value in a packet.

Monitoring surrounding BLE devices Whether to enable the function of

monitoring surrounding BLE devices.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a BLE profile.
a. Choose Configuration > AP Config > Profile > Bluetooth Location > BLE
Profile. The BLE Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 438

b. Click the name of the BLE profile that you want to modify. The BLE profile
configuration page is displayed.
c. Modify parameters of the BLE profile. Table 7-41 describes the parameters for
modifying a BLE profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a BLE profile.
a. Choose Configuration > AP Config > Profile > Bluetooth Location > BLE
Profile. The BLE Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > Bluetooth Location > BLE
Profile. The BLE Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.9 IoT
7.9.1 Serial Profile
l Create a Serial profile.
a. Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.
b. Click Create. The Create Serial Profile page is displayed.
c. Enter the name of the new Serial profile in Profile name.
To copy all parameters from another profile to the new profile, select the name of
the profile in Copy parameters from other profiles. If none is selected,
parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new Serial profile is displayed.

e. Set parameters for creating a Serial profile. Table 7-42 describes the parameters for
creating a Serial profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 439

Table 7-42 Parameters for creating a Serial profile

Parameter Description

Serial Profile Name of a serial profile, which cannot

be modified.

Baud rate Baud rate of the serial port in an IoT

slot.

Parity check type Parity check type of the serial port in

an IoT slot.

Stop bit Stop bit of the serial port in an IoT slot.

Frame format Frame format of the serial port in an

IoT slot.
l Fixed frame length: enables packet
fragmentation based on fixed frame
length.
l Start and stop flags of fixed-
length frames: enables packet
fragmentation based on start and
stop flags of fixed-length frames.

Frame length Frame length of the serial port in an

IoT slot.

Frame start flag Frame start flag of the serial port in an

IoT slot.

Frame end flag Frame end flag of the serial port in an

IoT slot.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a Serial profile.
a. Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.
b. Click the name of the Serial profile that you want to modify. The Serial profile
configuration page is displayed.
c. Modify parameters in the Serial profile. Table 7-42 describes the parameters for
modifying a Serial profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a Serial profile.
a. Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 440

b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

7.9.2 IoT Profile

l Create a IoT profile.

a. Choose Configuration > AP Config > Profile > IoT > IoT Profile. The IoT
Profile List page is displayed.
b. Click Create. The Create IoT Profile page is displayed.
c. Enter the name of the new IoT profile in Profile name.

e. Set parameters for creating a IoT profile. Table 7-43 describes the parameters for
creating a IoT profile.

Table 7-43 Parameters for creating a IoT profile

Parameter Description

IoT Profile Name of an IoT profile, which cannot

be modified.

Communication key Communication key.

Confirm key Confirm key.

IP address of a trusted host computer IP address of a trusted proxy host.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 441

Parameter Description

Mask of a trusted host computer Subnet mask of a trusted proxy host.

Host Computer Location

Server IP Address IP address of a server.

Server Port Number Port number of a server.

f. Click Apply. In the Info dialog box that is displayed, click OK.
l Modify a IoT profile.
a. Choose Configuration > AP Config > Profile > IoT > IoT Profile. The IoT
Profile List page is displayed.
b. Click the name of the IoT profile that you want to modify. The IoT profile
configuration page is displayed.
c. Modify parameters in the IoT profile. Table 7-43 describes the parameters for
modifying a IoT profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
l Delete a IoT profile.
a. Choose Configuration > AP Config > Profile > IoT > IoT Profile. The IoT
Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the Info dialog box
that is displayed, click OK.
l Display the profile reference relationship.
a. Choose Configuration > AP Config > Profile > IoT > IoT Profile. The IoT
Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship and click
Display Reference. The system displays the types and names of the objects that
reference the profile.
NOTE

Click Hide Profile Reference. The system hides the displayed results.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 442

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8 Configuration Examples

About This Chapter

8.1 WLAN Common Service Configuration Examples

8.2 WLAN Basic Networking Configuration Examples
8.3 Authentication Configuration Examples
8.4 Reliability Configuration Examples
8.5 Roaming Configuration Examples
8.6 Agile Distributed Networking Configuration Examples
8.7 High-Density Configuration Examples
8.8 Example for Configuring Vehicle-Ground Communication
8.9 Radio Resource Management Configuration Examples
8.10 Spectrum Analysis Configuration Examples
8.11 WLAN Security Configuration Examples
8.12 WLAN Location Configuration Examples
8.13 WLAN QoS Configuration Examples
8.14 WLAN Enhanced Services Configuration Examples
8.15 Common Misconfigurations

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 443

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.1 WLAN Common Service Configuration Examples

8.1.1 Example for Configuring Internal Personnel to Access the
WLAN (802.1x Authentication)
Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 444

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-1 Networking diagram for configuring 802.1x authentication

Internet

Router

GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1

GE0/0/2

SwitchA
GE0/0/1

STA STA
Management VLAN：VLAN 100
Service VLAN：VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 445

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-1 Data planning on the AC

Configuration Item Data

Management VLAN VLAN 100

Service VLAN VLAN 101

AC's source interface VLANIF 100: 10.23.100.1/24

DHCP server The AC functions as the DHCP server to assign IP

addresses to APs, and SwitchB functions as the DHCP
server to assign IP addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for the STAs 10.23.101.2-10.23.101.254/24

RADIUS authentication l RADIUS server template name: wlan-net

parameters l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net

802.1x access profile l Name: wlan-net

l Authentication mode: EAP

Authentication profile l Name: wlan-net

l Bound profile and authentication scheme: 802.1x
access profile wlan-net, RADIUS server template
wlan-net, and RADIUS authentication scheme
wlan-net

AP group l Name: ap-group1

l Bound profile: VAP profile wlan-net and
regulatory domain profile default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+802.1x+AES

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 446

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Item Data

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security
profile wlan-net, and authentication profile wlan-
net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 447

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 448

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] dhcp enable

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 449

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 450

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 On the AC, configure a static route to the RADIUS server.
# Choose Configuration > AC Config > IP > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 451

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
802.1x profile wlan-net, RADIUS server template wlan-net, and authentication scheme
profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 452

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 453

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings (2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings (5G) page is similar to the configuration of
Radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure third-party server interconnection parameters.

l For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
l For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
l For interconnection with other third-party servers, see the corresponding product manual.

Step 8 Verify the configuration.

l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 454

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Configuration on the Windows 7 operating system:

i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

8.1.2 Example for Configuring Guests to Access the WLAN (MAC

Address-prioritized Portal Authentication)
Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 455

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-2 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 8-2 AC data planning

Item Data

Managemen VLAN100
t VLAN for
APs

Service VLAN101
VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2–10.23.100.254/24
pool for
APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 456

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.101.3–10.23.101.254/24
pool for
STAs

AC's source VLANIF100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: CN
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: open

RADIUS Name of the RADIUS authentication scheme: wlan-net

authenticati Name of the RADIUS accounting scheme: wlan-net
on
parameters Name of the RADIUS server template: wlan-net
l IP address: 10.23.102.1
l Authentication port number: 1812
l Shared key: Huawei123

Portal l Name: wlan-net

server l IP address: 10.23.103.1
template
l Destination port number in the packets that the AC sends to the Portal
server: 50200
l Portal shared key: Huawei123

Portal l Name: wlan-net

access l Referenced profile: Portal server template wlan-net
profile

MAC Name:wlan-net
access
profile

Authenticati l Name:default_free_rule
on-free rule l Authentication-free resource: IP address of the DNS server(8.8.8.8)
profile

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 457

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Authenticati l Name: wlan-net

on Profile l Referenced profile: Portal access profile wlan-net, MAC access profile
wlan-net, RADIUS server template wlan-net, authentication-free rule
profile default_free_rule and authentication scheme wlan-net

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-net, security profile wlan-net and
Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 458

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 459

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 460

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 461

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure a static route.
1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.
Step 5 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server profile.

1. Choose Configuration > Security > AAA > RADIUS. The RADIUS Server Profile
page is displayed.
2. Click Create. In the Create RADIUS Server Profile dialog box that is displayed, set
Profile name to wlan-net ang Key to Huawei123.

3. Click OK.
# Create an authentication scheme and configure the RADIUS authentication mode.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Scheme. The Authentication Scheme List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 462

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Click Create. In the Create Authentication Scheme dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new authentication scheme profile is
displayed. Set the authentication mode to RADIUS.

4. Click Apply. In the Info dialog box that is displayed, click OK.
# Create an authentication scheme and configure the RADIUS authentication mode.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Scheme. The Authentication Scheme List page is displayed.
2. Click Create. In the Create Accounting Scheme dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new accounting scheme profile is
displayed.Set the accounting mode to RADIUS and the accounting interval to 15
minutes.

4. Click Apply. In the Info dialog box that is displayed, click OK.
Step 6 Specify network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication-
free Rule Profile.The Authentication-free Rule Profile List page is displayed.
2. Click default_free_rule. The parameter setting page of the new authentication-free rule
profile is displayed.
3. Select Authentication-free Rule in Control mode. The Authentication-free Rule List
is displayed.
4. Click Create. The Create Authentication-free Rule page is displayed.Configure the IP
address for the DNS server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 463

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

5. Click OK.
Step 7 Configure a MAC access profile for MAC address-prioritized Portal authentication.
1. Choose Configuration > AP Config > Profile > Wireless Service > MAC
Authentication Profile. The MAC Authentication Profile List page is displayed.
2. Click Create. In the Create MAC Authentication Profile dialog box that is displayed,
set Profile name to wlan-net.
3. Click OK. The parameter setting page of the new MAC authentication profile is
displayed. Set User name mode to MAC address and MAC address to Without
hyphen (-).

4. lick Apply. In the Info dialog box that is displayed, click OK.
Step 8 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
1. Choose Configuration > AP Config > Profile > Wireless Service > Portal Profile. The
Portal Profile List page is displayed.
2. Click Create. In the Create Portal Profile dialog box that is displayed, set Profile
name to wlan-net.
3. Click OK. The parameter setting page of the new Portal profile is displayed. Configure
the server for Portal authentication as the external Portal server, and set the
authentication mode to Layer 2 authentication.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 464

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Click Apply. In the Info dialog box that is displayed, click OK.

Step 9 Configure a Portal server template.

NOTE

l Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
l Configure parameters carried in the URL, which must be the same as those on the authentication server.

1. Choose Configuration > Security > AAA > External Portal Server. The External
Portal Server page is displayed.
2. Click Create in the Portal Authentication Server List. Set parameters such as Server
name, Server IP Shared key, Packet port number and URL in the displayed Create
Authentication Server window.

3. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 465

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 10 Configure the authentication profile wlan-net.

# Create an authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click Create. In the Create Authentication Profile dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new authentication profile is displayed.
4. Click Apply. In the Info dialog box that is displayed, click OK.
# Apply the Portal profile, MAC access profile, RADIUS server profile, authentication
scheme, accounting scheme and authentication-free rule profile to the authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click to the left of Authentication Profile List in the navigation tree to expand the
authentication profile list. Click to the left of the authentication profile name to view
the names of other profiles referenced in the authentication profile.
3. Click Portal Profile and choose Portal profile named wlan-net in the displayed page.
4. Click Apply. In the Info dialog box that is displayed, click OK.
5. Apply the MAC access profile wlan-net, RADIUS server profile wlan-net,
authentication scheme wlan-net, accounting scheme wlan-net and authentication-free
rule profile default_free_rule to the authentication profile. The configuration is similar
to the configuration of applying a Portal profile, and is not mentioned here.
Step 11 Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Security Profile.
The Security Profile List page is displayed.
2. Click Create. In the Create Security Profile dialog box that is displayed, set Profile
name to wlan-net.
3. Click OK. The parameter setting page of the new security profile is displayed and set the
security policy to Open.

4. Click Apply. In the Info dialog box that is displayed, click OK.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
1. Choose Configuration > AP Config > Profile > Wireless Service > SSID Profile. The
SSID Profile List page is displayed.
2. Click Create. In the Create SSID Profile dialog box that is displayed, set Profile name
to wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 466

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK. The parameter setting page of the new SSID profile is displayed and set the
SSID name to.wlan-net.

4. Click Apply. In the Warning dialog box that is displayed, click OK. In the Info dialog
box that is displayed, click OK.
# Create VAP profile wlan-net and configure the data forwarding mode and service VLANs.
1. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile. The
VAP Profile List page is displayed.
2. Click Create. In the Create VAP Profile dialog box that is displayed, set Profile name
to wlan-net.
3. Click OK. The parameter setting page of the new VAP profile is displayed. Configure
service VLANs and the data forwarding mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 467

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Click Apply. In the Info dialog box that is displayed, click OK.
# Apply the security profile, SSID profile, and authentication profile to the VAP profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile. The
VAP Profile List page is displayed. Click to the left of VAP Profile in the
navigation tree to expand the VAP profile list. Click to the left of the the
authentication profile name to view the names of other profiles referenced in the VAP
profile.
2. Click SSID Profile and choose Portal profile named wlan-net in the displayed page.
3. Click Apply. In the Info dialog box that is displayed, click OK.
4. Apply the security profile wlan-net and authentication profilewlan-netto the VAP
profile.
# Add an AP.
1. Choose Configuration > Fast Config > AP.
2. Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. On the AP List tab page, click Add. The Add AP page is displayed.

4. Set Mode to Batch Import and click to download the AP template file to your local
computer.
5. Fill in the AP template file with AP information according to the following example. To
add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 468

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Click an AP group name. The AP group configuration page is displayed.

3. Click VAP Configuration on the left. The VAP Profile List page is displayed.
4. Click Add. The Add VAP Profile page is displayed. Apply VAP profile wlan-net to
radio 0 and radio 1.

5. ClickOK.
Step 13 Configure third-party server interconnection parameters.
For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 14 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 469

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

8.1.3 Example for Configuring High-Density WLAN Services

Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 470

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-3 Networking diagram for configuring a high-density WLAN

IP
Network

Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
Management VLAN: VLAN10, VLAN100
Service VLAN: VLAN pool

GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1

AP: area_2 AC

VLANIF100
10.23.100.1/24

STA

Data Planning

Table 8-3 Data planning

Item Data

Management VLAN for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch (SwitchB) functions
as a DHCP server to assign IP addresses to
STAs.

IP address pool for APs 10.23.10.2-10.23.10.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 471

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile default, and 5G radio
profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net, security profile wlan-net, and traffic
profile wlan-traffic

RRM profile l Name: wlan-rrm

l Automatic channel calibration: disabled
l Automatic power calibration: disabled

2G radio profile l Name: wlan-radio2g

l Referenced profile: RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profile: RRM profile wlan-
rrm

Traffic profile l Name: wlan-traffic

Configuration Roadmap
The configuration roadmap is as follows:

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 472

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Fast Config to configure system parameters for the AC.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 8-4.

Table 8-4 Adjustment recommendations

Adjustm Purpose Recommendation
ent Item

Configure To reduce the burden on the Enable band steering. By default, band
5G-prior 2.4 GHz radio by steering is enabled.
access preferentially connecting
5G-capable STAs to the 5
GHz radio when a large
number of 2.4 GHz STAs
exist on the network.

Remove To make an AP offer Increase the maximum number of access

the limit wireless services to more users to 128 for an SSID profile.
on the users.
number of
access
users

Reduce To prevent users who Set the association aging time to 1 minute.
the user frequently disconnect from
associatio the wireless network.
n aging
time

User To prevent mobile terminals Enable user isolation on the AC.

isolation from exchanging a large
number of ARP packets.

Limit user To prevent advantaged Limit the downstream rate of each STA to
rates STAs from occupying too 2000 kbit/s in a VAP. Adjust the upstream
many rate sources and rate according to actual situations. In this
deteriorating service example, the upstream rate is set to 1000
experience of disadvantaged kbit/s.
STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 473

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Adjustm Purpose Recommendation

ent Item

Adjust To reduce interference l Channel: Prevent adjacent APs from

AP between APs. working on overlapping channels. It is
channel recommended that you configure
and channels 1, 9, 5, and 13 in a high-
power density WLAN environment.
l Power: Minimize AP power while
ensuring that the RSSI is greater than
-65 dBm at the edge of the AP's
coverage area.

Configure To prevent weak-signal Enable smart roaming and set the SNR
smart STAs from degrading user threshold to 15 dB.
roaming experience.

Enable To ensure that wireless Enable airtime fair scheduling.

airtime channel resources can be
fair equally allocated to users.
schedulin
g

Set the To prevent hidden STAs. Set the RTS-CTS operation mode to rts-
RTS-CTS cts and the RTS threshold to 1400 bytes.
threshold

Adjust the To improve the overall data Set the interval for sending Beacon frames
interval at traffic of APs. to 160 ms.
which
Beacon
frames
are sent

Set the To reduce extra overhead Set the GI mode to short GI.
guard and improve AP
interval transmission efficiency.
(GI)
mode to
short GI

Configure To improve the overall AP Delete low rates from the basic rate set.
the basic throughput.
rate set

Configure To improve air interface Use the default values. By default, the
the efficiency. multicast transmit rate of wireless packets
multicast is 11 Mbit/s for the 2.4 GHz radio and 6
rate Mbit/s for the 5 GHz radio.

Configure To improve the network Configure the short preamble. If some

the short synchronization legacy NICs exist on the network, disable
preamble performance. the short preamble function.
for a radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 474

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Adjustm Purpose Recommendation

ent Item

Adjust To improve user experience. Set the EDCA parameters of AC_BE

EDCA packets as follows:
parameter l AP:
s
– ecwmin: 5
– ecwmax: 6
– aifsn: 3
l STA:
– ecwmin: 7
– ecwmax: 10
– aifsn: 3

7. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 475

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Create VLANs.

1. Choose Configuration > AC Config > VLAN > VLAN.
2. Click Create. The Create VLAN page is displayed.
3. In Create VLAN, set VLAN ID to 101 and click OK.
4. Create VLAN 102 in the same way.
Step 4 Configure system parameters for the AC.
1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 476

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 477

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure the global IP address pool huawei.
– Subnet address: 10.23.10.0
– Vendor-defined: sub-option value 3; sub-option parameter ascii; IP address
10.23.100.1
– Gateway IP: 10.23.10.1
– Address pool interface: VLANIF 100

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 478

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 479

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 480

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 481

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 8 Adjust WLAN high-density parameters.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP Profile
List page is displayed.
# Click the VAP profile wlan-net. On the VAP profile configuration page that is
displayed, enable band steering.

# Click Apply. In the dialog box that is displayed, click OK.

2. Adjust SSID profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > SSID Profile in Profile Management. The SSID Profile
List page is displayed.
# Click the SSID profile wlan-net. The SSID profile configuration page is displayed. Set
the maximum number of users to 128 and association aging time to 1 minute. Configure

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 482

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

EDCA parameters for AC_BE packets of STAs as follows: AIFSN: 3; ECWmin: 7;

ECWmax: 10

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > Traffic Profile in Profile Management. The Traffic
Profile List page is displayed.
# Click Create. On the Create Traffic Profile page that is displayed, enter the profile
name wlan-traffic and click OK. The traffic profile configuration page is displayed.
# Set the user isolation mode to All isolation, the upstream and downstream rate limits
to 1000 kbit/s and 2000 kbit/s for STAs, respectively.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 483

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. The Radio 0 Settings page is displayed. Set the AP channel to 20-MHz
channel 1 and transmit power to 127 dBm. The configuration of Radio 1 is similar to the
configuration of Radio 0, and is not mentioned here.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 484

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

5. Configure the AP to work in dual-5G mode. This step is only for APs that support
switching between 2.4G and 5G radios.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.

# Click Radio 0. The Radio 0 Settings page is displayed. Enable the dual-5G mode. In
the dialog box that is displayed, click OK.

# Click Apply. In the dialog box that is displayed, click OK.

6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this step if the
AP has been configured to work in dual-5G mode. Go to the next step to create the 5G
radio profile and bind the 5G radio profile to radio 0.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Perform the following configurations:

– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 ms.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 485

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Enable the short preamble function.

– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 486

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 0. The profiles under Radio 0 are displayed.

# Click 2G Radio Profile. On the 2G radio profile configuration page that is displayed,
set 2G Radio Profile to wlan-radio2g and click Apply. In the dialog box that is
displayed, click OK.
7. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > 5G Radio Profile in Profile Management. The 5G
Radio Profile List page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# Perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 ms.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 487

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 1. The profiles under Radio 1 are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 488

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click 5G Radio Profile. On the 5G radio profile configuration page that is displayed,
set 5G Radio Profile to wlan-radio5g and click Apply. In the dialog box that is
displayed, click OK.

# Click next to Radio 2. The profiles under Radio 2 are displayed.

# Click 5G Radio Profile. On the 5G radio profile configuration page that is displayed,
set 5G Radio Profile to wlan-radio5g and click Apply. In the dialog box that is
displayed, click OK.
8. Create the RRM profile and adjust RRM profile parameters.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.

# Disable automatic channel and power calibration functions; enable airtime fair
scheduling; enable smart roaming; configure the SNR-based roaming trigger mode, and
set the SNR threshold to 15 dB.

# Click Apply. In the dialog box that is displayed, click OK.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the VAP profile are displayed.

# To bind the RRM profile to the radio profile, click RRM Profile. On the RRM profile
configuration page that is displayed, set RRM Profile to wlan-rrm and click Apply. In
the dialog box that is displayed, click OK. Bind the RRM profile to the 5G radio profile
wlan-radio5g. The details are not provided here.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 489

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

----End

8.1.4 Example for Configuring WLAN Backhaul

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 490

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
l Wireless backhaul mode: WDS root, middle, and leaf
l Backhaul radio: 5 GHz
l Service data forwarding mode: direct forwarding

Figure 8-4 Networking for configuring common WDS services

Internet

Router
GE1/0/0
Management VLAN：VLAN 100 10.23.101.2/24
Service VLAN：VLAN 101
GE0/0/3
GE0/0/2
Switch_A AC
GE0/0/1
GE0/0/1

AP_3 AP_2 AP_1

(leaf) (middle) (root) GE0/0/2

Switch_B
GE0/0/1

Area C Area B Area A

: Wireless
STA STA STA virtual link

Data Planning

Table 8-5 AP data planning

AP Type MAC Address

AP_1 AP8130DN 60de-4474-9640

AP_2 AP8130DN dcd2-fc04-b500

AP_3 AP8130DN dcd2-fc96-e4c0

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 491

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Table 8-6 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs. Switch_A
functions as a DHCP server to assign IP
addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

AC's source interface address VLANIF 100

WDS mode l AP_1: root

l AP_2: middle
l AP_3: leaf

Regulatory domain profile l Name: default

l Country code: CN

SSID profile l Name: wlan-net

l SSID name: wlan-net

Wireless service security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

WDS link security profile l Name: wds-security

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

WDS whitelist profile l Name: root-to-middle

l AP MAC address: MAC address of the
middle node

l Name: middle-to-leaf
l AP MAC address: MAC address of the
leaf node

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 492

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

WDS profile l Name: wds-root

l WDS name: wlan-wds
l WDS working mode: root
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

l Name: wds-middle
l WDS name: wlan-wds
l WDS working mode: middle
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

l Name: wds-leaf
l WDS name: wlan-wds
l WDS working mode: leaf
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

AP group l Name: ap-group1

l Root APs, such as AP AP_1, are added
to the group.
l Referenced profiles: WDS profile wds-
root, VAP profile wlan-net, and
regulatory domain profile default

l Name: ap-group2
l Middle APs, such as AP AP_2, are
added to the group.
l Referenced profiles: WDS profile wds-
middle, VAP profile wlan-net, and
regulatory domain profile default

l Name: ap-group3
l Leaf APs, such as AP AP_3, are added
to the group.
l Referenced profiles: WDS profile wds-
leaf, VAP profile wlan-net, and
regulatory domain profile default

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 493

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure root node AP_1 to go online on the AC.

a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WDS services so that APs in Area B and Area C can go online through WDS
wireless virtual links.
4. Configure WLAN service parameters for STAs to access the WLAN.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 494

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_B-GigabitEthernet0/0/2] port link-type trunk

[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 495

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 496

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 497

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure WLAN services.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Copy AP group parameters.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click Create. The Create AP Group page is displayed.

# Enter AP group name ap-group2, and copy parameters from AP group ap-group1.
Click OK. Create AP group ap-group3 in the same way.

Step 5 Configure the root node.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 498

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Create security profile wds-security and configure the security policy.

# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > Security Profile in Profile Management. The Security
Profile List page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter profile
name wds-security and click OK. The security profile configuration page is displayed.
# Set the security policy to WPA2+PSK+AES.

# Click Apply.
2. Configure WDS service parameters for the root node. Set the channel parameters of
Radio 1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID. The AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 1. The Radio 1 Settings page is displayed. On the Radio 1 Settings page,
set the channel parameters of Radio 1 to 40+ MHz and 157. Set the bridge distance to 4.

# Click Apply.
3. Create WDS whitelist profile root-to-middle and add the MAC address of the middle
AP to the WDS whitelist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 499

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose WDS > WDS Whitelist Profile in Profile Management. The WDS Whitelist
Profile List page is displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter
profile name root-to-middle and click OK. The WDS whitelist profile configuration
page is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.
4. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.

# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.

# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-root and click OK. The WDS profile configuration page is displayed.

# Set the WDS working mode and tagged VLAN.

NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply.
5. Bind security profile wds-security to WDS profile wds-root.

# Click next to WDS profile wds-root in Profile Management. The profiles

referenced by the WDS profile are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 500

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# To bind the security profile to the WDS profile, click Security Profile. On the security
profile configuration page that is displayed, set Security Profile to wds-security and
click Apply.
6. Bind WDS profile wds-root and WDS whitelist profile root-to-middle to the AP group
ap-group1.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click AP group name ap-group1 in the AP group list and choose WDS > WDS
Profile. The WDS Profile List page is displayed.

# Click Add. On the Add WDS Profile page that is displayed, set WDS profile name to
wds-root.

# Click OK.

# Click AP group name ap-group1 in the AP group list and choose WDS > WDS
Whitelist Profile. The WDS Whitelist Profile List page is displayed.

# Click Add. On the Add WDS Whitelist Profile page that is displayed, set WDS
whitelist profile name to root-to-middle.

# Click OK.

Step 6 Configure the middle node.

1. Create WDS whitelist profile middle-to-leaf and add the MAC address of the leaf AP to
the WDS whitelist.

# Choose WDS > WDS Whitelist Profile in Profile Management. The WDS Whitelist
Profile List page is displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter
profile name middle-to-leaf and click OK. The WDS whitelist profile configuration
page is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 501

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure WDS service parameters for the middle node. Configure Radio 0 to switch to
the 5 GHz frequency band. Set the channel parameters of Radio 0 to 40+ MHz and 157.
Set the coverage distance to 4. Set the channel parameters of Radio 1 to 40+ MHz and
149. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID. The AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. The Radio 0 Settings page is displayed. On the Radio 0 Settings page,
set the channel parameters of Radio 0 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.

# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-middle, select WDS profile wds-root in Copy parameters from other profiles,
and click OK. The WDS profile configuration page is displayed.

# Set WDS working mode to middle, retain the default settings of other parameters, and
click Apply.
4. Refer to the configuration procedure of the root node to bind WDS profile wds-middle
to security profile wds-security.
5. Refer to the configuration procedure of the root node to bind WDS profile wds-middle
and WDS whitelist profile middle-to-leaf to AP group ap-group2.

Step 7 Configure the leaf node.

1. Create the WDS profile wds-leaf and configure the WDS working mode and tagged
VLAN.

# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 502

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-leaf select WDS profile wds-root in Copy parameters from other profiles, and
click OK. The WDS profile configuration page is displayed.
# Set WDS working mode to leaf, retain the default settings of other parameters, and
click Apply.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio 1. Set
Channel to 40+ MHz and 149, and Coverage distance to 4.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
3. Bind security profile wds-security to WDS profile wds-leaf, and WDS profile wds-leaf
to AP group ap-group3 according to the procedures in the root node configuration.
Step 8 Add APs in batches.
# Choose Configuration > AP Config > AP Config > AP Info.
# In AP List, click Add. The Add AP page is displayed.

# Set Add mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# Click OK.
Step 9 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 503

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings (2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings (5G) page is similar to the configuration of
Radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 10 Verify the configuration.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If so, the
APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 504

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 505

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.1.5 Example for Configuring Rail Transportation WLAN

Services
Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 506

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-5 Networking for configuring vehicle-ground fast link handover

Internet
GE1/0/0
Router IP: 10.23.200.1/24
Network management
IP：10.23.224.2
MAC：286e-d488-12cd
GE1/0/5
VLANIF200: 10.23.200.2/24
GE1/0/4
Multicast source GE1/0/3 GE1/0/6
AC
IP：10.23.224.3 GE0/0/1
GE1/0/1 GE1/0/2
MAC：286e-d488-b6ab
Switch_A Management VLAN：VLANIF 100
MAC： IP: 10.23.100.1/24
GE1/0/2 GE1/0/2
707b-e8e9-d328
Switch_B Switch_C
GE1/0/1 GE1/0/1

Trackside AP Trackside AP Trackside AP Trackside AP Trackside AP Trackside AP

（L1_001）（L1_003）（L1_010）（L1_150）（L1_160）（L1_170）

MAC: 286e-d488-d359 MAC: 286e-d488-d270

Vehicle- mounted terminal_1 Vehicle- mounted terminal_2

Trackside AP Trackside AP
（in the rear） GE0/0/1 GE0/0/1 （in the front）

Forward direction

：active Mesh link

：candidate Mesh link

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 507

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-7 AP data planning

AP Type MAC Address

Trackside AP AP9132DN 0046-4b59-1d10

(L1_001)

Trackside AP AP9132DN 0046-4b59-1d20

(L1_003)

Trackside AP AP9132DN 0046-4b59-1d30

(L1_010)

Trackside AP AP9132DN 0046-4b59-1d40

(L1_150)

Trackside AP AP9132DN 0046-4b59-1d50

(L1_160)

Trackside AP AP9132DN 0046-4b59-1d60

(L1_170)

......

Vehicle-mounted AP9132DN 0046-4b59-2e10

AP (in the front)

Vehicle-mounted AP9132DN 0046-4b59-2e20

AP (in the rear)

.......

Table 8-8 AC data planning

Item Data

Management VLAN VLAN 100

Multicast service VLAN VLAN 101

Service VLAN for STAs VLAN 200

DHCP server l Configure the AC as a DHCP server to assign IP

addresses to trackside APs.
l Configure Switch_A as a DHCP server to assign IP
addresses to vehicle-mounted terminals.

AC's source interface VLANIF 100: 10.23.100.1/24

address

Gateway address IP address of VLANIF 101 on Switch_A: 10.23.224.1/24

IP address pool for APs 10.23.100.2-10.23.100.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 508

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for vehicle- 10.23.224.4-10.23.224.254/24

mounted terminals

AP group to which Name: mesh-mpp

trackside APs belong

IDs of trackside APs l Trackside AP (L1_001): 1

l Trackside AP (L1_003): 2
l Trackside AP (L1_010): 3
l Trackside AP (L1_150): 101
l Trackside AP (L1_160): 102
l Trackside AP (L1_170): 103

Security profile l Name: sp01

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Authentication key: a1234567

AP system profile l Name: mesh-sys

l Mesh role: mesh-portal

Mesh profile Trackside APs:

l Name: mesh-net
l Identifier: mesh-net
Vehicle-mounted APs:
l Name: mesh-net
l Identifier: mesh-net

Mesh handover profile Trackside APs:

l Name: hand-over
Vehicle-mounted APs:
l Name: hand-over

Mesh whitelist on trackside Name: whitelist01

APs Add MAC addresses of all vehicle-mounted APs on trains
running on the rail to the whitelist according to actual
situations.

Mesh whitelist on vehicle- Name: whitelist01

mounted APs Add MAC addresses of all trackside APs along the rail line
to the whitelist according to actual situations.

MAC address of the l Gateway: 707b-e8e9-d328

proxied ground device l Network management device: 286e-d488-12cd
l Multicast source: 286e-d488-b6ab

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 509

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

MAC address of the l Vehicle-mounted terminal_1: 286e-d488-d359

proxied vehicle-mounted l Vehicle-mounted terminal_2: 286e-d488-d270
device

Multicast group 225.1.1.1-225.1.1.3

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.

Procedure
Step 1 Configure switches.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 510

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Configure Switch_A. Create VLAN 101 and VLAN 200, add interfaces GE0/0/1 to
GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from VLAN 101
to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add GE0/0/5 to
VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow packets from
VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit

2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted devices.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit

3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1

4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.200.1 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 511

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).

# Configure other interfaces connected to trackside APs on Switch_B according to

GE0/0/1: allow packets from VALN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.

# Configure other interfaces connected to trackside APs on Switch_C according to

GE0/0/1: allow packets from VALN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to

properly forward multicast data.

# Enable IGMP snooping globally on Switch_A.

[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.

[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 512

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0

[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the

multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.

[Switch_B] vlan 101

[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 513

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 514

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 3 Configure trackside APs

1. Choose Configuration > Fast Config > Mesh.
2. Create the AP group mesh-mpp for the MPPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 515

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the AP group name to mesh-mpp and click OK.

3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 516

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually Add and manually add MPPs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Click OK. The APs are
added as MPPs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 517

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > AP Config > AP Info.

# Select APs with AP ID of 1, 2, 3, 101, 102, and 103, and click Deploy. Change AP
Name to L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170 for the APs
respectively. Click OK. The AP names are changed.

5. Configure a Mesh handover profile.

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Handover Profile in Profile Management. The Mesh
Handover Profile page is displayed.

# Click Create. On the Create Mesh Handover Profile page that is displayed, enter
profile name hand-over and click OK. The Mesh profile configuration page is
displayed.

# Set Position-based handover algorithm to ON.

# Click Apply.
6. Configure a Mesh profile.

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Profile in Profile Management. Click Create. On the page that
is displayed, set Profile name to mesh-net and Mesh ID to mesh-net, and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 518

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Profile > Mesh-net > Mesh Handover Profile in Profile
Management, select Mesh handover profile hand-over, and click Apply.

7. Configure the AP's wired port profile.

# Choose Configuration > AP Config > Profile.
# Choose AP > AP Wired Port Profile in Profile Management. The AP Wired Port
Profile List page is displayed.
# Click Create. The Create AP Wired Port Profile page is displayed. Set the profile
name to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# Set Port mode to endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 519

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8. Bind the wired port profile to the wired port GE0 of mesh-mpp.
# Choose Configuration > AP Config > AP Group.
# On the AP list page, select the AP group mesh-mpp. The configuration page of mesh-
mpp is displayed.
# Choose AP > AP Wired Port Settings. The page for referencing the wired port profile
is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 520

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
Step 4 Configure a vehicle-mounted AP
NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of the
train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the vehicle-
mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create. On the
Create VLAN page that is displayed, set VLAN ID to 101.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 521

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.

# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.

# Click OK.
2. Create a security profile and configure the security policy.

# Choose Configuration > WLAN Service > Profile > Wireless Service > Security
Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 522

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create and create security profile sp01.

# In Security Settings, set the password type to PASS-PHRASE, and enter and confirm
the password a1234567.

# Click Apply.
3. Create a Mesh whitelist profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Whitelist
Profile. Click Create and create Mesh whitelist whitelist01.

# Click whitelist01 and add members to the MAC address whitelist. In this example,
MAC addresses 0046-4b59-1d10, 0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40,
0046-4b59-1d50, and 0046-4b59-1d60 are added.

# Click Apply.

# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist of
vehicle-mounted APs on the other trains according to the preceding configuration
procedure.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 523

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Configure a Mesh handover profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Handover
Profile.

# Click Create and create Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.

# Set Position-based handover algorithm to ON and Moving direction to forward.

Click Apply.

5. Configure a Mesh profile.

# Create Mesh profile mesh-net and bind it to the security profile and Mesh handover
profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Profile.

# Click Create and create Mesh profile mesh-net, bind the Mesh profile to security
profile sp01 and click Apply, bind the Mesh profile to handover profile hand-over and
click Apply.
6. Configure Mesh parameters to take effect on radios of vehicle-mounted APs.

# Choose Configuration > WLAN Service > Wireless Service > Radio 1 > Radio
Management. Click Radio Management. On the Radio 1 Settings page that is
displayed, set channel parameters to 40+MHz and 157. Click Apply.

# Choose Configuration > WLAN Service > Wireless Service > Radio 1 > Mesh >
Mesh Profile. Bind Mesh profile mesh-net and click Apply.

# Choose Configuration > WLAN Service > Wireless Service > Radio 1 > Mesh >
Mesh Whitelist Profile. Bind Mesh whitelist profile whitelist01 and click Apply.

Step 5 Add proxied devices on the vehicle-mounted AP

# Add proxied ground devices. Add MAC addresses of Switch_A, network management
device, and multicast source on the vehicle-mounted AP.

# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground Device.
Click Create and add MAC addresses of proxied ground devices. In this example, MAC
addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-b6ab are added.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 524

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.
# Choose Config > Proxied Device > Proxied Device > Proxied Vehicle-mounted Device.
Click Create and add MAC addresses of proxied vehicle-mounted devices. In this example,
MAC addresses 286e-d488-d359 and 286e-d488-d270 are added.

Step 6 Configure IGMP snooping on the vehicle-mounted AP

# Choose Config > IGMP-Snooping > IGMP-Snooping.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

Step 7 Verify the configuration

1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to view
Mesh link information. If Mesh links are set up successfully, information about Mesh
links is displayed.

2. Verify the configuration on the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.
# Choose Maintenance > Train To Ground COMM > Vehicle-Mounted AP Field
Strength to view field strength of the vehicle-mounted AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 525

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Maintenance > Train To Ground COMM > Vehicle-Mounted AP Roaming

Trace to view the roaming trace of the vehicle-mounted AP.

----End

8.1.6 Example for Configuring Agile Distributed Wi-Fi Services

Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
l Service data forwarding mode: tunnel forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 526

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-6 Networking for configuring an agile distributed WLAN

Data Planning

Table 8-9 AC data planning

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to central APs,

server RUs, and STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
central APs
and RUs

IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 527

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN pool
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the central APs and RUs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Deliver WLAN services to the central APs and RUs and verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 528

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure system parameters for the AC.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 529

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 101 in tagged mode in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 530

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Configure an IP address pool on VLANIF 101 in the same way.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 531

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 532

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– AP name: central_AP
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 4 Configure the RU channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 533

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 5 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 534

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.1.7 Example for Configuring WLAN IoT Services (Infant

Protection)
Service Requirements
When configuring WLAN services, hospitals need to install signal receiving apparatus in
areas that need to be controlled. If an infant wears a harmless electronic label that can send
radio signals, the signal receiving apparatus can receive radio signals sent from the electronic
label. In this way, the locations of infants can be monitored and tracked in real time,
protecting infants from being stolen through timely alarms.

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
l Working mode of the AP radio: normal

Figure 8-7 Networking for configuring WLAN infant protection services

Host
computerRouter

Ap:area_1

GE0/0/1 GE0/0/3
GE0/0/1
SwitchB
RFID GE0/0/2 GE0/0/4
RFID Tag Ap:area_2 SwitchA GE0/0/2
AP with an RFID GE0/0/3
GE0/0/1
card insterted
AC
Ap:area_3

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 535

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-10 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, and 5G
radio profile wlan-radio-5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 536

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Serial profile l Name: wlan-serial

l Serial port baud rate: 19200 bit/s
l Parity bit: odd
l Stop bit: 2 bits
l Format for serial frames: frame-start-
stop
l Frame length: 270 bytes
l Start flag byte for serial frames: bb
l Stop flag byte for serial frames: cc

IoT profile l Name: wlan-iot

l IP address of the host computer:
10.23.100.254
l Port number of the host computer: 3000
l Shared key: aabb0011@11

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network of
hospitals through the WLAN.
2. Configure APs to communicate with RFID cards.
3. Configure APs to communicate with the host computer.
4. On the host computer, add IP addresses of the APs and configure the same shared keys
as those on the APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 537

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the host computer.
Configure a controller server and a dedicated server applicable to the infant protection system.
For details, see the documents for the server.

Step 2 Configure the AC and switches so that the AC and APs can transmit CAPWAP packets.

# Configure SwitchA (access switch). Add GE0/0/1 to GE0/0/4 on SwitchA to VLAN 100
(management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Configure SwitchB (aggregation switch). Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN
100 (management VLAN) and GE0/0/2 and GE0/0/3 on SwitchB to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 3 Configure system parameters for the AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 538

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.
# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

# Click OK
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Configure Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 539

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Configure an IP address pool on VLANIF 101 in the same way.
# Click Next. The Configure AC page is displayed.
5. Configure the AC's source address and AP authentication mode.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 540

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

6. Confirm the configuration.
On the Confirm Settings page, confirm that the settings are correct and click Finish.
Step 4 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 541

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure WLAN air scan.

1. Configure the air scan profile.

# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.

# Click Create and create an air scan profile wlan-air-scan. Click OK.

# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 542

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
3. Configure the 5G radio profile and apply the air scan profile to the 5G radio profile.
# Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.
# Click Create and create a 5G radio profile wlan-radio-5g. Click OK.

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
4. Apply the radio profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure the APs to communicate with RFID cards and the host computer.
1. Create a serial profile.
# Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.
# Click Create and create a serial profile wlan-serial. Click OK.
# Set communication parameters and packet fragmentation parameters for the serial port.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 543

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure the IP address and port number for the host computer, and set security
communication parameters.

# Click Apply.
3. Apply the serial profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose IoT > Card1 > Serial Profile. Select Self-defined on the profile navigation
bar. Set Serial Profile to wlan-serial.

# Click Apply.
4. Apply the IoT profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose IoT > Card1 > IoT on the profile navigation bar. Set BLE Profile to wlan-
ble.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 544

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.

Step 7 On the host computer, add IP addresses of the APs and configure the same shared keys as
those on the APs.

Step 8 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios.

# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.
2. Check the availability of the location function.

# On the host computer, obtain the location information about infants.

----End

8.1.8 Example for Configuring WLAN Location (Wi-Fi Terminal

Location)

Service Requirements
Administrators need to collect radio signals sent from Wi-Fi terminals through APs. The
collected radio signals are sent to the location server for location calculation, allowing users to
obtain the location of the Wi-Fi terminals through maps, tables, or reports.

Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
l Working mode of the AP radio: normal
l Location server: eSight

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 545

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-8 Networking for configuring Wi-Fi terminal location services

eSight Server
/1
0/0
GE area_1
GE0/0/2 GE0/0/1
GE0/0/2
GE0/0/4 Wi-Fi
GE area_2
0/0 terminals
AC SwitchA /3
Positioning
Server
area_3

Data Planning

Table 8-11 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.3-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, 5G
radio profile wlan-radio-5g, and
location profile wlan-location

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 546

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Location profile l Name: wlan-location

l Wi-Fi terminal location: enabled
l Mode in which an AP reports data: AC
l Destination IP address and port number
through which an AP reports channel
scan information: 10.23.100.2/32180
l Port number through which the AC
reports location information: 10001

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure Wi-Fi terminal location so that APs can receive configurations sent from the
location server and send collected Wi-Fi terminal information to the location server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 547

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Obtain and install eSight.
To obtain the eSight product documentation, visit http://support.huawei.com/enterprise and
choose Support > Enterprise Networking > eSight & Controller > eSight > eSight
Network. Obtain and install eSight following the guide of the document.
Step 2 Configure the switch so that the AC and APs can transmit CAPWAP packets.
# Configure SwitchA (access switch). Add GE0/0/1 to GE0/0/4 on SwitchA to VLAN 100
(management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

Step 3 Configure system parameters for the AC.

NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on the
interface connecting the AC to APs. If port isolation is not configured, many broadcast packets will be
transmitted in the VLAN or WLAN users on different APs can directly communicate at Layer 2.
1. Choose Configuration > Fast Config > AC.
2. Configure the Ethernet interfaces.
# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 548

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 100 in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 549

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 550

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 551

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure WLAN air scan.
1. Configure the air scan profile.
# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.
# Click Create and create an air scan profile wlan-air-scan. Click OK.
# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.
# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.
# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 552

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Apply the radio profile to an AP group.

# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure Wi-Fi terminal location.
1. Configure the terminal location function.
# Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
# Click Create and create a location profile wlan-location. Click OK.
# Configure terminal location parameters.

# Click Apply.
2. Apply the location profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose WLAN Location > WLAN Location Profile. Set WLAN Location Profile
to wlan-location.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 553

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.

Step 7 Configure eSight.

1. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.

# Choose Business > WLAN Management > Region Monitor from the main menu.

# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.

# Right-click Add Region in the region topology view.

# Click OK.
2. Add APs in ap_region_1.

# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1

in the view on the right. The location view of ap_region_1 is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 554

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Right-click ap_region_1 and choose Add AP from the shortcut menu. Select the APs
that need to perform the location and click Confirm.

NOTE
The APs that perform the location cannot be less than three. Otherwise, Wi-Fi terminals cannot be
accurately located.
3. Set the background and scale for ap_region_1.
# Right-click ap_region_1 and choose Set Background for Subnet from the shortcut
menu.
# Select the background based on actual conditions. Click Apply Background.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 555

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.

# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points.eSight automatically selects
the background and scale.

# In the ap_region_1 view, properly place each AP on the background.

# In the ap_region_1 view, click .

4. Enable the location function of eSight.

# Choose Region Topology > ap_region_1 in Resource, or right-click ap_region_1 in

the view on the right and choose Enable WIFI Location from the shortcut menu. In the
dialog box that is displayed, click OK.

Step 8 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios in the AC web system.

# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.

# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.
2. View the location result on eSight.

# Click in the ap_region_1 view on the right. Click on the topology

toolbar to select information to be displayed in the topology.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 556

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Select the Wi-Fi terminals or heat maps to be displayed in the topology on the
Terminal Location tab.

----End

8.1.9 Example for Configuring Rogue Device Detection and

Containment
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs to intercept enterprise information, posing great threats to the
enterprise network. To prevent such attack, the detection and containment function can be
configured for authorized APs. In this way, the AC can detect rogue AP area_2 (neither
managed by the AC nor in the authorized AP list), preventing STAs from associating with the
rogue AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 557

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-9 Networking for configuring rogue device detection and containment

Data Planning

Table 8-12 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 558

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, and WIDS profile wlan-wids
l Working mode of the AP radio: normal
l Rogue device detection and containment: enabled

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

WIDS l Name: wlan-wids

profile l Rogue device containment mode: containment against rogue APs using
spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 559

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 560

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 561

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 562

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 563

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 564

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 565

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0. The radio 0 configuration page is displayed.
# Configure radio 0 to work in normal mode, and enable rogue device detection and
containment.

# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
# Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The WIDS
Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 566

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. The Create WIDS Profile page is displayed.

# Enter the name of the new WIDS profile wlan-wids in Profile name, and click OK.
The parameter setting page of the new WIDS profile is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.

# Click Apply. In the Info dialog box that is displayed, click OK.
3. # Bind WIDS profile wlan-wids to AP group ap-group1.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.

# Click next to WIDS, and select WIDS Profile. On the WIDS profile configuration
page, set WIDS Profile to wlan-wids.
# Click Apply. In the Info dialog box that is displayed, click OK.
Step 7 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
l Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
l Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
l In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 567

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.2 WLAN Basic Networking Configuration Examples

8.2.1 Example for Configuring Layer 2 Direct Forwarding in
Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Figure 8-10 Networking for configuring Layer 2 direct forwarding in inline mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 568

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-13 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs and

server STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 569

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 570

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router] vlan batch 101

[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 571

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. Add GigabitEthernet0/0/2 to VLAN 101 in tagged mode in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 572

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 573

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure WLAN services.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 574

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 4 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 575

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 576

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.2 Example for Configuring Layer 2 Tunnel Forwarding in

Figure 8-11 Networking for configuring Layer 2 tunnel forwarding in inline mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 577

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-14 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs and

server STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 578

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 579

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router] vlan batch 101

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 580

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. Configure GigabitEthernet0/0/2, and add the interface to VLAN 101 in
tagged mode in the same way.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 581

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 582

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 583

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 4 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 584

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 585

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.3 Example for Configuring Layer 2 Direct Forwarding in

Bypass Mode

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding

Figure 8-12 Networking for configuring Layer 2 direct forwarding in bypass mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 586

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-15 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 587

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN101, GE0/0/2 to
VLAN100 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 588

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] vlan batch 100 101

[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 589

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 590

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 591

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure WLAN services.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 592

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 593

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 594

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.4 Example for Configuring Layer 2 Tunnel Forwarding in

Bypass Mode

Figure 8-13 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 595

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-16 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: CN
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 596

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 597

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 598

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 599

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 600

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 601

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Enable radio calibration to allow APs to automatically select the optimal channels.
1. Create an RRM profile and configure automatic channel and power calibration.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 602

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

2. Create an air scan profile and configure the scan channel set, scan interval, and scan
duration.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > Air Scan Profile in Profile Management. The Air
Scan Profile List page is displayed.
# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.
# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 603

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# To bind the air scan profile to the radio profile, click Air Scan Profile. On the air scan
profile configuration page that is displayed, set Air Scan Profile to wlan-airscan and
click Apply. In the dialog box that is displayed, click OK.
4. Bind the radio profile to the AP group.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.
# Apply the 2G radio profile. Click 2G Radio Profile. On the 2G radio profile
configuration page that is displayed, set 2G Radio Profile to wlan-radio2g and click
Apply. In the dialog box that is displayed, click OK.
5. Enable radio calibration.
# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops one hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.On the Radio Calibration page, set Calibration mode to
Scheduled and set the calibration time to 3:00 am.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 604

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

8.2.5 Example for Configuring Layer 3 Direct Forwarding in

Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 605

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Networking Requirements
l AC networking mode: Layer 3 inline mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding

Figure 8-14 Networking for configuring Layer 3 direct forwarding in inline mode

Data Planning

Table 8-17 AC data planning

Item Data

Management VLAN for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 606

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
SwitchB functions as a DHCP server to
assign IP addresses to STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, 2G radio profile wlan-radio2g, and
5G radio profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China
l Calibration channel set: calibration
bandwidth and channels for 2.4 GHz and
5 GHz radios

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-airscan

l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM profile l Name: wlan-rrm

l Automatic channel calibration: enabled
l Automatic power calibration: enabled

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 607

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

2G radio profile l Name: wlan-radio2g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 608

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

Step 2 Configure a DHCP server to allocate IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 609

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] interface vlanif 101

[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Create VLANs.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100, VLAN 101, and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 610

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Add GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in tagged mode in the same
way.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 611

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 612

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 613

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 614

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 615

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 8 Enable radio calibration to allow APs to automatically select the optimal channels.
1. Create an RRM profile and configure automatic channel and power calibration.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 616

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Apply the 2G radio profile. Click 2G Radio Profile. On the 2G radio profile
configuration page that is displayed, set 2G Radio Profile to wlan-radio2g and click
Apply. In the dialog box that is displayed, click OK.
5. Enable radio calibration.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 617

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 618

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.6 Example for Configuring Layer 3 Tunnel Forwarding in

Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
l AC networking mode: Layer 3 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 619

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-15 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 8-18 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, 2G radio profile wlan-radio2g, and
5G radio profile wlan-radio5g

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 620

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Regulatory domain profile l Name: default

l Country code: China
l Calibration channel set: calibration
bandwidth and channels for 2.4 GHz and
5 GHz radios

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-airscan

l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM profile l Name: wlan-rrm

l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio profile l Name: wlan-radio2g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 621

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Select Fast Config to configure system parameters for the AC.

4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 622

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

Step 3 Create VLANs.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 623

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 624

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. # Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF
102 to 10.23.102.1/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Configure the DHCP server to assign IP addresses to APs. Click Create on the
Configure DHCP page. The Create DHCP Address Pool page is displayed.
# Configure the global IP address pool huawei.
– Subnet address: 10.23.10.0
– Vendor-defined: sub-option value 3; sub-option parameter ascii; IP address
10.23.100.1
– Gateway IP: 10.23.10.1
– Address pool interface: VLANIF 100

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 625

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Configure the DHCP server to assign IP addresses to STAs. Configure an IP address
pool on VLANIF 101.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 626

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. Configure an IP address pool on VLANIF 102 in the same way.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 627

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.
Step 6 Configure static routes.
1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.
Step 7 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 628

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 629

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

2. Create an air scan profile and configure the scan channel set, scan interval, and scan
duration.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > Air Scan Profile in Profile Management. The Air
Scan Profile List page is displayed.

# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.

# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 630

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Radio calibration stops one hour after the radio calibration is manually triggered.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.On the Radio Calibration page, set Calibration mode to
Scheduled and set the calibration time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 631

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.2.7 Example for Configuring Layer 3 Direct Forwarding in

Bypass Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 632

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Service data forwarding mode: direct forwarding

Figure 8-16 Networking for configuring Layer 3 direct forwarding in bypass mode

Data Planning

Table 8-19 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

IP address pool for APs 10.23.10.2-10.23.10.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 633

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 634

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– In direct forwarding mode, you are advised to configure multicast packet

suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 635

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router] vlan batch 101 102

[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 3 Create VLANs.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 636

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 637

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 638

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 639

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 640

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 641

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 8 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 642

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 643

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.8 Example for Configuring Layer 3 Tunnel Forwarding in

Networking Requirements
l AC networking mode: Layer 3 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Figure 8-17 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 644

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-20 AC data planning

Item Data

Management VLAN for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
SwitchB functions as a DHCP server to
assign IP addresses to STAs.

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

VLAN pool l Name: sta-pool

l VLANs in the VLAN pool: VLAN 101
and VLAN 102

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 645

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Fast Config to configure system parameters for the AC.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 646

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] vlan batch 10 100 101 102

[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.

[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

Step 3 Create VLANs.

1. Choose Configuration > AC Config > VLAN > VLAN.
2. Click Create. The Create VLAN page is displayed.
3. In Create VLAN, set VLAN ID to 101 and click OK.
4. Create VLAN 102 in the same way.

Step 4 Configure system parameters for the AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 647

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 ,VLAN 101 and VLAN 102 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 648

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 649

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 650

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 651

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 652

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 8 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 653

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 654

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.2.9 Example for Configuring NAT Traversal Between the AC

and APs
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.

Networking Requirements
l AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
l DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding

Figure 8-18 Networking for configuring NAT traversal between the AC and APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 655

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-21 AC data planning

Item Data

Management VLAN for APs VLAN 200

Service VLAN for STAs VLAN 101

DHCP server Router_1 functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface address VLANIF 200: 10.23.200.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

NAT Outbound Router_1: translates the private IP addresses

in the network segment 10.23.100.0/24 to
the public IP addresses in the network
segment 2.2.2.1.

Static NAT Router_2: translates the private IP addresses

in the network segment 10.23.200.1 to the
public IP addresses in the network segment
3.3.3.3.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 656

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Context
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Fast Config to configure system parameters for the AC.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 657

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101

[Switch-GigabitEthernet0/0/3] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 3 Configure NAT.

# Configure outbound NAT on Router_1.
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 658

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure static NAT on Router_2.

[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit

Step 4 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 200 in tagged mode.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 659

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24.

# Click OK.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Next on the Configure DHCP page. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish.
Step 5 Configure static routes.
1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table to create a static route.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 660

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.
Step 6 Configure WLAN service parameters.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 661

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 7 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 662

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 663

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.2.10 Example for Configuring VPN Traversal Between the AC

and APs

APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection on traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect traffic.

Networking Requirements
l AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
l DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding

Figure 8-19 Networking for configuring VPN traversal between the AC and APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 664

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-22 AC data planning

Item Data

WLAN service data planning on the AC

Management VLAN for APs VLAN 200

Service VLAN for STAs VLAN 101

DHCP server Router_1 functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface address VLANIF 200: 10.23.200.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

IPSec data planning on Router_2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 665

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IKE parameters l IKE version: IKEv1

l Negotiation mode: main
l Peer IP address: 202.138.162.1
l Authentication mode: pre-shared key
authentication
l Pre-shared key: huawei@1234
l Authentication algorithm: SHA2-256
l Encryption algorithm: AES-128
l DH group number: group14

IPSec parameters l Security protocol: ESP

l ESP negotiation mode: main
l ESP authentication algorithm:
SHA2-256
l ESP encryption algorithm: AES-128
l Encapsulation mode: tunnel

IPSec policy Connection name: map1

l Interface name: gigabitethernet 0/0/1
l Networking mode: branch site
l Connection number: 10
l ACL number: 3101

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 666

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Configure WLAN service parameters for STAs to access the WLAN.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 202.138.162.2 on Router_1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 667

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router_1] ip route-static 0.0.0.0 255.255.255.0 202.138.162.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<HUAWEI> system-view
[HUAWEI] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination
10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination
10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 4 Configure IPSec.

1. Create an IPSec proposal on Router_2 and Router_1.
# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 668

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Create an IPSec proposal on Router_1.

[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.

# Create an IKE proposal on Router_2.
[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.

[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spub] undo version 2
[Router_1-ike-peer-spub] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.

# Configure an IPSec policy in IKE negotiation mode on Router_2.
[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy in IKE negotiation mode on Router_1.

[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit

4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.

[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 669

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 5 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 200 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 670

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 200 to 10.23.200.1/24.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish.
Step 6 Configure WLAN service parameters.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 671

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 672

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 7 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 673

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.
# Click Console on the upper right corner to check that packets are encrypted.
Run the display ike sa command on Router_2, and the following information is displayed:
<Router_2> display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 202.138.162.1 0 RD|ST v1:2
14 202.138.162.1 0 RD|ST v1:1

Number of SA entries : 2

Number of SA entries of all cpu : 2

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

----End

8.2.11 Example for Configuring Common WDS Services

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 674

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-20 Networking for configuring common WDS services

Internet

Router
GE1/0/0
Management VLAN：VLAN 100 10.23.101.2/24
Service VLAN：VLAN 101
GE0/0/3
GE0/0/2
Switch_A AC
GE0/0/1
GE0/0/1

AP_3 AP_2 AP_1

(leaf) (middle) (root) GE0/0/2
Switch_B
GE0/0/1

Area C Area B Area A

: Wireless
STA STA STA virtual link

Data Planning

Table 8-23 AP data planning

AP Type MAC Address

AP_1 AP8130DN 60de-4474-9640

AP_2 AP8130DN dcd2-fc04-b500

AP_3 AP8130DN dcd2-fc96-e4c0

Table 8-24 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs. Switch_A
functions as a DHCP server to assign IP
addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 675

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.23.101.3-10.23.101.254/24

AC's source interface address VLANIF 100

WDS mode l AP_1: root

l AP_2: middle
l AP_3: leaf

Regulatory domain profile l Name: default

l Country code: CN

SSID profile l Name: wlan-net

l SSID name: wlan-net

Wireless service security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

WDS link security profile l Name: wds-security

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

WDS whitelist profile l Name: root-to-middle

l AP MAC address: MAC address of the
middle node

l Name: middle-to-leaf
l AP MAC address: MAC address of the
leaf node

WDS profile l Name: wds-root

l WDS name: wlan-wds
l WDS working mode: root
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 676

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

l Name: wds-middle
l WDS name: wlan-wds
l WDS working mode: middle
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

l Name: wds-leaf
l WDS name: wlan-wds
l WDS working mode: leaf
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-
security

AP group l Name: ap-group1

l Root APs, such as AP AP_1, are added
to the group.
l Referenced profiles: WDS profile wds-
root, VAP profile wlan-net, and
regulatory domain profile default

l Name: ap-group2
l Middle APs, such as AP AP_2, are
added to the group.
l Referenced profiles: WDS profile wds-
middle, VAP profile wlan-net, and
regulatory domain profile default

l Name: ap-group3
l Leaf APs, such as AP AP_3, are added
to the group.
l Referenced profiles: WDS profile wds-
leaf, VAP profile wlan-net, and
regulatory domain profile default

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 677

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure WDS services so that APs in Area B and Area C can go online through WDS
wireless virtual links.
4. Configure WLAN service parameters for STAs to access the WLAN.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 678

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_A] vlan batch 100 to 101

[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 679

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 680

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 681

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure WLAN services.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Copy AP group parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click Create. The Create AP Group page is displayed.
# Enter AP group name ap-group2, and copy parameters from AP group ap-group1.
Click OK. Create AP group ap-group3 in the same way.
Step 5 Configure the root node.
1. Create security profile wds-security and configure the security policy.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > Security Profile in Profile Management. The Security
Profile List page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter profile
name wds-security and click OK. The security profile configuration page is displayed.
# Set the security policy to WPA2+PSK+AES.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 682

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
2. Configure WDS service parameters for the root node. Set the channel parameters of
Radio 1 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID. The AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 1. The Radio 1 Settings page is displayed. On the Radio 1 Settings page,
set the channel parameters of Radio 1 to 40+ MHz and 157. Set the bridge distance to 4.

# Click Apply.
3. Create WDS whitelist profile root-to-middle and add the MAC address of the middle
AP to the WDS whitelist.

# Choose WDS > WDS Whitelist Profile in Profile Management. The WDS Whitelist
Profile List page is displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter
profile name root-to-middle and click OK. The WDS whitelist profile configuration
page is displayed.

# Click Add to configure the WDS whitelist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 683

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
4. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.
# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-root and click OK. The WDS profile configuration page is displayed.
# Set the WDS working mode and tagged VLAN.

NOTE

# Click Apply.
5. Bind security profile wds-security to WDS profile wds-root.

# Click next to WDS profile wds-root in Profile Management. The profiles

referenced by the WDS profile are displayed.
# To bind the security profile to the WDS profile, click Security Profile. On the security
profile configuration page that is displayed, set Security Profile to wds-security and
click Apply.
6. Bind WDS profile wds-root and WDS whitelist profile root-to-middle to the AP group
ap-group1.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click AP group name ap-group1 in the AP group list and choose WDS > WDS
Profile. The WDS Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 684

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Add. On the Add WDS Profile page that is displayed, set WDS profile name to
wds-root.

# Click OK.
# Click AP group name ap-group1 in the AP group list and choose WDS > WDS
Whitelist Profile. The WDS Whitelist Profile List page is displayed.
# Click Add. On the Add WDS Whitelist Profile page that is displayed, set WDS
whitelist profile name to root-to-middle.

# Click OK.
Step 6 Configure the middle node.
1. Create WDS whitelist profile middle-to-leaf and add the MAC address of the leaf AP to
the WDS whitelist.
# Choose WDS > WDS Whitelist Profile in Profile Management. The WDS Whitelist
Profile List page is displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter
profile name middle-to-leaf and click OK. The WDS whitelist profile configuration
page is displayed.
# Click Add to configure the WDS whitelist.

# Click OK.
2. Configure WDS service parameters for the middle node. Configure Radio 0 to switch to
the 5 GHz frequency band. Set the channel parameters of Radio 0 to 40+ MHz and 157.
Set the coverage distance to 4. Set the channel parameters of Radio 1 to 40+ MHz and
149. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Click the AP ID. The AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 685

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Radio 0. The Radio 0 Settings page is displayed. On the Radio 0 Settings page,
set the channel parameters of Radio 0 to 40+ MHz and 157. Set the bridge distance to 4.

# Set the channel parameters of Radio 1 to 40+ MHz and 149. Set the coverage distance
to 4. The configuration for the middle node is similar to that for the root node, and is not
mentioned here.
3. Create WDS profile wds-middle and configure the WDS working mode and tagged
VLAN.
# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-middle, select WDS profile wds-root in Copy parameters from other profiles,
and click OK. The WDS profile configuration page is displayed.
# Set WDS working mode to middle, retain the default settings of other parameters, and
click Apply.
4. Refer to the configuration procedure of the root node to bind WDS profile wds-middle
to security profile wds-security.
5. Refer to the configuration procedure of the root node to bind WDS profile wds-middle
and WDS whitelist profile middle-to-leaf to AP group ap-group2.
Step 7 Configure the leaf node.
1. Create the WDS profile wds-leaf and configure the WDS working mode and tagged
VLAN.
# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter profile name
wds-leaf select WDS profile wds-root in Copy parameters from other profiles, and
click OK. The WDS profile configuration page is displayed.
# Set WDS working mode to leaf, retain the default settings of other parameters, and
click Apply.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio 1. Set
Channel to 40+ MHz and 149, and Coverage distance to 4.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
3. Bind security profile wds-security to WDS profile wds-leaf, and WDS profile wds-leaf
to AP group ap-group3 according to the procedures in the root node configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 686

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 8 Add APs in batches.

# Choose Configuration > AP Config > AP Config > AP Info.
# In AP List, click Add. The Add AP page is displayed.

# Set Add mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# Click OK.
Step 9 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 687

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 688

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 689

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.2.12 Example for Configuring Back-to-Back WDS

Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
l Wireless backhaul mode: WDS back-to-back
l Backhaul radio: 5 GHz radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 690

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-21 Networking for configuring back-to-back WDS

Switch_A
GE0/0/2 GE0/0/3
AC Network
GE0/0/1 GE1/0/0
GE0/0/1 Router
10.23.101.2/24
Management VLAN：VLAN 100 GE0/0/2
Service VLAN：VLAN 101
Switch_B
GE0/0/1
AP_1 Area A
(root)

AP_2 Area B
(leaf)
GE0/0/2
Switch_C

GE0/0/1

AP_3
(root)

AP_4 Area C
(leaf)

VLAN101

：Wireless
virtual link

Data Planning

Table 8-25 AP data planning

AP Name Type MAC Address

AP_1 AP8130DN dcd2-fcf6-76a0

AP_2 AP8130DN 60de-4474-9640

AP_3 AP8130DN dcd2-fc04-b500

AP_4 AP8130DN 60de-4476-e360

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 691

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Table 8-26 AC data planning

Item Data

Management VLAN for VLAN 100

APs

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to assign IP addresses to

APs, and Switch_A functions as a DHCP server to assign IP
addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

IP address of the AC's VLANIF 100: 10.23.100.1/24

source interface

WDS profile l wds-net1 (WDS profile used by AP_1): WDS mode root,
referenced WDS whitelist wds-list1, permitting access only
from AP_2
l wds-net2 (WDS profile used by AP_3): WDS mode root,
referenced WDS whitelist wds-list2, permitting access only
from AP_4
l wds-net3 (WDS profile used by AP_2 and AP_4):
referencing no WDS whitelist

WDS role l AP_1: root

l AP_2: leaf
l AP_3: root
l AP_4: leaf

WDS name wds-net

WDS whitelist l wds-list1: contains MAC address of AP_2 and is bound to

AP_1
l wds-list2: contains MAC address of AP_4 and is bound to
AP_3

Radio used by WDS Radio 1 (AP_1 and AP_2):

l Bandwidth: 40 MHz-plus
l Channel: 157
l Radio coverage distance parameter: 4 (unit: 100 m)
Radio 1 (AP_3 and AP_4):
l Bandwidth: 40 MHz-plus
l Channel: 149
l Radio coverage distance parameter: 4 (unit: 100 m)

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 692

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Security profile l Name: wds-sec

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

AP group l wds-root1: AP_1

l wds-root2: AP_3
l wds-leaf1: AP_2
l wds-leaf2: AP_4. If a wired interface of AP_4 is connected
to a Layer 2 network, a wired port profile needs to be
configured for AP_4. Therefore, AP_2 and AP_4 are added
to two separate AP groups.

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 693

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 694

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure the DHCP server to assign IP addresses to STAs.

Step 3 Configure AC system parameters.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 695

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 696

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure the AP groups used by WDS nodes.
1. Create the AP group wds-root1 for the root node AP_1.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click Create. The Create AP Group page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 697

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Enter the AP group name wds-root1 and click OK.

2. According to the preceding configuration procedure, create the AP group wds-root2 for
the root node AP_3, AP group wds-leaf1 for the leaf node AP_2, and AP group wds-
leaf2 for the leaf node AP_4.
Step 5 Add APs in batches.
# Choose Configuration > AP Config > AP Config > AP Info.
# In AP List, click Add. The Add AP page is displayed.

# Set Add mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.

NOTE

l If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
l If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
l If you need to adjust radio parameters of an AP, such as the AP channel after importing the data, choose
Configuration > AP Config > AP Config and click AP ID of the AP in the AP list. On the
configuration page of the AP, select Radio Management.

# Click next to Import AP File, select the AP template file, and click Import.
# Click OK.

Step 6 Configure WDS profiles.

1. Configure the WDS profile wds-net1 for the root node AP_1.
# Choose Configuration > AP Config > Profile.
# Choose WDS > WDS Profile in Profile Management. The WDS Profile List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 698

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create WDS Profile page that is displayed, set Profile name to
wds-net1 and click OK. The WDS profile configuration page is displayed.

# Set WDS network bridge name, WDS working mode, and Tagged VLAN.

NOTE

# Click Apply.
2. Configure the WDS profile wds-net2 for AP_3 according to the configuration procedure
of the WDS profile wds-net1.

If the WDS profile wds-net2 is the same as the WDS profile wds-net1, you do not need
to create the WDS profile wds-net2. AP_3 and AP_1 can share the WDS profile wds-
net1.
3. Configure the WDS profile wds-net3 for AP_2 and AP_4 according to the configuration
procedure of the WDS profile wds-net1.

– In the WDS profile wds-net3, set WDS working mode to leaf.

– The value of WDS network bridge name in the WDS profile wds-net3 must be
the same as that in the WDS profile wds-net1, which is wds-net in this
configuration example.

Step 7 Configure WDS whitelist profiles.

1. Configure the WDS whitelist profile wds-list1 for AP_1 to permit access only from
AP_2 over the WDS link.

# Choose Configuration > AP Config > Profile.

# Choose WDS > WDS Whitelist Profile in Profile Management. The WDS Whitelist
Profile List page is displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1 and click OK. The configuration page of the WDS whitelist
profile is displayed.

# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 699

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. According to the configuration procedure of the WDS whitelist profile wds-list1,

configure the WDS whitelist profile wds-list2 for AP_3 and add the MAC address of
AP_4 60de-4476-e360 to the profile.

Step 8 Configure the security profile used by WDS profiles.

# Choose Configuration > AP Config > Profile.

# Choose Wireless Service > Security Profile in Profile Management. The Security Profile
List page is displayed.

# Click Create to create the security profile wds-sec used by WDS profiles, and click OK.
The security profile configuration page is displayed.

# Set Security policy to WPA2, Authentication policy to PSK, Encryption mode to AES,
and Password type to PASS-PHRASE, and configure the password for the security profile.

# Click Apply.

Step 9 Configure WDS service parameters.

1. Configure WDS service parameters for AP group wds-root1. Set parameters for Radio
1. Set Channel to 40+ MHz and 157, and Coverage distance to 4.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.

# Choose Configuration > AP Config > AP Group.

# In AP Group List, select the AP group ap-group1. The AP group configuration

page is displayed. Choose Radio Management from the navigation tree, and click
Radio 1. The Radio 1 settings(5G) page is displayed.

# Set Channel to 40+ MHz and 157, and WDS/Mesh bridge distance(0.1km) to 4.

# Click Apply. WDS service parameters are configured for AP group wds-root1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 700

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure WDS service parameters for AP group wds-root2 similarly. Set parameters
for Radio 1. Set Channel to 40+ MHz and 149, and WDS/Mesh bridge
distance(0.1km) to 4.
3. Configure WDS service parameters for AP group wds-leaf1 similarly. Set parameters for
Radio 1. Set Channel to 40+ MHz and 157, and WDS/Mesh bridge distance(0.1km)
to 4.
4. Configure WDS service parameters for AP group wds-leaf2 similarly. Set parameters for
Radio 1. Set Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km)
to 4.

Step 10 Bind the security profile to WDS profiles.

# Choose Configuration > AP Config > Profile.

# Choose WDS > WDS Profile in Profile Management and expand the WDS profile wds-
net1, wds-net2, and wds-net3, respectively. Select Security Profile. The page for referencing
the security profile is displayed.

# Set Security Profile to the security profile wds-sec and click Apply. The security profile is
bound to the WDS profile.

Step 11 Configure the AP's wired port profile.

# Choose Configuration > AP Config > Profile.

# Choose AP > AP Wired Port Profile in Profile Management. The AP Wired Port Profile
List page is displayed.

# Click Create. The Create AP Wired Port Profile page is displayed. Set the profile name to
wired-port and click OK. The configuration page of the wired port profile is displayed.

# Set Port mode to endpoint, add the wired port to VLAN 101 in tagged mode, and set the
Port PVID to 101. This example assumes that the downlink network of AP_4's wired port
GE0 transmits service traffic of VLAN 101.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 701

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 12 Bind related profiles to the AP radio to make the WDS service take effect.
1. Bind the WDS whitelist profile to radio 1 of AP_1.

# Choose Configuration > AP Config > AP Config. The AP list page is displayed.

# Set AP ID to 1 and click 1. The configuration page of AP_1 is displayed.

# Choose WDS > WDS Whitelist Profile. The WDS whitelist profile list page is
displayed. Click Add. The page for adding the WDS whitelist profile is displayed.

# Set WDS whitelist profile name to wds-list1 and Radio to 1.

# Click OK.
2. According to the configuration procedure of AP_1, bind the WDS whitelist profile wds-
list2 to radio 1 of AP_3.
3. Bind the WDS profile to radio 1 of AP_1.

# Choose Configuration > AP Config > AP Config. The AP list page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 702

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set AP ID to 1 and click 1. The configuration page of AP_1 is displayed.

# Choose WDS > WDS Profile. The WDS profile list page is displayed. Click Add. The
page for adding the WDS profile is displayed.
# Set WDS profile name to wds-net1 and Radio to 1.

# Click OK.
4. According to the configuration procedure of AP_1, bind the WDS profile wds-net2 to
radio 1 of AP_3 and WDS profile wds-net3 to AP_2 and AP_4.
5. Bind the wired port profile to the wired port GE0 of AP_4.
# Choose Configuration > AP Config > AP Config. The AP list page is displayed.
# In the AP list page, set AP ID to 4 and click 4. The configuration page of AP_4 is
displayed.
# Choose AP > AP Wired Port Settings. The page for binding the wired port profile is
displayed.
# Set GE0 Profile to the wired port profile wired-port.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 703

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.

Step 13 Verify the configuration.

1. # Choose Configuration > AP Config > AP Config. The AP list page is displayed. If
the AP status is normal, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

----End

8.2.13 Example for Configuring Common Mesh Services

Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh portal-node
l Backhaul radio: 5 GHz radio

Figure 8-22 Networking for configuring mesh services

Network
Router
Management VLAN：VLAN 100 10.23.101.2/24
Service VLAN：VLAN 101 GE1/0/0
GE0/0/3
GE0/0/2
Switch_A
GE0/0/1
AP_3 AP_2 AP_1 GE0/0/1
(MP) AC
(MP) (MPP) GE0/0/2
GE0/0/1

Switch_B
Area C Area B Area A
：Mesh link

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 704

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-27 AP data planning

AP Type MAC Address

area_1 AP8130DN 60de-4476-e360

area_2 AP8130DN dcd2-fc04-b500

area_3 AP8130DN 60de-4474-9640

Table 8-28 AC data planning

Item Data

Management VLAN for VLAN 100

APs

DHCP server The AC functions as a DHCP server to assign IP addresses to

APs, and Switch_A functions as a DHCP server to assign IP
addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

Mesh profile name Name: mesh-net

Mesh role l area_1: mesh-portal (MPP)

l area_2: mesh-node (MP)
l area_3: mesh-node (MP)

Mesh ID Name: mesh-net

Mesh whitelist Name: mesh-list

AP system profile Name: mesh-sys

Radio used by Mesh Radio 1:

services l Bandwidth: 40 MHz-plus
l Channel: 157
l Radio coverage distance parameter: 4 (unit: 100 m)

Security profile l Name: mesh-sec

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

AP group l mesh-mpp: area_1

l mesh-mp: area_2 and area_3

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 705

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on Switch_A to VLANs 100 and 101, and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 706

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_A-GigabitEthernet0/0/1] port link-type trunk

[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 707

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 708

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 3 Configure MPPs.

1. Choose Configuration > Fast Config > Mesh.
2. Create the AP group ap-group1 for the MPP.

# In AP Group List, click Create. The Create AP Group page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 709

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Enter the AP group name ap-group1 and click OK.

3. Configure Mesh parameters for the MPP.
# In AP Group List, select the AP group ap-group1.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
area added to the Mesh whitelist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 710

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
4. Add MPPs.

# In AP Group List, select the AP group ap-group1.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually Add and manually add MPPs.

# Click OK.

# Choose Configuration > AP Config > AP Config > AP Info.

# Select the node with AP ID 1, click Modify, and set AP Name to area_1. Click OK.

Step 4 Configure the MP.

1. Choose Configuration > Fast Config > Mesh.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 711

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create the AP group ap-group2 for the MP.

# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group2 and click OK.
3. Configure Mesh parameters for the MP.
# In AP Group List, select the AP group ap-group2.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
area added to the Mesh whitelist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 712

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
4. Add MPs.

# In AP Group List, select the AP group ap-group2.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually Add and manually add MPs.

# Click OK.

# Choose Configuration > AP Config > AP Config > AP Info.

# Select the nodes with AP ID 2 and AP ID 3, click Modify, and set AP Name to
area_2 and area_3 respectively. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 713

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 5 Verify the configuration.

1. Choose Configuration > Fast Config > Mesh. In AP Group List, select ap-group1
and ap-group2 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh link
information. After the Mesh links are successfully established, you can view detailed
information about the Mesh links on the page.

----End

8.2.14 Example for Configuring Dual-MPP Mesh Services

Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul node: dual Mesh portal-node
l Backhaul radio: 5 GHz radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 714

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-23 Networking for configuring dual-MPP Mesh services

Network
Router
10.23.101.2/24
GE1/0/0
GE0/0/3
Switch_A GE0/0/2
AC
GE0/0/1
Management VLAN：VLAN 100 GE0/0/1
Service VLAN：VLAN 101
GE0/0/3
Switch_B
GE0/0/1 GE0/0/2

AP_1 AP_2 Area A

(MPP) (MPP)

AP_3 AP_4 Area B

(MP) (MP)

：Mesh link

Data Planning

Table 8-29 AP data planning

AP Name Type MAC Address

AP_1 AP8130DN 60de-4474-9640

AP_2 AP8130DN dcd2-fc04-b500

AP_3 AP8130DN dcd2-fc96-e4c0

AP_4 AP8130DN 1047-80ac-cc60

Table 8-30 AC data planning

Item Data

Management VLAN for VLAN 100

APs

DHCP server The AC functions as a DHCP server to assign IP addresses to

APs, and Switch_A functions as a DHCP server to assign IP
addresses to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 715

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for APs 10.23.100.2-10.23.100.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

Mesh profile name Name: mesh-net

Mesh role l AP_1: mesh-portal (MPP)

l AP_2: mesh-portal (MPP)
l AP_3: mesh-node (MP)
l AP_4: mesh-node (MP)

Mesh ID Name: mesh-net

Mesh whitelist Name: mesh-list

AP system profile Name: mesh-sys

Radio used by Mesh Radio 1:

services l Bandwidth: 40 MHz-plus
l Channel: 157
l Radio coverage distance parameter: 4 (unit: 100 m)

Security profile l Name: mesh-sec

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Password: a1234567

AP group l mesh-mpp: AP_1 and AP_2

l mesh-mp: AP_3 and AP_4

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 716

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– In tunnel forwarding mode, you are advised to configure multicast packet

suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Context
NOTE

During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with
multiple MPPs simultaneously, configure the MPPs to work on the same channel.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit

Step 2 Configure AC system parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 717

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 718

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 719

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 3 Configure MPPs.
1. Choose Configuration > Fast Config > Mesh.
2. Create the AP group mesh-mpp for the MPPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mpp and click OK.
3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 720

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added.

# After configuring Mesh parameters, click Apply.

4. Add MPPs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 721

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# In AP Group List, select the AP group mesh-mpp.

# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually Add and manually add MPPs.

# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-b500 are
added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The APs are added as
MPPs.
# Choose Configuration > AP Config > AP Config > AP Info.
# Select APs with AP ID of 1 and 2, and click Modify. Change AP Name to AP_1 and
AP_2 for the APs respectively. Click OK. The AP names are changed.

Step 4 Configure MPs.

1. Choose Configuration > Fast Config > Mesh.
2. Create the AP group mesh-mp for the MPs.
# In AP Group, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mp and click OK.
3. Configure Mesh parameters for the MPs.
# In AP Group List, select the AP group mesh-mp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 722

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added.

# After configuring Mesh parameters, click Apply.

4. Add MPs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 723

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# In AP Group List, select the AP group mesh-mp.

# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually Add and manually add MPs.

# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-cc60 are
added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The APs are added as
MPs.
# Click OK.
# Choose Configuration > AP Config > AP Config > AP Info.
# Select APs with AP ID of 3 and 4, and click Modify. Change AP Name to AP_3 and
AP_4 for the APs respectively. Click OK. The AP names are changed.

Step 5 Verify the configuration.

1. Choose Configuration > Fast Config > Mesh. In AP Group List, select mesh-mpp
and mesh-mp to check whether the status of APs in the AP list is normal. If the AP
status is normal, the APs have gone online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information and check information
about Mesh links. After the WDS links are successfully established, you can view details
about the WDS links on the following page.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 724

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.3 Authentication Configuration Examples

8.3.1 Example for Configuring External Portal Authentication
Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: External Portal authentication
l Security policy: open

Figure 8-24 Networking for configuring external Portal authentication

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 725

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-31 AC data planning

Item Data

Managemen VLAN100
t VLAN for
APs

Service VLAN101
VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2–10.23.100.254/24
pool for
APs

IP address 10.23.101.3–10.23.101.254/24
pool for
STAs

AC's source VLANIF100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: CN
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: open

RADIUS Name of the RADIUS authentication scheme: wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 726

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Portal l Name: wlan-net

server l IP address: 10.23.103.1
template
l Destination port number in the packets that the AC sends to the Portal
server: 50200
l Portal shared key: Huawei123

Portal l Name: wlan-net

access l Referenced profile: Portal server template wlan-net
profile

Authenticati l Name:default_free_rule
on-free rule l Authentication-free resource: IP address of the DNS server (8.8.8.8)
profile

Authenticati l Name: wlan-net

on Profile l Referenced profile: Portal access profile wlan-net, RADIUS Server
profile wlan-net, authentication-free rule profile default_free_rule and
authentication scheme wlan-net

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-net, security profile wlan-net and
Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure external Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage external Portal authentication
configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 727

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 728

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router-GigabitEthernet1/0/0] port link-type trunk

[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 729

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 730

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure a static route.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 731

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.

Step 5 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server profile.

3. Click OK.

# Create an authentication scheme and configure the RADIUS authentication mode.

1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Scheme. The Authentication Scheme List page is displayed.
2. Click Create. In the Create Authentication Scheme dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new authentication scheme profile is
displayed. Set the authentication mode to RADIUS.

4. Click Apply. In the Info dialog box that is displayed, click OK.

# Create an authentication scheme and configure the RADIUS authentication mode.

1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Scheme. The Authentication Scheme List page is displayed.
2. Click Create. In the Create Accounting Scheme dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new accounting scheme profile is
displayed.Set the accounting mode to RADIUS and the accounting interval to 15
minutes.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 732

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

5. Click OK.
Step 7 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
1. Choose Configuration > AP Config > Profile > Wireless Service > Portal Profile. The
Portal Profile List page is displayed.
2. Click Create. In the Create Portal Profile dialog box that is displayed, set Profile
name to wlan-net.
3. Click OK. The parameter setting page of the new Portal profile is displayed. Configure
the server for Portal authentication as the external Portal server, and set the
authentication mode to Layer 2 authentication.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 733

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Click Apply. In the Info dialog box that is displayed, click OK.

Step 8 Configure a Portal server template.

NOTE

3. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 734

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 9 Configure the authentication profile wlan-net.

# Create an authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click Create. In the Create Authentication Profile dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new authentication profile is displayed.
4. Click Apply. In the Info dialog box that is displayed, click OK.
# Apply the Portal profile, RADIUS server profile, authentication scheme, accounting scheme
and authentication-free rule profile to the authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click to the left of Authentication Profile List in the navigation tree to expand the
authentication profile list. Click to the left of the the authentication profile name to
view the names of other profiles referenced in the authentication profile.
3. Click Portal Profile and choose Portal profile named wlan-net in the displayed page.
4. Click Apply. In the Info dialog box that is displayed, click OK.
5. Apply the RADIUS server profile wlan-net, authentication scheme wlan-net,
accounting scheme wlan-net and authentication-free rule profile default_free_rule to
the authentication profile. The configuration is similar to the configuration of applying a
Portal profile, and is not mentioned here.
Step 10 Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Security Profile.
The Security Profile List page is displayed.
2. Click Create. In the Create Security Profile dialog box that is displayed, set Profile
name to wlan-net.
3. Click OK. The parameter setting page of the new security profile is displayed and set the
security policy to Open.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 735

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK. The parameter setting page of the new SSID profile is displayed and set the
SSID name to.wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 736

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

6. Click next to Import AP File, select the AP template file, and click Import.
7. On the page that displays the template import result, click OK.
Step 11 Configure an AP group and bind a VAP profile to the AP group.
# Creat an AP Group
# Bind VAP profiles to the AP group.
1. Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 737

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Click an AP group name. The AP group configuration page is displayed.

3. Click VAP Configuration on the left. The VAP Profile List page is displayed.
4. Click Add. The Add VAP Profile page is displayed. Apply VAP profile wlan-net to
radio 0 and radio 1.

5. ClickOK.
Step 12 Configure third-party server interconnection parameters.
For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 13 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 738

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

----End

8.3.2 Example for Configuring Built-in Portal Authentication for

Local Users
Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: built-in Portal authentication
l Security policy: open

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 739

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-25 Networking for configuring built-in Portal authentication for local users

Data Planning

Table 8-32 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
SwitchB functions as a DHCP server to
assign IP addresses to STAs. The default
gateway address of STAs is 10.23.101.2.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

AC's source interface VLANIF100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-
net and regulatory domain profile
default

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 740

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Regulatory domain profile l Name: default

l Country code: CN

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: open

Local user l User name: guest

l Password: guest@123

Authentication scheme l Name: wlan-net

l Authentication scheme: local

Portal access profile l Name: wlan-net

l The built-in Portal server is used.
– Server IP: 10.23.101.1
– SSL policy: default_policy
– Port number: 20000

Authentication-free rule profile l Name: default_free_rule

l Authentication-free resource: IP address
of the DNS server (8.8.8.8)

Authentication Profile l Name: wlan-net

l Referenced profile: Portal access profile
wlan-net, Authentication-free rule
profile default_free_rule, authentication
scheme wlan-net

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-
net, security profile wlan-net and
Authentication profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 741

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

5. Select Fast Config to configure WLAN services on the AC. On the web platform, the
HTTPS service is enabled and an SSL policy is applied. When configuring a built-in
Portal server, configure the same SSL policy for the built-in Portal server.
6. Specify network resources accessible to authentication-free users.
7. Complete service verification.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 742

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100

[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 743

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 744

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure a static route.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 745

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.

Step 5 Configure WLAN services.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, security policy, authentication
mode, and built-in portal server on the Create SSID page. Click Add User, and enter the
user name and password for authentication. Set the address of the built-in Portal server to
the gateway address of STAs. The built-in Portal server and web platform have the same
SSL policy but different port numbers.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-
net, Portal profile wlan-net, and authentication scheme wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 746

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Specify network resources accessible to authentication-free users.
1. Add the IP address of the DNS server in the default authentication-free rule profile
default_free_rule.
# Choose Configuration > AP Config > Profile > Wireless Service > Authentication-
free Rule Profile > default_free_rule.
# Click Create. The Create Authentication-free Rule page is displayed.
# Add the IP address of the DNS server.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 747

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Bind the authentication-free rule profile default_free_rule to the authentication profile

wlan-net.

# Choose Configuration > Security > AAA > Authentication Profile. The
Authentication Profile page is displayed.

# Click next to wlan-net. Click Authentication-free Rule Profile and select

default_free_rule in the configuration page of the authentication-free rule profile.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.

1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 748

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.3.3 Example for Configuring MAC Address-prioritized Portal

Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Figure 8-26 Networking for configuring MAC address-prioritized Portal authentication

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 749

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-33 AC data planning

Item Data

Managemen VLAN100
t VLAN for
APs

Service VLAN101
VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2–10.23.100.254/24
pool for
APs

IP address 10.23.101.3–10.23.101.254/24
pool for
STAs

AC's source VLANIF100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: CN
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: open

RADIUS Name of the RADIUS authentication scheme: wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 750

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Portal l Name: wlan-net

server l IP address: 10.23.103.1
template
l Destination port number in the packets that the AC sends to the Portal
server: 50200
l Portal shared key: Huawei123

Portal l Name: wlan-net

access l Referenced profile: Portal server template wlan-net
profile

MAC Name:wlan-net
access
profile

Authenticati l Name:default_free_rule
on-free rule l Authentication-free resource: IP address of the DNS server(8.8.8.8)
profile

Authenticati l Name: wlan-net

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-net, security profile wlan-net and
Authentication profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 751

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 752

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 753

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 754

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure a static route.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 755

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.

Step 5 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server profile.

3. Click OK.

# Create an authentication scheme and configure the RADIUS authentication mode.

4. Click Apply. In the Info dialog box that is displayed, click OK.

# Create an authentication scheme and configure the RADIUS authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 756

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 757

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Click Apply. In the Info dialog box that is displayed, click OK.
Step 9 Configure a Portal server template.
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 758

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Click OK.
Step 10 Configure the authentication profile wlan-net.
# Create an authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click Create. In the Create Authentication Profile dialog box that is displayed, set
Profile name to wlan-net.
3. Click OK. The parameter setting page of the new authentication profile is displayed.
4. Click Apply. In the Info dialog box that is displayed, click OK.
# Apply the Portal profile, MAC access profile, RADIUS server profile, authentication
scheme, accounting scheme and authentication-free rule profile to the authentication profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Authentication
Profile. The Authentication Profile List page is displayed.
2. Click to the left of Authentication Profile List in the navigation tree to expand the
authentication profile list. Click to the left of the authentication profile name to view
the names of other profiles referenced in the authentication profile.
3. Click Portal Profile and choose Portal profile named wlan-net in the displayed page.
4. Click Apply. In the Info dialog box that is displayed, click OK.
5. Apply the MAC access profile wlan-net, RADIUS server profile wlan-net,
authentication scheme wlan-net, accounting scheme wlan-net and authentication-free

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 759

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

rule profile default_free_rule to the authentication profile. The configuration is similar

to the configuration of applying a Portal profile, and is not mentioned here.
Step 11 Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
1. Choose Configuration > AP Config > Profile > Wireless Service > Security Profile.
The Security Profile List page is displayed.
2. Click Create. In the Create Security Profile dialog box that is displayed, set Profile
name to wlan-net.
3. Click OK. The parameter setting page of the new security profile is displayed and set the
security policy to Open.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 760

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Click Create. In the Create VAP Profile dialog box that is displayed, set Profile name
to wlan-net.
3. Click OK. The parameter setting page of the new VAP profile is displayed. Configure
service VLANs and the data forwarding mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 761

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

6. Click next to Import AP File, select the AP template file, and click Import.
7. On the page that displays the template import result, click OK.
Step 12 Configure an AP group and bind a VAP profile to the AP group.
# Creat an AP Group
# Bind VAP profiles to the AP group.
1. Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.
2. Click an AP group name. The AP group configuration page is displayed.
3. Click VAP Configuration on the left. The VAP Profile List page is displayed.
4. Click Add. The Add VAP Profile page is displayed. Apply VAP profile wlan-net to
radio 0 and radio 1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 762

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. The WLAN with the SSID wlan-net is available.

2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 763

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.3.4 Example for Configuring 802.1X Authentication

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 764

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-27 Networking diagram for configuring 802.1x authentication

Internet

Router

GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1

GE0/0/2

SwitchA
GE0/0/1

STA STA
Management VLAN：VLAN 100
Service VLAN：VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 765

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-34 Data planning on the AC

Configuration Item Data

Management VLAN VLAN 100

Service VLAN VLAN 101

AC's source interface VLANIF 100: 10.23.100.1/24

DHCP server The AC functions as the DHCP server to assign IP

addresses to APs, and SwitchB functions as the DHCP
server to assign IP addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for the STAs 10.23.101.2-10.23.101.254/24

RADIUS authentication l RADIUS server template name: wlan-net

parameters l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net

802.1x access profile l Name: wlan-net

l Authentication mode: EAP

Authentication profile l Name: wlan-net

l Bound profile and authentication scheme: 802.1x
access profile wlan-net, RADIUS server template
wlan-net, and RADIUS authentication scheme
wlan-net

AP group l Name: ap-group1

l Bound profile: VAP profile wlan-net and
regulatory domain profile default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+802.1x+AES

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 766

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Item Data

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security
profile wlan-net, and authentication profile wlan-
net

The AC and server must have the same RADIUS shared key.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 767

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 768

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] dhcp enable

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 769

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 770

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 771

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 772

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 773

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure third-party server interconnection parameters.

Step 8 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 774

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Configuration on the Windows 7 operating system:

----End

8.3.5 Example for Configuring MAC Address Authentication

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 775

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-28 Networking diagram for configuring MAC address authentication

Internet

Router

GE0/0/1
Radius Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1

GE0/0/2

SwitchA
GE0/0/1

STA STA

Management VLAN：VLAN 100

Service VLAN：VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 776

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-35 Data planning on the AC

Configuration Item Data

Management VLAN VLAN 100

Service VLAN VLAN 101

AC's source interface VLANIF 100: 10.23.100.1/24

DHCP server The AC functions as the DHCP server to assign IP

addresses to APs, and SwitchB functions as the DHCP
server to assign IP addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for the STAs 10.23.101.2-10.23.101.254/24

RADIUS authentication l RADIUS server template name: wlan-net

parameters l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net

MAC access profile Name: wlan-net

Authentication profile l Name: wlan-net

l Bound profile and authentication scheme: MAC
access profile wlan-net, RADIUS server template
wlan-net, and RADIUS authentication scheme
wlan-net

AP group l Name: ap-group1

l Bound profile: VAP profile wlan-net and
regulatory domain profile default

Regulatory domain profile l Name: default

l Country code: CN

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: open system authentication

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 777

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Item Data

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security
profile wlan-net, and authentication profile wlan-
net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 778

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 779

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] dhcp enable

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 780

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 781

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 782

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
Step 5 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to CHINA and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates VAP profile wlan-
net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net,
MAC authentication profile wlan-net, RADIUS server template wlan-net, and
authentication scheme profile wlan-net.
4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 783

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 784

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure third-party server interconnection parameters.

l For interconnection with the Cisco ISE, see "Example for Configuring MAC Address
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
l For interconnection with the Aruba ClearPass, see "Example for Configuring MAC
Address Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless AC Address Authentication" in the Agile Controller-Campus Typical
Configuration Examples.
l For interconnection with other third-party servers, see the corresponding product manual.

Step 8 Verify the configuration.

l After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
l After dumb terminals associate with the WLAN, run the display access-user access-
type mac-authen command on the AC. The command output shows that user huawei
using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 785

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.3.6 Example for Configuring MAC Authentication for Local

Users
Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.

Figure 8-29 Networking for configuring MAC authentication for local users

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 786

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-36 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
SwitchB functions as a DHCP server to
assign IP addresses to STAs. The default
gateway address of STAs is 10.23.101.2.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

AC's source interface VLANIF 100:10.23.100.1/24

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: CN

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: open

Local authentication parameters Name of the local authentication scheme:

wlan-net
User name, password, and access type of the
local user (STA1 is taken as an example.):
l User name: 0011-2233-4455
l Password: guest@123
l Access type: MAC

MAC access profile l Name: wlan-net

l User name and password for MAC
address authentication: A MAC address
is used as the user name and the
password is guest@123.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 787

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Authentication profile l Name: wlan-net

l Referenced profile: MAC access profile
wlan-net and authentication scheme
wlan-net

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profile: SSID profile wlan-
net, security profile wlan-net and
Authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the AP to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring a security
policy, select MAC address authentication and local authentication. When adding a local
user, ensure that the user name is the same as the MAC address of the user, and the
password is the same as that configured in the MAC access profile. Configure the
planned password in the MAC access profile.
5. Complete service verification.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 788

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 789

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 790

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 791

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure WLAN services.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, security policy, authentication
mode, and access mode on the Create SSID page. Click Add User, and enter the user
name and password for authentication.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 792

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, security profile wlan-net, authentication profile wlan-
net, and MAC authentication profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure MAC authentication profile.

# Choose Configuration > Security > AAA > Authentication Profile. Expand the
authentication profile wlan-net, click MAC Authentication Profile named wlan-net, and set
the authentication password.

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Verify the configuration.

1. The STAs automatically access the WLAN with the SSID wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 793

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.3.7 Example for Configuring the RADIUS Server and AC to

Deliver User Group Rights to Users
Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1X+AES

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 794

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-30 Networking for configuring user authorization based on user groups

Internet

Router

GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1

GE0/0/2

SwitchA
GE0/0/1

STA STA
Management VLAN：VLAN 100
Service VLAN：VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 795

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-37 Data planning on the AC

Configuration Item Data

Management VLAN VLAN 100

Service VLAN VLAN 101

AC's source interface VLANIF 100: 10.23.100.1/24

DHCP server The AC functions as a DHCP server to assign IP

addresses to APs, and SwitchB functions as a DHCP
server to assign IP addresses to STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for the STAs 10.23.101.2-10.23.101.254/24

RADIUS authentication l RADIUS server template name: wlan-net

parameters l IP address: 10.23.103.1
l Authentication port number: 1812
l Shared key: huawei@123
l Authentication scheme: wlan-net

802.1x access profile l Name: wlan-net

l Authentication mode: EAP

Authentication profile l Name: wlan-net

l Bound profile and authentication scheme: 802.1x
access profile wlan-net, RADIUS server template
wlan-net, and RADIUS authentication scheme
wlan-net

AP group l Name: ap-group1

l Bound profile: VAP profile wlan-net and
regulatory domain profile default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+802.1X+AES

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 796

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Item Data

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Bound profiles: SSID profile wlan-net, security
profile wlan-net, and authentication profile wlan-
net

User group l Name: group1

l Bound ACL number: 3001
l User group right: Only members in the user group
can access network resources on 10.23.200.0/24.

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure a user group.
6. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 797

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 798

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 799

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 800

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 801

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 802

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 803

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. On the Create Advanced ACL page that is displayed, configure an
ACL.

# Click OK. The Advanced ACL Settings page is displayed.

# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed, add an
ACL rule.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 804

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. On the Advanced ACL Settings page that is displayed, add another ACL
rule.

# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User Group
page is displayed.
# Click Create. On the Create User Group page that is displayed, set User group
name and bind an ACL.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 805

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

Step 8 Configure third-party server interconnection parameters.

l For interconnection with the Cisco ISE, see "EExample for Configuring User
Authorization Based on User Groups" in the Typical Configuration Examples-WLAN and
the Cisco ISE Server Interoperation Configuration Examples.
l For interconnection with the Aruba ClearPass, see "Example for Configuring User
Authorization Based on User Groups" in the Typical Configuration Examples-WLAN and
the Aruba ClearPass Server Interoperation Configuration Examples.
l For interconnection with other third-party servers, see the corresponding product manual.

Step 9 Verify the configuration.

l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 806

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

mode, set the identity authentication mode to User authentication, and click
OK.

----End

8.4 Reliability Configuration Examples

8.4.1 Example for Configuring Dual-link Backup (Global
Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be used to improve data transmission reliability.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: direct forwarding

Figure 8-31 Networking for configuring dual-link backup

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 807

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-38 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The switch functions as a DHCP server to

assign IP addresses to APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active AC AC1
Local priority: 0

Standby AC AC2
Local priority: 1

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 808

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure network interworking of the AC1, AC2, and other network devices. Configure
the switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Procedure
Step 1 Configure the switch.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure
the interfaces to allow packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 809

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch] interface gigabitethernet 0/0/4

[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

Configure the DHCP function on the switch to assign IP addresses to APs and STAs.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

NOTE

You are advised to configure port isolation on GE0/0/1 and GE0/0/4 of the switch. If port isolation is not
configured, unnecessary broadcast packets will be transmitted in the VLANs or WLAN users connected to
different APs can directly communicate at Layer 2.

Step 2 Configure AC1.

1. Choose Configuration > Fast Config > AC.

2. Configure Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface directly connected to the
AP to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 810

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 811

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Click Next.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 3 Configure WLAN services on AC1.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Setting tab.
# Set Country code to China and click Apply.
# Click Create in SSID Setting. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 812

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 4 Configure AC2.

# Configure basic parameters for AC2 according to the configurations of AC1.

# On the Configure Virtual Interface page, set the IP address 10.23.100.3/24 for VLANIF
100 and set other parameters according to those of AC1.

Step 5 Configure WLAN services on AC2.

# Configure WLAN services on AC2 according to the configurations of AC1.

# Configure the same parameters for AC2 as those of AC1.

Step 6 Configure dual-link backup on AC1 and AC2.

1. Configure dual-link backup on AC1.

# On AC1, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.

# Set Backup Mode to Dual-link cold backup, AC dual-link backup status and AC
dual-link switchover status to ON and configure Local priority and IP address of the
backup AC. Set IP address of the backup AC to 10.23.100.3 (AC2's IP address).

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 813

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE
A smaller value of Local priority indicates a higher local priority.

# Click Apply. In the dialog box that is displayed, click OK.

2. Configure dual-link backup on AC2.

# Configure AC2 according to the configuration procedure of AC1.

# Set Local priority to 1, and IP address of the backup AC to 10.23.100.2 (IP address
of AC1). The other configurations are the same as those of AC1.
NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs are
restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs and make the dual-link
backup function take effect.

Step 7 Verify the configuration.

The WLAN with SSID wlan-net is available for STAs connected to AP1 and AP2, and the
STAs can connect to the WLAN and go online properly.

When the link between an AP and AC1 fails, AC2 takes over the active role. This ensures
service stability.

----End

8.4.2 Example for Configuring Dual-Link Hot Standby (HSB) for

ACs

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
that dual-link backup be used to implement AC hot standby (HSB) to improve data
transmission reliability.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: tunnel forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 814

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-32 Networking for configuring dual-link HSB for ACs

Data Planning

Table 8-39 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

AC's backup VLAN VLAN 102

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 815

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP server The router functions as a DHCP server to

assign IP addresses to APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active AC AC1
Local priority: 0

Standby AC AC2
Local priority: 1

IP addresses and port numbers for the active IP address: VLANIF 102, 10.23.102.1/24
and standby channels of AC1 Port number: 10241

IP addresses and port numbers for the active IP address: VLANIF 102, 10.23.102.2/24
and standby channels of AC2 Port number: 10241

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 816

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure network interworking of the APs, ACs, and other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise network.
3. Configure global dual-link backup on the AC.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in batches. When AC1 is faulty, AC2 takes over the job
of AC1. User services are not interrupted.

Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the AP and ACs can exchange CAPWAP
packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 817

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchA-GigabitEthernet0/0/2] port link-type trunk

[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GigabitEthernet0/0/1 (connecting to SwitchA) of SwitchB, GigabitEthernet0/0/2

(connecting to AC1) of SwitchB, and GigabitEthernet0/0/3 (connecting to AC2) of SwitchB
to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure SwitchB and Router to communicate with each other.

# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to the STA and AP.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 818

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 4 Configure AC1.

1. Choose Configuration > Fast Config > AC.

2. Configure Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100, VLAN 101, and VLAN 102 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface directly connected to the
AP to management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 819

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK.

# Repeat the preceding steps and set the IP address of VLANIF 102 to 10.23.102.1/24.

# Click Next. The Configure DHCP page is displayed.

4. Click Next.
5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure WLAN services on AC1.

1. Choose Configuration > Fast Config > AP.
2. Create an AP group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 820

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 821

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Configure AC2.

# Configure basic parameters on AC2 according to the configurations of AC1.

# On the Configure Virtual Interface page, set IP addresses of VLANIF 100 and VLANIF
102 to 10.23.100.3/24 and 10.23.102.2/24, respectively. Other parameter settings are the same
as those on AC1.

Step 7 Configure WLAN services on AC2.

# Configure WLAN services on AC2 according to the configuration procedure on AC1. The
parameter settings on AC2 are the same as those on AC1.

Step 8 Configure dual-link HSB on AC1 and AC2.

1. Configure AC1.

# On AC1, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.

# Click HSB Config.

# In HSB Channel 0, set Local IP address to 10.23.102.1, Peer IP address to

10.23.102.2, Local port to 10241, Remote port to 10241, Backhaul times to 5, and
Intervals to 3.

# Click Apply. In the dialog box that is displayed, click OK.

# On the Reliability Config page, set Backup mode to Dual-link hot backup, AC
dual-link backup status and AC dual-link switchover status to ON, Local priority to
0, IP address of the backup AC to the AC2 IP address 10.23.100.3, and HSB channel
to 0. Select User access and AP for HSB service.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 822

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure AC2 according to the configuration procedure of AC1. When configuring the
HSB tunnel, set Local IP address to 10.23.102.2 and Peer IP address to 10.23.102.1
(AC1's IP address). When configuring the backup parameters, set Local priority to 1,
and IP address of the backup AC to 10.23.100.2 (AC1's IP address). The other
configurations are similar to those of AC1.
NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs
are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs. After the APs are
restarted, the dual-link backup function takes effect.

Step 9 Verify the configuration.

The WLAN with the SSID wlan-net is available for STAs connected to AP1, and these STAs
can connect to the WLAN and go online properly.
When the link between an AP and AC1 fails, AC2 takes over the active role. User services are
not interrupted.

----End

8.4.3 Example for Configuring VRRP to Implement AC Hot

Standby

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
that VRRP be used to implement AC hot standby (HSB) to improve data transmission
reliability.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
l Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 823

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-33 Configuring VRRP to implement AC hot standby (direct forwarding)

Data Planning

Table 8-40 AC Data Planning

Item Configuration

AC1's source interface VLANIF 100: 10.23.100.3/24

AC2's source interface VLANIF 100: 10.23.100.3/24

Virtual IP address of the 10.23.100.3/24

management VRRP group

Virtual IP address of the service 10.23.101.3/24

VRRP group

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 824

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Configuration

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and
security profile wlan-net

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and
regulatory domain profile default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

DHCP server AC functions as the DHCP server to assign IP

addresses to the AP and STA

AP's gateway VLANIF 100: 10.23.100.3/24

IP address pool for the AP 10.23.100.4 to 10.23.100.254/24

STA's gateway VLANIF 101: 10.23.101.3/24

IP address pool for STA 10.23.101.4 to 10.23.101.254/24

IP addresses and port numbers for IP address: VLANIF 102, 10.23.102.1/24

the active and standby channels Port number: 10241
of AC1

IP addresses and port numbers for IP address: VLANIF 102, 10.23.102.2/24

the active and standby channels Port number: 10241
of AC2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 825

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.

Procedure
Step 1 Establish a cluster through cluster cards.
# Configure the cluster connection mode, cluster ID, cluster priority on SwitchB so that
SwitchB functions as the master switch. The configuration of SwitchC is similar to the
configuration of SwitchB, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Enable the cluster function on SwitchB and restart SwitchB. The configuration of SwitchC
is similar to the configuration of SwitchB, and is not mentioned here.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is reboote
d. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the cluster through the console interface of any MPU and run the display device
command to check the card status of two member switches in the cluster. The following
information indicates that the cluster has been established.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 826

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

<SwitchB> display device

Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA

# Run the display css channel command to check the channel status of the cluster. The
following information shows that cluster channels are Up, indicating that the cluster is
successfully established.
<SwitchB> display css channel
CSS link-down-delay: 0ms

Chassis 1 || Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/1 0/12 -- 1/1/0/1(UP 10G) ---||--- 2/1/0/1(UP 10G) -- 2/1 0/12
2 1/1 0/16 -- 1/1/0/2(UP 10G) ---||--- 2/1/0/2(UP 10G) -- 2/1 0/16
3 1/1 0/13 -- 1/1/0/3(UP 10G) ---||--- 2/1/0/3(UP 10G) -- 2/1 0/13
4 1/1 0/17 -- 1/1/0/4(UP 10G) ---||--- 2/1/0/4(UP 10G) -- 2/1 0/17
5 1/1 0/14 -- 1/1/0/5(UP 10G) ---||--- 2/1/0/5(UP 10G) -- 2/1 0/14
6 1/1 0/18 -- 1/1/0/6(UP 10G) ---||--- 2/1/0/6(UP 10G) -- 2/1 0/18
7 1/1 0/15 -- 1/1/0/7(UP 10G) ---||--- 2/1/0/7(UP 10G) -- 2/1 0/15
8 1/1 0/19 -- 1/1/0/8(UP 10G) ---||--- 2/1/0/8(UP 10G) -- 2/1 0/19

Step 2 Configure SwitchA, SwitchB and SwitchC so that CAPWAP packets can be transmitted
between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN
users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 827

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchA-GigabitEthernet0/0/2] port link-type trunk

[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 that connects SwitchB to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE1/1/0/1 that connects SwitchB to AC1 to VLAN 100 and VLAN 101.
The configuration of SwitchC is similar to the configuration of SwitchB, and is not mentioned
here.
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 1/1/0/1
[SwitchB-GigabitEthernet1/1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet1/1/0/1] quit
[SwitchB] interface gigabitethernet 1/1/0/2
[SwitchB-GigabitEthernet1/1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/1/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/1/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet1/1/0/2] quit

Step 3 Configure AC1.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add it to
VLAN 100 (management VLAN) and VLAN 101 (service VLAN) in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 828

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.
# On the GigabitEthernet0/0/2 page, perform configurations according to the
configuration procedure on the GigabitEthernet0/0/1 page. The parameter settings are
the same as those on the GigabitEthernet0/0/1 page, except that GigabitEthernet0/0/2 is
added to VLAN 102 (backup VLAN) in tagged mode.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 829

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Repeat the preceding procedure to set IP addresses of VLANIF 101 and VLANIF 102
to 10.23.101.1/24 and 10.23.102.1/24, respectively.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool for VLANIF 100.

# Click OK.
# Repeat the preceding procedure to configure IP address pools for VLANIF 101.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 830

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN services on AC1.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 831

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure AC2.
# Configure basic parameters on AC2 according to the configurations of AC1. On the
Configure Virtual Interface page, set IP addresses of VLANIF 100, VLANIF 101, and
VLANIF 102 to 10.23.100.2/24, 10.23.101.2/24, and 10.23.102.2/24, respectively. Other
parameter settings are the same as those on AC1.
Step 6 Configure WLAN services on AC2.
# Configure WLAN services on AC2 according to the configuration procedure on AC1. The
parameter settings on AC2 are the same as those on AC1.
Step 7 Configure VRRP on AC1 to implement AC HSB.
1. Create a management VRRP group.
# Choose Configuration > Reliability Config > Reliability Config > VRRP List. The
VRRP List page is displayed.
# Click Create. The Create VRRP Group page is displayed.
# Set the parameters as follows:
– VLANIF/IP: VLAN 100
– VRID: 1
– VRRP type: mVRRP group

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 832

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Virtual IP address: 10.23.100.3

– Preemption delay: 1800
– Priority: 120

# Click OK.
2. Create a service VRRP group.
# On the VRRP List page, click Create. The Create VRRP Group page is displayed.
# Set the parameters as follows:
– VLANIF/IP: VLAN 101
– VRID: 2
– VRRP type: VRRP group
– Virtual IP address: 10.23.101.3
– Preemption delay: 1800
– VRID of the mVRRP group: 1

# Click OK.
3. Configure an HSB service.
# On AC1, choose Configuration > Reliability Config > Reliability Config > HSB
Config. The HSB Config page is displayed.
# Set the parameters as follows:
– Local IP address: 10.23.102.1
– Peer IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Backhaul times: 3

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 833

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Interval: 6

# Click Apply. In the dialog box that is displayed, click OK.

4. Configure an HSB group.
# On AC1, choose Configuration > Reliability Config > Reliability Config > HSB
Config. The HSB Config page is displayed.
# Set the parameters as follows:
– HSB channel: 0
– HSB service: DHCP, User access, and AP
– VRID: 1

# Click Apply. In the dialog box that is displayed, click OK.

5. Configure VRRP HSB.
# On the Reliability Config page, set Backup mode to VRRP hot backup.
# Set the parameters as follows:
– HSB: ON
– HSB group: 0
– Recovery delay: 30

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Configure VRRP on AC2 to implement AC HSB.
# Configure AC2 according to the configuration procedure of AC1. When configuring the
HSB channel, set Local IP address to 10.23.102.2 and Peer IP address to 10.23.102.1. Set
other parameters on AC2 to be the same as those on AC1.
Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 834

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

The WLAN with the SSID wlan-net is available for STAs connected to the AP, and these
STAs can connect to the WLAN.
When detecting a fault on the link connected to AC1, the AP instructs AC2 to take the active
role. User services are not interrupted.

----End

8.4.4 Example for Configuring N+1 Backup for ACs in the Same
Network Segment

Service Requirements
In public places where a large number of users exist in a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access services. These
services are value-added services that require low network reliability and allow temporary
service interruption. An AC is required to be a backup of all ACs to save costs. To meet this
requirement, build an N+1 backup wireless LAN to provide reliable services and reduce
device purchase costs. ACs of different models can work in N+1 backup mode, but versions
of the ACs must be the same.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: direct forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 835

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-34 Networking for configuring N+1 backup

Data Planning

Table 8-41 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

VLAN 102

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 836

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP server Switch_1 functions as a DHCP server to

assign IP addresses to APs and STAs.
STAs' gateway:
l 10.23.101.1/24
l 10.23.102.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.5-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.3-10.23.101.254/24

STA2: 10.23.102.3-10.23.102.254/24

AC's source interface VLANIF 100

AC_1's management IP address VLANIF 100: 10.23.100.2/24

AC_2's management IP address VLANIF 100: 10.23.100.3/24

AC_3's management IP address VLANIF 100: 10.23.100.4/24

AP group AC_1 (active AC):

l Name: ap-group1
l Referenced profiles: AP system profile
ap-system, VAP profile wlan-net, and
regulatory domain profile default

AC_2 (active AC):

l Name: ap-group2
l Referenced profiles: AP system profile
ap-system1, VAP profile wlan-net1, and
regulatory domain profile default

AC_3 (standby AC):

l Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile wlan-
net, and regulatory domain profile
default
l Name: ap-group2
– Referenced profiles: AP system
profile ap-system1, VAP profile
wlan-net1, and regulatory domain
profile default

Regulatory domain profile l Name: default

l Country code: China

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 837

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

SSID profile AC_1:

l Name: wlan-net
l SSID name: wlan-net

AC_2:
l Name: wlan-net1
l SSID name: wlan-net1

AC_3:
l Names: wlan-net and wlan-net1
l SSID names: wlan-net and wlan-net1

Security profile AC_1:

l Name: wlan-net
l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

AC_2:
l Name: wlan-net1
l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

AC_3:
l Name: wlan-net
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567
l Name: wlan-net1
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567

VAP profile AC_1:

l Name: wlan-net
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 838

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC_1:
l Name: wlan-net1
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-
net1 and security profile wlan-net1

AC_3:
l Name: wlan-net
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile wlan-
net
l Name: wlan-net1
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile
wlan-net1 and security profile wlan-
net1

AP system profile l AC_1: ap-system

l AC_2: ap-system1
l AC_3: ap-system and ap-system1

Global priority AC_1: 6

AC_2: 6
AC_3: 5

Individual priority AP1: 3

AP2: 3

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 839

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the switches to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 840

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_2] vlan batch 100 to 102

[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit

NOTE

You are advised to configure port isolation on GE0/0/1 and GE0/0/2 that connect Switch_2 to the APs. If port
isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on
different APs can directly communicate at Layer 2.

Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit

Step 3 Configure AC_1.

1. Choose Configuration > Fast Config > AC.

2. Configure Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 841

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and AP are directly connected, set the default VLAN of the interface directly connected to the
AP to management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 842

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure DHCP page is displayed.
4. Click Next.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN services on AC_1.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Setting tab.
# Set Country code to China and click Apply.
# Click Create in SSID Setting. The Create SSID page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 843

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the SSID name, forwarding mode, service VLAN, and security policy.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure AP priority on AC_1.

1. # Choose Configuration > AP Config > Profile Management. The Profile
Management page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 844

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. # Choose AP > AP System Profile. In AP System Profile List, click Create. The
Create AP System Profile page is displayed. Enter the profile name ap-system and
click OK.
3. # Click Dual-link Configuration and set AC priority to 3.

4. # Click Apply.
Step 6 Bind the AP system profile to the AP group.
1. # Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
2. # Click ap-group1 and choose AP > AP System Profile.
3. # On the configuration page of the AP system profile, set AP System Profile to ap-
system.
4. # Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure basic WLAN services and the AP priority for AC_2.
# Configure basic parameters for AC_2 according to the configurations of AC_1.
# On AC_2,
l set the IP address of VLANIF 100 to 10.23.100.3/24.
l On the Create AP Group page, set AP group name to ap-group2.
l On the Create SSID page, set the SSID name to wlan-net1.
l Enter the profile name ap-system1 on the Create AP System Profile page.
l Set other parameters similarly as those of AC_1.
Step 8 Configure basic WLAN services and IP address of the standby AC for AC_3.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 845

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Configure basic WLAN services on AC_3.

# Configure AC_3 according to the configuration procedure of AC_1 and set the IP
address of VLANIF 100 to 10.23.100.4/24.
2. Configure basic services for AC_3: choose Configuration > Fast Config > AP.
3. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK. Create the AP group ap-group2 in the
similar way.
4. Set service parameters for AP groups.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# On the Create SSID page, set the SSID name to wlan-net and configure the
forwarding mode, service VLAN, and security policy. The configuration is similar to that
of AC_1.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
# Configure the AP group ap-group2 in the similar way. Set the SSID name to wlan-
net1 and service VLAN to 102. After the configuration is complete, the system creates
the VAP profile wlan-net1, SSID profile wlan-net1, and security profile wlan-net1.
5. Add APs.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Import APs on AC_1 and AC_2 to AC_3 in batches.
6. Set the IP address of the standby AC.
# Choose Configuration > AP Config > Profile Management. The Profile
Management page is displayed.
# Choose AP > AP System Profile. In AP System Profile List, click Create. The
Create AP System Profile page is displayed. Enter the profile name ap-system and
click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 846

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# In Profile Management, choose AP > AP System Profile > ap-system. The AP

System Profile: ap-system page is displayed.

# Click Dual-link Configuration and set IP address of the backup AC to 10.23.100.2.

# Click Apply.

# Create the AP system profile ap-system1 and set IP address of the backup AC to
10.23.100.3.

# Refer to the configuration of AC_1 to bind the AP system profile ap-system to AP

group ap-group1 and ap-group2 to AP group ap-system1.

Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.

1. On AC_1, configure the IP address of the standby AC and AC's global priority for N+1
backup.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the
same, the AC that connects to more APs is the active AC. If the ACs connect to the same number of
APs, the AC that connects to more STAs is the active AC. If the ACs connect to the same number of
STAs, the AC with a smaller IP address is the active AC.

# On AC_1, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 847

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Backup Mode to Dual-link cold backup, AC dual-link backup status and AC
dual-link switchover status to ON and configure Local priority and IP address of the
backup AC. Set Local priority to 6 and IP address of the backup AC to 10.23.100.4
(AC_3's IP address).

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Maintenance > AP Maintenance > AP Restart to restart all APs, so that the
N+1 backup function can take effect.
NOTE
By default, N+1 backup is enabled. You need to restart all APs on the active AC. After the APs are
restarted, N+1 backup takes effect.
2. Configure AC_2 according to the configuration procedure of AC_1. The configuration
parameters and operations are the same.

3. Configure the global priority of AC_3 for N+1 backup.

# On AC_3, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.

# Set Backup Mode to Dual-link cold backup and Local priority to 5.

# Click Apply. In the dialog box that is displayed, click OK.

NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs
are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs. After the APs are
restarted, the dual-link backup function takes effect.

Step 10 Verify the configuration.

The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs connected to the APs,
and these STAs can connect to the WLAN and go online normally.

When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
ensures accelerate service recovery.

----End

8.4.5 Example for Configuring N+1 Backup for ACs in Different

Network Segments

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 848

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services require low
network reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to save costs. In this scenario, the enterprise can deploy a high performance
AC at the headquarters as a standby AC to provide backup services for active ACs in the
branches.

Networking Requirements
l AC networking mode: Layer 3 bypass mode
l DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 849

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-35 Networking for configuring N+1 backup

Data Planning

Table 8-42 AC data planning

Item Data

Management VLAN for APs AC_1 (active AC): VLAN 99

AC_2 (active AC): VLAN 100

Service VLAN for STAs AC_1: VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 850

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC_2: VLAN 102

DHCP server Router_3 functions as a DHCP server to

assign IP addresses to APs and STAs.
STAs' gateway:
l STA_1: 10.23.101.1/24
l STA_2: 10.23.102.1/24
APs' gateway:
l AP_1: 10.23.99.1/24
l AP_2: 10.23.100.1/24

IP address pool for APs AP_1: 10.23.99.2-10.23.99.254/24

AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.2-10.23.101.254/24

STA2: 10.23.102.2-10.23.102.254/24

AC's source interface AC_1: VLANIF 201

AC_2: VLANIF 202
AC_3: VLANIF 203

AC_1's management IP address VLANIF 201: 10.23.201.1/24

AC_2's management IP address VLANIF 202: 10.23.202.1/24

AC_3's management IP address VLANIF 203: 10.23.203.1/24

AP group AC_1: (active AC):

l Name: ap-group1
l Referenced profiles: AP system profile
ap-system, VAP profile wlan-net, and
regulatory domain profile default

AC_2: (active AC):

l Name: ap-group2
l Referenced profiles: AP system profile
ap-system, VAP profile wlan-net1, and
regulatory domain profile default

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 851

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC_3 (standby AC):

l Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile wlan-
net, and regulatory domain profile
default
l Name: ap-group2
– Referenced profiles: AP system
profile ap-system, VAP profile wlan-
net1, and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile AC_1:

l Name: wlan-net
l SSID name: wlan-net

AC_2:
l Name: wlan-net1
l SSID name: wlan-net1

AC_3:
l Name: wlan-net
l SSID name: wlan-net
l Name: wlan-net1
l SSID name: wlan-net1

Security profile AC_1, AC_3:

l Name: wlan-net
l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567
AC_2, AC_3:
l Name: wlan-net1
l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

AP system profile AC_3 (standby AC): ap-system and ap-

system1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 852

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile AC_1:

l Name: wlan-net
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

AC_2:
l Name: wlan-net1
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-
net1 and security profile wlan-net1

Global priority: AC_1: 0

AC_2: 0
AC_3: 5

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 853

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the routers and switches to communicate with each other.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 854

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to AC_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the PVID of GE0/0/1 is VLAN
99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to AC_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the PVID of GE0/0/1 is
VLAN 100. See Switch_1 for the detailed configuration procedure.
Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.
# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.

[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which will cause APs unable to connect to the correct AC based on AC priority.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 855

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24

[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1
10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1
10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit

Step 3 Configure AC_1.

1. Choose Configuration > Fast Config > AC.

2. Configure Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 201 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 856

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 201 to 10.23.201.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 857

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Click Next.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN services on AC_1.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Setting tab.
# Set Country code to China and click Apply.
# Click Create in SSID Setting. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 858

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure basic WLAN services and AP priority for AC_2.
# Configure basic parameters for AC_2 according to the configurations of AC_1.
# On AC_2,
l Create VLAN 102 and VLAN 202.
l Set the IP address of VLANIF 202 to 10.23.202.1/24. Refer to the AC_1 configuration
for the detailed procedure.
l Create the AP group ap-group2.
l Configure the SSID name wlan-net1.
l Set other parameters according to the configuration of AC_1.
Step 6 Configure basic WLAN services and IP address of the standby AC for AC_3.
1. Create VLAN 101, VLAN 102, and VLAN 203. See AC_1 for the detailed configuration
procedure.
2. Configure AC_3 according to the configuration procedure of AC_1 and set the IP
address of VLANIF 203 to 10.23.203.1/24.
3. Configure basic services for AC_3: choose Configuration > Fast Config > AP.
4. Create an AP group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 859

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK. Create the AP group ap-group2 in the
similar way.
5. Set service parameters for AP groups.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# On the Create SSID page, set the SSID name to wlan-net and configure the
forwarding mode, service VLAN, and security policy. The configuration is similar to that
of AC_1.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
# Configure the AP group ap-group2 in the similar way. Set the SSID name to wlan-
net1 and service VLAN to 102. After the configuration is complete, the system creates
the VAP profile wlan-net1, SSID profile wlan-net1, and security profile wlan-net1.
6. Add APs.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Import APs on AC_1 and AC_2 to AC_3 in batches.
7. Set the IP address of the standby AC.
# Choose Configuration > AP Config > Profile Management. The Profile
Management page is displayed.
# Choose AP > AP System Profile. In AP System Profile List, click Create. The
Create AP System Profile page is displayed. Enter the profile name ap-system and
click OK.

# In Profile Management, choose AP > AP System Profile > ap-system. The AP

System Profile: ap-system page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 860

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Dual-link Configuration and set IP address of the backup AC to 10.23.201.1.

# Click Apply.

# Create the AP system profile ap-system1 and set IP address of the backup AC to
10.23.202.1.
8. Bind the AP system profile to the AP group.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# Click ap-group1 and choose AP > AP System Profile.

# On the configuration page of the AP system profile, set AP System Profile to ap-
system.

# Click Apply. In the dialog box that is displayed, click OK.

# Bind the AP system profile ap-system1 to the AP group ap-group2 in the similar way.

Step 7 Enable N+1 backup on AC_1, AC_2, and AC_3.

1. # On AC_1, configure the IP address of the standby AC and AC's global priority for N+1
backup.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the
same, the AC that connects to more APs is the active AC. If the ACs connect to the same number of
APs, the AC that connects to more STAs is the active AC. If the ACs connect to the same number of
STAs, the AC with a smaller IP address is the active AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 861

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On AC_1, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.
# Set Backup mode to Dual-link cold backup, and AC dual-link switchover status to
ON, and configure Local priority and IP address of the backup AC. Set IP address of
the backup AC to 10.23.203.1 (IP address of AC_3).

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Maintenance > AP Maintenance > AP Restart > Restart All to restart all
APs, so that the N+1 backup function can take effect.
NOTE
By default, N+1 backup is enabled. You need to restart all APs on the active AC. After the APs are
restarted, N+1 backup takes effect.
2. # Configure AC_2 according to the configuration procedure of AC_1. The configuration
parameters and operations are the same.
3. # Configure the global priority of AC_3 for N+1 backup.
# On AC_3, choose Configuration > Reliability Config > Reliability Config. The
Reliability Config page is displayed.
# Set Backup Mode to Dual-link cold backup and Local priority to 5.

# Click Apply. In the dialog box that is displayed, click OK.

NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the APs
are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs. Choose
Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs. After the APs are
restarted, the dual-link backup function takes effect.

Step 8 Verify the configuration.

The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs connected to the APs,
and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
ensures accelerate service recovery.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 862

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.5 Roaming Configuration Examples

8.5.1 Example for Configuring Inter-VLAN Layer 3 Roaming
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. To differentiate department management, employees are assigned different
subnets by department. Furthermore, users' services are not affected during roaming in the
coverage area.

Networking Requirement
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 863

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-36 Networking for configuring inter-VLAN Layer 3 roaming

Data Planning

Table 8-43 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Service VLAN for STAs l area_1: VLAN 101

l area_2: VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 864

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs l area_1: 10.23.101.3-10.23.101.254/24

l area_2: 10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G
radio profile wlan-radio5g

l Name: ap-group2
l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G
radio profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China
l Calibration channel set: calibration
bandwidth and channels for 2.4 GHz and
5 GHz radios

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

l Name: wlan-net
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 865

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Air scan profile l Name: wlan-airscan

l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM profile l Name: wlan-rrm

l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio profile l Name: wlan-radio2g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profiles: air scan profile
wlan-airscan and RRM profile wlan-
rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 866

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1 and GE0/0/3 is VLAN
10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 867

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router-GigabitEthernet1/0/0] port link-type trunk

[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 868

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 869

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure the global IP address pool huawei.
– Subnet address: 10.23.10.0
– Vendor-defined: sub-option value 3; sub-option parameter ascii; IP address
10.23.100.1
– Gateway IP: 10.23.10.1
– Address pool interface: VLANIF 100

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 870

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 871

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 5 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.

# Create the AP group ap-group2 in the same way.

NOTE

The following example configures the AP group ap-group1. The configuration of AP group ap-group2
is the same as that of AP group ap-group1.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to CHINA and click Apply.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 872

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 873

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 874

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 7 Configure WLAN services.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

8.5.2 Example for Configuring Intra-VLAN Roaming

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 875

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Networking Requirement
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Figure 8-37 Networking for configuring intra-VLAN roaming

IP
Network

Router
GE1/0/0
VLANIF101
10.23.101.2

GE0/0/3
GE0/0/1
SwitchB
GE0/0/2
GE0/0/1 AC
VLANIF101
10.23.100.1/24
GE0/0/2

GE0/0/1 GE0/0/3
SwitchA

AP： AP：
area_1 area_2

Roaming

STA STA

Management VLAN: VLAN 100

Service VLAN：VLAN 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 876

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-44 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: CN
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 877

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 878

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 879

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB] dhcp enable

[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 880

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 881

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 882

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 883

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 884

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 885

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 886

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

8.5.3 Example for Configuring Inter-AC Layer 2 Roaming

Networking Requirement
l AC networking mode: AC_1 and AC_2 in a mobility group
l DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 887

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-38 Networking for configuring inter-AC Layer 2 roaming

Data Planning

Table 8-45 AC data planning

Item Data

DHCP AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.
server

IP address 10.23.100.3-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 888

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: CN
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Mobility l Name: mobility

group l Members: AC_1 and AC_2

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 889

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning or configure the radio calibration function to enable the APs to automatically select the optimal
channels.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 890

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100

[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for AC_1.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 891

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Add GigabitEthernet0/0/2 to VLAN 100 and VLAN 101 in tagged mode in the same
way.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 892

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Configure an IP address pool on VLANIF 101 and specify that the IP address
10.23.101.2 cannot be assigned to STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 893

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 3 Configure system parameters for AC_2.
Configure AC_2 according to the configuration of AC_1. The following lists configuration
differences between AC_1 and AC_2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 894

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Set the IP addresses of VLANIF 100 and VLANIF 101 to 10.23.100.2/24 and
10.23.101.2/24 respectively.
l Do not configure the DHCP address pool.

Step 4 Configure WLAN services on AC_1.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 895

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– AP MAC address: 60de-4476-e360

– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure WLAN services on AC_2.
Configure WLAN services on AC_2 according to the configuration of AC_1. The following
lists configuration differences between AC_1 and AC_2.
l Add the AP6010DN-AGN with MAC address dcd2-fc04-b500 on AC_2, set the AP
name to area_2, and add the AP to the AP group ap-group1.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels.
1. Create an RRM profile and configure automatic channel and power calibration.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 896

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.

# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 897

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Radio calibration stops one hour after the radio calibration is manually triggered.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure WLAN roaming on AC_1.

1. Choose Configuration > AC Config > Basic > Inter-AC Roaming. The Inter-AC
Roaming page is displayed.
2. Click Create. On the Create Mobility Group page that is displayed, configure WLAN
roaming.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 898

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Create a mobility group and add AC_1 and AC_2 to the mobility group.

# Click Create. The Create Mobility Group page is displayed.

# Set Mobility group name to mobility and add AC_1 and AC_2 to the mobility group.

Click OK. The Inter-AC Roaming page is displayed.

4. Click Apply.

Step 8 Configure WLAN roaming on AC_2.

The configuration is similar to that of AC_1 and is not mentioned here.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 899

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

8.5.4 Example for Configuring Inter-AC Layer 3 Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. To differentiate department management, employees are assigned different
subnets by department. Furthermore, users' services are not affected during roaming in the
coverage area.

Networking Requirement
l AC networking mode: AC_1 and AC_2 in a mobility group
l DHCP deployment mode:
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
– AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
l Service data forwarding mode: direct forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 900

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-39 Networking for configuring inter-AC Layer 3 roaming

Data Planning

Table 8-46 AC data planning

Item Data

DHCP AC_1 functions as a DHCP server to allocate IP addresses to STAs and APs
server connected to it.
AC_2 functions as a DHCP server to allocate IP addresses to STAs and APs
connected to it.

IP address 10.23.100.2-10.23.100.254/24
pool for the 10.23.200.2-10.23.200.254/24
APs

IP address 10.23.101.2-10.23.101.254/24
pool for the 10.23.102.2-10.23.102.254/24
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 901

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC_1's VLANIF 100: 10.23.100.1/24

source
interface
address

AC_2's VLANIF 200: 10.23.200.1/24

source
interface
address

AP group l Name: ap-group1

l Referenced profile: VAP profile wlan-vap1 and regulatory domain
profile default

l Name: ap-group2
l Referenced profile: VAP profile wlan-vap2 and regulatory domain
profile default

Regulatory l Name: default

domain l Country code: CN
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net1

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

l Name: wlan-net2
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 902

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Mobility l Name: mobility

group l Members: AC_1 and AC_2

NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 903

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit

# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit

Step 2 Configure inter-AC interworking.

# On AC_1, add GE0/0/2 to VLAN 100.
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/1] quit

# On AC_1, configure a route to AC_2 with the next hop as Router's VLANIF 100 so that
AC_1 and AC_2 can communicate with each other.
[AC_1] ip route-static 10.23.200.0 24 10.23.100.2

# On AC_2, add GE0/0/2 to VLAN 200.

[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/1] port link-type trunk

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 904

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200

[AC_2-GigabitEthernet0/0/1] quit
# On AC_2, configure a route to AC_1 with the next hop as Router's VLANIF 200 so that
AC_1 and AC_2 can communicate with each other.
[AC_2] ip route-static 10.23.100.0 24 10.23.200.2

Step 3 Configure system parameters for AC_1.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

– If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP
to management VLAN 100.
– Add GigabitEthernet0/0/2 to VLAN 100 in tagged mode in the same way.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 905

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 906

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

# Click OK.
# Configure an IP address pool on VLANIF 101.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 907

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure system parameters for AC_2.
Configure AC_2 according to the configuration of AC_1. The following lists configuration
differences between AC_1 and AC_2.
l Create VLAN 200 and VLAN 102 on AC_2 and add GigabitEthernet0/0/1 to the two
VLANs in tagged mode.
l Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode.
l Set the IP addresses of VLANIF 200 and VLANIF 101 to 10.23.200.1/24 and
10.23.102.1/24 respectively.
l Configure an IP address pool on VLANIF 200 and VLANIF 102.
Step 5 Configure WLAN services on AC_1.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 908

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Configure WLAN services on AC_2.

Configure WLAN services on AC_2 according to the configuration of AC_1. The following
lists configuration differences between AC_1 and AC_2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 909

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Create the AP group ap-group2 on AC_2.

l Add the AP6310SN-GN with MAC address dcd2-fc04-b500 on AC_2. Set the AP name
to area_2 and add the AP to the AP group ap-group2.
l Create the VAP profile wlan-vap2 on AC_2.
l In the VAP profile wlan-vap2, set the service VLAN to VLAN 102. The settings of
other parameters are the same as those in the VAP profile wlan-vap1.
Step 7 Configure inter-AC interworking.
NOTE

Configure static routes on AC_1 and AC_2 in the same way. This example provides only the static route
configured on AC_1. On AC_2, the route to AC_1 needs to be configured with the next hop as Router's
VLANIF 200.
1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table to create a static route.

3. Click OK.
Step 8 Configure WLAN roaming on AC_1.
1. Choose Configuration > AC Config > Basic > Inter-AC Roaming. The Inter-AC
Roaming page is displayed.
2. Click Create. On the Create Mobility Group page that is displayed, configure WLAN
roaming.

3. Create a mobility group and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility and add AC_1 and AC_2 to the mobility group.

Click OK. The Inter-AC Roaming page is displayed.

4. Click Apply.
Step 9 Configure WLAN roaming on AC_2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 910

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

The configuration is similar to that of AC_1 and is not mentioned here.

Step 10 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User List,
select the STA of which you want to view the roaming tracks and click Roaming Track.
The roaming tracks of the STA are displayed.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 911

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.6 Agile Distributed Networking Configuration

Examples
8.6.1 Example for Configuring an Agile Distributed WLAN
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 912

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-40 Networking for configuring an agile distributed WLAN

Data Planning

Table 8-47 AC data planning

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to central APs,

server RUs, and STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
central APs
and RUs

IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 913

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN pool
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Configuration Roadmap

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 914

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure system parameters for the AC.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 915

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 101 in tagged mode in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 916

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Configure an IP address pool on VLANIF 101 in the same way.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 917

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure WLAN services.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 918

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– AP name: central_AP
– AP group: ap-group1
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 919

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 920

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.7 High-Density Configuration Examples

8.7.1 Example for Configuring High-Density WLAN Services
Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 921

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-41 Networking diagram for configuring a high-density WLAN

IP
Network

Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
Management VLAN: VLAN10, VLAN100
Service VLAN: VLAN pool

GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1

AP: area_2 AC

VLANIF100
10.23.100.1/24

STA

Data Planning

Table 8-48 Data planning

Item Data

Management VLAN for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch (SwitchB) functions
as a DHCP server to assign IP addresses to
STAs.

IP address pool for APs 10.23.10.2-10.23.10.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 922

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile default, and 5G radio
profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net, security profile wlan-net, and traffic
profile wlan-traffic

RRM profile l Name: wlan-rrm

l Automatic channel calibration: disabled
l Automatic power calibration: disabled

2G radio profile l Name: wlan-radio2g

l Referenced profile: RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profile: RRM profile wlan-
rrm

Traffic profile l Name: wlan-traffic

Configuration Roadmap
The configuration roadmap is as follows:

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 923

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Table 8-49 Adjustment recommendations

Adjustm Purpose Recommendation
ent Item

Remove To make an AP offer Increase the maximum number of access

the limit wireless services to more users to 128 for an SSID profile.
on the users.
number of
access
users

Reduce To prevent users who Set the association aging time to 1 minute.
the user frequently disconnect from
associatio the wireless network.
n aging
time

User To prevent mobile terminals Enable user isolation on the AC.

isolation from exchanging a large
number of ARP packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 924

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Adjustm Purpose Recommendation

ent Item

Adjust To reduce interference l Channel: Prevent adjacent APs from

Configure To prevent weak-signal Enable smart roaming and set the SNR
smart STAs from degrading user threshold to 15 dB.
roaming experience.

Enable To ensure that wireless Enable airtime fair scheduling.

airtime channel resources can be
fair equally allocated to users.
schedulin
g

Set the To prevent hidden STAs. Set the RTS-CTS operation mode to rts-
RTS-CTS cts and the RTS threshold to 1400 bytes.
threshold

Adjust the To improve the overall data Set the interval for sending Beacon frames
interval at traffic of APs. to 160 ms.
which
Beacon
frames
are sent

Set the To reduce extra overhead Set the GI mode to short GI.
guard and improve AP
interval transmission efficiency.
(GI)
mode to
short GI

Configure To improve the overall AP Delete low rates from the basic rate set.
the basic throughput.
rate set

Configure To improve the network Configure the short preamble. If some

the short synchronization legacy NICs exist on the network, disable
preamble performance. the short preamble function.
for a radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 925

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Adjustm Purpose Recommendation

ent Item

Adjust To improve user experience. Set the EDCA parameters of AC_BE

EDCA packets as follows:
parameter l AP:
s
– ecwmin: 5
– ecwmax: 6
– aifsn: 3
l STA:
– ecwmin: 7
– ecwmax: 10
– aifsn: 3

7. Deliver the WLAN services to the APs and verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 926

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

Step 3 Create VLANs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 927

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 928

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 929

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 930

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 931

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 932

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 933

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

EDCA parameters for AC_BE packets of STAs as follows: AIFSN: 3; ECWmin: 7;

ECWmax: 10

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 934

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 935

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

5. Configure the AP to work in dual-5G mode. This step is only for APs that support
switching between 2.4G and 5G radios.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.

# Click Radio 0. The Radio 0 Settings page is displayed. Enable the dual-5G mode. In
the dialog box that is displayed, click OK.

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Perform the following configurations:

– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 ms.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 936

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– Enable the short preamble function.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 937

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 0. The profiles under Radio 0 are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 938

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 1. The profiles under Radio 1 are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 939

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click 5G Radio Profile. On the 5G radio profile configuration page that is displayed,
set 5G Radio Profile to wlan-radio5g and click Apply. In the dialog box that is
displayed, click OK.

# Click next to Radio 2. The profiles under Radio 2 are displayed.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.

# Disable automatic channel and power calibration functions; enable airtime fair
scheduling; enable smart roaming; configure the SNR-based roaming trigger mode, and
set the SNR threshold to 15 dB.

# Click Apply. In the dialog box that is displayed, click OK.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the VAP profile are displayed.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 940

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

----End

8.8 Example for Configuring Vehicle-Ground

Communication

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 941

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.8.1 Example for Configuring Vehicle-Ground Fast Link

Handover
Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 942

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-42 Networking for configuring vehicle-ground fast link handover

Trackside AP Trackside AP Trackside AP Trackside AP Trackside AP Trackside AP

（L1_001）（L1_003）（L1_010）（L1_150）（L1_160）（L1_170）

MAC: 286e-d488-d359 MAC: 286e-d488-d270

Vehicle- mounted terminal_1 Vehicle- mounted terminal_2

Trackside AP Trackside AP
（in the rear） GE0/0/1 GE0/0/1 （in the front）

Forward direction

：active Mesh link

：candidate Mesh link

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 943

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-50 AP data planning

AP Type MAC Address

Trackside AP AP9132DN 0046-4b59-1d10

(L1_001)

Trackside AP AP9132DN 0046-4b59-1d20

(L1_003)

Trackside AP AP9132DN 0046-4b59-1d30

(L1_010)

Trackside AP AP9132DN 0046-4b59-1d40

(L1_150)

Trackside AP AP9132DN 0046-4b59-1d50

(L1_160)

Trackside AP AP9132DN 0046-4b59-1d60

(L1_170)

......

Vehicle-mounted AP9132DN 0046-4b59-2e10

AP (in the front)

Vehicle-mounted AP9132DN 0046-4b59-2e20

AP (in the rear)

.......

Table 8-51 AC data planning

Item Data

Management VLAN VLAN 100

Multicast service VLAN VLAN 101

Service VLAN for STAs VLAN 200

DHCP server l Configure the AC as a DHCP server to assign IP

addresses to trackside APs.
l Configure Switch_A as a DHCP server to assign IP
addresses to vehicle-mounted terminals.

AC's source interface VLANIF 100: 10.23.100.1/24

address

Gateway address IP address of VLANIF 101 on Switch_A: 10.23.224.1/24

IP address pool for APs 10.23.100.2-10.23.100.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 944

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for vehicle- 10.23.224.4-10.23.224.254/24

mounted terminals

AP group to which Name: mesh-mpp

trackside APs belong

IDs of trackside APs l Trackside AP (L1_001): 1

l Trackside AP (L1_003): 2
l Trackside AP (L1_010): 3
l Trackside AP (L1_150): 101
l Trackside AP (L1_160): 102
l Trackside AP (L1_170): 103

Security profile l Name: sp01

l Security policy: WPA2+PSK+AES
l Password type: PASS-PHRASE
l Authentication key: a1234567

AP system profile l Name: mesh-sys

l Mesh role: mesh-portal

Mesh profile Trackside APs:

l Name: mesh-net
l Identifier: mesh-net
Vehicle-mounted APs:
l Name: mesh-net
l Identifier: mesh-net

Mesh handover profile Trackside APs:

l Name: hand-over
Vehicle-mounted APs:
l Name: hand-over

Mesh whitelist on trackside Name: whitelist01

APs Add MAC addresses of all vehicle-mounted APs on trains
running on the rail to the whitelist according to actual
situations.

Mesh whitelist on vehicle- Name: whitelist01

mounted APs Add MAC addresses of all trackside APs along the rail line
to the whitelist according to actual situations.

MAC address of the l Gateway: 707b-e8e9-d328

proxied ground device l Network management device: 286e-d488-12cd
l Multicast source: 286e-d488-b6ab

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 945

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

MAC address of the l Vehicle-mounted terminal_1: 286e-d488-d359

proxied vehicle-mounted l Vehicle-mounted terminal_2: 286e-d488-d270
device

Multicast group 225.1.1.1-225.1.1.3

l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.

Procedure
Step 1 Configure switches.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 946

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 947

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure other interfaces connected to trackside APs on Switch_B according to

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.

# Configure other interfaces connected to trackside APs on Switch_C according to

6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to

properly forward multicast data.

# Enable IGMP snooping globally on Switch_A.

[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.

[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 948

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0

[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the

multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.

[Switch_B] vlan 101

[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 949

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 950

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 3 Configure trackside APs

1. Choose Configuration > Fast Config > Mesh.
2. Create the AP group mesh-mpp for the MPPs.

# In AP Group List, click Create. The Create AP Group page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 951

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the AP group name to mesh-mpp and click OK.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 952

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 953

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > AP Config > AP Info.

5. Configure a Mesh handover profile.

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Handover Profile in Profile Management. The Mesh
Handover Profile page is displayed.

# Click Create. On the Create Mesh Handover Profile page that is displayed, enter
profile name hand-over and click OK. The Mesh profile configuration page is
displayed.

# Set Position-based handover algorithm to ON.

# Click Apply.
6. Configure a Mesh profile.

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Profile in Profile Management. Click Create. On the page that
is displayed, set Profile name to mesh-net and Mesh ID to mesh-net, and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 954

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > Profile.

# Choose Mesh > Mesh Profile > Mesh-net > Mesh Handover Profile in Profile
Management, select Mesh handover profile hand-over, and click Apply.

7. Configure the AP's wired port profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 955

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 956

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 957

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.

# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.

# Click OK.
2. Create a security profile and configure the security policy.

# Choose Configuration > WLAN Service > Profile > Wireless Service > Security
Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 958

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create and create security profile sp01.

# In Security Settings, set the password type to PASS-PHRASE, and enter and confirm
the password a1234567.

# Click Apply.
3. Create a Mesh whitelist profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Whitelist
Profile. Click Create and create Mesh whitelist whitelist01.

# Click Apply.

# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist of
vehicle-mounted APs on the other trains according to the preceding configuration
procedure.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 959

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Configure a Mesh handover profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Handover
Profile.

# Click Create and create Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.

# Set Position-based handover algorithm to ON and Moving direction to forward.

Click Apply.

5. Configure a Mesh profile.

# Create Mesh profile mesh-net and bind it to the security profile and Mesh handover
profile.

# Choose Configuration > WLAN Service > Profile > Mesh > Mesh Profile.

# Choose Configuration > WLAN Service > Wireless Service > Radio 1 > Mesh >
Mesh Profile. Bind Mesh profile mesh-net and click Apply.

# Choose Configuration > WLAN Service > Wireless Service > Radio 1 > Mesh >
Mesh Whitelist Profile. Bind Mesh whitelist profile whitelist01 and click Apply.

Step 5 Add proxied devices on the vehicle-mounted AP

# Add proxied ground devices. Add MAC addresses of Switch_A, network management
device, and multicast source on the vehicle-mounted AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 960

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 6 Configure IGMP snooping on the vehicle-mounted AP

# Choose Config > IGMP-Snooping > IGMP-Snooping.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

Step 7 Verify the configuration

1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to view
Mesh link information. If Mesh links are set up successfully, information about Mesh
links is displayed.

2. Verify the configuration on the vehicle-mounted AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 961

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Maintenance > Train To Ground COMM > Vehicle-Mounted AP Roaming

Trace to view the roaming trace of the vehicle-mounted AP.

----End

8.9 Radio Resource Management Configuration Examples

8.9.1 Example for Configuring Dynamic Load Balancing
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area. A VLAN
pool serves as a service VLAN to prevent insufficient IP address resource or IP address
resource waste, reducing the number of users in a VLAN and reducing the broadcast domain.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 962

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-43 Networking for configuring dynamic load balancing

Data Planning

Table 8-52 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 963

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G
radio profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

RRM profile l Name: wlan-rrm

l Start threshold for dynamic load
balancing: 15
l Load difference threshold for dynamic
load balancing: 25%

2G radio profile l Name: wlan-radio2g

l Referenced profile: RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profile: RRM profile wlan-
rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 964

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Select Fast Config to configure the APs to go online on the AC.

5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
7. Configure dynamic load balancing to prevent one AP from being heavily loaded.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLANs 100, 101, and 102. The default
VLAN of GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 965

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 966

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 967

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 968

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 969

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 5 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 6 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 970

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 971

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 7 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 972

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Configure dynamic load balancing.

1. In the RRM profile, enable dynamic load balancing, and set the start threshold for
dynamic load balancing to 15 and load difference threshold to 25%.

# Choose Configuration > AP Cnfig > Profile.

# Choose Radio Management > RRM profile in Profile Management. The RRM
Profile list page is displayed.

# Click an RRM profile. The RRM profile configuration page is displayed.

# In the RRM profile, enable dynamic load balancing, and set the start threshold for
dynamic load balancing to 15 and load difference threshold to 25%.

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 973

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a new STA requests to connect to AP area_1, the AC uses a dynamic load
balancing algorithm to redirect the STA to the AP with a light load according to the
information reported by APs.

----End

8.9.2 Example for Configuring Static Load Balancing

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area. A VLAN
pool serves as a service VLAN to prevent insufficient IP address resource or IP address
resource waste, reducing the number of users in a VLAN and reducing the broadcast domain.

Networking Requirements
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 974

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– The aggregation switch (SwitchB) functions as a DHCP server to assign IP

addresses to STAs.
l Service data forwarding mode: direct forwarding

Figure 8-44 Networking for Configuring Static Load Balancing

Data Planning

Table 8-53 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 975

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Static load balancing group l Name: wlan-static

l Start threshold for load balancing: 10
l Load difference threshold for load
balancing: 5%

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Fast Config to configure system parameters for the AC.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
7. Configure static load balancing to prevent one AP from being heavily loaded.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 976

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 977

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure DHCP relay on SwitchB.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 978

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 979

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 980

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 981

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 5 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 6 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 982

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 983

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 7 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 984

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Configure static load balancing.

1. Create the static load balancing group wlan-static and set the start threshold for static
load balancing to 10 and load difference threshold to 5%.

# Choose Configuration > AP Config > AP Group > Static Load Balancing Group.
The Static Load Balancing Group page is displayed.

# Click Create. On the page that is displayed, enter the profile name wlan-static, and set
the start threshold for static load balancing to 10 and load difference threshold to 5%.
Add AP area_1 and AP area_2 to the static load balancing group.

# Click OK. In the dialog box that is displayed, click OK.

Step 9 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 985

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP with a light load based on the configured load
balancing group.

----End

8.9.3 Example for Configuring Band Steering

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 986

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– The aggregation switch (SwitchB) functions as a DHCP server to assign IP

addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Figure 8-45 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Data Planning

Table 8-54 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 987

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 988

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure the band steering function and proper band steering parameters so that STAs
can preferentially access the 5 GHz frequency band.

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 989

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 990

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 991

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 992

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 993

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 994

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.

# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 995

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the band steering function.
1. Enable the band steering function in the VAP profile wlan-net. By default, the band
steering function is enabled.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP Profile
List page is displayed.
# Click wlan-net. The VAP profile page is displayed.
# Enable the band steering function on the VAP profile page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 996

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. # Create the RRM profile wlan-rrm. In the RRM profile, configure load balancing
between radios to prevent heavy load on a single radio. Set the start threshold for load
balancing between radios to 15, and the load difference threshold to 25%.
# Choose Configuration > AP Config > Profile Management.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Set the start threshold for load balancing between radios to 15, and the load difference
threshold to 25% on the RRM profile configuration page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 997

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.

# Choose Configuration > AP Config > Profile Management.

# Choose Radio Management > 2G Radio Management in Profile Management. The
2G Radio Management List page is displayed.
# Click Create. On the Create 2G Radio Management page that is displayed, enter the
profile name wlan-radio2g and click OK. The 2G radio profile configuration page is
displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.
# To bind the RRM profile to the radio profile, click RRM Profile. On the RRM profile
configuration page that is displayed, set RRM Profile to wlan-rrm and click Apply. In
the dialog box that is displayed, click OK.
4. # Bind the 2G radio profile wlan-radio2g to the AP group ap-group1.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
# Click ap-group1 in AP Group.

# Click next to Radio Management. The profiles referenced by Radio

Management are displayed.

# Click next to Radio 0. The profiles referenced by Radio 0 are displayed.

# To bind the 2G radio profile, click 2G Radio Profile. On the 2G radio profile
configuration page, set 2G Radio Profile to wlan-radio2g and click Apply. On the
dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 998

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 7 Verify the configuration.

----End

8.9.4 Example for Configuring Smart Roaming

Service Requirements
To ensure optimal user experience, a stadium requires that users associate with the nearest
APs when moving on the stadium stand. Furthermore, users' services are not affected during
roaming in the coverage area. A VLAN pool serves as a service VLAN to prevent insufficient
IP address resource or IP address resource waste, reducing the number of users in a VLAN
and reducing the broadcast domain.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 999

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-46 Networking for configuring smart roaming

IP
Network

Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
Management VLAN: VLAN10, VLAN100
Service VLAN: VLAN pool

GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1

AP: area_2 AC

VLANIF100
10.23.100.1/24

STA

Data Planning

Table 8-55 AC data planning

Item Data

Management VLANs for APs VLAN 10 and VLAN 100

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1000

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Service VLAN for STAs VLAN pool

l Name: sta-pool
l VLANs in the VLAN pool: VLAN 101
and VLAN 102

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

IP address pool for APs 10.23.10.2-10.23.10.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24

AC's source interface address VLANIF 100: 10.23.100.1/24

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-
net and regulatory domain profile
default
l Referenced profiles: VAP profile wlan-
net, regulatory domain profile default,
2G radio profile wlan-radio2g, and 5G
radio profile wlan-radio5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profiles: SSID profile wlan-
net, security profile wlan-net, and traffic
profile wlan-traffic

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1001

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

RRM profile l Name: wlan-rrm

l Automatic channel calibration: enabled
l Automatic power calibration: enabled
l Smart roaming threshold type: SNR-
based and rate percentage-based
l SNR threshold for smart roaming: 30
l Rate percentage threshold for smart
roaming: 30

2G radio profile l Name: wlan-radio2g

l Referenced profile: RRM profile wlan-
rrm

5G radio profile l Name: wlan-radio5g

l Referenced profile: RRM profile wlan-
rrm

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Fast Config to configure system parameters for the AC.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
7. Configure smart roaming and proper smart roaming parameters to forcibly disconnect
weak-signal users (especially sticky terminals) so that the users can reconnect or roam to
APs with strong signals.

NOTE

Some terminals on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
terminals fail to roam to neighbor APs with better signals. They are called sticky terminals.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1002

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– In tunnel forwarding mode, you are advised to configure multicast packet

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLANs 10, 101, and 102. The default
VLAN of GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1003

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# Configure DHCP relay on SwitchB.

Step 3 Create VLANs.

1. Choose Configuration > AC Config > VLAN > VLAN.
2. Click Create. The Create VLAN page is displayed.
3. In Create VLAN, set VLAN ID to 101 and click OK.
4. Create VLAN 102 in the same way.

Step 4 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1004

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1005

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1006

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1007

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 5 Configure the VLAN pool.

1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.

# Click Create. The Create VLAN Pool page is displayed.

# Configure the VLAN pool sta-pool.

– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.

Step 6 Configure static routes.

1. Choose Configuration > AC Config > IP > Route. The Route page is displayed.
2. Click Create in Static Route Configuration Table.

3. Click OK.

Step 7 Configure WLAN services.

1. Choose Configuration > Fast Config > AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1008

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1009

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 8 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1010

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Configure smart roaming.

1. Create the RRM profile wlan-rrm. In the profile, enable smart roaming, configure SNR-
based and rate-based roaming trigger modes and their roaming thresholds to 30 dB and
30%, respectively.

# Choose Configuration > AP Cnfig > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile list page is displayed.

# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.

# In the RRM profile, enable smart roaming, configure SNR-based and rate-based
roaming trigger modes and their roaming thresholds to 30 dB and 30%, respectively.

# Click Apply. In the dialog box that is displayed, click OK.

Step 10 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1011

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.10 Spectrum Analysis Configuration Examples

8.10.1 Example for Configuring Spectrum Analysis
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1012

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-47 Networking for configuring spectrum analysis

Data Planning

Table 8-56 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1013

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, 5G radio profile wlan-radio5g,
and spectrum profile wlan-spectrum

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Air scan interval: 80000 ms
l Air scan duration: 80 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1014

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Spectrum l Name: wlan-spectrum

profile l IP address of the spectrum server: 10.137.43.4
l Port number of the spectrum server: 55555
l Port number used by the AC to receive spectrum information
(encapsulated in UDP packets) from APs when the AC is used to send
data to the spectrum server: 5001
l Aging time of non-Wi-Fi devices on an AC during spectrum analysis: 5
minutes

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send
alarms to the AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1015

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1016

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1017

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1018

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1019

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure spectrum analysis.
1. Set spectrum analysis parameters.
# Choose Configuration > AP Config > Profile.
# Choose AP > AP System Profile in Profile Management. The AP System Profile
List page is displayed.
# Click Create. The Create AP System Profile page is displayed. Enter the profile
name wlan-spectrum and click OK. On the ap system profile configuration page that is
displayed, set related parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1020

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

2. Create an air scan profile and configure the scan channel set, scan interval, and scan
duration.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > Air Scan Profile in Profile Management. The Air
Scan Profile List page is displayed.

# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.

# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1021

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# To bind the air scan profile to the radio profile, click Air Scan Profile. On the air scan
profile configuration page that is displayed, set Air Scan Profile to wlan-airscan and
click Apply. In the dialog box that is displayed, click OK.
4. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.

# Click Radio 0. On the Radio 0 Settings page that is displayed, set the radio
parameters.

# Click Apply. In the dialog box that is displayed, click OK. The 5G radio configuration
is similar and not provided here.

# Click next to Radio 0. The profiles under Radio 0 are displayed.

Step 6 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1022

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. # View AP spectrum on the web platform to learn AP channel interference in
deployment sites.
a. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.

b. Select an AP and click Start.

c. In the AP radio list, click View Drawing in the Operation column. The related
spectrum charts are displayed. A maximum of four spectrum charts can be
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1023

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

d. Select your desired spectrum chart from the drop-down list box in the upper left
corner. You can select Lower or Upper on the spectrum charts of a 5G radio to
view spectrum charts of different frequencies.
e. The Real-Time FFT chart shows that the signal strength of interference is mostly
within the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click
Modify, set the signal strength scope at both ends of the color bar, and click Apply.
The Swept Spectrogram chart shows that channel 149 has the most severe
interference.

f. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1024

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.11 WLAN Security Configuration Examples

8.11.1 Example for Configuring Rogue Device Detection and
Containment
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs to intercept enterprise information, posing great threats to the
enterprise network. To prevent such attack, the detection and containment function can be
configured for authorized APs. In this way, the AC can detect rogue AP area_2 (neither
managed by the AC nor in the authorized AP list), preventing STAs from associating with the
rogue AP.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1025

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-48 Networking for configuring rogue device detection and containment

Data Planning

Table 8-57 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1026

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, and WIDS profile wlan-wids
l Working mode of the AP radio: normal
l Rogue device detection and containment: enabled

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

WIDS l Name: wlan-wids

profile l Rogue device containment mode: containment against rogue APs using
spoofing SSIDs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1027

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1028

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1029

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1030

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1031

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1032

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1033

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1034

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. The Create WIDS Profile page is displayed.

----End

8.11.2 Example for Configuring Attack Detection

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1035

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

To ensure network stability and security, network administrators can configure attack
detection and dynamic blacklist to prevent flood attacks and brute force PSK cracking.
Detected attack devices are added to the dynamic blacklist, and packets from them are
discarded, preventing attacks.

Figure 8-49 Networking for configuring attack detection

Data Planning

Table 8-58 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1036

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, WIDS profile wlan-wids, and AP system profile wlan-system
l Attack detection type of the AP radio: brute force PSK cracking attack
detection for WPA2-PSK authentication and flood attack detection

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1037

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

WIDS l Name: wlan-wids

profile l Interval for brute force PSK cracking attack detection: 70s
l Quiet time for brute force PSK cracking attack detection: 700s
l Maximum number of key negotiation failures allowed within a brute
force PSK cracking attack detection period: 25
l Flood attack detection interval: 70s
l Quiet time for flood attack detection: 700s
l Flood attack detection threshold: 350
l Dynamic blacklist: enabled

AP system l Name: wlan-system

profile l Aging time of a dynamic blacklist: 200s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1038

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1039

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1040

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1041

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1042

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1043

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the attack detection function.
1. Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0. The radio 0 configuration page is displayed.
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 0.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1044

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the Info dialog box that is displayed, click OK.
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection on radio 1 in the same way.
2. Create WIDS profile wlan-wids, and set parameters for attack detection.
# Choose Configuration > AP Config > Profile > WIDS > WIDS Profile. The WIDS
Profile List page is displayed.
# Click Create. The Create WIDS Profile page is displayed.
# Enter the name of the new WIDS profile wlan-wids in Profile name, and click OK.
The parameter setting page of the new WIDS profile is displayed.
# Set parameters for the brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection WPA2-PSK. Enable the dynamic blacklist
function.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1045

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 7 Create AP system profile wlan-system, and set the aging time of the dynamic blacklist.

# Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP System
Profile List page is displayed.

# Click Create. The Create AP System Profile page is displayed.

# Enter the name of the new AP system profile wlan-system in Profile name, and click OK.
The parameter setting page of the new AP system profile is displayed.

# Set the aging time of the dynamic blacklist to 200 seconds.

Step 8 Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Click next to WIDS, and select WIDS Profile. On the WIDS profile configuration
page, set WIDS Profile to wlan-wids, and click Apply. In the dialog box that is displayed,
click OK.

# Click next to AP, and select AP System Profile. On the AP system profile
configuration page, set AP System Profile to wlan-system, and click Apply. In the dialog
box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1046

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 9 Verify the configuration.

Choose Monitoring > WIDS and view attack detection result in the Attack Detection area.

l Click a number in the attack detection result list to view details.

l Click View Dynamic Blacklist. The View Dynamic Blacklist page is displayed.

----End

8.11.3 Example for Configuring the STA Blacklist and Whitelist

Service Requirements
An enterprise needs to provide WLAN services for management personnel so that they can
connect to the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.

Due to a small number of management personnel in the enterprise, MAC addresses of their
STAs can be added to a STA whitelist. In this manner, STAs of other employees cannot
connect to the WLAN.

In addition, network administrators have detected unauthorized access of some STAs and
need to deny access of them. The administrators can add MAC addresses of these STAs to the
blacklist, while other authorized STAs can still connect to the WLAN.

Figure 8-50 Networking for configuring the STA blacklist and whitelist

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1047

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-59 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, and AP system profile wlan-system

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and STA whitelist profile sta-whitelist

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1048

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

STA l Name: sta-whitelist

whitelist l STAs added to the STA whitelist: STA1 (0011-2233-4455) and STA2
profile (0011-2233-4466)

STA l Name: sta-blacklist

blacklist l STAs added to the STA blacklist: STA3 (0011-2233-4477) and STA4
profile (0011-2233-4488)

AP system l Name: wlan-system

profile l Referenced profile: STA blacklist profile sta-blacklist

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuing WLAN network security.

NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1049

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1050

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1051

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1052

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1053

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1054

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure a STA whitelist for VAPs.
1. Configure STA whitelist profile sta-whitelist and add MAC addresses of STA1 and
STA2 to the whitelist.
# Choose Configuration > AP Config > Profile > Wireless Service > STA Whitelist
Profile. The STA Whitelist Profile List page is displayed.
# Click Create. The Create STA Whitelist Profile page is displayed.
# Enter the name of the new STA whitelist profile sta-whitelist in Profile name, and
click OK. The parameter setting page of the new STA whitelist profile is displayed.
# Click Add. The Add MAC Address page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1055

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Add MAC addresses of STA1 and STA2 to the whitelist.

# Click OK.
2. Bind STA whitelist profile sta-whitelist to VAP profile wlan-net to enable the whitelist
to take effect on VAPs.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# Select AP group ap-group1 in the AP group list. Click next to VAP

Configuration and then click next to wlan-net.

# Click STA Blacklist And Whitelist Profile. On the STA blacklist and whitelist profile
page, select Whitelist, and set the STA whitelist profile to sta-whitelist.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 7 Configure a global STA blacklist.

1. Configure STA blacklist profile sta-blacklist and add MAC addresses of STA3 and
STA4 to the blacklist.

# Choose Configuration > AP Config > Profile > Wireless Service > STA Blacklist
Profile. The STA Blacklist Profile List page is displayed.

# Click Create. The Create STA Blacklist Profile page is displayed.

# Enter the name of the new STA blacklist profile sta-blacklist in Profile name, and
click OK. The parameter setting page of the new STA blacklist profile is displayed.

# Click Add. The Add MAC Address page is displayed.

# Add MAC addresses of STA3 and STA4 to the blacklist.

# Click OK.
2. Create AP system profile wlan-system.

# Choose Configuration > AP Config > Profile > AP > AP System Profile. The AP
System Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1056

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. The Create AP System Profile page is displayed.

# Enter the name of the new AP system profile wlan-system in Profile name. Click OK.
3. Bind STA blacklist profile sta-blacklist to AP system profile wlan-system to enable the
blacklist to take effect on APs.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# Select AP group ap-group1 in the AP group list. Click next to AP and then click
next to AP System Profile.

# Click STA Blacklist And Whitelist Profile. On the STA blacklist and whitelist profile
page, select Blacklist, and set the STA blacklist profile to sta-blacklist.

# Click Apply. In the Info dialog box that is displayed, click OK.
4. # Bind AP system profile wlan-system to AP group ap-group1.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# Select AP group ap-group1 in the AP group list. Click next to AP, and select AP
System Profile.

# On the AP system profile configuration page, set AP System Profile to wlan-system.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 8 Verify the configuration.

The WLAN with SSID wlan-net is available for STAs connected to the AP.

STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.

----End

8.12 WLAN Location Configuration Examples

8.12.1 Example for Configuring AeroScout Tag-based WLAN
Location Services

Service Requirements
When configuring WLAN services, administrators need to collect radio signals sent from
devices with AeroScout tags through APs. The collected radio signals are sent to the
AeroScout location server for location calculation, allowing users to obtain the location of all
materials in a warehouse through maps, tables, or reports.

Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1057

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Service data forwarding mode: tunnel forwarding

l Working mode of the AP radio: normal
l Location server: AeroScout tag location server

Figure 8-51 Networking for configuring AeroScout tag-based WLAN location services

/1
0/0
GE area_1
GE0/0/2 GE0/0/1
GE0/0/2 RFID

GE0/0/4 Ekahau
GE area_2
Ekahau 0/0 tag
AC SwitchA /3
Positioning
Server

area_3

Data Planning

Table 8-60 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, 5G
radio profile wlan-radio-5g, and
location profile wlan-location

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1058

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Location profile l Name: wlan-location

l AeroScout tag location: enabled
l Source IP address of packets:
10.23.100.1
l Mode in which an AP reports tag
information: AC
l Port through which an AP reports tag
information: 1144
l Port number through which the AC
reports location information: 10001

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure AeroScout tag location so that APs can receive configurations sent from the
AeroScout location server and send information collected from devices with AeroScout
tags to the AeroScout location server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1059

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the AeroScout location server.

Perform location configurations on the AeroScout location server. For details, see the
documents for the AeroScout location server.

Step 2 Configure the switch so that the AC and APs can transmit CAPWAP packets.

Step 3 Configure system parameters for the AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1060

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.
# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

# Click OK.
# Add GigabitEthernet0/0/2 to VLAN 100 in the same way.
# Click Next. The Configure Virtual Interface page is displayed.
3. Configure the virtual interfaces.
# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1061

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1062

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1063

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure WLAN air scan.

1. Configure the air scan profile.

# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.

# Click Create and create an air scan profile wlan-air-scan. Click OK.

# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1064

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
4. Apply the radio profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure AeroScout tag location.
1. Create a location profile.
# Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
# Click Create and create a location profile wlan-location. Click OK.
# Configure AeroScout tag location parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1065

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
2. Apply the location profile to an AP group.

# Choose Configuration > AP Config > AP Group > AP Group and click AP group
ap-group1.

# Choose WLAN Location > WLAN Location Profile and set WLAN Location
Profile to wlan-location.

# Click Apply.

Step 7 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios.

# On the AeroScout location server, obtain location information about devices with
AeroScout tags.

----End

8.12.2 Example for Configuring AeroScout MU-based WLAN

Location Services

Service Requirements
When configuring WLAN services, administrators need to collect radio signals sent from
STAs through APs. The collected radio signals are sent to the AeroScout location server for
location calculation, allowing users to obtain the location of the STAs through maps, tables, or
reports.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1066

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-52 Networking for configuring AeroScout MU-based WLAN location services

/1
0/0
GE area_1
GE0/0/2 GE0/0/1
GE0/0/2
GE0/0/4 MU
GE area_2
AeroScoutP 0/0
AC SwitchA /3
ositioning
Server

area_3

Data Planning

Table 8-61 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, 5G
radio profile wlan-radio-5g, and
location profile wlan-location

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1067

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Location profile l Name: wlan-location

l AeroScout MU location: enabled
l Source IP address of packets:
10.23.100.1
l Mode in which an AP reports tag
information: AC
l Server port number: 1144
l Port number through which the AC
reports location information: 10001

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure AeroScout MU location so that APs can receive configurations sent from the
AeroScout location server and send collected MU information to the AeroScout location
server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1068

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– In tunnel forwarding mode, you are advised to configure multicast packet

Procedure
Step 1 Configure the AeroScout location server.

Perform location configurations on the AeroScout location server. For details, see the
documents for the AeroScout location server.

Step 2 Configure the switch so that the AC and APs can transmit CAPWAP packets.

Step 3 Configure system parameters for the AC.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1069

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1070

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1071

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1072

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure WLAN air scan.

1. Configure the air scan profile.

# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.

# Click Create and create an air scan profile wlan-air-scan. Click OK.

# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1073

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
4. Apply the radio profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure AeroScout MU location.
1. Create a location profile.
# Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
# Click Create and create a location profile wlan-location. Click OK.
# Configure AeroScout MU location parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1074

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
2. Apply the location profile to an AP group.

# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.

# Choose WLAN Location > WLAN Location Profile. Set WLAN Location Profile
to wlan-location.

# Click Apply.

Step 7 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios.

# On the AeroScout location server, obtain the MU location information.

----End

8.12.3 Example for Configuring Ekahau Tag-based WLAN

Location Services

Service Requirements
When configuring WLAN services, administrators need to collect radio signals sent from
devices with Ekahau tags through APs. The collected radio signals are sent to the Ekahau
location server for location calculation, allowing users to obtain the location of the devices
with Ekahau tags through maps, tables, or reports.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1075

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-53 Networking for configuring Ekahau tag-based WLAN location services

0/ 0/1
GE area_1
GE0/0/2 GE0/0/1
GE0/0/2 RFID

GE0/0/4 Ekahau
GE area_2
Ekahau 0/0 tag
AC SwitchA /3
Positioning
Server

area_3

Data Planning

Table 8-62 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.3-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, 5G
radio profile wlan-radio-5g, and
location profile wlan-location

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1076

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Location profile l Name: wlan-location

l Ekahau tag location: enabled
l Source IP address of packets:
10.23.100.1
l Mode in which an AP reports tag
information: AC
l Destination IP address and port number
through which an AP reports tag
information: 10.23.100.2/8569
l Port number through which the AC
reports location information: 10001

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure Ekahau tag location so that APs can receive configurations sent from the
Ekahau location server and send information collected from devices with Ekahau tags to
the Ekahau location server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1077

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

– In direct forwarding mode, you are advised to configure multicast packet

Procedure
Step 1 Configure the Ekahau location server.
Perform location configurations on the Ekahau location server. For details, see the documents
for the Ekahau location server.
Step 2 Configure the switch so that the AC and APs can transmit CAPWAP packets.
# Configure SwitchA (access switch). Add GE0/0/1 to GE0/0/4 on SwitchA to VLAN 100
(management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

Step 3 Configure system parameters for the AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1078

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1079

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1080

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1081

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure WLAN air scan.

1. Configure the air scan profile.

# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.

# Click Create and create an air scan profile wlan-air-scan. Click OK.

# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1082

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.
4. Apply the radio profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure Ekahau tag location.
1. Create a location profile.
# Choose Configuration > AP Config > Profile > WLAN Location > WLAN
Location Profile. The WLAN Location Profile List page is displayed.
# Click Create and create a location profile wlan-location. Click OK.
# Configure Ekahau tag location parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1083

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.
2. Apply the location profile to an AP group.

# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.

# Choose WLAN Location > WLAN Location Profile on the profile navigation bar.
Set WLAN Location Profile to wlan-location.

# Click Apply.

Step 7 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios.

# On the Ekahau location server, obtain the location information about devices with
Ekahau tags.

----End

8.12.4 Example for Configuring Wi-Fi Terminal Location Services

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1084

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-54 Networking for configuring Wi-Fi terminal location services

eSight Server
/1
0/0
GE area_1
GE0/0/2 GE0/0/1
GE0/0/2
GE0/0/4 Wi-Fi
GE area_2
0/0 terminals
AC SwitchA /3
Positioning
Server
area_3

Data Planning

Table 8-63 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.3-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, 5G
radio profile wlan-radio-5g, and
location profile wlan-location

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1085

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Location profile l Name: wlan-location

Configuration Roadmap

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1086

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1087

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 100 in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1088

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1089

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1090

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.
# Set Air Scan Profile to wlan-air-scan.
# Click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1091

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Apply the radio profile to an AP group.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1092

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply.

Step 7 Configure eSight.

1. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.

# Choose Business > WLAN Management > Region Monitor from the main menu.

# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.

# Right-click Add Region in the region topology view.

# Click OK.
2. Add APs in ap_region_1.

# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1

in the view on the right. The location view of ap_region_1 is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1093

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Right-click ap_region_1 and choose Add AP from the shortcut menu. Select the APs
that need to perform the location and click Confirm.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1094

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.

# In the ap_region_1 view, properly place each AP on the background.

# In the ap_region_1 view, click .

4. Enable the location function of eSight.

# Choose Region Topology > ap_region_1 in Resource, or right-click ap_region_1 in

the view on the right and choose Enable WIFI Location from the shortcut menu. In the
dialog box that is displayed, click OK.

Step 8 Verify the configuration.

1. Check that the VAPs have been successfully created on AP radios in the AC web system.

# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.

# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.
2. View the location result on eSight.

# Click in the ap_region_1 view on the right. Click on the topology

toolbar to select information to be displayed in the topology.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1095

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Select the Wi-Fi terminals or heat maps to be displayed in the topology on the
Terminal Location tab.

----End

8.12.5 Example for Configuring Bluetooth Location Services

Service Requirements
When configuring WLAN services, administrators in the shopping mall need to obtain
information about BLE devices such as UUID and RSSI calibration. Such information
obtained by BLE broadcast frames sent from BLE devices can be sent to the location server.
When customers find a BLE device through Bluetooth terminals, obtained information will be
reported to the location server. The server then uses a location app to provide customers with
services such as navigation and shopping guide through the location algorithm.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1096

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-55 Networking for configuring Bluetooth location services

eSight Server
APP Application Server

GE0/0/1 GE0/0/1
BLE Device
GE0/0/2 GE0/0/2
AC Switch AP：area_1
A
Location Server BLE Device

Bluetooth
terminel
Bluetooth signal
BLE Device

Data Planning

Table 8-64 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
and BLE profile wlan-ble

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1097

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

BLE profile l Name: wlan-ble

l Bluetooth monitoring: enabled

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the WLAN in shopping
malls and scanned BLE information can be sent to the location server.
2. Configure Bluetooth location to ensure that APs can detect BLE devices and send
scanned BLE information to the location server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1098

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure the switch so that the AC and APs can transmit CAPWAP packets.
# Configure SwitchA (access switch). Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100
(management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 3 Configure system parameters for the AC.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1099

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 100 in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1100

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1101

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1102

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 5 Configure the Bluetooth location function.
1. Create a location profile.
# Choose Configuration > AP Config > Profile > Bluetooth Location > BLE Profile.
The BLE Profile List page is displayed.
# Click Create and create a BLE profile wlan-ble. Click OK.
# On the Monitoring surrounding BLE devices page, enable Bluetooth monitoring.
NOTE

If independent BLE devices are deployed on the WLAN, it is optional to enable Broadcast.
Otherwise, you must enable Broadcast.
Enable Broadcast, Transmit power (dBm), Broadcast interval (ms), and RSSI calibration value
(dBm). You can modify the default settings of these parameters. It is optional whether other parameters
are configured.
Only the AP4050DN-E supports Bluetooth broadcast.

# Click Apply.
2. Add a location monitoring device.
# Choose Configuration > Other Services > BLE. The Global Settings page is
displayed.
# Click Create. Set Creation mode to MAC address segment.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1103

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Configure the start MAC address and end MAC address.

# Click OK.
3. Apply the location profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.
# Choose Bluetooth Location > BLE Profile on the profile navigation bar. Set BLE
Profile to wlan-ble.

# Click Apply.
Step 6 Configure eSight.
1. Access the eSight login page and create a region. In this example, the region created is
ap_region_1.
# Choose Business > WLAN Management > Region Monitor from the main menu.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1104

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Region Topology in Resource, and click on the topology toolbar to enter the
editing mode.
# Right-click Add Region in the region topology view.

# Click OK.
2. Add a Beacon frame in ap_region_1.
# Choose Region Topology > ap_region_1 in Resource, or double-click ap_region_1
in the view on the right. The location view of ap_region_1 is displayed.

# Right-click ap_region_1 and choose Add Beacon from the shortcut menu. Add
Beacon information and click Confirm.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1105

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Set the background and scale for ap_region_1.

# Right-click ap_region_1 and choose Set Background for Subnet from the shortcut
menu.

# Select the background based on actual conditions. Click Apply Background.

NOTE
The background image is a floor plan of the physical network that is in GIF, JPG, JPEG, or PNG
format.

# Right-click ap_region_1 and choose Set Scale from the shortcut menu. Set the start
point, end point, and actual distance between the two points. eSight automatically selects
the background and scale.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1106

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# In the ap_region_1 view, properly place each AP on the background.

# In the ap_region_1 view, click .

4. Enable Bluetooth location of eSight.
# Choose Region Topology > ap_region_1 in Resource. Alternatively, right-click
ap_region_1 in the view on the right and choose Enable Bluetooth Location from the
shortcut menu. In the dialog box that is displayed, click Yes.
Step 7 Verify the configuration.
1. Check that the VAPs have been successfully created on AP radios in the AC web system.
# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.
2. View the location result on eSight.

# Click in the ap_region_1 view on the right. Click on the topology

toolbar to select information to be displayed in the topology.
# Select the Beacon devices to be displayed in the topology on the Beacon Device tab.

# Install a Bluetooth location app (typically provided by a location server vendor) on the
Bluetooth terminal, such as a smartphone. Enable the Bluetooth function and view
location information on the location app.

----End

8.12.6 Example for Configuring WLAN Infant Protection Services

Service Requirements
When configuring WLAN services, hospitals need to install signal receiving apparatus in
areas that need to be controlled. If an infant wears a harmless electronic label that can send
radio signals, the signal receiving apparatus can receive radio signals sent from the electronic
label. In this way, the locations of infants can be monitored and tracked in real time,
protecting infants from being stolen through timely alarms.

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1107

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Service data forwarding mode: tunnel forwarding

l Working mode of the AP radio: normal

Figure 8-56 Networking for configuring WLAN infant protection services

Host
computerRouter

Ap:area_1

GE0/0/1 GE0/0/3
GE0/0/1
SwitchB
RFID GE0/0/2 GE0/0/4
RFID Tag Ap:area_2 SwitchA GE0/0/2
AP with an RFID GE0/0/3
GE0/0/1
card insterted
AC
Ap:area_3

Data Planning

Table 8-65 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Referenced profiles: regulatory domain
profile default, VAP profile wlan-net,
2G radio profile wlan-radio-2g, and 5G
radio profile wlan-radio-5g

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1108

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net and security profile wlan-net

Air scan profile l Name: wlan-air-scan

l Probe channel set: country code channels

2G radio profile l Name: wlan-radio-2g

l Referenced profile: air scan profile
wlan-air-scan

5G radio profile l Name: wlan-radio-5g

l Referenced profile: air scan profile
wlan-air-scan

Serial profile l Name: wlan-serial

IoT profile l Name: wlan-iot

l IP address of the host computer:
10.23.100.254
l Port number of the host computer: 3000
l Shared key: aabb0011@11

Configuration Roadmap

1. Configure basic WLAN services so that users can connect to the internal network of
hospitals through the WLAN.
2. Configure APs to communicate with RFID cards.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1109

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure APs to communicate with the host computer.

4. On the host computer, add IP addresses of the APs and configure the same shared keys
as those on the APs.

Procedure
Step 1 Configure the host computer.
Configure a controller server and a dedicated server applicable to the infant protection system.
For details, see the documents for the server.
Step 2 Configure the AC and switches so that the AC and APs can transmit CAPWAP packets.
# Configure SwitchA (access switch). Add GE0/0/1 to GE0/0/4 on SwitchA to VLAN 100
(management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1110

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchA-GigabitEthernet0/0/4] port link-type trunk

[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

Step 3 Configure system parameters for the AC.

NOTE
In this example, tunnel forwarding is used to transmit data. If direct forwarding is used, configure port
isolation on the interface connecting the AC to APs. If port isolation is not configured, many broadcast
packets will be transmitted in the VLAN or WLAN users on different APs can directly communicate at Layer
2.
1. Choose Configuration > Fast Config > AC.
2. Configure the Ethernet interfaces.
# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interface connected to the APs to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1111

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Configure Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1112

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1113

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1114

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Configure WLAN air scan.

1. Configure the air scan profile.

# Choose Configuration > AP Config > Profile > Radio Management > Air Scan
Profile. The Air Scan Profile List page is displayed.

# Click Create and create an air scan profile wlan-air-scan. Click OK.

# Set Probe channel set to Country code channels.

# Click Apply.
2. Configure the 2G radio profile and apply the air scan profile to the 2G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 2G Radio
Profile. The 2G Radio Profile List page is displayed.

# Click Create and create a 2G radio profile wlan-radio-2g. Click OK.

# Click next to the 2G radio profile wlan-radio-2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed. Click Air Scan Profile.

# Set Air Scan Profile to wlan-air-scan.

# Click Apply.
3. Configure the 5G radio profile and apply the air scan profile to the 5G radio profile.

# Choose Configuration > AP Config > Profile > Radio Management > 5G Radio
Profile. The 5G Radio Profile List page is displayed.

# Click Create and create a 5G radio profile wlan-radio-5g. Click OK.

# Click next to the 5G radio profile wlan-radio-5g in Profile Management. The

profiles referenced by the 5G radio profile are displayed. Click Air Scan Profile.

# Set Air Scan Profile to wlan-air-scan.

# Click Apply.
4. Apply the radio profile to an AP group.

# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1115

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Radio Management > Radio 0 > 2G Radio Profile on the profile navigation
bar. Set 2G Radio Profile to wlan-radio-2g. Click Apply. In the displayed dialog box,
click OK.
# Choose Radio Management > Radio 1 > 5G Radio Profile on the profile navigation
bar. Set 5G Radio Profile to wlan-radio-5g. Click Apply. In the displayed dialog box,
click OK.
Step 6 Configure the APs to communicate with RFID cards and the host computer.
1. Create a serial profile.
# Choose Configuration > AP Config > Profile > IoT > Serial Profile. The Serial
Profile List page is displayed.
# Click Create and create a serial profile wlan-serial. Click OK.
# Set communication parameters and packet fragmentation parameters for the serial port.

# Click Apply.
2. Create an IoT profile.
# Choose Configuration > AP Config > Profile > IoT > IoT Profile. The IoT Profile
List page is displayed.
# Click Create and create an IoT profile wlan-iot. Click OK.
# Configure the IP address and port number for the host computer, and set security
communication parameters.

# Click Apply.
3. Apply the serial profile to an AP group.
# Choose Configuration > AP Config > AP Group > AP Group. Click AP group ap-
group1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1116

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose IoT > Card1 > Serial Profile. Select Self-defined on the profile navigation
bar. Set Serial Profile to wlan-serial.

# Click Apply.
Step 7 On the host computer, add IP addresses of the APs and configure the same shared keys as
those on the APs.
Step 8 Verify the configuration.
1. Check that the VAPs have been successfully created on AP radios.
# Choose Monitoring > SSID > VAP to check the VAP state. If the Status field is
displayed as on, the VAPs have been successfully created on AP radios.
2. Check the availability of the location function.
# On the host computer, obtain the location information about infants.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1117

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.13 WLAN QoS Configuration Examples

8.13.1 Example for Configuring WMM and Priority Mapping

Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video service traffic be forwarded preferentially to improve user experience in these
services.

Figure 8-57 Networking for configuring WMM and priority mapping

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1118

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-66 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net
l EDCA parameters: specified to provide higher priorities for voice and
video services

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1119

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and traffic profile wlan-traffic

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l EDCA parameters: specified to provide higher priorities for voice and
video services
l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l EDCA parameters: specified to provide higher priorities for voice and
video services
l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Traffic l Name: wlan-traffic

profile l Downlink mapping mode: DSCP
l Uplink mapping mode: 802.11e
l Priority mapping: specified to provide higher priorities for voice and
video services

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
3. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1120

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1121

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router] vlan batch 101

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1122

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1123

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1124

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1125

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1126

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1127

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the WMM function.
1. In the radio profile, enable the WMM function and set EDCA parameters on APs to
enable voice and video services to preferentially use network bandwidth.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G
Radio Profile List page is displayed.
# Enable the WMM function, select scenario Voice and video, and retain the default
settings of EDCA parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1128

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. In the SSID profile, enable the WMM function and set EDCA parameters on STAs to
enable voice and video services to preferentially use network bandwidth.
Choose Configuration > AP Config > Profile.
# Choose Wireless Service > SSID Profile > wlan-net in Profile Management. The
SSID profile configuration page is displayed.
# Select scenario Voice and video and retain the default settings of EDCA parameters.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1129

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 7 Configuring priority mapping.

This example requires that voice and video packets have the highest priority so that these
packets are preferentially transmitted. By default, the uplink and downlink mapping modes on
the air interface are 802.11e and DSCP, respectively. The uplink and downlink priority
mapping on the air interface can ensure that voice and video packets have the highest tunnel
DSCP priority. Therefore, you do not need to modify default priority mapping.

To change the default priority mapping, for example, to enable video packets with a higher
priority than voice packets, you can refer to this step.

1. Create traffic profile wlan-traffic and configure priority mapping in the profile.

# Choose Configuration > AP Config > Profile > Wireless Service > Traffic Profile.
The Traffic Profile List page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.

# Configure priority mapping and set the mapped priority of video packets higher than
that of the voice packets.

NOTE

By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or
5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the voice
packets are 32 and 40. Based on the settings, video packets will be preferentially transmitted.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1130

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the Info dialog box that is displayed, click OK.
2. Bind traffic profile wlan-traffic to VAP profile wlan-net.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# In the AP group list, click the AP group ap-group1, click next to VAP
Configuration, and click next to wlan-net

# Click Traffic Profile. On the configuration page of the authentication profile, set
Traffic Profile to wlan-traffic.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Checking the Configuration

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1131

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. Run the display radio-2g-profile name wlan-radio2g command on the AC to check the
EDCA settings on APs in the 2G radio profile. The EDCA parameter priorities of
AC_VI and AC_VO packets are higher than those of AC_BE and AC_BK packets.
Therefore, voice and video services are enabled to preferentially use wireless channels.
The configuration in the 5G radio profile is similar to that in the 2G radio profile and is
not mentioned here.
6. Run the display ssid-profile name wlan-net command on the AC to check the EDCA
settings on STAs in the SSID radio profile. The EDCA parameter priorities of AC_VI
and AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore,
voice and video services are enabled to preferentially use wireless channels.
7. Run the display traffic-profile name wlan-traffic command on the AC to check the
priority mapping configuration in the traffic radio profile. The DSCP priorities of

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1132

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

AC_VI and AC_VO packets are higher than those of AC_BE and AC_BK packets.
Therefore, voice and video services will be preferentially transmitted.

----End

8.13.2 Example for Configuring Traffic Policing

To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s

Figure 8-58 Networking for configuring traffic policing

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1133

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-67 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and traffic profile wlan-traffic

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1134

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Traffic l Name: wlan-traffic

profile l Uplink rate limit of a single STA: 2 Mbit/s
l Uplink rate limit of all STAs on a VAP: 30 Mbit/s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1135

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1136

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.
# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1137

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1138

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1139

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1140

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1141

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1142

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure traffic policing.

1. Create traffic profile wlan-traffic. Set the uplink rate limit of a single AP to 2 Mbit/s and
the total uplink rate limit of all STAs on the VAP to 30 Mbit/s.

# Choose Configuration > AP Config > Profile > Wireless Service > Traffic Profile.
The Traffic Profile List page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.

# Set the uplink rate limit to 2 Mbit/s for STAs and to 30 Mbit/s for VAPs.

# Click Apply. In the Info dialog box that is displayed, click OK.
2. Bind traffic profile wlan-traffic to VAP profile wlan-net.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# In the AP group list, click the AP group ap-group1, click next to VAP
Configuration, and click next to wlan-net

# Click Traffic Profile. On the configuration page of the authentication profile, set
Traffic Profile to wlan-traffic.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.

1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1143

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. The WLAN with the SSID wlan-net is available.

3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

----End

8.13.3 Example for Configuring Airtime Fair Scheduling

The administrator requires that multiple users on the network be able to fairly use network
bandwidth to improve overall user experience.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1144

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-59 Networking for configuring airtime fair scheduling

Data Planning

Table 8-68 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1145

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled
l Airtime fair scheduling: enabled

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1146

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1147

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100

[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1148

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1149

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1150

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1151

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1152

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1153

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1154

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure airtime fair scheduling.
1. Enter RRM profile wlan-rrm and enable airtime fair scheduling.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > RRM Profile > wlan-rrm in Profile Management.
The RRM profile configuration page is displayed.
# Enable airtime fair scheduling in the RRM profile.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1155

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

----End

8.13.4 Example for Configuring ACL-based Packet Filtering

To control network traffic, the administrator requires that packets with source IP address
10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.

Networking Requirements
l AC networking mode: Layer 2 bypass mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1156

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l DHCP deployment mode:

– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Figure 8-60 Networking for configuring ACL-based packet filtering

Data Planning

Table 8-69 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1157

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and traffic profile wlan-traffic

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1158

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Traffic l Name: wlan-traffic

profile l Configuration of ACL-based IPv4 packet filtering

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure ACL-based packet filtering in a traffic profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1159

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchA] interface gigabitethernet 0/0/2

[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1160

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1161

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1162

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1163

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1164

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create Air Scan Profile page that is displayed, enter the profile
name wlan-airscan and click OK. The air scan profile configuration page is displayed.

# Enable air scan and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1165

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure ACL-based packet filtering.
1. Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and
destination IPv4 address 10.23.101.11 to pass.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL dialog box that is displayed, set the ACL
name to ACL3001 and ACL number to 3001. Click OK.
# Click Add Rule in the new ACL.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1166

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
2. Create traffic profile wlan-traffic and apply the ACL to it.
# Choose Configuration > AP Config > Profile > Wireless Service > Traffic Profile.
The Traffic Profile List page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.
# Set the Packet filtering to IPv4 packet filtering and configure ACL 3001 to filter
incoming packets.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1167

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the Info dialog box that is displayed, click OK.
3. Bind traffic profile wlan-traffic to VAP profile wlan-net.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

# In the AP group list, click the AP group ap-group1, click next to VAP
Configuration, and click next to wlan-net
# Click Traffic Profile. On the configuration page of the authentication profile, set
Traffic Profile to wlan-traffic.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1168

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

----End

8.13.5 Example for Configuring Optimization for Voice and Video

Services
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1169

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-61 Networking for configuring optimization for voice and video services

Data Planning

Table 8-70 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1170

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
NOTE
The configuration of optimization for voice and video services supports only
tunnel forwarding.
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1171

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Voice and l Applied protocols: QQ and WeChat

video
optimizatio
n

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1172

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1173

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1174

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1175

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1176

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1177

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G

Radio Profile List page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1178

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure optimization for voice and video services.
1. Enable the security engine.
NOTE

After the security engine is enabled, the system automatically loads the default signature database.

# Choose Configuration > Security > Attack Defense. The Attack Defense page is
displayed.
# Set Security Engine to ON.
2. Enable optimization for voice and video services on QQ and WeChat.
# Choose Configuration > Other Services > SAC > Voice And Video Optimization.
The Voice And Video Optimization page is displayed.
# Set Voice optimization and Video optimization to ON.
# Set the applications' Voice optimization and Video optimization to OFF except qq
and weixin.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1179

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

NOTE
By default, dynamic optimization for voice and video services is enabled for all applications in
Application Detection Optimization List. To modify the status of the function for an application,
select the application and set Voice optimization and Video optimization to ON or OFF.

Step 7 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1180

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. After optimization for voice and video services is configured and successfully delivered,
if you have configured voice and video calls, run the display video-aware-list and
display voice-aware-list commands on the AC to check information about voice and
video sessions on the specified STA or in the specified radio of the specified AP.

----End

8.13.6 Example for Configuring Priorities for Lync Packets

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that voice and video packets of the Lync software have a higher
priority than desktop sharing and file transfer packets to ensure good user experience in voice
and video services.

Networking Requirements
l AC networking mode: Layer 2 bypass mode

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1181

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l DHCP deployment mode:

Figure 8-62 Networking for configuring priorities for Lync packets

Data Planning

Table 8-71 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1182

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
NOTE
The configuration of priorities for Lync packets supports only tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and UCC profile wlan-ucc

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1183

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

UCC profile l Name: wlan-ucc

l 802.1p priority of Lync voice packets: 6
l 802.1p priority of Lync video packets: 5
l 802.1p priority of Lync desktop sharing packets: 4
l 802.1p priority of Lync file transfer packets: 3

Lync server 9000

port number

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure priorities for Lync packets to set higher priorities for voice and video packets
than those of desktop sharing and file transfer packets.
3. Configure the AC to interact with the Lync server.

Procedure
Step 1 Configure the network devices.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1184

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1185

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1186

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1187

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1188

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1189

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1190

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1191

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure priorities for Lync packets.

1. Create UCC profile wlan-ucc and configure priorities for Lync packets.

Choose Configuration > AP Config > Profile.

# Choose Wireless Service > UCC Profile in Profile Management. The UCC Profile
List page is displayed.

# Click Create. On the Create UCC Profile page that is displayed, enter profile name
wlan-ucc and click OK. The UCC profile configuration page is displayed.

# Configure priorities for Lync packets according to the following figure.

# Click Apply. In the dialog box that is displayed, click OK.

2. Bind UCC profile wlan-ucc to VAP profile wlan-net.

Choose Configuration > AP Config > AP Group > AP Group. The AP Group page is
displayed.

# Click AP group ap-group1. Click in front of VAP Configuration and then in

front of wlan-net.

# Click UCC Profile. On the page that is displayed, set UCC Profile to wlan-ucc.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure the AC to interact with the Lync server.

Choose Configuration > Other Services > SAC > Lync. The Lync page is displayed.

# On the Lync page, set Lync listener to ON, Type to Http, and Http port to 9000.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1192

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

l The port number of the HTTP service specified on the AC must be consistent with the port number on the
Lync server.
l You need to specify the IP address of the AC for the Lync server and the port number of the Lync server.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1193

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14 WLAN Enhanced Services Configuration Examples

8.14.1 Example for Configuring WLAN-based E-schoolbag
Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use smart terminals
such as PCs, tablets, and mobile phones to participate in teaching and learning activities
online.
A teacher can teach students in multiple classrooms without space limitation.
To ensure successful teaching activities, AP4030TNs are used to deploy basic WLAN
services to support access of many students and provide sufficient bandwidth.
The AP4030TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch between
2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default, radio 0 works on
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1194

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-63 Networking for configuring the WLAN-based e-schoolbag service

Data Planning

Table 8-72 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1195

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net
l Maximum number of users: 128
l EDCA parameters for AC_BE packets on STAs
– AIFSN: 3
– ECWmin: 7
– ECWmax: 10

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Band steering: enabled
l Broadcast flood detection: enabled
l Rate threshold for broadcast flood detection: 50 pps
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and traffic profile wlan-traffic

RRM l Name: wlan-rrm

profile l Automatic channel calibration: disabled
l Automatic power calibration: disabled
l Airtime fair scheduling: enabled

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1196

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

2G radio l Name: wlan-radio2g

profile l RTS-CTS operation mode: rts-cts
l RTS-CTS threshold: 1400 bytes
l Beacon interval: 160 ms
l Short preamble: enabled
l GI mode: short
l 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
l Multicast rate: 11 Mbit/s
l EDCA parameters for AC_BE packets on APs:
– AIFSN: 3
– ECWmin: 5
– ECWmax: 6
l Referenced profile: RRM profile wlan-rrm

5G radio l Name: wlan-radio5g

profile l RTS-CTS operation mode: rts-cts
l RTS-CTS threshold: 1400 bytes
l Beacon interval: 160 ms
l Short preamble: enabled
l GI mode: short
l Multicast rate: 6 Mbit/s
l EDCA parameters for AC_BE packets on APs:
– AIFSN: 3
– ECWmin: 5
– ECWmax: 6
l Referenced profile: RRM profile wlan-rrm

Traffic l Name: wlan-traffic

profile l Uplink rate limit for a STA: 4000 kbit/s
l Downlink rate limit for a STA: 4000 kbit/s

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure AC system parameters.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Adjust network parameters for e-schoolbag.
6. Deliver the WLAN services to the APs and verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1197

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1198

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 and VLAN 101 in tagged mode.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1199

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1200

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1201

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1202

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Adjust network parameters for e-schoolbag.

1. Adjust VAP profile parameters.

# Choose Configuration > AP Config > Profile.

# Choose Wireless Service > VAP Profile in Profile Management. The VAP Profile
List page is displayed.

# Click VAP profile wlan-net. The VAP profile modification page is displayed. Enable
the band steering function and the broadcast flood attack function and configure the rate
threshold for broadcast flood detection.

# Click Apply. In the dialog box that is displayed, click OK.

2. Adjust SSID profile parameters.

# Choose Configuration > AP Config > Profile.

# Choose Wireless Service > SSID Profile in Profile Management. The SSID Profile
List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1203

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click the SSID profile wlan-net. The SSID profile configuration page is displayed. Set
the maximum number of users to 128. Set EDCA parameters for AC_BE packets on
STAs as follows: AIFSN to 3, ECWmin to 7, and ECWmax to 10.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > Traffic Profile in Profile Management. The Traffic
Profile List page is displayed.
# Click Create. On the Create Traffic Profile page that is displayed, enter the profile
name wlan-traffic and click OK. The traffic profile configuration page is displayed.
# Set the user isolation mode to All isolation, the upstream and downstream rate limits
to 4000 kbit/s and 4000 kbit/s for STAs, respectively.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1204

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Click next to the VAP profile wlan-net in Profile Management. The profiles
referenced by the VAP profile are displayed.
# To bind the traffic profile to the VAP profile, click Traffic Profile. On the traffic
profile configuration page that is displayed, set Traffic Profile to wlan-net and click
Apply. In the dialog box that is displayed, click OK.
4. Create a 2G radio profile and adjust 2G radio profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G
Radio Profile List page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 ms.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1205

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 0. The profiles under Radio 0 are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1206

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click 2G Radio Profile. On the 2G radio profile configuration page that is displayed,
set 2G Radio Profile to wlan-radio2g and click Apply. In the dialog box that is
displayed, click OK.
5. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > 5G Radio Profile in Profile Management. The 5G
Radio Profile List page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
# Perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 ms.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1207

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 1. The profiles under Radio 1 are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1208

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click 5G Radio Profile. On the 5G radio profile configuration page that is displayed,
set 5G Radio Profile to wlan-radio5g and click Apply. In the dialog box that is
displayed, click OK.

# Click next to Radio 2. The profiles under Radio 2 are displayed.

# Click 5G Radio Profile. On the 5G radio profile configuration page that is displayed,
set 5G Radio Profile to wlan-radio5g and click Apply. In the dialog box that is
displayed, click OK.
6. Create the RRM profile and adjust RRM profile parameters.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.

# # Disable automatic channel and power calibration functions; enable airtime fair
scheduling.

# Click Apply. In the dialog box that is displayed, click OK.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the VAP profile are displayed.

Step 6 Set the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1209

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. The Radio 0 Settings page is displayed. Set the AP channel to 20-MHz
channel 6 and transmit power to 127 dBm.

# Click Radio 1 and Radio 2 to set the channel to 20-MHz channel 149 and 20-MHz channel
153 respectively and transmit power to 127 dBm. The configuration is similar to the
configuration of Radio 0.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1210

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.14.2 Example for Configuring WLAN Hotspot2.0 Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1211

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l Service data forwarding mode: direct forwarding

Figure 8-64 Networking for configuring WLAN Hotspot2.0 services

Data Planning

Table 8-73 Data planning on the AC

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server The AC functions as a DHCP server to

assign IP addresses to APs and STAs.
The aggregation switch (Switch_B)
functions as a DHCP server to assign IP
addresses to STAs. The default gateway
address of STAs is 10.23.101.2.

IP address pool for APs 10.23.100.2-10.23.100.254/24

IP address pool for STAs 10.23.101.3-10.23.101.254/24

AC's source interface address VLANIF 100: 10.23.101.1/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1212

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AP group l Name: ap-group1

l Country code: China
l Referenced profile: VAP profile wlan-
net

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA2-802.1x-AES

Authentication profile l Name: wlan-net

l Access authentication mode: 802.1x

Hotspot2.0 profile Hotspot2.0 profile

l Name: wlan-net
l Network type: free public network
l Internet access: supported
l Venue type and name: Assembly and
Coffee Shop
l HESSID: 60de-4476-e360
l IP address availability: available
l Network authentication type: acceptance
l P2P cross connection: disabled
l Cellular network profile: wlan-net
– 46000
l Roaming consortium profile: wlan-net
– 50-6f-9a
l NAI realm profile: wlan-net
– www.mobileA.com
l Network connection capability profile:
wlan-net
– HTTP service: enabled
l Operator domain profile: wlan-net
– www.mobileA.com
l Operator name profile: wlan-net
– eng, mobileA
l Venue name profile: wlan-net
– eng, Coffee
l Operating class profile: wlan-net
– 81

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1213

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-
net, security profile wlan-net,
authentication profile wlan-net, and
Hotspot2.0 profile wlan-net

STA user name and password l User name: huawei

l Password: huawei123

RADIUS server l IP address: 10.23.102.1

l Port number: 1812
l Shared key: huawei123

Configuration Roadmap
1. Select Fast Config to configure the APs to go online on the AC.
2. Select Fast Config to configure WLAN services on the AC. When configuring the
security policy, select 802.1x and RADIUS authentication, and set the RADIUS server
parameters.
3. In Profile Management, change the security policy to WPA2, and complete the
Hotspot2.0 service configuration based on the data planning.
4. Complete service verification.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1214

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101

[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1215

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1216

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

# Click OK.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1217

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to China and click Apply.

# Click Create in SSID Settings. The Create SSID page is displayed.

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1218

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1219

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure Hotspot2.0 services.
1. Choose Configuration > AP Config > Profile. In Profile Management, choose
Wireless Service > Security Profile > wlan-net, set the security policy to WPA2, and
click Apply.

2. In Profile Management, expand Wireless Service and select Cellular Network Profile.
Create the cellular network profile wlan-net, set PLMN ID, and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1220

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Select Roaming Consortium Profile. Create the roaming consortium profile wlan-net,
set Roaming Consortium OI, and click Apply.

4. Select NAI Realm Profile. Create the NAI realm profile wlan-net, set Realm name,
and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1221

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

5. Select Network Connection Capability Profile. Create the network connection

capability profile wlan-net, set HTTP to ON, and click Apply.

6. Select Operator Domain Profile. Create the operator domain profile wlan-net, set
Domain name, and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1222

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

7. Select Operator Name Profile. Create the operator name profile wlan-net, set Carrier
friendly name, and click Apply.

8. Select Venue Name Profile. Create the venue name profile wlan-net, set Area name,
and click Apply.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1223

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

9. Select Operating Class Profile. Create the operating class profile wlan-net, set
Frequency band indication No., and click Apply.

10. Select Hotspot2.0 Profile. Create the Hotspot2.0 profile wlan-net, set related
parameters, and click Apply.

11. In Profile Management, choose Wireless Service > VAP Profile > wlan-net. Click
Hotspot2.0 Profile and select wlan-net, and click Apply.
12. Expand Hotspot2.0 Profile. Select the profile to be referenced by the Hotspot2.0 profile
and click Apply.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1224

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. The WLAN with the SSID wlan-net is available.

3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.14.3 Example for Configuring Service Holding upon WLAN

CAPWAP Link Disconnection

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The enterprise requires that data forwarding be not affected even when the AC is faulty to
improve data transmission reliability.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1225

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding

Figure 8-65 Networking for configuring service holding upon WLAN CAPWAP link
disconnection

Data Planning

Table 8-74 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server Switch functions as a DHCP server to assign IP

addresses to APs and STAs.

IP address pool for APs 10.1.1.3-10.1.1.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1226

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.1.2.3-10.1.2.254/24

Gateway address for APs 10.1.1.1/24

Gateway address for STAs 10.1.2.1/24

AC source interface VLANIF 100: 10.1.1.2/24

AP group l Name: ap-group1

l Referenced profiles: AP system profile ap-system,
VAP profile wlan-net, and regulatory domain
profile default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and
security profile wlan-net

AP system profile l Name: ap-system

l Service holding upon CAPWAP link
disconnection: enabled

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1227

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 8.15.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1228

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Switch] dhcp enable

[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1229

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.1.1.2/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1230

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed. You do not need to configure
DHCP on the AC.
# Click Next. The Configure AC page is displayed.
4. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

5. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN service parameters.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1231

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Create an AP system profile and configure service holding upon link disconnection.
1. Create an AP system profile.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1232

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose AP > AP System Profile in Profile Management. The AP System Profile

List page is displayed.

# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name ap-system and click OK. The AP system profile configuration page is
displayed.

# On the AP system profile configuration page, enable service holding upon link
disconnection.

# Click Apply. In the dialog box that is displayed, click OK.

2. Bind the radio profile to the AP group.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to AP. The
profiles are displayed.

# Click AP System Profile. On the AP system profile configuration page that is

displayed, set AP System Profile to ap-system and click Apply. In the dialog box that is
displayed, click OK.

Step 6 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1233

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.
The WLAN with the SSID wlan-net is available, and STAs can access the WLAN normally.
When the CAPWAP link is disconnected due to an AC fault, service data forwarding of STAs
in Area A is not affected.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1234

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14.4 Example for Configuring Channel Switching Without

Service Interruption

The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding

Figure 8-66 Networking for configuring channel switching without service interruption

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1235

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-75 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server Switch functions as a DHCP server to assign IP

addresses to APs and STAs.

IP address pool for APs 10.1.1.3-10.1.1.254/24

IP address pool for STAs 10.1.2.3-10.1.2.254/24

Gateway address for APs 10.1.1.1/24

Gateway address for STAs 10.1.2.1/24

AC's source interface address VLANIF 100: 10.1.1.2/24

AP group l Name: ap-group1

l Referenced profiles: 2G radio profile wlan-
radio2g, 5G radio profile wlan-radio5g, VAP
profile wlan-net, and regulatory domain profile
default

Regulatory domain profile l Name: default

l Country code: China

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and
security profile wlan-net

2G radio profile l Name: wlan-radio2g

l Channel switch announcement: enabled
l Channel switch announcement mode: continue-
transmitting

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1236

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

5G radio profile l Name: wlan-radio5g

l Channel switch announcement: enabled
l Channel switch announcement mode: continue-
transmitting

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.
6. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1237

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On Switch, configure VLANIF 100 to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# On Switch, configure VLANIF 101 to assign IP addresses to STAs.

[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1238

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Click Next. The Configure DHCP page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1239

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Configure DHCP.
# On the Configure DHCP page, click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN service parameters.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1240

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 5 Create radio profiles and configure channel switching without service interruption.
1. Create radio profiles.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1241

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > 2G Radio Profile in Profile Management. The 2G
Radio Profile List page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Enable channel switching announcement and configure the AP to continue transmitting
data on the current channel when the channel is switched.

# Click Apply. In the dialog box that is displayed, click OK.

2. Bind the radio profile to the AP group.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed.

# Click next to Radio 0. 2G Radio Profile is displayed. Click 2G Radio Profile. On

the 2G radio profile configuration page that is displayed, set 2G Radio Profile to wlan-
radio2g and click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
The WLAN with the SSID wlan-net is available, and STAs can access the WLAN properly.
When the channel of AP1 or AP2 is changed, service data forwarding of STAs in Area A is
not affected.
----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1242

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14.5 Example for Configuring an AP to Go Online Using a Static

IP Address

Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.

Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)

Figure 8-67 Networking for configuring an AP to go online using a static IP address

Data Planning

Table 8-76 AC data planning

Item Data

Management VLAN for APs VLAN 100

AC's source interface address 10.23.100.1/24

AP's static IP address 10.23.100.100/24

AP group Name: ap-group1

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure global parameters on the AC.
3. Configure the AP authentication mode.
4. Configure static IP addresses for the APs and enable the APs to go online.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1243

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1244

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1245

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Next on the Configure DHCP page. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 3 Configure a static IP address for the AP.
1. Choose Configuration > AC Config > IP > DHCP Address Pool.
2. Create an IP address pool on VLANIF 100 and bind a static IP address to the AP.
# Click Create. The Create DHCP Address Pool page is displayed.
# Configure the VLANIF 100 address pool and bind an IP address to the AP.
NOTE

When the IP address in the interface address pool is statically bound to a MAC address, the IP address
must be in the range of IP addresses that can be assigned dynamically.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1246

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
Step 4 Create an AP group.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click Create. The Create AP Group page is displayed.
# Set AP group name to ap-group1 and click OK.
Step 5 Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your local
computer.
# Fill in the AP template file with AP information according to the following example. To add
multiple APs, fill in the file with information of the APs.
l AP MAC address: 60de-4476-e360
l AP SN: 210235419610CB002287

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1247

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

l AP name: area_1
l AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
Step 6 Verify the configuration.
After the configuration is complete, you can check online information about the AP with the
IP address 10.23.100.100 in AP List.

----End

8.14.6 Example for Configuring the Soft GRE Service

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A wired network has been deployed in an area. To provide more convenient network
access services, administrators need to deploy a wireless network in this area. To facilitate the
unified management of wired and wireless users, administrators also need to use the existing
wired access gateway ME60 for authentication and accounting of wireless users.

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The ME60 functions as a DHCP server to assign IP addresses to STAs.
– Switch functions as a DHCP server to assign IP addresses to APs.
l Service data forwarding mode: soft GRE forwarding

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1248

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-68 Networking for configuring the soft GRE service

Data Planning

Table 8-77 AC data planning

Item Data

Switch data planning

DHCP Switch functions as a DHCP server to assign IP addresses to APs.

server

IP address 10.23.100.3-10.23.100.254/24
pool for
APs

AC data planning

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1249

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: open system authentication

Soft GRE l Name: wlan-soft

profile l Destination address of the soft GRE tunnel: 10.23.200.1

VAP profile l Name: wlan-net

l Forwarding mode: soft GRE forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
and soft GRE profile wlan-soft

ME60 data planning

DHCP The ME60 functions as a DHCP server to assign IP addresses to STAs.

server

IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

VE Virtual-Ethernet2/0/0
interface for
soft GRE

Soft GRE l Name: group1

group l Virtual-Ethernet2/0/0 is referenced.

Destination l Name: Loopback 1

address of l IP address: 10.23.200.1/24
the soft
GRE tunnel l The soft GRE group group1 is referenced.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1250

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

RADIUS l Server group: radius1

server l Server IP address: 172.168.20.1
parameters
l Authentication port number: 1812
l Accounting port number: 1813
l Shared key: 123456
l RADIUS accounting scheme: radius
l RADIUS authentication scheme: radius
l Domain: aaadomain1

Configuration Roadmap
1. Configure network interworking of the AC, APs, ME60, and other network devices.
2. Configure the ME60, soft GRE tunnel, and authentication and accounting functions.
3. Select Fast Config to configure AC system parameters.
4. Select Fast Config to configure the APs to go online on the AC.
5. Select Fast Config to configure WLAN services on the AC.
6. Deliver the WLAN service to the AP and verify the configuration.

NOTE

l In this example, the ME60 in V600R008C10 are used. The actual configuration may vary depending on
versions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1251

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.

# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and VLAN
199, respectively. Create VLANIF 199 and set its IP address to 10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit

# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a route to
10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure Switch as a DHCP server to assign IP addresses to APs, and configure a route to
10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.2 24
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.1
[Switch-Vlanif100] quit
[Switch] ip route-static 10.23.200.0 24 10.23.199.1

# Configure the ME60 as a DHCP server to assign IP addresses to STAs.

[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit

Step 3 Configure the soft GRE tunnel on the ME60.

# Create a VE interface to support soft GRE.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1252

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[ME60] interface virtual-ethernet 2/0/0

[ME60-Virtual-Ethernet2/0/0] soft-gre enable
[ME60-Virtual-Ethernet2/0/0] quit

# Create a soft GRE group.

[ME60] soft-gre group group1
[ME60-softgre-group-group1] master virtual-ethernet 2/0/0
[ME60-softgre-group-group1] quit

# Configure an IP address for the loopback interface and bind the soft GRE group to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit

Step 4 Configure RADIUS authentication and accounting on the ME60.

# Configure a RADIUS server profile, an AAA authentication and accounting scheme, and
domain information.
[ME60] radius-server group radius1
[ME60-radius-radius1] radius-server authentication 172.168.20.1 1812
[ME60-radius-radius1] radius-server accounting 172.168.20.1 1813
[ME60-radius-radius1] radius-server shared-key 123456
[ME60-radius-radius1] quit
[ME60] aaa
[ME60-aaa] authentication-scheme radius
[ME60-aaa-authen-radius] authentication-mode radius
[ME60-aaa-authen-radius] quit
[ME60-aaa] accounting-scheme radius
[ME60-aaa-accounting-radius] accounting-mode radius
[ME60-aaa-accounting-radius] quit
[ME60-aaa] domain aaadomain1
[ME60-aaa-domain-aaadomain1] ip-pool sta-pool
[ME60-aaa-domain-aaadomain1] authentication-scheme radius
[ME60-aaa-domain-aaadomain1] accounting-scheme radius
[ME60-aaa-domain-aaadomain1] radius-server group radius1
[ME60-aaa-domain-aaadomain1] quit
[ME60-aaa] quit

Step 5 Configure the BAS interface on the ME60.

# Create a BAS interface and configure the BAS interface type and authentication mode.
Configure the user VLAN and service VLAN as the same VLAN.
[ME60] interface virtual-ethernet 2/0/0.1
[ME60-Virtual-Ethernet2/0/0.1] user-vlan 101
[ME60-Virtual-Ethernet2/0/0.1-vlan-101-101] bas
[ME60-Virtual-Ethernet2/0/0.1-bas] access-type layer2-subscriber default-domain
authentication aaadomain1
[ME60-Virtual-Ethernet2/0/0.1-bas] authentication-method bind

Step 6 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1253

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1254

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# On the Configure DHCP page, click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 7 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1255

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to CHINA and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1256

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

5. Create a soft GRE profile.

# Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.

# Click Create. The Create SoftGRE Profile page is displayed.

# Enter the name of the new soft GRE profile in Profile name.

# Click OK. Set the destination IPv4 address of the soft GRE tunnel to 10.23.200.1.

# Click Apply.
6. Change the VAP forwarding mode to Soft-GRE.

# Choose Configuration > AP Config > Profile.

# Choose Wireless Service > VAP Profile in Profile. The VAP Profile List page is
displayed.

# Select VAP profile wlan-net. On the VAP profile configuration page that is displayed,
set Forwarding mode to SoftGRE, and SoftGRE profile to wlan-soft.

# Click Apply.

Step 8 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1257

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1258

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Step 9 Verify the configuration.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

8.14.7 Example for Configuring the Bonjour Gateway

Departments 1 and 2 belong to VLAN 101 and VLAN 102 respectively, and each department
has a Bonjour-compliant printer. The enterprise requires that the Apple terminals discover
services provided by all printers in the enterprise using Bonjour.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1259

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Figure 8-69 Networking for configuring the Bonjour gateway

Data Planning

Table 8-78 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN101, VLAN102

VLAN for
STAs

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1260

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB (aggregation switch) functions as a DHCP server to assign IP
addresses to STAs. The default gateway addresses for STAs in Department 1
and 2 are 10.23.101.2 and 10.23.102.2, respectively.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.4-10.23.101.254/24
pool for 10.23.102.4-10.23.102.254/24
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net1, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

l Name: ap-group2
l Referenced profiles: VAP profile wlan-net2, regulatory domain profile
default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-
radio5g

Regulatory l Name: default

domain l Country code: China
profile
l Calibration channel set: calibration bandwidth and channels for 2.4 GHz
and 5 GHz radios

SSID l Name: wlan-net1

profile l SSID name: wlan-net1

Security l Name: wlan-net1

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net1

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net1 and security profile wlan-
net1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1261

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

l Name: wlan-net2
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-net1 and security profile wlan-
net1

Air scan l Name: wlan-airscan

profile l Probe channel set: calibration channels
l Air scan interval: 60000 ms
l Air scan period: 60 ms

RRM l Name: wlan-rrm

profile l Automatic channel calibration: enabled
l Automatic power calibration: enabled

2G radio l Name: wlan-radio2g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

5G radio l Name: wlan-radio5g

profile l Referenced profiles: air scan profile wlan-airscan and RRM profile
wlan-rrm

Parameters l VLAN 101:

for the – Service discovery interval: 100
Bonjour
gateway – Source IP address for sending mDNS requests: IP address of
VLANIF 101 on the AC 10.23.101.3/24
l VLAN 102:
– Service discovery interval: 100
– Source IP address for sending mDNS requests: IP address of
VLANIF 102 on the AC 10.23.102.3/24

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the Bonjour gateway on the AC to allow service discovery across VLANs.
NOTE

If mobile terminals with Apple iOS V6.0 or later dynamically obtain IP addresses using the DHCP server, the
server needs to specify the IP address of the DNS server for the terminals. Choose Configuration > AC
Config > IP > DHCP Address Pool > Create. Configure the IP address for the DNS server in Create
DHCP Address Pool.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1262

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA (access switch) to VLAN 100. The
default VLAN of GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
andGE0/0/3 to VLAN 101 and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1263

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102

[SwitchB-GigabitEthernet0/0/3] quit

# On the router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and VLANIF 102 to
10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs and set gateway addresses for
STAs.
# Configure VLANIF 101 and VLANIF 102 on SwitchB to assign IP addresses to STAs, and
specify 10.23.101.2 and 10.23.102.2 as the default gateway addresses for STAs in Department
1 and 2, respectively.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server excluded-ip-address 10.23.101.3
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server excluded-ip-address 10.23.102.3
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100, VLAN 101 and VLAN 102 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1264

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1265

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the IP addresses of VLANIF 101 and VLANIF 102 to 10.23.101.3/24 and
10.23.102.3/24, respectively in the same way. Configure the IP addresses of VLANIF
101 and VLANIF 102 as the source IP addresses for sending mDNS requests.

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.

On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.

Step 4 Configure WLAN services.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1266

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. Choose Configuration > Fast Config > AP.

2. Create AP group ap-group1 and perform the service configuration.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net1, SSID profile wlan-net1, and security profile wlan-net1.
3. Create AP group ap-group2.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group2 and click OK.
4. Create VAP profile wlan-net2 and perform the service configuration.
# Choose Configuration > AP Config > Profile > Wireless Service > VAP Profile. The
VAP Profile List page is displayed.
# Click Create. The Create VAP Profile page is displayed.
# Enter the name of the new VAP profile wlan-net2 in Profile name. Copy the
parameters of wlan-net1 and click OK. The parameter setting page of the new VAP
profile is displayed.
# Set the service VLAN ID to 102.
# Click Apply. In the Info dialog box that is displayed, click OK.
5. # Bind VAP profile wlan-net2 to AP group ap-group2.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1267

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click AP group ap-group2. The AP Group configuration page is displayed.

# Click VAP Configuration in AP Group configuration. The VAP Profile List page is
displayed.
# On the VAP Profile List page, click Add. The Add VAP Profile page is displayed.
# Set VAP profile name to wlan-net2, set WLAN ID, and select a radio.

6. Add an AP.
# Choose Configuration > Fast Config > AP.
# Click ap-group1 in AP Group List. On the AP List tab page, click Add. The Add AP
page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information about the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Add area_2 to AP group ap-group2 in the same way.
Step 5 Enable radio calibration to allow APs to automatically select the optimal channels.
1. Create an RRM profile and configure automatic channel and power calibration.
# Choose Configuration > AP Config > Profile.
# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1268

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Create. On the Create RRM Profile page that is displayed, enter the profile
name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

3. Create a radio profile and bind the RRM profile and air scan profile to the radio profile.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > Profile.

# Click next to the 2G radio profile wlan-radio2g in Profile Management. The

profiles referenced by the 2G radio profile are displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1269

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles are displayed. Click next to Radio 0. 2G Radio Profile
is displayed.

# Bind 2G radio profile wlan-radio2g to AP group ap-group2 in the same way.

5. Enable radio calibration.

# Choose Configuration > AC Config > Basic > Radio Calibration. The Radio
Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Radio calibration stops one hour after the radio calibration is manually triggered.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1270

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the Bonjour gateway function on the AC.
1. Enable the Bonjour gateway function.
# Choose Configuration > Other Services > Bonjour. Set Bonjour gateway to ON in
Global Settings.

# Click Apply.
2. Set the interval for discovering services.
# In Specify Device to Discover VLANs, click Create. The Create Scheduled Service
Discovery page is displayed.
# Set Service discovery interval of VLAN 101 and VLAN 102 to 100.

# Click OK.
Step 7 Verify the configuration.
Printers and Apple terminals can detect the WLAN with SSID wlan-net.
You can find the print service in VLAN 101 and VLAN 102 on the Apple terminals.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1271

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14.8 Example for Configuring CAC Based on the Number of

Multicast Group Memberships
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the number of multicast group
memberships reaches the maximum, administrators need to configure CAC based on the
number of multicast group memberships, ensuring the conference access quality.

Figure 8-70 Networking for configuring CAC based on the number of multicast group
memberships

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1272

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-79 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs and

server STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net, regulatory domain profile
default, and traffic profile wlan-traffic

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Traffic l Name: wlan-traffic

profile l Maximum number of multicast group memberships for a VAP: 20

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1273

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to control the
access of multicast users.

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1274

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[Router] interface gigabitethernet 1/0/0

[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1275

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1276

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1277

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure services for the AP group.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1278

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 4 Set the AP channel and power.

1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

# Choose Radio Management > RRM Profile in Profile Management. The RRM
Profile List page is displayed.

# Click default. On the default RRM profile page that is displayed, disable the automatic
channel and power calibration functions.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1279

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 5 Configure CAC based on the number of multicast group memberships.

1. Create a traffic profile.

# Choose Configuration > AP Config > Profile > Wireless Service > Traffic Profile.
The Traffic Profile List page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.

# Enable the function of converting multicast packets into unicast packets and the
function of sending packets to all users in unicast mode when broadcast or multicast
packets fail to be converted into unicast packets. Enable IGMP snooping and set the
number of multicast group memberships for a VAP to 20.

# Click Apply. In the Info dialog box that is displayed, click OK.
2. Bind the traffic profile to the AP group.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group page
is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1280

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# In the AP group list, click AP group ap-group1, click next to VAP Configuration,
and click next to wlan-net
# Click Traffic Profile. On the configuration page of the authentication profile, set
Traffic Profile to wlan-traffic.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC to view the
configuration and usage of multicast CAC of the VAP.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1281

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14.9 Example for Interconnecting an AC with a Network

Management Server
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator of a network wants to deploy a network management server to easily
manage the network topology and devices in a visualized way, thus improving operation
experience and management efficiency.

Figure 8-71 Networking for interconnecting an AC with a network management server

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1282

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-80 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway address of STAs is 10.23.101.2.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1283

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address 10.23.1.1
of the
network
managemen
t server

SNMP SNMP V2C

version
running on
the network
managemen
t server

Name of the NetCenter

network
managemen
t server

Name of the trap

host
sending trap
messages

MIB view public_view

private_view

Read-only public123
community
name

Read-write private123
community
name

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Fast Config to configure system parameters for the AC.
3. Select Fast Config to configure the APs to go online on the AC.
4. Select Fast Config to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure SNMP.
– Set the SNMP version on the AC to SNMPv2c.
– Configure access rights so that the network management server can manage
network devices.
– Configure the network management server.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1284

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

The SNMP version running on the network management server must be consistent with that configured on
the AC.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN101, GE0/0/2 to
VLAN100 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1285

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2

[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1286

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Next. The Configure Virtual Interface page is displayed.

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

# Click Next. The Configure DHCP page is displayed.

4. Configure DHCP.

# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.

# Configure an IP address pool on VLANIF 100.

# Click OK.

# Click Next. The Configure AC page is displayed.

5. Configure the AC.

# Configure the AC's source address and AP authentication mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1287

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 4 Configure WLAN service parameters.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure WLAN services.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1288

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Add an AP.
# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1289

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Set the SNMP version on the AC.

1. Choose Maintenance > AC Maintenance > SNMP > Global Configuration. The
Global Configuration page is displayed.
2. Enable the SNMP agent function and set the SNMP version.

3. Click Apply. In the Info dialog box that is displayed, click OK.

Step 7 Create a MIB view.

1. Choose Maintenance > AC Maintenance > SNMP > MIB View. The MIB View page
is displayed.
2. Click Create. The Create MIB Rule page is displayed.
3. Create the MIB view public_view, exclude the private subtree, include the internet
subtree, and click OK.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1290

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Create the MIB view private_view, include the mgmt subtree, and click OK.

Step 8 Create the read and write community names.

1. Choose Maintenance > AC Maintenance > SNMP > Community/Group
Management. The Community/Group Management page is displayed.
2. Click Create. The Create Community page is displayed.
3. Create the read-only community name pubilc123, set the MIB view to public_view, and
click OK.

4. Create the read-write community name private123, set the MIB view to private_view,
and click OK.

NOTE

The read-only and read-write community names must be consistent with those configured on the network
management server.

Step 9 Configure network management server information.

1. Choose Maintenance > AC Maintenance > SNMP > Trap Setting. The Trap Setting
page is displayed.
2. Click Create in Destination host receiving traps. The Create Trap Destination Host
page is displayed.
3. Set parameters of the destination host to which the traps are sent.
Set the transfer protocol to SNMPv2c, the name of the host that generates the traps to
trap, name of the destination host to Netcenter, and the IP address of the destination
host to 10.23.1.1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1291

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Click OK.
Step 10 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24.

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1292

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

8.14.10 Example for Configuring Wireless Packet Obtaining

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
When devices carrying multiple services become faulty, maintenance personnel need to obtain
packets for accurate cause analysis.

Figure 8-72 Networking for configuring wireless packet obtaining

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1293

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Data Planning

Table 8-81 AC data planning

Item Data

Managemen VLAN 100

t VLAN for
APs

Service VLAN 101

VLAN for
STAs

DHCP The AC functions as a DHCP server to assign IP addresses to APs and

server STAs.

IP address 10.23.100.2-10.23.100.254/24
pool for
APs

IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

AC's source VLANIF 100: 10.23.100.1/24

interface
address

AP group l Name: ap-group1

l Referenced profiles: VAP profile wlan-net and regulatory domain profile
default

Regulatory l Name: default

domain l Country code: China
profile

SSID l Name: wlan-net

profile l SSID name: wlan-net

Security l Name: wlan-net

profile l Security policy: WPA-WPA2+PSK+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 101
l Referenced profiles: SSID profile wlan-net and security profile wlan-
net

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1294

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

Wireless l SFTP server IP address: 10.23.10.1

packet l SFTP user name: huawei
obtaining
configuratio l SFTP password: huawei123
n

Configuration Roadmap

1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure global parameters for obtaining packets, including the maximum length,
saving mode, upload mode, and server.
3. Configure a packet filtering rule.
4. Enable the wireless packet obtaining function.

Step 2 Configure system parameters for the AC.

1. Choose Configuration > Fast Config > AC.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1295

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100 in tagged mode.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click OK. Configure GigabitEthernet0/0/2, and add the interface to VLAN 101 in
tagged mode in the same way.

# Click Next. The Configure Virtual Interface page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1296

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Create on the Configure DHCP page. The Create DHCP Address Pool page is
displayed.
# Configure an IP address pool on VLANIF 100.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1297

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish. In
the dialog box that is displayed, click OK.
Step 3 Configure WLAN services.
1. Choose Configuration > Fast Config > AP.
2. Create an AP group.
# Click Create in AP Group List. In the Create AP Group dialog box that is displayed,
set AP group name to ap-group1 and click OK.
3. Configure services for the AP group.
# Click ap-group1 in AP Group List and click the Service Settings tab.
# Set Country code to China and click Apply. In the dialog box that is displayed, click
OK.
# Click Create in SSID Settings. The Create SSID page is displayed.
# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1298

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set Mode to Batch Import and click to download the AP template file to your
local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC address: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > Profile.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1299

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click Apply. In the dialog box that is displayed, click OK.

Step 5 Check wireless service configurations.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1300

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

Step 6 Configure wireless packet obtaining.

1. Choose Diagnosis > Diagnosis Tool > Wireless Packet Obtaining. The Wireless
Packet Obtaining page is displayed.
2. Configure global parameters.

# In Global Settings, configure the length, storage mode, and upload mode of the
obtained packets, as well as global information about the server.

# Click Apply. In the dialog box that is displayed, click OK.

3. Configure the filtering rule.

# Click Create in Filter Rule Profile Management.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1301

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the Create Filter Rule page that is displayed, set the source MAC address of the
packets to be obtained to 14cf-9208-9abf.

# Click OK.
4. Enable the wireless packet obtaining function.

# Click Start.

# In the Wireless Packet Obtaining dialog box that is displayed, set AP name, Radio
ID, Filter rule profile, and Channel of the AP on which wireless packets need to be
obtained.

# Click OK.
5. Upload the file.

# Click Stop to stop packet obtaining.

# Select the file to be uploaded in the packet obtaining list and click Upload File.

# In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.

After the packet obtaining file is uploaded to the SFTP server, you can check the obtained
packets on the server.

----End

8.14.11 Example for Configuring an AC as a DHCP Relay Agent

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1302

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Networking Requirements
As shown in Figure 8-73, the AC connects to the egress gateway Router of the campus
network and connects to the AP through the access switch.

The customer needs to deploy a WLAN with SSID wlan-net so that users can access the
network anytime anywhere. At the same time, the customer needs to configure the AC as a
DHCP relay agent and the Router as a DHCP server to assign IP addresses to the AP and
STAs.

Figure 8-73 Networking diagram

Management VLAN: VLAN 100
Service VLAN: VLAN Pool
VLANIF100
10.23.100.1/24
GE0/0/1 GE0/0/2 IP
Network

GE0/0/1 GE0/0/2
AP Access Router
STA AC
area_1 switch

Data Preparation

Table 8-82 Network data planning

Item Interface VLAN

Access switch GE0/0/1 100, 101, and 102

GE0/0/2 100, 101, and 102

AC GE0/0/1 100, 101, and 102

GE0/0/2 200

Router GE1/0/0 200

Table 8-83 Service data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN pool

DHCP server The Router functions as the DHCP server

for the AP and STAs.

IP address pool for APs 10.23.100.2-10.23.100.254/24

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1303

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

Item Data

IP address pool for STAs 10.23.101.2-10.23.101.254/24

10.23.102.2-10.23.102.254/24

VLAN pool l Name: sta-pool

l VLANs in the VLAN pool: VLAN 101
and VLAN 102

AC's source interface VLANIF 100

AP group l Name: ap-group1

l Country code: CHINA
l Referenced profile: VAP profile wlan-
net

SSID profile l Name: wlan-net

l SSID name: wlan-net

Security profile l Name: wlan-net

l Security policy: WPA-WPA2+PSK
+AES
l Password: a1234567

VAP profile l Name: wlan-net

l Forwarding mode: direct forwarding
l Service VLAN: VLANs in the VLAN
pool
l Referenced profile: SSID profile wlan-
net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Select Fast Config to configure the AP to go online on the AC.
2. Configure DHCP relay.
3. Select Fast Config to configure WLAN services on the AC.
4. Deliver the WLAN services to the AP and verify the configuration.

Procedure
Step 1 Configure the switches and router.

# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 (default VLAN of GE0/0/1),
VLAN101, and VLAN102.

# On the AC, add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 200.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1304

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# On the AC, create VLANIF 100, VLANIF 101, and VLANIF 102 with the IP addresses
10.23.100.1/24, 10.23.101.1/24, and 10.23.102.1/24, respectively.
# Add GE1/0/0 of the Router to VLAN 200. Create VLANIF 200 with the IP address
10.45.200.2/24.
# Configure IP address pools ap-pool, sta-pool1, and sta-pool2 on the Router, and configure
the Router to assign IP addresses to the AP from ap-pool and to STAs from sta-pool1 and
sta-pool2. The gateway of ap-pool is 10.23.100.1 and its network segment is
10.23.100.2-10.23.100.254/24. The gateway of sta-pool1 is 10.23.101.1 and its network
segment is 10.23.101.2-10.23.101.254/24. The gateway of sta-pool2 is 10.23.102.1 and its
network segment is 10.23.102.2-10.23.102.254/24.
# Configure a static route on the Router, with the destination address 0.0.0.0/0 and next hop
address 10.45.200.1.
Step 2 Configure the AC.
1. Choose Configuration > Fast Config > AC.

2. Configure the Ethernet interfaces.

# On the Configure Ethernet Interface page, click GigabitEthernet0/0/1 and add the
interface to VLAN 100, VLAN 101, and VLAN 102 in tagged mode.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1305

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.

# Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode in the same way.

# Click Next.
3. Configure the virtual interfaces.

# On the Configure Virtual Interface page, click Create. The Create Virtual
Interface page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1306

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Click OK.
# Set the IP addresses of VLANIF 101, VLANIF 102, and VLANIF 200 to
10.23.101.1/24, 10.23.102.1/24, and 10.45.200.1/24 in the same way.
# Click Next. The Configure DHCP page is displayed.
4. Configure DHCP.
# Click Next. The Configure AC page is displayed.
5. Configure the AC.
# Configure the AC's source address and AP authentication mode.

NOTE

You can click Add AP to add an AP and then modify the AP group to which the AP belongs.
Alternatively, you can create an AP group first and then add APs to the AP group.

# Click Next. The Confirm Settings page is displayed.

6. Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and click Finish.
Step 3 Configure the VLAN pool.
1. # Choose Configuration > AC Config > VLAN > VLAN Pool. The VLAN Pool page
is displayed.
2. Create a VLAN pool.
# Click Create. The Create VLAN Pool page is displayed.
# Configure the VLAN pool sta-pool.
– VLAN assignment mode: Hash
– VLAN ID: VLAN 101 and VLAN 102

3. Click OK.
Step 4 Configure DHCP relay.
1. Choose Configuration > AC Config > IP > DHCP Relay. The DHCP Relay page is
displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1307

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

2. Click Create in DHCP Server Group List to create a DHCP server group.

3. Click OK.
4. Click Create in DHCP Relay List to configure DHCP relay on VLANIF 100.

5. Click OK.
6. Configure DHCP relay on VLANIF 101 and VLANIF 102 in the same way.

Step 5 Configure WLAN services.

# Click ap-group1 in AP Group List and click the Service Settings tab.

# Set Country code to CHINA and click Apply.

# Click Create in SSID Settings. The Create SSID page is displayed.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1308

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

# Set the SSID name, forwarding mode, service VLAN, and security policy on the
Create SSID page.

# Click OK. After the configuration is complete, the system creates the VAP profile
wlan-net, SSID profile wlan-net, and security profile wlan-net.
4. Add an AP.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Batch Import and click to download the AP template file to your
local computer.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

Step 6 Verify the configuration.

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1309

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

1. The WLAN with the SSID wlan-net is available.

2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24 or
10.23.102.x/24 and its gateway address is 10.23.101.1 or 10.23.102.1.

3. Choose Monitoring > User. On the User Statistics tab page, select AP Name from the
User List drop-down list box. Enter area_1 and click . You can see that the STA goes
online successfully and check the STA's IP address.

----End

8.15 Common Misconfigurations

8.15.1 Multicast Packet Suppression Is Not Configured, Causing

Slow Network Access of STAs

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1310

Copyright © Huawei Technologies Co., Ltd.
Huawei Access Controllers
Web Platform Configuration Guide 8 Configuration Examples

access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.

Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-
address-mask ffff-ff00-0000 //Match the destination MAC address of
multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100
kbit/s. If multicast services are available, you are advised to set the
rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

l Configure multicast packet suppression in tunnel forwarding mode.

a. Create the traffic profile test and set the maximum traffic volume of multicast
packets in the profile.
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] traffic-profile name test
[AC6605-wlan-traffic-prof-test] traffic-optimize multicast-suppression
packets 100 //Set the maximum traffic volume of multicast packets to
100 pps. If multicast services are available, you are advised to set the
rate limit according to the service traffic.
[AC6605-wlan-traffic-prof-test] quit

b. Bind the traffic profile to the VAP profile.

[AC6605-wlan-view] vap-profile name test
[AC6605-wlan-vap-prof-test] traffic-profile test
[AC6605-wlan-vap-prof-test] quit

----End

Issue 06 (2017-01-20) Huawei Proprietary and Confidential 1311

Jomres Manual PDF
0% (1)
Jomres Manual PDF
417 pages
B311-221 10.0.1.1 (H187SP60C983) Firmware Release Notes
100% (1)
B311-221 10.0.1.1 (H187SP60C983) Firmware Release Notes
11 pages
Principles of Computer Security: CompTIA Security+ and Beyond Lab Manual (Exam SY0-601)
From Everand
Principles of Computer Security: CompTIA Security+ and Beyond Lab Manual (Exam SY0-601)
Jonathan S. Weissman
No ratings yet
Eudemon200E-B&C&F&X & Eudemon1000E-X V300R001 Configuration Guide-CLI 01
No ratings yet
Eudemon200E-B&C&F&X & Eudemon1000E-X V300R001 Configuration Guide-CLI 01
3,797 pages
B310s-22TCPU-V200R001B321D03SP00C00 Firmware - Release - Notes
No ratings yet
B310s-22TCPU-V200R001B321D03SP00C00 Firmware - Release - Notes
14 pages
Learn JAVASCRIPT in Arabic 2021 (81 To 120)
No ratings yet
Learn JAVASCRIPT in Arabic 2021 (81 To 120)
72 pages
01-02 Comprehensive Configuration Examples PDF
No ratings yet
01-02 Comprehensive Configuration Examples PDF
330 pages
MA5616 Configuration Guide (V800R307C00 - 01)
100% (1)
MA5616 Configuration Guide (V800R307C00 - 01)
306 pages
IPO R11 Offer Document FP2 Nov 2021 V 1 - 6
No ratings yet
IPO R11 Offer Document FP2 Nov 2021 V 1 - 6
160 pages
Perry's Chemical Engineers' Handbook, 8th Ed PDF
35% (40)
Perry's Chemical Engineers' Handbook, 8th Ed PDF
50 pages
Ma5612configurationguidev800r308c0004 120820003950 Phpapp02
100% (1)
Ma5612configurationguidev800r308c0004 120820003950 Phpapp02
488 pages
Fiberhome Gpon An5506 04f Manual
No ratings yet
Fiberhome Gpon An5506 04f Manual
48 pages
Configure Nodeb Through Cme
No ratings yet
Configure Nodeb Through Cme
9 pages
Huawei Smartax Ma5616 Hardware Description v800r310c0002 - 2
No ratings yet
Huawei Smartax Ma5616 Hardware Description v800r310c0002 - 2
164 pages
UA5000 V100R019C01 Product Description
No ratings yet
UA5000 V100R019C01 Product Description
105 pages
Msan Ua5000
No ratings yet
Msan Ua5000
33 pages
Cacti 0.8 Beginner's Guide
From Everand
Cacti 0.8 Beginner's Guide
Thomas Urban
No ratings yet
600-35ns01-A - Honeywell 35 Series NVR Network Security Guide-0728
No ratings yet
600-35ns01-A - Honeywell 35 Series NVR Network Security Guide-0728
25 pages
CloudEngine S3700, S5700, and S6700 V600R022C10 Configuration Guide - Basic Configuration
No ratings yet
CloudEngine S3700, S5700, and S6700 V600R022C10 Configuration Guide - Basic Configuration
459 pages
HUAWEI USG6000E Series V600 Hardware Guide
No ratings yet
HUAWEI USG6000E Series V600 Hardware Guide
287 pages
HCCDP_Solution_Archi_note.txt
No ratings yet
HCCDP_Solution_Archi_note.txt
1 page
HCIA-Access V2.5 Lab Guide-محول
100% (1)
HCIA-Access V2.5 Lab Guide-محول
128 pages
HCIA-Storage V4.5 Exam Outline
No ratings yet
HCIA-Storage V4.5 Exam Outline
3 pages
FTTX Solution Configuration Guide (V100R007 - 02) PDF
No ratings yet
FTTX Solution Configuration Guide (V100R007 - 02) PDF
411 pages
CCU Monitoring Solution PDF
100% (1)
CCU Monitoring Solution PDF
20 pages
NCE Campus
No ratings yet
NCE Campus
20 pages
UA5000 Configuration Guide PVM CLI V100R017 08 PDF
No ratings yet
UA5000 Configuration Guide PVM CLI V100R017 08 PDF
401 pages
HUAWEI IdeaHub S2 OPS Configuration
No ratings yet
HUAWEI IdeaHub S2 OPS Configuration
14 pages
20410D 00 PDF
No ratings yet
20410D 00 PDF
18 pages
Reference Material
No ratings yet
Reference Material
116 pages
HUAWEI IdeaHub S2 2.1 Product Overview
No ratings yet
HUAWEI IdeaHub S2 2.1 Product Overview
42 pages
SMS Comands List 2017-03-06
No ratings yet
SMS Comands List 2017-03-06
3 pages
Administration-Guide Open Bee OCS
No ratings yet
Administration-Guide Open Bee OCS
7 pages
TaiShan 2280 Server V100R001 User Guide 09 PDF
No ratings yet
TaiShan 2280 Server V100R001 User Guide 09 PDF
213 pages
UA5000 Configuration Guide-PVM CLI (V100R017 - 08)
100% (5)
UA5000 Configuration Guide-PVM CLI (V100R017 - 08)
401 pages
ZLT X100 PRO Datasheet - V1.0
No ratings yet
ZLT X100 PRO Datasheet - V1.0
10 pages
How To Connect An HTML Page To A Microsoft Access Database
No ratings yet
How To Connect An HTML Page To A Microsoft Access Database
6 pages
Firmware Version V4.2 Released For S7-1200 CPUs
No ratings yet
Firmware Version V4.2 Released For S7-1200 CPUs
2 pages
ملخص لكل ما تم دراسته في JS-part1
100% (1)
ملخص لكل ما تم دراسته في JS-part1
347 pages
CloudEngine S5700, S6700 Switches Configuration Examples (V600)
No ratings yet
CloudEngine S5700, S6700 Switches Configuration Examples (V600)
758 pages
Xibo Step by Step Guide To Adding PowerPoint
No ratings yet
Xibo Step by Step Guide To Adding PowerPoint
4 pages
Packet Tracer 6.1 Tutorial - IP Telephony Advanced Configuration
No ratings yet
Packet Tracer 6.1 Tutorial - IP Telephony Advanced Configuration
6 pages
Ma5600 Multi Service Access Module Operation and Maintenance
No ratings yet
Ma5600 Multi Service Access Module Operation and Maintenance
48 pages
Cisco Meraki MR36 Installation Guide
No ratings yet
Cisco Meraki MR36 Installation Guide
1 page
LTE OMC Functions Introduction
No ratings yet
LTE OMC Functions Introduction
46 pages
Routing and Switching Technology Question Library: Haina
100% (1)
Routing and Switching Technology Question Library: Haina
150 pages
Lab1 Switch
No ratings yet
Lab1 Switch
6 pages
Huawei Campus Switch S5735-V2 Series Products Introduction Live Training-2023.2.21
No ratings yet
Huawei Campus Switch S5735-V2 Series Products Introduction Live Training-2023.2.21
32 pages
Graduation Project 1 PDF
100% (1)
Graduation Project 1 PDF
43 pages
F18 Installation Guide V1.1
No ratings yet
F18 Installation Guide V1.1
2 pages
T Rec Y.1540 201607 I!!pdf e
No ratings yet
T Rec Y.1540 201607 I!!pdf e
57 pages
NAP 16P - Manual de Instalación - Huawei
No ratings yet
NAP 16P - Manual de Instalación - Huawei
36 pages
RB951-series - User Manuals - MikroTik Documentation
No ratings yet
RB951-series - User Manuals - MikroTik Documentation
4 pages
OneSpan Authentication Server - Installation and Configuration - Exercises
No ratings yet
OneSpan Authentication Server - Installation and Configuration - Exercises
212 pages
MCSA Windows Server 2012 R2 Complete Study Guide: Exams 70-410, 70-411, 70-412, and 70-417
From Everand
MCSA Windows Server 2012 R2 Complete Study Guide: Exams 70-410, 70-411, 70-412, and 70-417
William Panek
No ratings yet
Information technology audit The Ultimate Step-By-Step Guide
From Everand
Information technology audit The Ultimate Step-By-Step Guide
Gerardus Blokdyk
No ratings yet
Wireless Access Controller (AC and Fit AP) V200R019C00 Web-Based Configuration Guide PDF
No ratings yet
Wireless Access Controller (AC and Fit AP) V200R019C00 Web-Based Configuration Guide PDF
846 pages
Wireless Access Controller (AC and Fit AP) V200R020C10 Web-Based Configuration Guide
No ratings yet
Wireless Access Controller (AC and Fit AP) V200R020C10 Web-Based Configuration Guide
843 pages
Wireless Access Controller (AC and Fit AP) V200R022C00 Web-Based Configuration Guide
No ratings yet
Wireless Access Controller (AC and Fit AP) V200R022C00 Web-Based Configuration Guide
913 pages
AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 Web-Based Configuration Guide
No ratings yet
AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 Web-Based Configuration Guide
1,068 pages
MA5616 Configuration Guide (V800R308C01 - 02)
No ratings yet
MA5616 Configuration Guide (V800R308C01 - 02)
583 pages
Oracle® Identity Manager: Connector Guide For IBM Lotus Notes and Domino
No ratings yet
Oracle® Identity Manager: Connector Guide For IBM Lotus Notes and Domino
111 pages
Fs Idx30 2023 01
No ratings yet
Fs Idx30 2023 01
4 pages
Creating An Iar Embedded Workbench Project For Ti Halcogen Generated Files
No ratings yet
Creating An Iar Embedded Workbench Project For Ti Halcogen Generated Files
5 pages
Lefdef WN
No ratings yet
Lefdef WN
16 pages
Full Engineer S Guide To Technical Writing 1st Edition Kenneth G. Budinski Ebook All Chapters
100% (7)
Full Engineer S Guide To Technical Writing 1st Edition Kenneth G. Budinski Ebook All Chapters
84 pages
Working in Tellabs 6300 Manager Vol. 1
No ratings yet
Working in Tellabs 6300 Manager Vol. 1
72 pages
Amazon Annual Report 2011
No ratings yet
Amazon Annual Report 2011
88 pages
Untitled
No ratings yet
Untitled
410 pages
Transmissible Spongiform Encephalopathy (TSE) & Genetically Modified Organisms (GMO) Certificate
No ratings yet
Transmissible Spongiform Encephalopathy (TSE) & Genetically Modified Organisms (GMO) Certificate
1 page
8 Legal and Regulatory Feasibility Study
No ratings yet
8 Legal and Regulatory Feasibility Study
16 pages
39_4_Rai_1739596592
No ratings yet
39_4_Rai_1739596592
44 pages
Clearline v. Cooper B-Line - Joint Pre-Trial Order
No ratings yet
Clearline v. Cooper B-Line - Joint Pre-Trial Order
115 pages
IPR - Project - Sem V
No ratings yet
IPR - Project - Sem V
22 pages
Practice Makes Perfect: English Conversation Jean Yates download
100% (1)
Practice Makes Perfect: English Conversation Jean Yates download
54 pages
TRADE MARKS IN SUMMARY
No ratings yet
TRADE MARKS IN SUMMARY
23 pages
Ipr P Ii Mid Important Questions-26-03-2024
No ratings yet
Ipr P Ii Mid Important Questions-26-03-2024
10 pages
Download Practical Entity Framework: Database Access for Enterprise Applications 1st Edition Brian L. Gorman ebook All Chapters PDF
No ratings yet
Download Practical Entity Framework: Database Access for Enterprise Applications 1st Edition Brian L. Gorman ebook All Chapters PDF
55 pages
H 046 010452 00 Z6 Z8 Series Service Manual English
No ratings yet
H 046 010452 00 Z6 Z8 Series Service Manual English
175 pages
Bakson Homeopathy
No ratings yet
Bakson Homeopathy
2 pages
xpr7000 8-900 Service Manual 68009652001 A BSM Mol PDF
No ratings yet
xpr7000 8-900 Service Manual 68009652001 A BSM Mol PDF
120 pages
Scripting
No ratings yet
Scripting
88 pages
Manual de Instrucciones: SLR Cámara Digital
No ratings yet
Manual de Instrucciones: SLR Cámara Digital
215 pages
Royalty Rates Software Artificial Intelligence
No ratings yet
Royalty Rates Software Artificial Intelligence
302 pages
Instant ebooks textbook The Peace Protestors Symon Hill download all chapters
No ratings yet
Instant ebooks textbook The Peace Protestors Symon Hill download all chapters
46 pages
ICJ24 Contest Official Rules De028e9e890f
No ratings yet
ICJ24 Contest Official Rules De028e9e890f
15 pages
ZT400 Series
No ratings yet
ZT400 Series
234 pages
Buy ebook Handmade in India Crafts of India 1st Edition M.P. Ranjan cheap price
100% (10)
Buy ebook Handmade in India Crafts of India 1st Edition M.P. Ranjan cheap price
29 pages
Conrad v. CA
No ratings yet
Conrad v. CA
1 page
Instagram v. Zhou Complaint PDF
No ratings yet
Instagram v. Zhou Complaint PDF
16 pages