Wireless Access Controller(AC and Fit AP)

CLI-based Configuration Guide 22 Reliability Configuration Guide

22 Reliability Configuration Guide

This document describes AP reliability features, including the principles,

configuration procedures, and configuration examples.

22.1 Overview of Reliability

This chapter describes the levels of reliability requirements, measurement
specifications, and implemented technologies.
As networks rapidly develop and applications become diversified, various value-
added services such as IPTV and video conferencing are widely used. Network
disconnections may affect many services and cause losses. Demands for network
infrastructure reliability are increasing.
In real-world applications, many network failures and service interruptions are
caused by non-technical factors. An effective way to enhance system reliability is
to improve fault tolerance capabilities of the system, speed up fault recovery, and
reduce impact of faults on services.

NOTE

In real-world applications, the AC6800V must be deployed in redundancy mode to ensure WLAN
service reliability.

22.1.1 Levels of Reliability Requirements

There are three requirement levels according to the objective and implementation.
Table 22-1 lists three levels of reliability requirements.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3184

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-1 Levels of reliability requirements

Level Objective Implementation

1 Fewer faults in the ● Hardware: simplified

system software and circuit design,
hardware improved production
technique, and
reliability test
● Software: software
reliability design and
test

2 No impact on the system Device and link

when a fault occurs redundancy design,
switchover policy, and
switchover success rate

3 Rapid recovery from a Fault detection,

fault that affects the diagnosis, isolation, and
system recovery

The reliability requirements at level 1 need to be considered during network

device design and production; the reliability requirements at level 2 need to be
considered during network architecture design; the reliability requirements at level
3 are met using reliability technologies according to the network architecture and
service characteristics during network deployment.

22.1.2 Reliability Metrics

The Mean Time Between Failures (MTBF) and Mean Time to Repair (MTTR) are
used to evaluate system reliability.

MTBF
The MTBF refers to the average time (usually expressed in hours) when a
component or a device works without any failure. A larger value of the MTBF
indicates higher reliability.

MTTR
The MTTR refers to the average time that a component or a device will take to
recover from any failure. MTTR also involves device management and customer
service, and is an important specification for device maintenance.
MTTR = Fault detection time + Hardware replacement time + System initialization
time + Link recovery time + Route convergence time + Forwarding recovery time
A smaller value of MTTR indicates higher reliability.

22.1.3 Reliability Technologies

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3185

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Network reliability can be improved by increasing the MTBF or reducing the

MTTR. Faults caused by various factors are inevitable, so fault recovery
technologies are important. The following reliability technologies are mainly used
to reduce the MTTR and meet level 3 reliability requirements.
Reliability technologies fall into fault detection technologies and protection
switching technologies.

Fault Detection Technologies

Fault detection technologies focus on fault detection and diagnosis. BFD is a
universal fault detection technology and can detect faults at any layer. Ethernet
OAM is a link-layer fault detection technology. Table 22-2 describes the fault
detection technologies.

Table 22-2 Fault detection technologies

Technology Description Link

BFD Bidirectional Forwarding 22.7 BFD Configuration

Detection (BFD) is a
unified detection
mechanism independent
of media and protocols,
and is used to rapidly
detect link faults and
monitor IP connectivity.

EFM EFM monitors network 22.8 EFM Configuration

faults and is for use on
last-mile Ethernet access
links to users on the
network. EFM needs to
be enabled on the two
directly connected
devices so that EFM can
monitor the link
between the two devices.

Protection Switching Technologies

Protection switching technologies focus on network recovery, and backs up
hardware, link, and routing information and perform fast switching to ensure
service continuity. Table 22-3 describes protection switching technologies.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3186

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-3 Protection switching technologies

Technology Description Link

VRRP The Virtual Router 22.9 VRRP

Redundancy Protocol Configuration
(VRRP) is a fault-tolerant
protocol that allows the
device to provide the
default link when the
default becomes faulty
on LANs with multicast
or broadcast capabilities.
VRRP prevents network
interruptions caused by
the fault of the single
link.

HSB, available in two Hot standby backup 22.3 HSB Configuration

modes: (HSB) provides a unified
● Dual-link HSB backup mechanism for
service modules. When
● VRRP HSB the master device
becomes faulty, the
backup device takes over
services on the master
service, which improves
network reliability.

Dual-Link Cold Backup Dual-link cold backup Dual-Link Backup

allows two ACs on an AC Configuration
+ Fit AP network to
manage APs
simultaneously. The APs
set up CAPWAP links
with both ACs, between
which one AC functions
as the active AC to
provide services for the
APs and the other works
as the standby AC. When
the active AC fails or the
CAPWAP link between
the active AC and AP
become faulty, the
standby AC replaces the
active AC to manage APs
and provide services. To
ensure that both ACs
provide the same
services, perform same
service configurations on
the active and standby
ACs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3187

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Technology Description Link

N+1 Backup N+1 backup uses one N+1 Backup

standby AC to provide Configuration
backup services for
multiple ACs on an AC +
Fit AP network. When
the network runs
properly, an AP sets up a
capwap link only with
the active AC. When the
active AC fails or the
CAPWAP link becomes
faulty, the standby AC
replaces the active AC to
manage APs. The
standby AC establishes a
CAPWAP link with the
AP to provide services.

22.2 Comparison of Backup Modes

The device supports hot-standby (HSB), dual-link cold backup, and N+1 backup
modes. Table 22-4 compares the three backup modes.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3188

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-4 Comparing the three backup modes

Item VRRP HSB Dual-Link Dual-Link N+1 Backup
HSB Cold Backup

Implementati The active An AP sets up An AP sets up An AP sets up

on and standby an active and an active and a CAPWAP
ACs have a standby a standby link with only
independent CAPWAP link CAPWAP link one AC.
IP addresses, with the with the ACs do not
which are active and active and back up or
virtualized standby ACs, standby ACs, synchronize
into one using respectively. respectively. information.
VRRP. APs set The active AC ACs do not If a master AC
up CAPWAP backs up only back up or fails, APs
links with this STA synchronize connected to
virtual IP information information. it set up
address. and If the active CAPWAP links
The active AC synchronizes AC fails, APs with the
backs up such connected to backup AC
information information it switch to that takes
about APs, to the the standby over services.
STAs, and standby AC links and the
CAPWAP through the standby AC
links, and HSB service. If takes over
synchronizes the active AC services.
such fails, APs
information connected to
to the it switch to
standby AC the standby
through the links and the
HSB service. If standby AC
the active AC takes over
fails, the services.
standby AC
takes over
services.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3189

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item VRRP HSB Dual-Link Dual-Link N+1 Backup

HSB Cold Backup

Switchover The The AP status The AP status The AP status

speed switchover switchover is switchover is switchover is
speed is fast, slow and slow and slow and
with little occurs only occurs only occurs only
impact on when when when
services. The CAPWAP link CAPWAP link CAPWAP link
configuration disconnection disconnection disconnection
of the VRRP timeout is timeout is timeout is
preemption detected. detected. detected. APs
delay After the AP STAs need to and STAs
implements a status is go online need to go
faster switched, again, and online again,
switchover STAs do not services are and services
than other need to go interrupted are
backup offline and for a short interrupted
modes. online again. period of for a short
time. period of
time, which is
longer than
the service
interruption
period in
dual-link cold
backup mode.

Deployment VRRP is a Supported Supported Supported

of active and Layer 2
standby ACs protocol and
at different does not
places support
deployment
of active and
standby ACs
at different
places.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3190

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item VRRP HSB Dual-Link Dual-Link N+1 Backup

HSB Cold Backup

Constraints The models The models The software The software

and software and software versions of versions of
versions of versions of the active and the active and
the active and the active and standby ACs standby ACs
standby ACs standby ACs must be the must be the
must be the must be the same. No same. No
same. same. constraint is constraint is
A standby AC A standby AC placed on the placed on the
can provide can provide AC model. AC model.
backup backup A standby AC A backup AC
services only services only can provide can provide
for one active for one active backup backup
AC. AC. services only services for
for one active multiple
AC. master ACs,
reducing
device
investment.

Applicable Scenarios that Scenarios that Scenarios that Scenarios that

scope require high require high have low have low
reliability, reliability and reliability reliability and
without the AC requirements low cost
need for AC deployment requirements
deployment at different
at different places
places

22.3 HSB Configuration

This chapter describes how to configure hot standby backup (HSB). HSB provides
a unified backup mechanism for service modules. When the master device
becomes faulty, the backup device takes over services on the master service, which
improves network reliability.

22.3.1 Overview of HSB

Definition
Hot-standby backup (HSB) is a feature that improves network reliability through
redundancy between two devices. After the two devices determine the master and
backup roles, the master device forwards service packets and the backup device
monitors status of the master device. The master device periodically sends its
status information and data to be backed up to the backup device. When the
master device fails, the backup device takes over the services immediately.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3191

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Purpose
On a WLAN, an AC can manage several hundreds of APs. If the AC becomes faulty,
services of all the APs that associate with the AC are interrupted. The reliability of
ACs greatly affects HA of the network.
The AC hot-standby backup (HSB) function can solve this problem. This function
has two modes: HSB+VRRP and HSB+dual-link backup. HSB supports batch
backup and real-time backup between the two access devices. Before link
switching, the standby device synchronizes information from the active device.
When the active device fails, service traffic is immediately switched to the standby
device without interrupting services. This improves connection availability. Dual-
link backup or VRRP can fast detect whether the active AC is faulty so that the
standby AC can become the new active AC in a timely manner. This function
ensures user service continuity.

22.3.2 Understanding HSB

22.3.2.1 Backup Modes

The HSB solution provides two networking modes: active/standby mode and load
balancing mode.

Active/Standby Mode (Using VRRP Hot Standby)

As shown in Figure 22-1, AC1 and AC2 form a VRRP group. AC1 is the master
device and AC2 is the backup device. When AC1 is working normally, it processes
all services and transmits session information to AC2 through the HSB channel.
AC2 does not process services and only backs up session information.

Figure 22-1 HSB in active/standby mode (master device is working normally)

AC2 Backup

AP1 STA1

Network
Switch

AC1 Master STA2

AP2

Traffic of AP1
Traffic of AP2
HSB channel

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3192

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

When AC1 fails, AC2 starts to process services, as shown in Figure 22-2. Because
session information is backed up on AC2, new sessions can be set up without
interrupting the current session. This improves network reliability.

Figure 22-2 HSB in active/standby mode (master device fails)

AC2 Backup

AP1 STA1

Network
Switch

AC1 Master STA2

AP2

Traffic of AP1
Traffic of AP2

HSB channel

When the original master device (AC1) recovers, it becomes the master in
preemption mode. In non-preemption mode, AC1 retains in Backup state.

Load Balancing Mode (Using Dual-link Hot Standby)

As shown in Figure 22-3, the AP establishes CAPWAP tunnels with two ACs and
differentiates the active and standby ACs based on the priorities of the CAPWAP
packets delivered by the two ACs. A hot-standby backup (HSB) tunnel is
established between the two ACs. AC1 is the master device for AP1 and AC2 is the
backup device. AC1 processes all service traffic from AP1 and transmits session
information to AC2 through the HSB channel. AC2 does not process service traffic
from AP1 and only backs up session information. For AP2, AC2 is the master
device and AC1 is the backup device. AC2 processes all service traffic from AP2
and transmits session information to AC1 through the HSB channel. AC1 does not
process service traffic from AP2 and only backs up session information.
On the network, AC1 forwards service traffic from AP1 and AC2 forwards service
traffic from AP2. In this way, service traffic is load balanced on the network.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3193

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-3 HSB in load balancing mode (both devices are working normally)

AC2

AP1 STA1

Network
Switch

AC1 STA2
AP2

Traffic of AP1
Traffic of AP2

HSB channel

When AC1 fails, service traffic from AP1 is automatically switched to AC2 to
ensure nonstop service forwarding, as shown in Figure 22-4. Service traffic from
AP2 is still forwarded by AC2.

Figure 22-4 HSB in load balancing mode (a master device fails)

AC2

AP1 STA1

Network
Switch

AC1 STA2
AP2

Traffic of AP1
Traffic of AP2

HSB channel

When the original master device (AC1) recovers, service traffic can be switched
back to the master device or retained on the backup device, depending on the
configuration.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3194

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.3.2.2 HSB Implementation

HSB implementation involves data synchronization and traffic switching. Data

synchronization is performed to ensure consistent information on the master and
backup devices when the two devices are working normally. Traffic switching is
performed to ensure non-stop service forwarding when the master device fails or
recovers.
For more information, see Huawei CloudCampus WLAN Reliability Technology
White Paper.

Data Synchronization
When the master device fails, service traffic can be switched to the backup device
only if the backup device has the same session entries as the master device. If the
session entries on the master and backup devices are different, sessions may be
interrupted during traffic switching. Therefore, a mechanism is required to
synchronize session information to the backup device when session entries are
created or modified on the master device. The HSB service module provides data
backup, sets up an HSB channel between the master and backup devices and
maintains link status of the HSB channel. Session information is synchronized
through the HSB channel.
The device provides the following data synchronization modes:
● Batch backup
During operation, the master device may save a large number of session
entries. After a backup device is added to the network and HSB is configured
on the two devices, the master device synchronizes all the session entries to
the backup device at one time. This is a batch backup process.
● Real-time backup
When the master device generates new session entries or modifies existing
session entries, it synchronizes new or modified session entries to the backup
device in real time. This is a real-time backup process.
● Periodic backup
To ensure that entries on the master and backup devices are consistent, the
backup device checks whether session entries are the same as those on the
master device every 30 minutes. If session entries are inconsistent, the session
entries on the master device are updated to the backup device. This is a
periodic backup process.

Traffic Switching
Two HSB modes are available depending on the traffic switching mode:
● VRRP HSB: VRRP is used to implement traffic switching. VRRP HSB is
applicable in active/standby mode.
● Dual-link HSB: Two links are used to implement traffic switching. Dual-link
HSB is applicable in active/standby and load balancing modes.
Traffic switching through VRRP
An HSB group is bound to a VRRP group. The two devices determine the master/
backup state based on the VRRP status and maintain the same state in the HSB

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3195

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

group. The HSB group monitors the status of the HSB channel and bound VRRP
group. When the status of the HSB channel and bound VRRP group changes, the
HSB group instructs service modules to switch traffic to the backup link.
As shown in Figure 22-5, VRRP is configured on AC1 and AC2. In the VRRP group,
AC1 is the master device and AC2 is the backup device. For details about VRRP, see
22.9.2 Understanding VRRP. According to the VRRP status of the two routers,
AC1 becomes the master device in the HSB group, and AC2 becomes the backup
device. The HSB service synchronizes session information from AC1 to AC2.

Figure 22-5 Traffic switching through VRRP (before switching)

AC2 Backup

AP1 STA1

Network
Switch

AC1 Master STA2

AP2

Traffic of AP1
Traffic of AP2
HSB Tunnel

When AC1 fails, as shown in Figure 22-6, the VRRP group selects a new master
based on the VRRP priorities of the devices. AC2 then becomes the master device,
and service traffic is switched to AC2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3196

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-6 Traffic switching through VRRP (after switching)

AC2 Backup

AP1 STA1

Network
Switch

AC1 Master STA2

AP2

Traffic of AP1
Traffic of AP2
HSB Tunnel

Traffic switching through link backup

As shown in Figure 22-7, each AP sets up links with two ACs. For AP1, the link to
AC1 is the master link and the link to AC2 is the backup link. AC1 is the master
device and forwards all service traffic from AP1. The HSB service synchronizes
session information from AC1 to AC2. For AP2, the link to AC2 is the master link
and the link to AC1 is the backup link. AC2 is the master device and forwards all
service traffic from AP2. The HSB service synchronizes session information from
AC2 to AC1.

Figure 22-7 Traffic switching through link backup (before switching)

AC2

AP1 STA1

Network
Switch

AC1 STA2
AP2

Traffic of AP1
Traffic of AP2
HSB Tunnel

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3197

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

When AC1 fails, as shown in Figure 22-8, AP1 transmits service traffic through the
backup link after it detects the failure of AC1. Service traffic of AP1 is then
forwarded by AC2.

Figure 22-8 Traffic switching through link backup (after switching)

AC2

AP1 STA1

Network
Switch

AC1 STA2
AP2

Traffic of AP1
Traffic of AP2
HSB Tunnel

22.3.3 Application Scenarios for HSB

22.3.3.1 Using HSB to Improve Wireless Access Service Reliability

To reduce impact of single-point failures on a wireless access network, a

traditional backup solution deploys two devices on an access node for backup.
Access devices on a wireless network usually run Dynamic Host Configuration
Protocol (DHCP), network admission control (NAC), and wireless local area
network (WLAN) services, which require real-time information backup from the
master device to the backup device. For example, the master DHCP device must
synchronize user status information to the backup DHCP device in real time.
Otherwise, services will be interrupted after link switching.
HSB can implement redundancy between access devices while ensuring
uninterrupted service transmission. The HSB service supports batch backup and
real-time backup between the two access devices. Before link switching, the
backup device synchronizes information from the master device. When the master
device fails, service traffic is immediately switched to the backup device without
interrupting services. This improves connection availability.
On a WLAN, HSB can use the active/standby or load balancing mode.
Figure 22-9 shows the active/standby mode. When AC1 fails, AC2 immediately
starts to provide the DHCP, NAC, and WLAN services because it has backed up all
the required information from AC1. Services are not interrupted after the link
switching.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3198

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-9 HSB between ACs (active/standby mode)

AC2 Backup
AP1's backup link
AP1 STA1

AP1's master link

Network
Switch AP2's backup link

AP2's master link

AC1 Master STA2

AP2

Figure 22-10 shows the load balancing mode, which can fully use network
resources. (The load balancing mode cannot be used for the DHCP service.) For
AP1, AC1 is the master device and AC2 is the backup device. All service traffic of
AP1 is forwarded by AC1. For AP2, AC2 is the master device and AC1 is the backup
device. All service traffic of AP2 is forwarded by AC2. Traffic of AP1 and AP2 is
load balanced between the two ACs, improving link efficiency.

Figure 22-10 HSB between ACs (load balancing mode)

AC2
AP1's backup link
AP1 STA1

AP1's master link

Network
Switch AP2's master link

AP2's backup link

AC1 STA2
AP2

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3199

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.3.4 Summary of HSB Configuration Tasks

Table 22-5 HSB configuration tasks
Scenario Description Task

Configure VRRP HSB. HSB implements service Configuring VRRP HSB

backup between two
devices. VRRP HSB is
applicable in active/
standby mode.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3200

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Scenario Description Task

Configure dual-link HSB. HSB implements service Traditional configuration

backup between two method:
devices. Dual-link HSB is 1. Configuring Dual-Link
applicable in active/ Backup (Traditional
standby and load Method)
balancing modes.
2. (Optional)
Configuring the
Active/Standby Link
Switchover Mode
3. Configuring an HSB
Service
4. Binding Services to an
HSB Service
New configuration
method:
1. Configuring Dual-Link
Backup (New
Method)
2. (Optional)
Configuring the
Active/Standby Link
Switchover Mode
3. Configuring an HSB
Service
4. Binding Services to an
HSB Service
If you need to configure
wireless configuration
synchronization, select
the new configuration
method, not the
traditional method.
Wireless configuration
synchronization can
reduce the configuration
workload and optimize
maintenance operations.
For more information,
see Wireless
Configuration
Synchronization
Configuration.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3201

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.3.5 Configuration Limitations for HSB

Note the following points when configuring hot-standby backup on the wireless
access controller:
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policies and WLAN ID) of the AP
connected to the active and standby ACs must be consistent on the two ACs;
otherwise, no guarantee is provided for user services after an active/standby
switchover between ACs.
● The models and software versions of the active and standby ACs must be the
same.
● Hot standby backup cannot be configured concurrently with dual-link cold
backup or N+1 backup.
● In an HSB scenario, note the following when upgrading a device:
– HSB allows only two ACs to back up each other. In addition, the model
and software version of the two ACs must be the same. When upgrading
the ACs, upgrade two ACs to the same target version simultaneously and
restart both ACs using the target system software.
– Services are interrupted during an upgrade of two ACs in hot standby
mode.
– If an active/standby switchover occurs during the batch AP upgrade,
some APs may fail to be upgraded. In this case, you need to perform the
upgrade again on new active AC.
– In an HSB scenario, if an AC active/standby switchover occurs when an
AP goes online or offline, information about the IP address pool and
registered AP may be inconsistent on the active and standby ACs.
● The VRRP HSB configuration must be the same on the active and standby
ACs. To add new service configuration, perform the configuration on the
standby AC first and then on the active AC to prevent active/standby
switchovers, which may result in a data backup failure on the standby AC.
● When configuring dual-link HSB, you must perform the same service
configurations on active and standby ACs. If service configurations are
different on the two ACs, services will be interrupted by an active/standby
switchover that occurs before the next information synchronization.
● In dual-link HSB mode, an active/standby switchover takes a long time.
During this process, services forwarded through tunnels are interrupted, new
users cannot go online, and online users cannot roam.
● VRRP HSB supports only the active/standby mode but not the load balancing
mode. Dual-link HSB supports both the active/standby and load balancing
modes.
● The HSB function is mutually exclusive with DTLS encryption for CAPWAP
data tunnels.
● In a dual-link HSB scenario, HSB cannot be performed for IP address
allocation information on the active/standby ACs. You are advised to
configure another device as the DHCP server.
Pay attention to the following points when deploying a DHCP server in a
VRRP HSB scenario:

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3202

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

– The DHCP server-enabled interface must be the interface where a VRRP

group is created. Otherwise, the active and standby ACs will allocate an
IP address to the user at the same time.
– The IP address pool configured on the active AC must be the same as
that on the standby AC. Otherwise, configurations of the active AC will
fail to be backed up to the standby AC.
– You must run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the active AC cannot be backed up to
the standby AC.

22.3.6 Default Settings for HSB

Table 22-6 describes the default settings for HSB.

Table 22-6 Default settings for HSB

Parameter Default Setting

HSB function Disabled

Number of times HSB detection 5

packets are retransmitted

Interval for retransmitting HSB 3 seconds

detection packets

22.3.7 Configuring HSB

Pre-configuration Tasks
Before configuring HSB, configure basic WLAN services. For details, see WLAN
Service Configuration Guide.

22.3.7.1 Configuring VRRP HSB

Pre-Configuration Tasks
Before configuring VRRP HSB, configure network layer attributes of interfaces to
ensure network connectivity.

22.3.7.1.1 Configuring a VRRP Group

Context
A VRRP group can virtualize multiple devices into one gateway and set the next
hop address of the default route on the host to the IP address of the virtual
gateway to implement gateway backup without changing the networking. After a
VRRP group is configured, traffic is forwarded through the master. If the master

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3203

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

fails, a new master is selected from the backups to forward traffic. This
implements gateway backup.
You can perform the following steps to implement basic configurations of a VRRP
group. For other configurations and precautions of a VRRP group, see VRRP
Configuration.

NOTE

When multiple VRRP groups are configured, you are advised to set parameter settings of the
VRRP groups to the same to ensure that the status of these VRRP groups is the same. If the
status of the VRRP groups is different, services in the VRRP groups that are not bound to the
HSB group will be affected after a VRRP active/standby switchover is performed in the VRRP
group bound to the HSB group.

Procedure
● Configure an VRRP group.
a. Run system-view
The system view is displayed.
b. Run interface vlanif vlan-id
The VLANIF interface view is displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
The VRRP group is created, and a virtual IP address is configured.
By default, no VRRP group is created.
d. Run vrrp vrid virtual-router-id priority priority-value
The priority of a device in the VRRP group is configured.
By default, the priority of a device in the VRRP group is 100.
----End

22.3.7.1.2 Configuring an HSB Service

Context
An HSB service establishes an HSB channel for transmitting packets of other
services and maintains the link status by notifying the HSB group of the faulty
link.
An HSB service provides the following functions:
● Establishing an HSB channel: A TCP channel is established for sending HSB
packets by setting the IP addresses and port numbers of the local and peer
devices. The HSB service provides packet sending and receiving for other
services and notifies link status changes.
● Maintaining the link status of the HSB channel: HSB packets are sent and
retransmitted to prevent long TCP interruption that is not detected by the
protocol stack. If a device does not receive an HSB packet from the peer
device within the period (retransmission interval x retransmission times), the
local device receives a message indicating the exception and then re-
establishes a channel to the peer.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3204

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● Parameters for the HSB channel must be configured on the local and remote ends at the
same time. The source IP address, destination IP address, source port, and destination port of
the local end are the destination IP address, source IP address, destination port, and source
port of the remote end, respectively.
● Parameters of HSB service packets, including the interval and packet retransmission times,
must be the same on both ends.
● Pay attention to the following points when configuring a shared key:
● Configuring a shared key for HSB service is not recommended in a secure network
environment because this configuration will degrade the HSB performance. If the
shared key is required, ensure that the same shared key is configured at both ends of
the HSB service. Inconsistent keys on both ends will cause frequent interruption of the
HSB channel.
● The key command must be configured before the service-ip-port command; otherwise,
the key command will fail to be configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run hsb-service service-index
An HSB service is created and the HSB service view is displayed.
By default, no HSB service is created.
Step 3 (Optional) Run key cipher key-string
The key used by the HSB devices is configured.
By default, the key used by HSB devices is not configured.
Step 4 Run service-ip-port local-ip local-ip-address peer-ip peer-ip-address local-data-
port local-port peer-data-port peer-port
The IP address and port number of an HSB channel is configured.
By default, the IP address and port number of an HSB channel are not configured.
Step 5 (Optional) Run service-keep-alive detect retransmit retransmit-times interval
interval-value
The retransmission times and interval of HSB packets are set.
The default number of retransmission times is 5, and the default retransmission
interval is 3 seconds.

----End

22.3.7.1.3 Configuring an HSB Group

Context
An HSB group instructs service modules to perform batch backup, real-time
backup, and status synchronization. The backup of services depends on the status

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3205

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

negotiation and event notification mechanisms provided by the HSB group,

synchronizing services on the master and backup devices.

An HSB group synchronizes backup information and responds to link status

changes through the HSB channel established by the HSB service. To make the
HSB group work properly, bind an HSB service to the HSB group. In addition, the
HSB group must be bound to a VRRP group to negotiate the service status based
on the VRRP status. By monitoring the changes in the bound HSB channel status
and VRRP status, the HSB group instructs service modules to perform batch
backup, real-time backup, and status synchronization.

NOTE

● When configuring the VRRP hot standby function, two ACs form a virtual AC and all the
APs connected to the ACs can communicate with the virtual AC. Therefore, the source IP
address of the AC must be the virtual IP address of the VRRP group bound to the HSB
group. You can run the capwap source ip-address command to configure the source IP
address of the AC.
● When multiple VRRP groups are configured, you are advised to set parameter settings of
the VRRP groups to the same to ensure that the status of these VRRP groups is the
same. If the status of the VRRP groups is different, services in the VRRP groups that are
not bound to the HSB group will be affected after a VRRP active/standby switchover is
performed in the VRRP group bound to the HSB group.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hsb-group group-index

An HSB group is created and the HSB group view is displayed.

By default, no HSB group is created.

Step 3 Run bind-service service-index

An HSB service is configured for binding to the HSB group.

By default, no HSB service is bound to an HSB group.

Step 4 Run track vrrp vrid virtual-router-id interface interface-type interface-number

A VRRP group is configured for binding to the HSB group.

By default, no HSB group is bound to a VRRP group.

NOTE

HSB implements traffic switchover using VRRP or link backup. The HSB group configured in
this section implements traffic switchover using VRRP. To configure the HSB group run in
load balancing mode, configure the HSB group to switch traffic through link backup.

Step 5 Run quit

The system view is displayed.

Step 6 (Optional) Bind an HSB service to the HSB group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3206

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The HSB group can be bound to different HSB services to provide the backup
function, improving service reliability.

After an HSB group is enabled, services cannot be bound to the HSB group.
Therefore, bind services to an HSB group before enabling the HSB group.

● Binding the NAC service to the HSB group

Run hsb-service-type access-user hsb-group group-index
The NAC service is bound to the HSB group.
● Binding the DHCP service to the HSB group
Run hsb-service-type dhcp hsb-group group-index
The DHCP service is bound to the HSB group.
● Binding the WLAN service to the HSB group
Run hsb-service-type ap hsb-group group-index
The WLAN service is bound to the HSB group.

----End

22.3.7.1.4 Enabling an HSB Group

Context
An HSB group takes effect and notifies the service modules of status changes only
after the HSB group is enabled.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hsb-group group-index

The HSB group view is displayed.

Step 3 Run hsb enable

The HSB group is enabled.

NOTICE

Before APs go online on active and standby ACs, you need to add the APs offline
on the two ACs. If you add APs offline on the standby AC but the APs have gone
online on the active AC, the status of these APs displays as fault. You need to run
the undo hsb enable command in the HSB group view of the standby AC to
disable the HSB function and then run the hsb enable command to enable the
HSB function so that information on the active AC is backed up to the standby AC.
The status of the APs on the standby AC displays as standby.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3207

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.3.7.1.5 Verifying the HSB Configuration

Procedure
● Run the display hsb-group group-index command to view information about
the HSB group.
● Run the display hsb-service service-index command to view information
about the HSB service.
----End

22.3.7.2 Configuring Dual-Link HSB

Pre-Configuration Tasks
Before configuring dual-link HSB, configure network layer attributes of interfaces
to ensure network connectivity.

22.3.7.2.1 Configuring Dual-Link Backup (Traditional Method)

Context
Dual-link backup can be configured using either of the following methods:
● Global configuration: The dual-link backup parameters are configured in the
AC's WLAN view and delivered to all APs except the specified APs. You can use
this method to batch enable dual-link backup.
● AP-specific configuration: The dual-link backup parameters are configured in
the AC's AP system profile view and apply to all APs using the AP system
profile. The AP-specific configuration takes precedence over global
configuration on the AC.
The following configurations must be performed on both the active and standby
ACs.

NOTE
If wireless configuration synchronization is required, you cannot configure dual-link backup
using the traditional method. Only the new method for configuring dual-link backup is allowed.
For details, see 22.3.7.2.2 Configuring Dual-Link Backup (New Method).

Pre-configuration Tasks
Before configuring dual-link backup, configure basic WLAN services on the active
and standby ACs (For details, see 8 WLAN Service Configuration Guide). The
WLAN service configuration of the active and standby ACs must be consistent on
the two ACs.

Procedure
● Global configuration
a. Run system-view

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3208

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The system view is displayed.

b. (Optional) Run capwap echo { interval interval-value | times times-
value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat
detections are configured.
By default, the CAPWAP heartbeat detection interval is 25s and the
number of CAPWAP heartbeat detections is 6.
By default, If dual-link backup is enabled, the CAPWAP heartbeat
detection interval is 25s and the number of CAPWAP heartbeat
detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP

heartbeat interval to 25 seconds and set the number of heartbeat packet
transmissions to at least 6. If this configuration is not performed, the AC
sends heartbeat packets 3 times at an interval of 25 seconds by default. This
may cause unstable WDS or mesh link status and result in user access
failures.
● If you set the CAPWAP heartbeat detection interval and the number of
CAPWAP heartbeat detections smaller than the default values, the CAPWAP
link reliability is degraded. Exercise caution when you set the values. The
default values are recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ac protect protect-ac { ip-address | ipv6 ipv6-address }
The IP address of the standby AC is configured.
By default, no standby AC IP address is configured in the WLAN view.
e. Run ac protect priority priority
The priority of the local AC is configured.
By default, the AC priority in the WLAN view is 0.

NOTE

● The priority of the standby AC must be smaller than that of the active AC.
● A smaller value indicates a higher priority.
f. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP

cannot be switched back to the original active AC when the link between the
original active AC and the AP restores.
g. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3209

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

By default, AP Fault alarm suppression is disabled.

h. Run ac protect enable

By default, dual-link backup is disabled.

i. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } }

APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable

command restarts online APs. After the APs are restarted, the dual-link
backup function takes effect.
● If the dual-link backup function is enabled, running the ac protect enable
command does not restart online APs. You need to run the ap-reset { all | ap-
name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type
{ type type-name | type-id type-id } } command to restart the APs and make
the dual-link backup function take effect. You can also manually restart the
APs to make the dual-link backup function take effect.
● If an AP goes online after dual-link backup is configured, you do not need to
restart the AP.
● AP-specific configuration
a. Run system-view

The system view is displayed.

b. (Optional) Run capwap echo { interval interval-value | times times-
value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat
detections are configured.

By default, the CAPWAP heartbeat detection interval is 25s and the

number of CAPWAP heartbeat detections is 6.

By default, If dual-link backup is enabled, the CAPWAP heartbeat

detection interval is 25s and the number of CAPWAP heartbeat
detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP

heartbeat interval to 25 seconds and set the number of heartbeat packet
transmissions to at least 6. If this configuration is not performed, the AC
sends heartbeat packets 3 times at an interval of 25 seconds by default. This
may cause unstable WDS or mesh link status and result in user access
failures.
● If you set the CAPWAP heartbeat detection interval and the number of
CAPWAP heartbeat detections smaller than the default values, the CAPWAP
link reliability is degraded. Exercise caution when you set the values. The
default values are recommended.
c. Run wlan

The WLAN view is displayed.

d. Run ap-system-profile name profile-name

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3210

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

An AP system profile is created and the AP system profile view is

displayed.
By default, the system provides the AP system profile default.
e. Run protect-ac { ip-address ip-address | ipv6-address ipv6-address }
The IP address of the standby AC is configured.
By default, no standby AC's IP address is configured in the AP system
profile view.
f. Run priority priority-level
The priority of the local AC is configured.
By default, no AC priority is configured in the AP system profile view.

NOTE

● The priority of the standby AC must be smaller than that of the active AC.
● If priorities have been configured for the two ACs to which an AP connects,
the AC with higher priority becomes the active AC.
g. Run quit
Return to the WLAN view.
h. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP

cannot be switched back to the original active AC when the link between the
original active AC and the AP restores.
i. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP Fault alarm suppression is disabled.
j. Run ac protect enable
By default, dual-link backup is disabled.
k. The AP system profile is bound to an AP group.

▪ Binding an AP system profile to an AP group.

1) Run the ap-group name group-name command to enter the AP
group view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP group.
By default, the AP system profile default is bound to an AP
group.

▪ Binding an AP system profile to an AP.

1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
command to enter the AP view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3211

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

2) Run the ap-system-profile profile-name command to bind the

AP system profile to the AP.
By default, no AP system profile is bound to an AP.
l. Run quit
Return to the WLAN view.
m. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable

command restarts online APs. After the APs are restarted, the dual-link
backup function takes effect.
● If the dual-link backup function is enabled, running the ac protect enable
command does not restart online APs. You need to run the ap-reset { all | ap-
name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type
{ type type-name | type-id type-id } } command to restart the APs and make
the dual-link backup function take effect. You can also manually restart the
APs to make the dual-link backup function take effect.
● If an AP goes online after dual-link backup is configured, you do not need to
restart the AP.

----End

22.3.7.2.2 Configuring Dual-Link Backup (New Method)

Context
Traditionally, dual-link backup is configured by specifying IP addresses of the
active and standby ACs on each other and configuring AC priorities. The active and
standby ACs are then determined based on the priority. To simplify configuration
logic, the new configuration method allows you to specify the same primary and
backup ACs for APs on the active and standby ACs. The active AC is specified as
the primary AC, and the standby AC as the backup AC.
The following configurations must be performed on both the active and standby
ACs.

NOTE

You cannot configure dual-link backup in both the traditional and new methods. Otherwise, the
dual-link backup function cannot take effect.
If wireless configuration synchronization is required, you cannot configure dual-link backup
using the traditional method. Only the new method for configuring dual-link backup is allowed.
Wireless configuration synchronization can help reduce the configuration workload and
optimize maintenance operations. For details, see 22.6 Wireless Configuration
Synchronization Configuration.

Pre-configuration Tasks
Before configuring dual-link backup, configure basic WLAN services on the active
and standby ACs (For details, see 8 WLAN Service Configuration Guide). The

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3212

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

WLAN service configuration of the active and standby ACs must be consistent on
the two ACs.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 (Optional) Run capwap echo { interval interval-value | times times-value } *

The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
By default, If dual-link backup is enabled, the CAPWAP heartbeat detection
interval is 25s and the number of CAPWAP heartbeat detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
interval to 25 seconds and set the number of heartbeat packet transmissions to at least
6. If this configuration is not performed, the AC sends heartbeat packets 3 times at an
interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
result in user access failures.
● If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link reliability is
degraded. Exercise caution when you set the values. The default values are
recommended.

Step 3 Run wlan

The WLAN view is displayed.
Step 4 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
Step 5 Run primary-access { ip-address ip-address | ipv6-address ipv6-address }
A primary AC IP address is configured.
By default, no primary AC IP address is configured.
Step 6 Run backup-access { ip-address ip-address | ipv6-address ipv6-address }
A backup AC IP address is configured.
By default, no backup AC IP address is configured.
Step 7 Run quit
Return to the WLAN view.
Step 8 Run undo ac protect restore disable
Revertive switching is enabled.
Step 9 (Optional) Run ac protect alarm-restrain enable

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3213

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AP Fault alarm suppression is enabled.

By default, AP Fault alarm suppression is disabled.
Step 10 Run ac protect enable
By default, dual-link backup is disabled.
Step 11 The AP system profile is bound to an AP group.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
Step 12 Run quit
Return to the WLAN view.
Step 13 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
● If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name | ap-
mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function
take effect.
● If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.

----End

22.3.7.2.3 (Optional) Configuring the Active/Standby Link Switchover Mode

Context
In dual-link cold backup or hot standby scenarios, an AP simultaneously sets up
active and standby links with active and standby ACs, respectively. If the active link
is faulty, the AP switches service traffic to the standby link and goes online on the

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3214

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

standby AC. When the active link recovers, the AP detects that this link has a
higher priority than the other one and triggers a revertive switchover. After 20
Echo intervals, the AP switches service traffic back to the active AC.
● To enable an AP to preferentially switch service traffic to the active link, set
the active/standby link switchover mode to the priority mode.
● To allow an AP to use a link with high network stabilization, set the active/
standby link switchover mode to the network stabilization mode. When the
condition for triggering an active/standby link switchover is met, the AP
preferentially switches service traffic to the link on a network with higher
stabilization. In this case, whether an active/standby link switchover is
performed is only related to the network stabilization of links but not related
to the active and standby roles of links. You can run the ac protect link-
switch packet-loss { gap-threshold gap-threshold | start-threshold start-
threshold } command to configure the condition for triggering an active/
standby link switchover.
In dual-link cold backup and hot standby scenarios, the network stabilization of
active and standby links is determined based on the Echo packet loss rate. The
active/standby link switchover is performed when the following conditions are
met:
1. APs collect statistics about the specified number of Echo packets forwarded
through the link in use at each interval and find that the calculated packet
loss rate is higher than the packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link,
and the difference between the two links' packet loss rates is higher than the
packet loss rate difference threshold.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run ac protect link-switch mode { priority | network-stabilization }
The active/standby link switchover mode is configured.
By default, the active/standby link switchover mode is the priority mode.
Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time
The number of Echo probe packets sent within a statistics collection interval is
configured.
By default, the number of Echo packets sent within a statistics collection interval is
20.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3215

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

This configuration is supported only when the active/standby link switchover

mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.
Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-
threshold start-threshold }
The packet loss rate start and difference thresholds for an active/standby link
switchover are configured.
By default, the packet loss rate start and difference thresholds for an active/
standby link switchover are 20% and 15%, respectively.
This configuration is supported only when the active/standby link switchover
mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind the AP system profile to the AP group.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

----End

Verifying the Configuration

● Run the display ap-system-profile { all | name profile-name } command to
check the configurations related to the active/standby link switchover mode.

22.3.7.2.4 Configuring an HSB Service

Context
An HSB service establishes an HSB channel for transmitting packets of other
services and maintains the link status by notifying the HSB group of the faulty
link.
An HSB service provides the following functions:
● Establishing an HSB channel: A TCP channel is established for sending HSB
packets by setting the IP addresses and port numbers of the local and peer

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3216

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

devices. The HSB service provides packet sending and receiving for other
services and notifies link status changes.
● Maintaining the link status of the HSB channel: HSB packets are sent and
retransmitted to prevent long TCP interruption that is not detected by the
protocol stack. If a device does not receive an HSB packet from the peer
device within the period (retransmission interval x retransmission times), the
local device receives a message indicating the exception and then re-
establishes a channel to the peer.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run hsb-service service-index

An HSB service is created and the HSB service view is displayed.

Step 3 Run service-ip-port local-ip local-ip-address peer-ip peer-ip-address local-data-

port local-port peer-data-port peer-port

An HSB channel is established.

The channel parameters must be set at the local device and the peer device. The
destination IP address and port number of the local device must be the same as
the IP address and port number of the peer device.

Step 4 (Optional) Run service-keep-alive detect retransmit retransmit-times interval

interval-value
The retransmission times and interval of HSB packets are set.

● By default, the HSB packet retransmission interval is 3 seconds and

retransmission times is 5.
● The HSB packet parameters, including retransmission interval and
retransmission times, must be set the same on both ends.

----End

22.3.7.2.5 Binding Services to an HSB Service

Context
HSB can be bound to different HSB services to provide the backup function,
improving service reliability. An HSB service provides an HSB channel between the
master device and backup device to back up and synchronize information. To
switch traffic using link backup, bind services to an HSB service.

Procedure
Step 1 Run system-view

The system view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3217

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 2 Bind services to an HSB service.

● Bind the WLAN service to an HSB service.
Run hsb-service-type ap hsb-service service-number
The WLAN service is bound to the HSB service.
● Bind the NAC service to an HSB service.
Run hsb-service-type access-user hsb-service service-index
The NAC service is bound to the HSB service.

----End

22.3.7.2.6 Verifying the Dual-Link HSB Configuration

Procedure
● Run the display hsb-service service-index command to view information
about the HSB service.
● Run the display ac protect command to check the dual-link backup status,
active/standby AC switch back status, as well as AC priority and the standby
AC's IP address in the WLAN view.
● Run the display ap-system-profile { all | name profile-name } command to
check the AC priority and the standby AC's IP address in the AP system profile
view.
----End

22.3.8 Configuration Examples for HSB

22.3.8.1 Example for Configuring Dual-Link HSB in Load Balancing Mode

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires dual-link HSB to improve data transmission reliability, and load balancing
on the active and standby ACs.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The router functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3218

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-11 Networking diagram for configuring dual-Link HSB in load balancing
mode for ACs

Data Planning

Table 22-7 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

AC's backup VLAN VLAN 102

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3219

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

DHCP server The router functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active and standby ACs AC1 serves as the active AC for AP1
and the standby AC for AP2.
AC2 serves as the active AC for AP2
and the standby AC for AP1.

IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1 Port number: 10241

IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2 Port number: 10241

AP group ● Name: ap-group1

● Referenced profiles: VAP profile
wlan-net, regulatory domain
profile default, and AP system
profile ap-system1

● Name: ap-group2
● Referenced profiles: VAP profile
wlan-net, regulatory domain
profile default, and AP system
profile ap-system2

AP system profile ● Name: ap-system1

● Active AC: AC1
● Standby AC: AC2

● Name: ap-system2
● Active AC: AC2
● Standby AC: AC1

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3220

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure the APs to go online and configure basic WLAN services.
3. Configure dual-link HSB in load balancing mode.
4. Configure HSB on the ACs so that the WLAN and NAC services on the active
AC are backed up to the standby AC in real time and in batches. If the active
AC is faulty, the standby AC takes over services of the active AC, ensuring user
service continuity.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3221

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● Dual-link backup cannot back up DHCP information. When the AC functions
as the DHCP server to assign IP addresses to APs and STAs, APs and STAs
need to re-obtain IP addresses if the active AC is faulty. It is recommended
that Router function as the DHCP server. If the AC must be used as the DHCP
server, configure address pools containing different IP addresses on the active
and standby ACs to prevent IP address conflicts.

Procedure
Step 1 Configure the switches and Router.

# Set the PVID of GE0/0/1 and GE0/0/2 on SwitchA to management VLAN 100,
and add the interfaces to VLAN 100 and VLAN 101. Add GE0/0/3 on SwitchA
connected to SwitchB to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB connected to SwitchA to VLAN 100 and VLAN 101. Add
GE0/0/2 (connected to AC1) and GE0/0/3 (connected to AC2) on SwitchB to VLAN
100 and VLAN 102. Add GE0/0/4 on SwitchB connected to Router to VLAN 100
and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

# Add GE0/0/1 on Router connected to SwitchB to VLAN 100 and VLAN 101.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3222

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.

# Add GE0/0/1 on AC1 to the service VLAN 101 and backup VLAN 102.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 to 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 on AC2 to VLAN 101 and VLAN 102.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 to 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC2-GigabitEthernet0/0/1] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3223

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Router-Vlanif101] dhcp select global

[Router-Vlanif101] quit

Step 4 Configure the APs to go online.

NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same
as those on AC1.

# Create AP groups ap-group1 and ap-group2.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the country code for AC1 in the
profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group2] quit
[AC1-wlan-view] quit

# Configure the source interface for AC1.

[AC1] capwap source interface vlanif 100

# Import AP1 and AP2 offline on AC1, and add AP1 to the AP group ap-group1
and AP2 to the AP group ap-group2.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC1-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP
states. If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3224

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

ID MAC Name Group IP Type State STA Uptime ExtraInfo

--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 31S -
1 60de-4476-e380 area_2 ap-group2 10.23.100.253 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same as
those on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and
radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group2] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group2] quit

Step 6 Configure dual-link HSB in load balancing mode on AC1 and AC2.
# On AC1, configure AC1 as the active AC for AP1 and the standby AC for AP2,
and AC2 as the active AC for AP2 and the standby AC for AP1.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC1-wlan-view] ap-system-profile name ap-system1
[AC1-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-ap-system1] quit
[AC1-wlan-view] ap-system-profile name ap-system2
[AC1-wlan-ap-system-prof-ap-system2] primary-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-ap-system2] backup-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-ap-system2] quit
[AC1-wlan-view] ap-group name ap-group1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3225

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-ap-group-ap-group1] ap-system-profile ap-system1

[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] ap-group name ap-group2
[AC1-wlan-ap-group-ap-group2] ap-system-profile ap-system2
[AC1-wlan-ap-group-ap-group2] quit

# On AC2, configure AC1 as the active AC for AP1 and the standby AC for AP2,
and AC2 as the active AC for AP2 and the standby AC for AP1. The configuration
method on AC2 is the same as that on AC1.

# Restart the APs on AC1 and AC2, and deliver the dual-link HSB configuration to
the APs.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC2-wlan-view] quit

Step 7 Configure the HSB function.

# Create HSB service 0 on AC1, and configure the IP addresses and port numbers
for the active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.

[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers
for the active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.

[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 8 Verify the configuration.

# Run the display ac protect command on AC1 and AC2 to view dual-link HSB
information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC :-
Priority :0
Protect restore : enable

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3226

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

...
------------------------------------------------------------

# Run the display ap-system-profile name ap-system1 command on AC1 and

the display ap-system-profile name ap-system2 command on AC2 to view
information about the active and standby ACs.
[AC1] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC1] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system1
------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.100.2
Backup AC : 10.23.100.3
...
------------------------------------------------------------
[AC2] display ap-system-profile name ap-system2
------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.100.3
Backup AC : 10.23.100.2
...
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. The value of the Service State field is Connected, which indicates
that the HSB channels are set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3227

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Access-user
Shared-key :-
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to AP1, and
these STAs can connect to the WLAN.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC1. When AP1 detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP1 goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP1 automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3228

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

port link-type trunk

port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● Router configuration file

#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3229

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-8 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.2 255.255.255.0 ip address 10.23.100.3 255.255.255.0
# #
interface Vlanif102 interface Vlanif102
ip address 10.23.102.1 255.255.255.0 ip address 10.23.102.2 255.255.255.0
# #
interface GigabitEthernet0/0/1 interface GigabitEthernet0/0/1
port link-type trunk port link-type trunk
port trunk allow-pass vlan 100 102 port trunk allow-pass vlan 100 102
# #
capwap source interface vlanif100 capwap source interface vlanif100
# #
hsb-service 0 hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip service-ip-port local-ip 10.23.102.2 peer-ip
10.23.102.2 local-data-port 10241 peer-data- 10.23.102.1 local-data-port 10241 peer-data-
port 10241 port 10241
# #
hsb-service-type access-user hsb-service 0 hsb-service-type access-user hsb-service 0
# #
hsb-service-type ap hsb-service 0 hsb-service-type ap hsb-service 0
# #
wlan wlan
ac protect enable ac protect enable
security-profile name wlan-net security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^ security wpa-wpa2 psk pass-phrase %^
%#A>0:F8{q)0PWFAON0*rK\{&<S>}oK#% %#A>0:F8{q)0PWFAON0*rK\{&<S>}oK#%
{]c~egp*.%^%# aes {]c~egp*.%^%# aes
ssid-profile name wlan-net ssid-profile name wlan-net
ssid wlan-net ssid wlan-net
vap-profile name wlan-net vap-profile name wlan-net
service-vlan vlan-id 101 service-vlan vlan-id 101
ssid-profile wlan-net ssid-profile wlan-net
security-profile wlan-net security-profile wlan-net
regulatory-domain-profile name default regulatory-domain-profile name default
ap-system-profile name ap-system1 ap-system-profile name ap-system1
primary-access ip-address 10.23.100.2 primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3 backup-access ip-address 10.23.100.3
ap-system-profile name ap-system2 ap-system-profile name ap-system2
primary-access ip-address 10.23.100.3 primary-access ip-address 10.23.100.3
backup-access ip-address 10.23.100.2 backup-access ip-address 10.23.100.2
ap-group name ap-group1 ap-group name ap-group1
ap-system-profile ap-system1 ap-system-profile ap-system1
radio 0 radio 0
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
radio 1 radio 1
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
ap-group name ap-group2 ap-group name ap-group2
ap-system-profile ap-system2 ap-system-profile ap-system2
radio 0 radio 0
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
radio 1 radio 1
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360 ap-sn ap-id 0 ap-mac 60de-4476-e360 ap-sn
210235554710CB000042 210235554710CB000042
ap-name area_1 ap-name area_1
ap-group ap-group1 ap-group ap-group1
ap-id 1 ap-mac 60de-4476-e380 ap-sn ap-id 1 ap-mac 60de-4476-e380 ap-sn
210235554710CB000043 210235554710CB000043
ap-name area_2 ap-name area_2
ap-group ap-group2 ap-group ap-group2

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3230

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AC1 AC2
# #
return return

22.3.8.2 Example for Configuring Dual-Link HSB in Active/Standby Mode

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires dual-link HSB to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The router functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3231

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-12 Networking for configuring dual-link HSB for ACs

Data Planning

Table 22-9 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

AC's backup VLAN VLAN 102

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3232

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

DHCP server The router functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active AC AC1
Local priority: 0

Standby AC AC2
Local priority: 1

IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1 Port number: 10241

IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2 Port number: 10241

AP group ● Name: ap-group1

● Referenced profiles: VAP profile
wlan-net and regulatory domain
profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3233

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise
network.
3. Configure global dual-link backup on the ACs.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1
are backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes
over services from AC1. User services are not interrupted.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● Dual-link backup cannot back up DHCP information. When the AC functions
as the DHCP server to assign IP addresses to APs and STAs, APs and STAs
need to re-obtain IP addresses if the active AC is faulty. It is recommended
that Router function as the DHCP server. If the AC must be used as the DHCP
server, configure address pools containing different IP addresses on the active
and standby ACs to prevent IP address conflicts.

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can
exchange CAPWAP packets.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the
interface to VLAN 100 and VLAN 101. Add GE0/0/2 of SwitchA to VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3234

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchA] vlan batch 100 101

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB to VLAN 100 and VLAN 101.
Add GE0/0/2 (connecting to AC1) of SwitchB, and GE0/0/3 (connecting to AC2) of
SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.

# Add GE0/0/1 of AC1 to backup VLAN 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 102.

[AC2] vlan batch 101 102
[AC2] interface vlanif 100

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3235

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2-Vlanif100] ip address 10.23.100.3 24

[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to VLAN 102 and add GE0/0/4 of SwitchB
connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure WLAN service parameters on AC1 and AC2.

NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same
as those on AC1.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3236

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

1. Configure system parameters for AC1.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.

[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3237

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure dual-link backup on AC1 and AC2.

# Configure the AC1 priority and AC2 IP address on AC1 to implement dual-link
backup.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0

# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link
backup.
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] quit

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 6 Configure the hot standby function.

# Create HSB service 0 on AC1 and configure the IP addresses and port numbers
for the active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.

[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers
for the active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.

[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 7 Verify the configuration.

# Run the display ac protect command on AC1 and AC2 to view dual-link backup
information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3238

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority :1
Protect restore : enable
...
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. The value of the Service State field is Connected, which indicates
that the HSB channels are set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
Shared-key :-
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to AP1, and
these STAs can connect to the WLAN.

# Simulate an active AC fault by restarting the active AC to verify the backup

configuration. Restart AC1. When AP1 detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP1 goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered.

AP1 automatically goes online on AC1.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3239

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
● Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3240

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

port link-type trunk

port trunk allow-pass vlan 100 to 101
#
return
● Comparison between AC1 and AC2 configuration files (The information in
bold is settings about the two-node backup function.)

Table 22-10 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.2 255.255.255.0 ip address 10.23.100.3 255.255.255.0
# #
interface Vlanif102 interface Vlanif102
ip address 10.23.102.1 255.255.255.0 ip address 10.23.102.2 255.255.255.0
# #
interface GigabitEthernet0/0/1 interface GigabitEthernet0/0/1
port link-type trunk port link-type trunk
port trunk allow-pass vlan 100 102 port trunk allow-pass vlan 100 102
# #
capwap source interface vlanif100 capwap source interface vlanif100
# #
hsb-service 0 hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip service-ip-port local-ip 10.23.102.2 peer-ip
10.23.102.2 local-data-port 10241 peer-data- 10.23.102.1 local-data-port 10241 peer-data-
port 10241 port 10241
# #
hsb-service-type access-user hsb-service 0 hsb-service-type access-user hsb-service 0
# #
hsb-service-type ap hsb-service 0 hsb-service-type ap hsb-service 0
# #
wlan wlan
ac protect enable protect-ac 10.23.100.3 ac protect enable protect-ac 10.23.100.2
priority 0 priority 1
security-profile name wlan-net security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^ security wpa-wpa2 psk pass-phrase %^
%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y- %#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes fNA<TAP&}F%^%# aes
ssid-profile name wlan-net ssid-profile name wlan-net
ssid wlan-net ssid wlan-net
vap-profile name wlan-net vap-profile name wlan-net
service-vlan vlan-id 101 service-vlan vlan-id 101
ssid-profile wlan-net ssid-profile wlan-net
security-profile wlan-net security-profile wlan-net
regulatory-domain-profile name default regulatory-domain-profile name default
ap-group name ap-group1 ap-group name ap-group1
radio 0 radio 0
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
radio 1 radio 1
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
sn 210235554710CB000042 sn 210235554710CB000042
ap-name area_1 ap-name area_1
ap-group ap-group1 ap-group ap-group1
# #
return return

22.3.8.3 Example for Configuring VRRP HSB (Direct Forwarding)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3241

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires VRRP HSB to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3242

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-13 Configuring VRRP HSB (direct forwarding)

Internet

Router
GE0/0/2
VLAN102
AC1 AC2

GE0/0/1
VLAN100-101

GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100-101 VLAN100-101
Eth-Trunk10

GE0/0/2 GE0/0/3
VLAN100-101 VLAN100-101

GE0/0/1 SwitchA
VLAN100-101

AP

STA
Management VLAN: VLAN 100
Service VLAN: VLAN 101
: Service VRRP
: mVRRP
:Eth-Trunk

Data Planning

Table 22-11 AC Data Planning

Item Configuration

AC1's source interface VLANIF 100: 10.23.100.3/24

AC2's source interface VLANIF 100: 10.23.100.3/24

Virtual IP address of the 10.23.100.3/24

management VRRP group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3243

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Configuration

Virtual IP address of the 10.23.101.3/24

service VRRP group

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

AP group ● Name: ap-group1

● Referenced profiles: VAP profile wlan-net
and regulatory domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK+AES
● Password: a1234567

DHCP server AC functions as the DHCP server to assign IP

addresses to the AP and STA

AP's gateway VLANIF 100: 10.23.100.3/24

IP address pool for the AP 10.23.100.4 to 10.23.100.254/24

STA's gateway VLANIF 101: 10.23.101.3/24

IP address pool for STA 10.23.101.4 to 10.23.101.254/24

IP addresses and port IP address: VLANIF 102, 10.23.102.1/24

numbers for the active and Port number: 10241
standby channels of AC1

IP addresses and port IP address: VLANIF 102, 10.23.102.2/24

numbers for the active and Port number: 10241
standby channels of AC2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to

improve the core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3244

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for
AC1 as the active device to forward traffic, and a low priority for AC2 as the
standby device.
5. Configure the hot standby (HSB) function so that service information on AC1
is backed up to AC2 in batches in real time, ensuring seamless service
switchover from the active device to the standby device.

NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3245

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchB] set css mode css-card

[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3246

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3247

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can
be transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting
to the AP). If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs or WLAN users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN

100 and add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on
SwitchA connected to SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on
SwitchA connected to SwitchC to Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3248

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[CSS-GigabitEthernet2/1/0/2] undo port link-type

[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3249

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
10.23.100.1 and 10.23.101.1 have been assigned to the master AC; 10.23.100.2 and
10.23.101.2 have been assigned to the backup AC; 10.23.100.3 and 10.23.101.3
have been assigned as VRRP virtual IP addresses. You need to specify these IP
addresses as those that cannot be automatically assigned to clients from the
interface address pools of the master and backup ACs.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and
set the preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management
VRRP group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3250

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management
VRRP group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3251

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those
on AC1. An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3252

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1
and AC2. The command output displays that the State field of AC1 is Master and
that of AC2 is Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

Vlanif101 | Virtual Router 2

State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-30 23:45:50 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3253

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

Vlanif101 | Virtual Router 2

State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-31 00:32:33 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. The command output displays that the Service State field is
Connected, indicating that the HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB
group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3254

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Vrrp Interface : Vlanif100

Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to AP, and these
STAs can connect to the WLAN.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC1. When AP detects a fault on the link connected to AC1,
AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3255

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

port trunk allow-pass vlan 100 to 101

port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

● CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3256

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-12 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vrrp recover-delay 60 vrrp recover-delay 60
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
dhcp enable dhcp enable
# #
dhcp server database enable dhcp server database enable
dhcp server database recover dhcp server database recover
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.1 255.255.255.0 ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1 admin-vrrp vrid 1
vrrp vrid 1 priority 120 dhcp select interface
vrrp vrid 1 preempt-mode timer delay 1800 dhcp server excluded-ip-address 10.23.100.1
dhcp select interface 10.23.100.3
dhcp server excluded-ip-address 10.23.100.1 #
10.23.100.3 interface Vlanif101
# ip address 10.23.101.2 255.255.255.0
interface Vlanif101 vrrp vrid 2 virtual-ip 10.23.101.3
ip address 10.23.101.1 255.255.255.0 vrrp vrid 2 track admin-vrrp interface
vrrp vrid 2 virtual-ip 10.23.101.3 Vlanif100 vrid 1 unflowdown
vrrp vrid 2 preempt-mode timer delay 1800 dhcp select interface
vrrp vrid 2 track admin-vrrp interface dhcp server excluded-ip-address 10.23.101.1
Vlanif100 vrid 1 unflowdown 10.23.101.3
dhcp select interface #
dhcp server excluded-ip-address 10.23.101.1 interface Vlanif102
10.23.101.3 ip address 10.23.102.2 255.255.255.0
# #
interface Vlanif102 interface GigabitEthernet0/0/1
ip address 10.23.102.1 255.255.255.0 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/1 port trunk allow-pass vlan 100 to 101
port link-type trunk #
undo port trunk allow-pass vlan 1 interface GigabitEthernet0/0/2
port trunk allow-pass vlan 100 to 101 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/2 port trunk allow-pass vlan 102
port link-type trunk #
undo port trunk allow-pass vlan 1 capwap source ip-address 10.23.100.3
port trunk allow-pass vlan 102 #
# hsb-service 0
capwap source ip-address 10.23.100.3 service-ip-port local-ip 10.23.102.2 peer-ip
# 10.23.102.1 local-data-port 10241 peer-data-
hsb-service 0 port 10241
service-ip-port local-ip 10.23.102.1 peer-ip service-keep-alive detect retransmit 3
10.23.102.2 local-data-port 10241 peer-data- interval 6
port 10241 #
service-keep-alive detect retransmit 3 hsb-group 0
interval 6 track vrrp vrid 1 interface Vlanif100
# bind-service 0
hsb-group 0 hsb enable
track vrrp vrid 1 interface Vlanif100 #
bind-service 0 hsb-service-type access-user hsb-group 0
hsb enable #
# hsb-service-type dhcp hsb-group 0
hsb-service-type access-user hsb-group 0 #
# hsb-service-type ap hsb-group 0
hsb-service-type dhcp hsb-group 0 #
# wlan
hsb-service-type ap hsb-group 0 security-profile name wlan-net
# security wpa-wpa2 psk pass-phrase %^

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3257

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AC1 AC2
wlan %#G.DGWgjG./fvyr*oM)KMgc*sR}!
security-profile name wlan-net GUWLa"%G_E.^B%^%# aes
security wpa-wpa2 psk pass-phrase %^ ssid-profile name wlan-net
%#G.DGWgjG./fvyr*oM)KMgc*sR}! ssid wlan-net
GUWLa"%G_E.^B%^%# aes vap-profile name wlan-net
ssid-profile name wlan-net service-vlan vlan-id 101
ssid wlan-net ssid-profile wlan-net
vap-profile name wlan-net security-profile wlan-net
service-vlan vlan-id 101 regulatory-domain-profile name default
ssid-profile wlan-net ap-group name ap-group1
security-profile wlan-net radio 0
regulatory-domain-profile name default vap-profile wlan-net wlan 1
ap-group name ap-group1 radio 1
radio 0 vap-profile wlan-net wlan 1
vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
radio 1 sn 210235554710CB000042
vap-profile wlan-net wlan 1 ap-name area_1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- ap-group ap-group1
sn 210235554710CB000042 #
ap-name area_1 return
ap-group ap-group1
#
return

22.3.8.4 Example for Configuring VRRP HSB (Tunnel Forwarding)

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires VRRP HSB to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3258

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-14 Configuring VRRP HSB (tunnel forwarding)

Internet

Router
GE0/0/2
VLAN102
AC1 AC2

GE0/0/1
VLAN100-101

GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100 VLAN100

Eth-Trunk10

GE0/0/2 GE0/0/3
VLAN100 VLAN100

GE0/0/1 SwitchA
VLAN100

AP

STA
Management VLAN: VLAN 100
Service VLAN: VLAN 101
: Service VRRP
: mVRRP
: Eth-Trunk

Data Planning

Table 22-13 AC Data Planning

Item Configuration

AC1's source interface VLANIF 100: 10.23.100.3/24

AC2's source interface VLANIF 100: 10.23.100.3/24

Virtual IP address of the 10.23.100.3/24

management VRRP group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3259

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Configuration

Virtual IP address of the 10.23.101.3/24

service VRRP group

VAP profile ● Name: wlan-net

● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

AP group ● Name: ap-group1

● Referenced profiles: VAP profile wlan-net
and regulatory domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK+AES
● Password: a1234567

DHCP server AC functions as the DHCP server to assign IP

addresses to the AP and STA

AP's gateway VLANIF 100: 10.23.100.3/24

IP address pool for the AP 10.23.100.4 to 10.23.100.254/24

STA's gateway VLANIF 101: 10.23.101.3/24

IP address pool for STA 10.23.101.4 to 10.23.101.254/24

IP addresses and port IP address: VLANIF 102, 10.23.102.1/24

numbers for the active and Port number: 10241
standby channels of AC1

IP addresses and port IP address: VLANIF 102, 10.23.102.2/24

numbers for the active and Port number: 10241
standby channels of AC2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to

improve the core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3260

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for
AC1 as the active device to forward traffic, and a low priority for AC2 as the
standby device.
5. Configure the hot standby (HSB) function so that service information on AC1
is backed up to AC2 in batches in real time, ensuring seamless service
switchover from the active device to the standby device.

NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3261

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchB] set css mode css-card

[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3262

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3263

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can
be transmitted between the AP and ACs.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN
100 and add GE0/0/1 to VLAN 100. Add GE0/0/2 on SwitchA connected to SwitchB
to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to Eth-
Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3264

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure AC1 as the DHCP server to assign IP addresses to the AP and STA. The
configurations on AC2 are similar to those on AC1. 10.23.100.1 and 10.23.101.1
have been assigned to the master AC; 10.23.100.2 and 10.23.101.2 have been
assigned to the backup AC; 10.23.100.3 and 10.23.101.3 have been assigned as
VRRP virtual IP addresses. You need to specify these IP addresses as those that
cannot be automatically assigned to clients from the interface address pools of
the master and backup ACs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3265

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
[AC1-Vlanif101] quit

Step 5 Configure VRRP on AC1 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 30 seconds.
[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and
set the preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management
VRRP group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3266

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 30 seconds.

[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management
VRRP group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3267

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those
on AC1. An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3268

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net

[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1
and AC2. The command output displays that the State field of AC1 is Master and
that of AC2 is Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

Vlanif101 | Virtual Router 2

State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-30 23:45:50 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3269

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

Vlanif101 | Virtual Router 2

State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-31 00:32:33 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. The command output displays that the Service State field is
Connected, indicating that the HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB
group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3270

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to AP, and these
STAs can connect to the WLAN.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC1. When AP detects a fault on the link connected to AC1,
AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3271

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
return

● CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3272

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-14 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vrrp recover-delay 30 vrrp recover-delay 30
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
dhcp enable dhcp enable
# #
dhcp server database enable dhcp server database enable
dhcp server database recover dhcp server database recover
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.1 255.255.255.0 ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1 admin-vrrp vrid 1
vrrp vrid 1 priority 120 dhcp select interface
vrrp vrid 1 preempt-mode timer delay 1800 dhcp server excluded-ip-address 10.23.100.1
dhcp select interface 10.23.100.3
dhcp server excluded-ip-address 10.23.100.1 #
10.23.100.3 interface Vlanif101
# ip address 10.23.101.2 255.255.255.0
interface Vlanif101 vrrp vrid 2 virtual-ip 10.23.101.3
ip address 10.23.101.1 255.255.255.0 vrrp vrid 2 track admin-vrrp interface
vrrp vrid 2 virtual-ip 10.23.101.3 Vlanif100 vrid 1 unflowdown
vrrp vrid 2 preempt-mode timer delay 1800 dhcp select interface
vrrp vrid 2 track admin-vrrp interface dhcp server excluded-ip-address 10.23.101.1
Vlanif100 vrid 1 unflowdown 10.23.101.3
dhcp select interface #
dhcp server excluded-ip-address 10.23.101.1 interface Vlanif102
10.23.101.3 ip address 10.23.102.2 255.255.255.0
# #
interface Vlanif102 interface GigabitEthernet0/0/1
ip address 10.23.102.1 255.255.255.0 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/1 port trunk allow-pass vlan 100 to 101
port link-type trunk #
undo port trunk allow-pass vlan 1 interface GigabitEthernet0/0/2
port trunk allow-pass vlan 100 to 101 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/2 port trunk allow-pass vlan 102
port link-type trunk #
undo port trunk allow-pass vlan 1 capwap source ip-address 10.23.100.3
port trunk allow-pass vlan 102 #
# hsb-service 0
capwap source ip-address 10.23.100.3 service-ip-port local-ip 10.23.102.2 peer-ip
# 10.23.102.1 local-data-port 10241 peer-data-
hsb-service 0 port 10241
service-ip-port local-ip 10.23.102.1 peer-ip service-keep-alive detect retransmit 3
10.23.102.2 local-data-port 10241 peer-data- interval 6
port 10241 #
service-keep-alive detect retransmit 3 hsb-group 0
interval 6 track vrrp vrid 1 interface Vlanif100
# bind-service 0
hsb-group 0 hsb enable
track vrrp vrid 1 interface Vlanif100 #
bind-service 0 hsb-service-type access-user hsb-group 0
hsb enable #
# hsb-service-type dhcp hsb-group 0
hsb-service-type access-user hsb-group 0 #
# hsb-service-type ap hsb-group 0
hsb-service-type dhcp hsb-group 0 #
# wlan
hsb-service-type ap hsb-group 0 security-profile name wlan-net
# security wpa-wpa2 psk pass-phrase %^

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3273

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AC1 AC2
wlan %#G.DGWgjG./fvyr*oM)KMgc*sR}!
security-profile name wlan-net GUWLa"%G_E.^B%^%# aes
security wpa-wpa2 psk pass-phrase %^ ssid-profile name wlan-net
%#G.DGWgjG./fvyr*oM)KMgc*sR}! ssid wlan-net
GUWLa"%G_E.^B%^%# aes vap-profile name wlan-net
ssid-profile name wlan-net forward-mode tunnel
ssid wlan-net service-vlan vlan-id 101
vap-profile name wlan-net ssid-profile wlan-net
forward-mode tunnel security-profile wlan-net
service-vlan vlan-id 101 regulatory-domain-profile name default
ssid-profile wlan-net ap-group name ap-group1
security-profile wlan-net radio 0
regulatory-domain-profile name default vap-profile wlan-net wlan 1
ap-group name ap-group1 radio 1
radio 0 vap-profile wlan-net wlan 1
vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
radio 1 sn 210235554710CB000042
vap-profile wlan-net wlan 1 ap-name area_1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- ap-group ap-group1
sn 210235554710CB000042 #
ap-name area_1 return
ap-group ap-group1
#
return

22.3.9 Troubleshooting HSB

22.3.9.1 Information on the Master Device Fails to Be Backed up to the

Backup Device

Fault Description
After HSB is configured, the HSB channel cannot be established and information
on the master device fails to be backed up to the backup device.

The possible causes are:

● The parameter settings on active and standby channels are different.
● The source IP addresses and port numbers at the local and remote ends are
different.
● The retransmission count and interval of HSB packets are different on the two
devices.

Procedure
Step 1 Run the display hsb-service service-index command in any view to check whether
HSB channel parameters are the same on the local and remote devices.

● If the source IP addresses and port numbers at the local and remote ends are
different, run the service-ip-port local-ip local-ip-address peer-ip peer-ip-
address local-data-port local-port peer-data-port peer-port command to set
them consistent.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3274

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● If the retransmission count and interval of HSB packets are different on the
two devices, run the service-keep-alive detect retransmit retransmit-times
interval interval-value command to set the same values at both ends.

----End

22.4 Dual-Link Cold Backup Configuration

This chapter describes how to configure the dual-link cold backup function to
improve network reliability.

22.4.1 Overview of Dual-Link Cold Backup

Definition
Dual-link cold backup allows two ACs on an AC + Fit AP network to manage APs
simultaneously. The APs set up CAPWAP links with both ACs, between which one
AC functions as the active AC to provide services for the APs while the other works
as the standby AC. When the active AC fails or the CAPWAP link between the
active AC and AP become faulty, the standby AC replaces the active AC to manage
APs and provide services. To ensure that both ACs provide the same services, it is
recommended that the same service configurations be performed on the active
and standby ACs.

Purpose
Usually, an AC controls and manages massive APs and STAs on an AC + Fit AP
network. Once the CAPWAP link between the AC and AP is disconnected, the AC is
unable to provide services for STAs. Dual-link cold backup reduces the impact of a
CAPWAP link failure on the STAs, improving network reliability.

22.4.2 Understanding Dual-Link Cold Backup

In the AC + Fit AP networking, the AC manages and controls the WLAN services of
users. An AC may control hundreds of APs and tens of thousands of STAs. If the
CAPWAP link between the AC and AP becomes faulty, the services of all users
connected to the AC are interrupted, therefore, the AC must be highly reliable.
As shown in Figure 22-15, an active AC and a standby AC are deployed on the
WLAN. The AP establishes tunnels with the two ACs (CAPWAP Tunnel Setup),
and periodically exchanges CAPWAP packets with ACs to monitor link status. The
active AC controls access from STAs. If the AP detects a fault on the link between
AP and active AC, the AP requests the standby AC to trigger an Active/Standby
Switchover. The standby AC then becomes the active AC to control access of STAs.
After the original active AC is restored, the AP requests the active and standby ACs
to perform Revertive Switchover. The restored AC becomes the active AC again.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3275

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-15 Dual-link cold backup networking diagram

Active Standby
AC AC

Switch

CA

l
ne
PW

un
pt
AP

cku
pri
ma

ba
ry

AP
tun

PW
ne

CA
l

AP

STA STA

Dual-Link CAPWAP Tunnel Setup

1. Setting up the first tunnel
The procedure for setting up the first tunnel is the same as the procedure for
setting up a CAPWAP tunnel, except that the active AC needs to be selected in
the Discovery phase. Only the Discovery phase is described in this section. For
description of other phases, see "CAPWAP Tunnel Establishment" in 8.2.3 AP
Online Process.
a. After the dual-link cold backup function is enabled in Discovery phase,
the AP sends a Discovery Request message in unicast or broadcast mode:

▪ If the IP addresses of active and standby ACs have been allocated in

static, DHCP, or DNS mode, the AP sends the Discovery Request
message in unicast mode to request connections with the ACs.

▪ If no IP addresses are allocated to ACs or there is no response to the

unicast packet, the AP sends another Discovery Request message in
broadcast mode to discover the ACs that can be associated with the
AP.
b. In unicast or broadcast mode, ACs working properly will return Discovery
Response messages to the AP. The Discovery Response messages contain
the IP addresses of primary and backup ACs, dual-link backup flags,
priorities, loads, and IP addresses of the ACs.
c. After receiving the Discovery Response message, the AP selects an active
AC based on IP addresses of primary and backup ACs, AC priorities, loads,
and IP addresses, and sets up a CAPWAP primary tunnel with the active
AC. The AP selects the active AC in the following sequence:
i. Check primary ACs on the AP. If there is only one primary AC, the AP
selects it as the active AC. If there are multiple primary ACs, the AP
selects the AC with the lowest load as the active AC. If the loads are

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3276

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

the same, the AP selects the AC with the smallest IP address as the
active AC.
Compare AC loads, that is, numbers of access APs and STAs. The AP
selects the AC with the lowest load as the active AC. The number of
allowed APs is compared ahead of the number of allowed STAs.
When the numbers of allowed APs are the same on ACs, the AP
selects the AC that can connect more STAs as the active AC.
NOTE

The number of allowed APs is calculated using the following formula: Number of
allowed APs = Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated following the formula: Number of
allowed STAs = Maximum number of access STAs - Number of online STAs.
ii. If there is no primary AC, check backup ACs. If there is only one
backup AC, the AP selects this AC as the active AC. If there are
multiple backup ACs, the AP selects the AC with the lowest load as
the active AC. If the loads are the same, the AP selects the AC with
the smallest IP address as the active AC.
iii. If there is no primary AC, compare AC priorities. The AP selects the
AC with the smaller priority value as the active AC.
iv. If the AC priorities are the same, the AP selects the AC with the
lowest load as the active AC.
v. When the loads are the same, compare the ACs' IP addresses, and
select the AC with the smaller IP address as the active AC.
2. Setting up the second tunnel with the other AC
To prevent repeated service configuration delivery, the AP starts to set up the
second tunnel only after the configuration of the first tunnel is complete.
a. The AP sends a Discovery Request message to the other AC in unicast
mode.
b. The AC returns a Discovery Response message containing the IP
addresses of primary and backup ACs, dual-link backup flag, load, and
priority to the AP.
c. The AP knows that the dual-link backup function is enabled after
receiving the Discovery Response message, and saves the priority of the
AC.
NOTE

If the priority of this AC is higher than the priority of the other AC, the AP performs
an active/standby switchover only after the tunnel is set up.
d. The AP sends a Join Request message, notifying the AC that the
configurations have been delivered. After receiving the Join Request
message, the AC sets up a CAPWAP tunnel with the AP but does not
deliver configurations to the AP.
e. After the second tunnel is set up, the AP selects the active and standby
ACs again based on the tunnel priorities.

Active/Standby Switchover
After setting up tunnels with the active and standby ACs, the AP sends Echo
messages to monitor tunnel status. The Echo messages contain the active/standby

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3277

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

status of the tunnels. When the AP detects that the primary tunnel has failed, it
sends an Echo Request message with the active flag to the standby AC. After
receiving the Echo Request message, the standby AC becomes the active AC, and
the AP transfers STA data to this AC.

Revertive Switchover
The AP periodically sends Discovery Request messages to check whether the
original primary tunnel recovers. If the original primary tunnel has recovered, the
AP switches STA data back to this tunnel after a delay because this tunnel has a
higher priority than the other one. To prevent frequent switchovers caused by
network flapping, the AP requests ACs to perform revertive switchover after 20
Echo intervals, and then sends STA data to the new active AC.

22.4.3 Application Scenarios for Dual-Link Cold Backup

22.4.3.1 Application of Dual-Link Cold Backup

1+1 Dual-Link Cold Backup

In the AC+FIT AP network architecture, the AC manages and controls WLAN
services for wireless users in a centralized manner. One AC usually controls
hundreds of APs and over ten thousand STAs. When a fault occurs on the AC or
the link between the AC and AP fails, the services of all users connected to the AC
are interrupted. If dual-link cold backup is enabled, the standby AC controls the
WLAN services for wireless users when a fault occurs on the active AC or the link
between the active AC and AP fails. This reduces service interruption time.
As shown in Figure 22-16, AC1 and AC2 provide dual links for STAs. AC1 is the
active device, serving AP1 and AP2. AC2 is the standby device. Each AP sets up a
CAPWAP tunnel with AC1 and AC2 respectively. When the APs detect that AC1
fails, the CAPWAP tunnels between APs and AC2 become the active tunnels, and
AC2 becomes the active AC. After AC1 recovers, it becomes the active AC or still
functions as the standby AC depending on the configuration.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3278

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-16 1+1 dual-link cold backup networking diagram

AC1 AC2

Switch

AP1 AP2

CAPWAP primary tunnel

STA STA STA STA CAPWAP backup tunnel

22.4.4 Summary of Dual-Link Cold Backup Configuration

Tasks
Table 22-15 lists the dual-link cold backup configuration tasks.

Table 22-15 Dual-link cold backup configuration tasks

Scenario Description Task

Configure dual-link cold The traditional 22.4.7 Configuring

backup in the traditional configuration mode is Dual-Link Cold Backup
mode. supported. (Traditional Method)
22.4.9 (Optional)
Configuring the Active/
Standby Link
Switchover Mode

Configure dual-link cold The new configuration 22.4.8 Configuring

backup in a new mode. mode enables more Dual-Link Cold Backup
simple operations. (New Method)
22.4.9 (Optional)
Configuring the Active/
Standby Link
Switchover Mode

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3279

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.4.5 Configuration Limitations for Dual-Link Cold Backup

Note the following points when configuring dual-link cold backup on the wireless
access controller:
● WLAN service configurations (all WLAN profiles, including the radio profile,
traffic profile, and security profile) of the AP connected to the active and
standby ACs must be consistent on the two ACs; otherwise, no guarantee is
provided for user services after an active/standby switchover between ACs.
● The active and standby ACs can be of different models, and their software
versions need to match AP versions. ACs based on switches cannot work in
dual-link cold backup mode with independent WLAN AC series. For example,
dual-link cold backup cannot be configured between the S12700+X1E card
and the ACU2 or AC6605.
● Dual-link cold backup cannot be configured concurrently with N+1 backup or
hot standby backup.
● When an active/standby switchover is implemented between two ACs, STAs
using open system authentication remain connected to APs while STAs using
other authentication modes are disconnected and need to go online again by
default.
● When the network environment is poor with a high packet loss ratio, if
configuration changes on the AC fail to be properly delivered to APs while an
active/standby switchover is implemented, changed configurations cannot
take effect on the APs. To make changed configurations take effect, restore
the configurations on the backup AC to those before the change, change the
configurations, and deliver them to APs. It is recommended that the network
be optimized to reduce the packet loss ratio.

22.4.6 Default Settings for Dual-Link Cold Backup

Table 22-16 Default settings for dual-link cold backup

Parameter Default Setting

AC's global priority 0

AC priority based on APs None

CAPWAP heartbeat interval 25 seconds

Number of CAPWAP heartbeat 3

packet transmissions

Revertive switching in dual-link Enabled

backup mode

Dual-link backup Disabled

22.4.7 Configuring Dual-Link Cold Backup (Traditional

Method)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3280

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Context
Dual-link cold backup can be configured using either of the following methods:
● Global configuration: The dual-link backup parameters are configured in the
AC's WLAN view and delivered to all APs except the specified APs. You can use
this method to batch enable dual-link backup.
● AP-specific configuration: The dual-link backup parameters are configured in
the AC's AP system profile view and apply to all APs using the AP system
profile. The AP-specific configuration takes precedence over global
configuration on the AC.
The following configurations must be performed on both the active and standby
ACs.

Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the
active and standby ACs (For details, see 8 WLAN Service Configuration Guide).

Procedure
● Global configuration
a. Run system-view
The system view is displayed.
b. (Optional) Run capwap echo { interval interval-value | times times-
value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat
detections are configured.
By default, the CAPWAP heartbeat detection interval is 25s and the
number of CAPWAP heartbeat detections is 6.
By default, If dual-link backup is enabled, the CAPWAP heartbeat
detection interval is 25s and the number of CAPWAP heartbeat
detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP

heartbeat interval to 25 seconds and set the number of heartbeat packet
transmissions to at least 6. If this configuration is not performed, the AC
sends heartbeat packets 3 times at an interval of 25 seconds by default. This
may cause unstable WDS or mesh link status and result in user access
failures.
● If you set the CAPWAP heartbeat detection interval and the number of
CAPWAP heartbeat detections smaller than the default values, the CAPWAP
link reliability is degraded. Exercise caution when you set the values. The
default values are recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ac protect protect-ac { ip-address | ipv6 ipv6-address }
The IP address of the standby AC is configured.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3281

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

By default, no standby AC IP address is configured in the WLAN view.

e. Run ac protect priority priority

The priority of the local AC is configured.

By default, the AC priority in the WLAN view is 0.

NOTE

● The priority of the standby AC must be smaller than that of the active AC.
● A smaller value indicates a higher priority.
f. Run undo ac protect restore disable

Revertive switching is enabled.

By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP

cannot be switched back to the original active AC when the link between the
original active AC and the AP restores.
g. (Optional) Run ac protect cold-backup kickoff-station

STAs using open system authentication are configured to disconnect from

APs when an active/standby AC switchover is implemented.

By default, STAs using open system authentication remain connected to

APs when an active/standby AC switchover is implemented.
h. (Optional) Run ac protect alarm-restrain enable

AP fault alarm suppression is enabled.

By default, AP Fault alarm suppression is disabled.

i. Run ac protect enable

By default, dual-link backup is disabled.

j. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } }

APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable

command restarts online APs. After the APs are restarted, the dual-link
backup function takes effect.
● If the dual-link backup function is enabled, running the ac protect enable
command does not restart online APs. You need to run the ap-reset { all | ap-
name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type
{ type type-name | type-id type-id } } command to restart the APs and make
the dual-link backup function take effect. You can also manually restart the
APs to make the dual-link backup function take effect.
● If an AP goes online after dual-link backup is configured, you do not need to
restart the AP.
● AP-specific configuration

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3282

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

a. Run system-view
The system view is displayed.
b. (Optional) Run capwap echo { interval interval-value | times times-
value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat
detections are configured.
By default, the CAPWAP heartbeat detection interval is 25s and the
number of CAPWAP heartbeat detections is 6.
By default, If dual-link backup is enabled, the CAPWAP heartbeat
detection interval is 25s and the number of CAPWAP heartbeat
detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP

heartbeat interval to 25 seconds and set the number of heartbeat packet
transmissions to at least 6. If this configuration is not performed, the AC
sends heartbeat packets 3 times at an interval of 25 seconds by default. This
may cause unstable WDS or mesh link status and result in user access
failures.
● If you set the CAPWAP heartbeat detection interval and the number of
CAPWAP heartbeat detections smaller than the default values, the CAPWAP
link reliability is degraded. Exercise caution when you set the values. The
default values are recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is
displayed.
By default, the system provides the AP system profile default.
e. Run protect-ac { ip-address ip-address | ipv6-address ipv6-address }
The IP address of the standby AC is configured.
By default, no standby AC's IP address is configured in the AP system
profile view.
f. Run priority priority-level
The priority of the local AC is configured.
By default, no AC priority is configured in the AP system profile view.

NOTE

● The priority of the standby AC must be smaller than that of the active AC.
● If priorities have been configured for the two ACs to which an AP connects,
the AC with higher priority becomes the active AC.
g. Run quit
Return to the WLAN view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3283

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

h. Run undo ac protect restore disable

Revertive switching is enabled.

By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP

cannot be switched back to the original active AC when the link between the
original active AC and the AP restores.
i. (Optional) Run ac protect cold-backup kickoff-station

STAs using open system authentication are configured to disconnect from

APs when an active/standby AC switchover is implemented.

By default, STAs using open system authentication remain connected to

APs when an active/standby AC switchover is implemented.
j. (Optional) Run ac protect alarm-restrain enable

AP fault alarm suppression is enabled.

By default, AP Fault alarm suppression is disabled.

k. Run ac protect enable

By default, dual-link backup is disabled.

l. The AP system profile is bound to an AP group.

▪ Binding an AP system profile to an AP group.

1) Run the ap-group name group-name command to enter the AP
group view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP group.
By default, the AP system profile default is bound to an AP
group.

▪ Binding an AP system profile to an AP.

1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
command to enter the AP view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP.
By default, no AP system profile is bound to an AP.
m. Run quit

Return to the WLAN view.

n. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } }

APs are restarted to make the dual-link backup configurations take effect.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3284

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● If the dual-link backup function is disabled, running the ac protect enable

command restarts online APs. After the APs are restarted, the dual-link
backup function takes effect.
● If the dual-link backup function is enabled, running the ac protect enable
command does not restart online APs. You need to run the ap-reset { all | ap-
name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type
{ type type-name | type-id type-id } } command to restart the APs and make
the dual-link backup function take effect. You can also manually restart the
APs to make the dual-link backup function take effect.
● If an AP goes online after dual-link backup is configured, you do not need to
restart the AP.

----End

Verifying the Configuration

● Run the display ac protect command to check the dual-link backup status,
active/standby AC switch back status, as well as AC priority and the standby
AC's IP address in the WLAN view.
● Run the display ap-system-profile { all | name profile-name } command to
check the AC priority and the standby AC's IP address in the AP system profile
view.

22.4.8 Configuring Dual-Link Cold Backup (New Method)

Context
Traditionally, dual-link cold backup is configured by specifying IP addresses of the
active and standby ACs on each other and configuring AC priorities. The active and
standby ACs are then determined based on the priority. To simplify configuration
logic, the new configuration method allows you to specify the same primary and
backup ACs for APs on the active and standby ACs. The active AC is specified as
the primary AC, and the standby AC as the backup AC.

The following configurations must be performed on both the active and standby
ACs.

NOTE

You cannot configure dual-link cold backup in both the traditional and new methods. Otherwise,
the dual-link cold backup function cannot take effect.

Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the
active and standby ACs (For details, see 8 WLAN Service Configuration Guide).

Procedure
Step 1 Run system-view

The system view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3285

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 2 (Optional) Run capwap echo { interval interval-value | times times-value } *

The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.

By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.

By default, If dual-link backup is enabled, the CAPWAP heartbeat detection

interval is 25s and the number of CAPWAP heartbeat detections is 3.

NOTE

● To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
interval to 25 seconds and set the number of heartbeat packet transmissions to at least
6. If this configuration is not performed, the AC sends heartbeat packets 3 times at an
interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
result in user access failures.
● If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link reliability is
degraded. Exercise caution when you set the values. The default values are
recommended.

Step 3 Run wlan

The WLAN view is displayed.

Step 4 Run ap-system-profile name profile-name

An AP system profile is created and the AP system profile view is displayed.

Step 5 Run primary-access { ip-address ip-address | ipv6-address ipv6-address }

A primary AC IP address is configured.

By default, no primary AC IP address is configured.

Step 6 Run backup-access { ip-address ip-address | ipv6-address ipv6-address }

A backup AC IP address is configured.

By default, no backup AC IP address is configured.

Step 7 Run quit

Return to the WLAN view.

Step 8 Run undo ac protect restore disable

Revertive switching is enabled.

Step 9 (Optional) Run ac protect cold-backup kickoff-station

STAs using open system authentication are configured to disconnect from APs
when an active/standby AC switchover is implemented.

Step 10 (Optional) Run ac protect alarm-restrain enable

AP Fault alarm suppression is enabled.

By default, AP Fault alarm suppression is disabled.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3286

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 11 Run ac protect enable

By default, dual-link backup is disabled.

Step 12 The AP system profile is bound to an AP group.

● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

Step 13 Run quit

Return to the WLAN view.

Step 14 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }

APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
● If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name | ap-
mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function
take effect.
● If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.

----End

Verifying the Configuration

● Run the display ac protect command to check the dual-link backup status,
active/standby AC switch back status, as well as AC priority and the standby
AC's IP address in the WLAN view.
● Run the display ap-system-profile { all | name profile-name } command to
check the AC priority and the standby AC's IP address in the AP system profile
view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3287

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.4.9 (Optional) Configuring the Active/Standby Link

Switchover Mode

Context
In dual-link cold backup or hot standby scenarios, an AP simultaneously sets up
active and standby links with active and standby ACs, respectively. If the active link
is faulty, the AP switches service traffic to the standby link and goes online on the
standby AC. When the active link recovers, the AP detects that this link has a
higher priority than the other one and triggers a revertive switchover. After 20
Echo intervals, the AP switches service traffic back to the active AC.
● To enable an AP to preferentially switch service traffic to the active link, set
the active/standby link switchover mode to the priority mode.
● To allow an AP to use a link with high network stabilization, set the active/
standby link switchover mode to the network stabilization mode. When the
condition for triggering an active/standby link switchover is met, the AP
preferentially switches service traffic to the link on a network with higher
stabilization. In this case, whether an active/standby link switchover is
performed is only related to the network stabilization of links but not related
to the active and standby roles of links. You can run the ac protect link-
switch packet-loss { gap-threshold gap-threshold | start-threshold start-
threshold } command to configure the condition for triggering an active/
standby link switchover.
In dual-link cold backup and hot standby scenarios, the network stabilization of
active and standby links is determined based on the Echo packet loss rate. The
active/standby link switchover is performed when the following conditions are
met:
1. APs collect statistics about the specified number of Echo packets forwarded
through the link in use at each interval and find that the calculated packet
loss rate is higher than the packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link,
and the difference between the two links' packet loss rates is higher than the
packet loss rate difference threshold.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run ac protect link-switch mode { priority | network-stabilization }
The active/standby link switchover mode is configured.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3288

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

By default, the active/standby link switchover mode is the priority mode.

Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time

The number of Echo probe packets sent within a statistics collection interval is
configured.

By default, the number of Echo packets sent within a statistics collection interval is
20.

This configuration is supported only when the active/standby link switchover

mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.

Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-

threshold start-threshold }

The packet loss rate start and difference thresholds for an active/standby link
switchover are configured.

By default, the packet loss rate start and difference thresholds for an active/
standby link switchover are 20% and 15%, respectively.

This configuration is supported only when the active/standby link switchover

mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.

Step 7 Run quit

Return to the WLAN view.

Step 8 Bind the AP system profile to the AP group.

● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

----End

Verifying the Configuration

● Run the display ap-system-profile { all | name profile-name } command to
check the configurations related to the active/standby link switchover mode.

22.4.10 Configuration Examples for Dual-Link Cold Backup

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3289

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.4.10.1 Example for Configuring Dual-link Cold Backup (Global

Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data
transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The switch functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 22-17 Networking for configuring dual-link cold backup

Data Planning

Table 22-17 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3290

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

DHCP server The switch functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active AC AC1
Local priority: 0

Standby AC AC2
Local priority: 1

AP group ● Name: ap-group1

● Referenced profiles: VAP profile
wlan-net and regulatory domain
profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices.
Configure the switch as a DHCP server to assign IP addresses to APs and STAs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3291

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC.
When dual-link backup is enabled, all APs are restarted. After dual-link
backup configurations are complete, the standby AC replaces the active AC to
manage APs if the CAPWAP tunnel between the active AC and APs is
disconnected.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● Dual-link backup cannot back up DHCP information. When the AC functions
as the DHCP server to assign IP addresses to APs and STAs, APs and STAs
need to re-obtain IP addresses if the active AC is faulty. It is recommended
that the switch function as the DHCP server. If the AC must be used as the
DHCP server, configure address pools containing different IP addresses on the
active and standby ACs to prevent IP address conflicts.

Procedure
Step 1 Configure the switch and ACs to enable the ACs to communicate with the APs.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the
switch. Set the link type of GE0/0/1 and GE0/0/4 that connect the switch to the
APs to trunk and PVID of the interfaces to 100, and configure the interfaces to
allow packets of VLAN 100 and VLAN 101 to pass through. Set the link type of
GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the interfaces to allow
packets of VLAN 100 to pass through.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3292

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects AC1 to the switch to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 that connects AC2 to the switch to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to assign IP addresses to APs and
STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses
to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses
to STAs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3293

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Switch] interface vlanif 101

[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure basic WLAN services on AC1.

1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.

[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-
group1. Assume that the APs' MAC addresses are 60de-4476-e360 and
60de-4474-9640. Configure names for the APs based on the APs' deployment
locations, so that you can know where the APs are deployed from their
names. For example, if the AP with MAC address 60de-4476-e360 is deployed
in area 1, name the AP area_1, the AP with MAC address 60de-4474-9640 is
deployed in area 2, name the AP area_2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3294

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# After the APs are powered on, run the display ap all command to check
the AP state. If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.253 AP5030DN nor 0 10S -
1 60de-4474-9640 area_2 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0
and radio 1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC2.

# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the source interface of AC2.
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 5 Configure dual-link backup on AC1 and AC2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3295

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup
and revertive switchover globally, and restart all APs to make the dual-link backup
function take effect.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts
all APs. After the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs.
You need to run the ap-reset command on the active AC to restart all APs and make the dual-
link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Configure the AC2 priority and AC1 IP address on AC2.

[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 6 Verify the configuration.

Run the display ac protect command on the active and standby ACs to check the
dual-link information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority :1
Protect restore : enable
...
------------------------------------------------------------

# Simulate an active AC fault by restarting the active AC to verify the backup

configuration. Restart AC1. When AP1 detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, AP1 goes online on AC2. Run the display ap all
command on AC2. The command output shows that the AP status changes from
standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered.

AP1 automatically goes online on AC1.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3296

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3297

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-18 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vlan batch 100 to 101 vlan batch 100 to 101
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.2 255.255.255.0 ip address 10.23.100.3 255.255.255.0
# #
interface GigabitEthernet0/0/1 interface GigabitEthernet0/0/1
port link-type trunk port link-type trunk
port trunk allow-pass vlan 100 port trunk allow-pass vlan 100
# #
capwap source interface vlanif100 capwap source interface vlanif100
# #
wlan wlan
ac protect enable protect-ac 10.23.100.3 ac protect enable protect-ac 10.23.100.2
security-profile name wlan-net priority 1
security wpa-wpa2 psk pass-phrase %^ security-profile name wlan-net
%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A security wpa-wpa2 psk pass-phrase %^
%^%# aes %#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A
ssid-profile name wlan-net %^%# aes
ssid wlan-net ssid-profile name wlan-net
vap-profile name wlan-net ssid wlan-net
service-vlan vlan-id 101 vap-profile name wlan-net
ssid-profile wlan-net service-vlan vlan-id 101
security-profile wlan-net ssid-profile wlan-net
regulatory-domain-profile name default security-profile wlan-net
ap-group name ap-group1 regulatory-domain-profile name default
radio 0 ap-group name ap-group1
vap-profile wlan-net wlan 1 radio 0
radio 1 vap-profile wlan-net wlan 1
vap-profile wlan-net wlan 1 radio 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- vap-profile wlan-net wlan 1
sn 210235554710CB000042 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
ap-name area_1 sn 210235554710CB000042
ap-group ap-group1 ap-name area_1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap- ap-group ap-group1
sn 210235419610D2000097 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-
ap-name area_2 sn 210235419610D2000097
ap-group ap-group1 ap-name area_2
# ap-group ap-group1
return #
return

22.4.10.2 Example for Configuring Dual-link Cold Backup (AP-Specific

Configuration Mode)

Service Requirements
An enterprise deploys WLAN area A to provide WLAN services. The enterprise
requires that dual-link backup be used to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The switch functions as a DHCP server to assign IP
addresses to APs and STAs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3298

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Service data forwarding mode: direct forwarding

Figure 22-18 Networking diagram for configuring dual-link backup

Data Planning

Table 22-19 Data planning

Item Data

Management VLAN for the AP VLAN 100

Service VLAN for the STA VLAN 101

DHCP server Switch functions as the DHCP server

for the AP and STA.
STA's gateway: 10.23.101.1/24
AP's gateway: 10.23.100.1/24

IP address pool for the AP 10.23.100.4-10.23.100.254/24

IP address pool for the STA 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

Management IP address of AC1 VLANIF 100: 10.23.100.2/24

Management IP address of AC2 VLANIF 100: 10.23.100.3/24

Active AC AC1
Local priority: 0

Standby AC AC2
Local priority: 1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3299

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AP group ● Name: ap-group1

● Referenced profile: VAP profile
wlan-net and regulatory domain
profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

Configuration Roadmap
1. Set up connections between the AC1, AC2, and other network devices.
Configure the switch as a DHCP server to allocate IP addresses to APs and
STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC.
When dual-link backup is enabled, all APs are restarted. After dual-link
backup configurations are complete, the standby AC replaces the active AC to
manage APs if the CAPWAP tunnel between the active AC and APs is
disconnected.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3300

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

– In direct forwarding mode, you are advised to configure multicast packet

suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● Dual-link backup cannot back up DHCP information. When the AC functions
as the DHCP server to assign IP addresses to APs and STAs, APs and STAs
need to re-obtain IP addresses if the active AC is faulty. It is recommended
that the switch function as the DHCP server. If the AC must be used as the
DHCP server, configure address pools containing different IP addresses on the
active and standby ACs to prevent IP address conflicts.

Procedure
Step 1 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the
switch. Set the link type of GE0/0/1 that connects the switch to the APs to trunk
and PVID of the interface to 100, and configure the interface to allow packets of
VLAN100 and VLAN101 to pass. Set the link type of GE0/0/2 and GE0/0/3 on the
switch to trunk, and configure the interfaces to allow packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC1 to the switch to VLAN100.

<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3301

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Add GE0/0/1 that connects the AC2 to the switch to VLAN100.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to allocate IP addresses to APs and
STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure VLANIF100 to use the interface address pool to allocate IP addresses

to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses

to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure basic WLAN services on AC1.

1. Configure the AP to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.

[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3302

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-
group1. In this example, the AP's MAC address is 60de-4476-e360. Configure
a name for the AP based on the AP's deployment location, so that you can
know where the AP is located. For example, if the AP with MAC address
60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the
AP state. If the State field displays nor, the AP has gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
2. Configure WLAN service parameters.
# Create the security profile wlan-net and set the security policy in the
profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3303

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net

[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to
radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC2.

# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.

# Configure the source interface of AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 5 Configure dual-link backup on AC1 and AC2.

# On AC1, configure the AC1 priority and AC2 IP address in the AP system profile
view to implement dual-link backup.
NOTE

● The AC priority configuration determines the active and standby ACs. One with higher
priority functions as the active AC, and the other functions as the standby AC. A smaller
value indicates a higher priority. When the AC priorities are the same, the AC with the
maximum number of allowed APs is selected as the active AC. When the numbers of
allowed APs are the same, the AC with the maximum number of allowed STAs is selected as
the active AC. When the numbers of allowed APs and STAs are the same, the AC with a
smaller IP address is selected as the active AC.
● In this example, dual-link backup is configured using the AP-specific configuration method.
You can also use the global configuration method to configure dual-link backup in the
WLAN view.
[AC1-wlan-view] ap-system-profile name ap-system1
[AC1-wlan-ap-system-prof-ap-system1] priority 0
[AC1-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-ap-system1] quit

# Bind the AP system profile to the AP group view.

[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC1-wlan-ap-group-ap-group1] quit

# On AC1, enable dual-link backup and revertive switchover globally, and restart
all APs to make the dual-link backup function take effect.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts
all APs. After the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs.
You need to run the ap-reset command on the active AC to restart all APs and make the dual-
link backup function take effect.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3304

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-view] undo ac protect restore disable

[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# On AC2, configure the AC2 priority and AC1 IP address in the AP system profile
view to implement dual-link backup.
[AC2-wlan-view] ap-system-profile name ap-system1
[AC2-wlan-ap-system-prof-ap-system1] priority 1
[AC2-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.2
[AC2-wlan-ap-system-prof-ap-system1] quit

# Bind the AP system profile to the AP group view.

[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC2-wlan-ap-group-ap-group1] quit

# Enable dual-link backup and revertive switching globally for AC2.

[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 6 Verify the configuration.

Run the display ac protect and display ap-system-profile command on the
active and standby ACs to check the dual-link information and priority on the two
ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC1-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :0
Protect AC IP address : 10.23.100.3
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :1
Protect AC IP address : 10.23.100.2
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------

# Simulate an active AC fault by restarting the active AC to verify the backup

configuration. Restart AC1. When AP detects a fault on the link connected to AC1,
AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3305

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# During the restart of AC1, services on the STAs are not interrupted. AP goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# During the restart of AC1, AP goes online on AC2. Run the display ap all
command on AC2. The command output shows that the AP status changes from
standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP automatically goes online on AC1.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3306

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-20 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vlan batch 100 to 101 vlan batch 100 to 101
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.2 255.255.255.0 ip address 10.23.100.3 255.255.255.0
# #
interface GigabitEthernet0/0/1 interface GigabitEthernet0/0/1
port link-type trunk port link-type trunk
port trunk allow-pass vlan 100 port trunk allow-pass vlan 100
# #
capwap source interface vlanif100 capwap source interface vlanif100
# #
wlan wlan
ac protect enable ac protect enable
security-profile name wlan-net security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^ security wpa-wpa2 psk pass-phrase %^
%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A %#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A
%^%# aes %^%# aes
ssid-profile name wlan-net ssid-profile name wlan-net
ssid wlan-net ssid wlan-net
vap-profile name wlan-net vap-profile name wlan-net
service-vlan vlan-id 101 service-vlan vlan-id 101
ssid-profile wlan-net ssid-profile wlan-net
security-profile wlan-net security-profile wlan-net
regulatory-domain-profile name default regulatory-domain-profile name default
ap-system-profile name ap-system1 ap-system-profile name ap-system1
priority 0 priority 1
protect-ac ip-address 10.23.100.3 protect-ac ip-address 10.23.100.2
ap-group name ap-group1 ap-group name ap-group1
ap-system-profile ap-system1 ap-system-profile ap-system1
regulatory-domain-profile default regulatory-domain-profile default
radio 0 radio 0
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
radio 1 radio 1
vap-profile wlan-net wlan 1 vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
sn 210235554710CB000042 sn 210235554710CB000042
ap-name area_1 ap-name area_1
ap-group ap-group1 ap-group ap-group1
# #
return return

22.5 N+1 Backup Configuration

This chapter describes how to configure N+1 backup of ACs to improve network
reliability and reduces device purchase costs.

22.5.1 Overview of N+1 Backup

Definition
N+1 backup uses one standby AC to provide backup services for multiple ACs on
an AC + Fit AP network. When the network runs properly, an AP sets up a capwap
link only with the active AC. When the active AC fails or the CAPWAP link

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3307

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

becomes faulty, the standby AC replaces the active AC to manage APs. The
standby AC establishes a CAPWAP link with the AP to provide services.

Purpose
In public places where a large number of users exist in a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access
services. It is common for some large enterprises have branches in different areas.
These enterprises deploy ACs in each branch to manage APs, providing WLAN
access and e-mail services. These services require only low network reliability and
allow for temporary service interruption.

In some cases, the existing network cannot provide reliable network services. If an
AC fails, services on the AC are interrupted. To improve network reliability, an
additional AC is required to provide backup services. The network administrator
expects to use an AC as a backup of all ACs to reduce costs.

In dual-link cold backup mode, each active AC has an independent standby AC.
Unlike dual-link cold backup, N+1 backup uses a standby AC to provide backup
services for multiple ACs, which reduces device purchase costs.

22.5.2 Understanding N+1 Backup

Many ACs are available on an N+1 backup network. An AP performs Active/
Standby AC Selection and selects the AC with the highest priority as the active
AC to establish a CAPWAP link. When the active AC or the CAPWAP link fails, an
Active/Standby Switchover is triggered, and the standby AC then becomes the
active AC, which improves WLAN reliability. After the original active AC or link
recovers, a Revertive Switchover is implemented to release resources on the
standby AC. The standby AC becomes available again and continues to offer
backup services.

Active/Standby AC Selection
The procedure for setting up a CAPWAP link in AC N+1 backup networking is
similar to the procedure for setting up a CAPWAP link in common scenarios,
except that the AP needs to select the AC with the highest priority as the active AC
in Discovery phase. For details, see CAPWAP Tunnel Establishment in 8.2.3 AP
Online Process.

In Discovery phase, an AP sends a Discovery Request packet to find available ACs.

After receiving the packet, the AC return a Discovery Response packet containing
the IP addresses of primary and backup AC, N+1 backup flag, AC priorities, loads,
and IP addresses. Based on the information contained in the Discovery Response
packet, the AP selects an active AC to set up a CAPWAP link. The AP selects the
active AC according to the following rules:
1. Check primary ACs on the AP. If there is only one primary AC, the AP selects it
as the active AC. If there are multiple primary ACs, the AP selects the AC with
the lowest load as the active AC. If the loads are the same, the AP selects the
AC with the smallest IP address as the active AC.
Compare AC loads, that is, numbers of access APs and STAs. The AP selects
the AC with the lowest load as the active AC. The number of allowed APs is
compared ahead of the number of allowed STAs. When the numbers of

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3308

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

allowed APs are the same on ACs, the AP selects the AC that can connect
more STAs as the active AC.
NOTE

The number of allowed APs is calculated using the following formula: Number of allowed
APs = Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated following the formula: Number of allowed STAs
= Maximum number of access STAs - Number of online STAs.
2. If there is no primary AC, check backup ACs. If there is only one backup AC,
the AP selects this AC as the active AC. If there are multiple backup ACs, the
AP selects the AC with the lowest load as the active AC. If the loads are the
same, the AP selects the AC with the smallest IP address as the active AC.
3. If there is no backup AC, compare AC priorities and select the AC with a
smaller priority value as the active AC. A smaller priority value indicates a
higher priority. For details, see AC Priorities.
4. If the AC priorities are the same, the AP selects the AC with the lowest load as
the active AC.
5. Compare the ACs' IP addresses when the AC loads are the same, and select
the AC with the smallest IP address as the active AC.

NOTE
When planning an AC N+1 backup network, ensure that the active AC can be selected based on
AC priorities so that all APs can go online on the predefined active AC. Otherwise, the APs select
the active AC based on loads and IP addresses, and may not go online on the predefined active
AC. Alternatively, ensure that a specified primary AC or backup AC is selected as the active AC.

AC Priority
An AC has two types of priorities:
● Global priority: AC priority configured for all APs.
● Individual priority: AC priority configured for a single AP or APs in a specified
AP group.
When receiving a Discovery Request packet from an AP, the AC checks whether an
individual priority has been specified for the AP. If not, the AC replies with a
Discovery Response packet carrying the global priority. If so, the AC replies with a
Discovery Response packet carrying the individual priority. It is recommended that
the proper priorities be configured on the active and standby ACs to control access
of APs on the two ACs.
The following example illustrates the process of selecting an active AC. Assume
that the APs can discover all ACs in Figure 22-19.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3309

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-19 Active AC selection

Standby AC_3

Global priority: 5

Active AC_1 Active AC_2

Switch

Global priority: 6 Global priority: 6

Individual priority for Individual priority for
AP_1: 3 AP_301: 3

... ...

AP_1 AP_300 AP_301 AP_700

CAPWAP link
between AP and
active AC

1. In Discovery phase, AP_1 sends a Discovery Request packet to all ACs.

2. Each AC returns a Discovery Response packet containing its priority. Before
making a reply, the AC first checks whether an individual priority has been
configured for the AP. If so, the AC returns the individual priority. If not, the
AC returns the global priority. As shown in Figure 22-19, AC_1 receives a
Discovery Response packet from AP_1. On AC_1, an individual priority has
been configured only for AP_1. Therefore, AC_1 returns individual priority 3 to
AP_1. There is no individual priority for AP_1 on AC_2 and AC_3, so AC_2
returns global priority 6 and AC_3 returns global priority 5.
3. AP_1 compares AC priorities in the Discovery Response packets and selects
AC_1, which has the highest priority, as the active AC to send an association
request.
If AC_1 or the CAPWAP link between AC_1 and AP_1 fails, and no standby AC is
designated, AP_1 sends new Discovery Request packets to obtain the priorities of
the remaining ACs. AC_2 returns global priority 6 and AC_3 returns global priority
5. AP_1 compares AC priorities and selects AC_3 with a higher priority as the
standby AC to send an association request.

Active/Standby Switchover
Normally, an AP sets up a CAPWAP link only with the active AC and periodically
exchanges heartbeat packets with the active AC to monitor the link status. When

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3310

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

the AP detects a heartbeat packet transmission timeout, it considers the link

disconnected and sets up a CAPWAP link with the standby AC. The AP sets up a
CAPWAP link with the standby AC in the following situations:
● If the IP address of the standby AC is configured on the active AC, the AP sets
up a capwap link with the standby AC directly.
● If the IP address of the standby AC is not configured on the active AC, the AP
broadcasts Discovery Request packets to discover ACs and selects the standby
AC to establish a CAPWAP link.
After the CAPWAP link is established, the standby AC delivers configurations to
the AP again. To ensure that active and standby ACs deliver the same WLAN
service configurations to an AP, perform the same configurations on both ACs. In
an active/standby switchover, the AP selects the standby AC to set up a CAPWAP
link and get online, and the standby AC delivers configurations to the AP.
To ensure that the AP works properly after an active/standby switchover, the
following conditions must be met:
● The number of online APs supported by the standby AC cannot be smaller
than the number of online APs on any of the active ACs.
Assume that the standby AC supports 500 online APs. If an active AC that has
600 online APs becomes faulty, only 500 APs can go online on the standby
AC. The remaining APs are forced to go offline, and are unable to provide
services for STAs.
● The total number of online APs on all active ACs cannot exceed the
configurable number of APs on the standby AC.
The configurable number of APs refers to the maximum number of APs
supported by the AC. Assume that the configurable number of APs is 1000 on
the standby AC. If there are 300 online APs on AC_1 and 400 online APs on
AC_2, a new active AC allows a maximum of 300 online APs. That is because
the APs on all active ACs must be added on the standby AC and have their
corresponding services configured on the standby AC. In this way, the standby
AC can maintain original services for the APs of any faulty active AC.
If multiple ACs become faulty concurrently, not all APs managed by these ACs can
go online on the standby AC after the active/standby switchover. In Figure 22-20,
there are 300 online APs (from AP_1 to AP_300) on AC_1 and 400 online APs
(AP_301 to AP_700) on AC_2. AC_3 works as the standby AC and allows a
maximum of 500 online APs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3311

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-20 Active/standby switchover

Standby AC_3

Active AC_1 Switch Active AC_2

... ...

AP_1 AP_300 AP_301 AP_700

CAPWAP link between

AP and active AC

CAPWAP link between

AP and standby AC

● If AC_1 becomes faulty, 300 APs (AP_1 to AP_300) perform an active/standby

switchover and get online on AC_3. After AC_1 recovers, the APs perform a
Revertive Switchover to switch back to AC_1.
● After AC_1 recovers from the fault, AC_2 becomes faulty. 400 APs (AP_301 to
AP_700) perform an active/standby switchover and get online on AC_3. After
AC_2 recovers, the APs perform a Revertive Switchover to switch back to
AC_2.
● If AC_1 and AC_2 become faulty concurrently, the top 500 APs that associate
with AC_3 can implement an active/standby switchover and get online on
AC_3. The rest APs cannot go online on AC_3 and services on these APs are
interrupted.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3312

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● The value of N in N+1 backup depends on the configurable number of APs on the standby
AC and the number of APs managed by the N active ACs. The number of APs managed by
the N active ACs cannot exceed the configurable number of APs on the standby AC.
● The configurable number of APs refers to the maximum number of APs that can be
added to the AC.
● The number of APs managed by ACs refer to the actual number of online APs on the
AC.
● The maximum number of online APs on the standby AC is determined by the license.

Revertive Switchover
After an AP sets up a CAPWAP link with the standby AC, the AP obtains the IP
address of its active AC from the standby AC and sends Primary Discovery Request
packets at regular intervals to detect the active AC status. After the active AC
recovers, it returns a reply packet to the AP. The packet carries the AC priority.
When the AP receives the reply packet from the active AC, the AP learns that the
active AC has recovered and the active AC priority contained in the packet is
higher than the priority of the AC to which it is connected. If a revertive
switchover is enabled, a revertive switchover is triggered. To prevent frequent
switchovers caused by network flapping, the ACs perform a revertive switchover
after a delay time of 20 heartbeat intervals. As illustrated in Figure 22-21, the AP
disconnects from the current AC and sets up a new CAPWAP link with the active
AC. At the same time, the AP transfers STA data to the original active AC to
release resources on the standby AC. The standby AC then continues to provide
backup services. During a revertive switchover, the AP re-establishes a CAPWAP
link with the active AC to get online, and the active AC delivers configurations to
the AP.
If a primary or backup AC is selected as the active AC, the active AC returns a
reply packet to the AP after it recovers. The AP then learns that the active AC has
recovered from the reply packet. If a revertive switchover is enabled, a revertive
switchover is triggered.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3313

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-21 Revertive switchover

Standby AC_3

Active AC_1 Switch Active AC_2

... ...

AP_1 AP_300 AP_301 AP_700

CAPWAP link between

AP and active AC

CAPWAP link between

AP and standby AC

22.5.3 Application Scenarios for N+1 Backup

22.5.3.1 Typical Application Scenarios for N+1 Backup

APs and ACs in Different Network Segments

A large enterprise has branches in different areas. ACs are deployed in the
branches to manage APs and provide WLAN access and e-mail services. These
services provided on the WLAN require low network reliability and allow
temporary service interruption. In this scenario, the enterprise can deploy a high
performance AC at the headquarters as a standby AC to provide backup services
for active ACs in the branches. This reduces device purchase costs.
As shown in Figure 22-22, ACs of the two branches are on different network
segments. AC_1 in branch 1 and AC_2 in branch 2 respectively work as the active
AC of AP_1 and AP_2. AC_3 in the headquarters is a high performance AC and
serves as the standby AC of AP_1 and AP_2. When the network runs properly,
AP_1 and AP_2 sets up a CAPWAP link with AC_1 and AC_2 respectively. When the
CAPWAP link on AC_1 or AC_2 fails, AP_1 or AP_2 sets up a CAPWAP link with
AC_3. AC_3 replaces AC_1 or AC_2 to provide services for AP_1 or AP_2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3314

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Each AP can establish a CAPWAP link with only one AC at one time.

Figure 22-22 N+1 backup networking (APs and ACs in different network
segments)

Enterprise
headquarters Standby AC_3
10.3.1.1/24
Global priority: 5

DHCP server

Router_3

Internet

Router_1 Router_2
Active AC_1 Active AC_2
10.1.1.1/24 10.2.1.1/24
Global priority: 0 Global priority: 0

Switch_1 Switch_2

Enterprise Enterprise
branch 1 branch 2
AP_1 AP_2

STA_1 STA_2

CAPWAP link
between AP and
active AC

APs and ACs in the Same Network Segment

The waiting hall of an airport accommodates a large number of users. Multiple
ACs manage a large number of APs that provide WLAN access services. These
free-of-charge services require low network reliability and allow temporary service
interruption. In this situation, a high performance AC can be deployed as a

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3315

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

standby AC to provide backup services for other ACs. This reduces device purchase
costs.
As shown in Figure 22-23, all ACs are in the same network segment. AC_1 and
AC_2 function as the active AC of AP_1 and AP_2 respectively. AC_3 is a high
performance AC and works as the standby AC of AP_1 and AP_2. When the
network runs properly, AP_1 and AP_2 sets up a CAPWAP link with AC_1 and AC_2
respectively. When the CAPWAP link on AC_1 or AC_2 fails, AP_1 or AP_2 sets up a
CAPWAP link with AC_3. AC_3 replaces AC_1 or AC_2 to provide services for AP_1
or AP_2.
Each AP can establish a CAPWAP link with only one AC at one time.

Figure 22-23 N+1 backup networking (APs and ACs in the same network
segment)
Standby
AC_3
10.1.1.10/24
Global priority: 5

Standby Standby
AC_1 AC_2
10.1.1.1/24 10.1.1.2/24
Switch

Global priority: 6 Global priority: 6

Individual priority for Individual priority for
AP_1: 3 AP_2: 3

AP_1 AP_2
CAPWAP link
between AP and
active AC

STA STA STA STA

22.5.4 Summary of N+1 Backup Configuration Tasks

Table 22-21 lists the N+1 backup configuration tasks.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3316

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-21 N+1 backup configuration tasks

Scenario Description Method and Task

APs and ACs An AP can discover a total of New method

are located on two ACs in dynamic or static 1. 22.5.7.1 Configuring
a Layer 3 mode. In this scenario, use the Option 43 on the DHCP
network, and new method or traditional Server
an AP can method 1 for the
discover two configuration. 2. 22.5.7.4 Configuring AC
ACs through Roles (New Method)
● Using the new
DHCP Option configuration method, you 3. 22.5.7.5 Configuring
43. can directly specify the Revertive Switchover
active and standby ACs. 4. 22.5.7.6 (Optional)
The configuration logic is Configuring CAPWAP
clear and simple. This Heartbeat Detection
method is recommended in 5. 22.5.7.7 (Optional)
new N+1 backup Configuring the Active/
configuration scenarios. Standby Link Switchover
● Using traditional method 1, Mode
you can determine the 6. 22.5.7.8 Enabling N+1
active and standby ACs Backup
based on the priority. The
configuration logic is Traditional method 1
complex. This method is 1. 22.5.7.1 Configuring
applicable to N+1 backup Option 43 on the DHCP
configuration involving Server
earlier versions but not
recommended in N+1 2. 22.5.7.2 Configuring AC
backup configuration Roles (Traditional Method
scenarios. 1)

In this case, the AP needs 3. 22.5.7.5 Configuring

to select the active and Revertive Switchover
standby ACs. You only need 4. 22.5.7.6 (Optional)
to configure the priority for Configuring CAPWAP
the active AC and standby Heartbeat Detection
ACs and set the priority of 5. 22.5.7.7 (Optional)
the active AC higher than Configuring the Active/
that of the standby AC. Standby Link Switchover
Mode
6. 22.5.7.8 Enabling N+1
Backup

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3317

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Scenario Description Method and Task

APs and ACs An AP can discover more than New method

are located on two ACs in dynamic or static 1. 22.5.7.4 Configuring AC
a Layer 2 mode. In this scenario, use the Roles (New Method)
network, and new method or traditional
an AP can method 2 for the 2. 22.5.7.5 Configuring
discover more configuration. Revertive Switchover
than two ACs. ● Using the new 3. 22.5.7.6 (Optional)
configuration method, you Configuring CAPWAP
can directly specify the Heartbeat Detection
active and standby ACs. 4. 22.5.7.7 (Optional)
The configuration logic is Configuring the Active/
clear and simple. This Standby Link Switchover
method is recommended in Mode
new N+1 backup 5. 22.5.7.8 Enabling N+1
configuration scenarios. Backup
● Using traditional method 2,
you can determine the Traditional method 2
active and standby ACs 1. 22.5.7.3 Configuring AC
based on the priority. The Roles (Traditional Method
configuration logic is 2)
complex. This method is 2. 22.5.7.5 Configuring
applicable to N+1 backup Revertive Switchover
configuration involving
3. 22.5.7.6 (Optional)
earlier versions but not
Configuring CAPWAP
recommended in N+1
Heartbeat Detection
backup configuration
scenarios. 4. 22.5.7.7 (Optional)
Configuring the Active/
In this case, the AP needs
Standby Link Switchover
to select the active and
Mode
standby ACs. You need to
configure both the global 5. 22.5.7.8 Enabling N+1
and individual priorities on Backup
all active ACs so that all
APs can associate with the
predefined active or
standby AC.
Ensure that the ACs'
priorities meet the
following requirements:
active AC's individual
priority > standby AC's
global priority > active AC's
global priority.

22.5.5 Configuration Limitations for N+1 Backup

When configuring N+1 backup on ACs, pay attention to the following points:

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3318

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● The active and standby ACs must have the same WLAN service configurations
(all WLAN profiles, including the radio profile, traffic profile, and security
profile) for the same AP connected to them; otherwise, no guarantee is
provided for user services after an active/standby switchover between ACs.
● All WLAN service configurations on the active AC must also be performed on
the standby AC.
● The active and standby ACs can be of different models, and their software
versions need to match AP versions. ACs based on switches cannot work in N
+1 backup mode with independent WLAN AC series. For example, N+1 backup
cannot be configured between the S12700+X1E card and the ACU2 or
AC6605.
● N+1 backup cannot be configured concurrently with dual-link cold backup or
hot standby backup.

22.5.6 Default Settings for N+1 Backup

Table 22-22 Default settings for N+1 backup

Parameter Default Setting

AC global priority 0

AC individual priority None

CAPWAP heartbeat detection 25s

interval

Number of CAPWAP heartbeat 6

packet transmissions

Revertive switchover Enabled

N+1 backup Enabled

22.5.7 Configuring N+1 Backup

Context
N+1 backup allows multiple ACs to share one standby AC, which reduces AC
purchase costs.

Pre-configuration Tasks
Before configuring N+1 backup, configure basic WLAN services on the active and
standby ACs (For details, see 8 WLAN Service Configuration Guide).

Configuration Procedure
The following configuration tasks can be performed in any sequence. 22.5.7.8
Enabling N+1 Backup is performed after all configuration tasks are complete.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3319

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.5.7.1 Configuring Option 43 on the DHCP Server

Context
If an AP and the ACs are located in different network segments, the AP cannot
discover the ACs through broadcast after it obtains an IP address from the DHCP
server. To address this problem, configure Option 43 on the DHCP server to
advertise AC IP addresses to the AP.

After Option 43 is configured, the AP unicasts Discovery Request packets to the IP

addresses carried in Option 43. If the IP addresses specified by Option 43 do not
respond, the AP broadcasts Discovery Request packets to request IP addresses of
the ACs in the local network segment. Option 43 only needs to carry addresses of
the active and standby ACs for the AP and does not carry irrelevant active ACs' IP
addresses; otherwise, the AP may not connect to the correct AC.

Usually, an independent device is used as a DHCP server. Perform correct

configurations on the selected DHCP server. The following example uses a Huawei
router as a DHCP server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

Step 3 Run ip pool ip-pool-name

The global address pool view is displayed.

Step 4 Run option 43 sub-option 2 ip-address ip-address &<1-8>

The Option 43 field is set to the IP addresses of the active AC and standby AC.

----End

22.5.7.2 Configuring AC Roles (Traditional Method 1)

Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP
determines AC roles based on AC priorities. It selects the AC with a higher priority
as the active AC and the AC with a lower priority as the standby AC. The AP sets
up a connection with the AC of the specified IP address.

An AP can discover only two ACs. Therefore, you only need to configure a global
priority for each AC, so that the AP can determine the active and standby ACs by
comparing their global priorities.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3320

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
● Configure the active AC.
Perform the following configurations on the active AC:
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run ac protect protect-ac { ip-address | ipv6 ipv6-address }
The standby AC's IP address is configured in the WLAN view.
By default, no standby AC IP address is configured in the WLAN view.
d. Run ac protect priority priority
The global priority of the active AC is configured in the WLAN view.
By default, the AC priority in the WLAN view is 0.

NOTE

The global priority of the standby AC must be lower than that of the active AC.
A smaller priority value indicates a higher priority.
● Configure the standby AC.
Perform the following configurations on the standby AC:
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run ac protect priority priority
The global priority of the standby AC is configured.
By default, the AC priority in the WLAN view is 0.

NOTE

The global priority of the standby AC must be lower than that of the active AC.
A smaller priority value indicates a higher priority.
d. Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is
displayed.
By default, the system provides the AP system profile default.
e. Run protect-ac { ip-address ip-address | ipv6-address ipv6-address }
The active AC's IP address is configured in the AP system profile view.
By default, no standby AC's IP address is configured in the AP system
profile view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3321

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

If multiple APs have the same active AC, configure the active AC's IP
address for the APs on the standby AC in the AP system profile, and bind
the AP system profile to an AP group.
f. Run quit
Return to the WLAN view.
g. The AP system profile is bound to an AP group.

▪ Binding an AP system profile to an AP group.

1) Run the ap-group name group-name command to enter the AP
group view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP group.
By default, the AP system profile default is bound to an AP
group.

▪ Binding an AP system profile to an AP.

1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
command to enter the AP view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP.
By default, no AP system profile is bound to an AP.
----End

22.5.7.3 Configuring AC Roles (Traditional Method 2)

Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP
determines AC roles based on AC priorities. It selects the AC with a higher priority
as the active AC and the AC with a lower priority as the standby AC. The AP sets
up a connection with the AC of the specified IP address.
An AP may discover more than two ACs. In this case, if you only configure a global
priority for each AC, the AP selects the AC with the highest global priority as the
active AC, and therefore may select an incorrect active AC.
To ensure that the AP connects to the predefined active AC or standby AC,
configure both the global priority and individual priority on the active AC, and
configure only the global priority on the standby AC. Ensure that the ACs'
priorities meet the following requirements: active AC's individual priority > standby
AC's global priority > active AC's global priority.
If a global priority and an individual priority are both configured for an AP on the
AC, the AC preferentially delivers the individual priority to the AP.

Procedure
● Configure the active AC.
Perform the following configurations on the active AC:

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3322

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

a. Run system-view

The system view is displayed.

b. Run wlan

The WLAN view is displayed.

c. Run ac protect protect-ac { ip-address | ipv6 ipv6-address }

The standby AC's IP address is configured in the WLAN view.

By default, no standby AC IP address is configured in the WLAN view.

d. Run ac protect priority priority

The global priority of the active AC is configured in the WLAN view.

By default, the AC priority in the WLAN view is 0.

NOTE

Ensure that the ACs' priorities meet the following requirements: active AC's individual
priority > standby AC's global priority > active AC's global priority.
A smaller priority value indicates a higher priority.
e. Run ap-system-profile name profile-name

An AP system profile is created and the AP system profile view is

displayed.

By default, the system provides the AP system profile default.

f. Run priority priority-level

The individual priority of the AC is configured in the AP system profile.

By default, no AC priority is configured in the AP system profile view.

NOTE

Ensure that the ACs' priorities meet the following requirements: active AC's
individual priority > standby AC's global priority > active AC's global priority.

After you configure the AC's individual priority in the AP system profile,
bind the AP system profile to an AP group.
g. Run quit

Return to the WLAN view.

h. The AP system profile is bound to an AP group.

▪ Binding an AP system profile to an AP group.

1) Run the ap-group name group-name command to enter the AP
group view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP group.
By default, the AP system profile default is bound to an AP
group.

▪ Binding an AP system profile to an AP.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3323

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name

command to enter the AP view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP.
By default, no AP system profile is bound to an AP.
● Configure the standby AC.

Perform the following configurations on the standby AC:

a. Run system-view

The system view is displayed.

b. Run wlan

The WLAN view is displayed.

c. Run ac protect priority priority

The global priority of the standby AC is configured.

By default, the AC priority in the WLAN view is 0.

NOTE

Ensure that the ACs' priorities meet the following requirements: active AC's individual
priority > standby AC's global priority > active AC's global priority.
d. Run ap-system-profile name profile-name

An AP system profile is created and the AP system profile view is

displayed.

By default, the system provides the AP system profile default.

e. Run protect-ac { ip-address ip-address | ipv6-address ipv6-address }

The active AC's IP address is configured in the AP system profile view.

By default, no standby AC's IP address is configured in the AP system

profile view.

If multiple APs have the same active AC, configure the active AC's IP
address for the APs on the standby AC in the AP system profile, and bind
the AP system profile to an AP group.
f. Run quit

Return to the WLAN view.

g. The AP system profile is bound to an AP group.

▪ Binding an AP system profile to an AP group.

1) Run the ap-group name group-name command to enter the AP
group view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP group.
By default, the AP system profile default is bound to an AP
group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3324

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

▪ Binding an AP system profile to an AP.

1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
command to enter the AP view.
2) Run the ap-system-profile profile-name command to bind the
AP system profile to the AP.
By default, no AP system profile is bound to an AP.
----End

22.5.7.4 Configuring AC Roles (New Method)

Context
Traditionally, N+1 backup is configured by specifying IP addresses of the active and
standby ACs on each other and configuring AC priorities. The active and standby
ACs are then determined based on the priority. To simplify configuration logic, the
new configuration method allows you to specify the same primary and backup
ACs for APs on the active and standby ACs. The active AC is specified as the
primary AC, and the standby AC as the backup AC.
More than two ACs may exist on the N+1 backup network. Each AP has only one
active AC and one standby AC planned. You only need to create the same AP
system profile on the active and standby ACs, and specify active and standby ACs
as the primary and backup ACs respectively in the AP system profile.
You are advised to create different AP system profiles on different active ACs.
Otherwise, the standby AC cannot identify AP system profile configurations,
causing incorrect configurations.
The following configurations must be performed on both the active and standby
ACs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
Step 4 Run primary-access { ip-address ip-address | ipv6-address ipv6-address }
A primary AC IP address is configured.
By default, no primary AC IP address is configured.
Step 5 Run backup-access { ip-address ip-address | ipv6-address ipv6-address }
A backup AC IP address is configured.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3325

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

By default, no backup AC IP address is configured.

Step 6 Run quit
Return to the WLAN view.
Step 7 The AP system profile is bound to an AP group.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.

NOTE

● If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
● If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name | ap-
mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function
take effect.
● If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.

----End

22.5.7.5 Configuring Revertive Switchover

Context
After an active/standby AC switchover, the standby AC replaces the active AC and
sets up a CAPWAP link with the AP to provide services. The AP periodically sends
Primary Discovery Request packets to detect active AC status. If revertive
switchover is enabled on the standby AC, the AP triggers a revertive switchover

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3326

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

when it detects that the active AC recovers. The AP disconnects from the current
AC and sets up a new CAPWAP link with the active AC. Resources on the standby
AC are released and the standby AC then continues to provide backup services.
Revertive switchover needs to be enabled only on the standby AC.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo ac protect restore disable
Revertive switchover is enabled.
By default, global revertive switching is enabled.

NOTE
If revertive switchover is disabled on the standby AC, traffic of an AP cannot be switched
back to the original active AC even when the link between the original active AC and the
AP restores.

----End

22.5.7.6 (Optional) Configuring CAPWAP Heartbeat Detection

Context
As defined by CAPWAP, an AP and AC periodically exchange packets to maintain
connectivity of the data channel and management channel. If the AP or AC does
not receive any response from each other after CAPWAP heartbeat packets are
sent for the specified number of times, the AP and AC consider the link between
them disconnected.
Perform the following configurations on the active and standby ACs:

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run capwap echo { interval interval-value | times times-value } *

The CAPWAP heartbeat detection interval and number of heartbeat packet

transmissions are configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
By default, If dual-link backup is enabled, the CAPWAP heartbeat detection
interval is 25s and the number of CAPWAP heartbeat detections is 3.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3327

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat
detections smaller than the default values, the CAPWAP link reliability is degraded. Exercise
caution when you set the values. The default values are recommended.

----End

22.5.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode

Context
In N+1 backup scenarios, APs set up links only with the primary ACs. When a link
between an AP and a primary AC fails, the AP sets up a link with the backup AC
and goes online on the backup AC. When the primary AC is recovered, a revertive
switchover is triggered. The AP switches the link back to the primary AC after 20
echo intervals.
● To enable an AP to preferentially switch service traffic to the active link, set
the active/standby link switchover mode to the priority mode.
● To allow an AP to use a link with high network stabilization, set the active/
standby link switchover mode to the network stabilization mode. When the
condition for triggering an active/standby link switchover is met, the AP
preferentially switches service traffic to the link on a network with higher
network stabilization. In this case, whether an active/standby link switchover
is performed is only related to the network stabilization of links but not
related to the active and standby roles of links. You can run the ac protect
link-switch packet-loss { gap-threshold gap-threshold | start-threshold
start-threshold } command to configure the condition for triggering an active/
standby link switchover.
In N+1 backup scenarios, the network stabilization of the link between an AP and
the current AC is determined by the Echo packet loss rate, and that of the link
between the AP and another AC is determined by the Primary Discovery packet
loss rate. The active/standby link switchover is performed when the following
conditions are met:
1. APs collect statistics about Echo or Primary Discovery packets and find that
the calculated packet loss rate is higher than the packet loss rate start
threshold.
2. The packet loss rate of the link in use is higher than that of the other link,
and the difference between the two links' packet loss rates is higher than the
packet loss rate difference threshold.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3328

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

An AP system profile is created and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run ac protect link-switch mode { priority | network-stabilization }

The active/standby link switchover mode is configured.

By default, the active/standby link switchover mode is the priority mode.

Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time

The number of Echo probe packets sent within a statistics collection interval is
configured.

By default, the number of Echo packets sent within a statistics collection interval is
20.

This configuration is supported only when the active/standby link switchover

mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.

Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-

threshold start-threshold }

The packet loss rate start and difference thresholds for an active/standby link
switchover are configured.

By default, the packet loss rate start and difference thresholds for an active/
standby link switchover are 20% and 15%, respectively.

This configuration is supported only when the active/standby link switchover

mode is set to the network stabilization mode using the ac protect link-switch
mode network-stabilization command.

Step 7 Run quit

Return to the WLAN view.

Step 8 Bind the AP system profile to the AP group.

● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3329

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Verifying the Configuration

● Run the display ap-system-profile { all | name profile-name } command to
check the configurations related to the active/standby link switchover mode.

22.5.7.8 Enabling N+1 Backup

Context
After all N+1 backup configurations are complete, enable N+1 backup and then
restart all APs to make the function take effect.
N+1 backup needs to be enabled on all ACs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo ac protect enable
N+1 backup is enabled.
By default, N+1 backup is enabled.
Step 4 (Optional) Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } }
All APs are restarted to make the N+1 backup function take effect.

NOTE

If N+1 backup is enabled, running the undo ac protect enable command does not restart
online APs. You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id
ap-id | ap-group ap-group | ap-type { type type-name | type-id type-id } } command to
restart the APs and make the N+1 backup function take effect. You can also manually
restart the APs to make the N+1 backup function take effect.
If the N+1 backup function is disabled, running the undo ac protect enable command
restarts online APs. After the APs are restarted, the N+1 backup function starts to take
effect.
If an AP goes online after N+1 backup is enabled, you do not need to restart the AP.

----End

22.5.7.9 Verifying the N+1 Backup Configuration

Procedure
● Run the display ac protect command to check the N+1 backup status, AC
revertive switchover status, the AC's global priority, and the standby AC's IP
address.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3330

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Run the display ap-system-profile { all | name profile-name } command to

check the AC's individual priority for a specific AP and the standby AC's IP
address.
----End

22.5.8 Configuration Examples for N+1 Backup

22.5.8.1 Example for Configuring N+1 Backup (APs and ACs in different
network segments)

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the
branches to manage APs and provide WLAN access and e-mail services. These
services require low network reliability and allow temporary service interruption.
An AC is required to be a backup of all ACs to save costs. In this scenario, the
enterprise can deploy a high performance AC at the headquarters as a standby AC
to provide backup services for active ACs in the branches.

Networking Requirements
● AC networking mode: Layer 3 bypass mode
● DHCP deployment mode: Router_3 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3331

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-24 Networking for configuring N+1 backup

Data Planning

Table 22-23 AC data planning

Item Data

Management VLAN for APs AC_1 (active AC): VLAN 99

AC_2 (active AC): VLAN 100

Service VLAN for STAs AC_1: VLAN 101

AC_2: VLAN 102

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3332

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

DHCP server Router_3 functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway:
● STA_1: 10.23.101.1/24
● STA_2: 10.23.102.1/24
APs' gateway:
● AP_1: 10.23.99.1/24
● AP_2: 10.23.100.1/24

IP address pool for APs AP_1: 10.23.99.2-10.23.99.254/24

AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.2-10.23.101.254/24

STA2: 10.23.102.2-10.23.102.254/24

AC's source interface AC_1: VLANIF 201

AC_2: VLANIF 202
AC_3: VLANIF 203

AC_1's management IP address VLANIF 201: 10.23.201.1/24

AC_2's management IP address VLANIF 202: 10.23.202.1/24

AC_3's management IP address VLANIF 203: 10.23.203.1/24

AP group AC_1: (active AC):

● Name: ap-group1
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory domain
profile default

AC_2: (active AC):

● Name: ap-group2
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net1, and regulatory domain
profile default

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3333

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AC_3 (standby AC):

● Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory
domain profile default
● Name: ap-group2
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net1, and regulatory
domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile AC_1:

● Name: wlan-net
● SSID name: wlan-net

AC_2:
● Name: wlan-net1
● SSID name: wlan-net1

AC_3:
● Name: wlan-net
● SSID name: wlan-net
● Name: wlan-net1
● SSID name: wlan-net1

Security profile AC_1, AC_3:

● Name: wlan-net
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567
AC_2, AC_3:
● Name: wlan-net1
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

AP system profile AC_3 (standby AC): ap-system and ap-

system1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3334

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

VAP profile AC_1:

● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

AC_2:
● Name: wlan-net1
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 102
● Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

AC_3:
● Name: wlan-net
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile
wlan-net
● Name: wlan-net1
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

Global priority: AC_1: 0

AC_2: 0
AC_3: 5

Configuration Roadmap
1. Configure network interworking of each AC and other network devices.
Configure Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively,
and configure basic WLAN services on AC_1 and AC_2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3335

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. Configure AC_3 as the standby AC and configure basic WLAN services on

AC_3. Ensure that service configurations on AC_3 are the same as those on
AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC.
When N+1 backup is enabled, all APs are restarted.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0
connected to Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to
AC_1 to VLAN 201. Configure the IP address 10.23.99.1/24 for VLANIF 99,
10.23.101.1/24 for VLANIF 101 and 10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3336

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Router_1] interface vlanif 101

[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as
the management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0
connected to Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to
AC_2 to VLAN 202. Configure the IP address 10.23.100.1/24 for VLANIF 100,
10.23.102.1/24 for VLANIF 102 and 10.23.202.2/24 for VLANIF 202. See Router_1
for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the
Network to VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure
the IP address 10.23.200.1/24 for VLANIF 200. Configure the IP address
10.23.203.2/24 for VLANIF 203. See Router_1 for the detailed configuration
procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to
Router_1 and GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the
PVID of GE0/0/1 is VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to
Router_2 and GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the
PVID of GE0/0/1 is VLAN 100. See Switch_1 for the detailed configuration
procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to
Router_1 to VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit

# On AC_2, create VLAN 102, and VLAN 202, and add GE0/0/1 connected to
Router_2 to VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202.
See AC_1 for the detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1
connected to Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for
VLANIF 203. See AC_1 for the detailed configuration procedure.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3337

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Configure reachable routes between AP_1 and AC_3, and between AP_2 and
AC_3. Perform the configurations according to networking requirements. The
configuration procedure is not provided here.
# On AC_1, configure a route to AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# On AC_2, configure a route to AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

# On AC_3, configure routes to AP1 and AP2 with the next hop as Router_3's
VLANIF 203.
[AC_3] ip route-static 10.23.99.0 24 10.23.203.2
[AC_3] ip route-static 10.23.100.0 24 10.23.203.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.

[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs,
and configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3
to AP_1, and to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure
the DHCP server to assign IP address to AP_1 from the IP address pool ap_1_pool,
to AP_2 from ap_2_pool, to STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover
AC_2 and AP_2 can discover AC_1, which will cause APs unable to connect to the correct AC
based on AC priority.
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3338

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24

[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
[Router_3] interface Vlanif200
[Router_3-Vlanif200] dhcp select global
[Router_3-Vlanif200] quit

Step 3 Configure basic WLAN services on AC_1.

1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source interface of AC_1.

[AC_1] capwap source interface vlanif 201

# Import the APs offline on the AC and add the APs to the AP group ap-
group1. In this example, the AP's MAC address is 60de-4476-e360. Configure
a name for the AP based on the AP's deployment location, so that you can
know where the AP is located. For example, if the AP with MAC address
60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.

[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurati
ons of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3339

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# After the APs are powered on, run the display ap all command to check
the AP state. If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
2. Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net to
radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC_2.

# Configure basic parameters for AC_2 according to the configurations of AC_1.
# Configure the source interface of AC_2.
[AC_2] capwap source interface vlanif 202

# Create AP group ap-group2.

[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2.
In this example, the AP's MAC address is 60de-4474-9640. Configure a name for

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3340

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

the AP based on the AP's deployment location, so that you can know where the
AP is located. For example, if the AP with MAC address 60de-4474-9640 is
deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurati
ons of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC_2-wlan-view] security-profile name wlan-net1

[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.

[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net1 to
radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit

# Set other parameters similarly as those of AC_1.

Step 5 Configure basic WLAN services on AC_3.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3341

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_3-wlan-view] regulatory-domain-profile name default

[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the source interface of AC_3.

[AC_3] capwap source interface Vlanif 203

NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status.
The command output shows that the state of area_1 and area_2 is both fault.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extrainfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 - -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 - -
----------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profiles wlan-net and wlan-net1, and configure security
policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3342

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_3-wlan-view] security-profile name wlan-net1

[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.

# On AC_1, configure the AC's global priority and IP address of AC_3.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3343

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC
with a lower priority is the standby AC. A smaller value indicates a higher priority. If the AC
priorities are the same, the AC that connects to more APs is the active AC. If the ACs connect to
the same number of APs, the AC that connects to more STAs is the active AC. If the ACs connect
to the same number of STAs, the AC with a smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# On AC_2, configure the AC's global priority and IP address of AC_3.

[AC_2-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# Configure the global priority of AC_3.

[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take
effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac
protect enable command. You need to run the ap-reset all command to restart all APs. After
the APs are restarted, N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take
effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.

NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you
run the undo ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.

# Run the display ac protect command on AC_1 to check N+1 backup
information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority :0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect command on AC_2 to check N+1 backup

information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3344

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Protect state : disable

Protect AC : 10.23.203.1
Priority :0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3

to check N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC :-
Priority :5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address : 10.23.201.1
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address : 10.23.202.1
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------

# The WLAN with the SSID wlan-net or wlan-net1 is available for STAs
connected to the APs, and these STAs can connect to the WLAN and go online
normally.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC_1. When AP_1 detects a fault on the link connected to
AC_1, AC_3 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# When AC_1 is restarted, AP_1 goes online on AC_3. Run the display ap all
command on AC_3. The command output shows that the AP status changes from
fault to normal.
# After AC_1 recovers from the restart, an active/standby switchback is triggered.
AP_1 automatically goes online on AC_1.

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3345

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return

● Switch_2 configuration file

#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return

● AC_1 configuration file

#
sysname AC_1
#
vlan batch 101 201
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source interface vlanif201
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3346

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● AC_2 configuration file

#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source interface vlanif202
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-group name ap-group2
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return

● AC_3 configuration file

#
sysname AC_3
#
vlan batch 101 to 102 203
#
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
ip route-static 10.23.99.0 255.255.255.0 10.23.203.2
ip route-static 10.23.100.0 255.255.255.0 10.23.203.2
#
capwap source interface vlanif203
#
wlan
ac protect priority 5
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3347

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
protect-ac ip-address 10.23.201.1
ap-system-profile name ap-system1
protect-ac ip-address 10.23.202.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
● Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
return
● Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3348

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
return

● Router_3 configuration file

#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select global
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
return

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3349

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.5.8.2 Example for Configuring N+1 Backup (APs and ACs in the same
network segment)

Service Requirements
In public places where a large number of users exist in a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access
services. These services are value-added services that require low network
reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to save costs. To meet this requirement, build an N+1 backup
wireless LAN to provide reliable services and reduce device purchase costs. ACs of
different models can work in N+1 backup mode, but versions of the ACs must be
the same.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 22-25 Networking for configuring N+1 backup

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3350

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Data Planning

Table 22-24 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

VLAN 102

DHCP server Switch_1 functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway:
● 10.23.101.1/24
● 10.23.102.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.5-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.3-10.23.101.254/24

STA2: 10.23.102.3-10.23.102.254/24

AC's source interface VLANIF 100

AC_1's management IP address VLANIF 100: 10.23.100.2/24

AC_2's management IP address VLANIF 100: 10.23.100.3/24

AC_3's management IP address VLANIF 100: 10.23.100.4/24

AP group AC_1 (active AC):

● Name: ap-group1
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory domain
profile default

AC_2 (active AC):

● Name: ap-group2
● Referenced profiles: AP system
profile ap-system1, VAP profile
wlan-net1, and regulatory domain
profile default

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3351

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AC_3 (standby AC):

● Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory
domain profile default
● Name: ap-group2
– Referenced profiles: AP system
profile ap-system1, VAP profile
wlan-net1, and regulatory
domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile AC_1:

● Name: wlan-net
● SSID name: wlan-net

AC_2:
● Name: wlan-net1
● SSID name: wlan-net1

AC_3:
● Names: wlan-net and wlan-net1
● SSID names: wlan-net and wlan-
net1

Security profile AC_1:

● Name: wlan-net
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

AC_2:
● Name: wlan-net1
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3352

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AC_3:
● Name: wlan-net
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567
● Name: wlan-net1
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567

VAP profile AC_1:

● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

AC_1:
● Name: wlan-net1
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 102
● Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

AC_3:
● Name: wlan-net
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile
wlan-net
● Name: wlan-net1
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3353

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AP system profile ● AC_1: ap-system

● AC_2: ap-system1
● AC_3: ap-system and ap-system1

Global priority AC_1: 6

AC_2: 6
AC_3: 5

Individual priority AP1: 3

AP2: 3

Configuration Roadmap
1. Configure network interworking of each AC and other network devices.
Configure Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively,
and configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on
AC_3. Ensure that service configurations on AC_3 are the same as those on
AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC.
When N+1 backup is enabled, all APs are restarted.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3354

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure the switches and ACs to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100
as the management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add
GE0/0/1 connected to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to
AC_2 to VLAN 100 and VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to
AC_3 and Switch_2 to VLAN 100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and
VLAN 102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2
connected to AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and
GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit

# On AC_1, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3355

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_1-Vlanif100] quit

# On AC_2, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC_2-Vlanif100] quit

# On AC_3, add GE0/0/1 connected to Switch_1 to VLAN 100, VLAN 101, and
VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-Vlanif100] ip address 10.23.100.4 255.255.255.0
[AC_3-Vlanif100] quit

Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs.
Switch_1 allocates IP addresses to APs from the IP address pool on VLANIF 100,
and allocates IP addresses to STA_1 and STA_2 from the IP address pool on
VLANIF 101 and VLANIF 102 respectively.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit

Step 3 Configure basic WLAN services on AC_1.

1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be
added.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3356

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.

[AC_1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-
group1. In this example, the AP's MAC address is 60de-4476-e360. Configure
a name for the AP based on the AP's deployment location, so that you can
know where the AP is located. For example, if the AP with MAC address
60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check
the AP state. If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
2. Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3357

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_1-wlan-view] security-profile name wlan-net

[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create AP system profile ap-system and configure the AP's individual

priority.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] priority 3
Warning: This action will take effect after resetting AP.
[AC_1-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile and AP system profile to the AP group and apply the
VAP profile wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services and AP priority for AC_2.

# Configure basic parameters for AC_2 according to the configurations of AC_1.
# Configure the source interface of AC_2.
[AC_2] capwap source interface vlanif 100
[AC_2] wlan

# Create AP group ap-group2.

[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2.
In this example, the AP's MAC address is 60de-4474-9640. Configure a name for
the AP based on the AP's deployment location, so that you can know where the
AP is located. For example, if the AP with MAC address 60de-4474-9640 is
deployed in area 2, name the AP area_2.
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3358

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_2-wlan-view] security-profile name wlan-net1

[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.

[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system1 and configure the AP priority.

[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] priority 3
Warning: This action will take effect after resetting AP.
[AC_2-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP
profile wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit

# Set other parameters similarly as those of AC_1.

Step 5 Configure basic WLAN services on AC_3.

1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be
added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3359

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the AC's source interface.

[AC_3] capwap source interface vlanif 100

NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check
the AP state. The command output shows that the status of the APs is both
fault.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
Extrainfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - AP5030DN fault 0 - -
1 60de-4474-9640 area_2 ap-group2 - AP5030DN fault 0 - -
----------------------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profiles wlan-net and wlan-net1, and configure security
policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3360

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Create AP system profile ap-system and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.100.2
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the
VAP profile wlan-net to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.

# On AC_1, configure the AC's global priority and IP address of AC_3.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC
with a lower priority is the standby AC. A smaller value indicates a higher priority. If the AC
priorities are the same, the AC that connects to more APs is the active AC. If the ACs connect to
the same number of APs, the AC that connects to more STAs is the active AC. If the ACs connect
to the same number of STAs, the AC with a smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# On AC_2, configure the AC's global priority and IP address of AC_3.

[AC_2-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# Configure the global priority of AC_3.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3361

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take
effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac
protect enable command. You need to run the ap-reset all command to restart all APs. After
the APs are restarted, N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take
effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.

NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you
run the undo ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.

# Run the display ac protect and display ap-system-profile commands on AC_1
to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority :6
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority :3
Protect AC IP address :-
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_2

to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority :6
Protect restore : enable
...

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3362

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :3
Protect AC IP address :-
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3

to check N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC :-
Priority :5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address : 10.23.100.2
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address : 10.23.100.3
Primary AC :-
Backup AC :-
...
------------------------------------------------------------------------------

# The WLAN with the SSID wlan-net or wlan-net1 is available for STAs
connected to the APs, and these STAs can connect to the WLAN and go online
normally.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC_1. When AP_1 detects a fault on the link connected to
AC_1, AC_3 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# When AC_1 is restarted, AP_1 goes online on AC_3. Run the display ap all
command on AC_3. The command output shows that the AP status changes from
fault to normal.
# After AC_1 recovers from the restart, an active/standby switchback is triggered.
AP_1 automatically goes online on AC_1.

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3363

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
● AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3364

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

port link-type trunk

port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
ac protect protect-ac 10.23.100.4 priority 6
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
priority 3
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

● AC_2 configuration file

#
sysname AC_2
#
vlan batch 100 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
wlan
ac protect protect-ac 10.23.100.4 priority 6
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
priority 3
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3365

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● AC_3 configuration file

#
sysname AC_3
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.4 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
ac protect priority 5
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
protect-ac ip-address 10.23.100.2
ap-system-profile name ap-system1
protect-ac ip-address 10.23.100.3
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return

22.5.8.3 Example for Configuring N+1 Backup and VRRP HSB (APs and ACs in
Different Network Segments)

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the
branches to manage APs and provide WLAN access and e-mail services. These

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3366

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

services require low network reliability and allow temporary service interruption.
An AC is required to be a backup of all ACs to save costs. In this scenario, the
enterprise can deploy a high-performance AC at the headquarters as a standby AC
to provide backup services for active ACs at the branches. To further improve
reliability of ACs, VRRP HSB can be configured for each AC.

Networking Requirements
● AC networking mode: Layer 3 bypass mode
● DHCP deployment mode: Router_3 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 22-26 Networking for configuring N+1 backup and VRRP HSB
Enterprise
headquarters
GE0/0/2
AC_3b AC_3
GE0/0/2
GE0/0/1 GE0/0/1

Eth2/0/2 Eth2/0/1
Router_3
VLANIF200:
10.23.200.1/24
Eth2/0/0

Internet

AC_1b AC_2b

GE0/0/1 GE0/0/1
GE0/0/2 Eth2/0/2 Eth2/0/2 GE0/0/2
GE0/0/2 GE0/0/2
Eth2/0/1 Eth2/0/1
Router_1 Router_2
GE0/0/1 GE0/0/1
AC_1 Eth2/0/0 Eth2/0/0 AC_2

GE0/0/2 GE0/0/2
Switch_1 Switch_2

GE0/0/1 GE0/0/1
Enterprise branch 1 Enterprise branch 2

AP_1 AP_2

Management VLAN: 99 Management VLAN: 100

Service VLAN: 101 Service VLAN: 102

STA_1 STA_2

: VRRP

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3367

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Data Planning

Table 22-25 AC data planning

Item Data

Active and standby ACs in N+1 backup ● The VRRP group consisting of AC_1
mode and AC_1b functions as an active
AC in N+1 backup mode.
● The VRRP group consisting of AC_2
and AC_2b functions as an active
AC in N+1 backup mode.
● The VRRP group consisting of AC_3
and AC_3b functions as the standby
AC in N+1 backup mode.

Management VLAN for APs AC_1 and AC_1b: VLAN 99

AC_2 and AC_2b: VLAN 100

Service VLAN for STAs AC_1 and AC_1b: VLAN 101

AC_2 and AC_2b: VLAN 102

DHCP server Router_3 functions as a DHCP server

to assign IP addresses to APs and STAs.
STAs' gateway:
● STA_1: 10.23.101.1/24
● STA_2: 10.23.102.1/24
APs' gateway:
● AP_1: 10.23.99.1/24
● AP_2: 10.23.100.1/24

IP address pool for APs AP_1: 10.23.99.2-10.23.99.254/24

AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.2-10.23.101.254/24

STA2: 10.23.102.2-10.23.102.254/24

AC_1's source IP address 10.23.201.1/24

AC_2's source IP address 10.23.202.1/24

AC_3's source IP address 10.23.203.1/24

AP group AC_1 and AC_1b:

● Name: ap-group1
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory domain
profile default

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3368

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AC_2 and AC_2b:

● Name: ap-group2
● Referenced profiles: AP system
profile ap-system1, VAP profile
wlan-net1, and regulatory domain
profile default

AC_3 and AC_3b:

● Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory
domain profile default
● Name: ap-group2
– Referenced profiles: AP system
profile ap-system1, VAP profile
wlan-net1, and regulatory
domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile AC_1 and AC_1b:

● Name: wlan-net
● SSID name: wlan-net

AC_2 and AC_2b:

● Name: wlan-net1
● SSID name: wlan-net1

AC_3 and AC_3b:

● Name: wlan-net
● SSID name: wlan-net
● Name: wlan-net1
● SSID name: wlan-net1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3369

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

Security profile AC_1, AC_1b, AC_3, and AC_3b:

● Name: wlan-net
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567
AC_2, AC_2b, AC_3, and AC_3b:
● Name: wlan-net1
● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

AP system profile ap-system:

● Primary AC: 10.23.201.1
● Secondary AC: 10.23.203.1
ap-system1:
● Primary AC: 10.23.202.1
● Secondary AC: 10.23.203.1

VAP profile AC_1 and AC_1b:

● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

AC_2 and AC_2b:

● Name: wlan-net1
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 102
● Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3370

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

AC_3 and AC_3b:

● Name: wlan-net
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile
wlan-net
● Name: wlan-net1
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

Global priority: AC_1 and AC_1b: 0

AC_2 and AC_2b: 0
AC_3 and AC_3b: 5

IP address and port number of the ● IP address of VLANIF 111:

HSB channel between AC_1 and AC_1b 10.23.111.1/24 (AC_1) and
10.23.111.2/24 (AC_1b)
● Port number: 10241

IP address and port number of the ● IP address of VLANIF 111:

HSB channel between AC_2 and AC_2b 10.23.111.3/24 (AC_2) and
10.23.111.4/24 (AC_2b)
● Port number: 10241

IP address and port number of the ● IP address of VLANIF 111:

HSB channel between AC_3 and AC_3b 10.23.111.5/24 (AC_3) and
10.23.111.6/24 (AC_3b)
● Port number: 10241

Configuration Roadmap
1. Configure network interworking of each AC and other network devices.
Configure Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure a VRRP group on AC_1 and AC_1b, on AC_2 and AC_2b, as well as
on AC_3 and AC_3b, respectively.
3. Configure the VRRP group consisting of AC_1 and AC_1b as the active AC of
AP_1 and the VRRP group consisting of AC_2 and AC_2b as the active AC of
AP_2, and configure basic WLAN services on the active ACs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3371

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

4. Configure AC_3 and AC_3b as the standby ACs of AP_1 and AP_2, and
configure basic WLAN services on the standby ACs. Ensure that service
configurations on standby ACs and are the same as those on the active ACs.
5. Configure N+1 backup on the active ACs first and then on the standby ACs.
When N+1 backup is enabled, all APs are restarted.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0
connected to Switch_1 to VLAN 99 and VLAN 101, and add Eth2/0/1 and Eth2/0/2
connected to AC_1 and AC_1b respectively to VLAN 201. Configure the IP address
10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and 10.23.201.2/24
for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface ethernet 2/0/2
[Router_1-Ethernet2/0/2] port link-type trunk

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3372

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Router_1-Ethernet2/0/2] port trunk allow-pass vlan 201

[Router_1-Ethernet2/0/2] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as
the management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0
connected to Switch_2 to VLAN 100 and VLAN 102, and add Eth2/0/1 and
Eth2/0/2 connected to AC_2 and AC_2b respectively to VLAN 202. Configure the IP
address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102 and
10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration
procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the
Network to VLAN 200, and add Eth2/0/1 and Eth2/0/2 connected to AC_3 and
AC_3b respectively to VLAN 203. Configure the IP address 10.23.200.1/24 for
VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203. See Router_1
for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to
Router_1 and GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the
PVID of GE0/0/1 is VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to
Router_2 and GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the
PVID of GE0/0/1 is VLAN 100. See Switch_1 for the detailed configuration
procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to
Router_1 to VLAN 201. Configure the IP address 10.23.201.3/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.3 255.255.255.0
[AC_1-Vlanif201] quit

# Configure AC_1b in the same way of configuring AC_1. The difference is that IP
address 10.23.201.4/24 needs to be configured for VLANIF 201 on AC_1b.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3373

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# On AC_2, create VLAN 102, and VLAN 202, and add GE0/0/1 connected to
Router_2 to VLAN 202. Configure the IP address 10.23.202.3/24 for VLANIF 202.
See AC_1 for the detailed configuration procedure.
# Configure AC_2b in the same way of configuring AC_2. The difference is that IP
address 10.23.202.4/24 needs to be configured for VLANIF 202 on AC_2b.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1
connected to Router_3 to VLAN 203. Configure the IP address 10.23.203.3/24 for
VLANIF 203. See AC_1 for the detailed configuration procedure.
# Configure AC_3b in the same way of configuring AC_3. The difference is that IP
address 10.23.203.4/24 needs to be configured for VLANIF 203 on AC_3b.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's
VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# Configure AC_1b in the same way.

# Configure the route between AC_2 and AP_2 with the next hop as Router_2's
VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

# Configure AC_2b in the same way.

# On AC_3, configure routes to AP1 and AP2 with the next hop as Router_3's
VLANIF 203.
[AC_3] ip route-static 10.23.99.0 24 10.23.203.2
[AC_3] ip route-static 10.23.100.0 24 10.23.203.2

# Configure AC_3b in the same way.

Step 2 Configure network interworking between ACs in each VRRP group.
# Create VLAN 111 on AC_1, add GE0/0/2 on AC_1 connected to AC_1b to VLAN
111, and set the IP address of VLANIF 111 to 10.23.111.1/24.
[AC_1] vlan batch 111
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 111
[AC_1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 111
[AC_1-Vlanif111] ip address 10.23.111.1 255.255.255.0
[AC_1-Vlanif111] quit

# Configure AC_1b, AC_2, AC_2b, AC_3, and AC_3b in the same way. The
difference relies on the IP address of VLANIF 111.
● VLANIF 111 on AC_1b: 10.23.111.2/24
● VLANIF 111 on AC_2b: 10.23.111.3/24
● VLANIF 111 on AC_2b: 10.23.111.4/24
● VLANIF 111 on AC_3b: 10.23.111.5/24
● VLANIF 111 on AC_3b: 10.23.111.6/24
Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.
# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3374

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[Router_1-Vlanif99] dhcp select relay

[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.

[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs,
and configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3
to AP_1, and to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure
the DHCP server to assign IP address to AP_1 from the IP address pool ap_1_pool,
to AP_2 from ap_2_pool, to STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover
AC_2 and AP_2 can discover AC_1, which will cause APs to connect to a correct AC based on the
AC priority.
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
[Router_3] interface Vlanif200
[Router_3-Vlanif200] dhcp select global
[Router_3-Vlanif200] quit

Step 4 Configure VRRP HSB.

# Configure VRRP HSB on AC_1.
[AC_1] vrrp recover-delay 60
[AC_1] interface vlanif 201

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3375

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_1-Vlanif201] vrrp vrid 1 virtual-ip 10.23.201.1

[AC_1-Vlanif201] vrrp vrid 1 priority 120
[AC_1-Vlanif201] vrrp vrid 1 preempt-mode timer delay 1800
[AC_1-Vlanif201] admin-vrrp vrid 1
[AC_1-Vlanif201] quit
[AC_1] hsb-service 0
[AC_1-hsb-service-0] service-ip-port local-ip 10.23.111.1 peer-ip 10.23.111.2 local-data-port 10241 peer-
data-port 10241
[AC_1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_1-hsb-service-0] quit
[AC_1] hsb-group 0
[AC_1-hsb-group-0] bind-service 0
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 201
[AC_1-hsb-group-0] quit
[AC_1] hsb-service-type access-user hsb-group 0
[AC_1] hsb-service-type ap hsb-group 0
[AC_1] hsb-service-type dhcp hsb-group 0
[AC_1] hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1-hsb-group-0] quit

# Configure VRRP HSB on AC_1b.

[AC_1b] vrrp recover-delay 60
[AC_1b] interface vlanif 201
[AC_1b-Vlanif201] vrrp vrid 1 virtual-ip 10.23.201.1
[AC_1b-Vlanif201] admin-vrrp vrid 1
[AC_1b-Vlanif201] quit
[AC_1b] hsb-service 0
[AC_1b-hsb-service-0] service-ip-port local-ip 10.23.111.2 peer-ip 10.23.111.1 local-data-port 10241
peer-data-port 10241
[AC_1b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_1b-hsb-service-0] quit
[AC_1b] hsb-group 0
[AC_1b-hsb-group-0] bind-service 0
[AC_1b-hsb-group-0] track vrrp vrid 1 interface vlanif 201
[AC_1b-hsb-group-0] quit
[AC_1b] hsb-service-type access-user hsb-group 0
[AC_1b] hsb-service-type ap hsb-group 0
[AC_1b] hsb-service-type dhcp hsb-group 0
[AC_1b] hsb-group 0
[AC_1b-hsb-group-0] hsb enable
[AC_1b-hsb-group-0] quit

# Configure VRRP HSB on AC_2.

[AC_2] vrrp recover-delay 60
[AC_2] interface vlanif 202
[AC_2-Vlanif202] vrrp vrid 1 virtual-ip 10.23.202.1
[AC_2-Vlanif202] vrrp vrid 1 priority 120
[AC_2-Vlanif202] vrrp vrid 1 preempt-mode timer delay 1800
[AC_2-Vlanif202] admin-vrrp vrid 1
[AC_2-Vlanif202] quit
[AC_2] hsb-service 0
[AC_2-hsb-service-0] service-ip-port local-ip 10.23.111.3 peer-ip 10.23.111.4 local-data-port 10241 peer-
data-port 10241
[AC_2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_2-hsb-service-0] quit
[AC_2] hsb-group 0
[AC_2-hsb-group-0] bind-service 0
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 202
[AC_2-hsb-group-0] quit
[AC_2] hsb-service-type access-user hsb-group 0
[AC_2] hsb-service-type ap hsb-group 0
[AC_2] hsb-service-type dhcp hsb-group 0
[AC_2] hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2-hsb-group-0] quit

# Configure VRRP HSB on AC_2b.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3376

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_2b] vrrp recover-delay 60

[AC_2b] interface vlanif 202
[AC_2b-Vlanif202] vrrp vrid 1 virtual-ip 10.23.202.1
[AC_2b-Vlanif202] admin-vrrp vrid 1
[AC_2b-Vlanif202] quit
[AC_2b] hsb-service 0
[AC_2b-hsb-service-0] service-ip-port local-ip 10.23.111.4 peer-ip 10.23.111.3 local-data-port 10241
peer-data-port 10241
[AC_2b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_2b-hsb-service-0] quit
[AC_2b] hsb-group 0
[AC_2b-hsb-group-0] bind-service 0
[AC_2b-hsb-group-0] track vrrp vrid 1 interface vlanif 202
[AC_2b-hsb-group-0] quit
[AC_2b] hsb-service-type access-user hsb-group 0
[AC_2b] hsb-service-type ap hsb-group 0
[AC_2b] hsb-service-type dhcp hsb-group 0
[AC_2b] hsb-group 0
[AC_2b-hsb-group-0] hsb enable
[AC_2b-hsb-group-0] quit

# Configure VRRP HSB on AC_3.

[AC_3] vrrp recover-delay 60
[AC_3] interface vlanif 203
[AC_3-Vlanif203] vrrp vrid 1 virtual-ip 10.23.203.1
[AC_3-Vlanif203] vrrp vrid 1 priority 120
[AC_3-Vlanif203] vrrp vrid 1 preempt-mode timer delay 1800
[AC_3-Vlanif203] admin-vrrp vrid 1
[AC_3-Vlanif203] quit
[AC_3] hsb-service 0
[AC_3-hsb-service-0] service-ip-port local-ip 10.23.111.5 peer-ip 10.23.111.6 local-data-port 10241 peer-
data-port 10241
[AC_3-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_3-hsb-service-0] quit
[AC_3] hsb-group 0
[AC_3-hsb-group-0] bind-service 0
[AC_3-hsb-group-0] track vrrp vrid 1 interface vlanif 203
[AC_3-hsb-group-0] quit
[AC_3] hsb-service-type access-user hsb-group 0
[AC_3] hsb-service-type ap hsb-group 0
[AC_3] hsb-service-type dhcp hsb-group 0
[AC_3] hsb-group 0
[AC_3-hsb-group-0] hsb enable
[AC_3-hsb-group-0] quit

# Configure VRRP HSB on AC_3b.

[AC_3b] vrrp recover-delay 60
[AC_3b] interface vlanif 203
[AC_3b-Vlanif203] vrrp vrid 1 virtual-ip 10.23.203.1
[AC_3b-Vlanif203] admin-vrrp vrid 1
[AC_3b-Vlanif203] quit
[AC_3b] hsb-service 0
[AC_3b-hsb-service-0] service-ip-port local-ip 10.23.111.6 peer-ip 10.23.111.5 local-data-port 10241
peer-data-port 10241
[AC_3b-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC_3b-hsb-service-0] quit
[AC_3b] hsb-group 0
[AC_3b-hsb-group-0] bind-service 0
[AC_3b-hsb-group-0] track vrrp vrid 1 interface vlanif 203
[AC_3b-hsb-group-0] quit
[AC_3b] hsb-service-type access-user hsb-group 0
[AC_3b] hsb-service-type ap hsb-group 0
[AC_3b] hsb-service-type dhcp hsb-group 0
[AC_3b] hsb-group 0
[AC_3b-hsb-group-0] hsb enable
[AC_3b-hsb-group-0] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3377

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Use virtual IP addresses of VRRP groups to configure static routes based on

actual network conditions. The configuration procedure is not provided here.
● Enable AP_1 to communicate with the VRRP group consisting of AC_3 and
AC_3b.
● Enable AP_2 to communicate with the VRRP group consisting of AC_3 and
AC_3b.

Step 5 Configure basic WLAN services on AC_1. Configure basic WLAN services on AC2 in
the similar way. The difference is that when an AP is in normal state on AC_1, it is
in standby state on AC_2.
1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be
added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source IP address of AC_1.

[AC_1] capwap source ip-address 10.23.201.1

# Import the APs offline on the AC and add the APs to the AP group ap-
group1. In this example, the AP's MAC address is 60de-4476-e360. Configure
a name for the AP based on the AP's deployment location, so that you can
know where the AP is located. For example, if the AP with MAC address
60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.

[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurati
ons of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check
the AP state. If the State field displays nor, the APs have gone online.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3378

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_1-wlan-view] display ap all

Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
2. Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create AP system profile ap-system and specify the IP address of the

backup AC.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_1-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_1-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile and AP system profile to the AP group and apply the
VAP profile wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit

Step 6 Configure basic WLAN services on AC_2. Configure basic WLAN services on AC_2b
in the same way.
# Configure basic parameters for AC_2 according to the configurations of AC_1.
# Configure the source IP address of AC_2.
[AC_2] capwap source ip-address 10.23.202.1

# Create AP group ap-group2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3379

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2.
In this example, the AP's MAC address is 60de-4474-9640. Configure a name for
the AP based on the AP's deployment location, so that you can know where the
AP is located. For example, if the AP with the MAC address of 60de-4474-9640 is
deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurati
ons of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC_2-wlan-view] security-profile name wlan-net1

[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.

[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system1 and specify the IP address of the backup
AC.
[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_2-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_2-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP
profile wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit

# Set other parameters similarly as those of AC_1.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3380

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 7 Configure basic WLAN services on AC_3. Configure basic WLAN services on AC_3b
in the same way.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the

profile, and apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the source IP address of AC_3.

[AC_3] capwap source ip-address 10.23.203.1

NOTE

The default AP authentication mode is MAC address authentication. If the default settings
are retained, you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status.
The command output shows that the state of area_1 and area_2 is both fault.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3381

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Extrainfo : Extra information

P : insufficient power supply
----------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 - -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 - -
----------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profiles wlan-net and wlan-net1, and configure security
policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] primary-access ip-address 10.23.201.1
[AC_3-wlan-ap-system-prof-ap-system] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the

standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] primary-access ip-address 10.23.202.1
[AC_3-wlan-ap-system-prof-ap-system1] backup-access ip-address 10.23.203.1
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3382

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Bind the VAP profile and AP system profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 8 Enable N+1 backup on AC_1, AC_2, and AC_3. Enable N+1 backup on AC_1b,
AC_2b, and AC_3b in the same way.
# On AC_1, enable N+1 backup and restart all APs to make the function take
effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac
protect enable command. You need to run the ap-reset all command to restart all APs. After
the APs are restarted, N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take
effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.

NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you
run the undo ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 9 Verify the configuration.

# Run the display ac protect and display ap-system-profile commands on AC_1
to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address :-

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3383

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile1 commands on

AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3

to check N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC :-
Priority :0
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.201.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority :-
Protect AC IP address :-
Primary AC : 10.23.202.1
Backup AC : 10.23.203.1
...
------------------------------------------------------------------------------

# The WLAN with the SSID wlan-net or wlan-net1 is available for STAs
connected to the APs, and these STAs can connect to the WLAN and go online
normally.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC_1. When AP_1 detects a fault on the link connected to
AC_1, AC_1b takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3384

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# During the restart of AC_1, services on the STAs are not interrupted. AP_1 goes
online on AC_1b. Run the display ap all command on AC_1b. The command
output shows that the AP status changes from standby to normal.
# After AC_1 recovers from the restart, an active/standby switchback is triggered.
AP_1 automatically goes online on AC_1.
# Restart AC_1 and AC_2. When AP_1 detects a fault on the links connected to
AC_1 and AC_1b, AC_3 takes the active role, ensuring service stability.
# During the restart of AC_1 and AC_1b, services on the STAs are not interrupted.
AP_1 goes online on AC_3. Run the display ap all command on AC_3. The
command output shows that the AP status changes from fault to normal.
# After AC_1 and AC_1b recover from the restart, an active/standby switchback is
triggered. AP_1 automatically goes online on AC_1.

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return

● Switch_2 configuration file

#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return

● AC_1 configuration file

#
sysname AC_1
#
vrrp recover-delay 60
#
vlan batch 101 111 201
#

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3385

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

interface Vlanif111
ip address 10.23.111.1 255.255.255.0
#
interface Vlanif201
ip address 10.23.201.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.201.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source ip-address 10.23.201.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.1 peer-ip 10.23.111.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
● AC_1b configuration file
#
sysname AC_1b
#
vrrp recover-delay 60
#
vlan batch 101 111 201

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3386

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
interface Vlanif111
ip address 10.23.111.2 255.255.255.0
#
interface Vlanif201
ip address 10.23.201.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.201.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source ip-address 10.23.201.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.2 peer-ip 10.23.111.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
● AC_2 configuration file
#
sysname AC_2
#
vrrp recover-delay 60
#
vlan batch 102 111 202
#

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3387

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

interface Vlanif111
ip address 10.23.111.3 255.255.255.0
#
interface Vlanif202
ip address 10.23.202.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.202.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source ip-address 10.23.202.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.3 peer-ip 10.23.111.4 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif202
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
● AC_2b configuration file
#
sysname AC_2b
#
vrrp recover-delay 60
#
vlan batch 102 111 202

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3388

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
interface Vlanif111
ip address 10.23.111.4 255.255.255.0
#
interface Vlanif202
ip address 10.23.202.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.202.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.100.0 255.255.255.0 10.23.202.2
#
capwap source ip-address 10.23.202.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.4 peer-ip 10.23.111.3 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif202
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
● AC_3 configuration file
#
sysname AC_3
#
vrrp recover-delay 60
#
vlan batch 101 to 102 111 203
#

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3389

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

interface Vlanif111
ip address 10.23.111.5 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.203.1
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.203.2
ip route-static 10.23.100.0 255.255.255.0 10.23.203.2
#
capwap source ip-address 10.23.203.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.5 peer-ip 10.23.111.6 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/mLXEK%^%#
aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3390

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

vap-profile wlan-net wlan 1

ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
● AC_3b configuration file
#
sysname AC_3b
#
vrrp recover-delay 60
#
vlan batch 101 to 102 111 203
#
interface Vlanif111
ip address 10.23.111.6 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.4 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.203.1
admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 111
#
ip route-static 10.23.99.0 255.255.255.0 10.23.203.2
ip route-static 10.23.100.0 255.255.255.0 10.23.203.2
#
capwap source ip-address 10.23.203.1
#
hsb-service 0
service-ip-port local-ip 10.23.111.6 peer-ip 10.23.111.5 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif201
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#uE[\Gj>>7~!wliJGW1YWgYpkKO*>S<J'^\:QFb-Z%^%# aes
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#I/\D&_J<3Q\XPh#DL)5V^:1+.$8o@6uuo3/mLXEK%^%#
aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3391

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

ssid wlan-net1
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system
primary-access ip-address 10.23.201.1
backup-access ip-address 10.23.203.1
ap-system-profile name ap-system1
primary-access ip-address 10.23.202.1
backup-access ip-address 10.23.203.1
ap-group name ap-group1
ap-system-profile ap-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return

● Router_1 configuration file

#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 201

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3392

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
return
● Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 202
#
return
● Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select global
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3393

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 203
#
return

22.6 Wireless Configuration Synchronization

Configuration

22.6.1 Overview of Wireless Configuration Synchronization

Definition
Wireless configuration synchronization indicates that configurations are
automatically synchronized between two ACs.

Purpose
VRRP HSB or dual-link HSB is often deployed on ACs to improve network
reliability. HSB requires consistent WLAN service configurations on the master AC
and backup master AC. In real-world scenarios, there may be hundreds or
thousands of lines of WLAN service configurations, leading to a heavy
configuration workload.
Wireless configuration synchronization allows configuring WLAN services on only
one of the two ACs, ensures that these configurations are automatically
synchronized to the other AC, and so greatly reduces the configuration workload.
In addition, this function facilitates configuration maintenance because all
configurations are synchronized between the two ACs.

22.6.2 Understanding Wireless Configuration Synchronization

Basic Concepts
In VRRP HSB and dual-tunnel HSB scenarios, wireless configuration
synchronization implements automatic configuration synchronization between the
master AC and backup master AC. Configurations that can be automatically
synchronized are public configurations, while those that cannot be automatically
synchronized are private configurations.
● Common public configurations include:
– Configurations of roaming and wireless services including radio, SSID,
WLAN security, radio resource management, and positioning

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3394

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

– Configurations of NAC and AAA, including MAC authentication, 802.1X

authentication, external Portal authentication, AAA authentication,
RADIUS authentication, and TACACS authentication, excluding access
user configuration and built-in Portal configuration used for local
authentication
– Configurations required by wireless services, including VLAN pool, time-
range, ACL, free-rule, QoS, and passthrough-domain
– URL filtering, signature database upgrade, intrusion prevention, antivirus,
and Smart Application Control (SAC) configurations
● Common private configurations include:
– VLAN, interface, IP address, routing, DHCP, DNS, and IPSec configurations
– Wired configurations including basic configuration, device management,
interface management, network interconnection, and network
management configurations
– Wireless configuration synchronization, CAPWAP, backup, and AP online
parameter configurations
– Access user configuration and built-in Portal authentication used for local
authentication
– AP upgrade configurations, including the upgrade file, mode, and task,
FTP server, SFTP server, and maximum number of APs that can be
concurrently upgraded
For more details about public and private configurations, see 22.6.4
Configuration Notes.

Wireless Configuration Synchronization in VRRP HSB Scenarios

In Figure 22-27, AC1 and AC2 construct a VRRP HSB network. To implement
wireless configuration synchronization in VRRP HSB scenarios, two roles, master
AC and backup master AC, must be specified so that the master AC can
synchronize wireless configurations to the backup master AC.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3395

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-27 VRRP HSB scenario

Network

Inter-AC CAPWAP
tunnel
AC1 AC2
Master AC Backup master AC

Switch

AP AP

STA STA

1. AC1 and AC2 are bound to the same VRRP backup group and are elected as
the master AC and backup master AC. For details about VRRP principles, see
22.9.2.3 VRRP Implementation in the Configuration Guide - Reliability
Configuration - VRRP Configuration.
The master AC and backup AC in VRRP HSB are elected using a VRRP backup
group through VRRP negotiation. VRRP HSB and wireless configuration
synchronization can use the same or different VRRP backup groups. Therefore,
there is no mapping between the master/backup AC roles and master/backup
master AC roles.
2. The master AC and backup master AC establish an inter-AC CAPWAP tunnel
to transmit wireless configuration synchronization data.
3. Any public configuration performed on the master AC will be synchronized in
real time to the backup master AC over the CAPWAP tunnel.
4. If public configurations are performed on either AC when the inter-AC
CAPWAP tunnel fails, after the CAPWAP tunnel recovers, the system will
detect that the configurations are not synchronized and prompts you to
manually trigger wireless configuration synchronization.

Wireless Configuration Synchronization in Dual-Tunnel HSB Scenarios

In Figure 22-28, AC1 and AC2 construct a dual-tunnel HSB network. To
implement wireless configuration synchronization in the dual-tunnel HSB scenario,
two roles, master AC and local AC, must be specified so that the master AC can
synchronize wireless configurations to the local AC.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3396

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-28 Dual-tunnel HSB scenario

Network

Inter-AC CAPWAP
tunnel
AC1 AC2
Master AC Local AC

Switch

AP AP

STA STA

1. The master AC and local AC are manually specified.

There is no mapping between the active/standby AC roles in dual-tunnel HSB
and master/backup master AC roles.
2. The master AC and local AC establish an inter-AC CAPWAP tunnel to transmit
wireless configuration synchronization data.
3. Any public configuration performed on the master AC will be synchronized in
real time to the local AC over the CAPWAP tunnel.
4. If public configurations are performed on either AC when the inter-AC
CAPWAP tunnel fails, after the CAPWAP tunnel recovers, the system will
detect that the configurations are not synchronized and prompts you to
manually trigger wireless configuration synchronization.

22.6.3 Application Scenarios for Wireless Configuration

Synchronization

Wireless Configuration Synchronization in VRRP HSB Scenarios

In Figure 22-29, AC1 and AC2 form a VRRP backup group to improve users'
network connection reliability. However, the same WLAN services must be
manually configured on the active and standby ACs, making operation and
maintenance difficult.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3397

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Wireless configuration synchronization in VRRP HSB scenarios allows public

configurations on the master AC to be automatically synchronized to the backup
master AC, reducing operation and maintenance workload.

Figure 22-29 Wireless configuration synchronization in VRRP HSB scenarios

Network

Inter-AC CAPWAP
tunnel
AC1 AC2
Master AC Backup master AC

Switch

AP AP

STA STA

Wireless Configuration Synchronization in Dual-Link HSB Scenarios

As shown in Figure 22-30, AC1 and AC2 work in dual-link HSB mode to improve
users' network connection reliability. However, the same WLAN services must be
manually configured on the active and standby ACs, making operation and
maintenance difficult.
Wireless configuration synchronization in dual-link HSB scenarios allows public
configurations on the master AC to be automatically synchronized to local ACs,
reducing operation and maintenance workload.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3398

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-30 Wireless configuration synchronization in dual-link HSB scenarios

Network

Inter-AC CAPWAP
tunnel
AC1 AC2
Master AC Local AC

Switch

AP AP

STA STA

22.6.4 Configuration Notes

Feature Dependencies and Configuration Notes

● Wireless configuration synchronization supports VRRP HSB and dual-link HSB
but not dual-link cold standby or N+1 backup.
● Wireless configuration synchronization requires that all ACs be the same
model and use the same software version.
● For common public and private configurations, see Basic Concepts in 22.6.2
Understanding Wireless Configuration Synchronization.
Existing public configurations can be displayed using the display current-
configuration sync command in any view, but the default parameter settings
are not displayed.
Specific public configuration commands can be displayed using the display
common-commands view view-name command in the diagnostic view, and
the public configuration commands supported in different views can be
displayed by specifying the view-name parameter in these views.
The display common-commands view view-name command can also display
upgrade compatible commands, which cannot be manually executed.
● During wireless configuration synchronization, configurations of the
operations, including restarting ACs or APs, upgrading ACs or APs, querying or
clearing information, and performing a ping or RF-ping operation, are not
synchronized, but the operations of saving configurations are synchronized.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3399

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● If an active/standby switchover occurs during wireless configuration

synchronization between the master AC and backup master AC, the
configurations that have not been synchronized from the master AC to the
backup master AC are lost and need to be manually reconfigured on the new
master AC.
● The backup master AC or local AC has the public configurations (including the
time-range and ACL) required by wired services. If these configurations are
modified because of wireless configuration synchronization, wired services will
be affected. It is recommended that you configure wired and wireless services
independently.
● In wireless configuration synchronization scenarios, if an active/standby
switchover occurs within 30 minutes after configurations are modified, some
users may get offline.
● Configuration of source-ip and nas-ip in template:
In the wireless configuration synchronization scenario, the source-ip and nas-
ip are not allowed to be configured based on the template. The following
commands are involved:
– Run the radius-attribute nas-ip ip-address, radius-attribute nas-ipv6
ipv6-address, radius-server accounting { ipv4-address | ipv6-address }
port source ip-address { ipv4-address | ipv6-address }, and radius-server
authentication { ipv4-address | ipv6-address } port source ip-address
{ ipv4-address | ipv6-address } commands in the RADIUS server template
view.
– Run the hwtacacs-server source-ip ip-address command in the
HWTACACS server template view.
– Run the source-ip ip-address command in the Portal server profile view.
Before enabling wireless configuration synchronization, delete the template
configuration on the master AC. For example, the radius-server accounting
command has been executed to configure the source IPv4 address of the
accounting server to 10.1.1.1. The detailed configuration is as follows:
<AC6605> system-view
[AC6605] radius-server template group1
[AC6605-radius-group1] radius-server accounting 10.1.2.1 1813 source ip-address 10.1.1.1
To delete this source IP address, run the following commands:
<AC6605> system-view
[AC6605] radius-server template group1
[AC6605-radius-group1] radius-server accounting 10.1.2.1 1813

To enable the source-ip and nas-ip function, run the related commands in the
system view. The following commands are involved:
– radius-attribute nas-ip ip-address
– radius-attribute nas-ipv6
– radius-server source ip-address { ipv4-address | ipv6-address }
– hwtacacs-server source-ip ip-address
– web-auth-server source-ip ip-address
The configuration in the system view needs to be manually configured on the
backup master AC and local AC.
● Authorized VLAN configuration note:
Before configuring authorized VLAN, configure the VLAN on backup master
AC and local AC; otherwise, configuration or user authorization may fail.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3400

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● In wireless configuration synchronization scenarios, the STA location service

does not allow the source IP address for an AC to send packets to a location
server to be configured using the source (location profile view) command.
To configure the source IP address, run the location source command.
● In wireless configuration synchronization scenarios, the Bluetooth location
service does not allow the source IP address for an AC to send packets to a
location server to be configured using the source (BLE profile view)
command. To configure the source IP address, run the ble source command.
● When 1K public configuration entries are to be synchronized in the buffer of
the master AC, no more public configurations can be performed. You can
continue with the configuration only after several seconds.

22.6.5 Configuring Wireless Configuration Synchronization

22.6.5.1 Configuring Wireless Configuration Synchronization in VRRP HSB

Scenarios

Prerequisites
Before configuring wireless configuration synchronization in VRRP HSB scenarios,
complete the following tasks: Note that WLAN services do not need to be
consistent on the active and standby ACs. The WLAN services will be synchronized
using the wireless configuration synchronization function.

● Configuring VRRP HSB

Context
During wireless configuration synchronization in VRRP HSB scenarios, two ACs are
bound to the same VRRP group. VRRP selects the master AC and backup master
AC through negotiation, and establishes an inter-AC CAPWAP tunnel using the
local and peer IP addresses configured on the ACs. The master AC then
synchronizes wireless configurations and data to the backup master AC via the
CAPWAP tunnel.

It is recommended that wireless configuration synchronization and VRRP HSB use

the same VRRP group. In this way, the active AC becomes the master AC, and
public configurations configured on the master AC are automatically synchronized
to the backup master AC.

After the master AC and backup master AC are configured, manually trigger
wireless configuration synchronization to ensure consistent public configurations
on the two ACs. Any subsequent public configurations on the master AC will be
automatically synchronized to the backup master AC.

Procedure
Step 1 Configure the master AC and backup master AC. The local and peer IP addresses
configured on the master AC are the peer and local IP addresses configured on the
backup master AC, respectively.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3401

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

1. Run the system-view command to enter the system view.

2. Run the wlan command to enter the WLAN view.
3. Run master controller
The master controller view is displayed.
4. Run master-redundancy peer-ip ip-address ipv4-address1 local-ip ip-
address ipv4-address2 psk psk
The local and peer IP addresses of the AC are set.
By default, no local or peer IP address is configured for the AC.
The psk values configured on the master AC and backup master AC must be
the same.
5. Run master-redundancy track-vrrp vrid vrid interface interface-type
interface-number
VRRP is enabled to track the status of an interface to negotiate the master AC
and backup master AC roles.
By default, VRRP is disabled from tracking the status of an interface to
negotiate the master AC and backup master AC roles.
Step 2 Manually trigger wireless configuration synchronization on the master AC.
1. Run the system-view command to enter the system view.
2. Run synchronize-configuration
Wireless configuration synchronization is triggered.

----End

22.6.5.2 Configuring Wireless Configuration Synchronization in Dual-Link

HSB Scenarios

Prerequisites
Before configuring wireless configuration synchronization in dual-link hot standby
(HSB) scenarios, complete the tasks below. Note that WLAN service consistency is
not required on the active and standby ACs. The WLAN services will be
synchronized between them through wireless configuration synchronization.
● Configuring Dual-Link HSB

NOTE

When you configure dual-link HSB, you must run the primary-access and backup-access
commands to configure the active and standby ACs.

Context
To implement wireless configuration synchronization in dual-link HSB scenarios,
you need to manually specify the master AC and local AC and specify each other's
IP address on the two ACs. In this manner, the master AC and local AC can be
identified correctly to establish a CAPWAP tunnel, over which wireless
configuration synchronization data is transmitted between the two ACs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3402

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

After the master AC and local AC are configured, manually enable wireless
configuration synchronization to ensure consistent public configurations on the
two ACs. Any subsequent public configurations on the master AC will be
automatically synchronized to the local AC.

NOTE

The psk values configured on the master AC and local AC must be the same so that inter-AC
CAPWAP tunnel can be properly established.
Each master AC can only have the unique IP address specified for the local AC, and each local
AC can only have the unique IP address specified for the master AC. The configured IP address
cannot be the IP address of the master or local AC.

Procedure
Step 1 Configure wireless configuration synchronization on the master AC.
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN view.
3. Run master controller
The master controller view is displayed.
4. Run local-controller ip-address ipv4-address psk psk
An IP address is specified for a local AC.
By default, no IP address is set for a local AC on a master AC.
Step 2 Configure wireless configuration synchronization on a local AC.
1. Run the system-view command to enter the system view.
2. Run the wlan command to enter the WLAN view.
3. Run master-controller ip-address ipv4-address psk psk
The current AC is configured as a local AC and an IP address is set for the
master AC.
By default, the current AC is the master AC and no IP address is set for it.
Step 3 Manually trigger wireless configuration synchronization on the master AC.
1. Run the system-view command to enter the system view.
2. Run synchronize-configuration
Wireless configuration synchronization is triggered.

----End

22.6.5.3 Verifying the Wireless Configuration Synchronization Configuration

Procedure
● Check the configuration of wireless configuration synchronization in VRRP
HSB scenarios on the master AC and backup master AC.
– Run the display sync-configuration master-redundancy command to
view the configuration of wireless configuration synchronization on the
master AC or backup master AC.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3403

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

– Run the display sync-configuration status command to view the status

of wireless configuration synchronization on the master AC or backup
master AC.
– Run the display current-configuration sync command to view the public
configurations that take effect on the ACs.
● Check the configuration of wireless configuration synchronization in dual-link
HSB scenarios on the master AC and local AC.
– Run the display sync-configuration status command to view the status
of wireless configuration synchronization on the master AC or local AC.
– Run the display current-configuration sync command to view the public
configurations that take effect on the ACs.

----End

22.6.6 Maintaining Wireless Configuration Synchronization

Context
If a command related to public configurations is executed on the master AC
during daily maintenance, the AC displays the following message:
Warning: After configuration synchronization is enabled, if the local controller or backup controller has
inconsistent configuration
s from the master controller, you must manually synchronize them.
It indicates that configurations on ACs are inconsistent. In this case, manually
trigger wireless configuration synchronization.

Causes of inconsistent configurations may include:

● During a CAPWAP tunnel failure between the master AC and local AC or
between the master AC and backup master AC, a public configuration
command is executed on any of the ACs. After the CAPWAP tunnel is restored,
the ACs detect inconsistent configurations.
● During configuration synchronization between the master AC and local AC, if
the CAPWAP tunnel fails, wireless configuration synchronization is not
complete. After the CAPWAP tunnel is restored, the ACs detect inconsistent
configurations.

Procedure
● Run the synchronize-configuration command in the system view to
manually trigger wireless configuration synchronization.

----End

22.6.7 Configuration Examples for Wireless Configuration

Synchronization

22.6.7.1 Example for Configuring Wireless Configuration Synchronization in

Dual-Link HSB Scenarios

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3404

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Service Requirements
To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in dual-link HSB to meet
this requirement. This solution frees active and standby ACs from location
restrictions and allows both ACs to be flexibly deployed.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The router functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3405

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-31 Networking diagram for configuring dual-link HSB

Data Planning

Table 22-26 AC Data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

AC's backup VLAN VLAN 102

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3406

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

DHCP server The Router functions as the DHCP

server for the APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24

IP address pool for APs 10.23.100.4-10.23.100.254/24

IP address pool for STAs 10.23.101.2-10.23.101.254/24

AC's source interface VLANIF 100

AC1's management IP address VLANIF 100: 10.23.100.2/24

AC2's management IP address VLANIF 100: 10.23.100.3/24

Active AC AC1

Standby AC AC2

Master AC AC1

Local AC AC2

AP group ● Name: ap-group1

● Referenced profile: VAP profile
wlan-net and regulatory domain
profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-
net

AP system profile ● Name: wlan-net

● Primary AC's IP address: 10.23.100.2
● Backup AC's IP address: 10.23.100.3

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3407

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Configuration Roadmap
1. Configure network interworking of the AC1, AC2, and other network devices.
Configure the Router as a DHCP server to assign IP addresses to APs and
STAs.
2. Configure basic WLAN services on AC1 and only private WLAN service
parameters on AC2.
3. Configure AC1 as the active AC and AC2 as the standby AC. Configure dual-
link HSB on the active AC first and then on the standby AC. When dual-link
HSB is enabled, all APs are restarted.
4. Configure wireless configuration synchronization in the dual-link HSB
scenarios.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can
exchange CAPWAP packets.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the
interface to VLAN 100 and VLAN 101. Add GE0/0/2 of SwitchA to VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3408

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100

[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB to VLAN 100 and VLAN 101.
Add GE0/0/2 (connecting to AC1) of SwitchB, and GE0/0/3 (connecting to AC2) of
SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.

# Add GE0/0/1 of AC1 to backup VLAN 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 102.

[AC2] vlan batch 101 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3409

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2] interface vlanif 102

[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to VLAN 102 and add GE0/0/4 of SwitchB
connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure basic WLAN services on AC1.

1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3410

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-view] ap-group name ap-group1

[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.

[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3411

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 5 Configure private WLAN service parameters on AC2.

# Configure the source interface of AC2.
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 6 Configure dual-link backup for AC1 and AC2.

# On AC1, configure the IP address of the primary AC as the source IP address of
AC1, and the IP address of the backup AC as the source IP address of AC2.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts
all APs. After the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs.
You need to run the ap-reset command on the active AC to restart all APs and make the dual-
link backup function take effect.
[AC1-wlan-view] ap-system-profile name wlan-net
[AC1-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-wlan-net] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Configure dual-link backup on AC2.

[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 7 Configure the hot standby function.

# Create HSB service 0 on AC1 and configure the IP addresses and port numbers
for the active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.

[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers
for the active and standby channels.
[AC2-wlan-view] quit
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3412

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2] hsb-service-type ap hsb-service 0

[AC2] hsb-service-type access-user hsb-service 0

Step 8 Configure the master AC and local AC.

# Configure AC1 as the master AC and specify the IP address of a local AC.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] local-controller ip-address 10.23.100.3 psk H@123456
[AC1-master-controller] quit

# Configure AC2 as a local AC and specify the IP address of the master AC.
[AC2] wlan
[AC2-wlan-view] master-controller ip-address 10.23.100.2 psk H@123456

Step 9 Trigger wireless configuration synchronization manually.

# Run the display sync-configuration status command to check the wireless

configuration synchronization status. The command output displays cfg-
mismatch. Wireless configuration synchronization must be manually triggered
from the master AC to the local AC. Wait until the local AC completes automatic
restart.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
10.23.100.3 Local AC6605 V200R010C00 cfg-mismatch(config check fail) -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1-wlan-view] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to conti
nue? [Y/N]:y

Step 10 Verify the configuration.

# Run the display sync-configuration status command on the master AC and

local AC to view the wireless configuration synchronization status. If the status is
up, the wireless configuration synchronization function is properly working.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.100.3 Local AC6605 V200R010C00 up 2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.100.2 Master AC6605 V200R010C00 up 2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

# When public configurations are modified on the master AC, the public
configurations are automatically synchronized to the local AC. When the AP
detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. This ensures service stability.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3413

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Simulate an active AC fault by restarting the active AC to verify the backup

configuration. Restart AC1. When AP1 detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP1 goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP1 automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● SwitchB configuration file

#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● Router configuration file

#
sysname Router
#
vlan batch 100 to 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3414

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup and wireless configuration
synchronization functions. The information in italic is public configurations
automatically synchronized from AC1 to AC2.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3415

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-27 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.2 255.255.255.0 ip address 10.23.100.3 255.255.255.0
# #
interface Vlanif102 interface Vlanif102
ip address 10.23.102.1 255.255.255.0 ip address 10.23.102.2 255.255.255.0
# #
interface GigabitEthernet0/0/1 interface GigabitEthernet0/0/1
port link-type trunk port link-type trunk
port trunk allow-pass vlan 100 102 port trunk allow-pass vlan 100 102
# #
capwap source interface vlanif100 capwap source interface vlanif100
# #
hsb-service 0 hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip service-ip-port local-ip 10.23.102.2 peer-ip
10.23.102.2 local-data-port 10241 peer-data- 10.23.102.1 local-data-port 10241 peer-data-
port 10241 port 10241
# #
hsb-service-type access-user hsb-service 0 hsb-service-type access-user hsb-service 0
# #
hsb-service-type ap hsb-service 0 hsb-service-type ap hsb-service 0
# #
wlan wlan
ac protect enable ac protect enable
security-profile name wlan-net security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^ security wpa-wpa2 psk pass-phrase %^
%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y- %#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-
fNA<TAP&}F%^%# aes fNA<TAP&}F%^%# aes
ssid-profile name wlan-net ssid-profile name wlan-net
ssid wlan-net ssid wlan-net
vap-profile name wlan-net vap-profile name wlan-net
service-vlan vlan-id 101 service-vlan vlan-id 101
ssid-profile wlan-net ssid-profile wlan-net
security-profile wlan-net security-profile wlan-net
regulatory-domain-profile name default regulatory-domain-profile name default
ap-system-profile name wlan-net ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2 primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3 backup-access ip-address 10.23.100.3
ap-group name ap-group1 master-controller ip-address 10.23.100.2 psk
ap-system-profile wlan-net %^%#mh|sYMl/}'U|"W/rBd
radio 0 \9HICmNy{,BIi0c^F:z;V#%^%#
vap-profile wlan-net wlan 1 ap-group name ap-group1
radio 1 ap-system-profile wlan-net
vap-profile wlan-net wlan 1 radio 0
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- vap-profile wlan-net wlan 1
sn 210235554710CB000042 radio 1
ap-name area_1 vap-profile wlan-net wlan 1
ap-group ap-group1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
master controller sn 210235554710CB000042
local-controller ip-address 10.23.100.3 psk ap-name area_1
%^%#/ ap-group ap-group1
q6ITBsonPkeDGXiV;!'^htAMm[n"(Z{^ES|5[^. #
%^%# return
#
return

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3416

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.6.7.2 Example for Configuring Wireless Configuration Synchronization in

VRRP HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in VRRP HSB to meet this
requirement. In this solution, the master and backup ACs are often deployed in the
same location, and the service switchover is fast and has higher reliability than
dual-link HSB.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3417

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-32 Networking for configuring wireless configuration synchronization in

VRRP HSB scenarios (direct forwarding)

Internet

Router
GE0/0/2
VLAN102
AC1 AC2

GE0/0/1
VLAN100-101

GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100-101 VLAN100-101
Eth-Trunk10

GE0/0/2 GE0/0/3
VLAN100-101 VLAN100-101

GE0/0/1 SwitchA
VLAN100-101

AP

STA
Management VLAN: VLAN 100
Service VLAN: VLAN 101
: Service VRRP
: mVRRP
:Eth-Trunk

Data Planning

Table 22-28 AC data planning

Item Data

AC1's source interface Virtual IP address: 10.23.100.3/24

AC2's source interface Virtual IP address: 10.23.100.3/24

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3418

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Data

Virtual IP address of the 10.23.100.3/24

management VRRP group

Virtual IP address of the 10.23.101.3/24

service VRRP group

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

AP group ● Name: ap-group1

● Referenced profiles: VAP profile wlan-net
and regulatory domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK+AES
● Password: a1234567

DHCP server The AC functions as a DHCP server to assign IP

addresses to APs and STAs.

APs' gateway VLANIF 100: 10.23.100.3/24

IP address pool for APs 10.23.100.4 to 10.23.100.254/24

STAs' gateway VLANIF 101: 10.23.101.3/24

IP address pool for STAs 10.23.101.4 to 10.23.101.254/24

IP addresses and port IP address of VLANIF 102: 10.23.102.1/24

numbers for the active and Port number: 10241
standby channels of AC1

IP addresses and port IP address of VLANIF 102: 10.23.102.2/24

numbers for the active and Port number: 10241
standby channels of AC2

Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to
improve the core layer reliability and configure SwitchB as the master switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3419

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

2. Set up connections between the AP, ACs, and other network devices.
3. Configure a VRRP group on AC1 and AC2 and configure a high priority for
AC1 as the active device to forward traffic, and a low priority for AC2 as the
standby device.
4. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
5. Configure the hot standby (HSB) function so that service information on AC1
is backed up to AC2 in batches in real time, ensuring seamless service
switchover from the active device to the standby device.
6. Configure the wireless configuration synchronization function in VRRP HSB
scenarios.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● Check whether loops occur on the wired network. If loops occur, configure
MSTP on corresponding NEs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3420

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3421

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

S12708's Device status:

Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3422

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

32 1/14/0/8 10G 10G 2/14/0/8

--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can
be transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting
to the AP). If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs or WLAN users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN

100 and add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on
SwitchA connected to SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on
SwitchA connected to SwitchC to Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3423

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3424

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 4 Configure a DHCP server.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
10.23.100.1 and 10.23.101.1 have been assigned to the master AC; 10.23.100.2 and
10.23.101.2 have been assigned to the backup AC; 10.23.100.3 and 10.23.101.3
have been assigned as VRRP virtual IP addresses. You need to specify these IP
addresses as those that cannot be automatically assigned to clients from the
interface address pools of the master and backup ACs.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.

Step 5 Configure VRRP on AC1 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and
set the preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3425

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management
VRRP group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management
VRRP group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3426

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1.

1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3427

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1-wlan-view] ssid-profile name wlan-net

[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Configure private WLAN services on AC2.

# Configure the source address of AC2.
[AC2] capwap source ip-address 10.23.100.3

Step 9 Configure the wireless configuration synchronization function in VRRP HSB

scenarios.
# Configure the wireless configuration synchronization function on AC1.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address
10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit

# Configure the wireless configuration synchronization function on AC2.

[AC2] wlan
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address
10.23.102.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit

Step 10 Trigger wireless configuration synchronization manually.

# Run the display sync-configuration status command to check the wireless
configuration synchronization status. The command output displays cfg-
mismatch. Wireless configuration synchronization must be manually triggered
from the master AC to the backup master AC. Wait until the backup master AC
completes automatic restart.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
10.23.102.2 Backup AC6605 V200R010C00 cfg-mismatch(config check fail) -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3428

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to conti
nue? [Y/N]:y

Step 11 Verify the configuration.

1. Verify VRRP.
# After the configurations are complete, run the display vrrp command on
AC1 and AC2. In the command output, the State field of AC1 is Master and
that of AC2 is Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:22
Last change time : 2016-11-17 16:58:25

Vlanif101 | Virtual Router 2

State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:35
Last change time : 2016-11-17 16:58:38
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00

Vlanif101 | Virtual Router 2

State : Backup
Virtual IP : 10.23.101.3

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3429

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. In the command output, the Service State field is Connected,
indicating that the HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB
group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3430

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
AP
DHCP
---------------------------------------------------------

2. Verify wireless configuration synchronization.

# Run the display sync-configuration status command on the master AC
and backup master AC to view the wireless configuration synchronization
status. If the status is up, the wireless configuration synchronization function
is properly working.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.102.2 Backup AC6605 V200R010C00 up 2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.23.102.1 Master AC6605 V200R010C00 up 2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

3. The WLAN with SSID wlan-net is available for STAs connected to AP, and
these STAs can connect to the WLAN.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC1. When AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.
# During the restart of AC1, services on the STAs are not interrupted. AP goes
online on AC2. Run the display ap all command on AC2. The command
output shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is
triggered. AP automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3431

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

● CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup and wireless configuration
synchronization functions. The information in italic is public configurations
automatically synchronized from AC1 to AC2.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3432

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-29 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vrrp recover-delay 60 vrrp recover-delay 60
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
dhcp enable dhcp enable
# #
dhcp server database enable dhcp server database enable
dhcp server database recover dhcp server database recover
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.1 255.255.255.0 ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1 admin-vrrp vrid 1
vrrp vrid 1 priority 120 dhcp select interface
vrrp vrid 1 preempt-mode timer delay 1800 dhcp server excluded-ip-address 10.23.100.1
dhcp select interface 10.23.100.3
dhcp server excluded-ip-address 10.23.100.1 #
10.23.100.3 interface Vlanif101
# ip address 10.23.101.2 255.255.255.0
interface Vlanif101 vrrp vrid 2 virtual-ip 10.23.101.3
ip address 10.23.101.1 255.255.255.0 vrrp vrid 2 track admin-vrrp interface
vrrp vrid 2 virtual-ip 10.23.101.3 Vlanif100 vrid 1 unflowdown
vrrp vrid 2 preempt-mode timer delay 1800 dhcp select interface
vrrp vrid 2 track admin-vrrp interface dhcp server excluded-ip-address 10.23.101.1
Vlanif100 vrid 1 unflowdown 10.23.101.3
dhcp select interface #
dhcp server excluded-ip-address 10.23.101.1 interface Vlanif102
10.23.101.3 ip address 10.23.102.2 255.255.255.0
# #
interface Vlanif102 interface GigabitEthernet0/0/1
ip address 10.23.102.1 255.255.255.0 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/1 port trunk allow-pass vlan 100 to 101
port link-type trunk #
undo port trunk allow-pass vlan 1 interface GigabitEthernet0/0/2
port trunk allow-pass vlan 100 to 101 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/2 port trunk allow-pass vlan 102
port link-type trunk #
undo port trunk allow-pass vlan 1 capwap source ip-address 10.23.100.3
port trunk allow-pass vlan 102 #
# hsb-service 0
capwap source ip-address 10.23.100.3 service-ip-port local-ip 10.23.102.2 peer-ip
# 10.23.102.1 local-data-port 10241 peer-data-
hsb-service 0 port 10241
service-ip-port local-ip 10.23.102.1 peer-ip service-keep-alive detect retransmit 3
10.23.102.2 local-data-port 10241 peer-data- interval 6
port 10241 hsb-group 0
service-keep-alive detect retransmit 3 track vrrp vrid 1 interface Vlanif100
interval 6 bind-service 0
# hsb enable
hsb-group 0 #
track vrrp vrid 1 interface Vlanif100 hsb-service-type access-user hsb-group 0
bind-service 0 #
hsb enable hsb-service-type dhcp hsb-group 0
# #
hsb-service-type access-user hsb-group 0 hsb-service-type ap hsb-group 0
# #
hsb-service-type dhcp hsb-group 0 wlan
# security-profile name wlan-net
hsb-service-type ap hsb-group 0 security wpa-wpa2 psk pass-phrase %^%#l{2<
# +jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3433

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AC1 AC2
wlan %# aes
security-profile name wlan-net ssid-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2< ssid wlan-net
+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^ vap-profile name wlan-net
%# aes service-vlan vlan-id 101
ssid-profile name wlan-net ssid-profile wlan-net
ssid wlan-net security-profile wlan-net
vap-profile name wlan-net regulatory-domain-profile name default
service-vlan vlan-id 101 ap-group name ap-group1
ssid-profile wlan-net radio 0
security-profile wlan-net vap-profile wlan-net wlan 1
regulatory-domain-profile name default radio 1
ap-group name ap-group1 vap-profile wlan-net wlan 1
radio 0 ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-
vap-profile wlan-net wlan 1 sn 21500826402SF6902787
radio 1 ap-name area_1
vap-profile wlan-net wlan 1 ap-group ap-group1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap- master controller
sn 21500826402SF6902787 master-redundancy track-vrrp vrid 1
ap-name area_1 interface Vlanif100
ap-group ap-group1 master-redundancy peer-ip ip-address
master controller 10.23.102.1 local-ip ip-address 10.23.102.2
master-redundancy track-vrrp vrid 1 psk %^%#7KXNDf(-X/No\4)i&z|./
interface Vlanif100 NQ@)WDlUT'`K33Mef47%^%#
master-redundancy peer-ip ip-address #
10.23.102.2 local-ip ip-address 10.23.102.1 return
psk %^%#`P0}*pN+2P=Qf
%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return

22.7 BFD Configuration

This chapter describes how to configure bidirectional forwarding detection (BFD)
to allow network devices to quickly detect faults.

NOTE

On the ACU2, only the VLANIF interface can be bound to the BFD session. The ACU2 does
not support binding between the BFD session and the XGE or Eth-Trunk interface.

22.7.1 Overview of BFD

Definition
Bidirectional Forwarding Detection (BFD) is a unified detection mechanism used to
rapidly detect link faults and monitor IP connectivity.

Purpose
A network device must detect a communications fault between adjacent devices
quickly so that the upper layer protocol can rectify the fault and prevent a service
interruption. In practice, hardware detection is used to detect link faults. For
example, Synchronous Digital Hierarchy (SDH) alarms are used to report link
faults. However, not all media can provide the hardware detection mechanism.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3434

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Applications use the Hello mechanism of the upper-layer routing protocol to

detect faults. The detection duration is more than 1 second, which is too long for
some applications. If no routing protocol is deployed on a small-scale Layer 3
network, the Hello mechanism cannot be used.

BFD provides fast fault detection independent of media and routing protocols. It
has the following advantages:

● Rapidly detects link faults between neighboring network devices. The detected
faults may occur on interfaces, data links, or forwarding engines.
● Provides uniform detection for all media and protocol layers in real time.

Benefits
BFD rapidly detects link faults and monitors IP connectivity, helping you improve
network performance. Adjacent systems can quickly detect communication faults
so that a standby channel can be created immediately to restore communication
and ensure network reliability.

22.7.2 Understanding BFD

BFD Implementation
Two network devices establish a BFD session to detect the forwarding path
between them and serve upper-layer applications. BFD does not provide neighbor
discovery. Instead, BFD obtains neighbor information from the upper-layer
application BFD serves to establish a BFD session. After the BFD session is set up,
the local device periodically sends BFD packets. If the local device does not receive
a response from the peer system within the detection time, it considers the
forwarding path faulty. BFD then notifies the upper-layer application for
processing. The following uses association between OSPF and BFD as an example
to describe the BFD session setup process.

Figure 22-33 BFD session setup

1
OSPF OSPF neighbors OSPF
2 3 2
BFD neighbors

AC1 AC2

As shown in Figure 22-33, OSPF and BFD are configured on SwitchA and SwitchB.
The BFD session setup process is as follows:

1. OSPF uses the Hello mechanism to discover neighbors and establishes a

neighbor relationship.
2. OSPF notifies BFD of neighbor information including source and destination
addresses.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3435

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. BFD sets up a BFD session based on received neighbor information.

4. After the BFD session is set up, BFD starts to detect link faults and rapidly
responds to link faults.

Figure 22-34 BFD detecting link faults

4
OSPF neighbors
OSPF OSPF
3 2 3
BFD neighbors
1

AC1 AC2

As shown in Figure 22-34:

1. The detected link is faulty.

2. BFD rapidly detects the link fault and the BFD session becomes Down.
3. BFD notifies the local OSPF process that the neighbor is unreachable.
4. The local OSPF process ends the OSPF neighbor relationship.

BFD Session Establishment Modes

BFD sessions can be set up statically and dynamically. Static and dynamic BFD
sessions differ in that local and remote discriminators are configured in different
modes. BFD uses local and remote discriminators in control packets to
differentiate BFD sessions.

● Statically establishing a BFD session

BFD session parameters, including the local and remote discriminators, are
specified using commands. Then a request for BFD session establishment is
distributed manually.
● Dynamically establishing a BFD session
When a BFD session is set up dynamically, the system processes the local and
remote discriminators as follows:
– Dynamically allocated local discriminator
When an application triggers dynamic setup of a BFD session, the system
allocates a value as the local discriminator of the BFD session. Then the
local system sends a BFD control packet with Remote Discriminator as 0
to the remote system to negotiate on the BFD session.
– Self-learned remote discriminator
When one end of a BFD session receives a BFD control packet with
Remote Discriminator as 0, this end checks the BFD control packet. If the
packet matches the local BFD session, this end learns the value of Local
Discriminator in the received BFD control packet to obtain the remote
discriminator.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3436

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

BFD Detection Mechanism

Two systems set up a BFD session and periodically send BFD control packets along
the path between them. If one system does not receive BFD control packets within
a specified period, the system considers that a fault has occurred on the path.

BFD provides the Asynchronous mode. In asynchronous mode, two systems

periodically send BFD control packets to each other. If one system receives no
packets consecutively, the system considers the BFD session Down.

BFD Session Management

The BFD session has the following status: Down, Init, Up, and AdminDown. The
State field of a BFD control packet shows the session status. The system changes
the session status based on the local session status and the received session status
of the peer. The BFD state machine implements a three-way handshake for BFD
session setup or deletion to ensure that the two systems detect the status change.
The following uses BFD session setup as an example to describe the state machine
transition process.

Figure 22-35 BFD session setup

AC1 AC2

DOWN Sta: Down DOWN

Sta: Down

DOWN => INIT

DOWN => INIT Sta: Init
Sta: Init

INIT => UP
Sta: Up INIT => UP
Sta: Up

1. AC1 and AC2 start BFD state machines respectively. The initial state of BFD
state machine is Down. AC1 and AC2 send BFD control packets with the State
field as Down. If BFD sessions are configured statically, the values of Remote
Discriminator in BFD packets are specified. If BFD sessions are configured
dynamically, the value of Remote Discriminator is set to 0.
2. After receiving the BFD packet with the State field as Down, AC2 switches the
session status to Init and sends a BFD packet with State field as Init.
3. After the local BFD session status of AC2 changes to Init, AC2 no longer
processes the received BFD packets with the State field as Down.
4. The BFD session status change on AC is similar to that on AC2.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3437

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

5. After receiving the BFD packet with the State field as Init, AC2 changes the
local BFD session status to Up.
6. The BFD session status change on AC1 is similar to that on AC2.

22.7.3 Summary of BFD Configuration Tasks

The device supports the following BFD features: BFD session setup, BFD detection
mode, single-hop and multi-hop BFD, BFD session with automatically negotiated
parameters, BFD Echo function, association, and change of BFD parameters.
Table 22-30 describes the BFD configuration tasks.

Table 22-30 BFD configuration tasks

Scenario Description Task

Configure single-hop Single-hop BFD fast 22.7.5.1 Configuring

BFD detects faults on the Single-Hop BFD
directly connected link.

Configure multi-hop BFD Multi-hop BFD fast 22.7.5.2 Configuring

detects faults on the Multi-Hop BFD
indirectly connected link.

Configure static BFD When the peer device 22.7.5.3 Configuring

with automatically uses dynamic BFD and Static BFD with
negotiated the local device wants to Automatically
discriminators communicate with the Negotiated
peer device and detect Discriminators
static routes, create a
BFD session with
automatically negotiated
discriminators. This
function is mainly used
in scenarios where static
routes are used to
implement Layer 3
connectivity.

Configure the BFD Echo Among two directly 22.7.5.4 Configuring the
function connected devices, one BFD Echo Function
device supports BFD,
whereas the other device
does not support BFD. To
rapidly detect forwarding
failures between the two
devices, the BFD Echo
function is configured on
the BFD-supporting
device.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3438

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Scenario Description Task

Configure BFD Association between BFD 22.7.5.5 Configuring

association and other protocols BFD Association
improves upper-layer
application performance
and fast detects faults
on links.

Adjust BFD parameters You can adjust BFD 22.7.5.6 Adjusting BFD
parameters so that the Parameters
BFD session can fast
detect faults on links.

22.7.4 Default Settings for BFD

Table 22-31 Default BFD settings

Parameter Default Setting

Global BFD Disabled

interval for sending BFD control 30 ms

packets

interval for receiving BFD control 30 ms

packets

Local detection multiplier 3

WTR time 0 min

Delay before a BFD session becomes 0 min

Up

Priority of BFD packets 7

22.7.5 Configuring BFD

22.7.5.1 Configuring Single-Hop BFD

Single-hop BFD fast detects faults on the directly connected link.

Pre-configuration Tasks
Before configuring single-hop BFD, complete the following tasks:

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3439

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Configuring link layer protocol parameters for interfaces to ensure that the
link layer protocol status on the interfaces is Up
● Configuring an IP address for the Layer 3 interface

Configuration Process

Figure 22-36 Single-hop BFD configuration process

Enable global BFD

Configure default multicast

IP address for BFD

Establish a BFD session

Set local and remote

discriminators

Mandatory
Optional

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

BFD is enabled globally and the BFD view is displayed.

By default, BFD is disabled globally.

Step 3 (Optional) Run default-ip-address ip-address

The default multicast IP address for BFD is configured.

By default, BFD uses the multicast IP address 224.0.0.184.

NOTE

If multiple BFD sessions exist on a path, for example, Layer 3 interfaces are connected
through Layer 2 switching devices that support BFD, configure different default multicast IP
addresses for the devices where different BFD sessions are established. In this manner, BFD
packets can be correctly forwarded.

Step 4 Run quit

Return to the system view.

Step 5 Run the following commands as required.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3440

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● On a Layer 3 interface that has an IP address configured, run bfd session-

name bind peer-ip ip-address interface interface-type interface-number
[ source-ip ip-address ]
A BFD binding is configured.
NOTE

– When creating a single-hop BFD session for the first time, bind the single-hop BFD
session to the peer IP address and the local address. To modify a configured BFD
session, delete it and recreate a new one.
– When the BFD configuration items are created, the system checks only the format
of the IP address. The BFD session cannot be established if an incorrect peer IP
address or source IP address is bound.
– When BFD and URPF are used together, URPF checks the source IP address of the
received BFD packets. You must bind the correct source IP address to the BFD
session to prevent BFD packets from being discarded incorrectly.
– BFD cannot detect route switching. If the bound peer IP address change causes
route switching, BFD does not perform re-negotiation unless forwarding fails on
the original link.
● On a Layer 2 interface, Layer 3 interface, run bfd session-name bind peer-ip
default-ip interface interface-type interface-number [ source-ip ip-address ]
Multicast BFD is created.
NOTE

When creating a multicast BFD session on a Layer 3 interface, configure an IP address

for the interface so that the protocol layer becomes Up. Otherwise, the BFD session
cannot become Up.
When creating a multicast BFD session on a Layer 2 interface, configure a PVID on the
interface to ensure that BFD packets can be transmitted at Layer 2.

Step 6 Run discriminator local discr-value

The local discriminator is set.
Step 7 Run discriminator remote discr-value
The remote discriminator is set.

NOTE

● The local discriminator of the local system must be the same as the remote
discriminator of the remote system; the remote discriminator of the local system must
be the same as the local discriminator of the remote system. Otherwise, BFD sessions
cannot be established. After the local discriminator and the remote discriminator are
configured, you cannot modify them.
● If a BFD session is bound to the default multicast address, the local discriminator and
the remote discriminator must be different.

Step 8 Run commit

The configuration is committed.

----End

22.7.5.2 Configuring Multi-Hop BFD

Multi-hop BFD fast detects faults on the indirectly connected link.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3441

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Pre-configuration Tasks
Before configuring multi-hop BFD, complete the following task:

● Configuring a routing protocol to ensure reachability at the network layer

Configuration Process

Figure 22-37 Multi-hop BFD configuration process

Enable global BFD

Establish a BFD session

Set local and remote

discriminators

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

BFD is enabled globally and the BFD view is displayed.

Step 3 Run quit

Return to the system view.

Step 4 Run bfd session-name bind peer-ip ip-address [ source-ip ip-address ]

A BFD session is created and the peer IP address is specified.

NOTE

● When creating a multi-hop BFD session, you must bind the BFD session to the peer IP
address.
● When the BFD configuration items are created, the system checks only the format of
the IP address. The BFD session cannot be established if an incorrect peer IP address or
source IP address is bound.
● When BFD and URPF are used together, URPF checks the source IP address of the
received BFD packets. You must bind the correct source IP address to the BFD session to
prevent BFD packets from being discarded incorrectly.

Step 5 Run discriminator local discr-value

The local discriminator is set.

Step 6 Run discriminator remote discr-value

The remote discriminator is set.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3442

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

The local discriminator of the local system must be the same as the remote discriminator of
the remote system; the remote discriminator of the local system must be the same as the
local discriminator of the remote system. Otherwise, BFD sessions cannot be established.
After the local discriminator and the remote discriminator are configured, you cannot
modify them.

Step 7 Run commit

The configuration is committed.

----End

22.7.5.3 Configuring Static BFD with Automatically Negotiated

Discriminators

When the peer device uses dynamic BFD and the local device wants to
communicate with the peer device and detect static routes, create a BFD session
with automatically negotiated discriminators. This function applies to networks
that use static routes to implement Layer 3 connectivity.

Pre-configuration Tasks
Before configuring a BFD session with automatically negotiated discriminators,
complete the following task:

● Configuring an IP address for the Layer 3 interface

Configuration Process

Figure 22-38 Configuring static BFD with automatically negotiated discriminators

Enable global BFD

Establish a BFD session

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

BFD is enabled globally and the BFD view is displayed.

By default, BFD is disabled globally.

Step 3 Run quit

Return to the system view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3443

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 4 Run bfd session-name bind peer-ip ip-address [ interface interface-type

interface-number ] source-ip ip-address auto
A BFD session with automatically negotiated discriminators is created.

NOTE

● You must specify a source IP address.

● You must specify the peer IP address, which cannot be a multicast IP address.

Step 5 Run commit

The configuration is committed.

----End

22.7.5.4 Configuring the BFD Echo Function

The BFD echo function detects fast detect faults on directly connected links.

Pre-configuration Tasks
Before configuring the BFD echo function, complete the following tasks:

● Connecting interfaces properly

● Correctly configuring IP addresses for Layer 3 interfaces

Configuration Process

Figure 22-39 Configuration process of the BFD echo function

Enable global BFD

Establish a BFD session

with echo function

Set local and remote

discriminators

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

BFD is enabled globally and the BFD view is displayed.

Step 3 Run quit

Return to the system view.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3444

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 4 Run bfd session-name bind peer-ip peer-ip interface interface-type interface-
number [ source-ip ip-address ] one-arm-echo

A BFD session supporting the BFD echo function is configured.

NOTE

● The BFD echo function is only applicable to single-hop BFD sessions.

● BFD cannot detect route switching. If the bound peer IP address changes, BFD does not
perform negotiation again.

Step 5 Run discriminator local discr-value

The discriminator for the BFD session is configured.

You can only configure the local discriminator because the BFD echo function is
only configured on one device supporting BFD.

Step 6 Run commit

The configuration is committed.

----End

22.7.5.5 Configuring BFD Association

Association between BFD and other protocols improves protocol switching

performance and reduces service traffic loss.

Applications Associated with BFD

● BFD for OSPF: See 7.22.6.8 Configuring BFD for OSPF.
● BFD for IS-IS: See 7.24.5.9.1 Configuring Static BFD for IS-IS and 7.24.5.9.2
Configuring Dynamic BFD for IS-IS.
● BFD for BGP: See 7.26.5.7.2 Configuring BFD for BGP.
● BFD for VRRP: See 22.9.6.3.2 Configuring Association Between VRRP and
the Interface Status.
● BFD for PIM: See 7.30.7.8 Configuring PIM BFD.

22.7.5.5.1 Configuring Association Between the BFD Session and the Interface
Status

Pre-configuration Tasks
Before associating the BFD session with interface status, complete the following
task:

● Connecting interfaces properly

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3445

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Configuration Process

Figure 22-40 Association between the BFD session and the interface status

Enable global BFD

Configure default multicast

IP address for BFD

Establish a BFD session

Set local and remote

discriminators

Configure association
between the BFD session
status and the interface
status

Mandatory
Optional

Context
If a transmission device exists on a direct link, BFD detects a link fault faster than
a link protocol on an interface. The link protocol status of a trunk or VLANIF
interface depends on the link protocol status of member interfaces.
To help BFD rapidly report the detection result to the application, a BFD status
attribute is added to the interface management module of each interface. This
attribute indicates the status of the BFD session that is bound to the interface. The
system obtains the interface status based on the link status, protocol status, and
BFD status on the interface, and then reports the interface status to the
application.
This function is only used on the single-hop BFD session that is bound to an
outbound interface and uses the default multicast address.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd
BFD is enabled globally and the BFD view is displayed.
Step 3 (Optional) Run default-ip-address ip-address
The default multicast IP address for BFD is configured.
By default, BFD uses the multicast IP address 224.0.0.184.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3446

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

If multiple BFD sessions exist on a path, for example, Layer 3 interfaces are connected
through Layer 2 switching devices that support BFD, configure different default multicast IP
addresses for the devices where different BFD sessions are established. In this manner, BFD
packets can be correctly forwarded.

Step 4 Run quit

Return to the system view.
Step 5 Run bfd session-name bind peer-ip default-ip interface interface-type interface-
number [ source-ip ip-address ]
A BFD session is created.

NOTE

When creating a multicast BFD session on a Layer 2 interface, configure a PVID on the
interface to ensure that BFD packets can be transmitted at Layer 2.

Step 6 Run discriminator local discr-value

The local discriminator of the BFD session is configured.
Step 7 Run discriminator remote discr-value
The remote discriminator of the BFD session is configured.

NOTE

● The local discriminator of the local system must be the same as the remote
discriminator of the remote system; the remote discriminator of the local system must
be the same as the local discriminator of the remote system. Otherwise, BFD sessions
cannot be established. After the local discriminator and the remote discriminator are
configured, you cannot modify them.
● If a BFD session is bound to the default multicast address, the local discriminator and
the remote discriminator must be different.

Step 8 Run process-interface-status [ sub-if ] [ reboot-no-impact ]

The BFD session status is associated with the bound interface status.
By default, the BFD session status is not associated with the interface status. That
is, the change of the BFD session status does not affect the interface status.
Step 9 Run commit
The configuration is committed.

NOTE

● The BFD session does not report the BFD status to the bound interface immediately
after the commit command is executed because the BFD session may not be set up or
not Up. This prevents the BFD session from reporting an incorrect state to the interface.
When the BFD status changes, the BFD session reports the BFD status to the interface
to trigger the interface status change.
● If the process-interface-status [ sub-if ] [ reboot-no-impact ] command has been
saved in the configuration file, the initial interface status must be Down after the device
restarts; therefore, the BFD session reports a Down state to the interface.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3447

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.7.5.6 Adjusting BFD Parameters

Pre-configuration Tasks
Before adjusting BFD parameters, complete the following task:
● Creating a BFD session

22.7.5.6.1 Adjusting the BFD Detection Time

Context
When you set up a BFD session, you can adjust the minimum interval for sending
BFD packets, minimum interval for receiving BFD packets, and local detection
multiplier based on the network situation and performance requirements.
To reduce usage of system resources, when a BFD session is detected in Down
state, the system adjusts the minimum interval for receiving BFD packets and the
minimum interval for sending BFD packets to random values greater than 1000
ms. When the BFD session becomes Up, the configured intervals are restored.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd bfd-name
The BFD session view is displayed.
Step 3 Run min-tx-interval interval
The minimum interval for sending BFD packets is set.
By default, the minimum interval for sending BFD packets is 30 ms.
Step 4 Run min-rx-interval interval
The minimum interval for receiving BFD packets is set.
By default, the minimum interval for receiving BFD packets is 30 ms.

NOTE

To reduce usage of system resources, when a BFD session is detected in Down state, the
system adjusts the minimum interval for receiving BFD packets and the minimum interval
for sending BFD packets to random values greater than 1000 ms. When the BFD session
becomes Up, the configured intervals are restored.

Step 5 Run detect-multiplier multiplier

The local detection multiplier is set.
By default, the local detection multiplier is 3.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3448

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.7.5.6.2 Setting the WTR Time of a BFD Session

Context
If a BFD session flaps, an active/standby switchover is frequently performed on the
application associated with the BFD session. To prevent the problem, set the WTR
time of the BFD session. When the BFD session changes from Down to Up, BFD
reports the change to the upper layer application only after the WTR timer times
out.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd bfd-name
The BFD session view is displayed.
Step 3 Run wtr wtr-value
The WTR time is set.
By default, the WTR time is 0, indicating that the status change of a BFD session is
reported immediately.

NOTE

If the WTR time is set, set the same WTR time at both ends. Otherwise, when the BFD
session status changes at one end, applications at both ends detect different BFD session
statuses.

----End

22.7.5.6.3 Configuring the Description for a BFD Session

Context
To differentiate BFD sessions, configure the description for BFD sessions.

NOTE

The description (BFD session view) command is valid for only static BFD sessions, and is
invalid for dynamic BFD sessions and BFD sessions with automatically negotiated
parameters.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd bfd-name
The BFD session view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3449

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 3 Run description description

The description of the BFD session is configured.

By default, the description of a BFD session is empty.

----End

22.7.5.6.4 Setting the Delay Before a BFD Session Becomes Up

Context
In practice, some devices determine whether to switch traffic based on the BFD
session status. Because the routing protocol becomes Up after the interface
becomes Up, routes may be not found when services are switched back, causing
traffic loss. Therefore, the interval between the time when the routing protocol
becomes Up and the time when the interface becomes Up must be eliminated.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

Global BFD is enabled and the BFD view is displayed.

Step 3 Run delay-up time

A delay before a BFD session is set.

By default, the delay before a BFD session becomes Up is 0.

----End

22.7.5.6.5 Configuring BFD Session Flapping Suppression

Context
If link quality is poor, BFD results in frequent service switchover. You can configure
link flapping suppression times to prevent frequent service switchover, protecting
link resources and reducing link resource consumption.

Do not configure both the dampening timer-interval and wtr commands.

Otherwise, the BFD session recovery period becomes long.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run bfd

The BFD view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3450

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 3 Run dampening timer-interval maximum maximum-milliseconds initial initial-

milliseconds secondary secondary-milliseconds
BFD session flapping suppression timers are configured.
BFD session flapping suppression timers start by default. The default initial,
secondary, and maximum BFD session flapping suppression timer values are 2000
ms, 5000 ms, and 12000 ms, respectively.
After the dampening timer-interval command is run:
1. When a BFD session flaps for the first time, the initial BFD session flapping
suppression timer starts. If the BFD session flaps again before the initial BFD
session flapping suppression timer expires, BFD session renegotiation is
triggered after the initial BFD session flapping suppression timer expires.
2. After the initial BFD session flapping suppression timer ends, the secondary
BFD session flapping suppression timer starts. If the BFD session flaps before
the secondary BFD session flapping suppression timer expires, BFD session
renegotiation is triggered after the secondary BFD session flapping
suppression timer expires. After that, the timer value is secondary-
milliseconds x 2(n-1), where n is the number of times that the secondary BFD
session flapping suppression timer starts.
3. After the timer value of secondary-milliseconds x 2(n-1) is greater than or
equal to the value specified by maximum-milliseconds, the BFD session uses
the value specified by maximum-milliseconds as a flapping suppression three
consecutive times. After that, the BFD session flapping suppression is
recalculated based on Step a.

NOTE

The configured maximum BFD session flapping suppression timer value must be greater than
the configured initial or secondary BFD session flapping suppression timer value. Otherwise, the
configuration fails.

----End

22.7.5.6.6 Setting the Global TTL Value

Context
When devices running different versions interwork with each other, the TTL values
and detection modes on both ends of the BFD session are different and BFD
packets are discarded. You can set the global TTL value to enable the Huawei
device to interwork with each other in different versions, with upgraded devices,
and with non-Huawei devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd
BFD is enabled globally on the local node and the BFD view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3451

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 3 Run peer-ip peer-ip mask-length ttl { single-hop | multi-hop } ttl-value

The TTL value of BFD control packets is set.

NOTE

● The TTL value of BFD packets varies with the BFD session type. By default, for a static
BFD session, the TTL value of a single-hop BFD packet is 255 and the TTL value of a
multi-hop BFD packet is 254. For a dynamic BFD session, the TTL value of a single-hop
BFD packet is 255 and the TTL value of a multi-hop BFD packet is 253.
● After the TTL value in multi-hop BFD packets is configured, you must configure the
same peer IP address, mask length longer than the mask length for the TTL value in
multi-hop BFD packets, and TTL value in single-hop BFD packets. This is because the
TTL value in multi-hop BFD packets affects dynamic single-hop BFD sessions.

----End

22.7.5.6.7 Setting the Priority of BFD Packets

You can change the priority of BFD packets to:

● Detect whether packets with different priorities on a link can be forwarded.
● Ensure that BFD packets with a higher priority are forwarded first.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bfd bfd-name
The BFD session view is displayed.
Step 3 Run tos-exp tos-value
The priority of BFD packets is set.
By default, the priority of BFD packets is 7, representing the highest priority. The
value 0 is the lowest priority.

----End

22.7.5.6.8 Setting the Interval for Sending Traps

Context
If the BFD module is enabled with the SNMP alarm function, the NMS will receive
BFD Up or Down messages. If the BFD session flaps, the NMS receives a large
number of traps. In this case, BFD traps need to be suppressed. Run the snmp-
agent bfd trap-interval command to set the interval at which traps are sent to
prevent overflow of traps.

Procedure
Step 1 Run system-view

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3452

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The system view is displayed.

Step 2 Run bfd

BFD is enabled globally and the BFD view is displayed.

Step 3 Run snmp-agent bfd trap-interval interval

The interval at which traps are sent is set.

By default, the interval at which traps are sent is 120s.

----End

22.7.5.7 Verifying the BFD Configuration

Procedure
● Run the display bfd interface [ interface-type interface-number ] command
to check the BFD-enabled interface.
● Run the display bfd session { all | static | discriminator discr-value |
dynamic | peer-ip { default-ip | peer-ip } | static-auto } [ verbose ]
command to view information about the BFD session.
● Run the display bfd statistics command to check global BFD statistics.
● Run the display bfd statistics session { all | static | dynamic | discriminator
discr-value | peer-ip default-ip | peer-ip peer-ip | static-auto } command to
check BFD session statistics.

----End

22.7.6 Clearing BFD Session Statistics

Context
Before viewing BFD statistics within a specified period, run the reset bfd statistics
command to clear existing statistics.

NOTICE

Deleted BFD statistics cannot be restored. Exercise caution when you use this
command.

Procedure
● Run the reset bfd statistics { all | discriminator discr-value } command in
the user view to clear BFD session statistics.

----End

22.7.7 Configuration Examples for BFD

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3453

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.7.7.1 Example for Configuring Single-hop BFD for Detecting Faults on a

Layer 2 Link

Networking Requirements
As shown in Figure 22-41, AC and Switch are connected through a Layer 2
interface. Faults on the link between AC and Switch need to be fast detected.

Figure 22-41 Single-hop BFD for detecting faults on a Layer 2 link

GE0/0/1 GE0/0/1

AC Switch

Configuration Roadmap
The configuration roadmap is as follows:

Configure BFD sessions on AC and Switch to detect faults on the link between AC
and Switch.

Procedure
Step 1 Configure single-hop BFD on AC.

# Enable BFD on AC.

[AC] bfd
[AC-bfd] quit

# Create a BFD session on AC.

[AC] bfd atob bind peer-ip default-ip interface gigabitethernet 0/0/1

[AC-bfd-session-atob] discriminator local 1
[AC-bfd-session-atob] discriminator remote 2
[AC-bfd-session-atob] commit
[AC-bfd-session-atob] quit

Step 2 Configure single-hop BFD on Switch.

The configuration of Switch is similar to that of AC. The local and remote
discriminators of the BFD session must be respectively set to 2 and 1.

Step 3 Configure interfaces that connect the AC and switch to ensure transmission of BFD
packets at Layer 2.

# Configure the AC.

[AC] vlan 10
[AC-vlan10] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 10
[AC-GigabitEthernet0/0/1] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3454

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Configure the interface on the switch. The configuration method is the same as
that on the AC.
Step 4 Verify the configuration.
After the configuration is complete, run the display bfd session all verbose
command on AC and Switch. You can see that a single-hop BFD session is set up
and its status is Up.
The display on AC is used as an example.
[AC] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 64 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

# Run the shutdown command on GE0/0/1 of AC to simulate a link fault.

[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] shutdown
[AC-GigabitEthernet0/0/1] quit

After the configuration is complete, run the display bfd session all verbose
command on AC and Switch. You can see that a single-hop BFD session is set up
and its status is Down. The display on AC is used as an example.
[AC] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 64 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi :3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number :-

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3455

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Destination Port : 3784 TTL : 255

Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : No Application Bind
Session TX TmrID : 16402 Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 0/1

----End

Configuration Files
● Configuration file of AC
#
sysname AC
#
bfd
#
interface GigabitEthernet0/0/1
shutdown
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/0/1
discriminator local 1
discriminator remote 2
commit
#
return

22.7.7.2 Example for Configuring Single-Hop BFD on a VLANIF Interface

Networking Requirements

As shown in Figure 22-42, the AC connects to the switch through a VLANIF

interface. Faults on the link between the AC and switch need to be fast detected.

Figure 22-42 Networking diagram for configuring single-hop BFD on a VLANIF

interface
VLANIF100 VLANIF100
10.1.1.5/24 10.1.1.6/24
GE0/0/1 GE0/0/1
AC Switch

Configuration Roadmap
The configuration roadmap is as follows:
Configure BFD sessions on the AC and switch to detect faults on the link between
the AC and switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3456

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
Step 1 On the AC and switch, create VLANs, configure GE0/0/1 interfaces as hybrid
interfaces, and add GE0/0/1 interfaces to VLANs. The configuration details are not
mentioned here.
Step 2 Configure IP addresses for VLANIF interfaces so that the AC and switch can
communicate at Layer 3. The configuration details are not mentioned here.
Step 3 Configure single-hop BFD.
# Enable BFD and create a BFD session on the AC.
<AC6605> system-view
[AC6605] sysname AC
[AC] bfd
[AC-bfd] quit
[AC] bfd atob bind peer-ip 10.1.1.6 interface vlanif 100
[AC-bfd-session-atob] discriminator local 1
[AC-bfd-session-atob] discriminator remote 2
[AC-bfd-session-atob] commit
[AC-bfd-session-atob] quit

# Enable BFD and create a BFD session on the switch. The configuration of the
switch is similar to that of the AC. The peer IP address of the BFD session must be
set to 10.1.1.5, and the local and remote discriminators of the BFD session must
be respectively set to 2 and 1.
Step 4 Verify the configuration.
After the configuration is complete, run the display bfd session all verbose
command on the AC and switch, and you can find that a single-hop BFD session is
set up and its status is Up. The command output on the AC is used as an example.
<AC> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 64 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(Vlanif100)
Bind Session Type : Static
Bind Peer IP Address : 10.1.1.6
NextHop Ip Address : 10.1.1.6
Bind Interface : Vlanif100
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

# Run the shutdown command on GE0/0/1 of AC to simulate a link fault.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3457

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC] interface gigabitethernet 0/0/1

[AC-GigabitEthernet0/0/1] shutdown
[AC-GigabitEthernet0/0/1] quit

After the configuration is complete, run the display bfd session all verbose
command on the AC and switch, and you can find that a single-hop BFD session is
set up and its status is Down. The command output on the AC is used as an
example.
<AC> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 64 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(Vlanif100)
Bind Session Type : Static
Bind Peer IP Address : 10.1.1.6
NextHop Ip Address : 10.1.1.6
Bind Interface : Vlanif100
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 13000 Actual Rx Interval (ms): 13000
Local Detect Multi :3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : No Application Bind
Session TX TmrID : 16897 Session Detect TmrID : -
Session Init TmrID : 16898 Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 0/1

----End

Configuration Files
● Configuration file of the AC
#
sysname AC
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.5 255.255.255.0
#
interface GigabitEthernet0/0/1
shutdown
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd atob bind peer-ip 10.1.1.6 interface Vlanif100
discriminator local 1
discriminator remote 2
commit
#
return

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3458

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.7.7.3 Example for Configuring Multi-Hop BFD

Networking Requirements
As shown in Figure 22-43, AC is indirectly connected to SwitchC. Static routes are
configured so that AC can communicate with SwitchC. Faults on the link between
AC and SwitchC need to be fast detected.

Figure 22-43 Networking diagram for configuring multi-hop BFD

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1

10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24

VLAN 10 VLAN 20
AC SwitchB SwitchC

Configuration Roadmap
The configuration roadmap is as follows:

Configure BFD sessions on AC and SwitchC to detect the multi-hop route.

Procedure
Step 1 Add interfaces to VLANs, create VLANIF interfaces, and assign IP addresses to
VLANIF interfaces. The configuration details are not mentioned here.

Step 2 Configure a reachable static route between AC and SwitchC.

<AC6605> system-view
[AC6605] sysname AC
[AC] ip route-static 10.2.0.0 16 10.1.1.2

The configuration of SwitchC is similar to the configuration of AC, and is not

mentioned here.

Step 3 Configure multi-hop BFD.

# Create a BFD session between AC and SwitchC.

[AC] bfd
[AC-bfd] quit
[AC] bfd atoc bind peer-ip 10.2.1.2
[AC-bfd-session-atoc] discriminator local 10
[AC-bfd-session-atoc] discriminator remote 20
[AC-bfd-session-atoc] commit
[AC-bfd-session-atoc] quit

# Create a BFD session between SwitchC and AC.

The configuration of SwitchC is similar to that of AC. The peer IP address of the
BFD session must be set to 10.1.1.1, and the local and remote discriminators of
the BFD session must be respectively set to 20 and 10.

Step 4 Verify the configuration.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3459

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

After the configuration, run the display bfd session all verbose command on AC
and SwitchC. You can see that a BFD session is set up and is in Up state. Take the
display on ACas an example.
<AC> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 68 (Multi Hop) State : Up Name : atoc
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Peer IP Address
Bind Session Type : Static
Bind Peer IP Address : 10.2.1.2
Bind Interface :-
Track Interface :-
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 254
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

# Run the shutdown command on the GE0/0/1 interface of ACto simulate a link
fault.
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] shutdown
[AC-GigabitEthernet0/0/1] quit

After the configuration, run the display bfd session all verbose command on AC
and SwitchC. You can see that a multi-hop BFD session is set up and the status is
Down. Take the display on ACas an example.
<AC> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 68 (Multi Hop) State : Down Name : atoc
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Peer IP Address
Bind Session Type : Static
Bind Peer IP Address : 10.2.1.2
Bind Interface :-
Track Interface :-
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 11500 Actual Rx Interval (ms): 11500
Local Detect Multi :3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 254
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : No Application Bind

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3460

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Session TX TmrID : 534 Session Detect TmrID : -

Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 0/1

----End

Configuration Files
● Configuration file of ACA
#
sysname AC
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
bfd atoc bind peer-ip 10.2.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 10.2.0.0 255.255.0.0 10.1.1.2
#
return

22.7.7.4 Example for Configuring Association Between the BFD Status and
the Interface Status

Networking Requirements
As shown in Figure 22-44, the AC and SwitchC connect to each other at the
network layer. SwitchA and SwitchB are Layer 2 transmission devices and are
deployed between the AC and SwitchC. Users expect that devices on both ends
can rapidly detect the fault, triggering fast route convergence.

Figure 22-44 Networking diagram of configuring association between the BFD

session status and the interface status

GE0/0/1 GE0/0/1 GE0/0/1

AC SwitchA SwitchB SwitchC

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure BFD sessions on the AC and SwitchC to detect link status.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3461

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

2. Configure association between BFD status and interface status on the AC and
SwitchC after the BFD session is Up.

Procedure
Step 1 Configure the interfaces connecting the AC and SwitchC.
# Configure the AC.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 10
[AC-vlan10] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AC-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 10
[AC-GigabitEthernet0/0/1] quit

# Configure the interface of SwitchC connecting to the AC. The configuration

procedure is similar to that of the AC.

NOTE

Configure a PVID on interfaces of SwitchA and SwitchB where BFD packets pass through so
that BFD packets can be transmitted at Layer 2.

Step 2 Configure single-hop BFD.

# On the AC, enable BFD and create a BFD session with SwitchC.
[AC] bfd
[AC-bfd] quit
[AC] bfd atob bind peer-ip default-ip interface gigabitethernet 0/0/1
[AC-bfd-session-atob] discriminator local 10
[AC-bfd-session-atob] discriminator remote 20
[AC-bfd-session-atob] commit
[AC-bfd-session-atob] quit

# On SwitchC, enable BFD and create a BFD session with the AC. The
configuration of SwitchC is similar to that of the AC. The local and remote
discriminators of the BFD session must be respectively set to 20 and 10.
# Run the display bfd session all verbose command on the AC and SwitchC, and
you can find that a single-hop BFD session is set up and is in Up state. The
command output on the AC is used as an example.
[AC] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 67 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3462

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Proc Interface Status : Disable Process PST : Disable

WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Step 3 Configure association between BFD session status and interface status.

# Configure association between the BFD session status and the interface status
on the AC.
[AC] bfd atob
[AC-bfd-session-atob] process-interface-status
[AC-bfd-session-atob] quit

# Configure association between BFD session status and interface status on

SwitchC. The configuration of SwitchC is similar to that of the AC.

Step 4 Verify the configuration.

After the configuration is complete, run the display bfd session all verbose
command on the AC and SwitchC, and you can find that the Proc Interface
Status field is Enable.

The command output on the AC is used as an example.

[AC] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 67 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : IFNET
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Run the shutdown command on GE0/0/1 of SwitchB to have the BFD session
Down.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3463

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchB] interface gigabitethernet 0/0/1

[SwitchB-GigabitEthernet0/0/1] shutdown
[SwitchB-GigabitEthernet0/0/1] quit

Run the display bfd session all verbose and display interface gigabitethernet
0/0/1 commands on the AC, and you can find that the status of the BFD session is
Down, and the status of GE0/0/1 is Up.
[AC] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 67 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 12500 Actual Rx Interval (ms): 12500
Local Detect Multi :3 Detect Interval (ms) : -
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : Control Detection Time Expired
Bind Application : IFNET
Session TX TmrID : 430 Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 0/1

[AC] display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP(BFD status down)
Description:HUAWEI, AC Series, GigabitEthernet0/0/1 Interface
Switch Port, PVID : 10, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is dcd2-fcf9-b5ca
Last physical up time : 2013-08-06 14:02:50 UTC+08:00
Last physical down time : 2013-08-06 14:02:33 UTC+08:00
Current system time: 2013-08-06 21:05:10+08:00
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 22704 bits/sec,Record time: 2013-08-06 14:03:46
Output peak rate 53960 bits/sec,Record time: 2013-08-06 14:03:46

Input: 19108 packets, 2480594 bytes

Unicast: 6284, Multicast: 2890
Broadcast: 9934, Jumbo: 0
Discard: 0, Total Error: 0

CRC: 0, Giants: 0
Jabbers: 0, Throttles: 0
Runts: 0, Alignments: 0
Symbols: 0, Ignoreds: 0
Frames: 0

Output: 13634 packets, 1278722 bytes

Unicast: 5227, Multicast: 2574

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3464

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Broadcast: 5833, Jumbo: 0

Discard: 0, Total Error: 0

Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization threshold : 100.00%

Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%

----End

Configuration Files
● Configuration file of the AC
#
sysname AC
#
vlan 10
#
bfd
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/0/1
discriminator local 10
discriminator remote 20
process-interface-status
commit
#
return

22.7.7.5 Example for Configuring the BFD Echo Function

Networking Requirements
As shown in Figure 22-45, the AC and switch directly connect to each other. The
AC supports the BFD function but the switch does not. Users expect that faults on
the link can be fast detected.

Figure 22-45 Networking diagram of configuring the BFD echo function

GE0/0/1 GE0/0/1
VLANIF13 VLANIF13
10.1.1.5/24 10.1.1.6/24
Single-hop
AC BFD session Switch
Supporting Not supporting
BFD BFD

Configuration Roadmap
The configuration roadmap is as follows:

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3465

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Configure the BFD echo function on the AC to detect the link between the AC
and switch.

Procedure
Step 1 Create a VLAN on both the AC and switch, configure GE0/0/1 as a trunk interface,
and add it to the VLAN.
# Configure the AC.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 13
[AC-vlan13] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 13
[AC-GigabitEthernet0/0/1] quit

# Configure the switch. The configuration of the switch is similar to that of the
AC.
Step 2 Configure IP addresses for the VLANIF interfaces so that the AC can communicate
with the switch at Layer 3.
# Configure the AC.
[AC] interface vlanif13
[AC-Vlanif13] ip address 10.1.1.5 24
[AC-Vlanif13] quit

# Configure the switch. The configuration of the switch is similar to that of the
AC.
Step 3 Configure the BFD echo function.
# Configure the AC.
[AC] bfd
[AC-bfd] quit
[AC] bfd atob bind peer-ip 10.1.1.6 interface vlanif13 source-ip 10.1.1.5 one-arm-echo
[AC-bfd-session-atob] discriminator local 1
[AC-bfd-session-atob] commit
[AC-bfd-session-atob] quit

Step 4 Verify the configuration.

After the configuration is complete, run the display bfd session all verbose
command on AC, and you can find that a single-hop BFD session is set up and is
in Up state.
<AC> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 515 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : -
Session Detect Mode : Asynchronous One-arm-echo Mode
BFD Bind Type : Interface(Vlanif13)
Bind Session Type : Static
Bind Peer IP Address : 10.1.1.6
NextHop Ip Address : 10.1.1.6
Bind Interface : Vlanif13
Bind Source IP Address : 10.1.1.5
FSM Board Id :0 TOS-EXP :7
Echo Rx Interval (ms) : 1000

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3466

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000

Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) :-
Active Multi :3 DSCP :-
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID :- Session Detect TmrID : -
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

----End

Configuration Files
● Configuration file of the AC
#
sysname AC
#
vlan batch 13
#
bfd
#
interface Vlanif13
ip address 10.1.1.5 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 13
#
bfd atob bind peer-ip 10.1.1.6 interface Vlanif13 source-ip 10.1.1.5 one-arm-echo
discriminator local 1
commit
#
return

22.7.8 Troubleshooting BFD

22.7.8.1 BFD Session Cannot Become Up

Common Causes
This fault is commonly caused by one of the following:

● The link carrying the BFD session is faulty. As a result, BFD packets cannot be
exchanged.
● The BFD session flaps frequently.

Procedure
Step 1 Run the display current-configuration configuration bfd-session command to
check whether the local and remote discriminators at both ends match.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3467

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● If the local and remote discriminators at both ends match, go to step 2.

● If the local and remote discriminators at both ends do not match, run the
discriminator command to correctly configure local and remote
discriminators, and then run the display bfd session all command to check
whether the BFD session is Up.
– If the value of the State field is Up, the BFD session has been established.
– If the value of the State field is not Up, go to step 2.
Step 2 Run the display current-configuration configuration bfd-session command to
check whether the BFD detection time is longer than the delay before the BFD
session becomes Up.
Detection time = Received Detect Multi of the remote system x Max (Local RMRI/
Received DMTI) Detect Multi is the local detection multiplier, which is set by using
the detect-multiplier command. The Required Min Rx Interval (RMRI) is the
minimum interval for receiving BFD packets, which is set by using the min-rx-
interval command. The Desired Min Tx Interval (DMTI) is the minimum interval
for sending BFD packets, which is set by using the min-tx-interval command.
The link delay can be obtained using the ping or tracert mechanism.
If the BFD detection time is shorter than the delay before the BFD session
becomes Up, run the detect-multiplier, min-rx-interval, and min-tx-interval
commands to increase the BFD detection time to be longer than the delay.

----End

22.7.8.2 BFD Detection Result Affects Forwarding on an Interface

Common Causes
The BFD session is associated with the interface status.

Procedure
Step 1 Run the display interface interface-type interface-number command to check the
physical status of the interface bound to the BFD session.
● If the value of Line protocol current state is UP (BFD status down), the
interface status is affected by the BFD session status. When the BFD session
detects a link fault, the interface enters the BFD status down state. Go to
step 2.
● If the value of Line protocol current state is UP but the interface cannot
forward packets, the forwarding module is working properly.
Step 2 Run the display bfd session all command to check the BFD session status.
If the BFD session status is Down, go to step 3.
Step 3 Run the display current-configuration configuration bfd-session command to
check the BFD session configuration and check whether the process-interface-
status [ sub-if ] [ reboot-no-impact ] command is used.
If the process-interface-status [ sub-if ] [ reboot-no-impact ] command is used,
the interface enters the DOWN (BFD status down) state when the BFD session

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3468

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

detects a link fault and enters the Down state. As a result, the interface cannot
forward packets.

----End

22.7.8.3 Modified BFD Parameters Do Not Take Effect

Common Causes
After BFD session parameters are modified, the configuration is not committed.

NOTE

Saving the results of each troubleshooting step is recommended. If your troubleshooting

fails to correct the fault, you will have a record of your actions to provide Huawei technical
support personnel.

Procedure
Step 1 Run the display current-configuration configuration bfd-session command to
check the BFD session configuration and check whether the commit command is
used.
● If the commit command is used, the modified BFD parameters are
committed.
● If the commit command is not used, the modified BFD parameters are not
committed. Run the commit command to commit the configuration.

----End

22.8 EFM Configuration

This chapter describes how to configure Ethernet in the First Mile (EFM). EFM can
be enabled on both devices of a point-to-point link to monitor connectivity and
link quality.

NOTE

ACU2 does not support EFM.

22.8.1 Overview of EFM

EFM effectively improves Ethernet management and maintenance capabilities and
ensures the stable operation of networks.
Easy-to-use Ethernet techniques support good bandwidth extensibility on low-cost
hardware. With these advantages, Ethernet services and structures are the first
choice for many enterprise networks. The increasing popularity of Ethernet
applications encourages operators to use improved Ethernet OAM functions to
maintain and operate Ethernet networks.
Ethernet in the First Mile (EFM) is a type of link-level OAM technology and
defines the specifications of the Ethernet physical layer and OAM used for user

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3469

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

access. EFM provides link connectivity detection, link fault monitoring, remote
fault notification, and remote loopback for a link between two directly connected
devices.

22.8.2 Understanding EFM

22.8.2.1 Basic Concepts of EFM

OAM PDUs
EFM works at the data link layer and uses protocol packets called OAM Protocol
Data Units (PDUs). EFM devices periodically exchange OAMPDUs to report the
link status, helping network administrators effectively manage networks. Figure
22-46 shows the OAMPDU format and common types of OAMPDUs. Table 22-32
lists and describes fields in an OAMPDU.

Figure 22-46 OAMPDU format

42Bytes~1496
6Bytes 6Bytes 2Bytes 1Byte 2Bytes 1Byte Bytes 4Bytes

Destination addr Source addr Type Subtype Flags Code Data/Pad CRC

Information OAMPDU 0X00 Local info TLV Remote info TLV …

Event notification OAMPDU 0X01 seq Link event TLV …

Loopback control OAMPDU 0X04 Loopback command

Table 22-32 Fields in an OAMPDU

Field Description

Destination Destination MAC address, which is a slow protocol multicast

addr address 0x0180-C200-0002. Network bridges cannot forward
slow protocol packets. EFM OAMPDUs cannot be forwarded
over multiple devices, even if OAM is supported or enabled on
the devices.

Source addr Source address, which is a unicast MAC address of a port on

the transmit end. If no port MAC address is specified on the
transmit end, the bridge MAC address of the transmit end is
used.

Type Slow protocol type, which has a fixed value of 0x8809.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3470

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Field Description

Subtype Subtype of a slow protocol. The value is 0x03, indicating that

the slow subprotocol is EFM.

Flags Status of an EFM entity.

● Remote Stable
● Remote Evaluating
● Local Stable
● Local Evaluating
● Critical Event
● Dying Gasp
● Link Fault

Code OAMPDU type.

● 0X00: Information OAMPDU
● 0X01: Event Notification OAMPDU
● 0X04: Loopback Control OAMPDU
Table 22-33 lists common types of OAMPDUs.

Table 22-33 OAMPDU types

OAMPDU Type Description

Information ● Used to discover a remote EFM entity, initiate a

OAMPDU handshake process, and establish an EFM connection.
After the EFM connection is established, both EFM
entities periodically exchange Information OAMPDUs
to monitor link connectivity.
● Used to advertise fault information. Upon receiving a
critical link event carried in a Flags field of an
Information OAMPDU sent by the remote EFM entity,
the local EFM entity sends a trap to the NMS.

Event Notification Used to monitor links. If an errored frame event, errored

OAMPDU code period event, or errored frame second event occurs
on an interface, the interface sends an Event Notification
OAMPDU to notify the remote interface of the event.

Loopback Control Used to enable or disable the remote loopback function.

OAMPDU

Connection Modes
EFM supports two connection modes: active and passive. An EFM connection can
only be initiated by an OAM entity working in active mode. An OAM entity

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3471

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

working in passive mode waits to receive a connection request from its peer entity.
Table 22-34 lists capabilities for processing OAMPDUs in the two modes.

Table 22-34 Capabilities for processing OAMPDUs in active and passive modes
Capability Active Mode Passive Mode

Initiate a connection request by Supported Not supported

sending an Information
OAMPDU during the discovery
process

Respond to a connection Supported Supported

request during the discovery
process

Send Information OAMPDUs Supported Supported

Send Event Notification Supported Supported

OAMPDUs

Send Loopback Control Supported Not supported

OAMPDUs

Respond to Loopback Control Supported (The remote Supported

OAMPDUs EFM entity must work
in active mode.)

22.8.2.2 Basic Functions of EFM

EFM supports the following functions: OAM discovery, link monitoring, fault
notification, and remote loopback. The following example illustrates EFM
implementation on the network shown in Figure 22-47. The customer edge (CE)
is a device in a customer equipment room and PE1 is an operator device. EFM is
used to monitor the link connecting the CE to PE1, allowing an operator to
remotely monitor link connectivity and quality.

Figure 22-47 Typical EFM network

Network Side
User Side

Port 2
Port 1 PE2
CE PE1 PE3 IP/MPLS
EFM
PE4

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3472

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

EFM Discovery
During the discovery process, a local EFM entity discovers and establishes a stable
EFM connection with a remote EFM entity. Figure 22-48 shows the discovery
process.
NOTE

Two OAM entities both working in passive mode cannot establish an EFM connection
between them.

Figure 22-48 EFM discovery

CE PE1

1: Se
nd an
Initial status: Inform Initial status:
ation
discovery (active local OAMP discovery (passive
EFM DU w
mode) settin ith th mode)
g e
2: Compare the
received
with
M P DU flag Information
o n OA a nda OAMPDU with the
ti ting
s atch
r ma
4: Check whether
an Info FM set ttings m local EFM setting
end E se
the EFM setting in ote FM
3: S nd rem h er E
the received l a h e t
loca ng w
OAMPDU matches
n d icati
the local EFM i
setting. If so, the 5: P
session enters the e riod
Detect state. If not, ica
ll
repeat step 1 to to m y sen
ain d
initiate or stop tain Inform
t he at
negotiation until con ion O 6: Enter the Detect
nec A
EFM is disabled tion MPDU state, establish a
s
locally. connection, and
exchange
Information
OAMPDUs to
maintain the
connection

EFM entities at both ends of an EFM connection periodically exchange Information

OAMPDUs to monitor link connectivity. The interval at which Information
OAMPDUs are sent is also known as an interval between handshakes. If an EFM
entity does not receive any Information OAMPDU from the remote EFM entity
within the connection timeout interval, the EFM entity considers the connection
interrupted and sends a trap to the NMS. Establishing an EFM connection is a way
to monitor physical link connectivity automatically.

Link Monitoring
Monitoring Ethernet links is difficult if network performance deteriorates while
traffic is being transmitted over physical links. To resolve this problem, configure
the EFM link monitoring function that detects data link layer faults in various
environments. EFM entities that are enabled with link monitoring exchange Event
Notification OAMPDUs to monitor links.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3473

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

If an EFM entity receives a link event listed in Table 22-35, it sends an Event
Notification OAMPDU to notify the remote EFM entity of the event and also sends
a trap to an NMS. After receiving the trap on the NMS, an administrator can
determine the network status and take remedial measures as needed.

Table 22-35 Minor link events

Minor Link Description Usage Scenario

Event

Errored Symbol If the number of symbol This event helps the device
Period Event errors that occur on a device detect code errors during data
interface during a specified transmission at the physical
period of time reaches a layer.
specified upper limit, the
device generates an errored
symbol period event,
advertises the event to the
remote device, and sends a
trap to the NMS.

Errored Frame If the number of frame This event helps the device
Event errors that occur on a device detect frame errors that occur
interface during a specified during data transmission at the
period of time reaches a data link layer.
specified upper limit, the
device generates an errored
frame event, advertises the
event to the remote device,
and sends a trap to the NMS.

Errored Frame An errored frame second is a This event helps the device
Seconds one-second interval wherein detect errored frame seconds
Summary at least one frame error is that occur during data
Event detected. If the number of transmission at the data link
errored frame that occur layer.
during a specified period of
time reaches a specified
upper limit on an interface
of a device, the device
generates an errored frame
second summary event,
advertises the event to the
remote device, and sends a
trap to the NMS.

Fault Notification
After the OAM discovery process finishes, two EFM entities at both ends of an
EFM connection exchange Information OAMPDUs to monitor link connectivity.
When traffic is interrupted because the remote EFM entity fails or becomes
unavailable, the faulty EFM entity will send an Information OAMPDU carrying a

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3474

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

critical link event listed in Table 22-36 to the local EFM entity. After receiving the
notification, the local EFM entity sends a trap to the NMS. An administrator can
view the trap on the NMS to determine the link status and take measures to
rectify the fault.

Table 22-36 Critical link event

Critical Link Event Description

Link fault If a loss of signal (LoS) error occurs because a physical

link fails, the local device sends a trap to the NMS.

Dying gasp If an unexpected status change or event occurs because a

remote device or board is reset, the local device sends a
trap to the NMS.

Critical event If an unidentified critical event occurs because a fault is

detected using association between the remote EFM
entity and a specific feature, the local device sends a trap
to the NMS. Remote EFM entities can be associated with
protocols, including bidirectional forwarding detection
(BFD), connectivity fault management (CFM), and
Multiprotocol Label Switching (MPLS) OAM.

Link Loss If a loss of signal (LoS) error occurs because the interval
at which OAMPDUs are sent elapses, the local device
sends a trap to the NMS.

Remote Loopback
Figure 22-49 demonstrates the implementation of remote loopback. When a local
interface sends non-OAMPDUs to a remote interface, the remote interface loops
the non-OAMPDUs back to the local interface, not to the destination addresses of
the non-OAMPDUs. This is remote loopback. An EFM connection must be
established to implement remote loopback.

NOTE

An OAM entity that initiates a loopback request must work in active mode.

Figure 22-49 Implementation of remote loopback

All packets except EFM packets

Interface 1 Interface 2
(Active Mode) (Passive Mode)
Data Flow

After remote loopback is enabled, the device discards all the non-OAMPDUs,
causing service interruption. It is recommended that you enable remote loopback

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3475

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

to check link connectivity and quality before a new network is used or a link fault
is rectified. The results help an operator take measures to minimize the remote
loopback impact on services.
The local device computes communication quality parameters such as the packet
loss ratio on the current link based on the number of sent packets and the
number of received packets. Figure 22-50 shows the remote loopback process.

Figure 22-50 Remote loopback process

CE PE1

Loop
back
Active Con 1: Send
mode trol O a
loop AMP 2: After receiving the
back DU w
r eq u ith a OAMPDU, PE1
est r em o
te determines whether
to enter the loopback
state. If not, PE1
ica t in g discards the
U in d Loopback Control
D
M P p te d
OA e OAMPDU and
a t ion is acc forwards data frames
r m s t
In f o e q u e
e n d a n t th e r on demand. If so, PE1
3: S th a stops forwarding data
frames. Go to step 3.
4: Enter the 5: Sen
loopback state d a loo
pba c k
test p
a cket

he
e t to t
pack
7: Compare the
c k test
a
number of sent oopb tiator
o p the l ini
test packets with 6: Lo
the number of
received test
packets and
check the link
status

If the local device attempts to stop remote loopback, it sends a message to

instruct the remote device to disable remote loopback. After receiving the
message, the remote device disables remote loopback.
If remote loopback is left enabled, the remote device keeps looping back service
data, causing a service interruption. To prevent this problem, a capability can be
configured to disable remote loopback automatically after a specified timeout
interval. After the timeout interval expires, the local device automatically sends a
message to instruct the remote device to disable remote loopback.

22.8.3 Summary of EFM Configuration Tasks

After basic EFM functions are configured, EFM can work properly. To deploy
special EFM functions such as link monitoring, remote loopback, remote fault
indication, and EFM association, perform the configurations according to the
following sections.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3476

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-37 describes the EFM configuration tasks.

Table 22-37 EFM configuration tasks

Scenario Description Task

Configure basic EFM Basic EFM functions are 22.8.5.1 Configuring

functions used to monitor the link. Basic EFM Functions

Configure EFM link After link monitoring is 22.8.5.2 Configuring

monitoring configured, the network EFM Link Monitoring
administrator can detect
link layer faults in
various environments
and dynamically monitor
link quality.

Configure remote Remote loopback is used 22.8.5.3 Configuring

loopback to test link connectivity Remote Loopback on
and performance. The Initial Device

Configure remote fault Remote fault indication 22.8.5.4 Configuring

indication is used to detect remote Remote Fault
device faults and Indication
monitor Ethernet
performance.

22.8.4 Default Settings for EFM

The following table provides the default settings for EFM.

Table 22-38 Default settings for EFM

Parameter Default Setting

Global EFM Disabled

EFM on an interface Disabled

Working mode Active mode

Maximum size of an OAMPDU 128 bytes

Timeout interval at which EFM 5000 ms

OAMPDUs are received

22.8.5 Configuring EFM

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3477

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.8.5.1 Configuring Basic EFM Functions

22.8.5.1.1 Enabling EFM Globally

Context
Before configuring basic EFM functions, enable EFM globally.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run efm enable

EFM is enabled globally.

By default, EFM is disabled globally.

----End

22.8.5.1.2 (Optional) Configuring an Interface or Bridge MAC Address as the

Source MAC Address in an OAMPDU

OAMPDUs support interface or bridge MAC addresses as source MAC addresses.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run efm src-mac

An interface or bridge MAC address is configured as the source MAC address in an

OAMPDU.

By default, a bridge MAC address is used as the source MAC address in an

OAMPDU.

----End

22.8.5.1.3 (Optional) Setting the EFM Working Mode on an Interface

Context
EFM supports two connection modes: active and passive. Table 22-39 describes
the differences between the active and passive modes.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3478

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-39 Capabilities for processing OAMPDUs in active and passive modes

Action Active Mode Passive Mode

Initiate a connection request by Supported Not supported

sending an Information
OAMPDU during the discovery
process

Respond to a connection Supported Supported

request during the discovery
process

Send Information OAMPDUs Supported Supported

Send Event Notification Supported Supported

OAMPDUs

Send Loopback Control Supported Not supported

OAMPDUs

Respond to Loopback Control Supported (The Supported

OAMPDUs remote EFM entity
must work in active
mode.)

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the interface at one end of the link is displayed.

Step 3 Run efm mode { active | passive }

The EFM working mode on the interface is configured.

By default, EFM on an interface works in active mode.

NOTE

● The working mode of EFM can be set on an interface only after EFM is enabled globally
and before EFM is enabled on the interface. The working mode of EFM on an interface
cannot be changed after EFM is enabled on the interface.
● When using EFM to monitor a link, ensure that either of the interfaces at both ends of
the link operates in active mode.
– If both ends of a link are configured to work in active EFM mode, link detection
can be implemented.
– If both ends of a link are configured to work in passive mode, link detection cannot
be implemented.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3479

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.8.5.1.4 (Optional) Setting EFM OAMPDU Parameters

Context
EFM entities exchange OAMPDUs periodically to report the link status. The
network administrator can set EFM OAMPDU parameters to effectively manage
networks.
EFM OAMPDU parameters include the maximum OAMPDU size and timeout
interval at which OAMPDUs are received.
● After the maximum OAMPDU size is set on an interface, the interface
considers excess EFM OAMPDUs invalid and discards them. You can adjust the
maximum size of an EFM OAMPDU so that devices can communicate.
● After setting up an EFM connection, two EFM entities exchange OAMPDUs at
a specific interval to check whether the connection is working properly. If an
EFM entity does not receive any OAMPDU from its remote EFM entity within
the interval at which OAMPDUs are received, it considers that the link is not
working properly. The network administrator can set different intervals at
which OAMPDUs are received based on user requirements. A short interval
can be set for high-priority or delay-sensitive services. A long interval can be
set for low-priority or delay-insensitive services.
Perform the following steps on the interfaces at both ends of a link.

Procedure
● Setting the maximum size of an EFM OAMPDU
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
c. Run efm packet max-size size
The maximum size of an EFM OAMPDU is set.
By default, the maximum size of an EFM OAMPDU on an interface is 128
bytes.
If the maximum EFM OAMPDU sizes configured on the interfaces at both
ends of a link are different, the interfaces negotiate the maximum EFM
OAMPDU size during the discovery process. The smaller one between the
maximum EFM OAMPDU sizes on the two ends is used.
● Setting the timeout interval at which EFM OAMPDUs are received
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
c. Run efm timeout timeout-value
The timeout interval at which EFM OAMPDUs are received is set.
By default, the timeout interval at which EFM OAMPDUs are received is
5000 ms.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3480

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The interfaces at both ends of a link must use the same timeout interval.
Otherwise, session negotiation between the two interfaces fails or the
session flaps.
NOTE

The timeout interval is set only after EFM is enabled globally but before EFM is
enabled on an interface.

----End

22.8.5.1.5 Enabling EFM on an Interface

Context
After EFM is enabled on interfaces connecting local and remote EFM entities, the
two entities start to set up an EFM connection to monitor the connectivity of the
link between them.

NOTE

Eth-Trunks do not support EFM.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
Step 3 Run efm enable
EFM is enabled on the interface.
By default, EFM is disabled on an interface.

NOTE

Before using this command, ensure that EFM has been enabled globally using the efm
enable command.

----End

22.8.5.1.6 Verifying the Configuration of Basic EFM Functions

Prerequisites
The configuration of basic EFM functions is complete.

Procedure
● Run the display efm { all | interface interface-type interface-number }
command to check the EFM configuration.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3481

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Run the display efm session { all | interface interface-type interface-

number } command to check the EFM protocol status.
----End

22.8.5.2 Configuring EFM Link Monitoring

After link monitoring is configured, the network administrator can detect link layer
faults in various environments and dynamically monitor link quality.

22.8.5.2.1 Detecting Minor Link Events

Context
If an EFM entity receives a link event, it sends an Event Notification OAMPDU to
notify the remote EFM entity of the event and also sends a trap to an NMS. After
receiving the trap on the NMS, an administrator can determine the network status
and take remedial measures as needed.

Select one or more detection methods to monitor links based on as needed.

Procedure
● Detecting errored code events
a. Run system-view
The system view is displayed.
b. Run efm enable
EFM is enabled globally.
c. Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
d. Run efm error-code period period
The period for detecting EFM errored codes is set.
By default, the period for detecting errored codes on an interface is 1
second.
e. Run efm error-code threshold threshold
The threshold for detecting EFM errored codes is set.
By default, the threshold for detecting errored codes on an interface is 1.
f. Run efm enable
EFM is enabled on the interface.
g. Run efm error-code notification enable
The interface is enabled to detect EFM errored codes.
By default, an interface is not enabled to detect EFM errored codes.
● Detecting errored frame events
a. Run system-view
The system view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3482

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

b. Run efm enable

EFM is enabled globally.
c. Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
d. Run efm error-frame period period
The period for detecting EFM errored frames is set.
By default, the period for detecting errored frames on an interface is 1
second.
e. Run efm error-frame threshold threshold
The threshold for detecting EFM errored frames is set.
By default, the threshold for detecting errored frames on an interface is 1.
f. Run efm enable
EFM is enabled on the interface.
g. Run efm error-frame notification enable
The interface is enabled to detect EFM errored frames.
By default, an interface is not enabled to detect EFM errored frames.
● Detecting errored frame seconds
a. Run system-view
The system view is displayed.
b. Run efm enable
EFM is enabled globally.
c. Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
d. Run efm error-frame-second period period
The period for detecting EFM errored frame seconds is set.
By default, the period for detecting errored frame seconds on an interface
is 60 seconds.
e. Run efm error-frame-second threshold threshold
The threshold for detecting EFM errored frame seconds is set.
By default, the threshold for detecting errored frame seconds on an
interface is 1.
f. Run efm enable
EFM is enabled on the interface.
g. Run efm error-frame-second notification enable
The interface is enabled to detect errored frame seconds.
By default, an interface is not enabled to detect errored frame seconds.

----End

22.8.5.2.2 (Optional) Associating a Minor Link Event with an Interface

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3483

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Context
Minor link events include errored symbol events, errored frame events, and errored
frame second events. If the number of code errors, errored frames, or errored
frame seconds detected by an interface on a link in the configured period reaches
or exceeds the configured threshold, the link is unavailable or has low quality. You
can associate an EFM crossing event with an interface. Then the system sets the
administrative status of the interface to Down. In this manner, all services on the
interface are interrupted.
Perform the following steps at one or two ends of a link.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
Step 3 Run efm threshold-event trigger error-down
A threshold crossing event is associated with an interface.
By default, no threshold crossing event is associated with an interface.

----End

Follow-up Procedure
After associating a threshold crossing event with an interface, configure the
interface to go administratively Up by using either of the following methods:
● Run the error-down auto-recovery command in the system view to configure
the interface to go administratively Up after the auto recovery delay.
● Run the shutdown command and then the undo shutdown command in the
interface view to restore the administrative status of the interface to Up.

22.8.5.2.3 Verifying the EFM Link Monitoring Configuration

Prerequisites
The EFM link monitoring configuration is complete.

Procedure
● Run the display efm { all | interface interface-type interface-number }
command to check the EFM configuration.
----End

22.8.5.3 Configuring Remote Loopback on The Initial Device

Remote loopback is used to test link connectivity and performance.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3484

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Remote loopback mainly tests connectivity and quality of a single link. On the
network shown in Figure 22-51, remote loopback is configured on the interface
connecting the AC to the Switch. The interface sends test packets to its remote
interface. The packet loss ratio and delay can be calculated based on returned test
packets to evaluate link connectivity and performance.

Figure 22-51 Remote loopback

All packets except EFM packets

AC Switch

(Active Mode) (Passive Mode)

Data Flow

NOTE

● Remote loopback can only be initiated by an interface in active EFM mode.

● Remote loopback affects data service forwarding. Therefore, it is recommended that you
enable remote loopback to check link connectivity and quality before a new network is
used or a link fault is rectified.
● After the undo efm enable command is executed in the system view to disable EFM, all
the EFM configuration is deleted. If remote loopback is performed on the device and
many test packets are sent, running the undo efm enable command may cause test
packets to be forwarded. As a result, network bandwidth is occupied.

Pre-configuration Tasks
Before configuring remote loopback, complete the following tasks:
● 22.8.5.1 Configuring Basic EFM Functions
● Setting the EFM mode to active for the interface that needs to be configured
with remote loopback

Procedure
Step 1 Enabling remote loopback on the device that initiates a request
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The view of an interface in active EFM mode is displayed.
3. Run efm loopback start [ timeout timeout ]
The interface is configured to initiate remote loopback.
By default, the timeout interval for remote loopback is 20 minutes. After 20
minutes, remote loopback is disabled automatically. You are advised not to set
the timeout interval to 0. If the timeout interval is set to 0, the link retains in
remote loopback state.
Remote loopback is implemented successfully only when EFM protocols at the
local end and the peer are in handshake state and EFM at the local end works

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3485

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

in active mode. You can run the display efm session { all | interface
interface-type interface-number } command to check whether the EFM status
on both devices is detect. The display efm { all | interface interface-type
interface-number } command can be used to check the EFM modes of the
interfaces at both ends of a link.
Step 2 (Optional) Configure a receiving device to ignore remote loopback requests
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run efm loopbackignore-request
The interface is configured to ignore remote loopback requests.
If an interface is in loopback state, the interface loops back all received traffic,
causing service interruption and imposing attacks. To solve the problem,
configure the local device to ignore remote loopback requests.
By default, the local device processes remote loopback requests.
Step 3 Configuring the interface in active EFM mode to send test packets
NOTE

Only one interface can send EFM test packets at one time.

1. Run system-view
The system view is displayed.
2. Run test-packet start interface interface-type interface-number [ -c count | -
p speed | -s size ] *
The device is configured to send test packets.
By default, the size of a test packet is 64 bytes, the rate at which test packets
are sent is 1 Mbit/s, and the number of sent packets is 5. During test packet
transmission, parameters of sent test packets cannot be changed.
The outbound interface of test packets should be the interface connected to
the link to be tested.
Press Ctrl+C to stop sending test packets.
Step 4 Disabling remote loopback
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run efm loopback stop
Remote loopback is disabled on the interface.
If remote loopback is left enabled, the remote device keeps looping back
service data, causing a service interruption. To prevent this problem, a
capability can be configured to disable remote loopback automatically after a
specified timeout interval. By default, the timeout interval for remote
loopback is 20 minutes. After the timeout interval expires, the local device
automatically sends a message to instruct the remote device to disable

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3486

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

remote loopback. To disable remote loopback manually, perform the

preceding procedures.

----End

22.8.5.4 Configuring Remote Fault Indication

Remote fault indication is used to detect remote device faults and monitor
Ethernet performance.
After EFM connections have been established, both EFM entities exchange
Information OAMPDUs. When traffic is interrupted because an EFM entity fails or
becomes unavailable, the faulty EFM entity will send an Information OAMPDU
carrying a critical link event flag to its remote EFM entity, record a log, and send
an alarm. This mechanism helps administrators to learn the link status in real time
and troubleshoot link faults promptly.
As shown in Figure 22-52, if a fault occurs on Switch B, Switch B sends an
Information OAMPDU carrying a critical link event flag to the AC. Association
between EFM and Port1 is triggered and services are switched to the backup path.
This association ensures reliable traffic transmission.

Figure 22-52 Remote fault indication and association between EFM and an
interface
SwitchA

PC AC
User Port1 IP/MPLS
Network

EFM
SwitchB

Pre-configuration Tasks
Before configuring remote fault indication, complete the following task:
● 22.8.5.1 Configuring Basic EFM Functions

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface at one end of the link is displayed.
Step 3 Run efm { critical-event | dying-gasp | link-fault | timeout } trigger error-down
Association between EFM and the interface is configured. The association will be
triggered if a remote fault occurs.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3487

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

By default, association between EFM and the interface is not triggered by a

remote fault.
The efm trigger error-down command associates an error event with an
interface. When EFM detects critical-event, dying-gasp, link-fault, or timeout
faults, the protocol status of the interface becomes Down and all services on the
interface are interrupted. Traffic will not be switched back even if the faulty link
recovers and the protocol status of the interface does not change. You need to
manually check link quality before switching traffic back to the original link.
----End

22.9 VRRP Configuration

This chapter describes how to configure Virtual Router Redundancy Protocol
(VRRP). VRRP is a fault-tolerant protocol and switches services from the master
device to the backup device when the next-hop device of the master device fails,
ensuring nonstop service transmission and reliability.

22.9.1 Overview of VRRP

Definition
The Virtual Router Redundancy Protocol (VRRP) groups multiple routing devices
into a virtual router and uses the next hop address in the default route of hosts as
the IP address of the virtual router. When the gateway becomes faulty, VRRP
selects a new gateway to transmit service traffic to ensure reliable communication.

Purpose
As networks rapidly develop and applications become diversified, various value-
added services, such as IPTV and video conferencing are widely used. Demands for
network infrastructure reliability are increasing, especially for nonstop service
transmission.
Generally, all hosts on the same network segment have the same default route
with the gateway address as the next hop address. The hosts use the default route
to send packets to the gateway and the gateway forwards the packets to other
network segments. When the gateway fails, the hosts with the same default route
cannot communicate with external networks. Configuring multiple egress
gateways is a common method to improve system reliability. However, route
selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking, and uses the next hop address in the
default route of hosts as the IP address of the virtual router to implement
gateway backup. When the gateway becomes faulty, VRRP selects a new gateway
to transmit service traffic to ensure reliable communication.

Benefits
On a multicast or broadcast LAN such as an Ethernet network, VRRP provides a
highly reliable link when the gateway becomes faulty without modifying host and

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3488

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

gateway configurations. VRRP prevents network interruptions when a single link

becomes faulty.

22.9.2 Understanding VRRP

22.9.2.1 Basic Concepts of VRRP

As shown in Figure 22-53, HostA is dual-homed to AC1 and AC2 through Switch.
AC1 and AC2 constitute a VRRP group so that they are considered as a virtual
router for link redundancy.

Figure 22-53 VRRP group

Master
10.1.1.2/24 Priority:120

Switch
AC1
Internet
AC2
HostA
Gateway:10.1.1.10/24
IP Address:10.1.1.3/24
Backup
10.1.1.1/24 Priority:100

Switch Virtual Router

Internet

HostA VRRP VRID 1

Gateway:10.1.1.10/24 Virtual IP Address:10.1.1.10/24
IP Address:10.1.1.3/24 Virtual MAC Address:0000-5e00-0101

VRRP can be deployed on a network shown in Figure 22-53. VRRP involves the
following entities:

● VRRP router: device running VRRP. It may join one or more virtual routers,
AC1 and AC2 are VRRP routers.
● Virtual router: VRRP group. It consists of one master and one or more
backups. The VRRP group is used as the default gateway on a LAN. AC1 and
AC2 constitute a virtual router.
● Virtual router master: VRRP device that forwards packets. AC1 is the virtual
router master.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3489

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Virtual router backup: a group of VRRP devices that do not forward packets.
When the master device is faulty, a backup device preempts to be the new
master. AC2 is the virtual router backup.
● VRID: virtual router ID. The VRID of the virtual router composed of AC1 and
AC2 is 1.
● Virtual IP address: IP address of a virtual router. A virtual router can be
assigned one or more virtual IP addresses. Virtual IP addresses are
configurable. The virtual IP address of the virtual router composed of AC1 and
AC2 is 10.1.1.10/24.
● IP address owner: VRRP device that uses an IP address of a virtual router as
the actual interface address. If an IP address owner is available, it usually
functions as the virtual router master. The interface address of AC1 and the IP
address of the virtual router are both 10.1.1.10/24, so AC1 is the IP address
owner.
● Virtual MAC address: MAC address that is generated by the virtual router
based on the virtual router ID. A virtual router has one virtual MAC address
and is in the format of 00-00-5E-00-01-{VRID}(VRRP for IPv4) or
00-00-5E-00-02-{VRID}(VRRP for IPv6). The virtual router sends ARP Reply
packets using the virtual MAC address instead of the interface MAC address.
The VRID of the virtual router composed of AC1 and AC2 is 1, so the MAC
address of the VRRP group is 00-00-5E-00-01-01.

22.9.2.2 VRRP Packets

VRRP packets are sent to notify all backup devices in a VRRP group of the master
device priority and status.
VRRP packets are encapsulated into IP packets and sent to the VRRP IP multicast
address. In the IP packet header, the source address is the primary IP address of
the interface that sends the packets, the destination address is 224.0.0.18, the TTL
is 255, and the protocol number is 112. The primary IP address is not the virtual IP
address.
NOTE

Primary IP address: is selected from one of actual IP addresses of interfaces. Usually, it is

the first configured IP address.

VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 applies to the IPv4 network,
and VRRPv3 applies to IPv4 and IPv6 networks.
VRRP is classified into VRRP for IPv4 and VRRP for IPv6 (VRRP6) by network type.
VRRP for IPv4 supports VRRPv2 and VRRPv3, and VRRP for IPv6 supports only
VRRPv3.

VRRP Packet Formats

Figure 22-54 shows the VRRPv2 packet format, and Figure 22-55 shows the
VRRPv3 packet format.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3490

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-54 VRRPv2 packet format

0 34 7 15 23 31
Version Type Virtual Rtr ID Priority Count IP Addrs
Auth Type Adver Int Checksum
IP Address (1)

......
IP Address (n)
Authentication Data (1)
Authentication Data (2)

Figure 22-55 VRRPv3 packet format

0 3 4 7 8 15 16 23 24 31
Version Type Virtual Rtr ID Priority Count IPvX Addr

(rsvd) Max Adver Int Checksum

IPvX Address(es)

Table 22-40 lists fields in a VRRP packet.

Table 22-40 Description of fields in a VRRP packet

Field Description

VRRPv2 VRRPv3

Version VRRP protocol version. The VRRP protocol version. The

value is 2. value is 3.

Type VRRP Advertisement packet VRRP Advertisement packet

type. The value 1 indicates an type. The value 1 indicates an
Advertisement packet. Advertisement packet.

Virtual Rtr Virtual router ID. The value Virtual router ID. The value
ID (VRID) ranges from 1 to 255. ranges from 1 to 255.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3491

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Field Description

VRRPv2 VRRPv3

Priority Priority of the master in the Priority of the master in the

VRRP group. The value ranges VRRP group. The value ranges
from 0 to 255. The value 0 from 0 to 255. The value 0
indicates that the device does indicates that the device does
not participate in the VRRP not participate in the VRRP
group. The backup device can group. The backup device can
become the master become the master
immediately. The value 255 is immediately. The value 255 is
reserved for the IP address reserved for the IP address
owner. The default value is 100. owner. The default value is 100.

Count IP Number of virtual IPv4 Number of virtual IPv4 or IPv6

Addrs/ addresses in the VRRP group. addresses in the VRRP group.
Count IPvX
Addr

Auth Type Authentication mode. There are -

three authentication modes:
● 0: Non Authentication
● 1: Simple Text Password
● 2: IP Authentication Header
(MD5 authentication)

Adver Interval at which VRRP Interval at which VRRP

Int/Max Advertisement packets are sent, Advertisement packets are sent,
Adver Int in seconds. in centiseconds.

Checksum 16-bit checksum, which is used 16-bit checksum, which is used

to detect data damage in VRRP to detect data damage in VRRP
packets. packets.

IP Address/ Virtual IPv4 address in the VRRP Virtual IPv4 or IPv6 address in
IPvX group. The Count IP Addrs field the VRRP group. The Count IPvX
Address(es) determines the number of Addrs field determines the
virtual IPv4 addresses in the number of virtual IPv4 or IPv6
VRRP group. addresses in the VRRP group.

Authenticat Authentication key. This field is -

ion Data used only in simple
authentication mode and MD5
authentication mode. In other
authentication modes, this field
is filled with 0.

rsvd - Reserved. The value must be 0.

VRRPv2 and VRRPv3 have the following differences:

● Support different networks. VRRPv3 applies to IPv4 and IPv6 networks,
whereas VRRPv2 applies to only the IPv4 network.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3492

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Have different authentication functions. VRRPv3 does not support

authentication, whereas VRRPv2 supports.
NOTE
VRRPv2 reserves the authentication field in VRRP packets to be compatible with VRRP
defined in RFC 2338. VRRP authentication cannot improve security.
● Use different units for the interval at which VRRP Advertisement packets are
sent. VRRPv3 uses the centiseconds, whereas VRRPv2 uses the seconds.

VRRP Authentication
Different authentication modes and authentication keys can be set in VRRPv2
Advertisement packets:
● Non-authentication: The device does not authenticate outgoing VRRP
Advertisement packets. In addition, the device does not authenticate the
received VRRP packets. It considers all the received packets valid.
● Simple authentication: The device encapsulates the authentication mode and
authentication key into an outgoing VRRP Advertisement packet. The device
that receives the VRRP Advertisement packet compares the authentication
mode and authentication key in the packet with those configured on the
device. If the values are the same, the device considers the received VRRP
Advertisement packet valid. If the values are different, the device considers
the received VRRP Advertisement packet invalid and discards it.
● MD5 authentication: The device uses the MD5 algorithm to encrypt the
authentication key and encapsulates the key in the Authentication Data field
of an outgoing VRRP Advertisement packet. The device that receives the VRRP
Advertisement packet matches the authentication mode with the decrypted
authentication key in the packet.

22.9.2.3 VRRP Implementation

VRRP State Machine

VRRP defines three states: Initialize, Master, and Backup. Only the device in Master
state can forward packets destined for the virtual IP address.

Table 22-41 VRRP states

Status Description

Initialize VRRP is unavailable. The device in Initialize state cannot

process VRRP packets.
When a device starts or detects a fault, it enters the Initialize
state.
After receiving an interface Up message, the VRRP-enabled
device with priority 255 becomes the master and the VRRP-
enabled device with its priority less than 255 first switches to
the Backup state.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3493

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Status Description

Master The VRRP device in Master state performs the following

operations:
● Sends VRRP Advertisement packets at intervals.
● Uses the virtual MAC address to respond to ARP Request
packets destined for the virtual IP address.
● Forwards IP packets destined for the virtual MAC address.
● Processes the IP packets destined for the virtual IP address if
the device is an IP address owner. If the device is not the IP
address owner, it discards the IP packets destined for the
virtual IP address.
● Becomes the backup if the device receives a VRRP packet
with a higher priority than the VRRP priority of the device.
● Becomes the backup if the device receives a VRRP packet
with the same priority as the VRRP priority of the device
and the IP address of the local interface is smaller than the
IP address of the connected interface on the remote device.

Backup The VRRP device in Backup state performs the following

operations:
● Receives VRRP Advertisement packets from the master and
determines whether the master works properly.
● Does not respond to ARP Request packets destined for the
virtual IP address.
● Discards IP packets destined for the virtual IP address.
● Resets the Master_Down_Interval timer and does not
compare IP addresses if the received packet carries the same
priority as the device or higher priority than the device.
NOTE
Master_Down_Interval timer: If the backup does not receive
Advertisement packets after the timer expires, the backup becomes
the master. The calculation formula is as follows:
Master_Down_Interval = 3xAdvertisement_Interval + Skew_time
(offset time). Skew_Time = (256 - Priority)/256
● Sets the Skew_time (offset time) if the device receives a
VRRP packet with lower priority than the VRRP priority of
the device and the packet priority is 0. Discards the packet
with non-0 priority and becomes the master.

VRRP Working Process

The VRRP working process is as follows:
1. Devices in a VRRP group select the master based on device priorities. The
master sends gratuitous ARP packets to notify the connected device or host of
its virtual MAC address.
2. The master periodically sends VRRP Advertisement packets to all backups in
the VRRP group to advertise its configuration and running status.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3494

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. If the master becomes faulty, the backups in the group select a new master
based on priorities.
4. When the VRRP group status changes, a new master is used. The new master
sends gratuitous ARP packets carrying the virtual MAC address and virtual IP
address of the virtual router to update the MAC address entry on the
connected host or device. Then user traffic is switched to the new master. This
process is transparent to users.
5. When the original master recovers and is the IP address owner (priority of
255), the original master directly switches to the Master state. If the device
priority is smaller than 255, it first switches to the Backup state and its
original priority is restored.
6. If the backup has higher priority than the master, the working mode of the
backup determines whether the master is selected again.
NOTE

● Preemption mode: If the priority of a virtual router backup is higher than the
priority of the current virtual router master, the virtual router backup automatically
becomes the virtual router master.
● Non-preemption mode: As long as the virtual router master is working properly,
the backup with a higher priority cannot become the virtual router master.

To ensure that the master and backup cooperate, VRRP must be able to:
● Select the master.
● Advertise the master status.
The following describes the VRRP working process in details.
● Selecting the master
VRRP determines the device role in the virtual router based on device
priorities. The device with a higher priority is more likely to become the
master.
The VRRP-enabled device in the VRRP group first works in Initialize state.
After receiving an interface Up message, the VRRP-enabled device with
priority 255 becomes the master and the VRRP-enabled device with its priority
less than 255 first switches to the Backup state. After the
Master_Down_Interval timer expires, the VRRP-enabled device switches to the
Master state again. The device that first switches to the Master state obtains
priorities of other devices in the group by exchanging VRRP Advertisement
packets. Then the master is selected.
– If the master priority in VRRP packets is higher than or equal to the
priority of the device, the backup retains in Backup state.
– If the master priority in VRRP packets is lower than the priority of the
device, the backup in preemption mode switches to the Master state or
the backup in non-preemption mode retains in Backup state.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3495

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● If multiple devices in the group switch to the master, the devices with a lower
priority switch to the Backup state and the device with the highest priority
becomes the master after these devices exchange Advertisement packets. If
multiple devices have the same priority, the device where the interface with the
largest IP address resides is the master.
● If the device is the IP address owner, it switches to the Master state immediately
after receiving an interface Up message.
● Advertising the master status
The master periodically sends VRRP Advertisement packets to all backups in
the VRRP group to advertise its configuration and running status. The backup
determines whether the master works properly based on the received VRRP
Advertisement packets.
– When the master does not retain the Master state, for example, the
master leaves the group, it sends a VRRP Advertisement packet with
priority 0. In this manner, a backup can switch to the master immediately
without waiting for the Master_Down_Interval timer to expire. The
switchover period is called Skew time, in seconds. The value is calculated
using the following formula: Skew time = (256 - Backup priority)/256
– If the master cannot send VRRP Advertisement packets due to network
faults, the backups cannot learn the running status of the master. The
backups consider the master faulty only after the Master_Down_Interval
timer expires. Then a backup switches to the Master state.
Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (in
seconds)
NOTE

If congestion occurs on an unstable network, the backup may not receive VRRP
Advertisement packets from the master within the period of Master_Down_Interval. A
backup then switches to the Master state. If the VRRP Advertisement packet from the
original master reaches the backup (new master), the new master switches to the
Backup state. In this case, the VRRP group status changes frequently. To solve the
problem, the preemption delay is used. When the Master_Down_Interval timer expires,
the backup waits for the preemption delay. If the backup does not receive a VRRP
Advertisement packet within the preemption delay, it switches to the Master state.

22.9.2.4 VRRP in Active/Standby Mode

VRRP often uses the active/standby mode, as shown in Figure 22-56. In active/
standby mode, a virtual router must be set up. The virtual router consists of a
master router and multiple backup routers.
AC1 is the master and forwards service packets. AC2 and AC3 are backup devices
and do not forward services. AC1 periodically sends VRRP Advertisement packets
to AC2 and AC3, notifying that AC1 itself works properly. If AC1 is faulty, a new
master is elected from AC2 and AC3 based on their priorities. The new master
then takes over traffic.
After AC1 recovers, it becomes the master in preemption mode. In non-
preemption mode, AC1 retains in Backup state.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3496

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-56 VRRP in active/standby mode

VRRP
AC1
Master
HostA

Internet
AC2
Backup
HostB

AC3
Backup

VRRP
AC1
Initialize
HostA

Internet
AC2
Backup
HostB

AC3 Data flow1

Master Data flow2

22.9.2.5 VRRP in Load Balancing Mode

In load balancing mode, multiple VRRP groups transmit services simultaneously, as
shown in Figure 22-57. The implementation and packet negotiation in load
balancing mode are similar to those in active/standby mode. Each VRRP group has
one master device and multiple backup devices. In load balancing mode, multiple
VRRP groups need to be set up and use different master devices. A VRRP device
can join multiple VRRP groups and has different priorities in these VRRP groups.

Multi-gateway load balancing

NOTE
Load balancing is supported when ACs work in VRRP mode; when ACs work in VRRP HSB
mode, load balancing is not supported.

Multiple VRRP backup groups with virtual IP addresses are created and specified
as gateways for different users to implement load balancing.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3497

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-57 Multi-gateway load balancing

VRRP VRID 1
Virtual IP Address:
10.1.1.111
AC1
HostA VRID1:Master
Default gateway: VRID2:Backup
10.1.1.111
AC3

Internet

HostB Data flow 1

AC2
Default gateway: Data flow 2
10.1.1.112 VRID2:Master
VRID1:Backup

VRRP VRID 2
Virtual IP Address:
10.1.1.112

As shown in Figure 22-57, two VRRP groups are configured:

● VRRP group 1: AC1 functions as the master and AC2 as the backup.
● VRRP group 2: AC2 functions as the master and AC1 as the backup.
Backup groups 1 and 2 are gateways for different hosts. Multiple VRRP groups
load balance traffic and back up each other.

22.9.2.6 mVRRP
A Switch is usually dual-homed to two ACs to improve network reliability. Multiple
VRRP groups can be configured on the two ACs to transmit various types of
services. Each VRRP group needs to maintain its own state machine; therefore, a
large number of VRRP packets are transmitted between ACs.
As shown in Figure 22-58, to decrease bandwidth and CPU resources occupied by
protocol packets, configure a VRRP group as an mVRRP group and bind other
service VRRP groups to the mVRRP group. The mVRRP group sends VRRP
Advertisement packets to determine the master and backup status for its service
VRRP groups.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3498

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-58 mVRRP networking

AC1
HostA Master

Switch
2
Service mVRRP Internet
VRRP

1 mVRRP

HostB AC2
Backup

● mVRRP Backup Group

The mVRRP backup group has all functions of a common VRRP backup group,
and determines the statuses of its member VRRP groups by sending VRRP
Advertisement packets. An mVRRP backup group can be deployed on the
same side as service VRRP backup groups or on the interfaces that directly
connect AC1 and AC2:
– When an mVRRP group functions as the gateway (mVRRP1 in Figure
22-58), the mVRRP group determines the Master and Backup status and
forwards service traffic. You must create a VRRP group and configure a
virtual IP address as the gateway address, and then configure this VRRP
group as an mVRRP group.
– When an mVRRP group does not function as the gateway (mVRRP2 in
Figure 22-58), the mVRRP group only determines the master and backup
status, and cannot forward service traffic. The mVRRP group does not
require a virtual IP address, and you can directly create an mVRRP group
on an interface. mVRRP simplifies maintenance.
● Service VRRP Backup Group
After common VRRP backup groups are bound to an mVRRP backup group,
they become service VRRP backup groups (member VRRP backup groups).
Service VRRP backup groups do not need to send VRRP packets to determine
their states. The mVRRP backup group sends VRRP packets to determine its
state and the states of all its bound service VRRP backup groups.

22.9.3 Summary of VRRP Configuration Tasks

After basic VRRP functions are configured, VRRP can work properly. To deploy
special VRRP functions such as mVRRP and VRRP association, perform the
configurations according to the following sections.
Table 22-42 describes the VRRP configuration tasks.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3499

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-42 VRRP configuration tasks

Scenario Description Task

Configure basic You can configure an IPv4 VRRP 22.9.6.1 Configuring

functions of an IPv4 group to implement gateway Basic Functions of an
VRRP group backup and ensure stable and IPv4 VRRP Group
efficient data forwarding.

Configure an IPv4 An mVRRP group can be bound 22.9.6.2 Configuring

mVRRP group to service VRRP groups and can an IPv4 mVRRP
determine the status of a Group
service VRRP group based on
the binding. mVRRP is used
when multiple VRRP groups
coexist and helps decrease the
number of VRRP packets to be
sent and minimize network
bandwidth consumption.

Configure basic You can configure an IPv6 VRRP 22.9.6.4 Configuring

functions of an IPv6 group to implement gateway Basic Functions of an
VRRP group backup and ensure stable and IPv6 VRRP Group
efficient data forwarding.

Configure an IPv6 An mVRRP6 group can be 22.9.6.5 Configuring

mVRRP group bound to service VRRP6 groups an IPv6 mVRRP
and can determine the status of Group
a service VRRP group based on
the binding. mVRRP6 is used
when multiple VRRP6 groups
coexist and helps decrease the
number of VRRP6 packets to be
sent and minimize network
bandwidth consumption.

Configure A VRRP IPv4 backup group can 22.9.6.3.1

association between be configured to track BFD Configuring
VRRP and BFD to sessions. If one of the BFD Association Between
implement a rapid sessions changes its status, the VRRP and BFD to
active/standby VRRP BFD module notifies the VRRP Implement a Rapid
switchover IPv4 backup group of the Active/Standby
change. After receiving the Switchover
notification, the VRRP IPv4
backup group rapidly performs
a master/backup VRRP
switchover.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3500

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Scenario Description Task

Configure When the uplink interface of 22.9.6.3.2

association between the master becomes faulty, Configuring
VRRP and the VRRP cannot detect the status Association Between
interface status change of interfaces not in the VRRP and the
VRRP group. This may interrupt Interface Status
services. You can associate a
VRRP group with the interface
status. When the monitored
interface is faulty, the priority of
the master is adjusted. This
triggers an active/standby
switchover and reduces the
impact of services on the uplink
interface.

Configure Because VRRP cannot detect 22.9.6.3.3

association between faults on the uplink of the VRRP Configuring
VRRP and BFD to group, services may be Association Between
monitor the uplink interrupted. You can associate a VRRP and BFD to
status VRRP group with a BFD session Monitor the Uplink
on the master so that the BFD Status
session monitors the uplink
status of the master. When the
BFD session detects faults on
the uplink, it notifies the VRRP
group that the priority of the
master needs to be decreased.
Then an active/standby
switchover is triggered
immediately. This reduces the
impact of uplink faults on
service forwarding.
BFD implements millisecond-
level detection. Association
between VRRP and BFD
provides fast active/standby
switchover.

Configuring Because VRRP cannot detect 22.9.6.3.4

Association Between faults on the uplink of a VRRP Configuring
VRRP and Routing group, services may be Association Between
to Monitor the interrupted. The VRRP group VRRP and Routing to
Uplink Status monitors the number of routes Monitor the Uplink
on the uplink forwarding path. Status
When the route is withdrawn or
becomes inactive, the master'
priority is adjusted and an
active/standby switchover is
performed. This reduces link
faults on service forwarding.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3501

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Scenario Description Task

Configuring Uplink traffic passes the master, 22.9.6.3.5

Association Between but downlink traffic is often Configuring
a VRRP Group and a transmitted through a route of Association Between
Direct Route a dynamic routing protocol. In a VRRP Group and a
this case, uplink and downlink Direct Route
traffic may be transmitted
along different paths. If the
firewall is configured for the
VRRP group to improve security,
the firewall blocks traffic that is
sent and received along
different paths. In addition, it is
difficult to monitor such traffic
and collect traffic statistics.
You can associate a VRRP group
with a direct route so that VRRP
affects route selection of a
dynamic routing protocol.
Association ensures that uplink
traffic and downlink traffic are
transmitted along the same
path.

Configure When the uplink interface of 22.9.6.6.1

association between the master becomes faulty, Configuring
VRRP6 and the VRRP cannot detect the status Association Between
interface status change of interfaces not in the VRRP6 and the
VRRP group. This may interrupt Interface Status
services. You can associate a
VRRP group with the interface
status. When the monitored
interface is faulty, the priority of
the master is adjusted. This
triggers an active/standby
switchover and reduces the
impact of services on the uplink
interface.

22.9.4 Configuration Limitations for VRRP

● After specifying a VLANIF interface as a management interface, you are
advised not to configure the IP address of the VLANIF interface as the virtual
IP address of a VRRP group. Otherwise, you may not be able to manage
devices through this virtual IP address.
● VRRP is a Layer 2 protocol that can be deployed only on a Layer 2 network.
● When multiple VRRP groups exist on the network, ensure that VRIDs on
different devices are unique. Otherwise, virtual MAC address conflicts may
occur.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3502

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● VRRP HSB supports only the active/standby mode but not the load balancing
mode.

22.9.5 Default Settings for VRRP

The following table lists the default settings for VRRP.

Table 22-43 Default settings for VRRP

Parameter Default Setting

Priority of the device in a VRRP group 100

Preemption Immediate preemption mode

Interval at which VRRP Advertisement 2s

packets are sent

Interval at which gratuitous ARP 120s

packets are sent

22.9.6 Configuring VRRP

22.9.6.1 Configuring Basic Functions of an IPv4 VRRP Group

An IPv4 VRRP group implements gateway backup and ensures stable and efficient
data forwarding.

Pre-configuration Tasks
Before configuring basic functions of an IPv4 VRRP group, complete the following
task:
● Configuring network layer attributes of interfaces to ensure network
connectivity

22.9.6.1.1 Creating a VRRP Group

Context
VRRP virtualizes multiple routing devices into a virtual router without changing
the networking, and uses the next hop address in the default route of hosts as the
IP address of the virtual router to implement gateway backup. After a VRRP group
is configured, traffic is forwarded through the master. When the master fails, a
new master is selected among backups to forward traffic. This implements
gateway backup.
If load balancing is required in addition to gateway backup, configure two or more
VRRP groups on an interface in multi-gateway load balancing mode.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3503

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTICE

If both VRRP and static ARP are configured on a VLANIF interface on a device, an
IP address mapped to a static ARP entry cannot be used as a virtual IP address. If
a VRRP virtual IP address is an IP address mapped to a static ARP entry on the
device, the device generates incorrect host routes, affecting traffic forwarding.
The virtual MAC address of a VRRP group cannot be configured as a static MAC
address or blackhole MAC address.

NOTE

It is recommended that a VRRP group be not configured on the VLANIF interface

corresponding to a Super-VLAN. This is because device performance may be affected.

Procedure
● Create a VRRP group working in master/backup mode.
a. Run system-view
The system view is displayed.
b. Run interface vlanif vlan-id
The VLANIF interface view is displayed.
c. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP group is created, and a virtual IP address is assigned to the VRRP
group.
NOTE

● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● Two devices in a VRRP group must be configured with the same VRID.
● When multiple VRRP groups exist on the network, ensure that VRIDs on
different devices are unique. Otherwise, virtual MAC address conflicts may
occur.
● Create VRRP groups working in multi-gateway load balancing mode.
If VRRP groups need to work in multi-gateway load balancing mode, repeat
the steps to configure two or more VRRP groups on the interface and assign
different VRIDs to them.

22.9.6.1.2 Setting the Device Priority in a VRRP Group

Context
The device with a higher priority in a VRRP group is more likely to become the
master. You can specify the master by setting the device priority.

Procedure
1. Run system-view
The system view is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3504

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

2. Run interface vlanif vlan-id

The VLANIF interface view is displayed.
3. Run vrrp vrid virtual-router-id priority priority-value
The device priority in a VRRP group is set.
By default, the device priority is 100. A greater value indicates a higher
priority of VRRP packets.
NOTE

● Priority 0 is reserved in the system. Priority 255 is reserved for the IP address
owner, and the priority of the IP address owner cannot be changed. The priority
that can be set for switches ranges from 1 to 254.
● When devices in a VRRP group have the same priority, if devices preempt to be the
master simultaneously, the device on an interface with the largest IP address is the
master. The device that first switches to Master state becomes the master.

22.9.6.1.3 (Optional) Configuring the VRRP Version Number

Context
IPv4 VRRP supports VRRPv2 and VRRPv3. If devices in a VRRP group use different
VRRP versions, VRRP packets may fail to be forwarded.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vrrp version { v2 | v3 }
The VRRP version number is set.
By default, VRRPv2 is used.

----End

22.9.6.1.4 (Optional) Configuring VRRP Time Parameters

Context
You can set VRRP time parameters as needed. Table 22-44 lists applicable
scenarios.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3505

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-44 Applicable scenarios of VRRP time parameters

Function Applicable Scenario

Interval at which The master in a VRRP group sends VRRP Advertisement

VRRP packets to the backup at intervals to notify that it works
Advertisement properly. After the Master_Down_Interval timer expires, the
packets are sent backup switches to the master if it does not receive VRRP
Advertisement packets.
Heavy network traffic or time differences on different devices
may result in the status change of the backup due to
timeout of VRRP packets. When packets from the original
master reach the new master, the status of the new master
changes. You can increase the interval to solve this problem.

Preemption On an unstable network, if the BFD session status monitored

delay by a VRRP group flaps frequently or the backup cannot
receive VRRP Advertisement packets within a specified
period, an active/standby switchover is frequently performed,
which causes network flapping. You can adjust the
preemption delay of the master in the VRRP group so that
the backup preempts to be the master after the delay. This
prevents frequent change of the VRRP group status.

Timeout interval To ensure that MAC address entries on the downstream

at which switch are correct, the master in the VRRP group periodically
gratuitous ARP sends gratuitous ARP packets to update MAC address entries
packets are sent on the downstream switch.
by the master

Delay in On an unstable network, frequent flapping of the BFD

recovering a session status or interface status monitored by a VRRP group
VRRP group may result in frequent switching of the VRRP group status.
After the delay in recovering a VRRP group is set, the VRRP
group does not immediately respond to an interface or BFD
session Up event. Instead, the VRRP group processes this
event after the delay in recovering a VRRP group. This
prevents frequent switching of the VRRP group status.

Procedure
● Setting the interval at which VRRP Advertisement packets are sent
a. Run system-view

The system view is displayed.

b. Run interface vlanif vlan-id

The VLANIF interface view is displayed.

c. Run vrrp vrid virtual-router-id timer advertise advertise-interval

The interval at which VRRP Advertisement packets are sent is set.

By default, the interval is 2 seconds.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3506

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Setting the preemption delay of the master

a. Run system-view

The system view is displayed.

b. Run interface vlanif vlan-id

The VLANIF interface view is displayed.

c. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value

The preemption delay is set.

By default, the preemption delay is 0. In immediate preemption mode, a

backup can immediately preempt to be the master when its priority is
higher than the master.

You can use the vrrp vrid virtual-router-id preempt-mode disable

command to set the non-preemption mode. In non-preemption mode,
the master that works properly can retain the Master state. The backup
cannot preempt to be the master even if the priority of the master
decreases.

You can use the undo vrrp vrid virtual-router-id preempt-mode

command to restore the default preemption mode.

NOTE

It is recommended that you set the preemption delay of the backup in a VRRP
group to 0, configure the master in preemption mode, and set the preemption
delay. On an unstable network, these settings allow a period of time for status
synchronization between the uplink and downlink. If the preceding settings are
not used, two masters coexist and users devices may learn incorrect address of
the master.
● Setting the timeout interval at which gratuitous ARP packets are sent by the
master
a. Run system-view

The system view is displayed.

b. Run vrrp gratuitous-arp timeout time

The timeout interval at which gratuitous ARP packets are sent by the
master is set.

By default, the master sends gratuitous ARP packets every 120s.

NOTE

The timeout interval at which the master sends gratuitous ARP packets must be
shorter than the aging time of ARP entries on user devices.

▪ To restore the default interval at which a gratuitous ARP packet is

sent, run the undo vrrp gratuitous-arp timeout command in the
system view.

▪ If the master does not need to send gratuitous ARP packets, run the
vrrp gratuitous-arp timeout disable command in the system view.
● Setting the delay in recovering a VRRP group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3507

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

a. Run system-view

The system view is displayed.

b. Run vrrp recover-delay delay-value

The delay in recovering a VRRP group is set.

By default, the delay in recovering a VRRP group is 0.

NOTE

● After this command is used, all VRRP groups on the device are configured
with the same delay.
● When the device in a VRRP group restarts, VRRP status flapping may occur. It
is recommended that the delay be set based on actual networking.

----End

22.9.6.1.5 (Optional) Setting the Mode in Which VRRP Packets Are Sent in a Super-
VLAN

Context
When a VRRP group is configured in a Super-VLAN, VRRP Advertisement packets
can be sent to a specified Sub-VLAN or all Sub-VLANs of the Super-VLAN. Sending
VRRP Advertisement packets to a specified Sub-VLAN efficiently saves network
bandwidth.

Prerequisites
A Super-VLAN has been configured.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 3 Run vrrp advertise send-mode { sub-vlan-id | all }

The mode in which VRRP Advertisement packets are sent in a Super-VLAN is set.

By default, the master sends VRRP Advertisement packets to a Sub-VLAN that is

Up and has the smallest VLAN ID in the Super-VLAN.

● If sub-vlan-id is specified, the master sends VRRP Advertisement packets to a

specified Sub-VLAN.
● If all is specified, the master broadcasts VRRP Advertisement packets to all
Sub-VLANs of a Super-VLAN.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3508

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTICE

If all is specified, the master broadcasts VRRP Advertisement packets to all Sub-
VLANs of a Super-VLAN. This causes bandwidth usage to increase. Therefore, do
not specify all.

----End

22.9.6.1.6 (Optional) Disabling VRRP TTL Check

Context
The system checks the TTL value in received VRRP packets, and discards VRRP
packets in which the TTL value is not 255. On a network where devices of
different vendors are deployed, if TTL check is enabled on the device, the device
may incorrectly discard valid packets. In this case, disable TTL check so that
devices of different vendors can communicate.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The VLANIF interface view is displayed.
Step 3 Run vrrp un-check ttl
The device is configured not to check the TTL value in VRRP packets.
By default, the system checks the TTL value in VRRP packets.

----End

22.9.6.1.7 (Optional) Setting the Authentication Mode of VRRP Packets

Context
Different authentication modes and authentication keys can be set in VRRPv2
Advertisement packets:
● Non-authentication: The device does not authenticate outgoing VRRP
Advertisement packets. In addition, the device does not authenticate the
received VRRP packets. It considers all the received packets valid.
● Simple authentication: The device encapsulates the authentication mode and
authentication key into an outgoing VRRP Advertisement packet. The device
that receives the VRRP Advertisement packet compares the authentication
mode and authentication key in the packet with those configured on the
device. If the values are the same, the device considers the received VRRP
Advertisement packet valid. If the values are different, the device considers
the received VRRP Advertisement packet invalid and discards it.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3509

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● MD5 authentication: The device uses the MD5 algorithm to encrypt the
authentication key and encapsulates the key in the Authentication Data field
of an outgoing VRRP Advertisement packet. The device that receives the VRRP
Advertisement packet matches the authentication mode with the decrypted
authentication key in the packet.
NOTE

Only VRRPv2 supports authentication. VRRPv3 does not support authentication. VRRPv2
reserves the authentication field in VRRP packets to be compatible with VRRP defined in
RFC 2338. VRRP authentication cannot improve security.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 3 Run vrrp vrid virtual-router-id authentication-mode { simple { key | plain key |
cipher cipher-key } | md5 md5-key }

The authentication mode in VRRP Advertisement packets is configured.

NOTE

● Devices in a VRRP group must be configured with the same authentication mode and
authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup
status.
● An MD5 key can be entered in cipher text or plain text. The MD5 key in plain text is a
string of 1 to 8 characters, and the MD5 key in cipher text is a string of 24, 32 or 48
characters.

----End

22.9.6.1.8 Verifying the Configuration of Basic Functions for an IPv4 VRRP Group

Procedure
● Run either of the following commands to check the VRRP group status and
parameters:
– display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] [ brief ]
– display vrrp { interface interface-type interface-number [ virtual-router-
id ] | virtual-router-id } [ verbose ]
● Run the display vrrp protocol-information command to check VRRP
information.
● Run the display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] statistics command to check statistics about sent and received
packets of a VRRP group.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3510

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

22.9.6.2 Configuring an IPv4 mVRRP Group

An mVRRP group can be bound to VRRP groups and determine the status of its
bound VRRP groups. mVRRP helps decrease the number of VRRP packets to be
sent and minimize network bandwidth consumption.

Pre-configuration Tasks
Before configuring basic functions of an IPv4 mVRRP group, complete the
following task:
● Configuring network layer attributes of interfaces to ensure network
connectivity

22.9.6.2.1 Configuring an mVRRP Group

Context
Each VRRP group needs to maintain its own state machine. Configuring an mVRRP
group reduces bandwidth occupied by VRRP packets.

Procedure
1. Run system-view
The system view is displayed.
2. Run interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
3. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP group is created, and a virtual IP address is assigned to the VRRP
group.
4. Run vrrp vrid virtual-router-id priority priority-value
The priority of the VRRP group is configured.
5. Run admin-vrrp vrid virtual-router-id
The VRRP group is configured as an mVRRP group.
6. Run vrrp vrid virtual-router-id timer advertise advertise-interval
The interval at which the master sends VRRP Advertisement packets is
configured.

22.9.6.2.2 (Optional) Configuring a VRRP Group and Binding the VRRP Group to an
mVRRP Group

Context
You can bind VRRP groups to an mVRRP group so that mVRRP determines the
status of the bound VRRP groups.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3511

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
1. Run system-view
The system view is displayed.
2. Run interface vlanif vlan-id
The view of the VLANIF interface where a VRRP group is configured is
displayed.
3. Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP group is created, and a virtual IP address is assigned to the VRRP
group.
Because the mVRRP group determines the status of its service VRRP groups,
you do not need to set priorities for the bound VRRP groups.
4. Run vrrp vrid virtual-router-id1 track admin-vrrp interface interface-type
interface-number vrid virtual-router-id2 unflowdown
The VRRP group is bound to an mVRRP group.
After the binding is complete, the state machine of the bound VRRP group
depends on the status of the mVRRP group. The bound VRRP group inherits
the status of the mVRRP group, and deletes its VRRP packet timeout timer
and stops sending or receiving VRRP packets.
NOTE

A VRRP backup group can only be bound to a single mVRRP backup group.

22.9.6.2.3 Verifying the IPv4 mVRRP Group Configuration

Procedure
● Run the display vrrp binding admin-vrrp [ interface interface-type1
interface-number1 ] [ vrid virtual-router-id1 ] member-vrrp [ interface
interface-type2 interface-number2 ] [ vrid virtual-router-id2 ] command to
check bindings between an mVRRP group and VRRP groups.
● Run the display vrrp admin-vrrp command to check the status of all mVRRP
groups.

----End

22.9.6.3 Configuring VRRP Association

VRRP association enables VRRP to detect faults in a timely manner and triggers an
active/standby switchover when the master or the uplink of the master becomes
faulty. VRRP association optimizes VRRP switchover and enhances network
reliability.

Pre-configuration Tasks
Before configuring basic functions of an IPv4 VRRP group, complete the following
task:
● 22.9.6.1 Configuring Basic Functions of an IPv4 VRRP Group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3512

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

You can configure VRRP association only after basic VRRP functions are
configured.

22.9.6.3.1 Configuring Association Between VRRP and BFD to Implement a Rapid

Active/Standby Switchover

Context
When a VRRP group is faulty, the backup detects the fault and switches to the
master after the Master_Down_Interval timer expires. The switchover period is at
least 3s. During the switchover period, service traffic is still sent to the original
master, causing user traffic loss. As shown in Figure 22-59, the VRRP group is
associated with a BFD session on the backup so that the BFD session can rapidly
detect communication faults of the VRRP group. When the BFD session detects a
fault, it notifies the VRRP group that the priority of the backup needs to be
increased. Then an active/standby switchover is triggered immediately. This
millisecond-level switchover reduces traffic loss.

When the fault is rectified, the priority of the backup is restored and the original
master preempts to be the master to forward traffic.

NOTE

● A VRRP group can be associated with only a static BFD session or a static BFD session
with automatically negotiated discriminators.
● The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and non-0 on the master.

Figure 22-59 Association between VRRP and BFD to implement a rapid active/
standby switchover
Master
AC1

HostA
Switch
Internet

HostB
AC2
Backup
VRRP BFD packets

Procedure
Step 1 Configure a static session or a static BFD session with automatically negotiated
discriminators. For details, see 22.7.5.1 Configuring Single-Hop BFD, 22.7.5.2
Configuring Multi-Hop BFD, or 22.7.5.3 Configuring Static BFD with
Automatically Negotiated Discriminators.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3513

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 2 Run system-view

The system view is displayed.
Step 3 Run interface vlanif vlan-id
The view of the VLANIF interface on the backup where a VRRP group is configured
is displayed.
Step 4 Run vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name
bfd-configure-name } [ increased value-increased | reduced value-reduced ]
Association between VRRP and BFD is configured.

NOTE

When associating a VRRP group with a BFD session, note the following points:
● If session-name bfd-configure-name is specified, the VRRP group can bind to only a
static BFD session with automatically negotiated discriminators.
● If bfd-session-id is specified, the VRRP group can bind to only a static BFD session.
● After the value by which the priority increases is set, ensure that the priority of the
backup is higher than the priority of the master.
● When a BFD session is associated with VRRP or static route, the system does not allow
the associated BFD session to be deleted by default. To delete the associated BFD
session, run the bfd session nonexistent-config-check disable command to disable
the device from checking whether the associated BFD session is deleted.

----End

22.9.6.3.2 Configuring Association Between VRRP and the Interface Status

Context
When the uplink interface of the master becomes faulty, VRRP cannot detect the
status change of interfaces not in the VRRP group, causing service interruption.
You can associate a VRRP group with the interface status. When the monitored
interface is faulty, the priority of the master is reduced. This triggers an active/
standby switchover and reduces the impact of services on the uplink interface.
When the fault is rectified, the priority of the original master is restored and
preempts to be the master to forward traffic.

NOTE

The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and non-0 on the master.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface on the master where a VRRP group is configured
is displayed.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3514

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 3 Run vrrp vrid virtual-router-id track interface interface-type interface-number

[ increased value-increased | reduced value-reduced ]
Association between VRRP and the interface status is configured.
By default, when the monitored interface goes Down, the VRRP priority of the
device decreases by 10.

NOTE

● After the value by which the priority decreases is set, ensure that the priority of the
backup is higher than the priority of the master.

----End

22.9.6.3.3 Configuring Association Between VRRP and BFD to Monitor the Uplink
Status

Context
Because VRRP cannot detect faults on the uplink of a VRRP group, services may be
interrupted. As shown in Figure 22-60, a VRRP group is associated with a BFD
session on the master so that the BFD session monitors the uplink status of the
master. When the BFD session detects faults on the uplink, it notifies the VRRP
group that the priority of the master needs to be decreased. Then an active/
standby switchover is triggered immediately. This reduces the impact of uplink
faults on service forwarding.
When the fault is rectified, the priority of the original master is restored and
preempts to be the master to forward traffic.
BFD implements millisecond-level detection. Association between VRRP and BFD
provides fast active/standby switchover.

NOTE

● A VRRP group can be associated with only a static BFD session or a static BFD session
with automatically negotiated discriminators.
● The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and non-0 on the master.

Figure 22-60 Association between VRRP and BFD

Master
AC1 SwitchA
HostA
Switch

Internet

RouterE
HostB AC2 SwitchB
Backup
VRRP BFD packets

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3515

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
Step 1 Configure a static BFD session or a static BFD session with automatically
negotiated discriminators. For details, see 22.7.5.1 Configuring Single-Hop BFD,
22.7.5.2 Configuring Multi-Hop BFD, and 22.7.5.3 Configuring Static BFD with
Automatically Negotiated Discriminators.

Step 2 Run system-view

The system view is displayed.

Step 3 Run interface vlanif vlan-id

The view of the VLANIF interface on the master where a VRRP group is configured
is displayed.

Step 4 Run vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name

bfd-configure-name } [ increased value-increased | reduced value-reduced ]

Association between VRRP and BFD is configured.

By default, when the monitored BFD session becomes Down, the VRRP priority
decreases by 10.

NOTE

When associating a VRRP group with a BFD session, note the following points:
● If session-name bfd-configure-name is specified, the VRRP group can bind to only a
static BFD session with automatically negotiated discriminators.
● If bfd-session-id is specified, the VRRP group can bind to only a static BFD session.
● After the VRRP group is associated with a BFD session, the BFD session type cannot be
modified. Before deleting the BFD session type, you must delete all original
configurations.
● After the value by which the priority decreases is set, ensure that the priority of the
backup is higher than the priority of the master.

----End

22.9.6.3.4 Configuring Association Between VRRP and Routing to Monitor the

Uplink Status

Context
Because VRRP cannot detect faults on the uplink of a VRRP group, services may be
interrupted. The VRRP group monitors the number of routes on the uplink
forwarding path. When the route is withdrawn or becomes inactive, the master'
priority is adjusted and an active/standby switchover is performed. This reduces
link faults on service forwarding.

When the fault is rectified, the priority of the original master is restored and
preempts to be the master to forward traffic.

During route association, link switchover depends on convergence of a routing

protocol associated with the VRRP group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3516

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● When a VRRP group is associated with a static route, the device can detect only faults
on the direct uplink. To detect faults on an indirect uplink, associate a VRRP group with
a dynamic route.
● The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and non-0 on the master.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface on the master where a VRRP group is configured
is displayed.
Step 3 Run vrrp vrid virtual-router-id track ip route ip-address { mask-address | mask-
length } [ reduced value-reduced ]
Association between a route and a VRRP group is configured.
By default, the master' priority decreases by 10 if the associated route is
withdrawn or becomes inactive.

NOTE

After the value by which the priority decreases is set, ensure that the priority of the backup
is higher than the priority of the master.

----End

22.9.6.3.5 Configuring Association Between a VRRP Group and a Direct Route

Context
To improve network reliability, a VRRP group is often used as the gateway for
users to access external networks. Uplink traffic passes the master, but downlink
traffic is often transmitted through a route of a dynamic routing protocol. In this
case, uplink and downlink traffic may be transmitted along different paths. If the
firewall is configured for the VRRP group to improve security, the firewall blocks
traffic that is sent and received along different paths. In addition, it is difficult to
monitor such traffic and collect traffic statistics.
You can associate a VRRP group with a direct route so that VRRP affects route
selection of a dynamic routing protocol. Association ensures that uplink traffic and
downlink traffic are transmitted along the same path.

Pre-configuration Tasks
Before configuring association between a VRRP group and a direct route, complete
the following tasks:
● Configuring basic VRRP functions and creating a VRRP group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3517

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Configuring a dynamic routing protocol to make IP routes of nodes reachable.

NOTE

After association between a VRRP group and a direct route is configured, an Interior Gateway
Protocol (IGP) protocol cannot run on the interface running VRRP. If an IGP protocol runs on the
interface, the IGP protocol cannot retain the original cost of the imported direct route. As a
result, the VRRP group cannot be associated with the direct route.

Procedure
● Configuring association between a direct route and a VRRP group
a. Run system-view
The system view is displayed.
b. Run interface vlanif vlan-id
The view of the VRRP-enabled VLANIF interface is displayed.
c. Run direct-route track vrrp vrid virtual-router-id degrade-cost cost-
value
Association between a direct route and a VRRP group is configured.
Association between the VRRP group and the direct route allows the cost
of the direct route to be adjusted based on the VRRP group status.

▪ When the VRRP group is in Master state, the cost is set to the default
value 0 (highest priority).

▪ When the VRRP group is in Backup state, the cost is specified by

cost-value (larger than the default value 0).
NOTE

A direct route on the network segment that an interface belongs to can be

associated with only one VRRP group. To associate a direct route that has been
associated with one VRRP group to another VRRP group, you must delete the
original association configuration.
d. Run quit
Return to the system view.
● Configuring a dynamic routing protocol to import the direct route

IGP protocols and BGP are mainly used. RIP does not retain the original cost
of the imported route, so OSPF, IS-IS, and BGP are used here.

– Configuring OSPF to import the direct route

i. Run system-view
The system view is displayed.
ii. Run ospf [ process-id ]
The OSPF process view is displayed.
iii. Run import-route direct
OSPF is configured to import the direct route.
iv. Run default cost inherit-metric
OSPF is configured to retain the original cost of the imported route.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3518

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● The default command has the lowest priority. When running the default
command, ensure that the apply cost command for the direct route is not
executed. Otherwise, the default command does not take effect.
● After the default cost inherit-metric command is used, the default cost
cost-value command that is executed later will overwrite the default cost
inherit-metric command.
– Configuring IS-IS to import the direct route
i. Run system-view
The system view is displayed.
ii. Run isis [ process-id ]
The IS-IS process view is displayed.
iii. Run import-route direct inherit-cost
IS-IS is configured to retain the original cost of the imported route.
– Configuring BGP to import the direct route
i. Run system-view
The system view is displayed.
ii. Run bgp as-number
The BGP process view is displayed.
iii. Run import-route direct
BGP is configured to import the direct route.
BGP retains the original cost of the imported route in the MED.
----End

22.9.6.3.6 Verifying the VRRP Association Configuration

Procedure
● Run either of the following commands to check the VRRP group status and
parameters:
– display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] [ brief ]
– display vrrp { interface interface-type interface-number [ virtual-router-
id ] | virtual-router-id } verbose
● Run the display vrrp protocol-information command to check VRRP
information.
● Run the display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] statistics command to check statistics about sent and received
packets of a VRRP group.
----End

22.9.6.4 Configuring Basic Functions of an IPv6 VRRP Group

You can configure an IPv6 VRRP group to implement gateway backup and ensure
stable and efficient data forwarding.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3519

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Pre-configuration Tasks
Before configuring basic functions of an IPv6 VRRP group, complete the following
task:
● Configuring network layer attributes of interfaces to ensure network
connectivity

22.9.6.4.1 Creating a VRRP6 Group

Context
VRRP6 virtualizes multiple routing devices into a virtual router without changing
the networking, and uses the next hop address in the default route of hosts as the
IP address of the virtual router to implement gateway backup. After a VRRP6
group is configured, traffic is forwarded through the master. When the master
fails, a new master is selected among backups to forward traffic. This ensures
device-level reliability.
If load balancing is required in addition to gateway backup, configure two or more
VRRP6 groups on an interface in single-gateway load balancing mode or multi-
gateway load balancing mode.

Procedure
Step 1 Create a VRRP6 group working in master/backup mode.
1. Run system-view
The system view is displayed.
2. Run ipv6
The IPv6 function is enabled.
3. Run interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
4. Run ipv6 enable
IPv6 is enabled on the interface.
5. Run vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address [ link-local ]
A VRRP6 group is created, and a virtual IPv6 address is assigned to the VRRP6
group.
The first virtual IPv6 address of a VRRP6 group must be a link-local address.

NOTE

– VRRP6 groups must use different virtual IPv6 addresses. The virtual IPv6 address of
a VRRP6 group must be on the same network segment as the IP address of the
interface where the VRRP6 group is configured.
– Two devices in a VRRP6 group must be configured with the same VRID.
– VRRP6 groups on different interfaces of a device can be configured with the same
VRID.

If the device needs to be configured as the IP address owner in an IPv6 VRRP

group, configure VRRP6 on the IP address owner first, and then on the peer

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3520

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

device; otherwise, the IP addresses may conflict. If IP address conflict occurs,

perform either of the following operations:
– Disable IPv6 address conflict detection.
i. Before configuring an IP address owner, run the ipv6 nd dad
attempts value command with value of 0 to disable IPv6 address
conflict detection.
ii. Run the ipv6 address ip-address { mask | mask-length } command in
the interface view to configure an IPv6 address so that the master
becomes the IP address owner.
iii. Run the ipv6 nd dad attempts value command with value of 1 to
enable IPv6 address conflict detection.
– Restart the interface.
i. Run the shutdown command in the view of the IP address owner to
shut down the interface.
ii. Run the undo shutdown command in the view of the IP address
owner to enable the interface.

Step 2 Create VRRP6 groups working in multi-gateway load balancing mode.

If VRRP6 groups need to work in multi-gateway load balancing mode, repeat the
Create a VRRP6 group working in master/backup mode steps to configure two
or more VRRP6 groups on the interface and assign different VRIDs to them.

----End

22.9.6.4.2 Setting the Device Priority in a VRRP6 Group

Context
The device with a higher priority in a VRRP6 group is more likely to become the
master. You can specify the master by setting the device priority.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

Step 3 Run vrrp6 vrid virtual-router-id priority priority-value

The device priority in a VRRP6 group is set.

By default, the device priority is 100.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3521

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

● Priority 0 is reserved in the system. Priority 255 is reserved for the IP address owner, and
the priority of the IP address owner cannot be changed. The priority that can be set
ranges from 1 to 254.
● When devices in a VRRP6 group have the same priority, if devices preempt to be the
master simultaneously, the device on an interface with the largest IP address is the
master. The device that first switches to Master state becomes the master.

----End

22.9.6.4.3 (Optional) Configuring VRRP6 Time Parameters

Context
You can set VRRP6 time parameters as needed. Table 22-45 lists applicable
scenarios.

Table 22-45 Applicable scenarios of VRRP6 time parameters

Function Usage Scenario

Interval at The master in a VRRP6 group sends VRRP6 Advertisement

which VRRP6 packets to the backup at intervals to notify that it works
Advertisement properly. After the Master_Down_Interval timer expires, the
packets are backup switches to the master if it does not receive VRRP6
sent Advertisement packets.
Heavy network traffic or time differences on different devices
may result in the status change of the backup due to timeout
of VRRP6 packets. When packets from the original master
reach the new master, the status of the new master changes.
You can increase the interval to solve this problem.

Preemption On an unstable network, if the BFD session status monitored

delay of the by a VRRP6 group flaps frequently or the backup cannot
master receive VRRP6 Advertisement packets within a specified
period, an active/standby switchover is frequently performed,
which causes network flapping. You can adjust the preemption
delay of the master in the VRRP6 group so that the backup
preempts to be the master after the delay. This prevents
frequent change of the VRRP6 group status.

Timeout To ensure that MAC address entries on the downstream switch

interval at are correct, the master in the VRRP6 group periodically sends
which ND ND packets to update MAC address entries on the
packets are downstream switch.
sent by the
master

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3522

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Function Usage Scenario

Delay in On an unstable network, frequent flapping of the BFD session

recovering a status or interface status monitored by a VRRP6 group may
VRRP6 group result in frequent switching of the VRRP6 group status. After
the delay in recovering a VRRP6 group is set, the VRRP6 group
does not immediately respond to an interface or BFD session
Up event. Instead, the VRRP6 group processes this event after
the delay in recovering a VRRP6 group. This prevents frequent
switching of the VRRP6 group status.

Procedure
● Setting the interval at which VRRP6 Advertisement packets are sent
a. Run system-view

The system view is displayed.

b. Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

c. Run vrrp6 vrid virtual-router-id timer advertise advertise-interval

The interval at which VRRP6 Advertisement packets are sent is set.

By default, VRRP6 Advertisement packets are sent at intervals of 2s.

NOTE

If devices in a VRRP6 group use different intervals, VRRP6 may not work.
● Setting the preemption delay of the master
a. Run system-view

The system view is displayed.

b. Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

c. Run vrrp6 vrid virtual-router-id preempt-mode timer delay delay-value

The preemption delay is set.

By default, the preemption delay time is 0. In immediate preemption

mode, a backup can immediately preempt to be the master when its
priority is higher than the master.

You can use the vrrp6 vrid virtual-router-id preempt-mode disable

command to set the non-preemption mode. In non-preemption mode,
the master that works properly can retain the Master state. The backup
cannot preempt to be the master even if the priority of the master
decreases.

You can use the undo vrrp6 vrid virtual-router-id preempt-mode

command to restore the default preemption mode.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3523

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

It is recommended that you set the preemption delay of the backup in a VRRP6
group to 0, configure the master in preemption mode, and set the preemption
delay. On an unstable network, these settings allow a period of time for status
synchronization between the uplink and downlink. If the preceding settings are
not used, two masters coexist and users devices may learn incorrect address of
the master.
● Setting the timeout interval at which ND packets are sent by the master
a. Run system-view
The system view is displayed.
b. Run vrrp gratuitous-arp timeout time
The interval at which ND packets are sent by the master is set.
By default, the master sends an ND packet every 120s.

NOTE

The interval at which the master sends an ND packet must be shorter than the
aging time of the ND entry on each user device.

▪ To restore the default interval at which an ND packet is sent, run the

undo vrrp gratuitous-arp timeout command in the system view.

▪ To disable the master from sending ND packets, run the vrrp

gratuitous-arp timeout disable command in the system view.
● Setting the delay in recovering a VRRP6 group
a. Run system-view
The system view is displayed.
b. Run vrrp recover-delay delay-value
The delay in recovering a VRRP6 group is set.
By default, the delay in recovering a VRRP6 group is 0.

NOTE

● After this command is used, all VRRP6 groups on the device are configured
with the same delay.
● When the device in a VRRP6 group restarts, VRRP6 status flapping may occur.
It is recommended that the delay be set based on actual networking.

----End

22.9.6.4.4 (Optional) Disabling VRRP6 TTL Check

Context
The system checks the TTL value in received VRRP6 packets, and discards VRRP6
packets in which the TTL value is not 255. On a network where devices of
different vendors are deployed, if TTL check is enabled on the device, the device
may incorrectly discard valid packets. In this case, disable TTL check so that
devices of different vendors can communicate.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3524

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

Step 3 Run vrrp6 un-check hop-limit

The device is configured not to check the TTL value in VRRP6 packets.

By default, the system checks the TTL value in VRRP6 packets.

----End

22.9.6.4.5 Verifying the Configuration of Basic Functions for an IPv6 VRRP Group

Procedure
● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] [ brief ] command to check the VRRP6 group status and
parameters.
● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] statistics command to check statistics about sent and
received packets of a VRRP6 group.

----End

22.9.6.5 Configuring an IPv6 mVRRP Group

An mVRRP6 group can be bound to service VRRP6 groups and can determine the
status of a service VRRP group based on the binding. mVRRP6 is used when
multiple VRRP6 groups coexist and helps decrease the number of VRRP6 packets
to be sent and minimize network bandwidth consumption.

Pre-configuration Tasks
Before configuring basic functions of an IPv6 mVRRP group, complete the
following task:
● Configuring network layer attributes of interfaces to ensure network
connectivity

22.9.6.5.1 Configuring an mVRRP6 Group

Context
Each VRRP6 group needs to maintain its own state machine. Configuring an
mVRRP6 group reduces bandwidth occupied by VRRP6 packets.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3525

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The VLANIF interface view is displayed.
Step 3 Run vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address [ link-local ]
A VRRP6 group is created, and a virtual IPv6 address is assigned to the VRRP6
group.
Step 4 Run vrrp6 vrid virtual-router-id priority priority-value
The priority of the VRRP6 group is set.
Step 5 Run admin-vrrp6 vrid virtual-router-id
The VRRP6 group is configured as an mVRRP6 group.

----End

22.9.6.5.2 (Optional) Configuring a VRRP6 Group and Binding the VRRP6 Group to
an mVRRP6 Group

Context
You can bind VRRP6 groups to an mVRRP6 group so that mVRRP6 determines the
status of the bound VRRP6 groups.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface where a VRRP6 group is configured is displayed.
Step 3 Run vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address [ link-local ]
A VRRP6 group is created, and a virtual IPv6 address is assigned to the VRRP6
group.
Because the mVRRP6 group determines the status of its member VRRP6 groups,
you do not need to set priorities for the member VRRP6 groups.
Step 4 Run vrrp6 vrid virtual-router-id1 track admin-vrrp6 interface interface-type
interface-number vrid virtual-router-id2 unflowdown
The VRRP6 group is bound to an mVRRP6 group.
After the binding is complete, the state machine of the bound VRRP6 group
depends on the status of the mVRRP6 group. The bound VRRP6 group inherits the
status of the mVRRP6 group, and deletes its VRRP6 packet timeout timer and

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3526

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

stops sending or receiving VRRP6 packets. A VRRP6 group can be bound to only
one mVRRP6 group.

NOTE
Only one mVRRP6 group can be configured on an interface.

----End

22.9.6.5.3 Verifying the IPv6 mVRRP Group Configuration

Procedure
● Run the display vrrp6 binding admin-vrrp6 [ interface interface-type1
interface-number1 ] [ vrid virtual-router-id1 ] member-vrrp [ interface
interface-type2 interface-number2 ] [ vrid virtual-router-id2 ] command to
check bindings between an mVRRP group and VRRP groups.
● Run the display vrrp6 admin-vrrp6 command to check the status of all
mVRRP groups.

----End

22.9.6.6 Configuring VRRP6 Association

VRRP6 association enables VRRP6 to detect faults in a timely manner and triggers
an active/standby switchover when the master or the uplink of the master
becomes faulty. VRRP6 association optimizes VRRP6 switchovers and enhances
network reliability.

Pre-configuration Tasks
Before configuring VRRP6 association, complete the following task:
● 22.9.6.4 Configuring Basic Functions of an IPv6 VRRP Group

22.9.6.6.1 Configuring Association Between VRRP6 and the Interface Status

Context
When the uplink interface of the master becomes faulty, VRRP6 cannot detect the
status change of interfaces not in the VRRP6 group, causing service interruption.
You can associate a VRRP6 group with the interface status. When the monitored
interface is faulty, the priority of the master is reduced. This triggers an active/
standby switchover and reduces the impact of services on the uplink interface.

When the fault is rectified, the priority of the original master is restored and
preempts to be the master to forward traffic.

NOTE

The master and backup in the VRRP6 group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and non-0 on the master.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3527

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface on the master where a VRRP6 group is
configured is displayed.
Step 3 Run vrrp6 vrid virtual-router-id track interface interface-type interface-number
[ increased value-increased | reduced value-reduced ]
Association between VRRP6 and the interface status is configured.
By default, when the monitored interface goes Down, the VRRP6 priority of the
device decreases by 10.

NOTE

If the IPv4 protocol status on the monitored interface configured with an IPv4 address
changes, the priority of the master is reduced. If the IPv6 protocol status on the monitored
interface configured with an IPv6 address changes, the VRRP6 group remains unchanged.

----End

22.9.6.6.2 Verifying the VRRP6 Association Configuration

Procedure
● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] [ brief ] command to check the VRRP6 group status and
parameters.
● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] statistics command to check statistics about sent and
received packets of a VRRP6 group.
----End

22.9.7 Maintaining VRRP

22.9.7.1 Monitoring the VRRP Running Status

Context
During routine maintenance, you can run the following command to view VRRP
packet statistics and monitor the VRRP running status.

Procedure
● Run the display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] statistics command in any view to view statistics about sent and
received packets of a VRRP group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3528

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid

virtual-router-id ] statistics command in any view to view statistics about
sent and received packets of a VRRP6 group.

22.9.7.2 Clearing VRRP Packet Statistics

Context
Before recollecting statistics about VRRP packets in a period of time, clear existing
statistics.

NOTICE

The cleared statistics cannot be restored. Exercise caution when you run the reset
command.

Procedure
● Run the reset vrrp [ interface interface-type interface-number ] [ vrid
virtual-router-id ] statistics command in the user view to clear statistics
about a VRRP group.
● Run the reset vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] statistics command in the user view to clear statistics
about a VRRP6 group.

22.9.8 Configuration Examples for VRRP

22.9.8.1 Example for Configuring VRRP HSB

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires VRRP HSB to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3529

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Figure 22-61 Configuring VRRP HSB (direct forwarding)

Internet

Router
GE0/0/2
VLAN102
AC1 AC2

GE0/0/1
VLAN100-101

GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100-101 VLAN100-101
Eth-Trunk10

GE0/0/2 GE0/0/3
VLAN100-101 VLAN100-101

GE0/0/1 SwitchA
VLAN100-101

AP

STA
Management VLAN: VLAN 100
Service VLAN: VLAN 101
: Service VRRP
: mVRRP
:Eth-Trunk

Data Planning

Table 22-46 AC Data Planning

Item Configuration

AC1's source interface VLANIF 100: 10.23.100.3/24

AC2's source interface VLANIF 100: 10.23.100.3/24

Virtual IP address of the 10.23.100.3/24

management VRRP group

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3530

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Item Configuration

Virtual IP address of the 10.23.101.3/24

service VRRP group

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

AP group ● Name: ap-group1

● Referenced profiles: VAP profile wlan-net
and regulatory domain profile default

Regulatory domain profile ● Name: default

● Country code: China

SSID profile ● Name: wlan-net

● SSID name: wlan-net

Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+PSK+AES
● Password: a1234567

DHCP server AC functions as the DHCP server to assign IP

addresses to the AP and STA

AP's gateway VLANIF 100: 10.23.100.3/24

IP address pool for the AP 10.23.100.4 to 10.23.100.254/24

STA's gateway VLANIF 101: 10.23.101.3/24

IP address pool for STA 10.23.101.4 to 10.23.101.254/24

IP addresses and port IP address: VLANIF 102, 10.23.102.1/24

numbers for the active and Port number: 10241
standby channels of AC1

IP addresses and port IP address: VLANIF 102, 10.23.102.2/24

numbers for the active and Port number: 10241
standby channels of AC2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to

improve the core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3531

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

3. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for
AC1 as the active device to forward traffic, and a low priority for AC2 as the
standby device.
5. Configure the hot standby (HSB) function so that service information on AC1
is backed up to AC2 in batches in real time, ensuring seamless service
switchover from the active device to the standby device.

NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3532

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[SwitchB] set css mode css-card

[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3533

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3534

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can
be transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting
to the AP). If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs or WLAN users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN

100 and add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on
SwitchA connected to SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on
SwitchA connected to SwitchC to Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3535

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[CSS-GigabitEthernet2/1/0/2] undo port link-type

[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and
configure VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.

# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3536

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
10.23.100.1 and 10.23.101.1 have been assigned to the master AC; 10.23.100.2 and
10.23.101.2 have been assigned to the backup AC; 10.23.100.3 and 10.23.101.3
have been assigned as VRRP virtual IP addresses. You need to specify these IP
addresses as those that cannot be automatically assigned to clients from the
interface address pools of the master and backup ACs.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and
set the preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-
data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management
VRRP group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3537

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for
the active and standby channels, and set the retransmission times and interval of
HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-
data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management
VRRP group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3538

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those
on AC1. An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to

a1234567. In actual situations, the security policy must be configured according to service
requirements.

[AC1-wlan-view] security-profile name wlan-net

[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3539

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

# Create VAP profile wlan-net, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0
and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1
and AC2. The command output displays that the State field of AC1 is Master and
that of AC2 is Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

Vlanif101 | Virtual Router 2

State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-30 23:45:50 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3540

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

Vlanif101 | Virtual Router 2

State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-31 00:32:33 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB
service status. The command output displays that the Service State field is
Connected, indicating that the HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB
group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3541

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Vrrp Interface : Vlanif100

Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R010C00
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to AP, and these
STAs can connect to the WLAN.
# Simulate an active AC fault by restarting the active AC to verify the backup
configuration. Restart AC1. When AP detects a fault on the link connected to AC1,
AC2 takes the active role, ensuring service stability.
NOTE
Before restarting the AC, run the save command to save the configuration file on the AC to
prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. AP goes
online on AC2. Run the display ap all command on AC2. The command output
shows that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
AP automatically goes online on AC1.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3542

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

port trunk allow-pass vlan 100 to 101

port-isolate enable group 1
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

● CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
eth-trunk 10
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
return

● Comparison between AC1 and AC2 configuration files (The information in

bold is settings about the two-node backup function.)

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3543

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Table 22-47 Comparison of configuration files

AC1 AC2
# #
sysname AC1 sysname AC2
# #
vrrp recover-delay 60 vrrp recover-delay 60
# #
vlan batch 100 to 102 vlan batch 100 to 102
# #
dhcp enable dhcp enable
# #
dhcp server database enable dhcp server database enable
dhcp server database recover dhcp server database recover
# #
interface Vlanif100 interface Vlanif100
ip address 10.23.100.1 255.255.255.0 ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1 admin-vrrp vrid 1
vrrp vrid 1 priority 120 dhcp select interface
vrrp vrid 1 preempt-mode timer delay 1800 dhcp server excluded-ip-address 10.23.100.1
dhcp select interface 10.23.100.3
dhcp server excluded-ip-address 10.23.100.1 #
10.23.100.3 interface Vlanif101
# ip address 10.23.101.2 255.255.255.0
interface Vlanif101 vrrp vrid 2 virtual-ip 10.23.101.3
ip address 10.23.101.1 255.255.255.0 vrrp vrid 2 track admin-vrrp interface
vrrp vrid 2 virtual-ip 10.23.101.3 Vlanif100 vrid 1 unflowdown
vrrp vrid 2 preempt-mode timer delay 1800 dhcp select interface
vrrp vrid 2 track admin-vrrp interface dhcp server excluded-ip-address 10.23.101.1
Vlanif100 vrid 1 unflowdown 10.23.101.3
dhcp select interface #
dhcp server excluded-ip-address 10.23.101.1 interface Vlanif102
10.23.101.3 ip address 10.23.102.2 255.255.255.0
# #
interface Vlanif102 interface GigabitEthernet0/0/1
ip address 10.23.102.1 255.255.255.0 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/1 port trunk allow-pass vlan 100 to 101
port link-type trunk #
undo port trunk allow-pass vlan 1 interface GigabitEthernet0/0/2
port trunk allow-pass vlan 100 to 101 port link-type trunk
# undo port trunk allow-pass vlan 1
interface GigabitEthernet0/0/2 port trunk allow-pass vlan 102
port link-type trunk #
undo port trunk allow-pass vlan 1 capwap source ip-address 10.23.100.3
port trunk allow-pass vlan 102 #
# hsb-service 0
capwap source ip-address 10.23.100.3 service-ip-port local-ip 10.23.102.2 peer-ip
# 10.23.102.1 local-data-port 10241 peer-data-
hsb-service 0 port 10241
service-ip-port local-ip 10.23.102.1 peer-ip service-keep-alive detect retransmit 3
10.23.102.2 local-data-port 10241 peer-data- interval 6
port 10241 #
service-keep-alive detect retransmit 3 hsb-group 0
interval 6 track vrrp vrid 1 interface Vlanif100
# bind-service 0
hsb-group 0 hsb enable
track vrrp vrid 1 interface Vlanif100 #
bind-service 0 hsb-service-type access-user hsb-group 0
hsb enable #
# hsb-service-type dhcp hsb-group 0
hsb-service-type access-user hsb-group 0 #
# hsb-service-type ap hsb-group 0
hsb-service-type dhcp hsb-group 0 #
# wlan
hsb-service-type ap hsb-group 0 security-profile name wlan-net
# security wpa-wpa2 psk pass-phrase %^

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3544

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

AC1 AC2
wlan %#G.DGWgjG./fvyr*oM)KMgc*sR}!
security-profile name wlan-net GUWLa"%G_E.^B%^%# aes
security wpa-wpa2 psk pass-phrase %^ ssid-profile name wlan-net
%#G.DGWgjG./fvyr*oM)KMgc*sR}! ssid wlan-net
GUWLa"%G_E.^B%^%# aes vap-profile name wlan-net
ssid-profile name wlan-net service-vlan vlan-id 101
ssid wlan-net ssid-profile wlan-net
vap-profile name wlan-net security-profile wlan-net
service-vlan vlan-id 101 regulatory-domain-profile name default
ssid-profile wlan-net ap-group name ap-group1
security-profile wlan-net radio 0
regulatory-domain-profile name default vap-profile wlan-net wlan 1
ap-group name ap-group1 radio 1
radio 0 vap-profile wlan-net wlan 1
vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-
radio 1 sn 210235554710CB000042
vap-profile wlan-net wlan 1 ap-name area_1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap- ap-group ap-group1
sn 210235554710CB000042 #
ap-name area_1 return
ap-group ap-group1
#
return

22.9.9 Troubleshooting VRRP

22.9.9.1 Multiple Masters Coexist in a VRRP Group

Fault Description
Multiple masters exist in a VRRP group.

Procedure
Step 1 Ping masters to check network connectivity between masters.
● If the ping operation fails, check whether the network connection is correct.
● If the ping operation is successful and the TTL value of the ping packet is 255,
go to step 2.
Step 2 Run the display vrrp protocol-information command in any view to check
whether the VRRP version on each master is compatible with the mode in which
VRRP Advertisement packets are sent.
● If the version is incompatible with the mode, run the vrrp version { v2 | v3 }
command in the system view to change the version.
● If the version is compatible with the mode, go to step 3.
NOTE

● A VRRPv2 group can only send and receive VRRPv2 Advertisement packets, and discards
the received VRRPv3 Advertisement packets.
● A VRRPv3 group can send and receive both VRRPv2 and VRRPv3 Advertisement packets.
You can configure the mode in which VRRPv3 Advertisement packets are sent. The
mode can be v2-only, v3-only, or v2v3-both.

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3545

Wireless Access Controller(AC and Fit AP)
CLI-based Configuration Guide 22 Reliability Configuration Guide

Step 3 Run the display vrrp virtual-router-id command in any view to check whether the
master uses the same virtual IP address, interval at which VRRP Advertisement
packets are sent, authentication mode, and authentication key.
● If the configured virtual IP addresses are different, run the vrrp vrid virtual-
router-id virtual-ip virtual-address command to set the same virtual IP
address.
● If the intervals are different, run the vrrp vrid virtual-router-id timer
advertise advertise-interval command to set the same interval.
● If the authentication modes and authentication keys are different, run the
vrrp vrid virtual-router-id authentication-mode { simple { key | plain key |
cipher cipher-key } | md5 md5-key } command to set the same
authentication mode and authentication key.

----End

22.9.9.2 VRRP Group Status Changes Frequently

Fault Description
The VRRP group status changes frequently.

Procedure
Step 1 Run the display vrrp virtual-router-id command in any view to check whether the
VRRP group is associated with an interface, or a BFD session.
● If the VRRP group is associated with the interface, or BFD session, flapping of
the interface, or BFD session causes VRRP group status flapping. Rectify the
fault on the associated module.
● If association is not configured, go to step 2.
Step 2 Run the display vrrp virtual-router-id command in any view to check the
preemption delay of the VRRP group.
● If the preemption delay is 0, run the vrrp vrid virtual-router-id preempt-
mode timer delay delay-value command in the view of the interface where
the VRRP group is configured to set the non-0 preemption delay.
● If the preemption is not 0, go to step 3.
Step 3 Run the vrrp vrid virtual-router-id timer advertise advertise-interval command in
the view of the interface where the VRRP group is configured to set a larger
interval at which VRRP Advertisement packets are sent, or run the vrrp vrid
virtual-router-id preempt-mode timer delay delay-value command to set a larger
preemption delay.

----End

Issue 08 (2021-02-25) Copyright © Huawei Technologies Co., Ltd. 3546