HCNA-WLAN Experiment Guide (CLI-based) V2.0 PDF
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning.
If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and
Content: Huawei product training material and Huawei career certification training material.
Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material in the specific training introduction page.
3. Priority to participate in Huawei Online Open Class (LVC)
The Huawei career certification training and product training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors.
4. Learning Tools:
eNSP: Simulate single Router&Switch device and large network.
WLAN Planner: Network planning tools for WLAN AP products.
In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei Products.
Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
Huawei WLAN Certification Training
HCNA-WLAN
Experiment Guide for WLAN Engineers
ISSUE: 2.0
HUAWEI TECHNOLOGIES CO., LTD.
Huawei WLAN Certification Training Experiment Guide
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Overview
This document is applicable to the candidates who are preparing for the HCNA-WLAN exam and the readers who want to understand the WLAN basics, the CAPWAP protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
Description
This experiment guide introduces the following six experiments, covering basic configurations, and configurations and implementation of Layer 2 networking, security, Layer 3 networking, and the network management software eSight.
Experiment 1: AC configuration initialization
This experiment involves basic operations and configurations on an AC, helping you get to know the AC6005 and its basic functions.
Experiment 2: AP authentication and WLAN configuration process
This experiment introduces basic WLAN network capabilities through basic WLAN configurations.
Experiment 3: WLAN security configuration
This experiment mainly introduces 802.1x authentication, helping you understand WLAN security and the configuration process.
Experiment 4: WLAN configuration on eSight
This experiment covers how to add WLAN devices to eSight and deliver WLAN services using the configuration wizard.
Experiment 5: Bypass Layer 3 networking
This experiment uses the AC6005 and Layer 3 networking. The Layer 3 network configuration helps you understand WLAN networking modes comprehensively.
Experiment 6: Configuration file backup and AC configuration clearance
This experiment describes how to back up configuration files through File Transfer Protocol (FTP).
Common Icons
experiment environment is applicable to 4 to 12 candidates.
Device Introduction
The following table lists devices recommended for HCNA-WLAN experiments and the mappings between the device name, model, and software version.
AP     AP4030DN          AP4030DN V200R007C10SPC100
NMS    eSight Network    eSight Network V300R006C00SPC505

eSight                                   1                     Shared by all groups
Radius Server                            1                     Shared by all groups
Huawei 3700PoE/Huawei 5700PoE Switch     1                     Shared by all groups
AC6005                                   One for each group
AP4030DN                                 Two for each group
Laptop or desktop computer               One for each group    A desktop computer requires a network adapter
Twisted pair                             Four for each group   The twisted pair must be at least 2 meters long
Console cable                            One for each group

Each group must check whether the following devices are ready:
One AC6005
Two AP4030DN
One laptop or desktop computer
Experiment topology
Key points of bypass topology establishment:
This course uses a layer 3 bypass topology. Devices are connected as follows:
For group 1, port 8 of AC1 is connected to port 1 of the switch. AP1 is connected to port 10 of the switch. AP2 is connected to port 11 of the switch.
For group 2, port 8 of AC2 is connected to port 2 of the switch. AP3 is connected to port 12 of the switch. AP4 is connected to port 13 of the switch.
For group 3, port 8 of AC3 is connected to port 3 of the switch. AP5 is connected to port 14 of the switch. AP6 is connected to port 15 of the switch.
The same rule applies to all other groups.
For group 6, port 8 of AC6 is connected to port 6 of the switch. AP11 is connected to
Login
Use a console cable to connect the PC to the device, run a terminal emulation program on
the PC (such as a HyperTerminal running the Windows OS), and log in to the device
through the COM port.
AC Configuration Removal
Trainees must remove previously saved configurations after the experiment is complete and before devices are turned off, to avoid any impact of the configurations on the next experiment. In addition, trainees must confirm that the device is not configured before an experiment starts. If it is already configured, remove the configurations and then restart the device.
You need a password to log in to the router. The login password is Admin@123 in this experiment.
Login authentication
Password:Admin@123
<AC6005>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
To restart the controller, run the following command:
<AC6005>reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...
After the controller is restarted, carry out experiments.
Contents
Description
Background Knowledge Required
Common Icons
Experiment Environment Preparation
1 Experiment 1: AC configuration initialization
1.1 About This Course
1.1.1 Objectives
1.1.2 Topology
1.1.3 Plan
1.2 Experiment Task
1.2.1 Configuration Procedure
1.3 Verification
1.3.1 Telnet AC
1.4 Reference Configuration
1.4.1 S5700 Configuration
1.4.2 AC Configuration
2 Experiment 2: AP Authentication and WLAN Configuration Roadmap
2.1 About This Course
2.1.1 Objectives
2.1.2 Topology
2.1.3 Plan
2.2 Experiment Task
2.2.1 Configuration Procedure
2.3 Verification
2.3.1 Checking the VAP Status
3.4.1 S5700 Configuration
3.4.2 AC Configuration
4 Experiment 4: eSight WLAN Management
4.1 About This Course
4.1.1 Objectives
4.1.2 Topology
4.1.3 Plan
4.2 Experiment Task
4.2.1 Configuration Procedure
4.3 Verification
4.3.1 Connect an STA to the WLAN
4.4 Reference Configuration
4.4.1 S5700 Configuration
4.4.2 AC Configuration
5 Experiment 5: Layer 3 Networking Experiment
5.1 About This Course
5.1.1 Objectives
5.1.2 Topology
5.1.3 Plan
5.2 Experiment Task
5.2.1 Configuration Procedure
5.3 Verification
5.3.1 Verify the L3 Network Status
5.4 Reference Configuration
5.4.1 S5700 Configuration
1.1.2 Topology
1.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.
Group No   AC-Switch Port   AP-Switch Port
1          AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2          AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3          AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4          AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5          AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6          AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.
Trainee GroupX AC Configuration
Console Password            Admin@123
Device                      ACX
AP Management VLAN          VLAN:X0 IP:10.1.X0.100
Service VLAN (Employee)     VLAN:X1 IP:10.1.X1.100
Step1 Configuring Initialization Password
The software version of the AC6005 is V2R7. You need a password to log in to the AC the first time. The login password is Admin@123 in this experiment.
Please configure the login password (maximum length 16)
Enter password:Admin@123
Confirm password:Admin@123
<AC6005>
(management VLAN) and set the port VLAN ID (PVID) to VLANX0. Add GE0/0/8 to VLANs X0 through X3 (Connect to AC).
<Huawei>system-view
[Huawei]sysname S5700
[S5700]vlan batch 10 to 13
[S5700]interface GigabitEthernet0/0/10
[S5700-GigabitEthernet0/0/10]port link-type trunk
[S5700-GigabitEthernet0/0/10]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/10]quit
[S5700]interface GigabitEthernet0/0/11
[S5700-GigabitEthernet0/0/11]port link-type trunk
[S5700-GigabitEthernet0/0/11]port trunk pvid vlan 10
[S5700-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 13
[S5700-GigabitEthernet0/0/11]quit
[S5700]interface GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port link-type trunk
[S5700-GigabitEthernet0/0/1]quit
[S5700]interface Vlanif 12
[S5700-Vlanif12]ip address 10.1.12.1 24
[S5700-Vlanif12]quit
[S5700]interface Vlanif 13
[S5700-Vlanif13]ip address 10.1.13.1 24
[S5700-Vlanif13]quit
Create VLANs X0 through X3.
[AC1]vlan batch 10 to 13
Configure GE0/0/8 to connect to the S5700.
[AC1]interface g0/0/8
[AC1-GigabitEthernet0/0/8]port link-type trunk
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 10 to 13
[AC1-GigabitEthernet0/0/8]quit
After the configuration is complete, run the display port vlan command to check whether
the configuration is correct.
[AC1]display port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------
GigabitEthernet0/0/1    hybrid       1     -
GigabitEthernet0/0/2    hybrid       1     -
GigabitEthernet0/0/3    hybrid       1     -
GigabitEthernet0/0/4    hybrid       1     -
GigabitEthernet0/0/5    hybrid       1     -
GigabitEthernet0/0/6    hybrid       1     -
GigabitEthernet0/0/7    access       4090  -
GigabitEthernet0/0/8    trunk        1     1 10-13
Configure the IP address of the layer 3 interface corresponding to the VLAN.
[AC1]interface vlan 10
[AC1-Vlanif10]ip address 10.1.10.100 24
[AC1-Vlanif10]quit
[AC1]interface vlan 11
[AC1-Vlanif11]ip address 10.1.11.100 24
[AC1-Vlanif11]quit
[AC1]interface vlan 12
[AC1-Vlanif12]ip address 10.1.12.100 24
[AC1-Vlanif12]quit
[AC1]interface Vlanif 13
[AC1-Vlanif13]ip address 10.1.13.100 24
[AC1-Vlanif13]quit
Vlanif13 10.1.13.100/24 up up
Vlanif4090 172.21.11.3/16 up up
Check whether the route between the AC and the layer 3 switch is reachable. The
following command output indicates that 10X.10X.10X.10X (the simulated public
network interface on the switch) cannot be pinged.
[AC1]ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
Configure a static route for the switch.
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
IP address 10X.10X.10X.10X can be pinged.
[AC1]ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=254 time=1 ms
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
It will take several minutes to save configuration file, please
wait........
Configuration file has been saved successfully
Note: The configuration file will take effect after being activated
1.3 Verification
1.3.1 Telnet AC
After configuring Telnet, test the Telnet service on the S5700.
<S5700>telnet 10.1.10.100
Trying 10.1.10.100 ...
Press CTRL+K to abort
Connected to 10.1.10.100 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Username:huawei
Password:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Access Type: Telnet
IP-Address : 172.21.5.155
Login AC successfully.
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
 protocol inbound all
user-interface vty 16 20
#
return
1.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
 local-user huawei privilege level 3
 local-user huawei service-type telnet
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type access
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
qK%aTJ_0%^%# aes
GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
 ssid-profile name default
 vap-profile name default
undo ntp-service enable
#
return
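The Telnet session in 1.3.1 logs in as user huawei, and the device itself warns that Telnet is not a secure protocol and recommends Stelnet. The following added example (not part of the Huawei guide) checks excerpts of the two reference configurations above for management access that still accepts Telnet or a shared line password. The excerpts are constructed from lines on this page with the one-space indentation of a configuration dump restored; the rule names and the `HARDENED_AC` variant are assumptions of the example.

```python
import re

# Constructed excerpts: lines copied from the two reference configurations on
# this page, with the one-space indentation of a VRP configuration dump
# restored and the password ciphers left out.
AC_EXCERPT = """\
aaa
 local-user admin privilege level 15
 local-user admin service-type ssh http
 local-user huawei privilege level 3
 local-user huawei service-type telnet
#
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
"""

S5700_EXCERPT = """\
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 protocol inbound all
user-interface vty 16 20
#
"""

# Assumed hardened variant of the AC excerpt (not from the guide): the Telnet
# user is moved to SSH and the VTY lines accept SSH only.
HARDENED_AC = (AC_EXCERPT
               .replace("service-type telnet", "service-type ssh")
               .replace("protocol inbound all", "protocol inbound ssh"))

USER_SVC = re.compile(r"^local-user (\S+) service-type (.+)$")
VTY_PROTO = re.compile(r"^protocol inbound (\S+)$")


def parse_stanzas(text):
    """Split a configuration dump into (header, [sub-commands]) pairs.

    An unindented line opens a stanza, indented lines belong to the stanza
    that is currently open, and a '#' line closes it.
    """
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None
        elif raw[0].isspace() and current is not None:
            current[1].append(line)
        else:
            current = (line, [])
            stanzas.append(current)
    return stanzas


def audit_remote_management(text):
    """Return (rule, stanza, detail) findings for cleartext or shared logins."""
    findings = []
    for header, body in parse_stanzas(text):
        if header == "aaa":
            for cmd in body:
                m = USER_SVC.match(cmd)
                # A local user whose service types include telnet can log in
                # over an unencrypted session.
                if m and "telnet" in m.group(2).split():
                    findings.append(("telnet-user", header, m.group(1)))
        elif header.startswith("user-interface vty"):
            for cmd in body:
                m = VTY_PROTO.match(cmd)
                # 'all' accepts Telnet as well as SSH on these lines.
                if m and m.group(1) in ("all", "telnet"):
                    findings.append(("vty-telnet", header, cmd))
                # One password shared by everyone, with no per-user account.
                elif cmd == "authentication-mode password":
                    findings.append(("vty-shared-password", header, cmd))
    return findings


if __name__ == "__main__":
    for name, cfg in (("AC1", AC_EXCERPT), ("S5700", S5700_EXCERPT),
                      ("AC1 hardened", HARDENED_AC)):
        results = audit_remote_management(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for rule, stanza, detail in results:
            print(f"  {rule:20} {stanza:26} {detail}")
```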
Understand WLAN configuration roadmap
Configure open system authentication
2.1.2 Topology
2.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.
Group No.  AC-Switch Port   AP-Switch Port
1          AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2          AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3          AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4          AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5          AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6          AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20

The following table describes an AC parameter configuration template.
AC Information       Country code: CN
                     WLAN source: VLAN X0
AP Authentication    AP authentication mode: mac-auth
                     AP MAC address
AP Group             Name: ap-groupX
                     VAP ID 1: VAP profile: guestX
                     regulatory domain profile: domainX
                     VAP ID 2: VAP profile: voiceX
                     regulatory domain profile: domainX
                     VAP ID 3: VAP profile: employeeX
                     regulatory domain profile: domainX
SSID Profile         Name: employeeX SSID Profile: employeeX
                     Name: voiceX SSID Profile: voiceX
Referenced profile: SSID profile voiceX
Name: guestX
Forwarding mode: tunnel forwarding
Service VLAN: 13
Referenced profile: SSID profile guestX
Topology: layer2 and layer 3 bypass topology
[Figure: WLAN configuration roadmap]
1. Configure the access switch: Enable layer 2 or layer 3 interconnection between the AP and AC.
2. Create an AP group: Create an AP group.
3. Configure the AP going online (Configure AC management on fit APs):
Configure the DHCP server function of the AC.
Create a regulatory domain profile.
Configure the country code of the AC.
Configure the authentication mode for the AP.
Configure the AC source port (for establishing a tunnel with the AP).
4/5. Configure WLAN service parameters: Configure the security profile and configure the SSID profile (being referred to by the VAP profile).
4. Configure the VAP profile: Configure the VAP profile (being referred to by the AP group).
Bind the regulatory domain profile and VAP profile to the AP group.
Step2 Configuring a Switch
Continue the configuration from experiment 1; the configuration of the switch is already in place.
Step3 Configuring Basic AC Parameters
Continue the configuration from experiment 1; the configuration of the switch is already in place.
Step4 Creating an AP Group
Create AP group ap-groupX.
[AC1]wlan
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]quit
[AC1]dhcp enable
[AC1]ip pool ap
[AC1-ip-pool-ap]network 10.1.10.0 mask 24
[AC1-ip-pool-ap]gateway-list 10.1.10.1
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.10.100
[AC1-ip-pool-ap]quit
[AC1]ip pool employee
[AC1-ip-pool-employee]network 10.1.11.0 mask 24
[AC1-ip-pool-employee]gateway-list 10.1.11.1
[AC1-ip-pool-employee]quit
[AC1]ip pool voice
[AC1-ip-pool-voice]network 10.1.12.0 mask 24
[AC1-ip-pool-voice]gateway-list 10.1.12.1
[AC1-ip-pool-voice]quit
[AC1]ip pool guest
[AC1-ip-pool-guest]network 10.1.13.0 mask 24
[AC1-ip-pool-guest]gateway-list 10.1.13.1
[AC1-ip-pool-guest]quit
Enable DHCP over all VLANIF interfaces on the AC.
[AC1]interface Vlanif 10
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif10]quit
[AC1]interface Vlanif 11
[AC1-Vlanif11]dhcp select global
[AC1-Vlanif11]quit
[AC1]interface Vlanif 12
[AC1-Vlanif12]dhcp select global
[AC1-Vlanif12]quit
[AC1]interface Vlanif 13
[AC1-Vlanif13]dhcp select global
[AC1-Vlanif13]quit
Configure regulatory domain profile domainX.
[AC1]wlan
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1]country-code CN
[AC1-wlan-regulatory-domain-prof-domain1]quit
[AC1-wlan-view]quit
Configure AP authentication.
AP authentication has three modes. By default, MAC authentication is used. Manually import the APs offline to the AC and add two APs to AP group ap-groupX. Name the two APs AP1 and AP2.
[AC1-wlan-view]ap-mac 4cfa-cabe-eb60 ap-id 0
[AC1-wlan-ap-0]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations of the
radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-ap-0]quit
[AC1-wlan-view]ap-mac 4cfa-cabf-d0c0 ap-id 1
[AC1-wlan-ap-1]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations of the
radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1]ap-name ap2
After APs are added, their status will change from fault to config, and then to normal. If the AP status does not change to normal several minutes after the AP is added, check the configuration of VLAN, DHCP, and AP authentication.
<AC1>display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------
ID  MAC             Name  Group      IP           Type      State  STA  Uptime
-------------------------------------------------------------------------
0   4cfa-cabe-eb60  ap1   ap-group1  10.1.10.253  AP4030DN  nor    0    31S
1   4cfa-cabf-d0c0  ap2   ap-group1  10.1.10.254  AP4030DN  nor    0    58S
-------------------------------------------------------------------------
Total: 2
Step6 Configuring WLAN Service Parameters
Configure SSID Profile.
Create SSID profiles employeeX, voiceX and guestX, and set SSIDs to employeeX, voiceX and guestX, respectively.
[AC1]wlan
[AC1-wlan-view]ssid-profile name employee1
[AC1-wlan-ssid-prof-employee1]ssid employee1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-employee1]quit
[AC1-wlan-view]ssid-profile name voice1
[AC1-wlan-ssid-prof-voice1]ssid voice1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-voice1]quit
[AC1-wlan-view]ssid-profile name guest1
[AC1-wlan-ssid-prof-guest1]ssid guest1
[AC1-wlan-vap-prof-voice1]quit
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]forward-mode tunnel
[AC1-wlan-vap-prof-guest1]service-vlan vlan-id 13
[AC1-wlan-vap-prof-guest1]ssid-profile guest1
[AC1-wlan-vap-prof-guest1]quit
Configure AP groups to use the regulatory domain profile and VAP profile. When AP group ap-groupX uses VAP profile employeeX, set VAP ID to 1. When AP group ap-groupX uses VAP profile voiceX, set VAP ID to 2. When AP group ap-groupX uses VAP profile guestX, set VAP ID to 3. Radios 0 and 1 on the AP use the configuration of the VAP profile.
[AC1-wlan-view]ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1]vap-profile employee1 wlan 1 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile voice1 wlan 2 radio all
[AC1-wlan-ap-group-ap-group1]vap-profile guest1 wlan 3 radio all
[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1
[AC1-wlan-ap-group-ap-group1]quit
2.3 Verification
2.3.1 Checking the VAP Status
The AC automatically delivers WLAN service configurations to APs. After the service configuration is complete, run the display vap ssid guestX and display vap ssid employeeX commands. If the value of Status in the command output is ON, the VAPs have been created on AP radios.
[AC1]display vap ssid employee1
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
-------------------------------------------------------------------------
0      ap1      0     1    4CFA-CABE-EB60  ON      Open       0    employee1
0      ap1      1     1    4CFA-CABE-EB70  ON      Open       0    employee1
1      ap2      0     1    4CFA-CABF-D0C0  ON      Open       0    employee1
Total: 4
[AC1]display vap ssid voice1
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
-------------------------------------------------------------------------
0      ap1      0     2    4CFA-CABE-EB61  ON      Open       0    voice1
0      ap1      1     2    4CFA-CABE-EB71  ON      Open       0    voice1
1      ap2      0     2    4CFA-CABF-D0C1  ON      Open       0    voice1
1      ap2      1     2    4CFA-CABF-D0D1  ON      Open       1    voice1
-------------------------------------------------------------------------
Total: 4
station all commands on the AC. The command output shows that the STAs are connected to the WLANs.
[AC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address   SSID
-------------------------------------------------------------------------
1041-7f67-01b1  1      ap2      0/2      2.4G  11n   65/52  -70   12    10.1.12.254  voice1
-------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
On the wireless terminal, ping the IP address of the simulated public network interface on the switch.
C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface MEth0/0/1
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
protocol inbound all
user-interface vty 16 20
#
return
2.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
local-user huawei password irreversible-cipher $1a$Rdtw.<{XxT$m[E}YnfM9<l9]\T7EhW67M~m$u/u6<PP~C$O&*bV$
local-user huawei privilege level 3
local-user huawei service-type telnet
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
stp disable
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
#
capwap source interface vlanif10
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
ssid-profile name guest1
ssid guest1
ssid-profile name voice1
ssid voice1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-id 13
ssid-profile guest1
vap-profile name voice1
service-vlan vlan-id 12
ssid-profile voice1
vap-profile name default
vap-profile name employee1
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
rrm-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 1
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 2
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
ap-id 0 type-id 43 ap-mac 4cfa-cabe-eb60 ap-sn 21500826412SG8918066
ap-name ap1
ap-group ap-group1
ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
ap-name ap2
ap-group ap-group1
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
3.1.2 Topology
3.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group 1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.
The following table describes device connections.
Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20
The following table describes an AC parameter configuration template.
Name: ap-groupX
VAP ID 1: VAP profile: guestX
regulatory domain profile: domainX
RADIUS Server Profile
Name: huawei Key: huawei
Security Profile voiceX
Name: guestX
Forwarding mode: tunnel forwarding
Service VLAN: 13
Referenced profile: SSID profile guestX
Security Profile guestX
Topology: layer2 and layer 3 bypass topology
3.2 Experiment Task
3.2.1 Configuration Procedure
Step1 Configuring WEP Authentication
Huawei AC supports six access security policies, and every VAP profile can apply any of these policies.
Security Policy    Policy Explain
open
[AC1]wlan
[AC1-wlan-view]security-profile name test
[AC1-wlan-sec-prof-test]security ?
open       Open system
wapi       WLAN authentication and privacy infrastructure
wep        Wired equivalent privacy
wpa        Wi-Fi protected access
wpa-wpa2   Wi-Fi protected access version 1&2
wpa2       Wi-Fi protected access version 2
SSID guestX uses WEP share-key authentication, with the WEP key type set to WEP-40 and the password guest.
Create security profile guestX with the encryption key guest. A WEP key can be one of three types: WEP-40, WEP-104, or WEP-128.
If WEP-40 is used, the WEP key is 10 hexadecimal characters or 5 ASCII characters.
If WEP-104 is used, the WEP key is 26 hexadecimal characters or 13 ASCII characters.
If WEP-128 is used, the WEP key is 32 hexadecimal characters or 16 ASCII characters.
[AC1]wlan
[AC1-wlan-view]security-profile name guest1
[AC1-wlan-sec-prof-guest1]security wep
[AC1-wlan-sec-prof-guest1]security wep share-key
[AC1-wlan-sec-prof-guest1]wep key 0 wep-40 pass-phrase guest
Warning: The current password is too simple. For the sake of security,
you are advised to set a password containing at least two of the
following: lowercase letters a to z, uppercase letters A to Z, digits,
and special characters. Continue? [Y/N]:y
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
Bind security profile guestX to VAP profile guestX.
[AC1]wlan
[AC1-wlan-view]vap-profile name guest1
[AC1-wlan-vap-prof-guest1]security-profile guest1
[AC1-wlan-vap-prof-guest1]quit
Check the security profile configuration for WEP.
[AC1-wlan-view]display security-profile name guest1
------------------------------------------------------------
Encryption : WEP-40
------------------------------------------------------------
WEP's configuration
Key 0 : *****
Key 1 : *****
Key 2 : *****
Key 3 : *****
Default key ID : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update : disable
PTK update interval(s) : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename : -
ASU certificate filename : -
AC certificate filename : -
AC private key filename : -
WAPI source interface : -
Authentication server IP : -
WAI timeout(s) : 60
BK update interval(s) : 43200
BK lifetime threshold(%) : 70
USK update method : Time-based
USK update interval(s) : 86400
MSK update method : Time-based
MSK update interval(s) : 86400
Cert auth retrans count : 3
USK negotiate retrans count : 3
MSK negotiate retrans count : 3
------------------------------------------------------------
Run the display access-user ssid guest1 command on the AC. The command output shows that the STAs are connected to the SSID.
[AC1-wlan-view]display access-user ssid guest1
----------------------------------------------------------------------
UserID  Username      IP address   MAC             Status
----------------------------------------------------------------------
51      48437c4b8f16  10.1.13.252  4843-7c4b-8f16  Open
----------------------------------------------------------------------
Total: 1, printed: 1
[AC1-wlan-view]display access-user ssid guest1
----------------------------------------------------------------------
UserID  Username      IP address   MAC             Status
----------------------------------------------------------------------
54      10417f6701b1  10.1.13.254  1041-7f67-01b1  Open
----------------------------------------------------------------------
Total: 1, printed: 1
Run the display station sta-mac XX command on the AC to display the status of an STA, including the SSID of the WLAN to which the STA connects, online duration, authentication type, and VLAN. The output below shows that the cipher type of STA 1041-7f67-01b1 is WEP-40.
-----------------------------------------------------------------------
Station MAC-address : 1041-7f67-01b1
Station IP-address : 10.1.13.254
Station gateway : 10.1.13.1
Associated SSID : guest1
Station online time(ddd:hh:mm:ss) : 000:00:18:26
The upstream SNR(dB) : 25.0
The upstream aggregate receive power(dBm) : -70.0
Station connect rate(Mbps) : 54
Station connect channel : 165
Station inactivity time(ddd:hh:mm:ss) : 000:00:00:00
Station current state
Authorized for data transfer : YES
PMF negotiation : No
Station's HT capability : Q
Station ERP element : 0
Station capabilities : EP
Station PMF capabilities : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities : No
VHT explicit beamforming capabilities : No
MU-MIMO capabilities : No
Station's RSSI(dBm) : -70
Station's radio mode : 11a
Station's AP Name : ap2
Station's Radio ID : 1
Station's Authentication Method : WEP+Share
Station's Cipher Type : WEP-40
Station's User Name : 10417f6701b1
Station's Vlan ID : 13
Station's Channel Band-width : 20MHz
Station's asso BSSID : 4cfa-cabf-d0d2
Station's state : Asso with auth
Station's QoS Mode : WMM
Station's HT Mode : -
Station's MCS value : 0
Station's Short GI : nonsupport
Station's roam state : Yes
Station supported band : 2.4G/5G
Station support 802.11k : Yes
Station support 802.11r : No
Station support 802.11v : No
------------------------------------------
AP name RfID SNR RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI        AC-VO        AC-BE        AC-BK
-------------------------------------------------------
not-support  not-support  not-support  not-support
-------------------------------------------------------
Configure security profile voice1 (security-profile name voice1) with encryption mode TKIP and the PSK password voicevoice.
[AC1-wlan-view]security-profile name voice1
[AC1-wlan-sec-prof-voice1]security wpa psk pass-phrase voicevoice tkip
Warning: The current password is too simple. For the sake of security,
you are advised to set a password containing at least two of the
following: lowercase letters a to z, uppercase letters A to Z, digits,
and special characters. Continue? [Y/N]:y
[AC1-wlan-sec-prof-voice1]quit
Bind security profile voiceX to VAP profile voiceX.
[AC1-wlan-view]vap-profile name voice1
[AC1-wlan-vap-prof-voice1]security-profile voice1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-voice1]quit
The WPA-PSK configuration is now complete, and the connection can be tested.
C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
[AC1-wlan-view]display security-profile name voice1
------------------------------------------------------------
Security policy : WPA PSK
Encryption : TKIP
------------------------------------------------------------
WEP's configuration
Key 0 : *****
Key 1 : *****
Key 2 : *****
Key 3 : *****
Default key ID : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update : disable
PTK update interval(s) : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename : -
ASU certificate filename : -
AC certificate filename : -
AC private key filename : -
WAPI source interface : -
Authentication server IP : -
WAI timeout(s) : 60
BK update interval(s) : 43200
BK lifetime threshold(%) : 70
USK update method : Time-based
Run the display access-user ssid voice1 command on the AC. The command output shows that the STAs are connected to the SSID.
Run the display station sta-mac XX command on the AC to display the status of an STA, including the SSID of the WLAN to which the STA connects, online duration, authentication type, and VLAN.
[AC1-wlan-view]display station sta-mac 1041-7f67-01b1
-------------------------------------------------------------------------
Station MAC-address : 1041-7f67-01b1
Station IP-address : 10.1.12.254
Station gateway : 10.1.12.1
Associated SSID : voice1
Station online time(ddd:hh:mm:ss) : 000:00:09:21
The upstream SNR(dB) : 32.0
The upstream aggregate receive power(dBm) : -63.0
Station connect rate(Mbps) : 54
Station connect channel : 165
Station inactivity time(ddd:hh:mm:ss) : 000:00:00:00
Station current state
Authorized for data transfer : YES
QoS enabled : YES
ERP enabled : No
HT rates enabled : No
Power save mode enabled : YES
Auth reference held : No
UAPSD enabled : No
UAPSD triggerable : No
UAPSD SP in progress : No
This is an ATH node : No
WDS workaround req : No
WDS link : No
PMF negotiation : No
Station's HT capability : Q
Station ERP element : 0
Station capabilities : EP
Station PMF capabilities : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities : No
VHT explicit beamforming capabilities : No
MU-MIMO capabilities : No
Station's RSSI(dBm) : -63
Station's radio mode : 11a
Station's AP Name : ap2
Station's Radio ID : 1
Station's Authentication Method : WPA-PSK
Station's Cipher Type : TKIP
Station's User Name : 10417f6701b1
Station's Vlan ID : 12
Station's Channel Band-width : 20MHz
Station's asso BSSID : 4cfa-cabf-d0d1
Station's state : Asso with auth
Station's QoS Mode : WMM
Station's HT Mode : -
Station's MCS value : 0
Station's Short GI : nonsupport
Station's roam state : Yes
Station supported band : 2.4G/5G
Station support 802.11k : Yes
Station support 802.11r : No
Station support 802.11v : No
Available to trigger roam : Yes
Is sticky client now : No
Trigger aimless roam while sticky : Yes
Neighbor list:
------------------------------------------
AP name RfID SNR RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI        AC-VO        AC-BE        AC-BK
-------------------------------------------------------
not-support  not-support  not-support  not-support
-------------------------------------------------------
authentication server.
The authentication server for this experiment is already set up with the IP address 10.254.1.100 and the password huawei. The test account is huawei, with the password Huawei@123.
Configure the RADIUS service gateway on the S5700.
[S5700] vlan batch 200
[AC1-radius-huawei]radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100
[AC1-radius-huawei]radius-server shared-key cipher huawei
[AC1-radius-huawei]undo radius-server user-name domain-included
[AC1-radius-huawei]quit
Configure and test AAA.
[AC1-aaa]authentication-scheme radius
[AC1-aaa-authen-radius]authentication-mode radius
[AC1-aaa-authen-radius]quit
[AC1-aaa]accounting-scheme radius
[AC1-aaa-accounting-radius]accounting-mode radius
[AC1-aaa-accounting-radius]accounting realtime 15
[AC1-aaa-accounting-radius]quit
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius
[AC1-aaa-domain-default]radius-server huawei
[AC1]test-aaa huawei Huawei@123 radius-template huawei
[AC1]
Info: Account test succeed.
If the account test fails, ignore it for now and continue with the configuration.
Configure access profile dot1x-access-profile name employeeX.
[AC1-dot1x-access-profile-employee1]quit
Configure authentication profile authentication-profile name employeeX.
Bind the access profile, authentication scheme, accounting scheme and RADIUS server to the authentication profile.
[AC1]authentication-profile name employee1
[AC1-authentication-profile-employee1]dot1x-access-profile employee1
[AC1-authentication-profile-employee1]authentication-scheme radius
[AC1-authentication-profile-employee1]accounting-scheme radius
[AC1-authentication-profile-employee1]radius-server huawei
[AC1-authentication-profile-employee1]quit
[AC1]wlan
[AC1-wlan-view]security-profile name employee1
[AC1-wlan-sec-prof-employee1]security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-sec-prof-employee1]quit
Bind the security profile and authentication profile to VAP profile employeeX.
[AC1]wlan
[AC1-wlan-view]vap-profile name employee1
[AC1-wlan-vap-prof-employee1]security-profile employee1
[AC1-wlan-vap-prof-employee1]authentication-profile employee1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-employee1]quit
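The three policies configured in this procedure (WEP share-key for guestX, WPA-PSK with TKIP for voiceX, WPA2 802.1X with AES for employeeX) are easy to lose track of once several VAP profiles exist. The following Python script is an added example, not part of the original guide or of any Huawei tool: it follows the ap-group, vap-profile and security-profile references in a saved AC configuration and grades each SSID that an AP group broadcasts. The sample configuration is constructed, the lobby1 profiles are hypothetical, and treating a VAP profile without a security-profile line as open is an assumption based on the Open auth type that display vap reports in section 2.3.1.

```python
import re

# Constructed sample in the flat saved-configuration layout of section 2.4.2.
# Cipher text is a placeholder; the lobby1 profiles are hypothetical additions.
SAMPLE_CONFIG = """\
wlan
security-profile name guest1
security wep share-key
wep key 0 wep-40 pass-phrase CIPHERTEXT-PLACEHOLDER
security-profile name voice1
security wpa psk pass-phrase CIPHERTEXT-PLACEHOLDER tkip
security-profile name employee1
security wpa2 dot1x aes
ssid-profile name guest1
ssid guest1
ssid-profile name voice1
ssid voice1
ssid-profile name employee1
ssid employee1
ssid-profile name lobby1
ssid lobby1
vap-profile name guest1
ssid-profile guest1
security-profile guest1
vap-profile name voice1
ssid-profile voice1
security-profile voice1
vap-profile name employee1
ssid-profile employee1
security-profile employee1
vap-profile name lobby1
ssid-profile lobby1
ap-group name ap-group1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
vap-profile lobby1 wlan 4
#
"""

HEADER = re.compile(r"^([a-z0-9-]+) name (\S+)$")

def parse_blocks(text):
    """Map (kind, name) -> body lines; works with or without indentation."""
    blocks, body = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            body = blocks.setdefault((header.group(1), header.group(2)), [])
        elif line == "#" or line.startswith("ap-id "):
            body = None  # end of the WLAN view, or start of a per-AP block
        elif body is not None and line:
            body.append(line)
    return blocks

def classify(sec_body):
    """Grade a security profile body: open, wep, weak, ok or review."""
    policy = next((l for l in sec_body if l.startswith("security ")), "security open")
    mode, cipher = policy.split()[1], policy.split()[-1]
    if mode == "open":
        return "open", "no authentication or encryption"
    if mode == "wep":
        return "wep", "WEP keys can be recovered from captured traffic"
    if mode == "wpa2" and cipher == "aes":
        return "ok", "wpa2 with aes"
    if mode in ("wpa", "wpa-wpa2", "wpa2"):
        return "weak", f"{mode} with {cipher}: WPA version 1 or TKIP still accepted"
    return "review", f"policy {mode} is not graded by this script"

def _ref(body, key, default="default"):
    """Value of the first '<key> <value>' line in a block body, else the default."""
    return next((l.split()[1] for l in body if l.startswith(key + " ")), default)

def audit(text):
    """Return one finding per VAP profile that an AP group references."""
    blocks = parse_blocks(text)
    bound = {l.split()[1] for (kind, _), body in blocks.items() if kind == "ap-group"
             for l in body if l.startswith("vap-profile ")}
    findings = []
    for vap in sorted(bound):
        body = blocks.get(("vap-profile", vap), [])
        ssid_prof, sec_prof = _ref(body, "ssid-profile"), _ref(body, "security-profile")
        ssid = _ref(blocks.get(("ssid-profile", ssid_prof), []), "ssid", ssid_prof)
        sec_body = blocks.get(("security-profile", sec_prof))
        if sec_body is None and sec_prof != "default":
            status, detail = "review", f"security profile {sec_prof} is not defined here"
        else:
            status, detail = classify(sec_body or [])
        findings.append({"ssid": ssid, "vap": vap, "status": status, "detail": detail})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['status']:6} ssid={f['ssid']:10} vap={f['vap']:10} {f['detail']}")
```

VAP profiles that no AP group references are not reported, because they are not broadcast.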
3.3 Verification
3.3.1 Connect an STA to the WLAN
Connect an iPhone to the WLAN with SSID employeeX.
3.3.2 Checking the Users Status
Check the security profile configuration.
<AC1>display security-profile name employee1
------------------------------------------------------------
Security policy : WPA2 802.1x
Encryption : AES
PMF : disable
------------------------------------------------------------
WEP's configuration
Key 0 : *****
Key 1 : *****
Key 2 : *****
Key 3 : *****
Default key ID : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update : disable
PTK update interval(s) : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename : -
ASU certificate filename : -
AC certificate filename : -
AC private key filename : -
WAPI source interface : -
Authentication server IP : -
WAI timeout(s) : 60
BK update interval(s) : 43200
BK lifetime threshold(%) : 70
USK update method : Time-based
USK update interval(s) : 86400
MSK update method : Time-based
MSK update interval(s) : 86400
Cert auth retrans count : 3
USK negotiate retrans count : 3
MSK negotiate retrans count : 3
------------------------------------------------------------
Run the display access-user ssid XX command on the AC. The command output shows
that the STAs are connected to the SSID.
<AC1>display access-user ssid employee1
------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------
31 huawei1 10.1.11.254 1041-7f67-01b1 Success
------------------------------------------------------------------------
Total: 1, printed: 1
Run the display station sta-mac XX command on the AC to display the status of an STA,
including the SSID of the WLAN to which the STA connects, online duration,
authentication type, and VLAN.
<AC1>display station sta-mac 1041-7f67-01b1
-------------------------------------------------------------------------
Station MAC-address : 1041-7f67-01b1
Station IP-address : 10.1.12.254
Station gateway : 10.1.12.1
Associated SSID : voice1
The upstream SNR(dB) : 27.0
The upstream aggregate receive power(dBm) : -68.0
UAPSD triggerable : No
UAPSD SP in progress : No
This is an ATH node : No
WDS workaround req : No
WDS link : No
PMF negotiation : No
Station's HT capability : Q
Station ERP element : 0
Station capabilities : EP
Station PMF capabilities : PMFC=0,PMFR=0
Station VHT capabilities
256QAM capabilities : No
VHT explicit beamforming capabilities : No
MU-MIMO capabilities : No
Station's RSSI(dBm) : -68
Station's radio mode : 11a
Station's AP Name : ap1
Station's Radio ID : 1
Station's Authentication Method : WPA-PSK
Station's Cipher Type : TKIP
Station's User Name : 10417f6701b1
Station's Vlan ID : 12
Station's Channel Band-width : 20MHz
Station's asso BSSID : 4cfa-cabe-eb71
Station's state : Asso with auth
Station's QoS Mode : WMM
Station's HT Mode : -
Station's MCS value : 0
Station's Short GI : nonsupport
Station's roam state : No
Station supported band : 2.4G/5G
Station support 802.11k : Yes
Station support 802.11r : No
Station support 802.11v : No
Available to trigger roam : Yes
Neighbor list:
------------------------------------------
AP name RfID SNR RCPI
------------------------------------------
------------------------------------------
Total: 0
U-APSD list:
-------------------------------------------------------
AC-VI AC-VO AC-BE AC-BK
-------------------------------------------------------
not-support not-support not-support not-support
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port default vlan 200
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
protocol inbound all
user-interface vty 16 20
#
return
3.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name employee1
dot1x-access-profile employee1
authentication-scheme radius
accounting-scheme radius
radius-server huawei
#
lldp enable
#
dhcp enable
#
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme radius
accounting-mode radius
accounting realtime 15
domain default
authentication-scheme radius
radius-server huawei
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher %^%#uJB_C`rL0AlCEZFlUV~XbB|i7&J2GGq8<uIqvXL!Zk%|6("6{.4Sxn>e0#.K%^%#
local-user admin privilege level 15
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
stp disable
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#zx5kPs")cO.^IG;R6J^5nd^JU_|q",$FD,E.s%@9CaEk5yD*QDiGKR&$73e;T^(&JH\gl'IkR|DmZ=0C%^%#
snmp-agent community write %^%#bSWeA`C;H5A98pQDivZ4mR\LSzVDEHibs|Gln%zJW[vB~(`4KElv:@:;H:BMM=5^F$Ab1,k4LJ;xbEb=%^%#
snmp-agent sys-info version v2c
snmp-agent
#
ssh client first-time enable
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name test
security-profile name guest1
security wep share-key
wep key 0 wep-40 pass-phrase %^%#)~{E64X##X|h6647iii5.y8.)yr"2@":|):-T.B/%^%#
security-profile name voice1
security wpa psk pass-
vap-profile name default
vap-profile name employee1
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
authentication-profile employee1
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 1
4.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.
Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20

eSight Server IP            172.21.11.20
eSight Server password      Name: admin Password: Huawei@123
SNMP read only community    publicRO
Step2 Configuring SNMP Parameters
Configure the AC SNMP communities and a static route.
[AC1]snmp-agent community read publicRO
[AC1]snmp-agent community write privateRW
[AC1]snmp-agent sys-info version v2c
[AC1]ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
Step3 Configuring eSight to Discover the AC
After the PC connects to the WLAN, enter the URL http://172.21.11.20:8080 to access the eSight
server (user name: admin, password: Huawei@123). The initial user name and password are
admin/Changeme123; you need to change the initial password when you first log in to eSight.
Use the Google Chrome or Firefox browser.
After logging in to eSight, select the pull-down menu “Resource” and click “Add Device”.
Refer to the parameters below.
IP Address                    172.21.11.X+2
Name                          ACX
SNMP Version                  V2C
Read Only Community           publicRO
Write Community               privateRW
Telnet Authentication mode    Password
Password                      Admin@123
Click “OK” when you have finished. If “Success” is displayed, the configuration
succeeded.
Configure VLANIF and DHCP Server
Select the pull-down menu “Business > WLAN Management > Configuration and Deployment”.
Add devices on base configuration.
Configure Channel. Click “Base configuration > Channel Configuration” and set the allowed
VLANs and PVID for the interface group.
Step1 Configuring AP Online
Configure the AP authentication mode and AC source address.
Click “Global AC Configuration > AC > ”, select Resource AC1.
Create VAP profiles employeeX. Set the data forwarding mode for employeeX to tunnel
forwarding. Configure the service VLAN and bind the profile to the security profile and
SSID profile.
Configure AP groups ap-groupX to use the VAP profile.
After finishing the steps above, the APs are still not online. Configure the SSH function on the
AC and test SFTP to eSight. Username: admin, password: Changeme123.
[AC6005]ssh client first-time enable
[AC6005]sftp 172.21.0.11 31922
Please input the username:admin
Trying 172.21.0.11 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? (y/n)[n]:y
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 172.21.0.11. Please wait...
Enter password:
sftp-client>
Click “System > Network Management Settings > Polling Settings”. Configure the polling
interval to bring the APs online.
Check the AP status. Two APs are online.
4.3 Verification
4.3.1 Connect an STA to the WLAN
Connect STAs to the WLANs with SSIDs employeeX.
C:\Users\zWX>ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms
4.4 Reference Configuration
4.4.1 S5700 Configuration
#
sysname S5700
#
vlan batch 10 to 13 200
#
lldp enable
#
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface MEth0/0/1
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port default vlan 200
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
4.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.1.10.100
portal local-server https ssl-policy default_policy port 2000
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
portal-access-profile guest1
authentication-profile name macportal_authen_profile
authentication-profile name guest1
portal-access-profile guest1
authentication-profile name employee1
dot1x-access-profile employee1
authentication-scheme radius
radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
portal local-server enable
#
portal-access-profile name guest1
portal local-server enable
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.10.100
#
ip pool employee1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
dns-list 114.114.114.114
#
ip pool voice1
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool guest1
gateway-list 10.1.13.1
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user guest01 privilege level 0
local-user guest01 service-type web
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
snmp-agent community write %^%#atYiX7&TjG<o\Y/.2Y-V/8bVI&sGJOTB4$0Y@{"2$306$`dp;=7cULM)*$.3Q!lXY<}!y7jZ,7BS"NNY%^%#
snmp-agent sys-info version v2c
snmp-agent
#
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif10
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name guest1
security-profile name voice1
security wpa psk pass-phrase %^%#0)RfPJm>L58cY+4*K);#E~]V)7`\406bJM4syy*%%^%# tkip
security-profile name default
security-profile name employee1
security wpa2 dot1x aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#]7|J"`LHnEQ=,-GJS[q&>M">Qsqw;9mb8$0`_=6I%^%# aes
ssid-profile name guest1
ssid guest1
ssid-profile name voice1
ssid voice1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-id 13
ssid-profile guest1
security-profile guest1
authentication-profile portal_authen_profile
vap-profile name voice1
service-vlan vlan-id 12
ssid-profile voice1
security-profile voice1
vap-profile name default
vap-profile name employee1
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
authentication-profile employee1
mesh-handover-profile name default
ap-group ap-group1
ap-id 1 type-id 43 ap-mac 4cfa-cabf-d0c0 ap-sn 21500826412SG8919901
ap-group ap-group1
provision-ap
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name employee1
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
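The reference configurations above keep several legacy settings: SNMP v2c communities, Telnet on the VTY lines, WEP and TKIP security profiles, and old SSH, TLS and IKE algorithms. The following added example, which is not part of the original guide, is a small Python audit that flags those lines in a saved configuration. The rule names, the `audit` function and the sample excerpt (lines taken from this page, with constructed cipher text) are this example's own assumptions.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    block: str   # enclosing configuration block, "" at top level
    text: str    # offending line with cipher text masked


# (rule id, required enclosing block prefix or None, pattern, reason)
RULES = [
    ("tls-legacy", None, r"^version\b.*\btls1\.[01]\b",
     "SSL policy still offers TLS 1.0/1.1"),
    ("ike-weak-dh", "ike proposal", r"^dh group[12]$",
     "IKE proposal uses a 768-bit or 1024-bit DH group"),
    ("snmp-community", None, r"^snmp-agent sys-info version\b.*\b(v1|v2c|all)\b",
     "SNMPv1/v2c carries community strings unencrypted"),
    ("ssh-first-time", None, r"^ssh client first-time enable$",
     "SSH client accepts an unknown server key on first contact"),
    ("ssh-weak-cipher", None,
     r"^ssh (server|client) secure-algorithms cipher\b.*\b(3des|aes\d+_cbc)\b",
     "SSH offers 3DES or CBC-mode ciphers"),
    ("ssh-weak-hmac", None,
     r"^ssh (server|client) secure-algorithms hmac\b.*\b(md5|sha1)",
     "SSH offers MD5 or SHA-1 based MACs"),
    ("vty-telnet", "user-interface vty", r"^protocol inbound (all|telnet)$",
     "VTY lines accept Telnet logins"),
    ("wep", "security-profile name", r"^security wep\b",
     "SSID is protected with WEP"),
    ("tkip", "security-profile name", r"^security wpa\S*\s.*\btkip$",
     "SSID allows TKIP"),
]
COMPILED = [(rid, parent, re.compile(pat)) for rid, parent, pat, _ in RULES]
REASONS = {rid: why for rid, _, _, why in RULES}

# Lines that open a block whose children the rules above care about.
BLOCK_RE = re.compile(r"^(user-interface|security-profile name|ike proposal)\b")
# VRP cipher text is wrapped in %^%#...%^%# or %@%@...%@%@; keep it out of reports.
MASK_RE = re.compile(r"(%\^%#|%@%@).*?\1")


def audit(config_text):
    """Return a Finding for every line that matches a rule.

    Lines are stripped first, so the check also works on listings whose
    indentation was lost, like the flattened ones printed in this guide.
    """
    findings, block = [], ""
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "#":              # "#" separates top-level sections
            block = ""
            continue
        if BLOCK_RE.match(line):
            block = line
            continue
        for rid, parent, rx in COMPILED:
            if parent and not block.startswith(parent):
                continue
            if rx.search(line):
                findings.append(
                    Finding(line_no, rid, block, MASK_RE.sub("<masked>", line)))
    return findings


# Constructed excerpt: lines from this page, cipher text replaced by a dummy value.
SAMPLE = """\
#
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
encryption-algorithm aes-256
dh group2
#
snmp-agent sys-info version v2c
#
ssh client first-time enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
security-profile name guest1
security wep share-key
security-profile name voice1
security wpa psk pass-phrase %^%#CONSTRUCTED%^%# tkip
security-profile name employee1
security wpa2 dot1x aes
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        where = f.block or "top level"
        print(f"line {f.line_no:>2} [{f.rule}] {where}: {f.text}  ({REASONS[f.rule]})")
```

The employee1 profile (`security wpa2 dot1x aes`) and the 3.4.2 SSH lines that list only `aes256_ctr aes128_ctr` and `sha2_256` pass without findings.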
5.1.2 Topology
5.1.3 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.
Group No.   AC-Switch Port   AP-Switch Port
1           AC1—G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2—G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3—G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4—G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5—G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6—G0/0/6       AP11-G0/0/19, AP12-G0/0/20
The following table describes an AC parameter configuration template.
AC Configuration                       Trainee Group X
Console Port Login Password            Admin@123
Device                                 ACX
AP Management VLAN                     VLAN:X0 IP:10.1.X0.100
Service VLAN (Employee)                VLAN:X1 IP:10.1.X1.100
AC Source interface (L3 Networking)    VLANif 80X IP:10.1.20X.100
Step1 Configuring a Switch
Configure the VLAN and Trunk on switch S5700, and set the VLANIF80X IP address.
[S5700]vlan batch 801
[S5700]int GigabitEthernet 0/0/1
[S5700-GigabitEthernet0/0/1]port trunk allow-pass vlan 801
[S5700-GigabitEthernet0/0/1]quit
[S5700]int Vlanif 801
[S5700-Vlanif801]ip address 10.1.201.1 24
[S5700-Vlanif801]quit
Step2 Configuring Basic AC Parameters
Update the VLAN and Trunk configuration, and set the VLANIF80X IP address.
[AC1]vlan 801
[AC1-vlan801]quit
[AC1]interface GigabitEthernet 0/0/8
[AC1-GigabitEthernet0/0/8]port trunk allow-pass vlan 801
[AC1-GigabitEthernet0/0/8]quit
[AC1]interface Vlanif 801
[AC1-Vlanif801]ip address 10.1.201.100 24
[AC1-Vlanif801]quit
Modify the DHCP Option43 address to 10.1.201.100.
[AC1]ip pool ap
[AC1-ip-pool-ap]display this
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.10.100
#
[AC1-ip-pool-ap]undo option 43
[AC1-ip-pool-ap]option 43 sub-option 3 ascii 10.1.201.100
[AC1-ip-pool-ap]quit
Modify VAP Profile employeeX and voiceX forwarding mode to tunnel forwarding.
[AC1]wlan
5.3 Verification
5.3.1 Verify the L3 Network Status
The configuration of the L3 network is now finished, and all APs are online.
[AC1]display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------
0 4cfa-cabe-eb60 ap1 ap-group1 10.1.10.253 AP4030DN nor 0 6S
1 4cfa-cabf-d0c0 ap2 ap-group1 10.1.10.254 AP4030DN nor 1 26S
-------------------------------------------------------------------------
Total: 2
Check the station information.
[AC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
-------------------------------------------------------------------------
1041-7f67-01b1 0 ap1 0/2 2.4G 11g 35/46 -64 12 10.1.12.254 voice1
-------------------------------------------------------------------------
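Step2 above moves the AC address carried in DHCP Option 43 from 10.1.10.100 to 10.1.201.100, and the APs learn their AC from that value. The following added example, not part of the original guide, decodes an Option 43 payload taken from a DHCP offer and checks that it advertises only the expected AC. It assumes the RFC 2132 encapsulated layout (one-byte sub-option code, one-byte length, value) with a comma-separated ASCII address list in sub-option 3; the function names are this example's own.

```python
import ipaddress

AC_LIST_SUBOPTION = 3  # matches "option 43 sub-option 3 ascii ..." on this page


def encode_option43(ac_addresses):
    """Build the Option 43 payload for a list of AC IPv4 addresses."""
    value = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses).encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("AC list must fit in one sub-option (1..255 bytes)")
    return bytes([AC_LIST_SUBOPTION, len(value)]) + value


def decode_suboptions(payload):
    """Walk the code/length/value triples; reject truncated or overrunning ones."""
    subs, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = payload[i], payload[i + 1]
        end = i + 2 + length
        if end > len(payload):
            raise ValueError(f"sub-option {code} claims {length} bytes, payload too short")
        subs[code] = payload[i + 2:end]
        i = end
    return subs


def advertised_acs(payload):
    """Return the AC addresses in sub-option 3, validated as IPv4 addresses."""
    raw = decode_suboptions(payload).get(AC_LIST_SUBOPTION, b"")
    if not raw:
        return []
    return [str(ipaddress.IPv4Address(p.strip())) for p in raw.decode("ascii").split(",")]


def check_offer(payload, expected_ac):
    """Compare what a DHCP offer advertises with the AC the APs should join."""
    acs = advertised_acs(payload)
    unexpected = [a for a in acs if a != expected_ac]
    return {"advertised": acs, "unexpected": unexpected,
            "ok": bool(acs) and not unexpected}


# Constructed payloads: the value before and after the Step2 change.
STALE = encode_option43(["10.1.10.100"])
UPDATED = encode_option43(["10.1.201.100"])

if __name__ == "__main__":
    for name, payload in (("before", STALE), ("after", UPDATED)):
        print(name, payload.hex(), check_offer(payload, "10.1.201.100"))
```

An offer that still carries the old address, or an address nobody configured, shows up in `unexpected`.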
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port default vlan 200
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;|J%=/[d[O@L[qD[Xhh~,3[~S(Zs:\Ot8H6*x_MAW=N$3[B,%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %@%@`KL`QN[h79h[6AS2ggdT<+Hjaz5lH\hpS4]~^/-CFvtO+Hm<%@%@
protocol inbound all
user-interface vty 16 20
#
return
5.4.2 AC Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
undo portal url-encode enable
#
ssl renegotiation-rate 1
#
vlan batch 10 to 13 801 4090
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
authentication-profile name employee1
dot1x-access-profile employee1
authentication-scheme radius
accounting-scheme radius
radius-server huawei
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
radius-server template huawei
radius-server authentication 10.254.1.100 1812 source ip-address 10.1.10.100 weight 80
radius-server accounting 10.254.1.100 1813 source ip-address 10.1.10.100 weight 80
e n
ike proposal default
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool employee
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool voice
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool guest
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme radius
accounting-mode radius
accounting realtime 15
domain default
authentication-scheme radius
radius-server huawei
domain default_admin
authentication-scheme default
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
stp disable
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent community read %^%#zx5kPs")cO.^IG;R6J^5nd^JU_|q",$FD,E.s%@9CaEk5yD*QDiGKR&$73e;T^(&JH\gl'IkR|DmZ=0C%^%#
snmp-agent community write %^%#bSWeA`C;H5A98pQDivZ4mR\LSzVDEHibs|Gln%zJW[vB~(`4KElv:@:;H:BMM=5^F$Ab1,k4LJ;xbEb=%^%#
snmp-agent sys-info version v2c
#
snmp-agent
ssh client first-time enable
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#1<n6!"VC7VQQj=/vGNXG}:Eu&6zT3'C<qU9G'>N8A~"fK_+WA~0De+C]/yW"%^%#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
T.B/%^%#
security-profile name voice1
security wpa psk pass-phrase %^%#'B_NS~.4,Fh#8YX{gfeV}Ekj=<[Gi){`xT>QmnG>%^%# tkip
security-profile name default
security-profile name employee1
security wpa2 dot1x aes
security-profile name default-wds
security wpa2 psk pass-phrase %^%#CB&>,Q$BB>x\Fn"|^%qToSj.2]:%J"+-qK%aTJ_0%^%# aes
security-profile name default-mesh
service-vlan vlan-id 13
ssid-profile guest1
security-profile guest1
vap-profile name voice1
forward-mode tunnel
service-vlan vlan-id 12
ssid-profile voice1
security-profile voice1
vap-profile name default
vap-profile name employee1
service-vlan vlan-id 11
ssid-profile employee1
security-profile employee1
authentication-profile employee1
mesh-handover-profile name default
mesh-profile name default
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
regulatory-domain-profile domain1
radio 0
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 1
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
radio 2
vap-profile employee1 wlan 1
vap-profile voice1 wlan 2
vap-profile guest1 wlan 3
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
Backup the configuration of AC
Reset the configuration of AC
6.1.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses
group 1 as an example to illustrate rules for configuring the device name, VLAN, and
Trunk.
The following table describes device connections.
Group No.   AC-Switch Port   AP-Switch Port
1           AC1-G0/0/1       AP1-G0/0/10, AP2-G0/0/11
2           AC2-G0/0/2       AP3-G0/0/12, AP4-G0/0/13
3           AC3-G0/0/3       AP5-G0/0/14, AP6-G0/0/15
4           AC4-G0/0/4       AP7-G0/0/15, AP8-G0/0/16
5           AC5-G0/0/5       AP9-G0/0/17, AP10-G0/0/18
6           AC6-G0/0/6       AP11-G0/0/19, AP12-G0/0/20
Item                             Parameter
Management IP                    172.21.11.X+2
Backup Configuration File name   acvrpcfg.zip
FTP account                      Name: ftp Password: Huawei@123
FTP Directory                    Flash:/
6.2 Experiment Task
6.2.1 Configuration Procedure
Step1 Save the Configuration
Use the save command to save the current configuration to the storage device.
<AC1>save acvrpcfg.zip
Are you sure to save the configuration to acvrpcfg.zip? (y/n)[n]:y
It will take several minutes to save configuration file, please wait........
Configuration file has been saved successfully
Note: The configuration file will take effect after being activated
Using the dir command, you can view information about the files and directories on the
storage device.
<AC1>dir
Directory of sdcard:/
0 -rw- 1,883 May 13 2016 16:19:42 002f_sftpsync_53.xml
1 -rw- 3,266 Nov 11 2016 15:16:11 AC6005-1.cfg
FitAP6X10XN_V200R006C10SPC100.bin
18 -rw- 1,575 Jun 20 2015 08:06:29 LICQPZQ6F614HF_210235681310F6000040.dat
19 -rw- 1,253 Nov 11 2016 14:37:26 local.cer
20 drw- - Nov 11 2016 19:36:33 localuser
21 drw- - Oct 11 2016 18:22:34 logfile
22 drw- - Jan 01 2013 09:49:36 lost+found
23 -rw- 59,025 Nov 12 2016 18:13:15 mon_file.txt
24 drw- - Nov 12 2016 18:13:14 pmdata
25 -rw- 855 Aug 23 2016 15:24:27 private-data.txt
26 -rw- 1,260 Nov 11 2016 19:38:25 rsa_host_key.efs
27 -rw- 540 Nov 11 2016 19:38:25 rsa_server_key.efs
28 -rw- 1,807,526 Oct 21 2015 22:54:16 sacrule.dat
29 drw- - Jun 20 2015 07:32:17 security
30 drw- - Nov 11 2016 14:36:45 update
31 -rw- 1,395 Nov 11 2016 15:08:22 vrpcfg.zip
1,882,652 KB total (1,531,204 KB free)
Step2 Configuring FTP Service on AC
[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password irreversible-cipher Huawei@123 ftp-directory sdcard:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
Step3 Backup the Configuration to PC
D:\>ftp 192.168.100.200
connect 192.168.100.200.
User(192.168.100.200:(none)): ftp
The configuration file is now backed up on the PC. Find the file in D:/ and open it with
Notepad or WordPad.
Step4 Reset the Configuration
After you finish your practice, reset the configuration of the devices so that it does not
affect the next practice. Follow the procedure below to reset the configuration and reboot
the device.
<AC1>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
#
<AC1>reboot
Warning: All the configuration will be saved to the next startup configuration. Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
6.3 Verification
ssl renegotiation-rate 1
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_cbc_sha
#
ike proposal default
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher %^%#M`4JPQpOV5o%dg<#chz:0uQcV}F#{FY6"T-UeF>YO[l0C!OPI-!:hyJLvcXC%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client key-exchange dh_group14_sha1
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#h'O5Y|4b&.=,loK4{<@Qo0h6R~Q>oT[2{<X+y^:,Sg*tSthkTO("UiYv~tN<%^%#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
return
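A check for the verification in 6.3, added here as an example and not part of the Huawei guide: it scans a saved configuration text for settings the lab added (the FTP server, the ftp local user, address pools, extra VLANIF interfaces, non-default profiles) that the post-reset output above no longer contains. The rule list, the function names and the two sample texts are this example's own assumptions; the samples are constructed from configuration lines shown in this guide.

```python
import re

# Settings the lab adds to AC1; none appears in the post-reset output in 6.3.
# The patterns are this example's own assumptions, not a Huawei-provided list.
RESIDUE_RULES = [
    ("non-default RADIUS template", re.compile(r"^radius-server template (?!default$)")),
    ("DHCP address pool", re.compile(r"^ip pool\b")),
    ("extra VLANIF interface", re.compile(r"^interface Vlanif(?!1$)\d+$")),
    ("lab WLAN profile", re.compile(r"^(?:vap|ssid|security)-profile name (?!default)")),
    ("FTP server", re.compile(r"^ftp server enable$")),
    ("extra local user", re.compile(r"^local-user (?!admin\b)\S+")),
]

def split_stanzas(config_text):
    """Split a VRP configuration into stanzas; lines holding only '#' separate them."""
    stanzas = []
    for chunk in re.split(r"(?m)^\s*#\s*$", config_text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines and lines != ["return"]:
            stanzas.append(lines)
    return stanzas

def find_residue(config_text):
    """Return (stanza header, rule label, line) for each lab setting still present."""
    return [(stanza[0], label, line)
            for stanza in split_stanzas(config_text)
            for line in stanza
            for label, pattern in RESIDUE_RULES
            if pattern.search(line)]

# Constructed samples, abridged from configuration lines shown in this guide.
LAB_SAMPLE = """\
radius-server template huawei
#
ip pool ap
#
aaa
local-user admin service-type ssh http
local-user ftp service-type ftp
#
interface Vlanif801
#
ftp server enable
#
wlan
security-profile name default-wds
vap-profile name employee1
#
return
"""
RESET_SAMPLE = """\
radius-server template default
#
aaa
local-user admin service-type ssh http
#
interface Vlanif1
#
return
"""

if __name__ == "__main__":
    for header, label, line in find_residue(LAB_SAMPLE):
        print(f"[{header}] {label}: {line}")
```

An empty result for the configuration read back after the reboot means none of the listed lab settings survived the reset.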
6.4 Reference Configuration
6.4.1 Key Configuration
[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password irreversible-cipher Huawei@123 ftp-directory sdcard:/
7 Appendix
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.20.1 255.255.255.0
#
interface Vlanif21
ip address 10.1.21.1 255.255.255.0
#
interface Vlanif22
ip address 10.1.22.1 255.255.255.0
#
interface Vlanif23
interface Vlanif33
ip address 10.1.33.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.40.1 255.255.255.0
#
interface Vlanif41
ip address 10.1.41.1 255.255.255.0
#
interface Vlanif42
ip address 10.1.42.1 255.255.255.0
#
interface Vlanif43
ip address 10.1.43.1 255.255.255.0
#
interface Vlanif50
ip address 10.1.50.1 255.255.255.0
#
interface Vlanif51
ip address 10.1.51.1 255.255.255.0
#
interface Vlanif52
ip address 10.1.52.1 255.255.255.0
#
interface Vlanif53
ip address 10.1.53.1 255.255.255.0
#
interface Vlanif60
ip address 10.1.60.1 255.255.255.0
#
interface Vlanif61
ip address 10.1.61.1 255.255.255.0
#
interface Vlanif62
ip address 10.1.62.1 255.255.255.0
#
interface Vlanif63
ip address 10.1.63.1 255.255.255.0
#
interface Vlanif200
ip address 10.254.1.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface Vlanif802
ip address 10.1.202.1 255.255.255.0
#
interface Vlanif803
ip address 10.1.203.1 255.255.255.0
#
interface Vlanif804
ip address 10.1.204.1 255.255.255.0
#
interface Vlanif805
ip address 10.1.205.1 255.255.255.0
#
interface Vlanif806
ip address 10.1.206.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 13 801
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 to 23 802
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 to 33 803
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40 to 43 804
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 50 to 53 805
#
interface GigabitEthernet0/0/6
port trunk allow-pass vlan 60 to 63 806
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk allow-pass vlan 20 to 23
#
interface GigabitEthernet0/0/14
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/15
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 30 to 33
#
interface GigabitEthernet0/0/16
port link-type trunk
port trunk pvid vlan 40
port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/17
port link-type trunk
port trunk pvid vlan 40
port trunk allow-pass vlan 40 to 43
#
interface GigabitEthernet0/0/18
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/19
port trunk pvid vlan 50
port trunk allow-pass vlan 50 to 53
#
interface GigabitEthernet0/0/20
interface GigabitEthernet0/0/23
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 200
#
interface NULL0
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
interface LoopBack2
ip address 102.102.102.102 255.255.255.255
#
interface LoopBack3
ip address 103.103.103.103 255.255.255.255
#
interface LoopBack4
ip address 104.104.104.104 255.255.255.255
#
interface LoopBack5
ip address 105.105.105.105 255.255.255.255
#
interface LoopBack6
ip address 106.106.106.106 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@;($MM!"!U<_DW.Z.H!4L,$49.>!z*#!\EX>M5e+/7j&#$4<,%@%@
user-interface vty 0 4
user-interface vty 16 20
#
return