Wireless Access Controller (AC and Fit AP) V200R019C00 Web-Based Configuration Guide PDF

Wireless Access Controller (AC and Fit AP)
V200R019C00
Web-based Configuration Guide
Issue 03
Date 2020-03-08
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. i

Web-based Configuration Guide Contents
Contents
1 About This Document.............................................................................................................1

2 Getting Started........................................................................................................................ 3
2.1 Web Platform Overview........................................................................................................................................................ 3
2.2 Logging In to the Web Platform........................................................................................................................................ 4
2.3 Precautions for Using the Web Platform........................................................................................................................ 5
2.4 Web Page Description........................................................................................................................................................... 6
2.5 KPI Report Reference............................................................................................................................................................. 9
2.5.1 Access....................................................................................................................................................................................... 9
2.5.1.1 STA Association Success Rate....................................................................................................................................... 9
2.5.1.2 STA Authentication Success Rate................................................................................................................................ 9
2.5.1.3 Average Success Rate of Online Users................................................................................................................... 10
2.5.2 Coverage............................................................................................................................................................................... 11
2.5.2.1 Weak Coverage Ratio................................................................................................................................................... 11
2.5.2.2 Weak Coverage Ratio................................................................................................................................................... 11
2.5.2.3 Common Coverage Ratio............................................................................................................................................ 12
2.5.2.4 Superior Coverage Ratio.............................................................................................................................................. 13
2.5.3 Availability........................................................................................................................................................................... 13
2.5.3.1 Maximum Login Rate of 802.1X STAs in the Current Period.......................................................................... 13
2.5.3.2 Maximum Login Rate of Portal-authenticated STAs in the Current Period...............................................14
2.5.3.3 Maximum Length of the CAPWAP Receive Queue in the Current Period..................................................15
2.5.3.4 Maximum length of the CAPWAP Send Queue in the Current Period........................................................15
2.5.3.5 Average Latency of AP-AC Link.................................................................................................................................16
2.5.3.6 Maximum AP CPU Usage............................................................................................................................................ 16
2.5.3.7 Maximum AP Memory Usage....................................................................................................................................17
2.5.4 Capacity................................................................................................................................................................................ 18
2.5.4.1 2.4G Average Load Difference................................................................................................................................... 18
2.5.4.2 5G Average Load Difference...................................................................................................................................... 18
2.5.4.3 Neighbor Load Difference........................................................................................................................................... 19
2.5.4.4 Total association count................................................................................................................................................ 20
2.5.4.5 Average Number of Online STAs.............................................................................................................................. 20
2.5.4.6 Average Number of Active STAs............................................................................................................................... 21
2.5.4.7 Uplink Unicast Throughput........................................................................................................................................ 22
2.5.4.8 Uplink Multicast Throughput..................................................................................................................................... 22
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. ii

2.5.4.9 Uplink Broadcast Throughput....................................................................................................................................23

2.5.4.10 Downlink Unicast Throughput................................................................................................................................ 23
2.5.4.11 Downlink Multicast Throughput............................................................................................................................ 24
2.5.4.12 Downlink Broadcast Throughput........................................................................................................................... 25
2.5.4.13 Uplink Traffic Channel Occupancy Time............................................................................................................. 25
2.5.4.14 Downlink Traffic Channel Occupancy Time....................................................................................................... 26
2.5.4.15 Channel Occupancy Time of Interference Services.......................................................................................... 27
2.5.4.16 Channel High-Load Time.......................................................................................................................................... 27
2.5.5 Experience............................................................................................................................................................................ 28
2.5.5.1 Average Latency of Downlink Air Interface Queue............................................................................................28
2.5.5.2 Packet Loss Rate of Downlink Air Interface Queue........................................................................................... 28
2.5.6 Performance Gain..............................................................................................................................................................29
2.5.6.1 STA Unsteerability Rate............................................................................................................................................... 29
2.5.6.2 STA Steering Success Rate.......................................................................................................................................... 30
2.5.6.3 5G STA Proportion......................................................................................................................................................... 30
2.5.6.4 5G Access Proportion of 5G STAs............................................................................................................................. 31
2.5.6.5 Single-Stream Ratio of Upstream and Downstream......................................................................................... 32
2.5.6.6 Dual-Stream Ratio of Upstream and Downstream............................................................................................ 32
2.5.6.7 Three-Stream Ratio of Upstream and Downstream.......................................................................................... 33
2.5.6.8 Strongest Co-Channel Signal Strength................................................................................................................... 34
2.5.6.9 EDCA Collision Rate...................................................................................................................................................... 34
2.5.6.10 Packet Lost Rate of VI Queue................................................................................................................................. 35
2.5.6.11 Packet Lost Rate of VO Queue............................................................................................................................... 35
2.5.6.12 Average Latency of VI Queue..................................................................................................................................36
2.5.6.13 Average Latency of VO Queue............................................................................................................................... 37
2.5.6.14 Maximum Latency of VI Queue..............................................................................................................................37
2.5.6.15 Maximum Latency of VO Queue........................................................................................................................... 38
2.5.6.16 Packet Loss Rate of BE Queue................................................................................................................................ 38
2.5.6.17 Packet Loss Rate of BK Queue................................................................................................................................ 39
2.5.6.18 Average Latency of BE Queue.................................................................................................................................40
2.5.6.19 Average Latency of BK Queue................................................................................................................................ 40
2.5.6.20 Maximum Latency of BE Queue.............................................................................................................................41
2.5.6.21 Maximum Latency of BK Queue............................................................................................................................ 42
2.5.6.22 Average Latency of VI Queue (Power-saving Packets Are Not Counted)................................................42
2.5.6.23 Average Latency of VO Queue (Power-saving Packets Are Not Counted)..............................................43
2.5.6.24 Maximum Latency of VI Queue (Power-saving Packets Are Not Counted)............................................44
2.5.6.25 Maximum Latency of VO Queue (Power-saving Packets Are Not Counted)......................................... 44
3 Configuration Examples.......................................................................................................46
3.1 WLAN Common Service Configuration Examples..................................................................................................... 46
3.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1X Authentication)..................46
3.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal
Authentication)............................................................................................................................................................................. 57
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. iii

3.1.3 Example for Configuring High-Density WLAN Services....................................................................................... 68

3.1.4 Example for Configuring WLAN Backhaul................................................................................................................ 87
3.1.5 Example for Configuring Rail Transportation WLAN Services......................................................................... 101
3.1.6 Example for Configuring Agile Distributed Wi-Fi Services............................................................................... 117
3.1.7 Example for Configuring Rogue Device Detection and Containment.......................................................... 127
3.2 WLAN Basic Networking Configuration Examples................................................................................................. 137
3.2.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode............................................................ 137
3.2.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...........................................................146
3.2.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..........................................................156
3.2.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode........................................................ 166
3.2.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode............................................................ 177
3.2.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...........................................................190
3.2.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..........................................................203
3.2.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode........................................................ 214
3.2.9 Example for Configuring NAT Traversal Between the AC and APs............................................................... 225
3.2.10 Example for Configuring VPN Traversal Between the AC and APs............................................................. 235
3.2.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................. 247
3.2.12 Example for Configuring Back-to-Back WDS...................................................................................................... 261
3.2.13 Example for Configuring Common Mesh Services............................................................................................ 274
3.2.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 286
3.3 Authentication Configuration Examples.....................................................................................................................298
3.3.1 Example for Configuring External Portal Authentication..................................................................................299
3.3.2 Example for Configuring Built-in Portal Authentication for Local Users.....................................................309
3.3.3 Example for Configuring MAC Address-prioritized Portal Authentication..................................................321
3.3.4 Example for Configuring Built-in Portal Access Code Authentication.......................................................... 332
3.3.5 Example for Configuring 802.1X Authentication................................................................................................. 343
3.3.6 Example for Configuring Local EAP Authentication........................................................................................... 354
3.3.7 Example for Configuring MAC Address Authentication.....................................................................................364
3.3.8 Example for Configuring MAC Authentication for Local Users.......................................................................375
3.3.9 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............. 385
3.3.10 Example for Configuring Built-in Portal WeChat Authentication................................................................ 397
3.3.11 Example for Configuring External Portal Authentication (In HACA Mode).............................................405
3.4 Reliability Configuration Examples.............................................................................................................................. 417
3.4.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios................. 417
3.4.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios.........431
3.4.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)...................................... 443
3.4.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs................................................................... 451
3.4.5 Example for Configuring VRRP HSB......................................................................................................................... 460
3.4.6 Example for Configuring N+1 Backup (APs and ACs in different network segments)...........................472
3.4.7 Example for Configuring N+1 Backup (APs and ACs in the same network segment)........................... 485
3.5 Roaming Configuration Examples................................................................................................................................ 497
3.5.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 497
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. iv

3.5.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 510

3.5.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 522
3.5.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 535
3.5.5 Example for Configuring Agile Distributed SFN Roaming................................................................................ 548
3.6 Agile Distributed Networking Configuration Examples........................................................................................ 560
3.6.1 Example for Configuring an Agile Distributed WLAN........................................................................................ 560
3.7 High-Density Configuration Examples........................................................................................................................ 570
3.7.1 Example for Configuring High-Density WLAN Services.....................................................................................570
3.8 Example for Configuring Vehicle-Ground Communication..................................................................................589
3.8.1 Example for Configuring Vehicle-Ground Fast Link Handover....................................................................... 589
3.9 Radio Resource Management Configuration Examples........................................................................................ 605
3.9.1 Example for Configuring Dynamic Load Balancing............................................................................................ 605
3.9.2 Example for Configuring Static Load Balancing...................................................................................................608
3.9.3 Example for Configuring Band Steering (5G-Prior Access).............................................................................. 612
3.9.4 Example for Configuring Smart Roaming.............................................................................................................. 615
3.9.5 Example for Configuring Dynamic Bandwidth Selection for the 5GHz Radio...........................................618
3.10 Spectrum Analysis Configuration Examples........................................................................................................... 620
3.10.1 Example for Configuring Spectrum Analysis....................................................................................................... 620
3.11 WLAN Security Configuration Examples.................................................................................................................. 626
3.11.1 Example for Configuring Rogue Device Detection and Containment........................................................ 626
3.11.2 Example for Configuring Attack Detection.......................................................................................................... 636
3.11.3 Example for Configuring a WPA/WPA2-PPSK Security Policy....................................................................... 646
3.11.4 Example for Configuring the STA Blacklist and Whitelist...............................................................................652
3.12 WLAN QoS Configuration Examples......................................................................................................................... 662
3.12.1 Example for Configuring WMM and Priority Mapping................................................................................... 662
3.12.2 Example for Configuring Traffic Policing............................................................................................................. 666
3.12.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 669
3.12.4 Example for Configuring ACL-based Packet Filtering...................................................................................... 671
3.12.5 Example for Configuring Optimization for Voice and Video Services........................................................ 675
3.12.6 Example for Configuring Priorities for Skype4B Packets.................................................................................679
3.12.7 Example for Configuring a QoS Policy Based on Application Protocols (Direct Forwarding)........... 682
3.13 IoT Configuration Examples......................................................................................................................................... 686
3.13.1 Example for Configuring the Smart Retail IoT Solution - ESL...................................................................... 687
3.13.2 Example for Configuring the Healthcare IoT Solution.................................................................................... 697
3.13.3 Example for Configuring the Education IoT Solution - Student Health and Safety..............................708
3.13.4 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Hotspot Service and
Customer Flow Analysis.......................................................................................................................................................... 717
3.13.5 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Indoor Navigation..729
3.13.6 Example for Configuring the Shopping Mall and Supermarket Solution - Personnel and Asset
Management............................................................................................................................................................................... 738
3.14 WLAN Enhanced Services Configuration Examples............................................................................................. 746
3.14.1 Example for Configuring WLAN-based E-Schoolbag....................................................................................... 747
3.14.2 Example for Configuring WLAN Hotspot2.0 Services...................................................................................... 761
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. v

3.14.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection......................... 776
3.14.4 Example for Configuring Channel Switching Without Service Interruption.............................................784
3.14.5 Example for Configuring the Soft GRE Service...................................................................................................792
3.14.6 Example for Configuring CAC Based on the Number of Multicast Group Memberships....................804
3.14.7 Example for Configuring an AP to Protect STAs From Obtaining Bogus IP Addresses........................ 815
3.14.8 Example for Configuring One-Click Fault Location for the AP and AC..................................................... 822
3.14.9 Example for Configuring AP Loopback................................................................................................................. 824
3.14.10 Configuring Ethernet over GRE to Enable Layer 2 Communication Between an AC and a Wireless
Gateway........................................................................................................................................................................................ 825
3.14.11 Example for Configuring an AC and APs to Report KPI Information....................................................... 834
3.14.12 Intelligent Upgrade (AC+Fit AP)........................................................................................................................... 838
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. vi

Web-based Configuration Guide 1 About This Document
1 About This Document
Overview
This document describes how to configure and maintain your device using the
web platform.
Intended Audience
This document is intended for network engineers responsible for WLAN
configuration and management. You should be familiar with basic Ethernet
knowledge and have extensive experience in network deployment and
management.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a potentially hazardous

situation which, if not avoided, could
result in equipment damage, data loss,
performance deterioration, or
unanticipated results.
NOTICE is used to address practices
not related to personal injury.
NOTE Calls attention to important

information, best practices and tips.
NOTE is used to address information
not related to personal injury,
equipment damage, and environment
deterioration.
Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 1

Web-based Configuration Guide 1 About This Document
Command Conventions
The command conventions that may be found in this document are defined as
follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are

optional.
{ x | y | ... } Optional items are grouped in braces and separated

by vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and

separated by vertical bars. One item is selected or
no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated

by vertical bars. A minimum of one item or a
maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and

separated by vertical bars. Several items or no item
can be selected.
&<1-n> The parameter before the & sign can be repeated 1

to n times.
# A line starting with the # sign is comments.
The interface types, command outputs, and device models provided in this manual vary
according to device configurations and may differ from the actual information.
To obtain better user experience, you are advised to set the number of columns displayed
on the command line editor to 132 or higher.
The pages displayed on your web platform may be different from those in this document
and shall prevail.
On the web platform, you can only use a command editor of the UTF-8 encoding format to
edit Chinese characters.

Web-based Configuration Guide 2 Getting Started
2 Getting Started
About This Chapter
2.1 Web Platform Overview

2.2 Logging In to the Web Platform
2.3 Precautions for Using the Web Platform
2.4 Web Page Description
2.5 KPI Report Reference
2.1 Web Platform Overview

To help users to manage and maintain the wireless access controller, the wireless
access controller provides a built-in web server to enable a connected terminal
(for example, a PC) to access the web platform.
Figure 2-1 shows the running environment of the web platform.
Figure 2-1 Running environment of the web platform

FTP Client
Console
HTTP/HTTPS
Connection
AC PC
Web Client

The preceding figure shows the networking when a user completes initial configurations
through the console port. It is for reference only.
2.2 Logging In to the Web Platform

Before logging in to the web platform in wired connection mode, perform the
following tasks:
● The IP address of the device's access port has been configured.

● The device and your PC are properly connected.
● The device is running properly, and the HTTP and HTTPS services are correctly
configured.
● The web browser software has been installed on your PC.
● The IP address 169.254.1.1 has been configured on MEth0/0/1 of the AirEngine 9700-M,
AC6605 and AC6805 before the delivery.
● The IP address 169.254.1.1 has been configured on MEth0/0/1 of the ACU2 before the
delivery.
● The IP address 169.254.1.1 has been configured on VLANIF 1 of the AC6800V, AC6508,
AC6507S, AirEngine 9700S-S, and AC6005 before the delivery, and all GE interfaces on the
AC6508, AC6507S, AirEngine 9700S-S, AC6005 and all GE and XGE interfaces on the
AC6800V have been added to VLAN 1 by default.
● Before the device is delivered, the STelnet service has been configured on the device. The
STelnet port number is 22, and the default user name and password are respectively admin
and admin@huawei.com.
● Before the device is delivered, the HTTP and HTTPS services have been configured on the
device. The default port number is 80 for HTTP and 443 for HTTPS. The default user name
and password are respectively admin and admin@huawei.com.
Figure 2-2 show the running environment of the web platform that can be
managed and configured on your PC.
Figure 2-2 Running environment of the web platform
IP
Network
PC AC
Logging In to the AP
Step 1 Open a browser such as Internet Explorer 10.0, enter http://IP address or
https://IP address in the address box, for example, http://169.254.1.1 or https://
169.254.1.1, and press Enter. (169.254.1.1 is used as an example here. Enter the
actual IP address of the access interface.) The web platform login page is
displayed.

When a user logs in to a device through HTTP, the HTTPS login page is displayed. If the
HTTPS service is unavailable, for example, the HTTPS service is not enabled, or the HTTPS
service is enabled but not bound to an SSL policy, the incorrect page is displayed.
Step 2 Enter the login information.

1. Select a language.
The system supports English and Chinese. By default, the system uses the
same language as the browser.
2. Enter a user name and password.
The default user name and password are admin and admin@huawei.com.
3. Click Login.
To ensure security of the web platform, you are prompted to change the
password upon the first login, and log in to the web platform again.
If the login fails, the following possible causes are displayed at the same time:
● The user name or password is incorrect.: indicates that the entered user name or
password is incorrect. Click OK to check the user name and password. If they are
incorrect, enter them again.
● The user does not have the right to log in or the login right expires.: indicates that
the current online user has no permission to log in to the web platform. Contact
network administrators.
● The number of login users has reached the maximum value.: indicates that the
number of online web users reaches the upper limit. By default, the maximum number
of online web users is 5.
● The number of times the password is incorrectly entered has reached the limit, and
the user is locked.: indicates that the current login account is locked and will be
automatically unlocked after 5 minutes.
Step 3 Click Logout in the upper right corner to Log out of the web platform. The login
page is displayed.
Step 4 If you do not perform any operation within a specified duration (10 minutes by
default), you are logged out. To return to the login page, click OK.
----End
2.3 Precautions for Using the Web Platform

● The operating system required for web system login must be the Windows
7.0, Windows 8.0, Windows 8.1, or Windows 10.0.
● The web platform supports different browsers. You can log in to the web
system using the Internet Explorer 10.0, Internet Explorer 11.0, Firefox 61.0 to
Firefox 66.0, or Google Chrome 64.0 to Google Chrome 73.0 browsers. If the
version of your web browser is not supported, the web page may be displayed
incorrectly.
● When you log in to the web platform using Internet Explorer, the security
level cannot be set to High; otherwise, web pages cannot be displayed. When
accessing the web platform using the web proxy, choose Tools > Internet

Options > Advanced from the menu of Internet Explorer 8.0, and select Use
HTTP 1.1 through proxy connections. Choose Tools > Internet Options >
Security, click Custom level, and set Allow Scriptlets, Run ActiveX controls
and plug-ins, and Active scripting to Enable; otherwise, web pages cannot
be displayed. Internet Explorer 10.0 is used only as an example.
● If the message "Your browser's security settings are too high to complete this
process. See the help menu for instructions on adjusting your security
settings." is displayed during file upload, configure the Internet Explorer as
follows:
a. Choose Tools > Internet Options > Security > Custom Level.
b. Click Enable or Prompt next to Initialize and script ActiveX controls
not marked as safe for scripting.
If you click Enable, the file can be uploaded directly. If you click Prompt,
the message "An ActiveX control on this page might be unsafe to interact
with other parts of the page. Do you want to allow this interaction?" is
displayed. If you click Yes, the file can be uploaded.
c. Click Enable next to Include local directory path when uploading files
to a server.
● After the device software version changes or the HTTP/HTTPS port number is
changed, clear the browser cache before using the web platform. Otherwise,
web pages may be incorrectly displayed.
– When you log in to the web platform using the IE browser, choose Tools
> Internet Options > General, click Delete, select Temporary Internet
files and website files and Cookies and website data, and click Delete
to clear the browser cache. Here, Internet Explorer 10.0 is used as an
example.
– When you log in to the web platform using the Firefox browser, choose
Options > Privacy & Security, click Clear History, Time range to clear,
select Everything, select History and Data, and click Clear Now to clear
the browser cache. Here, Firefox 66.0 is used as an example.
– When you log in to the web platform using the Chrome browser, choose
History, click Clear browsing data, select Cookies and other site data
and Cached images and files, and click Clear browsing data to clear
the browser cache. Here, Chrome 73.0 is used as an example.
● The web platform does not support back, forward, and refresh buttons on the
browser. If you click these buttons, the web platform may return to the login
page.
2.4 Web Page Description

This section describes elements on the main page of the web platform and their
functions.
Layout
The main page of the web platform mainly includes the following areas, as shown
in Figure 2-3.

Figure 2-3 Main page of the web platform
Table 2-1 Layout

Are Name Description
a
1 Button You can click these buttons to save settings, get help
information, and log out of the platform.
2 Naviga Functions are displayed in a navigation tree.

tion The level-1 menu is on the upper left corner of the page, and
tree the level-2 menu is on the left of the page.
3 Operati You can configure functions or view function status in the

on area operation area.
Button
Buttons locate in the upper right corner of the main page.
Table 2-2 Buttons

Button Function
Save Commits the configured commands.

After modifying device configuration information on web pages, you
need to click Save to save the modification to the device
configuration file. Unsaved configuration information will be lost
after the device restarts.
Console Displays the command-line interface (CLI).

You can manage and maintain devices on the CLI.
Alarm &
You can click to quick open Alarm & Event page.
Event

Button Function
Logout Logs you out of the web platform.
To log out of the web platform, click . To log in to the web

platform, enter the user name and password.
Help Displays help-seeking page to obtain help.
Click or press F1. The help-seeking window is displayed.

If the browser automatically blocks pop-up windows, configure the
browser to allow the display of pop-up windows.
Languag Switches languages for the web platform.

e
● Click . The web page displays in English.
● Click . The web page displays in Chinese.
Common Web Platform Buttons

This section describes common web platform buttons.
Table 2-3 Common web platform buttons

Button Description
Create Displays the page for creating table entries and profiles.
Delete Deletes selected table entries or profiles.
Clear Clears table entries or profiles.
Refresh Updates information displayed on the current page.
Auto Automatically updates information displayed on the current page.

refresh
Apply Makes the current page configuration effective.
Confirm Makes the current page configuration effective.
Display Displays information of profiles that uses the current profile.

Reference
Searches for results.
Returns to the previous page from the current page.

2.5 KPI Report Reference
2.5.1 Access
2.5.1.1 STA Association Success Rate
KPI Description
This KPI indicates the STA association success rate within 30 minutes.
KPI Definition
KPI Name STA association success rate
Statistics VAP (SSID)

Object
Data Reported by APs

Source
Calculatio STA association success rate = (Number of successful association

n Formula attempts/Total number of association attempts) x 100%
Unit %
Reference 100%
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.1.2 STA Authentication Success Rate
KPI Description
This KPI indicates the STA authentication success rate in 802.1X and PSK mode
within 30 minutes.
KPI Definition
KPI Name STA authentication success rate


Object

Source
Calculatio STA authentication success rate = (Number of successful 802.1X

n Formula and PSK key negotiation attempts/Total number of successful
association attempts) x 100%
Uit %
Reference > 80%

Value
Data 30 minutes
Collection
Period
Remarks None
2.5.1.3 Average Success Rate of Online Users
KPI Description
This KPI indicates the average STA login success rate within 30 minutes.
KPI Definition
KPI Name Average success rate of online users

Object

Source
Calculatio Average success rate of online users = (Number of successful STA

n Formula login attempts/Total number of STA association attempts) x 100%
Unit %
Reference > 80%

Value
Data 30 minutes
Collection
Period
Remarks None

2.5.2 Coverage
2.5.2.1 Weak Coverage Ratio
KPI Description
This KPI indicates the ratio of wireless packets in weak coverage areas with the
RSSI less than -75 dBm within 30 minutes.
KPI Definition
KPI Name Weak coverage ratio
Statistics Radio
Object

Source
Calculatio Weak coverage ratio = (Number of wireless packets in weak

n Formula coverage ares with RSSI less than -75 dBm/Total number of
wireless packets in all areas) x 100%
Unit %
Reference < 0.5%

Value
Data 30 minutes
Collection
Period
Remarks The reported value will be multiplied by 10 before being reported.

The reported value is displayed on the device.
2.5.2.2 Weak Coverage Ratio
KPI Description
This KPI indicates the ratio of wireless packets in common coverage areas with the
RSSI in the range from -75 dBm to -65 dBm within 30 minutes.
KPI Definition
KPI Name Common coverage ratio
Statistics Radio
Object


Source
Calculatio Common coverage ratio = (Number of wireless packets in

n Formula common coverage areas with the RSSI in the range from -75 dBm
to -65 dBm/Total number of wireless packets in all areas) x 100%
Unit %
Reference < 5%
Value
Data 30 minutes
Collection
Period

2.5.2.3 Common Coverage Ratio
KPI Description
This KPI indicates the ratio of wireless packets in good coverage areas with the
RSSI in the range from -65 dBm to -50 dBm within 30 minutes.
KPI Definition
KPI Name Good coverage ratio
Statistics Radio
Object

Source
Calculatio Good coverage ratio = (Number of wireless packets in good

n Formula coverage areas with the RSSI in the range from -65 dBm to -50
dBm/Total number of wireless packets in all areas) x 100%
Unit %
Reference N/A
Value
Data 30 minutes
Collection
Period


2.5.2.4 Superior Coverage Ratio
KPI Description
This KPI indicates the ratio of wireless packets in superior coverage areas with the
RSSI greater than or equal to -50 dBm within 30 minutes.
KPI Definition
KPI Name Superior coverage ratio
Statistics Radio
Object

Source
Calculatio Superior coverage ratio = (Number of wireless packets in superior

n Formula coverage areas with the RSSI greater than or equal to -50 dBm/
Total number of wireless packets in all ares) x 100%
Unit %
Reference N/A
Value
Data 30 minutes
Collection
Period

2.5.3 Availability
2.5.3.1 Maximum Login Rate of 802.1X STAs in the Current Period
KPI Description
This KPI indicates the maximum login rate of 802.1X-authenticated STAs within 30
minutes.
KPI Definition
KPI Name Maximum login rate of 802.1X STAs in the current period
Statistics AC
Object

Data Self-owned data of the AC

Source
Calculatio Maximum online rate of 802.1X STAs in the current period =

n Formula Maximum login rate of 802.1X-authenticated STAs within 30
minutes
Unit STAs per second
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks An AC collects statistics about the STA login rate every 5 seconds.
2.5.3.2 Maximum Login Rate of Portal-authenticated STAs in the Current

Period
KPI Description
This KPI indicates the maximum login rate of Portal-authenticated STAs within 30
minutes.
KPI Definition
KPI Name Maximum login rate of Portal STAs in the current period
Statistics AC
Object

Source
Calculatio Maximum login rate of Portal STAs in the current period =

n Formula Maximum login rate of Portal-authenticated STAs within 30
minutes
Unit STAs per second
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks An AC collects statistics about the STA login rate every 5 seconds.

2.5.3.3 Maximum Length of the CAPWAP Receive Queue in the Current

Period
KPI Description
This KPI indicates the maximum length of the CAPWAP receive queue within 30
minutes.
KPI Definition
KPI Name Maximum length of the CAPWAP receive queue in the current
period
Statistics AC
Object

Source
Calculatio Maximum length of the CAPWAP receive queue in the current

n Formula period = Maximum length of the CAPWAP receive queue within 30
minutes
Unit None
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.3.4 Maximum length of the CAPWAP Send Queue in the Current Period
KPI Description
This KPI indicates the maximum length of the CAPWAP transmit queue within 30
minutes.
KPI Definition
KPI Name Maximum length of the CAPWAP send queue in the current period
Statistics AP
Object

Source

Calculatio Maximum length of the CAPWAP send queue in the current period
n Formula = Maximum length of the CAPWAP transmit queue within 30
minutes
Unit None
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.3.5 Average Latency of AP-AC Link
KPI Description
This KPI indicates the average latency of an AP-AC link within 30 minutes.
KPI Definition
KPI Name Average latency of AP-AC link
Statistics AP
Object

Source
Calculatio Average latency of AP-AC link = Total latency of Echo packets

n Formula reported by APs/Total number of Echo packets reported by APs
Unit ms
Reference < 50 ms
Value
Data 30 minutes
Collection
Period
Remarks APs periodically report Echo Request packets to an AC, calculate

the latency upon receipt of Echo Reply packets, and report the
latency to the AC. The AC then collects the latency for statistical
analysis.
2.5.3.6 Maximum AP CPU Usage

KPI Description
This KPI indicates the maximum CPU usage within 30 minutes.
KPI Definition
KPI Name Maximum AP CPU usage
Statistics AP
Object

Source
Calculatio Maximum AP CPU usage = Maximum CPU usage of an AP within

n Formula 30 minutes
Unit %
Reference < 90%

Value
Data 30 minutes
Collection
Period
Remarks An AP collects statistics about the CPU usage every 30 seconds.

The reported value will be multiplied by 10 before being reported.
2.5.3.7 Maximum AP Memory Usage
KPI Description
This KPI indicates the maximum memory usage within 30 minutes.
KPI Definition
KPI Name Maximum AP memory usage
Statistics AP
Object

Source
Calculatio Maximum AP memory usage = Maximum memory usage on an

n Formula AP within 30 minutes
Unit %
Reference < 84%

Value

Data 30 minutes
Collection
Period
Remarks An AP collects statistics on the memory usage every minute.
2.5.4 Capacity
2.5.4.1 2.4G Average Load Difference
KPI Description
This KPI indicates the average load difference of highly loaded 2.4 GHz radios
within 30 minutes.
KPI Definition
KPI Name 2.4G average load difference
Statistics AC
Object

Source
Calculatio 2.4G average load difference = Total load differences of all

n Formula neighboring highly loaded 2.4 GHz radios/Total number of highly
loaded 2.4 GHz radios participating in the statistics collection
Unit %
Reference < 15%

Value
Data 30 minutes
Collection
Period
Remarks The AC records the load difference between neighboring highly

loaded 2.4 GHz radios every 5 minutes.
Highly loaded 2.4 GHz radios include:
● 2.4 GHz radio of the AP with the CPU usage higher than or
equal to 60%
● 2.4 GHz radio with at least 20 online STAs.
2.5.4.2 5G Average Load Difference

KPI Description
This KPI indicates the average load difference of highly loaded 5 GHz radios within
30 minutes.
KPI Definition
KPI Name 5G average load difference
Statistics AC
Object

Source
Calculatio 5G average load difference = Total load differences of all

n Formula neighboring highly loaded 5 GHz radios/Total number of highly
loaded 5 GHz radios participating in the statistics collection
Unit %
Reference < 15%

Value
Data 30 minutes
Collection
Period
Remarks The AC records the load difference between neighboring highly

loaded 5 GHz radios every 5 minutes.
Highly loaded 5 GHz radios include:
● 5 GHz radio of the AP with the CPU usage higher than or equal
to 60%
● 5 GHz radio with at least 20 online STAs.
2.5.4.3 Neighbor Load Difference
KPI Description
This KPI indicates the load difference between the local and neighboring radios
within 30 minutes.
KPI Definition
KPI Name Neighbor load difference
Statistics Radio
Object

Source

Calculatio Neighbor load difference = (Total number of online STAs on the

n Formula local and neighboring radios)2/[(Total number of online STAs on
the local and neighboring radios)2 x Number of radios]
Unit %
Reference < 15%

Value
Data 30 minutes
Collection
Period
Remarks Online STAs on a radio include the STAs on the local radio and its
neighboring radios with the RSSI greater than or equal to -70
dBm.
2.5.4.4 Total association count
KPI Description
This KPI indicates the total number of association requests within 30 minutes.
KPI Definition
KPI Name Total association count

Object

Source
Calculatio Total association count = Total number of association requests

n Formula within 30 minutes
Unit None
Reference N/A
Value
Data 30min
Collection
Period
Remarks None
2.5.4.5 Average Number of Online STAs

KPI Description
This KPI indicates the average number of online STAs within 30 minutes.
KPI Definition
KPI Name Average number of online STAs

Object

Source
Calculatio Average number of online STAs = Total number of online STAs

n Formula collected for 30 times/30
Unit None
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks The AP collects the number of online STAs every minute.
2.5.4.6 Average Number of Active STAs
KPI Description
This KPI indicates the average number of active STAs within 30 minutes.
KPI Definition
KPI Name Average number of active STAs

Object

Source
Calculatio Average number of active STAs = Total number of active STAs

n Formula collected for 30 times/30
Unit None
Reference N/A
Value

Data 30 minutes
Collection
Period
Remarks The AP collects the number of active STAs (with service traffic)
every minute.
2.5.4.7 Uplink Unicast Throughput
KPI Description
This KPI indicates the uplink unicast throughput within 30 minutes.
KPI Definition
KPI Name Uplink unicast throughput

Object

Source
Calculatio Uplink unicast throughput = Total volume of uplink unicast service

n Formula
Unit Byte
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.8 Uplink Multicast Throughput
KPI Description
This KPI indicates the uplink multicast throughput within 30 minutes.
KPI Definition
KPI Name Uplink multicast throughput


Object

Source
Calculatio Uplink multicast throughput = Total volume of uplink multicast

n Formula traffic
Unit Byte
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.9 Uplink Broadcast Throughput
KPI Description
This KPI indicates the uplink broadcast throughput within 30 minutes.
KPI Definition
KPI Name Uplink broadcast throughput

Object

Source
Calculatio Uplink broadcast throughput = Total volume of uplink broadcast

n Formula traffic
Unit Byte
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.10 Downlink Unicast Throughput

KPI Description
This KPI indicates the downlink unicast throughput within 30 minutes.
KPI Definition
KPI Name Downlink unicast throughput

Object

Source
Calculatio Downlink unicast throughput = Total volume of downlink unicast

n Formula traffic
Unit Byte
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.11 Downlink Multicast Throughput
KPI Description
This KPI indicates the downlink multicast throughput within 30 minutes.
KPI Definition
KPI Name Downlink multicast throughput

Object

Source
Calculatio Downlink multicast throughput = Total volume of downlink

n Formula multicast traffic
Unit Byte
Reference N/A
Value

Data 30 minutes
Collection
Period
Remarks None
2.5.4.12 Downlink Broadcast Throughput
KPI Description
This KPI indicates the downlink broadcast throughput within 30 minutes.
KPI Definition
KPI Name Downlink broadcast throughput

Object

Source
Calculatio Downlink broadcast throughput = Total volume of downlink

n Formula broadcast traffic
Unit Byte
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.13 Uplink Traffic Channel Occupancy Time
KPI Description
This KPI indicates the channel occupancy time of the uplink service traffic within
30 minutes.
KPI Definition
KPI Name Uplink traffic channel occupancy time

Statistics Radio
Object

Source
Calculatio Uplink traffic channel occupancy time = Total channel occupancy

n Formula duration of the uplink service traffic
Unit s
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.14 Downlink Traffic Channel Occupancy Time
KPI Description
This KPI indicates the channel occupancy time of the downlink service traffic
within 30 minutes.
KPI Definition
KPI Name Downlink traffic channel occupancy time
Statistics Radio
Object

Source
Calculatio Downlink traffic channel occupancy time = Total channel

n Formula occupancy duration of the downlink service traffic
Unit s
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None

2.5.4.15 Channel Occupancy Time of Interference Services
KPI Description
This KPI indicates the channel occupancy time of air interface interference traffic
within 30 minutes.
KPI Definition
KPI Name Channel occupancy time of interference services
Statistics Radio
Object

Source
Calculatio Channel occupancy time of interference services = Total channel

n Formula occupancy duration of air interface interference traffic
Unit s
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.4.16 Channel High-Load Time
KPI Description
This KPI indicates the high-load time of a channel within 30 minutes.
KPI Definition
KPI Name Channel high-load time
Statistics Radio
Object

Source
Calculatio Channel high-load time = Total duration for the channel usage to
n Formula exceed 60% within 30 minutes
Unit s

Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks An AP calculates the channel usage every 5 seconds.
2.5.5 Experience
2.5.5.1 Average Latency of Downlink Air Interface Queue
KPI Description
This KPI indicates the average latency of the downlink air interface queue within
30 minutes.
KPI Definition
KPI Name Average latency of downlink air interface queue
Statistics Radio
Object

Source
Calculatio Average latency of downlink air interface queue = Total latency of

n Formula packets in the downlink air interface queue/Total number of
packets in the downlink air interface queue
Unit ms
Reference < 10 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.5.2 Packet Loss Rate of Downlink Air Interface Queue

KPI Description
This KPI indicates the packet loss rate of a downlink air interface queue within 30
minutes.
KPI Definition
KPI Name Packet loss rate of downlink air interface queue
Statistics Radio
Object

Source
Calculatio Packet loss rate of downlink air interface queue = (Number of

n Formula packets discarded in the downlink air interface queue/Total
number of packets sent from the downlink air interface queue) x
100%
Unit %
Reference < 10%

Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6 Performance Gain
2.5.6.1 STA Unsteerability Rate
KPI Description
This KPI indicates the STA unsteerability rate within 30 minutes.
KPI Definition
KPI Name STA unsteerability rate
Statistics AC
Object

Source

Calculatio STA unsteerability rate = Number of load balancing-triggered

n Formula steering failures/Total number of load balancing-triggered steering
attempts x 100%
Unit %
Reference < 10%

Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.2 STA Steering Success Rate
KPI Description
This KPI indicates the STA steering success rate within 30 minutes.
KPI Definition
KPI Name STA steering success rate
Statistics AC
Object

Source
Calculatio STA steering success rate = Number of load balancing-triggered

n Formula steering successes/Total number of load balancing-triggered
steering attempts x 100%
Unit %
Reference > 50%

Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.3 5G STA Proportion

KPI Description
This KPI indicates the ratio of 5G-capable STAs to all STAs within 30 minutes.
KPI Definition
KPI Name 5G STA proportion
Statistics AC
Object

Source
Calculatio 5G STA proportion = Number of 5G-capable STAs/Total number of

n Formula STAs x 100%
Unit %
Reference > 50%

Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.4 5G Access Proportion of 5G STAs
KPI Description
This KPI indicates the ratio of STAs actually connected to a 5 GHz network to all
5G-capable STAs within 30 minutes.
KPI Definition
KPI Name 5G access proportion of 5G STAs
Statistics AC
Object

Source
Calculatio 5G access proportion of 5G STAs = Number of STAs connected to a

n Formula 5 GHz network/Number of 5G-capable STAs x 100%
Unit %
Reference > 90%

Value

Data 30 minutes
Collection
Period
Remarks None
2.5.6.5 Single-Stream Ratio of Upstream and Downstream
KPI Description
This KPI indicates the packet receive/transmit ratio through a single stream within
30 minutes.
KPI Definition
KPI Name Single-stream ratio of upstream and downstream

Object

Source
Calculatio Single-stream ratio of upstream and downstream = Number of

n Formula packets received and transmitted through a single stream/Total
number of received and transmitted packets x 100%
Unit %
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.6 Dual-Stream Ratio of Upstream and Downstream
KPI Description
This KPI indicates the packet receive/transmit ratio through dual streams within 30
minutes.
KPI Definition
KPI Name Dual-stream ratio of upstream and downstream


Object

Source
Calculatio Dual-stream ratio of upstream and downstream = Number of

n Formula packets received and transmitted through dual streams/Total
Unit %
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.7 Three-Stream Ratio of Upstream and Downstream
KPI Description
This KPI indicates the packet receive/transmit ratio through three streams within
30 minutes.
KPI Definition
KPI Name Three-stream ratio of upstream and downstream

Object

Source
Calculatio Three-stream ratio of upstream and downstream = Number of

n Formula packets received and transmitted through three streams/Total
Unit %
Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None

2.5.6.8 Strongest Co-Channel Signal Strength
KPI Description
This KPI indicates the strongest co-channel signal strength within 30 minutes.
KPI Definition
KPI Name Strongest co-channel signal strength
Statistics Radio
Object

Source
Calculatio Strongest co-channel signal strength = Sum of strongest co-

n Formula channel signal strength collected for 30 times/30
Unit dBm
Reference N/A
Value
Data 30 min
Collection
Period
Remarks An AP collects the strongest co-channel signal strength every

minute.
2.5.6.9 EDCA Collision Rate
KPI Description
This KPI indicates the EDCA collision rate within 30 minutes.
KPI Definition
KPI Name EDCA collision rate
Statistics Radio
Object

Source
Calculatio EDCA collision rate = Total number of error packets of all STAs/
n Formula Total number of packets sent by the downlink queue of the radio x
100%
Unit %

Reference N/A
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.10 Packet Lost Rate of VI Queue
KPI Description
This KPI indicates the packet loss rate of a downlink air interface VI queue within
30 minutes.
KPI Definition
KPI Name Packet lost rate of VI queue
Statistics Radio
Object

Source
Calculatio Packet lost rate of VI queue = Packet loss rate of the downlink air
n Formula interface VI queue within 30 minutes
Unit %
Reference < 1%
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.11 Packet Lost Rate of VO Queue
KPI Description
This KPI indicates the packet loss rate of a downlink air interface VO queue within
30 minutes.

KPI Definition
KPI Name Packet lost rate of VO queue
Statistics Radio
Object

Source
Calculatio Packet lost rate of VO queue = Packet loss rate of the downlink air
n Formula interface VO queue within 30 minutes
Unit %
Reference < 1%
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.12 Average Latency of VI Queue
KPI Description
This KPI indicates the average latency of a downlink air interface VI queue within
30 minutes.
KPI Definition
KPI Name Average latency of VI queue
Statistics Radio
Object

Source
Calculatio Average latency of VI queue = Average latency of the downlink air

n Formula interface VI queue within 30 minutes
Unit ms
Reference < 20 ms
Value
Data 30 minutes
Collection
Period
Remarks None

2.5.6.13 Average Latency of VO Queue
KPI Description
This KPI indicates the average latency of a downlink air interface VO queue within
30 minutes.
KPI Definition
KPI Name Average latency of VO queue
Statistics Radio
Object

Source
Calculatio Average latency of VO queue = Average latency of the downlink

n Formula air interface VO queue within 30 minutes
Unit ms
Reference < 10 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.14 Maximum Latency of VI Queue
KPI Description
This KPI indicates the maximum latency of a downlink air interface VI queue
within 30 minutes.
KPI Definition
KPI Name Maximum latency of VI queue
Statistics Radio
Object

Source

Calculatio Maximum latency of VI queue = Maximum latency of the

n Formula downlink air interface VI queue within 30 minutes
Unit ms
Reference < 50 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.15 Maximum Latency of VO Queue
KPI Description
This KPI indicates the maximum latency of a downlink air interface VO queue
within 30 minutes.
KPI Definition
KPI Name Maximum latency of VO queue
Statistics Radio
Object

Source
Calculatio Maximum latency of VO queue = Maximum latency of the

n Formula downlink air interface VO queue within 30 minutes
Unit ms
Reference < 50 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.16 Packet Loss Rate of BE Queue
KPI Description
This KPI indicates the packet loss rate of a downlink air interface BE queue within
30 minutes.

KPI Definition
KPI Name Packet lost rate of BE queue
Statistics Radio
Object

Source
Calculatio Packet lost rate of BE queue = Number of packets in the BE queue

n Formula that fail to be sent over the air interface/(Number of packets in
the BE queue that fail to be sent over the air interface + Number
of packets in the BE queue that are successfully sent over the air
interface) x 100%
Unit %
Reference < 1%
Value
Data 30 minutes
Collection
Period
Remarks The air interface of an AP measures the numbers of packets in the

BE queue that are successfully sent and those that fail to be sent
over the air interface every minute.
2.5.6.17 Packet Loss Rate of BK Queue
KPI Description
This KPI indicates the packet loss rate of a downlink air interface BK queue within
30 minutes.
KPI Definition
KPI Name Packet lost rate of BK queue
Statistics Radio
Object

Source
Calculatio Packet lost rate of BK queue = Number of packets in the BK queue

n Formula that fail to be sent over the air interface/(Number of packets in
the BK queue that fail to be sent over the air interface + Number
of packets in the BK queue that are successfully sent over the air
interface) x 100%
Unit %

Reference < 1%
Value
Data 30 minutes
Collection
Period
Remarks The air interface of an AP measures the numbers of packets in the

BK queue that are successfully sent and those that fail to be sent
over the air interface every minute.
2.5.6.18 Average Latency of BE Queue
KPI Description
This KPI indicates the average latency of a downlink air interface BE queue within
30 minutes.
KPI Definition
KPI Name Average latency of BE queue
Statistics Radio
Object

Source
Calculatio Average latency of BE queue = Sum of latencies of packets

n Formula entering a downlink air interface BE queue in each minute within
30 minutes/30
Unit ms
Reference < 20 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.19 Average Latency of BK Queue
KPI Description
This KPI indicates the average latency of a downlink air interface BK queue within
30 minutes.

KPI Definition
KPI Name Average latency of BK queue
Statistics Radio
Object

Source
Calculatio Average latency of BK queue = Sum of latencies of packets

n Formula entering a downlink air interface BK queue in each minute within
30 minutes/30
Unit ms
Reference < 20 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.20 Maximum Latency of BE Queue
KPI Description
This KPI indicates the maximum latency of a downlink air interface BE queue
within 30 minutes.
KPI Definition
KPI Name Maximum latency of BE queue
Statistics Radio
Object

Source
Calculatio Maximum latency of BE queue = Maximum latency of packets

n Formula entering a downlink air interface BE queue within 30 minutes
Unit ms
Reference < 50 ms
Value
Data 30 minutes
Collection
Period

Remarks None
2.5.6.21 Maximum Latency of BK Queue
KPI Description
This KPI indicates the maximum latency of a downlink air interface BK queue
within 30 minutes.
KPI Definition
KPI Name Maximum latency of BK queue
Statistics Radio
Object

Source
Calculatio Maximum latency of BK queue = Maximum latency of packets

n Formula entering a downlink air interface BK queue within 30 minutes
Unit ms
Reference < 50 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.22 Average Latency of VI Queue (Power-saving Packets Are Not

Counted)
KPI Description
This KPI indicates the average latency of non-power-saving packets in a downlink
air interface VI queue within 30 minutes.
KPI Definition
KPI Name Average latency of VI queue(not include ps tid)
Statistics Radio
Object


Source
Calculatio Average latency of VI queue(not include ps tid) = Average latency

n Formula of non-power-saving user packets in a VI queue within 30 minutes
Unit ms
Reference < 10 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.23 Average Latency of VO Queue (Power-saving Packets Are Not

Counted)
KPI Description
This KPI indicates the average latency of non-power-saving packets in a downlink
air interface VO queue within 30 minutes.
KPI Definition
KPI Name Average latency of VO queue(not include ps tid)
Statistics Radio
Object

Source
Calculatio Average latency of VO queue(not include ps tid) = Average latency

n Formula of non-power-saving user packets in a VO queue within 30
minutes
Unit ms
Reference < 10 ms
Value
Data 30 minutes
Collection
Period
Remarks None

2.5.6.24 Maximum Latency of VI Queue (Power-saving Packets Are Not

Counted)
KPI Description
This KPI indicates the maximum latency of non-power-saving packets in a
downlink air interface VI queue within 30 minutes.
KPI Definition
KPI Name Maximum latency of VI queue(not include ps tid)
Statistics Radio
Object

Source
Calculatio Maximum latency of VI queue(not include ps tid) = Maximum

n Formula latency of non-power-saving user packets in a VI queue within 30
minutes
Unit ms
Reference < 30 ms
Value
Data 30 minutes
Collection
Period
Remarks None
2.5.6.25 Maximum Latency of VO Queue (Power-saving Packets Are Not

Counted)
KPI Description
This KPI indicates the maximum latency of non-power-saving packets in a
downlink air interface VO queue within 30 minutes.
KPI Definition
KPI Name Maximum latency of VO queue(not include ps tid)
Statistics Radio
Object

Source

Calculatio Maximum latency of VO queue(not include ps tid) = Maximum

n Formula latency of non-power-saving user packets in a VO queue within 30
minutes
Unit ms
Reference < 30 ms
Value
Data 30 minutes
Collection
Period
Remarks None

Web-based Configuration Guide 3 Configuration Examples
3 Configuration Examples
About This Chapter
3.1 WLAN Common Service Configuration Examples

3.2 WLAN Basic Networking Configuration Examples
3.3 Authentication Configuration Examples
3.4 Reliability Configuration Examples
3.5 Roaming Configuration Examples
3.6 Agile Distributed Networking Configuration Examples
3.7 High-Density Configuration Examples
3.8 Example for Configuring Vehicle-Ground Communication
3.9 Radio Resource Management Configuration Examples
3.10 Spectrum Analysis Configuration Examples
3.11 WLAN Security Configuration Examples
3.12 WLAN QoS Configuration Examples
3.13 IoT Configuration Examples
3.14 WLAN Enhanced Services Configuration Examples
3.1 WLAN Common Service Configuration Examples
3.1.1 Example for Configuring Internal Personnel to Access

the WLAN (802.1X Authentication)
Service Requirements
When users attempt to access the WLAN, they can use 802.1X clients for
authentication. After entering the correct user names and passwords, users can

connect to the Internet. Furthermore, users' services are not affected during
roaming in the coverage area.
Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as the DHCP server to assign IP
addresses to APs, and SwitchB functions as the DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
● WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 3-1 Networking diagram for configuring 802.1X authentication
Internet
Router
GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
AP
STA STA
Management VLAN：VLAN 100
Service VLAN：VLAN 101

Data Planning
Table 3-1 Data planning on the AC

Configuration Item Data
Management VLAN VLAN 100
Service VLAN VLAN 101
AC's source interface VLANIF 100: 10.23.100.1/24
DHCP server The AC functions as the DHCP server to assign

IP addresses to APs, and SwitchB functions as
the DHCP server to assign IP addresses to STAs.
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for the STAs 10.23.101.2-10.23.101.254/24
RADIUS authentication ● RADIUS server template name: wlan-net

parameters ● IP address: 10.23.103.1
● Authentication port number: 1812
● Shared key: huawei@123
● Authentication scheme: wlan-net
802.1X access profile ● Name: wlan-net

● Authentication mode: EAP
Authentication profile ● Name: wlan-net

● Bound profile and authentication scheme:
802.1X access profile wlan-net, RADIUS
server template wlan-net, and RADIUS
authentication scheme wlan-net
AP group ● Name: ap-group1

● Bound profile: VAP profile wlan-net and
regulatory domain profile default
Regulatory domain profile ● Name: default

● Country code: China
SSID profile ● Name: wlan-net

● SSID name: wlan-net
Security profile ● Name: wlan-net

● Security policy: WPA-WPA2+802.1X+AES

VAP profile ● Name: wlan-net

● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Bound profiles: SSID profile wlan-net,
security profile wlan-net, and authentication
profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When
configuring the security policy, select 802.1X and RADIUS authentication, and
set the RADIUS server parameters.
5. Configure third-party server interconnection parameters.
The AC and server must have the same RADIUS shared key.
Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN
101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to
VLAN104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a
default route with the next hop of the address of Router.
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network
segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB-Vlanif101] dhcp select interface
Step 3 Configure system parameters for the AC.

1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.
# Click Next. The Port Configuration page is displayed.

2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to
Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and
VLAN 102.
If the AC and AP are directly connected, set the default VLAN of the interface connected to
the AP to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnection.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.
# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.
Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.102.1.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select
Vlanif100.

# Click Next. The Confirm Settings page is displayed.

5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.
# Click Batch Import. The Batch Import page is displayed. Click to

download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following

example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.
# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.

# Confirm the configuration and click Continue With Wireless Service

Configuration.
Step 5 Configure WLAN services

1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.
3. # Click Next. The Security Authentication page is displayed.

4. # Set Security settings to 802.1x authentication, and configure parameters of
the external RADIUS server.
5. # Click Next. The Access Control page is displayed.

6. # Set Binding the AP group to ap-group1.
7. # Click Finish.
Step 6 Set the AP channel and power.

1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio

Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable

the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.
# The configuration of Radio 1 is similar to that of Radio0. Disable automatic

channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
Step 7 Configure third-party server interconnection parameters.
For the detailed configuration, see the related product documentation.
Step 8 Verify the configuration.
● The WLAN with SSID wlan-net is available for STAs connected to the AP.
● The wireless PC obtains an IP address after it associates with the WLAN.
● Use the 802.1X authentication client on a STA and enter the correct user
name and password. The STA is authenticated and can access the WLAN. You
must configure the client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties
dialog box, add SSID wlan-net, set the authentication mode to
WPA2, and encryption algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click
Properties. In the Protected EAP Properties dialog box, deselect
Validate server certificate and click Configure. In the displayed
dialog box, deselect Automatically use my Windows logon name
and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select
Manually create a network profile. Add SSID wlan-net. Set the
authentication mode to WPA2-Enterprise, and encryption algorithm
to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network
Properties page that is displayed, select the Security tab page and
click Settings. In the Protected EAP Properties dialog box, deselect

iii. On the Wireless Network Properties page, click Advanced settings.

On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
----End
3.1.2 Example for Configuring Guests to Access the WLAN

(MAC Address-prioritized Portal Authentication)
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: MAC address-prioritized Portal authentication
● Security policy: open

Figure 3-2 Networking for configuring MAC address-prioritized Portal

authentication
RADIUS
Server
10.23.102.1
Port: 1812
Portal
Server IP DNS
10.23.103.1 Network Server
Port: 50200 8.8.8.8
Router
GE1/0/0
VLANIF101
Management VLAN: VLAN100 10.23.101.2
Service VLAN: VLAN101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning
Table 3-2 AC data planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs
DHCP The AC functions as a DHCP server to assign IP addresses to APs.

server SwitchB functions as a DHCP server to assign IP addresses to STAs.
The default gateway address of STAs is 10.23.101.2.
IP address 10.23.100.2–10.23.100.254/24
pool for
APs

Item Data
IP address 10.23.101.3–10.23.101.254/24
pool for
STAs
AC's VLANIF100: 10.23.100.1/24

source
interface
address

● Referenced profile: VAP profile wlan-net and regulatory domain
profile default
Regulatory ● Name: default

domain ● Country code: China
profile
SSID ● Name: wlan-net

profile ● SSID name: wlan-net
Security ● Name: wlan-net

profile ● Security policy: open
RADIUS Name of the RADIUS authentication scheme: wlan-net

authentica Name of the RADIUS accounting scheme: wlan-net
tion
parameter Name of the RADIUS server template: wlan-net
s ● IP address: 10.23.102.1
● Shared key: Huawei123
Portal ● Name: wlan-net

server ● IP address: 10.23.103.1
template
● Destination port number in the packets that the AC sends to the
Portal server: 50200
● Portal shared key: Huawei123

access ● Referenced profile: Portal server template wlan-net
profile
MAC Name:wlan-net
access
profile
Authentica ● Name: default_free_rule

tion-free ● Authentication-free resource: IP address of the DNS
rule profile server(8.8.8.8)

Item Data
Authentica ● Name: wlan-net

tion Profile ● Referenced profile: Portal access profile wlan-net, MAC access
profile wlan-net, RADIUS server template wlan-net,
authentication-free rule profile default_free_rule and
VAP ● Name: wlan-net

profile ● Forwarding mode: tunnel forwarding
● Referenced profile: SSID profile wlan-net, security profile wlan-
net and Authentication profile wlan-net
2. Select Config Wizard to configure system parameters for the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication
on the AC using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes

Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
[SwitchA] vlan batch 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
[SwitchB] vlan batch 100 101
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
[Router] vlan batch 101
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8

page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type

to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

3. Configuring network interconnections.


# Click OK. An address pool for VLANIF 100 is configured.

page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.


Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and select
MAC address-prioritized. Under External Portal Server Configuration, set the
server name, IP address, shared-key, port number, and server URL. Under External
RADIUS Sever Configuration, set the server name, authentication server IP
address, and shared key.
# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile.The Profile Management page
is displayed.

2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

3. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.
4. When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.

5. Assume that the MAC address validity period configured on the server is 60
minutes. If a user is disconnected from the wireless network for 5 minutes
and reconnects to the network, the user can directly access the network. If a
user is disconnected from the wireless network for 65 minutes and reconnects
to the network, the user will be redirected to the Portal authentication page.
----End
More Information
(Video) Example for Configuring Guests to Access the WLAN (MAC Address-
prioritized Portal Authentication)
3.1.3 Example for Configuring High-Density WLAN Services

The WLAN of a stadium needs to provide access for a large number of users;
therefore, APs are placed in close proximity, causing severe interference. The IT
department of the stadium requires that the interference be eliminated to
maximize Internet experience for users.
addresses to STAs.

Figure 3-3 Networking diagram for configuring a high-density WLAN
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
Management VLAN: VLAN10, VLAN100
Service VLAN: VLAN pool
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1
AP: area_2 AC
VLANIF100
10.23.100.1/24
STA
Data Planning
Table 3-3 Data planning

Item Data
Management VLAN for APs VLAN 10 and VLAN 100
Service VLAN for STAs VLAN pool

● Name: sta-pool
● VLANs in the VLAN pool: VLAN 101
and VLAN 102
DHCP server The AC functions as a DHCP server to

assign IP addresses to APs.
The aggregation switch (SwitchB)
functions as a DHCP server to assign
IP addresses to STAs.

Item Data
IP address pool for STAs 10.23.101.3-10.23.101.254/24

10.23.102.3-10.23.102.254/24
AC's source interface address VLANIF 100: 10.23.100.1/24

● Referenced profiles: VAP profile
wlan-net, regulatory domain
profile default, 2G radio profile
default, and 5G radio profile wlan-
radio5g



● Security policy: WPA-WPA2+PSK
+AES
● Password: a1234567

● Service VLAN: VLANs in the VLAN
pool
● Referenced profiles: SSID profile
wlan-net, security profile wlan-
net, and traffic profile wlan-traffic
RRM profile ● Name: wlan-rrm

● Airtime fair scheduling: enable
● Smart roaming: enable
2G radio profile ● Name: wlan-radio2g

● Referenced profile: RRM profile
wlan-rrm

wlan-rrm
Traffic profile ● Name: wlan-traffic
The configuration roadmap is as follows:

2. Configure a VLAN pool for service VLANs.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table
3-4.
Table 3-4 Adjustment recommendations

Adjustm Purpose Recommendation
ent Item
Configur To reduce the burden on Enable band steering. By default,

e 5G- the 2.4 GHz radio by band steering is enabled.
prior preferentially connecting
access 5G-capable STAs to the
5 GHz radio when a
large number of 2.4 GHz
STAs exist on the
network.
Remove To make an AP offer Increase the maximum number of

the limit wireless services to more access users to 128 for an SSID
on the users. profile.
number
of access
users
Reduce To prevent users who Set the association aging time to 1

the user frequently disconnect minute.
associati from the wireless
on aging network.
time
User To prevent mobile Enable user isolation on the AC.

isolation terminals from
exchanging a large
number of ARP packets.
Limit To prevent advantaged Limit the downstream rate of each

user STAs from occupying too STA to 2000 kbit/s in a VAP. Adjust
rates many rate sources and the upstream rate according to
deteriorating service actual situations. In this example, the
experience of upstream rate is set to 1000 kbit/s.
disadvantaged STAs.


ent Item
Adjust To reduce interference ● Channel: Prevent adjacent APs

AP between APs. from working on overlapping
channel channels. It is recommended that
and you configure channels 1, 9, 5,
power and 13 in a high-density WLAN
environment.
● Power: Minimize AP power while
ensuring that the RSSI is greater
than -65 dBm at the edge of the
AP's coverage area.
Configur To prevent weak-signal Enable smart roaming and set the

e smart STAs from degrading SNR threshold to 15 dB.
roaming user experience.
Enable To ensure that wireless Enable airtime fair scheduling.

airtime channel resources can
fair be equally allocated to
scheduli users.
ng
Set the To prevent hidden STAs. Set the RTS-CTS operation mode to
RTS-CTS rts-cts and the RTS threshold to 1400
threshol bytes.
d
Adjust To improve the overall Set the interval for sending Beacon
the data traffic of APs. frames to 160 ms.
interval
at which
Beacon
frames
are sent
Adjust To reduce wireless Set the transmit rate of 2.4 GHz

the resource occupation of Beacon frames to 11 Mbit/s.
transmit Beacon frames and
rate of improve channel usage
2.4 GHz efficiency.
Beacon
frames
Set the To reduce extra Set the GI mode to short GI.

guard overhead and improve
interval AP transmission
(GI) efficiency.
mode to
short GI


ent Item
Configur To improve the overall Delete low rates from the basic rate
e the AP throughput. set.
basic
rate set
Configur To improve air interface Use the default values. By default,

e the efficiency. the multicast transmit rate of
multicast wireless packets is 11 Mbit/s for the
rate 2.4 GHz radio and 6 Mbit/s for the 5
GHz radio.
Configur To improve the network Configure the short preamble. If

e the synchronization some legacy NICs exist on the
short performance. network, disable the short preamble
preambl function.
e for a
radio
Dynamic To improve user Enable the dynamic EDCA parameter

EDCA experience. adjustment, and keep the default
paramet threshold for the dynamic EDCA
er Best-Effort service.
adjustme
nt
7. Deliver the WLAN services to the APs and verify the configuration.
Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default
VLAN of GE0/0/1 and GE0/0/3 is VLAN 10.
[SwitchA] vlan batch 10 101 102
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and
VLAN 102, GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set its IP address to 10.23.100.2/24.

[SwitchB] vlan batch 10 100 101 102
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
[Router] vlan batch 101 102
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.
# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.

[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to

STAs and set the default gateways.
address pool view.


page is displayed.



to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).



# Click OK.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Finish.
Step 6 Adjust WLAN high-density parameters.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Click in front of VAP

Configuration.
# Click the VAP profile wlan-net. The VAP Profile page is displayed.
On the Advanced Configuration tab, enable band steering.

2. Adjust SSID profile parameters.


Configuration. Under it, click in front of wlan-net. Click SSID Profile. The
SSID Profile page is displayed.
# On the Advanced Configuration tab, set the maximum number of users to
128 and association aging time to 1 minute. Set the Beacon frame rate on
2.4G radio to 11 Mbps.

3. Create a traffic profile and adjust traffic profile parameters.

Configuration. Under it, click in front of wlan-net. Click Traffic Profile.
The Traffic Profile page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the profile name wlan-traffic in Profile name and click OK. The new
traffic profile configuration page is displayed.
# Set the user isolation mode to All isolation, and the upstream and
downstream rate limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.


4. Set the AP channel and power.
page is displayed.
AP Customized Settings page is displayed.
# Click next to Radio Management. The profiles in Radio Management

are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP

channel to 20-MHz channel 1 and transmit power to 127 dBm. Disable
automatic channel and power calibration functions. The configuration of
Radio1 is similar to the configuration of Radio 0, and is not mentioned here.

5. Configure the AP to work in dual-5G mode. This step is only for APs that
support switching between 2.4G and 5G radios.
# In the AP group list, click the AP group ap-group1 and click next to
Radio Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the

dual-5G mode. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this
step if the AP has been configured to work in dual-5G mode. Go to the next
step to create the 5G radio profile and bind the 5G radio profile to radio 0.
# In the AP group list, click ap-group1. Choose Radio Management > Radio
0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.


7. Create a 5G radio profile and adjust 5G radio profile parameters.


8. Create the RRM profile and adjust RRM profile parameters.
0 > 2G Radio Profile. Click in front of 2G Radio Profile. Profiles in the 2G
radio profile are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new
RRM profile configuration page is displayed.
# On the Advanced Configuration tab, enable airtime fair scheduling, enable
the dynamic EDCA parameter adjustment, enable smart roaming; configure
the SNR-based roaming trigger mode, and set the SNR threshold to 15 dB.


# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that
is displayed, click OK.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.

5. When a large number of users connect to the network in the stadium, the
users still have good Internet experience.
----End

3.1.4 Example for Configuring WLAN Backhaul

Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Considering the high costs of wired AP deployment,
enterprises need to set up wireless distribution system (WDS) links for wireless
backhaul to provide service coverage, ensuring that enterprise users can access the
WLAN.
● AC networking mode: Layer 2 networking in bypass mode
– The aggregation switch (Switch_A) functions as a DHCP server to assign
● Wireless backhaul mode: hand-in-hand WDS
● Backhaul radio: 5 GHz
Figure 3-4 Networking diagram for configuring hand-in-hand WDS services
Internet
Router
GE1/0/0
Management VLAN:VLAN 100
VLANIF101 10.23.101.2/24
Service VLAN:VLAN 101
GE0/0/3
GE0/0/2
Switch_A AC
GE0/0/1
GE0/0/1
AP_3 AP_2 AP_1

(leaf) (root) (leaf) (root) GE0/0/2
Switch_B
GE0/0/1
Area C Area A
: Wireless virtual link

STA STA

Data Planning
Table 3-5 AP data planning

AP Type MAC Address
AP_1 AP8130DN 60de-4474-9640
AP_2 AP8130DN dcd2-fc04-b500
AP_3 AP8130DN dcd2-fc96-e4c0

Item Data
Management VLAN for APs VLAN 100
Service VLAN for STAs VLAN 101

assign IP addresses to APs. Switch_A
AC's source interface address VLANIF 100
WDS mode ● Radio 1 on AP_1: root

● Radio 1 on AP_2: leaf
● Radio 0 on AP_2: root

● Country code: CN

Wireless service security profile ● Name: wlan-net

+AES

Item Data

wlan-net and security profile wlan-
net
WDS link security profile ● Name: wds-security

● Security policy: WPA2+PSK+AES
● Password type: PASS-PHRASE
WDS whitelist profile ● Name: wds-list1

● AP MAC address: MAC address of
AP_2 (leaf)
● Name: wds-list2
AP_3 (leaf)
WDS profile ● Name: wds-root

● WDS name: wlan-wds
● WDS working mode: root
● Tagged VLAN: VLAN 101
● Referenced profile: security profile
wds-security
● Name: wds-leaf
● WDS working mode: leaf
wds-security

● Root APs, such as AP_1, are added
to the group.
● Referenced profiles: WDS profile
wds-root, VAP profile wlan-net,
and regulatory domain profile
default

Item Data
● Name: ap-group2
● Root and leaf APs, such as AP_2,
are added to the group.
● Referenced profiles: WDS profiles
wds-root and wds-leaf, VAP profile
wlan-net, and regulatory domain
profile default
● Name: ap-group3
● Leaf APs, such as AP_3, are added
to the group.
wds-leaf, VAP profile wlan-net,
default
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS
wireless virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes


● Select proper antennas by following the WDS network planning and design,
and use the antenna calibration tool for calibration.
Procedure
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets

from VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from
VLAN 100 to pass through, and GE0/0/3 to allow packets from VLAN 101 to pass
through.
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
to 10.23.101.2/24.


Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the
interface address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
Step 3 Configure AC system parameters.

page is displayed.



3. Configure network interconnections.

# Click Create under DHCPv4 Address Pool List. Select Interface address
# Click OK.
# Click Next.

Vlanif100.


Step 4 Configure an AP to go online.
1. Configure the AP to go online.
# Click Batch Import. The Batch Import page is displayed. Click and
download the AP template file to your local PC.

example.
address is mandatory but the AP's SN is optional.
but the AP's MAC address is optional.
# Click next to Import AP file, select the AP template file, and click
Import.
# Click OK.
Configuration.
Step 5 Configure wireless services.
1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.

3. Click Next. The Security Authentication page is displayed.

4. Configure the key authentication mode, AES algorithm, and key.
5. Click Next. The Access Control page is displayed.

6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure the AP_1.
1. Create WDS profile wds-root and configure the WDS working mode and
tagged VLAN.
# In the AP group list, click ap-group1. Select Display all profiles. Choose
WDS > WDS Profile. The WDS Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the
profile name wds-root, set Radio to 1, and click OK.
# Choose WDS > WDS Profile > wds-root. The WDS Profile page is
displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If

traffic from a different service VLAN needs to be transmitted over the WDS link, set
Tagged VLAN to the service VLAN.


2. Create security profile wds-security and configure the security policy.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security
Profile page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter
the profile name wds-security and click OK. The security profile configuration
page is displayed.
# Set the key.

3. Create WDS whitelist profile wds-list1 and add the MAC address of the leaf
AP to the WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List
page is displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed,
enter the profile name wds-list1, set Radio to 1, and click OK. The WDS
Whitelist Profile List page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist
# Click Add to configure the WDS whitelist.
# Click OK.
4. Configure WDS service parameters for the root node. Set the channel
parameters of Radio1 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info
page is displayed.
# Click the AP ID 1. The AP customized settings page is displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is

displayed.
# Set the bridge distance to 4. Disable automatic channel and power

calibration. Set the channel parameters to 40+ MHz and 157. Set the bridge
distance to 4.
# Configure radio 0 in the same way. Disable automatic channel and power
calibration and set the channel parameters to 20 MHz and 6.
Step 7 Configure AP_3.

1. Create WDS profile wds-leaf and configure the WDS working mode and
tagged VLAN.
# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The
WDS Profile List page is displayed.
profile name wds-leaf, set Radio to 1 and Copy parameters from other
profiles to wds-root, and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is
displayed.
# Set WDS working mode to Leaf, retain the default settings of other
parameters, and click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for
Radio1. Set Channel to 40+ MHz and 149, and WDS/Mesh bridge
distance(0.1km) to 4. Disable automatic channel and power calibration. Set
parameters for Radio0. Set Channel to 20 MHz and 11.
Configure WDS service parameters by referring to the configuration procedure

on the root node.

1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1, and click OK.
name wds-root, set Radio to 0, and click OK.
page is displayed.
# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz
frequency band. Set the channel parameters of Radio0 to 40+ MHz and 149.
Set the coverage distance to 4. Set the channel parameters of Radio1 to 40+
MHz and 157. Set the bridge distance to 4.
page is displayed.
# Choose Radio Management > Radio0. The Radio 0 Settings(2.4G) page is

displayed.
# Set Radio0 to switch to the 5 GHz frequency band. Disable automatic

channel and power calibration. Set the channel parameters of Radio0 to 40+


# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the
coverage distance to 4. The configuration is the same as that for Radio0, and
is not mentioned here.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If
so, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and
check WDS information. After the WDS links are successfully established, you
can view detailed information about the WDS links on the page.

----End

3.1.5 Example for Configuring Rail Transportation WLAN

Services
To reduce network deployment costs and better serve passengers, a rail
transportation enterprise wants to use WLAN technology to implement vehicle-
ground communications and expects that multicast servers on the ground network
can deliver multimedia information services to passengers.
● Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
● Backhaul radio: 5 GHz radio

Figure 3-5 Networking for configuring vehicle-ground fast link handover
Internet
GE1/0/0
Router IP: 10.23.200.1/24
Network
management
IP：10.23.224.2 GE0/0/5
MAC：286e-d488-12cd VLANIF200: 10.23.200.2/24
GE0/0/4
Multicast GE0/0/3 GE0/0/6

AC
GE0/0/1
source GE0/0/1 GE0/0/2
IP：10.23.224.3 Switch_A Management VLAN：VLANIF 100
MAC：286e-d488-b6ab MAC： IP: 10.23.100.1/24
GE0/0/2 GE0/0/2
707b-e8e9-d328
Switch_B Switch_C
GE0/0/1 GE0/0/1
Trackside Trackside Trackside Trackside Trackside Trackside

AP AP AP AP AP AP
（L1_001）（L1_003）（L1_010）（L1_150）（L1_160）（L1_170）
MAC: 286e-d488-d359 MAC: 286e-d488-d270

Vehicle- mounted terminal_1 Vehicle- mounted terminal_2
Trackside Trackside
AP AP
GE0/0/1 GE0/0/1
（in the rear）（in the front）
Forward direction
：active Mesh link

：candidate Mesh link
Data Planning
Table 3-7 AP information
AP Type MAC Address
Trackside AP AP9132DN 0046-4b59-1d10

(L1_001)

AP Type MAC Address

(L1_003)

(L1_010)

(L1_150)

(L1_160)

(L1_170)
...
Vehicle-mounted AP9132DN 0046-4b59-2e10

AP (in the front)

AP (in the rear)
...

Item Data
Multicast service VLAN VLAN 101
DHCP server ● Configure the AC as a DHCP server to assign IP

addresses to trackside APs.
● Configure Switch_A as a DHCP server to assign IP
addresses to vehicle-mounted terminals.

address
Gateway address IP address of VLANIF 101 on Switch_A:

10.23.224.1/24
IP address pool for 10.23.100.2-10.23.100.254/24

trackside APs

vehicle-mounted
terminals

Item Data
AP group to which Name: mesh-mpp

trackside APs belong
IDs of trackside APs ● Trackside AP (L1_001): 1

● Trackside AP (L1_003): 2
AP wired port profile ● Name: wired-port
Security profile ● Name: sp01

● Authentication key: a1234567
Mesh profile Trackside APs:

● Name: mesh-net
● Identifier: mesh-net
Vehicle-mounted APs:
● Name: mesh-net
Mesh handover profile Trackside APs:

● Name: hand-over
● Name: hand-over
Mesh whitelist on Name: whitelist01

trackside APs Add MAC addresses of all vehicle-mounted APs on
trains running on the rail to the whitelist according
to actual situations.
MAC address of the ● Gateway: 707b-e8e9-d328

proxied ground device ● Network management device: 286e-d488-12cd
● Multicast source: 286e-d488-b6ab
MAC address of the ● Vehicle-mounted terminal_1: 286e-d488-d359

proxied vehicle- ● Vehicle-mounted terminal_2: 286e-d488-d270
mounted device
Multicast group 225.1.1.1-225.1.1.3

1. Configure the ground network to enable Layer 2 communications between
trackside APs and the AC.
2. Configure multicast services on ground network devices to enable proper
multicast data forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-
mounted APs so that the vehicle-mounted AP can set up Mesh connections
with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data
communications.
● This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and
AP9132DNs in Fat AP mode as the vehicle-mounted APs.
● Switches and routers used in this example are all Huawei products.
Configuration Notes
Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and
GE0/0/4 to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200,

and configure GE0/0/5 to allow packets from VLAN 200 to pass through.
Configure GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to
pass through.
[Switch_A] vlan batch 100 101 200
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP

address of GE1/0/0 on the router as the next hop address of the default route
so that packets from the vehicle-ground communication network can be
forwarded to the egress router.
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the

internal network segment, with the next hop address 10.23.200.2.

You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and
GE0/0/1 to allow packets from VLAN 100 and VLAN 101 to pass through, and
set the PVID of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B
according to GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass
through and set their PVIDs to VLAN 100.
[Switch_B] vlan batch 100 101
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and
set the PVID of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them
to properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable
# Enable IGMP snooping in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit
# Configure multicast group filter policies on Switch_A.

[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0


[Switch_A-acl-basic-2000] quit
# Apply the multicast group filter policies in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A] quit
# Complete multicast configuration on Switch_B and Switch_C according to

the multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or
Layer 3 multicast is configured, you cannot configure the fast leave function
because this function may interrupt multicast services.
[Switch_B] vlan 101

[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

page is displayed.





# Click OK.

# Click Next.
Vlanif100.

Step 3 Configure trackside APs
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mpp and click OK.
3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of
radio 1 to 40+MHz and channel to 157.
– In Security Settings, set the key type to PASS-PHRASE, and enter the
key a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh
nodes. In this example, MAC addresses 0046-4b59-2e10 and
0046-4b59-2e20 are added. Click OK. The Mesh whitelist are added.
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh

whitelist whitelist01 according to the preceding procedure.

# After configuring Mesh parameters, click Apply.

4. Add MPPs
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10,
0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and
0046-4b59-1d60 are added. Set AP ID to 1, 2, 3, 101, 102, and 103 for the
APs respectively. Set the AP names to L1_001, L1_003, L1_010, L1_150,
L1_160, and L1_170, respectively. Click OK. The APs are added as MPPs.
5. Configure a Mesh profile.

# In the AP group list, click the AP group mesh-mpp. Select Display all
profiles choose Mesh > Mesh Profile. The Mesh Profile List page is
displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name
to mesh-net.
# Click OK.
6. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The
Mesh Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set
Profile name to hand-over and click OK. The Mesh profile configuration
page is displayed.

# Set Position-based handover algorithm to ON.

7. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile
management page is displayed.
# Click Create. The Create AP Wired Port Profile page is displayed. Set
Profile name to wired-port and click OK. The configuration page of the
wired port profile is displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port
mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101.

Step 4 Configure a vehicle-mounted AP.
This example provides the detailed configuration procedure of the vehicle-mounted AP in the
front of the train. The configuration procedure of the vehicle-mounted AP in the rear is similar
to that of the vehicle-mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow
packets from VLAN 101 to pass through, and set the PVID of GE0/0/1 to
VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create.
On the Create VLAN page that is displayed, set VLAN ID to 101.

# Click OK.
# Choose Configuration > Interface > ETH Interface and click

GigabitEthernet0/0/1. The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in

tagged mode.
# Click OK.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is
displayed.

3. Configure a security profile.

# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page
is displayed.
# Click Create. The Create Security Profile page is displayed.
# Set Profile name to sp01 and click OK. The Security Profile page is
displayed.
# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE,
and Password to a1234567.

# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create and create the Mesh handover profile hand-over. Click OK.
The Mesh profile configuration page is displayed.
# Set Position-based handover algorithm to ON and Moving direction to
forward. Click Apply. In the dialog box that is displayed, click OK.
Step 5 Add proxied devices on the vehicle-mounted AP

# Add proxied ground devices. Add MAC addresses of Switch_A, network
management device, and multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground
Device. Click Create and add MAC addresses of proxied ground devices. In this
example, MAC addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-
b6ab are added, click OK.

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-

mounted devices on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-
mounted Device. Click Create and add MAC addresses of proxied vehicle-
mounted devices. In this example, MAC addresses 286e-d488-d359 and 286e-
d488-d270 are added, click OK.
Step 6 Configure IGMP snooping on the vehicle-mounted AP
# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping.

Set IGMP-Snooping to ON in Global Setting.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to
view Mesh link information. If Mesh links are set up successfully, information
about Mesh links is displayed.
2. Verify the configuration on the vehicle-mounted AP.
# Choose Maintenance > Train To Ground COMM > Mesh Link Information
to view Mesh link information. Displayed information is the same as that
checked on the AC.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP

Field Strength to view field strength of the vehicle-mounted AP.

Roaming Trace to view the roaming trace of the vehicle-mounted AP.
----End
3.1.6 Example for Configuring Agile Distributed Wi-Fi Services
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless
signal attenuation, degrading signal quality. To resolve this issue, an agile
distributed WLAN is used, with a remote unit (RU) deployed in each dormitory.
RUs are connected to a central AP, and all RUs and the central AP are centrally
managed by the AC, delivering high-quality WLAN coverage for each dormitory.
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to the central AP, RUs, and STAs.
● Uplink interfaces of a central AP have a high transmission rate, and connect
to an AC and forward service traffic of all connected RUs. Downlink interfaces
of a central AP connect to RUs. If the number of downlink interfaces of the
central AP is insufficient, one downlink interface can be connected to an
uplink interface of a PoE switch, through which RUs can connect the central
AP. This increases the number of connected RUs. For example, an
AD9431DN-24X provides four 10GE uplink interfaces numbered from 0 to 3
and 24 GE downlink interfaces numbered from 0 to 23.

Figure 3-6 Networking for configuring an agile distributed WLAN
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
GE0/0/2
VLANIF101 10.23.101.1/24
AC
VLANIF100 10.23.100.1/24
Management VLAN: VLAN100 GE0/0/1
Service VLAN: VLAN101 GE0/0/24
Central AP
GE0/0/1
GE0/0/24
Switch
GE0/0/1 GE0/0/2
RU: ru_1 RU: ru_2
STA STA STA STA
Dorm 1 Dorm 2
Data Planning
Item Data
DHCP The AC functions as a DHCP server to assign IP addresses to

server central APs, RUs, and STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
central
APs and
RUs
IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

● Referenced profiles: VAP profile wlan-net and regulatory
domain profile default

domain ● Country code: CN
profile


profile ● Security policy: WPA-WPA2+PSK+AES

● Referenced profiles: SSID profile wlan-net and security profile
wlan-net
1. Configure the AC, RUs, central APs, and network devices to communicate at
Layer 2.
3. Select Config Wizard to configure the central APs and RUs to go online on
the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the
configuration.
Configuration Notes


Procedure
to 10.23.101.2/24.
# Configure the switch to enable Layer 2 communication between the central AP

and RUs. If a Huawei switch is used, interfaces on it are added to VLAN 1 by
default and can communicate one another at Layer 2. Therefore, this
configuration is not required on the switch. If a non-Huawei switch is used,
perform the configuration to enable Layer 2 communication of uplink and
downlink interfaces.
On the network between RUs and the central AP, service packets of STAs must be properly
forwarded. In this example, the tunnel forwarding mode is used. Therefore, service VLAN packets
do not need to be permitted between the central AP and RUs. If the direct forwarding mode is
used, configure the network between the central AP and RUs to permit service VLAN packets
depending on the central AP model.
● If the central AP is a gigabit AP (such as the AD9430DN-24), such configuration is not
required on the switch. Because all service packets from RUs are first sent to the central AP
through MAC-IN-MAC tunnels, these packets need to be permitted only from the upstream
direction of the central AP.
● If the central AP is a 10GE AP (such as the AD9431DN-24X), add uplink and downlink
interfaces on the switch to the service VLAN. Because service packets are forwarded starting
from the upstream direction of RUs, these packets must be permitted from the upstream
direction of RUs.


page is displayed.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 101 in the same way.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.
page is displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.
# Click Next.
Vlanif100.

Step 3 Configure a central AP and RUs to go online.
1. Configure a central AP and RUs to go online.



– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
– If AP authentication mode is set to MAC address authentication, the AP's MAC

– If AP authentication mode is set to SN authentication, the AP's SN is mandatory
You are advised to import the radio ID, AP channel, frequency bandwidth, and power
Import.

Configuration.
# Configure the SSID name, forwarding mode, and service VLAN.
# Set Security settings to Key (applicable to personnel networks), select the

AES mode, and set the key.

# Click Finish.
Step 5 Configure the RU channel and power.

page is displayed.





----End
More Information
(Video) Example for Configuring AC and central AP Distributed Networking
3.1.7 Example for Configuring Rogue Device Detection and

Containment
An enterprise branch needs to deploy WLAN services for mobile office so that
branch users can access the enterprise network from anywhere at any time.
Furthermore, users' services are not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks.
For example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the
WLAN to establish connections with STAs to intercept enterprise information,
posing great threats to the enterprise network. To prevent such attack, the
detection and containment function can be configured for authorized APs. In this
way, the AC can detect rogue AP area_2 (neither managed by the AC nor in the
authorized AP list), preventing STAs from associating with the rogue AP.
addresses to STAs.

Figure 3-7 Networking for configuring rogue device detection and containment
IP
Network
Router
Management VLAN: VLAN100
GE1/0/0
Service VLAN: VLAN101 VLANIF101
10.23.101.2/24
Authorized AP
(area_1)
SSID: wlan-net SwitchA GE0/0/3
GE0/0/1
GE0/0/1
SwitchB
GE0/0/2
GE0/0/2
GE0/0/1
STA IP AC
Network
VLANIF100
Rougue AP 10.23.100.1/24
(area_2)
SSID:wlan-net
Data Planning
Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, and WIDS profile wlan-wids
● Working mode of the AP radio: normal
● Rogue device detection and containment: enabled

profile



wlan-net
WIDS ● Name: wlan-wids

profile ● Rogue device containment mode: containment against rogue
APs using spoofing SSIDs
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect
wireless device information and report it to the AC. In addition, APs can
contain detected rogue devices, enabling STAs to disassociate from them.
In this example, the authorized APs work in normal mode and have the detection function
enabled. In addition to transmitting WLAN service data, AP radios need to perform the
monitoring function. A transient increase in the WLAN service latency may occur, which does
not affect network access. However, if any latency-sensitive service (such as videoconferencing)
is running, it is recommended that a separate radio be used for air scan.

Configuration Notes
Procedure

to 10.23.101.2/24.
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
address pool view.

page is displayed.




# Click OK.
# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
Configuration.



# Click Finish.
page is displayed.


Step 7 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and
enable rogue device detection and containment.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page
is displayed.
# Configure radio 0 to work in normal mode, and enable rogue device
detection and containment.

# Click Apply. In the Info dialog box that is displayed, click OK.
detection and containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against
rogue APs using spoofing SSIDs.
# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile
page is displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the
profile name wlan-wids and click OK. The WIDS profile configuration page is
displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.
Choose Monitoring > WIDS. In the Device Detection area, view the detection
result.
● Click a number in the detection result list. The detected device information is
displayed in Device Detection Information.
● Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed.

● In the list of APs that detect the device, select an AP and click View Whitelist
to view the whitelist of the AP.
----End
3.2 WLAN Basic Networking Configuration Examples
3.2.1 Example for Configuring Layer 2 Direct Forwarding in

Inline Mode
requirement of mobile office. Furthermore, users' services are not affected during
addresses to APs and STAs.
Figure 3-8 Networking for configuring Layer 2 direct forwarding in inline mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
Management VLAN:VLAN100 GE0/0/2

Service VLAN:VLAN101 AC
VLANIF100 GE0/0/1
10.23.100.1/24
GE0/0/2
GE0/0/1
AP Switch
STA

Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs
DHCP The AC functions as a DHCP server to assign IP addresses to APs

server and STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile



profile ● Forwarding mode: direct forwarding
wlan-net

Configuration Notes
Procedure
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The
default VLAN of GE0/0/1 is VLAN 100.
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit

to 10.23.101.2/24.

page is displayed.





# Click OK.

page is displayed.

address to 10.23.101.2.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.
# Set the SSID name, forwarding mode, and service VLAN.
key.

# Click Finish.

page is displayed.





----End
3.2.2 Example for Configuring Layer 2 Tunnel Forwarding in

Inline Mode

Figure 3-9 Networking for configuring Layer 2 tunnel forwarding in inline mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24

VLANIF100 GE0/0/1
10.23.100.1/24
GE0/0/2
GE0/0/1
AP Switch
STA
Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs

server and STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile



wlan-net
Configuration Notes


Procedure
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN
of GE0/0/1 is VLAN 100.
[Switch] vlan batch 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
to 10.23.101.2/24.

page is displayed.


to Trunk and add GigabitEthernet0/0/1 to VLAN 100.


# Click OK.
page is displayed.
address to 10.23.101.2.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.


# Click Finish.

page is displayed.





----End

Bypass Mode
addresses to STAs.

Figure 3-10 Networking for configuring Layer 2 direct forwarding in bypass mode
IP
Network
Router
GE1/0/0
VLANIF101
Management VLAN: VLAN100 10.23.101.2/24
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile



wlan-net
Configuration Notes


Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN101. The default
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN101,

GE0/0/2 to VLAN100 and GE0/0/3 to VLAN 101.
to 10.23.101.2/24.


for the STAs.
address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.
key.
# Click Finish.


page is displayed.



----End


Bypass Mode
addresses to STAs.
Figure 3-11 Networking for configuring Layer 2 tunnel forwarding in bypass mode
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning

Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

profile default, 2G radio profile wlan-radio2g, and 5G radio
profile wlan-radio5g

profile
● Calibration channel set: calibration bandwidth and channels for
2.4 GHz and 5 GHz radios



Item Data

wlan-net
Air scan ● Name: wlan-airscan

profile ● Probe channel set: calibration channels
● Air scan interval: 60000 ms
● Air scan period: 60 ms
2G radio ● Name: wlan-radio2g

profile ● Referenced profile: air scan profile wlan-airscan

Configuration Notes


Procedure
to 10.23.101.2/24.
for the STAs.

address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.

# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.
By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Calibration Configuration, and set Calibration to ON.

2. Create radio profiles.
The following example configures a 2G radio profile. The configuration of a 5G radio

profile is similar.
# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is

displayed.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.
# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.

# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/ Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.
# Radio calibration stops one hour after the radio calibration is manually
triggered.
Calibration Configuration. The Radio Calibration Configuration page is
displayed. The Radio Calibration Configuration page is displayed. On the
Radio Calibration Configuration page, set Triggering condition to
Scheduled and set the start time to 3:00 am.



----End

Inline Mode
roaming in the coverage area. A VLAN pool is configured as service VLANs to
prevent IP address insufficiency or waste. Furthermore, this measure can reduce
the number of users in each VLAN and the size of the broadcast domain.
addresses to STAs.

Figure 3-12 Networking for configuring Layer 3 direct forwarding in inline mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
VLANIF102 10.23.102.2/24
GE0/0/2
Management VLAN:VLAN10,VLAN100 AC
Service VLAN:VLAN pool VLANIF100 GE0/0/1
10.23.100.1/24
GE0/0/2
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA
STA
Data Planning
Item Data

● Name: sta-pool
and VLAN 102

SwitchB functions as a DHCP server to
assign IP addresses to STAs. The
default gateway IP addresses of STAs
are 10.23.101.2 and 10.23.102.2.

10.23.102.3-10.23.102.254/24

Item Data

wlan-net, 2G radio profile wlan-
radio2g, and 5G radio profile wlan-
radio5g

● Calibration channel set: calibration
bandwidth and channels for 2.4
GHz and 5 GHz radios


+AES

pool
net
Air scan profile ● Name: wlan-airscan

● Probe channel set: calibration
channels

● Referenced profiles: air scan profile
wlan-airscan

wlan-airscan


Configuration Notes
Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102.
The default VLAN of GE0/0/1 is VLAN 10.
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.



address pool view.


page is displayed.



to Trunk and add GigabitEthernet0/0/1 to VLANs 100, 101, and 102.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add

GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.



# Click OK.
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
displayed.
VLANs 101 and 102.

key.
# Click Finish.
and power.
mentioned here.




profile is similar.

displayed.
and scan duration.
scan duration.


triggered.



----End

Inline Mode

Figure 3-13 Networking for configuring Layer 3 tunnel forwarding in inline mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
VLANIF102 10.23.102.2/24
GE0/0/2
Management VLAN:VLAN10,VLAN100 AC
Service VLAN:VLAN pool VLANIF100 GE0/0/1
10.23.100.1/24
GE0/0/2
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA
STA
Data Planning

Item Data
Management VLANs for APs VLAN 10 and VLAN 100

● Name: sta-pool
and VLAN 102

assign IP addresses to APs and STAs.

10.23.102.3-10.23.102.254/24

Item Data

wlan-net, 2G radio profile wlan-
radio2g, and 5G radio profile wlan-
radio5g



+AES

● Forwarding mode: tunnel
forwarding
pool
net

channels

wlan-airscan

wlan-airscan

Configuration Notes
Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to

VLAN 100. Create VLANIF 100 and set the IP address of VLANIF 100 to
10.23.100.2/24.
Step 2 Configure DHCP relay.


page is displayed.




GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102
to 10.23.102.1/24 in the same way.

# Create an interface address pool in the same way and select VLANIF 102.
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
displayed.
VLANs 101 and 102.

key.
# Click Finish.
and power.
mentioned here.




profile is similar.

displayed.
and scan duration.
scan duration.


triggered.



----End

Bypass Mode
addresses to STAs.

Figure 3-14 Networking for configuring Layer 3 direct forwarding in bypass mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
VLANIF102 10.23.102.2/24
Management VLAN:VLAN10,VLAN100
Service VLAN：VLAN pool
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning
Item Data

● Name: sta-pool
and VLAN 102

The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2 and 10.23.102.2.

10.23.102.3-10.23.102.254/24

Item Data

wlan-net and regulatory domain
profile default



+AES

pool
net
Configuration Notes


Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102.
The default VLAN of GE0/0/1 is VLAN 10.



address pool view.

page is displayed.





# Click OK.


# Click OK.
page is displayed.

# Click OK.
# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.
displayed.
VLANs 101 and 102.

key.


# Click Finish.
page is displayed.



----End


Bypass Mode
addresses to STAs.
Figure 3-15 Networking for configuring Layer 3 tunnel forwarding in bypass mode
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
VLANIF102 10.23.102.2/24
Management VLAN:VLAN10,VLAN100
Service VLAN：VLAN pool
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning

Item Data

default gateway IP addresses of STAs
are 10.23.101.2 and 10.23.102.2.

10.23.102.3-10.23.102.254/24
VLAN pool ● Name: sta-pool

and VLAN 102

profile default



+AES

forwarding
pool
net

Configuration Notes
Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default


# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN

100, VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.

address pool view.


page is displayed.



to Trunk and add GigabitEthernet0/0/1 to VLANs 100, 101, and 102.


# Click OK.
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
displayed.
VLANs 101 and 102.

key.
# Click Finish.

page is displayed.





----End

3.2.9 Example for Configuring NAT Traversal Between the AC

and APs
APs are located in an enterprise branch, while the AC is located at the

headquarters. Administrators require unified AP management by the AC.
Therefore, NAT traversal is configured between the AC and APs to save the
enterprise's public IP addresses.
● AC networking mode: NAT traversal between the AC at the headquarters and
APs in the branch
● DHCP deployment mode: Router_1 functions as a DHCP server to assign IP
Figure 3-16 Networking for configuring NAT traversal between the AC and APs
Branch Headquaters
NAT_1 NAT_2
Router_1 3.3.3.2 Router_2
DHCP Server
Option 43：3.3.3.3 Internet
GE0/0/1 GE0/0/1
GE1/0/0 2.2.2.1/24 2.2.2.2 3.3.3.1/24 GE1/0/0
GE0/0/3 GE0/0/1
Switch AC
GE0/0/1 GE0/0/2 10.23.200.1/24
area_1 area_2
STA

Data Planning

Item Data
DHCP server Router_1 functions as a DHCP server

to assign IP addresses to APs and STAs.

profile default



+AES

net
NAT Outbound Router_1: translates the private IP

addresses in the network segment
10.23.100.0/24 to the public IP
2.2.2.1.
Static NAT Router_2: translates the private IP

10.23.200.1 to the public IP addresses
in the network segment 3.3.3.3.

2. Configure NAT for address translation.
6. Verify the configuration.
Configuration Notes
Procedure
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101.
VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.


# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of
GE0/0/1 is at 2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at

3.3.3.2/24, set the IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set
its IP address to 10.23.200.2/24.
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2] interface gigabitethernet 0/0/1
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
The AC's source interface address is translated into the public IP address 3.3.3.3
after NAT mapping.
[Router_1] dhcp enable
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1-Vlanif101] dhcp select interface

address pool view.
Step 3 Configure NAT.

# Configure outbound NAT on Router_1.
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
# Configure static NAT on Router_2.

[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1

page is displayed.





page is displayed.

address to 10.23.200.2.
# Click OK.
# Click Next.

Vlanif200.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.

key.

# Click Finish.
page is displayed.




----End
3.2.10 Example for Configuring VPN Traversal Between the AC

and APs
APs are located in an enterprise branch, while the AC is located at the
headquarters. Administrators require unified AP management by the AC and
protection on traffic exchanged between the branch and headquarters. Therefore,
an IPSec tunnel is established between the branch and headquarters to protect
traffic.
● AC networking mode: IPSec tunnel between the AC at the headquarters and
APs in the branch.

Figure 3-17 Networking for configuring VPN traversal between the AC and APs
Enterprise
Enterprise
headquarters
branch
Router_1 Router_2
192.168.1.2/24 192.168.2.2/24
Internet
GE0/0/1 GE0/0/1
GE1/0/0 192.168.1.1/24 192.168.2.1/24 GE1/0/0
GE0/0/2 GE0/0/1
Switch IPSec tunnel
AC
GE0/0/1
10.23.200.1/24
AP
STA
Data Planning

Item Data
WLAN service data planning on the AC


profile default


Item Data


+AES

net
IPSec data planning on Router_2
IKE parameters ● IKE version: IKEv1

● Negotiation mode: main
● Peer IP address: 192.168.1.1
● Authentication mode: pre-shared
key authentication
● Pre-shared key: huawei@1234
● Authentication algorithm:
SHA2-256
● Encryption algorithm: AES-128
● DH group number: group14
IPSec parameters ● Security protocol: ESP

● ESP negotiation mode: main
● ESP authentication algorithm:
SHA2-256
● ESP encryption algorithm: AES-128
● Encapsulation mode: tunnel
IPSec policy Connection name: map1

● Interface name: gigabitethernet
0/0/1
● Networking mode: branch site
● Connection number: 10
● ACL number: 3101

2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to
implement communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec
tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE
peers to the IPSec policy to define the data flows to be protected and
protection method.
f. Apply the IPSec policy to the interface so that the interface can protect
traffic.
3. Configure the APs to go online.
Configuration Notes

Procedure
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is
the default VLAN of GE0/0/1.
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of
GE0/0/1 is at 192.168.1.2/24, set the IP address of GE0/0/1 to 192.168.1.1/24.
[Router_1] vlan batch 100 101
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP
address to 10.23.200.2/24. If the peer end of GE0/0/1 is at 192.168.2.2/24, set the
IP address of GE0/0/1 to 192.168.2.1/24.
[Router_2] vlan batch 200
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
# Configure a static route from Router_2 to APs with the next hop address
192.168.2.2 on Router_2.

# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1-Vlanif100] dhcp select global
[Router_1] ip pool ap

[Router_1-ip-pool-ap] gateway-list 10.23.100.1

[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1-Vlanif101] dhcp select interface
address pool view.
Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP
address 10.23.200.0/24) at the headquarters to the APs (IP address
10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit
# On Router_1, configure an ACL to protect the data flows from the APs (IP
address 10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the
headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit
Step 4 Configure IPSec.

1. Create an IPSec proposal on Router_2 and Router_1.
# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit
# Create an IPSec proposal on Router_1.

[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit
2. Create IKE peers on Router_2 and Router_1.
# Create an IKE proposal on Router_2.
[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit
# Configure an IKE peer on Router_2, and configure the pre-shared key and
peer ID based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 192.168.1.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.

[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit
# Configure an IKE peer on Router_1, and configure the pre-shared key and
peer ID based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spub] undo version 2
[Router_1-ike-peer-spub] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 192.168.2.1
[Router_1-ike-peer-spua] quit
3. Create IPSec policies on Router_2 and Router_1.
# Configure an IPSec policy in IKE negotiation mode on Router_2.

[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit
# Configure an IPSec policy in IKE negotiation mode on Router_1.

[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit
4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that
the interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.

[Router_2-GigabitEthernet0/0/1] ipsec policy map1
# Apply the IPSec policy to the interface of Router_1.

[Router_1-GigabitEthernet0/0/1] ipsec policy use1

page is displayed.







page is displayed.

address to 10.23.200.2.
# Click OK.
# Click Next.

Vlanif200.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.


key.

# Click Finish.
page is displayed.





----End
3.2.11 Example for Configuring Hand-in-Hand WDS Services
requirement of mobile office. Considering the high costs of wired AP deployment,
enterprises need to set up wireless distribution system (WDS) links for wireless
backhaul to provide service coverage, ensuring that enterprise users can access the
WLAN.
● Wireless backhaul mode: hand-in-hand WDS
● Backhaul radio: 5 GHz

Figure 3-18 Networking diagram for configuring hand-in-hand WDS services
Internet
Router
GE1/0/0
Management VLAN:VLAN 100
VLANIF101 10.23.101.2/24
Service VLAN:VLAN 101
GE0/0/3
GE0/0/2
Switch_A AC
GE0/0/1
GE0/0/1
AP_3 AP_2 AP_1

(leaf) (root) (leaf) (root) GE0/0/2
Switch_B
GE0/0/1
Area C Area A
: Wireless virtual link

STA STA
Data Planning
AP Type MAC Address
AP_1 AP8130DN 60de-4474-9640
Item Data

assign IP addresses to APs. Switch_A

Item Data
AC's source interface address VLANIF 100
WDS mode ● Radio 1 on AP_1: root

● Radio 0 on AP_2: root


Wireless service security profile ● Name: wlan-net

+AES

net
WDS link security profile ● Name: wds-security

WDS whitelist profile ● Name: wds-list1

AP_2 (leaf)
● Name: wds-list2
AP_3 (leaf)
WDS profile ● Name: wds-root

● WDS working mode: root
wds-security

Item Data
● Name: wds-leaf
● WDS working mode: leaf
wds-security

● Root APs, such as AP_1, are added
to the group.
wds-root, VAP profile wlan-net,
default
● Name: ap-group2
● Root and leaf APs, such as AP_2,
are added to the group.
● Referenced profiles: WDS profiles
wds-root and wds-leaf, VAP profile
profile default
● Name: ap-group3
● Leaf APs, such as AP_3, are added
to the group.
wds-leaf, VAP profile wlan-net,
default
1. Configure root node AP_1 to go online on the AC.
2. Configure WDS services so that APs in and Area C can go online through WDS
wireless virtual links.

Configuration Notes
● Select proper antennas by following the WDS network planning and design,
and use the antenna calibration tool for calibration.
Procedure

through.


to 10.23.101.2/24.
Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the

page is displayed.



# Click OK.

# Click Next.
Vlanif100.


example.
Import.

# Click OK.

Configuration.

1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.
3. Click Next. The Security Authentication page is displayed.

4. Configure the key authentication mode, AES algorithm, and key.
5. Click Next. The Access Control page is displayed.

6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure the AP_1.

1. Create WDS profile wds-root and configure the WDS working mode and
tagged VLAN.
# In the AP group list, click ap-group1. Select Display all profiles. Choose
profile name wds-root, set Radio to 1, and click OK.

# Choose WDS > WDS Profile > wds-root. The WDS Profile page is
displayed.


2. Create security profile wds-security and configure the security policy.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security
the profile name wds-security and click OK. The security profile configuration
page is displayed.
# Set the key.

page is displayed.

# Click OK.
4. Configure WDS service parameters for the root node. Set the channel
parameters of Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
page is displayed.

displayed.
# Set the bridge distance to 4. Disable automatic channel and power

calibration. Set the channel parameters to 40+ MHz and 157. Set the bridge
distance to 4.
# Configure radio 0 in the same way. Disable automatic channel and power
calibration and set the channel parameters to 20 MHz and 6.

1. Create WDS profile wds-leaf and configure the WDS working mode and
tagged VLAN.

profile name wds-leaf, set Radio to 1 and Copy parameters from other
profiles to wds-root, and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is
displayed.
# Set WDS working mode to Leaf, retain the default settings of other
parameters, and click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for
Radio1. Set Channel to 40+ MHz and 149, and WDS/Mesh bridge
distance(0.1km) to 4. Disable automatic channel and power calibration. Set
parameters for Radio0. Set Channel to 20 MHz and 11.
Configure WDS service parameters by referring to the configuration procedure
on the root node.
1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.
name wds-leaf, set Radio to 1, and click OK.
name wds-root, set Radio to 0, and click OK.
page is displayed.

# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz
frequency band. Set the channel parameters of Radio0 to 40+ MHz and 149.
Set the coverage distance to 4. Set the channel parameters of Radio1 to 40+
page is displayed.
# Choose Radio Management > Radio0. The Radio 0 Settings(2.4G) page is
displayed.
# Set Radio0 to switch to the 5 GHz frequency band. Disable automatic
channel and power calibration. Set the channel parameters of Radio0 to 40+

# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the
coverage distance to 4. The configuration is the same as that for Radio0, and
is not mentioned here.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If
so, the APs have gone online on the AC through WDS links.



----End
3.2.12 Example for Configuring Back-to-Back WDS

On some enterprise networks, wired network deployment is restricted by
construction conditions. When obstacles exist between two networks or the
distance between them is long, APs cannot all be connected to the AC in wired
mode. Back-to-back wireless distribution system (WDS) technology can cascade
APs in wired mode as trunk bridges. This networking ensures sufficient bandwidth
on wireless links for long distance data transmission.
IP addresses to PCs.
● Wireless backhaul mode: WDS back-to-back

Figure 3-19 Networking for configuring back-to-back WDS
Switch_A
GE0/0/2 GE0/0/3
AC Network
GE0/0/1 GE1/0/0
GE0/0/1 Router
10.23.101.2/24
Management VLAN：VLAN 100 GE0/0/2
Switch_B
GE0/0/1
AP_1 Area A
(root)
AP_2 Area B
(leaf)
GE0/0/2
Switch_C
GE0/0/1
AP_3
(root)
AP_4 Area C
(leaf)
VLAN101 PC
：Wireless
virtual link
Data Planning

AP Name Type MAC Address
AP_1 AP8130DN dcd2-fcf6-76a0
AP_2 AP8130DN 60de-4474-9640
AP_4 AP8130DN 60de-4476-e360


Item Data

for APs
Service VLAN for PCs VLAN 101
DHCP server The AC functions as a DHCP server to assign IP

addresses to APs, and Switch_A functions as a DHCP
server to assign IP addresses to PCs.

APs

PCs
IP address of the AC's VLANIF 100: 10.23.100.1/24

source interface
WDS profile ● wds-net1 (WDS profile used by AP_1): WDS mode

root, referenced WDS whitelist wds-list1, permitting
access only from AP_2
● wds-net2 (WDS profile used by AP_3): WDS mode
root, referenced WDS whitelist wds-list2, permitting
access only from AP_4
● wds-net3 (WDS profile used by AP_2 and AP_4):
referencing no WDS whitelist
WDS role ● AP_1: root

● AP_2: leaf
● AP_3: root
● AP_4: leaf
WDS name wds-net
WDS whitelist ● wds-list1: contains MAC address of AP_2 and is

bound to AP_1
● wds-list2: contains MAC address of AP_4 and is
bound to AP_3
Radio used by WDS Radio 1 (AP_1 and AP_2):

● Bandwidth: 40 MHz-plus
● Channel: 157
● WDS/Mesh bridge distance: 4 (unit: 100 m)
Radio 1 (AP_3 and AP_4):
● Bandwidth: 40 MHz-plus
● Channel: 149

Item Data
Security profile ● Name: wds-sec

AP group ● wds-root1: AP_1

● wds-root2: AP_3
● wds-leaf1: AP_2
● wds-leaf2: AP_4. The wired interface of AP_4 is
connected to a PC, a wired port profile needs to be
configured for AP_4. Therefore, AP_2 and AP_4 are
added to two separate AP groups.
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go
online on the AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the
wired network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the
AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4
to access the network.
Configuration Notes

Procedure

through.
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow
packets VLAN 101 to pass through.
[Switch_C] vlan batch 101
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
to 10.23.101.2/24.


Step 2 Configure the DHCP server to assign IP addresses to PCs.

# Configure Switch_A as a DHCP server to assign IP addresses to PCs from the

page is displayed.



# Click OK.

# Click Next.

Vlanif100.



example.

Import.
# Click OK.
# Confirm the configuration and click Finish.
Step 5 Configure the root node AP_1.
1. Configure the WDS profile wds-net1 for the root node AP_1.
# In the AP group list, click wds-root1. Select Display all profiles choose
profile name wds-net1 and click OK.
# Choose WDS > WDS Profile > wds-net1. The WDS Profile page is
displayed.


2. Create security profile wds-sec and configure the security policy.
# Choose WDS > WDS Profile > wds-net1 > Security Profile. The Security
the profile name wds-sec and click OK. The security profile configuration
page is displayed.
# Set the key.


3. Configure the WDS whitelist profile wds-list1 for AP_1 to permit access only
from AP_2 over the WDS link.
page is displayed.
enter the profile name wds-list1 and click OK. The WDS Whitelist Profile
List page is displayed.
# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.
# Click OK.
4. Configure WDS service parameters.
displayed.
# Disable automatic channel and power calibration. Set the channel
parameters to 40+ MHz and 157. Set the bridge distance to 4.
On a WDS network, radios used to create WDS links must work on the same channel.

Step 6 Configure the root node AP_3.

1. Configure the WDS profile wds-net2 in the AP group wds-root2. The
configuration is similar to that for the WDS profile wds-net1 in the AP group
wds-root1.
If the WDS profile wds-net2 is the same as the WDS profile wds-net1, you
do not need to create the WDS profile wds-net2. AP_3 and AP_1 can share
the WDS profile wds-net1.
2. Bind the security profile wds-sec to the AP group wds-root2.
# Enter the Security Profile page under the AP group wds-root2. The
configuration is similar to that under the AP group wds-root1.
# Set Security Profile to wds-sec and click Apply. In the dialog box that is
displayed, click OK.
3. Configure the WDS whitelist profile wds-list2 for AP_3 to permit access only
from AP_4 over the WDS link.
# Add the MAC address of AP_4 60de-4476-e360 to wds-list2. The

configuration is similar to that for the WDS whitelist profile wds-list1 under
the AP group wds-root1.
# Configure service parameters in the AP group wds-root2. The configuration

is similar to that in the AP group wds-root1. Set the channel parameters to
40+ MHz and 149. Set the bridge distance to 4.
Step 7 Configure the leaf node AP_2.

1. Configure the WDS profile wds-net3 in the AP group wds-leaf1. The
configuration is similar to that for the WDS profile wds-net1 in the AP group
wds-root1.
In the WDS profile wds-net3, set WDS working mode to Leaf.

2. Bind the security profile wds-sec to the AP group wds-leaf1. The
configuration is similar to that for binding the security profile to the AP group
wds-root2.


Step 8 Configure the leaf node AP_4.
1. Configure the WDS profile wds-net3 in the AP group wds-leaf2.
# Enter the WDS Profile List page under the AP group wds-leaf2. The
configuration is similar to that under the AP group wds-root1.
# Click Add. On the page that is displayed, set WDS profile name to wds-
net3 and click OK. In the dialog box that is displayed, click OK.
2. Bind the security profile wds-sec to the AP group wds-leaf2. The
configuration is similar to that for binding the security profile to the AP group
wds-root2.
mode to Endpoint, add the wired port to VLAN 101 in untagged mode, and
set the Port PVID to 101. This example assumes that the downlink network of
AP_4's wired port GE0 transmits service traffic of VLAN 101.

# Click OK.
1. # Choose Configuration > AP Config > AP Config. The AP list page is
displayed. If the AP status is normal, the APs have gone online on the AC
through WDS links.

3. Verify that the AP goes online and restart AP_4 to make the working mode of
the AP wired port effective. After AP_4 goes online again, verify that wired
users connected to AP_4 can access the network.
----End
3.2.13 Example for Configuring Common Mesh Services

An enterprise needs to establish Mesh wireless backhaul links in different areas to
expand wireless coverage and reduce wired deployment costs.
● Wireless backhaul mode: Mesh portal-node
Figure 3-20 Networking for configuring mesh services
Network

GE0/0/3
GE0/0/2
Switch_A
GE0/0/1
area_3 area_2 area_1 GE0/0/1
AC
(MP) (MP) (MPP) GE0/0/2
GE0/0/1
Switch_B
Area C Area B Area A
：Mesh link
Data Planning
AP Type MAC Address
area_1 AP8130DN 60de-4476-e360

AP Type MAC Address
area_2 AP8130DN dcd2-fc04-b500
area_3 AP8130DN 60de-4474-9640

Item Data

for APs

addresses to APs.

APs
Mesh profile name Name: mesh-net
Mesh role ● area_1: Mesh-portal (MPP)

● area_2: Mesh-node (MP)
● area_3: Mesh-node (MP)
Mesh ID Name: mesh-net
Radio used by Mesh Radio 1:

services ● Bandwidth: 40 MHz-plus
● Channel: 157
Security profile ● Security policy: WPA2+PSK+AES

AP group ● ap-group1: area_1

● ap-group2: area_2 and area_3
1. Configure network connectivity and enable the AP (MPP) in Area A to go
online on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go
online on the AC through Mesh links.

Configuration Notes
● On a Mesh network, radios of APs with 802.11ac chips can interconnect only
with radios of neighbors with 802.11ac chips, and radios of APs with 802.11n
chips can interconnect only with radios of neighbors with 802.11n chips. The
following table lists types of chips used by AP models.
Table 3-27 Radio chips used by APs

AP Model Radio 0 Radio 1 Radio 2
AirEngine Mesh not Mesh not

NA
5760-10 supported supported
Mesh not Mesh not

R450D NA
supported supported
Mesh not Mesh not

R250D-E NA
supported supported
Mesh not Mesh not

R250D NA
supported supported
Mesh not Mesh not

R251D-E NA
supported supported
Mesh not Mesh not

R251D NA
supported supported

Mesh not Mesh not

R240D NA
supported supported
Mesh not Mesh not

R230D NA
supported supported
Mesh not Mesh not

AP9330DN NA
supported supported
AP9132DN 802.11n 802.11ac NA
AP9131DN 802.11n 802.11ac NA
AP9130DN 802.11ac 802.11ac NA
AP8150DN 802.11ac 802.11ac NA
AP8130DN-W 802.11ac 802.11ac NA
AP8130DN 802.11ac 802.11ac NA
AP8050DN-S 802.11ac 802.11ac NA
AP8050DN 802.11ac 802.11ac NA
Mesh not
AP8050TN-HD 802.11ac 802.11ac
supported
AP8082DN 802.11ac 802.11ac NA
AP8182DN 802.11ac 802.11ac NA
AP8030DN 802.11ac 802.11ac NA
Mesh not Mesh not

AP7060DN N/A
supported supported
AP7050DN-E 802.11ac 802.11ac NA
AP7050DE 802.11ac 802.11ac NA
AP7052DE 802.11ac 802.11ac NA
AP7052DN 802.11ac 802.11ac NA
AP7152DN 802.11ac 802.11ac NA
Mesh not Mesh not

AP7030DE NA
supported supported
AP6750-10T 802.11n 802.11ac Mesh not

supported
AP6150DN 802.11ac 802.11ac NA
AP6050DN 802.11ac 802.11ac NA
AP6052DN 802.11ac 802.11ac NA

Mesh not Mesh not

AP5510-W-GP NA
supported supported
Mesh not Mesh not

WA375DD-CE NA
supported supported
AP5050DN-S 802.11ac 802.11ac NA
AP5130DN 802.11n 802.11ac NA
AP5030DN 802.11n 802.11ac NA
AP5030DN-S 802.11n 802.11ac NA
AP430-E 802.11n 802.11ac NA
AP4151DN 802.11ac 802.11ac NA
AP4130DN 802.11n 802.11ac NA
AP4051DN-S 802.11ac 802.11ac NA
AP4051DN 802.11ac 802.11ac NA
AP4050DN-S 802.11ac 802.11ac NA
AP4050DN-HD 802.11ac 802.11ac NA
AP4050DN-E 802.11ac 802.11ac NA
AP4050DN 802.11ac 802.11ac NA
Mesh not
AP4051TN 802.11n 802.11ac
supported
AP4050DE-M 802.11n 802.11ac NA
AP4050DE-M-S 802.11n 802.11ac NA
AP4050DE-B-S 802.11n 802.11ac NA
AP3050DE 802.11n 802.11ac NA
Mesh not
AP4030TN 802.11n 802.11ac
supported
AP4030DN-E 802.11n 802.11ac NA
AP4030DN 802.11n 802.11ac NA
AP3030DN 802.11n 802.11ac NA
AP3010DN-V2 802.11n 802.11ac NA
Mesh not Mesh not

AP2050DN-S NA
supported supported

Mesh not Mesh not

AP2050DN-E NA
supported supported
Mesh not Mesh not

AP2050DN NA
supported supported
Mesh not Mesh not

AP2051DN-S NA
supported supported
Mesh not Mesh not

AP2051DN-E NA
supported supported
Mesh not Mesh not

AP2051DN NA
supported supported
Mesh not Mesh not

AP2030DN NA
supported supported
Mesh not Mesh not

AP2030DN-S NA
supported supported
AP1050DN-S 802.11ac 802.11ac NA
Mesh not Mesh not

AD9430DN-24 NA
supported supported
Mesh not Mesh not

AD9431DN-24X NA
supported supported
Mesh not Mesh not

AD9430DN-12 NA
supported supported
Procedure
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of
[Switch_B] vlan batch 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
# Add GE0/0/1 on Switch_A to VLANs 100, and GE0/0/2 to VLAN 100.

[Switch_A] vlan batch 100



page is displayed.




# Click OK.
# Click Next.

Vlanif100.



Step 3 Configure MPPs.
2. Create the AP group ap-group1 for the MPP.
# Enter the AP group name ap-group1 and click OK.
3. Configure Mesh parameters for the MPP.
# In AP Group List, select the AP group ap-group1.
radio 1 to 40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
key a1234567.
nodes. In this example, MAC addresses 60de-4476-e360,
60de-4474-9640, and dcd2-fc04-b500 area added to the Mesh whitelist.


4. Add MPPs.
# Set Mode to Manually add and manually add MPPs.
# Click OK.
Step 4 Configure the MP.

2. Create the AP group ap-group2 for the MP.

3. Configure Mesh parameters for the MP.


– Set the Mesh role to Mesh-node.
key a1234567.
nodes. In this example, MAC addresses 60de-4476-e360,
60de-4474-9640, and dcd2-fc04-b500 area added to the Mesh whitelist.


4. Add MPs.
# Set Mode to Manually add and manually add MPs.
# Click OK.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-
group1 and ap-group2 to check whether the AP status is normal. If so, the
APs have gone online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh
link information. After the Mesh links are successfully established, you can
view detailed information about the Mesh links on the page.

----End
3.2.14 Example for Configuring Dual-MPP Mesh Services

If an enterprise needs to provide wireless network access services for different
areas, multiple Mesh Portal Points (MPPs) can be configured to work on different
channels. This can reduce MP contention for wireless channels, thus improving
coverage performance.
● Wireless backhaul node: dual Mesh portal-node
Figure 3-21 Networking for configuring dual-MPP Mesh services
Network
Switch_A GE0/0/2
AC
GE0/0/1
GE0/0/1
GE0/0/3
Switch_B
GE0/0/1 GE0/0/2
AP_1 AP_2 Area A

(MPP) (MPP)
AP_3 AP_4 Area B

(MP) (MP)
：Mesh link

Data Planning

AP Name Type MAC Address
AP_1 AP8130DN 60de-4474-9640
AP_4 AP8130DN 1047-80ac-cc60

Item Data

for APs

addresses to APs.

APs
Mesh profile ● Name: mesh-net
Mesh role ● AP_1: Mesh-portal (MPP)

● AP_2: Mesh-portal (MPP)
● AP_3: Mesh-node (MP)
● AP_4: Mesh-node (MP)
Mesh ID Name: mesh-net
Regulatory domain ● Name: default

profile ● Country code: CN
Radio used by Mesh Radio 1:

services ● Bandwidth: 40 MHz-plus
● Channel: 157
Security profile ● Security policy: WPA2+PSK+AES


Item Data
AP group ● mesh-mpp: AP_1 and AP_2

● mesh-mp: AP_3 and AP_4
1. Configure network connectivity and enable APs (MPPs) in Area A to go online
on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC
through Mesh links.
Configuration Notes
● During the configuration of a Mesh network with multiple MPPs, to enable
MPs to set up wireless links with multiple MPPs simultaneously, configure the
MPPs to work on the same channel.
● On a Mesh network, radios of APs with 802.11ac chips can interconnect only
with radios of neighbors with 802.11ac chips, and radios of APs with 802.11n
chips can interconnect only with radios of neighbors with 802.11n chips. The
following table lists types of chips used by AP models.

Table 3-30 Radio chips used by APs

AirEngine Mesh not Mesh not

NA
5760-10 supported supported
Mesh not Mesh not

R450D NA
supported supported
Mesh not Mesh not

R250D-E NA
supported supported
Mesh not Mesh not

R250D NA
supported supported
Mesh not Mesh not

R251D-E NA
supported supported
Mesh not Mesh not

R251D NA
supported supported
Mesh not Mesh not

R240D NA
supported supported
Mesh not Mesh not

R230D NA
supported supported
Mesh not Mesh not

AP9330DN NA
supported supported
AP9132DN 802.11n 802.11ac NA
AP9131DN 802.11n 802.11ac NA
AP9130DN 802.11ac 802.11ac NA
AP8150DN 802.11ac 802.11ac NA
AP8130DN-W 802.11ac 802.11ac NA
AP8130DN 802.11ac 802.11ac NA
AP8050DN-S 802.11ac 802.11ac NA
AP8050DN 802.11ac 802.11ac NA
Mesh not
AP8050TN-HD 802.11ac 802.11ac
supported
AP8082DN 802.11ac 802.11ac NA
AP8182DN 802.11ac 802.11ac NA
AP8030DN 802.11ac 802.11ac NA
Mesh not Mesh not

AP7060DN N/A
supported supported
AP7050DN-E 802.11ac 802.11ac NA

AP7050DE 802.11ac 802.11ac NA
AP7052DE 802.11ac 802.11ac NA
AP7052DN 802.11ac 802.11ac NA
AP7152DN 802.11ac 802.11ac NA
Mesh not Mesh not

AP7030DE NA
supported supported
AP6750-10T 802.11n 802.11ac Mesh not

supported
AP6150DN 802.11ac 802.11ac NA
AP6050DN 802.11ac 802.11ac NA
AP6052DN 802.11ac 802.11ac NA
Mesh not Mesh not

AP5510-W-GP NA
supported supported
Mesh not Mesh not

WA375DD-CE NA
supported supported
AP5050DN-S 802.11ac 802.11ac NA
AP5130DN 802.11n 802.11ac NA
AP5030DN 802.11n 802.11ac NA
AP5030DN-S 802.11n 802.11ac NA
AP430-E 802.11n 802.11ac NA
AP4151DN 802.11ac 802.11ac NA
AP4130DN 802.11n 802.11ac NA
AP4051DN-S 802.11ac 802.11ac NA
AP4051DN 802.11ac 802.11ac NA
AP4050DN-S 802.11ac 802.11ac NA
AP4050DN-HD 802.11ac 802.11ac NA
AP4050DN-E 802.11ac 802.11ac NA
AP4050DN 802.11ac 802.11ac NA
Mesh not
AP4051TN 802.11n 802.11ac
supported
AP4050DE-M 802.11n 802.11ac NA
AP4050DE-M-S 802.11n 802.11ac NA

AP4050DE-B-S 802.11n 802.11ac NA
AP3050DE 802.11n 802.11ac NA
Mesh not
AP4030TN 802.11n 802.11ac
supported
AP4030DN-E 802.11n 802.11ac NA
AP4030DN 802.11n 802.11ac NA
AP3030DN 802.11n 802.11ac NA
AP3010DN-V2 802.11n 802.11ac NA
Mesh not Mesh not

AP2050DN-S NA
supported supported
Mesh not Mesh not

AP2050DN-E NA
supported supported
Mesh not Mesh not

AP2050DN NA
supported supported
Mesh not Mesh not

AP2051DN-S NA
supported supported
Mesh not Mesh not

AP2051DN-E NA
supported supported
Mesh not Mesh not

AP2051DN NA
supported supported
Mesh not Mesh not

AP2030DN NA
supported supported
Mesh not Mesh not

AP2030DN-S NA
supported supported
AP1050DN-S 802.11ac 802.11ac NA
Mesh not Mesh not

AD9430DN-24 NA
supported supported
Mesh not Mesh not

AD9431DN-24X NA
supported supported
Mesh not Mesh not

AD9430DN-12 NA
supported supported
Procedure
# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.

[Switch_A] vlan batch 100
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default
[Switch_B] vlan batch 100

page is displayed.





# Click OK.

# Click Next.
Vlanif100.

Step 3 Configure MPPs.
key a1234567.

nodes. In this example, MAC addresses 60de-4474-9640, dcd2-fc04-
b500, dcd2-fc96-e4c0, and 1047-80ac-cc60 are added. Click OK.

# After configuring Mesh parameters, Click Apply. In the dialog box that is
4. Add MPPs.
# Set Mode to Manually add and manually add MPPs.
# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-
b500 are added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The
APs are added as MPPs.
Step 4 Configure MPs.

2. Create the AP group mesh-mp for the MPs.
# Set the AP group name to mesh-mp and click OK.
3. Configure Mesh parameters for the MPs.
# In AP Group List, select the AP group mesh-mp.
– Set the Mesh role to Mesh-node.
key a1234567.

nodes. In this example, MAC addresses 60de-4474-9640, dcd2-fc04-
b500, dcd2-fc96-e4c0, and 1047-80ac-cc60 are added. Click OK.

# After configuring Mesh parameters, Click Apply. In the dialog box that is
4. Add MPs.
# In AP Group List, select the AP group mesh-mp.
# Set Mode to Manually add and manually add MPs.
# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-
cc60 are added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The
APs are added as MPs.

1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select
mesh-mpp and mesh-mp to check whether the status of APs in the AP list is
normal. If the AP status is normal, the APs have gone online on the AC
through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information and check
information about Mesh links. After the WDS links are successfully
established, you can view details about the WDS links on the following page.
----End
3.3 Authentication Configuration Examples

3.3.1 Example for Configuring External Portal Authentication

To improve WLAN security, an enterprise uses the external Portal authentication
mode to control user access.
addresses to STAs.
● Authentication mode: External Portal authentication
Figure 3-22 Networking for configuring external Portal authentication
RADIUS
Server
10.23.102.1
Port: 1812
Portal
Server IP DNS
Port: 50200 8.8.8.8
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF100: 10.23.100.1/24

source
interface
address

profile default

profile



tion
s ● IP address: 10.23.102.1

Item Data

template

profile
Authentica ● Name:default_free_rule
tion-free ● Authentication-free resource: IP address of the DNS server
rule profile (8.8.8.8)

tion Profile ● Referenced profile: Portal access profile wlan-net, RADIUS
Server profile wlan-net, authentication-free rule profile
default_free_rule and authentication scheme wlan-net

4. Configure WLAN services and external Portal authentication on the AC using
the WLAN configuration wizard.
Configuration Notes


Procedure
to 10.23.101.2/24.


for the STAs.

page is displayed.




page is displayed.
# Click OK.
# Click Next.

Vlanif100.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and
deselect MAC address-prioritized. Under External Portal Server Configuration,

set the server name, IP address, shared-key, port number, and server URL. Under
External RADIUS Server Configuration, set the server name, Port number,
authentication server IP address, and shared key.
Click Finish.

is displayed.
page is displayed.
DNS server.
6. Click OK.



----End
3.3.2 Example for Configuring Built-in Portal Authentication

for Local Users
To improve WLAN security, an enterprise uses the Portal authentication mode. To
reduce costs, the enterprise deploys an AC as the Portal server and uses the local
authentication mode so that authentication is performed on the AC.
addresses to STAs.
● Authentication mode: built-in Portal authentication

Figure 3-23 Networking for configuring built-in Portal authentication for local
users
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data

default gateway address of STAs is
10.23.101.2.

Item Data

profile default



Local user ● User name: guest

● Password: guest@123
Authentication scheme ● Name: wlan-net

● Authentication scheme: local
Portal access profile ● Name: wlan-net

● The built-in Portal server is used.
– Server IP: 10.23.101.3
– SSL policy: default_policy
– Port number: 20000
Authentication-free rule profile ● Name: default_free_rule

● Authentication-free resource: IP
address of the DNS server (8.8.8.8)
Authentication Profile ● Name: wlan-net

● Referenced profiles: Portal access
profile wlan-net, authentication-
free rule profile default_free_rule,
and authentication scheme wlan-
net

forwarding
net, and Authentication profile
wlan-net

4. Configure WLAN services and built-in Portal authentication on the AC using
Configuration Notes
Procedure


to 10.23.101.2/24.
for the STAs.
address pool view.

page is displayed.








Configuration page is displayed. Set Interface type to Loopback, Interface
number to 1, and IP address of Loopback1 to 10.23.101.3/24.
# Click OK.
page is displayed.
# Click OK.
# Click Next.


Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.

Portal server to Built-in Portal server. Under Built-in Portal Server
Configuration, configure the server IP address and port number and set SSL
policy to default_policy. The server IP address is the IP address of a Layer 3
interface that has a reachable route to the user. In this example, 10.23.101.3 is
used as the server IP address.
# Click Manage next to Local user. The Local User page is displayed
# Click Create. The Create Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and
password.

# Click OK.
# On the Create Local User page, select the new user and click OK.
Click Finish.

is displayed.
page is displayed.
DNS server.
6. Click OK.


3. When a user browses a web page, the browser automatically redirects the
user to the Portal authentication page. After entering the correct user name
and password, the user passes the authentication and can access the web
page.

----End
3.3.3 Example for Configuring MAC Address-prioritized Portal

Authentication
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
addresses to STAs.
● Authentication mode: MAC address-prioritized Portal authentication

Figure 3-24 Networking for configuring MAC address-prioritized Portal

authentication
RADIUS
Server
10.23.102.1
Port: 1812
Portal
Server IP DNS
Port: 50200 8.8.8.8
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs

IP address 10.23.100.2–10.23.100.254/24
pool for
APs

Item Data
IP address 10.23.101.3–10.23.101.254/24
pool for
STAs
AC's VLANIF100: 10.23.100.1/24

source
interface
address

profile default

profile



tion
s ● IP address: 10.23.102.1

template

profile
MAC Name:wlan-net
access
profile

tion-free ● Authentication-free resource: IP address of the DNS
rule profile server(8.8.8.8)

Item Data

tion Profile ● Referenced profile: Portal access profile wlan-net, MAC access
profile wlan-net, RADIUS server template wlan-net,
authentication-free rule profile default_free_rule and

4. Configure WLAN services and MAC address-prioritized Portal authentication
on the AC using the WLAN configuration wizard.
Configuration Notes

Procedure
to 10.23.101.2/24.
for the STAs.

page is displayed.







page is displayed.
# Click OK.
# Click Next.


Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.

# Set Security settings to Portal (applicable to enterprise networks) and select
MAC address-prioritized. Under External Portal Server Configuration, set the
server name, IP address, shared-key, port number, and server URL. Under External
RADIUS Sever Configuration, set the server name, authentication server IP
address, and shared key.

# Click Finish.
is displayed.

page is displayed.
DNS server.
6. Click OK.


5. Assume that the MAC address validity period configured on the server is 60
minutes. If a user is disconnected from the wireless network for 5 minutes
and reconnects to the network, the user can directly access the network. If a
user is disconnected from the wireless network for 65 minutes and reconnects
to the network, the user will be redirected to the Portal authentication page.
----End
More Information
(Video) Example for Configuring Guests to Access the WLAN (MAC Address-
prioritized Portal Authentication)
3.3.4 Example for Configuring Built-in Portal Access Code

Authentication
The hotel wants to provide guests with convenient network access services so that
guests only need to enter a character string on the login page for access
authentication without having to enter their user names and passwords. Guests
are allowed network access after being authenticated successfully. Considering
that the hotel scale is small, built-in Portal access code authentication can meet
the preceding requirement and local authentication can be used.
addresses to STAs.
● Authentication mode: Built-in Portal access code authentication

Figure 3-25 Configuring built-in Portal access code authentication
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.4-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface


profile


Local ● Access code 1: randomly generated, expired on 00:00:00 of

access 2019-12-30 (description: 301)
code ● Access code 2: randomly generated, expired on 00:00:00 of
2019-12-30 (description: 302)

tion ● Authentication scheme: local
scheme

access ● The built-in Portal server is used.
profile
– Server IP: 10.23.101.3


tion Profile ● Authentication-free resource: IP address of the DNS server
(8.8.8.8)

● Referenced profiles: SSID profile wlan-net, security profile
wlan-net, and Authentication profile wlan-net

4. Configure WLAN services and built-in Portal authentication on the AC using
5. Configure access code authentication parameters.
Configuration Notes
Procedure


to 10.23.101.2/24.
for the STAs.
address pool view.

page is displayed.








Configuration page is displayed. Set Interface type to Loopback, Interface
number to 1, and IP address of Loopback1 to 10.23.101.3/24.
# Click OK.
page is displayed.
# Click OK.
# Click Next.


Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.

Portal server to Built-in Portal server. Under Built-in Portal Server
Configuration, configure the server IP address and port number and set SSL
policy to default_policy. The server IP address is the IP address of a Layer 3
interface that has a reachable route to the user. In this example, 10.23.101.3 is
used as the server IP address.

Click Finish.
Step 6 Configure access code authentication.
# Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
# Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Portal Profile. The Portal Profile page is displayed.
# Set Built-in Portal authentication mode to Access Code.


is displayed.
page is displayed.
DNS server.
6. Click OK.
1. The hotel receptionist prints the guest access code.
# The hotel receptionist logs in to the web platform and chooses Guest
Management > Guest Access Code.
# Click Create. The page for creating a guest access code is displayed. Click
Random, and configure the access code description and expiration time.

# Click OK. On the page that is displayed, print the access code for the user.
4. When the user browses a web page, the browser is automatically redirected
to the Portal authentication page. After entering the access code obtained
from the hotel receptionist, the user can properly access the web page.
5. Hotel IT personnel can choose Monitoring > User > Online STA Statistics. In
User List, set the search criteria to SSID, enter wlan-net, and click . You
can see that the STA goes online successfully and obtains an IP address.
----End
3.3.5 Example for Configuring 802.1X Authentication
When users attempt to access the WLAN, they can use 802.1X clients for
authentication. After entering the correct user names and passwords, users can
connect to the Internet. Furthermore, users' services are not affected during

addresses to STAs.
Figure 3-26 Networking diagram for configuring 802.1X authentication
Internet
Router
GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
AP
STA STA

Data Planning











profile wlan-net
Configuration Notes

Procedure
101.
segment for STAs.

address pool view.

page is displayed.

2. Configure ports.
VLAN 102.



# Click OK.
page is displayed.
# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.



7. # Click Finish.

page is displayed.




name and password. The STA is authenticated and can access the WLAN. You
must configure the client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties
dialog box, add SSID wlan-net, set the authentication mode to
WPA2, and encryption algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click
Properties. In the Protected EAP Properties dialog box, deselect
to AES. Click Next.

iii. On the Wireless Network Properties page, click Advanced settings.

On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
----End
3.3.6 Example for Configuring Local EAP Authentication

The local EAP server can be used to authenticate 802.1X users if no external
authentication server is deployed.
addresses to STAs.
● Authentication mode: Built-in EAP authentication

Figure 3-27 Networking diagram for local EAP authentication
Internet
Router
GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
AP
STA STA
Data Planning

Item Data
Managem VLAN100
ent VLAN
for APs
Service VLAN101
VLAN for
STAs

Item Data
DHCP The AC functions as the DHCP server to assign IP addresses to APs,

server and SwitchB functions as the DHCP server to assign IP addresses to
STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.2-10.23.101.254/24
pool for
the STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface

● Bound profile: VAP profile wlan-net and regulatory domain
profile default

profile


profile ● Security policy: WPA-WPA2+802.1X+AES
Local EAP EAP server template: test1

authentica Local user name and password:
tion
● User name: huawei
● Password: Huawei@123
Certificate ● CA certificate file: ca.cer

s and keys ● Local certificate file: cer.pem
● Private key file: cer.pem
● Key of the local certificate: Huawei@123

tion ● Authentication scheme: local
scheme
802.1X ● Name: wlan-net

access
profile

tion ● Bound profile and authentication scheme: 802.1X access profile
profile wlan-net, and authentication scheme wlan-net

Item Data

● Bound profiles: SSID profile wlan-net, security profile wlan-net,
and authentication profile wlan-net
4. Configure WLAN services and built-in EAP authentication on the AC using the
WLAN configuration wizard.
5. Configure local users.
Configuration Notes
Procedure

101.
segment for STAs.


address pool view.

page is displayed.

2. Configure ports.
VLAN 102.



# Click OK.
page is displayed.
# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.

4. # Set Security settings to 802.1X authentication, select Built-in EAP
authentication, and configure parameters of the built-in EAP server.

7. # Click Finish.
Step 6 Configure local users.
# Choose Configuration > Security > AAA > Local User. The local user
# Click Create. The Create User page is displayed.
# Configure the user name and password for a local user, and set Access mode to
802.1X. You can manually add or batch import local users. This example describes
how to manually add local users.

# Click OK.
name and password. The STA is authenticated and can access the WLAN.
----End
3.3.7 Example for Configuring MAC Address Authentication

MAC address authentication is used to authenticate dumb terminals such as
wireless network printers and wireless phones that cannot have an authentication
client installed.
addresses to STAs.
● Authentication mode: open system authentication

Figure 3-28 Networking diagram for configuring MAC address authentication
Internet
Router
GE0/0/1
Radius Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
AP
STA STA

Data Planning



MAC access profile Name: wlan-net

MAC access profile wlan-net, RADIUS server
template wlan-net, and authentication
scheme wlan-net




● Security policy: open system authentication

profile wlan-net
configuring the security policy, select MAC and RADIUS authentication, and

Configuration Notes
Procedure
101.


segment for STAs.
address pool view.

page is displayed.



2. Configure ports.
VLAN 102.


# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.
# Set Security settings to Open (applicable to personal networks).
# Click Finish.
Step 6 Configure MAC address authentication.

1. Create the authentication profile wlan-net.

displayed.
# Choose VAP Configuration > wlan-net > Authentication Profile. The

Authentication Profile page is displayed.
# Click Create. On the Create Authentication Profile page that is displayed,

enter the profile name wlan-net and click OK. The authentication profile
# Set Access mode to MAC authentication and Authentication mode to

RADIUS authentication.

2. Configure the MAC access profile wlan-net.

# Click in front of Authentication Profile. Under it, click MAC

Authentication. The MAC Authentication Profile page is displayed.
# Click Create. On the Create MAC Authentication Profile page that is
displayed, enter the profile name wlan-net and click OK. On the MAC
authentication profile configuration page that is displayed, configure the user
name format for MAC address authentication.
The user name and password used for MAC address authentication must be the same as
those configured for local authentication.

3. Configure a RADIUS server profile.
# Click in front of Authentication Profile. Under it, click RADIUS Server.

The RADIUS Server page is displayed.
# Click under RADIUS Server Profile. The RADIUS Server Profile page is
displayed.
# Click Create. On the Create RADIUS Server Profile page that is displayed,
set Profile name to wlan-net and Profile default shared key to
huawei@123.
# Click Create Server. In the Create Server Configuration dialog box that is
displayed, configure the RADIUS server parameters.

# Click OK. On the Create RADIUS Server Profile page that is displayed,
select the created RADIUS server and click OK. On the RADIUS Server Profile
page that is displayed, select the created RADIUS server profile wlan-net and
click OK.
page is displayed.




● After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the
network.
----End
3.3.8 Example for Configuring MAC Authentication for Local

Users
Dumb terminals (such as printers) in the physical access control department
cannot have an authentication client installed. To meet the enterprise's security
requirements, configure MAC address authentication on the AC and use the local
authentication mode to authenticate identities of dumb terminals.
addresses to STAs.
● Authentication mode: MAC authentication
● Security policy:open

Figure 3-29 Networking for configuring MAC authentication for local users
Data Planning
Item Data

default gateway address of STAs is
10.23.101.2.
AC's source interface VLANIF 100:10.23.100.1/24

profile default


Item Data


Local authentication parameters ● Name of the local authentication

scheme: wlan-net
● User name and password of the
local user: 0011-2233-4455 and
guest@123, respectively, which
must be consistent with those in
the MAC access profile
● Access type of the local user: MAC
MAC access profile ● Name: wlan-net

● User name and password for MAC
address authentication: A MAC
address is used as the user name
and the password is guest@123,
which must be consistent with
those in the local authentication
parameters

● Referenced profiles: MAC access
profile wlan-net and

forwarding
wlan-net, security profile wlan-net
and Authentication profile wlan-
net
3. Select Config Wizard to configure the AP to go online on the AC.
configuring a security policy, select MAC address authentication and local
authentication. When adding a local user, ensure that the user name is the

same as the MAC address of the user, and the password is the same as that
configured in the MAC access profile. Configure the planned password in the
MAC access profile.
Configuration Notes
Procedure


to 10.23.101.2/24.
for the STAs.
address pool view.

page is displayed.






page is displayed.
# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.

# Click Finish.
Step 6 Configure MAC authentication for local users.
displayed.
# Click Create. On the Create Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. The authentication profile
# Set Access mode to MAC authentication and Authentication mode to
Local authentication.
2. Configure the MAC access profile wlan-net.
# Click in front of Authentication Profile. Under it, click MAC

Authentication. The MAC Authentication Profile page is displayed.
# Click Create. On the Create MAC Authentication Profile page that is
displayed, enter the profile name wlan-net and click OK. On the MAC
authentication profile configuration page that is displayed, configure the user
name format for MAC address authentication.
The user name and password used for MAC address authentication must be the same as
those configured for local authentication.


3. Configure the local authentication scheme wlan-net.
# Click in front of Authentication Profile. Under it, click Local

Authentication. The Local Authentication page is displayed.
# Click Manage. The Create Local User page is displayed.
# Click Create. In the dialog box that is displayed, enter the user name and
password.
The local user name and password must be the same as those in the MAC authentication
profile.
# Click OK.Click Close.Click Apply.

1. The STAs automatically access the WLAN with the SSID wlan-net.

----End
3.3.9 Example for Configuring the RADIUS Server and AC to

Deliver User Group Rights to Users
Different user groups are created to assign network access rights to different users
when they access the WLAN through 802.1X authentication. Furthermore, users'
services are not affected during roaming in the coverage area.
● DHCP deployment mode: The AC and SwitchB function as DHCP servers to
assign IP addresses to APs and STAs, respectively.

Figure 3-30 Networking for configuring user authorization based on user groups
Internet
Router
GE0/0/1
RADIUS Server
AC SwitchB GE0/0/4 10.23.103.1:1812
GE0/0/2
GE0/0/1 GE0/0/3
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
AP
STA STA
Data Planning

addresses to APs, and SwitchB functions as a
DHCP server to assign IP addresses to STAs.









profile wlan-net
User group ● Name: group1

● Bound ACL number: 3001
● User group right: Only members in the user
group can access network resources on
10.23.200.0/24.


5. Configure a user group.
Configuration Notes
Procedure
101.


segment for STAs.
address pool view.


page is displayed.


2. Configure ports.

VLAN 102.



# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.




7. # Click Finish.
page is displayed.




Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create on the ACLv4 tab. On the Create Advanced ACL page that is
displayed, configure an ACL.
# Click OK. The Advanced ACL Settings page is displayed.

# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed,
add an ACL rule.
# Click OK. On the Advanced ACL Settings page that is displayed, use the
same method to add another ACL rule.

# Click OK.
2. Configure a user group.
# Choose Configuration > Security > User Group > User Group. The User
Group page is displayed.
# Click Create. On the Create User Group page that is displayed, set User
group name and bind an ACL.
# Click OK.
● The WLAN with the SSID wlan-net is available for STAs after the
configuration is complete.
● The STAs obtain IP addresses when they successfully associate with the
WLAN.
● A user can use the 802.1X authentication client on an STA for authentication.
After entering the correct user name and password, the user is successfully
authenticated and can access resources on the network segment
10.23.200.0/24. You need to configure the 802.1X authentication client based
on the configured authentication mode PEAP.


to AES. Click Next.
iii. Click OK. On the Wireless Network Properties page, click
Advanced settings. On the Advanced settings page that is
displayed, select Specify authentication mode, set the identity
authentication mode to User authentication, and click OK.
----End
3.3.10 Example for Configuring Built-in Portal WeChat

Authentication
As shown in Figure 3-31, the AC of a shop directly connects to an AP. The shop
deploys a WLAN wlan-net to provide wireless network access for consumers. The
AC functions as a DHCP server to assign IP addresses on the network segment
10.23.101.0/24 to wireless users.
To improve its brand popularity and image, the shop allows consumers to connect
to the open Wi-Fi network using WeChat. Users can obtain access to the Internet
by WeChat authentication, without the need to enter a user name or password.
Figure 3-31 Networking diagram for configuring WeChat authentication using a

built-in Portal server
Management VLAN:
VLAN 100
Service VLAN: VLAN 101
WeChat server
AP
area_1 GE0/0/1 GE0/0/2
STA VLAN100 VLAN101
Intranet
AC
STA Built-in Portal server
10.1.1.1/24 DNS server
10.23.200.2

Data Planning
Item Data

access ● The built-in Portal server is used.
profile
– IP address of the built-in portal server: 10.1.1.1/24
– HTTP port number: 1025
WeChat ● WeChat official account ID: wxappid123

authentica ● WeChat official account key: huawei@123
tion
profile ● The AC automatically obtains shop information from the
WeChat server. Parameter settings of the WeChat server are:
– Default domain name: api.weixin.qq.com
– Default port number: 443
DNS IP address: 10.23.200.2

server

tion ● Bound profile and authentication scheme: Portal access profile
profile wlan-net and authentication scheme wlan-net
DHCP The central AP functions as a DHCP server to assign IP addresses

server to the RU and STAs.
IP address 10.23.100.2 to 10.23.100.254/24

pool for
the AP
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs
AC's VLANIF100: 10.23.100.1/24

source
interface

● Bound profiles: VAP profile wlan-net and regulatory domain
profile wlan-net
Regulatory ● Name: wlan-net

profile

Item Data


profile ● Security policy: open system authentication

● Bound profiles: SSID profile wlan-net, security profile wlan-net,
and authentication profile wlan-net
4. Select Config Wizard to configure WLAN services on the AC. Configure
WeChat authentication to authenticate WeChat users.
5. Complete user service verification.
Procedure
1. Configure AC basic parameters.
Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region as required (China as an example). Set System Time

to Manual and Date and time to PC Time.

2. Configure ports.

Trunk and Default VLAN to 100, and add GigabitEthernet0/0/1 to VLAN
100 (management VLAN).

# Click Apply.

Trunk and add GigabitEthernet0/0/2 to VLAN 101 (service VLAN).
# Click Apply.
# Click Next. The Network Interconnection page is displayed.

# Under Interface Configuration, click Create. The Create Interface


# Click OK.
# Configure the address pool for VLANIF 101 in the similar way. Set the IP
address of VLANIF 101 to 10.23.101.1/24, DHCP status to ON, DHCP type to
Interface address pool, and Primary DNS serve to 10.23.200.2.
page is displayed.
# Set the destination IP address to 10.23.200.0/24 and Next hop address to
10.23.101.2 (assuming that the IP address of the uplink device is 10.23.101.2).

# Click OK.
# Click Next.
Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
Configuration.
# Set the SSID name, forwarding mode, and service VLAN ID.

# Select WeChat. Set Server IP address to 10.1.1.1 and Port number to 1025.
Configure the WeChat official account as follows:
● APP ID: wxappid123
● APP key: huawei@123


# Click Finish.
is displayed.
page is displayed.
DNS server.

6. Click OK.

● After the configuration is complete, STAs can discover the wireless network
with the SSID wlan-net.
● STAs can be assigned IP addresses after they associate with the wireless
network.
● When a user opens WeChat, the Portal authentication page is displayed
automatically on the STA. After the user can be authenticated, the user can
connect to the Internet.
----End
3.3.11 Example for Configuring External Portal Authentication

(In HACA Mode)
An enterprise deploys a cloud AC to manage users connected to the Internet and
the SDN controller as a Huawei Agile Cloud Authentication (HACA) server. The
HACA server is located on the cloud to implement functions of an external Portal
server, authentication server, and accounting server. Access users are authenticated
and charged on the HACA server through the cloud AC. This reduces routing
network maintenance costs of the enterprise.
addresses to STAs.
● AAA scheme: HACA
● Authentication mode: External Portal authentication

Figure 3-32 Networking for configuring external Portal authentication (in HACA
mode)
HACA server
(Controller) DNS server
8.8.8.8
Internet
Enterprise campus
network
Management VLAN: VLAN 100 Router
Service VLAN: VLAN 101 GE1/0/0
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA GE0/0/1
AC
VLANIF 100
10.23.100.1/24
Data Planning
Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

profile default

profile


HACA ● Name: wlan-net

template
● PKI realm name: default

profile

template

tion ● Referenced profiles: Portal access profile wlan-net,
profile authentication scheme wlan-net, authentication-free rule
profile default_free_rule, and HACA server template wlan-net

wlan-net, and authentication profile wlan-net

2. Register the AC with the SDN controller and go to the web platform of the
AC.
5. Configure WLAN services on the AC using the WLAN configuration wizard.
6. Configure HACA authentication in a VAP profile.
8. Configure the SDN controller parameters.
Procedure
to 10.23.101.2/24.


for the STAs.
address pool view.
Step 3 Register the AC with the SDN controller and add APs. For the registration
procedure, see Configuration - Cloud-based Management Configuration of AC. For
operations of adding APs, see CloudCampus Cloud Managed Campus Solution
Product Documentation.
Step 4 Log in to the SDN controller through the Internet, go to the web platform of the
AC, and remotely configure WLAN service data.
1. Select a site.
a. Choose Deploy > Site > Site Configuration from the main menu.
b. In the displayed window, select a site from the Site drop-down list box in
the upper left corner, and set the selected site as the operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click the name of the desired WLAN AC in the Device Name area. The WLAN
AC management page is displayed.
4. Click Open Web System in the upper right corner and the WLAN AC web
NMS page is displayed.


page is displayed.




page is displayed.
# Click OK.
# Click Next.


Vlanif100.


1. Configure an AP to go online.
# Click next to AP Group List. The page for adding an AP group is

displayed.
# Click Add. Select the AP added on the SDN controller, and add this AP to
ap-group1.
# Click OK.
# Click Next.

Configuration.

# Click Finish.
Step 8 Configure HACA authentication.


displayed.

# Set Access mode to Portal authentication and Portal option to HACA

access.

2. Configure HACA access parameters.
# Click in front of Authentication Profile. Under it, click HACA Access. The
Portal Profile page is displayed.
# Click next to Portal server group. The Portal Authentication Server

List page is displayed.
# Click Create. On the Create Portal server group page that is displayed, set
Server name to wlan-net, Server IP to 10.23.200.1, and parameters in
Redirection Setting as follows:
– AC-MAC keyword: lsw-mac

– User access URL keyword: redirect-url
– User MAC keyword: umac
– User IP address keyword: uaddress

– SSID keyword: ssid
# Click OK. In Portal Authentication Server List, select the server named
wlan-net and click OK.
3. Configure the HACA server.
# Click in front of Authentication Profile. Under it, click HACA Server.

The HACA Server page is displayed.
# On the HACA Server Template tab, click Create. The Create HACA Server
Template page is displayed. Set Profile name to wlan-net. Enable HACA
function. Set IP address to 10.23.200.1, Port number to 50301, and
Certificate name to default.


# Set HACA Server Template to wlan-net, Accounting mode to HACA
accounting, and Policy for accounting-start failures to Allow user login.

is displayed.
page is displayed.
DNS server.

6. Click OK.
Step 10 Configure the user group and users on the SDN controller.
1. Choose Admission > User Management > Users from the main menu.
2. Click Batch import uses and user groups using the Excel template.
Download the template, fill users and user groups in the document, and
upload the Excel document.
3. Click OK.
Step 11 Configure authentication parameters on the SDN controller.
1. Select a site.
a. Choose Deploy > Site > Site configuration from the main menu.
b. Select a site from the Site drop-down list box in the upper left corner and
set the site as an operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click Add and configure authentication parameters as follows:
– Name: wlan-net
– SSID: wlan-net, which must be the same as the SSID configured on the
AC
– Authentication mode: Open network
– Push mode: Fast
– Push page: Default customization page with user name and password
authentication
– User group: Guest

4. Click OK.

● The WLAN with the SSID wlan-net is available for STAs after the
configuration is complete.
● The STAs obtain IP addresses when they successfully associate with the
WLAN.
● When a user opens the browser and attempts to access the network, the user
----End
3.4 Reliability Configuration Examples
3.4.1 Example for Configuring Wireless Configuration

Synchronization in VRRP HSB Scenarios

To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in VRRP HSB to meet this
requirement. In this solution, the master and backup ACs are often deployed in the
same location, and the service switchover is fast and has higher reliability than
dual-link HSB.
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Figure 3-33 Networking for configuring wireless configuration synchronization in

VRRP HSB scenarios (direct forwarding)
Internet
Router
GE0/0/2
VLAN102
AC1 AC2
GE0/0/1
VLAN100-101
GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100-101 VLAN100-101
Eth-Trunk10
GE0/0/2 GE0/0/3
VLAN100-101 VLAN100-101
GE0/0/1 SwitchA
VLAN100-101
AP
STA
Management VLAN: VLAN 100
: Service VRRP
: mVRRP
:Eth-Trunk
Data Planning
Item Data
AC1's source interface Virtual IP address: 10.23.100.3/24

Item Data
AC2's source interface Virtual IP address: 10.23.100.3/24
Virtual IP address of the 10.23.100.3/24

management VRRP group

service VRRP group

● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

● Referenced profiles: VAP profile wlan-net
and regulatory domain profile default



● Security policy: WPA-WPA2+PSK+AES

APs' gateway VLANIF 100: 10.23.100.3/24
IP address pool for APs 10.23.100.4 to 10.23.100.254/24
STAs' gateway VLANIF 101: 10.23.101.3/24
IP address pool for STAs 10.23.101.4 to 10.23.101.254/24
IP addresses and port IP address of VLANIF 102: 10.23.102.1/24

numbers for the active and Port number: 10241
standby channels of AC1
IP addresses and port IP address of VLANIF 102: 10.23.102.2/24

Scheduled wireless Start time of scheduled synchronization: 01:00

configuration synchronization Interval for scheduled synchronization: 1440
minutes

1. Configure a cluster between SwitchB and SwitchC through cluster cards to
improve core layer reliability and configure SwitchB as the master switch.
2. Configure network connectivity between SwitchA, SwitchB, and SwitchC.
3. Configure AC1 based on the configuration wizard. VRRP HSB and wireless
configuration synchronization are both configured based on the configuration
wizard.
4. Configure APs to go online and basic WLAN services on AC1.
5. Configure AC2 based on the configuration wizard.
6. Trigger wireless configuration synchronization on AC1.
Configuration Notes
● Check whether loops occur on the wired network. If loops occur, configure
MSTP on corresponding NEs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.

[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
connection for SwitchC.
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off
# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
------------------------------------------------------------------------------
# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y
# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)


-------------------------------------------------------------------------------
<SwitchB> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7

32 1/14/0/8 10G 10G 2/14/0/8

--------------------------------------------------------------------------------
The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit
CAPWAP packets.
If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting
to the AP). If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs or WLAN users on different APs can directly communicate at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN

100 and add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on
SwitchA connected to SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on
SwitchA connected to SwitchC to Eth-Trunk 10.
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS-GigabitEthernet1/1/0/2] undo port link-type

[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
Step 3 Configure AC1.

page is displayed.
Region to China, System time to Manual, and Date and time to PC Time.

# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to
VLAN 101 (service VLAN).
# Click Apply.
GigabitEthernet0/0/2 to VLAN 102 in the same way.


# Click OK.
# Click Create under DHCPv4 Address Pool List, set Address pool type to
Interface address pool, and select VLANIF100. Expand Advanced. Click to
add 10.23.100.1 to 10.23.100.3 to Excluded IP address.

# Repeat the preceding steps to configure an address pool for VLANIF 101.
Set the IP address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.1 to
10.23.101.3 to Excluded IP address.
# Click Next. The AC Backup Configuration page is displayed.
4. Configure AC backup.
# Enable HSB.

# Click Create. The Create VRID page is displayed.

# Create a management VRRP group. Set parameters as follows:
– VLANIF/IP: VLANIF 100
– VRID: 1
– VRRP type: mVRRP group
– Virtual IP address: 10.23.100.3
– Priority: 120
– Preemption delay(s): 1800
# Click OK.
# Configure a service VRRP group in the same way. Set parameters as follows:
– VRID: 2
– VRRP type: VRRP group
– VRID of the mVRRP group: 1
# Click OK.

# Configure HSB. Set parameters as follows:

– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Associated VRID: 1
# Enable wireless configuration synchronization, and set PSK key.

5. Configure the source address for AC1.
# Set AC source address to IP address and set the IP address to 10.23.100.3.

Step 4 Configure APs connected to AC1.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
# Click Next.
2. Configure an AP group.
# The AP template file has AP group information added. Click Next. The
Confirm Configurations page is displayed.
Configuration.
Step 5 Configure basic WLAN services on AC1.
1. Configure WLAN services.

# Set Security settings to Key (applicable to personnel networks) and set
the key.


Click Finish.
# Configure AC2 in the same way as that for configuring AC1.
# Configure interfaces on AC2 in the same way as that on AC1.
# Configure network interconnections on AC2 in the same way as that on
AC1. The differences are as follows:
– Set IP addresses of VLANIF 100, VLANIF 101, and VLANIF 102 to
10.23.100.2/24, 10.23.101.2/24, and 10.23.102.2/24, respectively.
# Configure AC backup on AC2 in the same way as that on AC1. The
differences are as follows:
– When configuring VRRP groups, use the default values of Priority and
Preemption delay(s).
– When configuring HSB, set Local AC IP address to 10.23.102.2 and Peer
AC IP address to 10.23.102.1.
# Configure the source address for AC2 in the same way as that for AC1.
Step 7 Trigger wireless configuration synchronization manually on AC1.
# Choose Monitoring > AC > Wireless Configuration Synchronization
Information. The Wireless Configuration Synchronization Information page is
displayed. Set Auto refresh to ON.

# Click Manual synchronization under Operation. In the Confirm dialog box that
is displayed, click OK. AC2 restarts automatically.

# After AC2 restarts, check the configuration synchronization state on AC1. If
Configuration Synchronization State is Synchronization success, wireless
configuration synchronization succeeds.
# STAs associated with the AP can find the SSID wlan-net and connect to the
WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC,
ensuring user service continuity.
----End
3.4.2 Example for Configuring Wireless Configuration

Synchronization in Dual-Link HSB Scenarios
To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in dual-link HSB to meet
this requirement. This solution frees active and standby ACs from location
restrictions and allows both ACs to be flexibly deployed.
● DHCP deployment mode: The router functions as a DHCP server to assign IP

Figure 3-34 Networking diagram for configuring dual-link HSB
Internet
Router
GE0/0/1
VLAN 100,101
GE0/0/4
VLAN 100,101
GE0/0/1 SwitchB GE0/0/1
VLAN 100,102 VLAN 100,102
GE0/0/2 GE0/0/3
AC1 VLAN 100,102 VLAN 100,102 AC2
GE0/0/1
VLAN100,101
GE0/0/2
VLAN100,101
SwitchA
GE0/0/1
VLAN100,101
AP1
STA1

AC's backup VLAN: VLAN 102
Data Planning
Table 3-41 AC Data planning

Item Data

Item Data
AC's backup VLAN VLAN 102
DHCP server The Router functions as the DHCP

server for the APs and STAs.
STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24
AC's source interface VLANIF 100
AC1's management IP address VLANIF 100: 10.23.100.2/24
Active AC AC1
Standby AC AC2
Master AC AC1
Local AC AC2

profile default



+AES

net
AP system profile ● Name: wlan-net

● Primary AC's IP address: 10.23.100.2
● Backup AC's IP address: 10.23.100.3

Item Data
Scheduled wireless configuration Start time of scheduled

synchronization synchronization: 01:00
Interval for scheduled synchronization:
1440 minutes
1. Configure network interconnection. Configure Router as a DHCP server to
2. Configure AC1, APs going online, and WLAN services following the
configuration wizard.
3. Configure dual-link hot standby (HSB) on AC1.
4. Configure AC2 following the configuration wizard.
5. Configure dual-link HSB on AC2.
6. Trigger wireless configuration synchronization on AC1.
Configuration Notes
Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange
CAPWAP packets.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the
interface to VLAN 100 and VLAN 101. Add GE0/0/2 of SwitchA to VLAN 100 and
VLAN 101.
# Add GE0/0/1 (connecting to SwitchA) of SwitchB to VLAN 100 and VLAN 101.
Add GE0/0/2 (connecting to AC1) of SwitchB, and GE0/0/3 (connecting to AC2) of
SwitchB to VLAN 100.
[SwitchB] vlan batch 100
Step 2 Configure the communication between Router, AC1, and AC2.

# Add GE0/0/2 and GE0/0/3 of SwitchB to VLAN 102 and add GE0/0/4 of SwitchB
connecting to Router to both VLAN 100 and VLAN 101.
Step 3 Configure Router to assign IP addresses to STAs and APs.
address pool view.

[Router] dhcp enable

[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router-Vlanif100] dhcp select global

page is displayed.

to Trunk and add GigabitEthernet0/0/1 to VLAN 100 and VLAN 102.

# Click Apply.


# Click OK. VLANIF 100 is configured.
# Repeat the preceding steps to configure VLANIF 102. Set the IP address of
VLANIF 102 to 10.23.102.1/24.

# Set AC source address to VLANIF and set the IP address to Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
# Click Next.
Configuration.

key.
Click Finish.
Step 7 Configure dual-link HSB on AC1.

1. Configure IP addresses for primary and backup ACs.
# In the AP group list, click ap-group1. On the page that is displayed, click
in front of AP. Under it, click AP System Profile. The AP System Profile
page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter
the profile name wlan-net and click OK. The AP system profile configuration
page is displayed.
# On the Advanced Configuration page of the AP system profile, click in

front of Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP
address to 10.23.100.2 and Backup AC IP address to 10.23.100.3.


2. Configure dual-link HSB.
# Choose Configuration > Reliability > Reliability. The Reliability page is

displayed.
# Set parameters as follows:

– Backup mode: Dual-link hot backup
– Wireless configuration synchronization: ON
– Synchronization mode: From local to peer
– PSK key: H@123456




– Set IP addresses of VLANIF 100 and VLANIF 102 to 10.23.100.3/24 and
10.23.102.2/24, respectively.
1. Configure IP addresses for primary and backup ACs.
# Click Create. On the page that is displayed, create the AP group ap-group1
and click OK.
# In the AP group list, click ap-group1. On the page that is displayed, click
in front of AP. Under it, click AP System Profile. The AP System Profile
page is displayed.
the profile name wlan-net and click OK. The AP system profile configuration
page is displayed.
# On the Advanced Configuration page of the AP system profile, click in

front of Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP
address to 10.23.100.2 and Backup AC IP address to 10.23.100.3.

2. Configure dual-link HSB.
displayed.


– Backup mode: Dual-link hot backup
– Wireless configuration synchronization: ON
– Synchronization mode: From peer to local
– PSK key: H@123456
Step 10 Trigger wireless configuration synchronization manually on AC1.
# Choose Monitoring > AC > Wireless Configuration Synchronization
Information. The Wireless Configuration Synchronization Information page is
displayed. Set Auto refresh to ON.
# Click Manual synchronization under Operation. In the Confirm dialog box that
is displayed, click OK. AC2 restarts automatically.

# After AC2 restarts, check the configuration synchronization state on AC1. If
Configuration Synchronization State is Synchronization success, wireless
configuration synchronization succeeds.

# STAs associated with the AP can find the SSID wlan-net and connect to the
WLAN.
# If the link between the AP and AC1 is disconnected, AC2 becomes the active AC,
ensuring user service continuity.
----End
3.4.3 Example for Configuring Dual-link Cold Backup (Global

Configuration Mode)
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data
transmission reliability.
● DHCP deployment mode: The switch functions as a DHCP server to assign IP
Figure 3-35 Networking for configuring dual-link cold backup
Area A AC1
GE0/0/1
GE Router
0/0 GE0/0/3
STA1 AP1 /1
4
0/0/ Internet
GE
GE0/0/2
Switch
GE0/0/1
STA2 AP2
Service VLAN：VLAN 101 AC2

Data Planning
Item Data
DHCP server The switch functions as a DHCP server

STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24
Active AC AC1
Local priority: 0
Standby AC AC2
Local priority: 1

profile default



+AES

net

1. Configure network interworking of AC1, AC2, and other network devices.
Configure the switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC.
When dual-link backup is enabled, all APs are restarted. After dual-link
backup configurations are complete, the standby AC replaces the active AC to
manage APs if the CAPWAP tunnel between the active AC and APs is
disconnected.
Configuration Notes
Procedure
Step 1 Configure the switch.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the
switch. Set the link type of GE0/0/1 and GE0/0/4 that connect the switch to the
APs to trunk and PVID of the interfaces to 100, and configure the interfaces to
allow packets of VLAN 100 and VLAN 101 to pass through. Set the link type of
GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the interfaces to allow
packets of VLAN 100 to pass through.

[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
Configure the DHCP function on the switch to assign IP addresses to APs and
STAs.
address pool view.
# Configure VLANIF 100 to use the interface address pool to assign IP addresses
to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to assign IP addresses
to STAs.

page is displayed.



# Click Apply.

# Click OK.
# Click Next.

Vlanif100.

Step 3 Add APs on AC1.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
Step 4 Configure WLAN services on AC1.

key.


Click Finish.
The configuration is similar to that on AC1. The difference is that the IP address of
VLANIF 100 is 10.23.100.3/24.
The configuration is similar to that on AC1.
Step 8 Configure dual-link backup on AC1 and AC2.
1. Configure dual-link backup on AC1.
# On AC1, choose Configuration > Reliability > Reliability. The Reliability
page is displayed.
# Set Backup mode to Dual-link cold backup, AC dual-link switchover
status to ON and configure Local priority and Backup AC IP address. Set
Backup AC IP address to 10.23.100.3 (AC2's IP address).
A smaller value of Local priority indicates a higher local priority.

2. Configure dual-link backup on AC2.
# The configuration is similar to that on AC1.

# Set Local priority to 1, and Backup AC IP address to 10.23.100.2 (IP

address of AC1). The other configurations are the same as those of AC1.
By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the
APs are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs.
Choose Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs and
make the dual-link backup function take effect.

1. The WLAN with the SSID wlan-net is available for STAs connected to AP1 and
AP2, and the STAs can connect to the WLAN and go online properly.
2. When the link between an AP and AC1 fails, AC2 takes over the active role.
This ensures service stability.
----End
3.4.4 Example for Configuring Dual-Link Hot Standby (HSB)

for ACs
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires dual-link HSB to improve data transmission reliability.
● DHCP deployment mode: The router functions as a DHCP server to assign IP

Figure 3-36 Networking for configuring dual-link HSB for ACs
Internet
Router
GE0/0/1
VLAN 100,101
GE0/0/4
VLAN 100,101
GE0/0/1 SwitchB GE0/0/1
VLAN 100,102 VLAN 100,102
GE0/0/2 GE0/0/3
AC1 VLAN 100,102 VLAN 100,102 AC2
GE0/0/1
VLAN100,101
GE0/0/2
VLAN100,101
SwitchA
GE0/0/1
VLAN100,101
AP1
STA1

AC's backup VLAN: VLAN 102
Data Planning

Item Data

Item Data
AC's backup VLAN VLAN 102
DHCP server The router functions as a DHCP server

STAs' gateway: 10.23.101.1/24
APs' gateway: 10.23.100.1/24
Active AC AC1
Local priority: 0
Standby AC AC2
Local priority: 1
IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.1/24
active and standby channels of AC1 Port number: 10241
IP addresses and port numbers for the IP address: VLANIF 102, 10.23.102.2/24
active and standby channels of AC2 Port number: 10241

profile default



+AES

net

1. Configure network interworking of the APs, ACs, and other network devices.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1
are backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes
over services from AC1. User services are not interrupted.
Configuration Notes
Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange
CAPWAP packets.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the
interface to VLAN 100 and VLAN 101. Add GE0/0/2 of SwitchA to VLAN 100 and
VLAN 101.


# Add GE0/0/1 (connecting to SwitchA) of SwitchB to VLAN 100 and VLAN 101.
Add GE0/0/2 (connecting to AC1) of SwitchB, and GE0/0/3 (connecting to AC2) of
SwitchB to VLAN 100.
[SwitchB] vlan batch 100
Step 2 Configure the communication between Router, AC1, and AC2.

# Add GE0/0/2 and GE0/0/3 of SwitchB to VLAN 102 and add GE0/0/4 of SwitchB
connecting to Router to both VLAN 100 and VLAN 101.
Step 3 Configure Router to assign IP addresses to STAs and APs.
address pool view.
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit



page is displayed.

to Trunk and add GigabitEthernet0/0/1 to VLAN 100 and VLAN 102.

# Click Apply.


# Click OK. VLANIF 100 is configured.
# Repeat the preceding steps to configure VLANIF 102. Set the IP address of
VLANIF 102 to 10.23.102.1/24.

# Set AC source address to VLANIF and set the IP address to Vlanif100.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
# Click Next.

Configuration.
key.

Click Finish.
The configuration is similar to that on AC1. The difference is that the IP addresses
of VLANIF 100 and VLANIF 102 are 10.23.100.3/24 and 10.23.102.2/24,
respectively.

displayed.

● Backup mode: Dual-link hot backup

● Local priority: 0
● Backup AC IP address: 10.23.100.3
● AC dual-link switchover status: ON
● Local AC IP address: 10.23.102.1
● Peer AC IP address: 10.23.102.2
● Local port: 10241
● Remote port: 10241
The configuration is similar to that on AC1. The following parameter settings are
different:
● Local priority: 1
● Backup AC IP address: 10.23.100.2
● Local AC IP address: 10.23.102.2
● Peer AC IP address: 10.23.102.1
1. The WLAN with the SSID wlan-net is available for STAs connected to AP1 and
AP2, and these STAs can connect to the WLAN and go online properly.
2. When the link between an AP and AC1 fails, AC2 takes over the active role.
User services are not interrupted.
----End
3.4.5 Example for Configuring VRRP HSB
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires VRRP HSB to improve data transmission reliability.
● Switch cluster: A cluster is set up using a CSS card, containing SwitchB and
SwitchC at the core layer. SwitchB is the active switch and SwitchC is the
standby switch.

Figure 3-37 Configuring VRRP HSB (direct forwarding)
Internet
Router
GE0/0/2
VLAN102
AC1 AC2
GE0/0/1
VLAN100-101
GE1/1/0/1 GE2/1/0/1
VLAN100~101
SwitchB SwitchC
CSS
GE1/1/0/2 GE2/1/0/2
VLAN100-101 VLAN100-101
Eth-Trunk10
GE0/0/2 GE0/0/3
VLAN100-101 VLAN100-101
GE0/0/1 SwitchA
VLAN100-101
AP
STA
: Service VRRP
: mVRRP
:Eth-Trunk
Data Planning
Table 3-44 AC Data Planning
Item Configuration
AC1's source interface VLANIF 100: 10.23.100.3/24
AC2's source interface VLANIF 100: 10.23.100.3/24

Item Configuration

management VRRP group

service VRRP group


and regulatory domain profile default



DHCP server AC functions as the DHCP server to assign IP

addresses to the AP and STA
AP's gateway VLANIF 100: 10.23.100.3/24
IP address pool for the AP 10.23.100.4 to 10.23.100.254/24
STA's gateway VLANIF 101: 10.23.101.3/24
IP address pool for STA 10.23.101.4 to 10.23.101.254/24
IP addresses and port IP address: VLANIF 102, 10.23.102.1/24

IP addresses and port IP address: VLANIF 102, 10.23.102.2/24

1. Configure a cluster between SwitchB and SwitchC through cluster cards to
improve the core layer reliability and configure SwitchB as the master switch.

2. Configure AC1 and AC2 using the configuration wizard.

– Set up connections between the AP, AC, and other network devices.
– Configure a VRRP group on AC1 and AC2. Configure a higher priority for
AC1 than AC2 so that AC1 functions as the master device to forward
traffic and AC2 functions as a backup device.
– Configure the hot standby (HSB) function so that service information on
AC1 is backed up to AC2 in batches and in real time, ensuring seamless
service switchover from AC1 to AC2.
– Add APs on AC1 and AC2, and configure WLAN services.
Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.
Configuration Notes
Procedure
Step 1 Establish a cluster through cluster cards.
connection for SwitchB.
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

connection for SwitchC.
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
------------------------------------------------------------------------------
# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
------------------------------------------------------------------------------
# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
-------------------------------------------------------------------------------
Chassis 2 (Standby Switch)
-------------------------------------------------------------------------------


<SwitchB> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches,
indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------
The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.

Step 2 Configure SwitchA, SwitchB, and SwitchC so that the AC and APs can transmit
CAPWAP packets.
If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting
to the AP). If port isolation is not configured, many broadcast packets will be transmitted in
the VLANs or WLAN users on different APs can directly communicate at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN

100 and add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on
SwitchA connected to SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on
SwitchA connected to SwitchC to Eth-Trunk 10.
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC to VLANs 100 and 101,
respectively.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit


page is displayed.


# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to

VLAN 101 (service VLAN).
# Click Apply.

GigabitEthernet0/0/2 to VLAN 102 in the same way.



# Click OK.
# Click Create under DHCPv4 Address Pool List, set Address pool type to
Interface address pool, and select VLANIF100. Expand Advanced. Click to
add 10.23.100.1 to 10.23.100.3 to Excluded IP address.

# Repeat the preceding steps to configure an address pool for VLANIF 101.
Set the IP address of VLANIF 101 to 10.23.101.1/24. Add 10.23.101.1 to
10.23.101.3 to Excluded IP address.
# Enable HSB.
# Click Create. The Create VRID page is displayed.
# Create a management VRRP group. Set parameters as follows:


– VRID: 1
– VRRP type: mVRRP group
– Priority: 120
# Click OK.
# Configure a service VRRP group in the same way. Set parameters as follows:
– VRID: 2
– VRRP type: VRRP group
– VRID of the mVRRP group: 1
# Click OK.
# Configure HSB. Set parameters as follows:


– Associated VRID: 1

# Set AC source address to IP address and set the IP address to 10.23.100.3.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1


Import.
# Click Next.
Configuration.

# Set Security settings to Key (applicable to personnel networks) and set
the key.


Click Finish.
– Set IP addresses of VLANIF 100, VLANIF 101, and VLANIF 102 to
10.23.100.2/24, 10.23.101.2/24, and 10.23.102.2/24, respectively.
# Configure AC backup on AC2 in the same way as that on AC1. The
differences are as follows:
– When configuring VRRP groups, use the default values of Priority and
Preemption delay(s).
– When configuring HSB, set Local AC IP address to 10.23.102.2 and Peer
AC IP address to 10.23.102.1.
1. STAs associated with the AP can find the SSID wlan-net and connect to the
WLAN.
2. If the link between the AP and AC1 is disconnected, AC2 becomes the active
AC, ensuring user service continuity.
----End
3.4.6 Example for Configuring N+1 Backup (APs and ACs in

different network segments)
A large enterprise has branches in different areas. ACs are deployed in the
branches to manage APs and provide WLAN access and e-mail services. These

services require low network reliability and allow temporary service interruption.
An AC is required to be a backup of all ACs to save costs. In this scenario, the
enterprise can deploy a high performance AC at the headquarters as a standby AC
to provide backup services for active ACs in the branches.
Figure 3-38 Networking for configuring N+1 backup
Enterprise Standby AC_3

headquarters VLANIF 203:
10.23.203.1/24
GE0/0/1
Eth2/0/1
Router_3
VLANIF200:
10.23.200.1/24
Eth2/0/0
Internet
Eth2/0/1 Eth2/0/1
Router_1 Router_2
GE0/0/1 GE0/0/1
Active AC_1 Eth2/0/0 Active AC_2
Eth2/0/0
VLANIF201: GE0/0/2 GE0/0/2 VLANIF202:
10.23.201.1/24 10.23.202.1/24
Switch_1 Switch_2
GE0/0/1 GE0/0/1
Enterprise branch 1 Enterprise branch 2
AP_1 AP_2
Management VLAN: 99 Management VLAN: 100

Service VLAN: 101 Service VLAN: 102
STA_1 STA_2

Data Planning
Item Data
Management VLAN for APs AC_1 (primary AC): VLAN 99
AC_2 (primary AC): VLAN 100
Service VLAN for STAs AC_1: VLAN 101
AC_2: VLAN 102

STAs' gateway:
● STA_1: 10.23.101.1/24
● STA_2: 10.23.102.1/24
APs' gateway:
● AP_1: 10.23.99.1/24
● AP_2: 10.23.100.1/24
IP address pool for APs AP_1: 10.23.99.2-10.23.99.254/24

AP_2: 10.23.100.2-10.23.100.254/24
IP address pool for STAs STA1: 10.23.101.2-10.23.101.254/24

STA2: 10.23.102.2-10.23.102.254/24
AC's source interface AC_1: VLANIF 201

AC_2: VLANIF 202
AC_3: VLANIF 203
AC_1's management IP address VLANIF 201: 10.23.201.1/24
AP group On AC_1 (primary AC):

● Name: ap-group1
● Referenced profiles: AP system
profile ap-system, VAP profile
profile default
On AC_2 (primary AC):

● Name: ap-group2
wlan-net1, and regulatory domain
profile default

Item Data
On AC_3 (backup AC):

● Name: ap-group1
– Referenced profiles: AP system
wlan-net, and regulatory
● Name: ap-group2
wlan-net1, and regulatory

SSID profile AC_1:

● Name: wlan-net
AC_2:
● Name: wlan-net1
● SSID name: wlan-net1
AC_3:
● Name: wlan-net
● Name: wlan-net1
Security profile AC_1, AC_3:

● Name: wlan-net
+AES
AC_2, AC_3:
● Name: wlan-net1
+AES

Item Data
VAP profile AC_1:

● Name: wlan-net
net
AC_2:
● Name: wlan-net1
wlan-net1 and security profile
wlan-net1
AC_3:
● Name: wlan-net
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile
wlan-net
● Name: wlan-net1
forwarding
wlan-net1
AP system profile On AC_1:

● Name: ap-system
– Primary AC IP address:
10.23.201.1
– Backup AC IP address:
10.23.203.1
On AC_2:
● Name: ap-system1
10.23.202.1
10.23.203.1

Item Data
On AC_3:
● Name: ap-system
10.23.201.1
10.23.203.1
10.23.202.1
10.23.203.1
1. Configure network interworking of each AC and other network devices.
Configure Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively,
and configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on
AC_3. Ensure that service configurations on AC_3 are the same as those on
AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC.
When N+1 backup is enabled, all APs are restarted.
Configuration Notes

Procedure
Step 1 Configure the routers and switches to communicate with each other.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0
connected to Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to
AC_1 to VLAN 201. Configure the IP address 10.23.99.1/24 for VLANIF 99,
10.23.101.1/24 for VLANIF 101 and 10.23.201.2/24 for VLANIF 201.
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as
the management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0
connected to Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to
AC_2 to VLAN 202. Configure the IP address 10.23.100.1/24 for VLANIF 100,
10.23.102.1/24 for VLANIF 102 and 10.23.202.2/24 for VLANIF 202. See Router_1
for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the
Network to VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure
the IP address 10.23.200.1/24 for VLANIF 200. Configure the IP address
10.23.203.2/24 for VLANIF 203. See Router_1 for the detailed configuration
procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to
Router_1 and GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and the
PVID of GE0/0/1 is VLAN 99.
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit


# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to
Router_2 and GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and the
PVID of GE0/0/1 is VLAN 100. See Switch_1 for the detailed configuration
procedure.
# Configure Router_1 as a DHCP relay agent.
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
# Configure Router_2 as a DHCP relay agent.

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs,
and configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3
to AP_1, and to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure
the DHCP server to assign IP address to AP_1 from the IP address pool ap_1_pool,
to AP_2 from ap_2_pool, to STA1 from sta_1_pool, and to STA2 from sta_2_pool.
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover
AC_2 and AP_2 can discover AC_1, which will cause APs unable to connect to the correct AC
based on AC priority.
address pool view.
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24

[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1

[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
Step 3 Configure AC_1.

page is displayed.



# Click Apply.


# Click OK. An address for VLANIF 201 is configured.
# Click Next.

Vlanif201.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
Step 5 Configure WLAN services on AC_1.

key.


# Click Finish.
Step 6 Configure IP addresses for primary ACs and the backup AC on AC_1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The
AP System Profile page is displayed.
3. # Click Create. On the page that is displayed, set Profile name to ap-system
and click OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based,
Primary AC IP address to 10.23.201.1, and Backup AC IP address to
10.23.203.1.
5. # Click Apply. In the dialog box that is displayed, click OK.

The configuration is similar to that on AC_1. The following parameters are
different:
● Add GigabitEthernet0/0/1 to VLAN 202.
● Create VLANIF 202 and set its IP address to 10.23.202.1/24.
● Add APs to ap-group2.
● When configuring WLAN services, set the SSID name to wlan-net1 and
service VLAN to 102.

● Set the AP system profile name to ap-system1 and Primary AC IP address to

10.23.202.1.
Set other parameters according to the configuration of AC_1.
different:
● Add GigabitEthernet0/0/1 to VLAN 203.
● Create VLANIF 203 and set its IP address to 10.23.203.1/24.
● Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and
ap-group2, respectively.
● When configuring WLAN services on AC_3, choose Configuration > Config
Wizard > Wireless Service and create SSIDs wlan-net and wlan-net1. Set
parameters on wlan-net to the same as those on AC_1 and parameters on
wlan-net1 to the same as those on AC_2.
● Creates AP system profiles ap-system and ap-system1 in AP groups ap-
group1 and ap-group2, respectively. Set parameters on ap-system to the
same as those on AC_1 and parameters on ap-system1 to the same as those
on AC_2.
Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.
1. Enable N+1 backup on AC_1.
# On AC_1, choose Configuration > Reliability > Reliability. The Reliability
page is displayed.
# Set Backup mode to N+1 backup, AC dual-link switchover status to ON.

# Choose Maintenance > AP Maintenance > AP Restart > Restart All to
restart all APs, so that the N+1 backup function can take effect.
By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the
APs are restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on
AC_1.
1. The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs
connected to the APs, and these STAs can connect to the WLAN and go online
properly.
2. When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the
primary role. This ensures accelerate service recovery.
----End

3.4.7 Example for Configuring N+1 Backup (APs and ACs in

the same network segment)
In public places where a large number of users exist in a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access
services. These services are value-added services that require low network
reliability and allow temporary service interruption. An AC is required to be a
backup of all ACs to save costs. To meet this requirement, build an N+1 backup
wireless LAN to provide reliable services and reduce device purchase costs. ACs of
different models can work in N+1 backup mode, but versions of the ACs must be
the same.
● DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP

Figure 3-39 Networking for configuring N+1 backup
Internet
GE0/0/1 Standby AC_3
Router 10.23.100.4
Active AC_1
10.23.100.2
GE0/0/3
Switch_1
GE0/0/1
GE0/0/1 GE0/0/2
Active AC_2
GE0/0/4 10.23.100.3
GE0/0/1
Switch_2 GE0/0/3
GE0/0/1 GE0/0/2
AP_1 AP_2
STA_1 STA_2
Management VLAN: 100 Management VLAN: 100

Service VLAN: 101 Service VLAN: 102
Data Planning
Item Data

VLAN 102
DHCP server Switch_1 functions as a DHCP server

STAs' gateway:
● 10.23.101.1/24
● 10.23.102.1/24
APs' gateway: 10.23.100.1/24

Item Data
IP address pool for STAs STA1: 10.23.101.3-10.23.101.254/24

STA2: 10.23.102.3-10.23.102.254/24
AP group On AC_1 (primary AC):

● Name: ap-group1
profile default
On AC_2 (primary AC):

● Name: ap-group2
profile ap-system1, VAP profile
wlan-net1, and regulatory domain
profile default
On AC_3 (backup AC):

● Name: ap-group1
wlan-net, and regulatory
● Name: ap-group2
profile ap-system1, VAP profile
wlan-net1, and regulatory

SSID profile AC_1:

● Name: wlan-net
AC_2:
● Name: wlan-net1

Item Data
AC_3:
● Names: wlan-net and wlan-net1
● SSID names: wlan-net and wlan-
net1
Security profile AC_1:

● Name: wlan-net
+AES
AC_2:
● Name: wlan-net1
+AES
AC_3:
● Name: wlan-net
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567
● Name: wlan-net1
– Security policy: WPA-WPA2+PSK
+AES
– Password: a1234567
VAP profile AC_1:

● Name: wlan-net
net
AC_1:
● Name: wlan-net1
wlan-net1

Item Data
AC_3:
● Name: wlan-net
forwarding
wlan-net and security profile
wlan-net
● Name: wlan-net1
forwarding
wlan-net1
AP system profile On AC_1:

● Name: ap-system
10.23.100.2
10.23.100.4
On AC_2:
10.23.100.3
10.23.100.4
On AC_3:
● Name: ap-system
10.23.100.2
10.23.100.4
10.23.100.3
10.23.100.4

1. Configure network interworking of each AC and other network devices.
Configure Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the primary ACs of AP_1 and AP_2 respectively,
and configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the backup AC and configure basic WLAN services on
AC_3. Ensure that service configurations on AC_3 are the same as those on
AC_1 and AC_2.
4. Configure N+1 backup on the primary ACs first and then on the backup AC.
When N+1 backup is enabled, all APs are restarted.
Configuration Notes
Procedure
Step 1 Configure the switches to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100
as the management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add
GE0/0/1 connected to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to
AC_2 to VLAN 100 and VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to
AC_3 and Switch_2 to VLAN 100, VLAN 101, and VLAN 102.
[Switch_1] vlan batch 100 to 102

[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and
VLAN 102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2
connected to AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and
GE0/0/2 to VLAN 100.
[Switch_2] vlan batch 100 to 102
Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs.
Switch_1 allocates IP addresses to APs from the IP address pool on VLANIF 100,
and allocates IP addresses to STA_1 and STA_2 from the IP address pool on
VLANIF 101 and VLANIF 102 respectively.
address pool view.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit


page is displayed.



# Click Apply.



# Click OK. An address for VLANIF 100 is configured.
# Click Next.

Vlanif100.

Step 4 Add APs on AC_1.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.

key.

# Click Finish.
Step 6 Configure IP addresses for primary ACs and the backup AC on AC_1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The
3. # Click Create. On the page that is displayed, set Profile name to ap-system
and click OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based,
Primary AC IP address to 10.23.100.2, and Backup AC IP address to
10.23.100.4.
Step 7 Configure basic WLAN services and the IP addresses for primary ACs and the
backup AC on AC_2.

different:
● Set the IP address of VLANIF 100 to 10.23.100.3/24.
● Add APs to ap-group2.
● Set the SSID name to wlan-net1 and service VLAN to 102.

● Set the AP system profile name to ap-system1 and Primary AC IP address to

10.23.100.3.
Set other parameters similarly as those of AC_1.
Step 8 Configure basic WLAN services and IP address of the backup AC for AC_3.

different:

● Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and
ap-group2, respectively.
● When configuring WLAN services on AC_3, choose Configuration > Config
Wizard > Wireless Service and create SSIDs wlan-net and wlan-net1. Set
parameters on wlan-net to the same as those on AC_1 and parameters on
wlan-net1 to the same as those on AC_2.
● Creates AP system profiles ap-system and ap-system1 in AP groups ap-
group1 and ap-group2, respectively. Set parameters on ap-system to the
same as those on AC_1 and parameters on ap-system1 to the same as those
on AC_2.
Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.

1. Enable N+1 backup on AC_1.
# On AC_1, choose Configuration > Reliability > Reliability. The Reliability

page is displayed.
# Set Backup mode to N+1 backup, AC dual-link switchover status to ON.
# Choose Maintenance > AP Maintenance > AP Restart > Restart All to

restart all APs, so that the N+1 backup function can take effect.
By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the
APs are restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on
AC_1.

1. The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs
connected to the APs, and these STAs can connect to the WLAN and go online
properly.
2. When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the
primary role. This ensures accelerate service recovery.
----End

3.5 Roaming Configuration Examples
3.5.1 Example for Configuring Inter-VLAN Layer 3 Roaming

inter-VLAN roaming in the coverage area.
Networking Requirement
addresses to STAs.

Figure 3-40 Networking for configuring inter-VLAN Layer 3 roaming
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
GE0/0/3
GE0/0/1
SwitchB
GE0/0/2
GE0/0/1 AC
GE0/0/2
GE0/0/1 GE0/0/3
SwitchA
AP： AP：
area_1 area_2
Roaming
STA STA
Management: VLAN 10, VLAN 100

Service VLAN: VLAN 101, VLAN102
Data Planning

Item Data
Service VLAN for STAs ● area_1: VLAN 101

● area_2: VLAN 102

Item Data

The aggregation switch functions as a
DHCP server for STAs. The default
gateway IP addresses of STAs are
10.23.101.2/24 and 10.23.102.2/24.
IP address pool for STAs ● area_1:

10.23.101.3-10.23.101.254/24
● area_2:
10.23.102.3-10.23.102.254/24

wlan-radio2g, and 5G radio profile
wlan-radio5g
● Name: ap-group2
wlan-net2, regulatory domain
wlan-radio2g, and 5G radio profile
wlan-radio5g



+AES

Item Data

net
● Name: wlan-net2
net

channels

● Automatic channel calibration:
enabled
● Automatic power calibration:
enabled

wlan-airscan and RRM profile
wlan-rrm

wlan-airscan and RRM profile
wlan-rrm

Configuration Notes
Procedure
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10,
VLAN 101, and VLAN102, and GE0/0/3 to VLAN 10 and VLAN 102. The default



address pool view.


page is displayed.






# Click OK.
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




example. To add multiple APs, fill in the file with information of the APs. In
this example, add area_1 and area_2 to ap-group1 and ap-group2,
respectively.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1

Import.

Configuration.
# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to

Single VLAN, and Service VLAN ID to 101.

key.
# Click Finish.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
# In the AP group list, click ap-group2. Click VAP Configuration. On the VAP
Profile List page, click Create. On the page that is displayed, create the VAP
profile wlan-net2 and click OK.
# In the VAP profile list, click wlan-net2. On the VAP profile configuration page,
set Service VLAN to Single VLAN and Service VLAN ID to 102, and click Apply.
In the dialog box that is displayed, click OK.
# Click in front of wlan-net2. The profiles referenced by the VAP profile are
displayed.
# Click SSID Profile. On the SSID profile configuration page that is displayed, set
SSID Profile to wlan-net and click Apply. In the dialog box that is displayed, click
OK.
# Click Security Profile. On the security profile configuration page that is

displayed, set Security Profile to wlan-net and click Apply. In the dialog box that


page is displayed.




5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.
----End
3.5.2 Example for Configuring Intra-VLAN Roaming

addresses to STAs.

Figure 3-41 Networking for configuring intra-VLAN roaming
IP
Network
Router
GE1/0/0
VLANIF101
10.23.101.2
GE0/0/3
GE0/0/1
SwitchB
GE0/0/2
GE0/0/1 AC
VLANIF100
10.23.100.1/24
GE0/0/2
GE0/0/1 GE0/0/3
SwitchA
AP: AP:
area_1 area_2
Roaming
STA STA

Data Planning
Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

Item Data

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile



wlan-net



Item Data

Configuration Notes
Procedure
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN
of GE0/0/1 and GE0/0/3 is VLAN 100.


to 10.23.101.2/24.
for the STAs.
address pool view.


page is displayed.



# Click OK.
# Click Next.

Vlanif100.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.



# Click Finish.
and power.
mentioned here.




profile is similar.

displayed.
and scan duration.
scan duration.


triggered.



----End
3.5.3 Example for Configuring Inter-AC Layer 2 Roaming

● AC networking mode: AC_1 and AC_2 in a mobility group
● DHCP deployment mode: AC_1 functions as a DHCP server to assign IP

Figure 3-42 Networking for configuring inter-AC Layer 2 roaming
IP
Network
GE0/0/2 GE0/0/2
AC_1 AC_2
Inter-AC tunnel
GE0/0/1 GE0/0/1
GE0/0/2 GE0/0/2
Switch_1 Switch_2
GE0/0/1 GE0/0/1
AP： AP：
area_1 area_2
Roaming
STA STA

Data Planning

Item Data
DHCP AC_1 functions as a DHCP server to allocate IP addresses to APs

server and STAs.
IP address 10.23.100.3-10.23.100.254/24
pool for
APs

Item Data
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source ● AC_1: 10.23.100.1/24
interface
address ● AC_2: 10.23.100.2/24


profile



wlan-net


profile ● Referenced profiles: air scan profile wlan-airscan

Mobility ● Name: mobility

group ● Members: AC_1 and AC_2

6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.
During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels.
Configuration Notes
Procedure
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of
[Switch_1] vlan batch 100

[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of
[Switch_2] vlan batch 100
Step 2 Configure system parameters for AC_1.

page is displayed.

2. Configure ports.


to VLANs 100 and 101 in the same way.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON
and DHCP type to Interface address pool. Exclude the IP address 10.23.100.2
from being automatically allocated.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure
the interface address pool on VLANIF 101 in the same way. Exclude the IP
address 10.23.101.2 from being automatically allocated.
# Click Next.

Vlanif100.


Configure AC_2 according to the configuration of AC_1. The following lists

configuration differences between AC_1 and AC_2.
● Set the IP addresses of VLANIF 100 and VLANIF 101 to 10.23.100.2/24 and
10.23.101.2/24 respectively.
● Do not configure the DHCP address pool.
Step 4 Configure an AP to go online on AC_1.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.
Configure the AP to go online on AC_2 according to the configuration of AC_1.

The following lists configuration differences between AC_1 and AC_2:
● Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078)

on AC_2, set the AP name to area_2, and add the AP to the AP group ap-
group1.
key.
Click Finish.
The configuration for WLAN services on AC_2 is similar to that on AC_1.
and power.

mentioned here.



profile is similar.

displayed.
and scan duration.

scan duration.

triggered.


Step 9 Configure WLAN roaming on AC_1.
1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.
2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the
mobility group.
Click OK. The Inter-AC Roaming page is displayed.

The configuration is similar to that of AC_1 and is not mentioned here.


----End
3.5.4 Example for Configuring Inter-AC Layer 3 Roaming

requirement of mobile office. To differentiate department management,
employees are assigned different subnets by department. Furthermore, users'
services are not affected during roaming in the coverage area.
● AC networking mode: AC_1 and AC_2 in a mobility group
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
– AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.

Figure 3-43 Networking for configuring inter-AC Layer 3 roaming
IP
Network
GE0/0/2 GE0/0/2
AC_1 AC_2
GE0/0/1 GE0/0/2
GE0/0/1 Router GE0/0/1
Inter-AC tunnel
GE0/0/2 GE0/0/2
Switch_1 Switch_2
GE0/0/1 GE0/0/1
AP： AP：
area_1 area_2
Roaming
STA STA
Management VLAN: VLAN 100 Management VLAN: VLAN 200

Service VLAN: VLAN 101 Service VLAN: VLAN 102
Data Planning

Item Data
DHCP AC_1 functions as a DHCP server to assign IP addresses to STAs

server and APs connected to it.
AC_2 functions as a DHCP server to assign IP addresses to STAs
and APs connected to it.
IP address 10.23.100.2-10.23.100.254/24
pool for 10.23.200.2-10.23.200.254/24
APs

Item Data
IP address 10.23.101.2-10.23.101.254/24
pool for 10.23.102.2-10.23.102.254/24
STAs
AC_1's VLANIF 100: 10.23.100.1/24

source
interface
address
AC_2's VLANIF 200: 10.23.200.1/24

source
interface
address
AP group AC_1:
● Name: ap-group1
AC_2:
● Name: ap-group2

profile


VAP AC_1:
profile ● Name: wlan-net
wlan-net

Item Data
AC_2:
● Name: wlan-net
wlan-net

RRM ● Name: wlan-rrm

profile ● Automatic channel calibration: enabled
● Automatic power calibration: enabled

profile ● Referenced profiles: air scan profile wlan-airscan and RRM
profile wlan-rrm

profile ● Referenced profiles: air scan profile wlan-airscan and RRM
profile wlan-rrm
Mobility ● Name: mobility

group ● Members: AC_1 and AC_2
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.
During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels.
Configuration Notes

Procedure
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default
[Switch_1] interface GigabitEthernet 0/0/1
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default
# Configure Router.
[HUAWEI] sysname Router


[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0

page is displayed.




# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to
ON and DHCP type to Interface address pool.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure
the interface address pool on VLANIF 101 in the same way.
page is displayed.
# Click OK.
# Click Next.


Vlanif100.

Configure AC_2 according to the configuration of AC_1. The following lists

configuration differences between AC_1 and AC_2.
● Create VLAN 200 and VLAN 102 on AC_2 and add GigabitEthernet0/0/1 to the
two VLANs in tagged mode.
● Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode.
● Set the IP addresses of VLANIF 200 and VLANIF 102 to 10.23.200.1/24 and
10.23.102.1/24 respectively.
● Configure an IP address pool on VLANIF 200 and VLANIF 102.
● Configure the route between AC_2 and AC_1 on AC_2 with the destination
address 10.23.100.0/24 and next-hop address 10.23.200.2.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287

– AP Name: area_1
Import.

Configuration.
Configure the AP to go online on AC_2 according to the configuration of AC_1.

The following lists configuration differences between AC_1 and AC_2:
● Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078)

on AC_2, set the AP name to area_2, and add the AP to the AP group ap-
group2.
# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to

Single VLAN, and Service VLAN ID to 101.
key.


Click Finish.
Configure WLAN services on AC_2 according to the configuration of AC_1. The
following lists the configuration difference between AC_1 and AC_2:
● In the VAP profile wlan-net, set the service VLAN to VLAN 102.
and power.
mentioned here.




profile is similar.

displayed.
and scan duration.
scan duration.


triggered.

1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.
2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the
mobility group.

Click OK. The Inter-AC Roaming page is displayed.

The configuration is similar to that of AC_1 and is not mentioned here.

----End
3.5.5 Example for Configuring Agile Distributed SFN Roaming

A hospital wants to deploy an agile distributed WLAN to provide WLAN access to
doctors and nurses, meeting their basic office requirements. The administrator
requires that STA roaming within the coverage area be not perceived by STAs and
do not interrupt services.
– The AC functions as a DHCP server to assign IP addresses to the central
AP and RUs.
– SwitchA functions as a DHCP server to assign IP addresses to STAs.

Figure 3-44 Networking for configuring agile distributed SFN roaming
Internet
Router
GE1/0/0
SwitchA GE0/0/3
GE0/0/1 GE0/0/4 Information
AC
GE0/0/2 system
GE0/0/1
GE0/0/25
Central AP
GE0/0/1 GE0/0/2
ru_1 ru_2
Roam
STA STA
Data Planning

Item Data
DHCP ● The AC functions as a DHCP server to assign IP addresses to the

server central AP and RUs.
● SwitchA functions as a DHCP server to assign IP addresses to
STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
the central
AP and
RUs

Item Data
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


domain ● Country: China
profile



Profile ● Forwarding mode: direct forwarding
wlan-net
Working ● ru_1: channel 6

channel of ● ru_2: channel 6
RUs
Agile Enabled
distributed
SFN
roaming
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at
Layer 2.
3. Select Config Wizard to configure the central AP and RUs to go online on the
AC.
5. Configure agile distributed SFN roaming.

6. Deliver the WLAN services to the central AP and RUs and verify the
configuration.
Configuration Notes
● Network planning precautions:
– Agile distributed SFN roaming is supported only by the AD9430DN-12
(including matching RUs) and AD9430DN-24 (including matching RUs).
RUs support agile distributed SFN roaming in the following combination
modes:
▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the
R230D and R240D supports agile distributed SFN roaming, and the 5
GHz radio does not support.)
▪ Among the R250D, R250D-E, R251D, R251D-E and R450D

– For the central AP, after agile distributed SFN roaming is enabled, the
total number of agile distributed SFN roaming STAs on a single frequency
band (2.4 GHz or 5 GHz) of all RUs does not exceed 128, and that of
STAs associated with other VAPs on the same band does not exceed 128.
– After agile distributed SFN roaming is enabled, configure all RUs to work
on the same channel. When agile distributed SFN roaming is enabled on
the 5 GHz frequency band, configure non-radar channels.
– RUs involved in roaming must be associated with the same central AP but
do not support agile distributed SFN roaming between central APs.
– Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed
SFN roaming is not performed on Layer 3.
● Configuration precautions:
– When agile distributed SFN roaming is enabled for both the 2.4 GHz and
5 GHz radios, it is recommended that different SSIDs be used. Otherwise,
the radio switchover may occur, affecting user experience.
– Agile distributed SFN roaming can be enabled only on one VAP of a
radio. If multiple VAPs are configured on a radio, it is recommended that
the total VAP rate limit on all VAPs with agile distributed SFN roaming
disabled be set to 5 Mbit/s.
If agile distributed SFN roaming is enabled on a VAP of a radio in an AP group,

the roaming tracks of all the STAs that are connected to the central AP and
associated with the radio may carry the s flag.
– Radios enabled with agile distributed SFN roaming do not support
channel scanning, channel calibration, or smart roaming.
– Agile distributed SFN roaming can be configured based only on AP
groups but not based on APs.
– RUs involved in agile distributed SFN roaming need to have the following
items configured the same:
▪ SSID
▪ VAP profile and VAP ID

▪ Security policy. Agile distributed SFN roaming supports these

encryption modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA
+802.1X (EAP authentication), WPA2+802.1X (EAP authentication),
WPA-WPA2+802.1X (EAP authentication), and Portal+PSK.
Procedure
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to
VLAN 100, and add GE0/0/3 and GE0/0/4 to VLAN 101.
# Configure an IP address for GE1/0/0 on Router.

# On SwitchA, configure VLANIF 101 to assign IP addresses to STAs, and configure

a default route with the next hop of the address of Router.
address pool view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2


page is displayed.



# Click OK.
# Click Next.

Vlanif100.





– AP SN: 210235419610CB002287

Import.
Configuration.



# Set Binding the AP group to ap-group1, and Valid radio to 0.
# Click Finish.
The automatic channel and power calibration function is enabled for radios by default. When
this function is enabled, the manual calibration configuration does not take effect. The settings
of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click AP ID 1. The AP customized settings page for ru_1 is displayed.
# Click next to Radio Management. The profiles under Radio Management

are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-
MHz channel 6 and transmit power to 127 dBm.


# Disable the automatic channel and power calibration functions for ru_2, and set
the channel to 20-MHz channel 6 and transmit power to 127 dBm. The
configurations are the same as those for ru_2, and is not mentioned here.
Step 7 Enable agile distributed SFN roaming.
displayed.
# Click the AP group ap-group1. The AP group configuration page is displayed.
# Click in front of VAP Configuration and click wlan-net. The VAP profile
# On the Advanced Configuration page, set SFN to ON. In the dialog box that is

Step 8 Configure parameters related to agile distributed SFN roaming.
# Retain the default settings for roaming decision parameters, as shown in the
following figure.

# Set radio parameters related to roaming based on the network planning result.
The configuration is not mentioned here. The following figure shows the default
settings.



5. When a STA roams from ru_1 to ru_2, choose Monitoring > User. In User
----End
3.6 Agile Distributed Networking Configuration

Examples
3.6.1 Example for Configuring an Agile Distributed WLAN

Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless
signal attenuation, degrading signal quality. To resolve this issue, an agile
distributed WLAN is used, with a remote unit (RU) deployed in each dormitory.
RUs are connected to a central AP, and all RUs and the central AP are centrally
managed by the AC, delivering high-quality WLAN coverage for each dormitory.
addresses to the central AP, RUs, and STAs.
● Uplink interfaces of a central AP have a high transmission rate, and connect
to an AC and forward service traffic of all connected RUs. Downlink interfaces
of a central AP connect to RUs. If the number of downlink interfaces of the
central AP is insufficient, one downlink interface can be connected to an
uplink interface of a PoE switch, through which RUs can connect the central
AP. This increases the number of connected RUs. For example, an
AD9431DN-24X provides four 10GE uplink interfaces numbered from 0 to 3
and 24 GE downlink interfaces numbered from 0 to 23.

Figure 3-45 Networking for configuring an agile distributed WLAN
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2/24
GE0/0/2
VLANIF101 10.23.101.1/24
AC
VLANIF100 10.23.100.1/24
Service VLAN: VLAN101 GE0/0/24
Central AP
GE0/0/1
GE0/0/24
Switch
GE0/0/1 GE0/0/2
RU: ru_1 RU: ru_2
STA STA STA STA
Dorm 1 Dorm 2
Data Planning
Item Data
DHCP The AC functions as a DHCP server to assign IP addresses to

server central APs, RUs, and STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
central
APs and
RUs
IP address 10.23.101.2-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile



wlan-net
1. Configure the AC, RUs, central APs, and network devices to communicate at
Layer 2.
3. Select Config Wizard to configure the central APs and RUs to go online on
the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the
configuration.
Configuration Notes


Procedure
to 10.23.101.2/24.
# Configure the switch to enable Layer 2 communication between the central AP

and RUs. If a Huawei switch is used, interfaces on it are added to VLAN 1 by
default and can communicate one another at Layer 2. Therefore, this
configuration is not required on the switch. If a non-Huawei switch is used,
perform the configuration to enable Layer 2 communication of uplink and
downlink interfaces.
On the network between RUs and the central AP, service packets of STAs must be properly
forwarded. In this example, the tunnel forwarding mode is used. Therefore, service VLAN packets
do not need to be permitted between the central AP and RUs. If the direct forwarding mode is
used, configure the network between the central AP and RUs to permit service VLAN packets
depending on the central AP model.
● If the central AP is a gigabit AP (such as the AD9430DN-24), such configuration is not
required on the switch. Because all service packets from RUs are first sent to the central AP
through MAC-IN-MAC tunnels, these packets need to be permitted only from the upstream
direction of the central AP.
● If the central AP is a 10GE AP (such as the AD9431DN-24X), add uplink and downlink
interfaces on the switch to the service VLAN. Because service packets are forwarded starting
from the upstream direction of RUs, these packets must be permitted from the upstream
direction of RUs.


page is displayed.



# Click OK.
page is displayed.
address to 10.23.101.2.

# Click OK.
# Click Next.
Vlanif100.




– AP SN: 210235419610CB002287

Import.

Configuration.


# Click Finish.

page is displayed.





----End
More Information
(Video) Example for Configuring AC and central AP Distributed Networking
3.7 High-Density Configuration Examples
3.7.1 Example for Configuring High-Density WLAN Services

The WLAN of a stadium needs to provide access for a large number of users;
therefore, APs are placed in close proximity, causing severe interference. The IT
department of the stadium requires that the interference be eliminated to
maximize Internet experience for users.
addresses to STAs.

Figure 3-46 Networking diagram for configuring a high-density WLAN
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1
AP: area_2 AC
VLANIF100
10.23.100.1/24
STA
Data Planning

Item Data

● Name: sta-pool
and VLAN 102

The aggregation switch (SwitchB)

Item Data

10.23.102.3-10.23.102.254/24

default, and 5G radio profile wlan-
radio5g



+AES

pool
net, and traffic profile wlan-traffic

● Airtime fair scheduling: enable
● Smart roaming: enable

wlan-rrm

wlan-rrm
Traffic profile ● Name: wlan-traffic

6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table
3-54.
Table 3-54 Adjustment recommendations

ent Item
Configur To reduce the burden on Enable band steering. By default,

e 5G- the 2.4 GHz radio by band steering is enabled.
prior preferentially connecting
access 5G-capable STAs to the
5 GHz radio when a
large number of 2.4 GHz
STAs exist on the
network.
Remove To make an AP offer Increase the maximum number of

the limit wireless services to more access users to 128 for an SSID
on the users. profile.
number
of access
users
Reduce To prevent users who Set the association aging time to 1

the user frequently disconnect minute.
associati from the wireless
on aging network.
time
User To prevent mobile Enable user isolation on the AC.

isolation terminals from
exchanging a large
number of ARP packets.
Limit To prevent advantaged Limit the downstream rate of each

user STAs from occupying too STA to 2000 kbit/s in a VAP. Adjust
rates many rate sources and the upstream rate according to
deteriorating service actual situations. In this example, the
experience of upstream rate is set to 1000 kbit/s.
disadvantaged STAs.


ent Item
Adjust To reduce interference ● Channel: Prevent adjacent APs

AP between APs. from working on overlapping
channel channels. It is recommended that
and you configure channels 1, 9, 5,
power and 13 in a high-density WLAN
environment.
● Power: Minimize AP power while
ensuring that the RSSI is greater
than -65 dBm at the edge of the
AP's coverage area.
Configur To prevent weak-signal Enable smart roaming and set the

e smart STAs from degrading SNR threshold to 15 dB.
roaming user experience.
Enable To ensure that wireless Enable airtime fair scheduling.

airtime channel resources can
fair be equally allocated to
scheduli users.
ng
Set the To prevent hidden STAs. Set the RTS-CTS operation mode to
RTS-CTS rts-cts and the RTS threshold to 1400
threshol bytes.
d
Adjust To improve the overall Set the interval for sending Beacon
the data traffic of APs. frames to 160 ms.
interval
at which
Beacon
frames
are sent
Adjust To reduce wireless Set the transmit rate of 2.4 GHz

the resource occupation of Beacon frames to 11 Mbit/s.
transmit Beacon frames and
rate of improve channel usage
2.4 GHz efficiency.
Beacon
frames
Set the To reduce extra Set the GI mode to short GI.

guard overhead and improve
interval AP transmission
(GI) efficiency.
mode to
short GI


ent Item
Configur To improve the overall Delete low rates from the basic rate
e the AP throughput. set.
basic
rate set
Configur To improve air interface Use the default values. By default,

e the efficiency. the multicast transmit rate of
multicast wireless packets is 11 Mbit/s for the
rate 2.4 GHz radio and 6 Mbit/s for the 5
GHz radio.
Configur To improve the network Configure the short preamble. If

e the synchronization some legacy NICs exist on the
short performance. network, disable the short preamble
preambl function.
e for a
radio
Dynamic To improve user Enable the dynamic EDCA parameter

EDCA experience. adjustment, and keep the default
paramet threshold for the dynamic EDCA
er Best-Effort service.
adjustme
nt
Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default



address pool view.


page is displayed.






# Click OK.
# Click OK.
page is displayed.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.
displayed.
VLANs 101 and 102.


key.

# Click Finish.
Step 6 Adjust WLAN high-density parameters.

Configuration.
# Click the VAP profile wlan-net. The VAP Profile page is displayed.
On the Advanced Configuration tab, enable band steering.



Configuration. Under it, click in front of wlan-net. Click SSID Profile. The
SSID Profile page is displayed.
128 and association aging time to 1 minute. Set the Beacon frame rate on
2.4G radio to 11 Mbps.


# Set the user isolation mode to All isolation, and the upstream and
downstream rate limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.


4. Set the AP channel and power.
page is displayed.
AP Customized Settings page is displayed.
# Click next to Radio Management. The profiles in Radio Management

are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP

channel to 20-MHz channel 1 and transmit power to 127 dBm. Disable
automatic channel and power calibration functions. The configuration of
Radio1 is similar to the configuration of Radio 0, and is not mentioned here.

5. Configure the AP to work in dual-5G mode. This step is only for APs that
support switching between 2.4G and 5G radios.
# In the AP group list, click the AP group ap-group1 and click next to
Radio Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the

dual-5G mode. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this
step if the AP has been configured to work in dual-5G mode. Go to the next
step to create the 5G radio profile and bind the 5G radio profile to radio 0.




# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new
RRM profile configuration page is displayed.
# On the Advanced Configuration tab, enable airtime fair scheduling, enable
the dynamic EDCA parameter adjustment, enable smart roaming; configure
the SNR-based roaming trigger mode, and set the SNR threshold to 15 dB.


# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that

5. When a large number of users connect to the network in the stadium, the
users still have good Internet experience.
----End

3.8 Example for Configuring Vehicle-Ground

Communication
3.8.1 Example for Configuring Vehicle-Ground Fast Link

Handover
To reduce network deployment costs and better serve passengers, a rail
transportation enterprise wants to use WLAN technology to implement vehicle-
ground communications and expects that multicast servers on the ground network
can deliver multimedia information services to passengers.
● Wireless backhaul mode: Mesh-based vehicle-ground fast link handover

Figure 3-47 Networking for configuring vehicle-ground fast link handover
Internet
GE1/0/0
Router IP: 10.23.200.1/24
Network
management
IP：10.23.224.2 GE0/0/5
MAC：286e-d488-12cd VLANIF200: 10.23.200.2/24
GE0/0/4
Multicast GE0/0/3 GE0/0/6

AC
GE0/0/1
source GE0/0/1 GE0/0/2
IP：10.23.224.3 Switch_A Management VLAN：VLANIF 100
MAC：286e-d488-b6ab MAC： IP: 10.23.100.1/24
GE0/0/2 GE0/0/2
707b-e8e9-d328
Switch_B Switch_C
GE0/0/1 GE0/0/1
Trackside Trackside Trackside Trackside Trackside Trackside

AP AP AP AP AP AP
（L1_001）（L1_003）（L1_010）（L1_150）（L1_160）（L1_170）
MAC: 286e-d488-d359 MAC: 286e-d488-d270

Vehicle- mounted terminal_1 Vehicle- mounted terminal_2
Trackside Trackside
AP AP
GE0/0/1 GE0/0/1
（in the rear）（in the front）
Forward direction
：active Mesh link

：candidate Mesh link
Data Planning
Table 3-55 AP information
AP Type MAC Address

(L1_001)

AP Type MAC Address

(L1_003)

(L1_010)

(L1_150)

(L1_160)

(L1_170)
...

AP (in the front)

AP (in the rear)
...

Item Data
Multicast service VLAN VLAN 101
DHCP server ● Configure the AC as a DHCP server to assign IP

addresses to trackside APs.
● Configure Switch_A as a DHCP server to assign IP
addresses to vehicle-mounted terminals.

address
Gateway address IP address of VLANIF 101 on Switch_A:

10.23.224.1/24

trackside APs

vehicle-mounted
terminals

Item Data
AP group to which Name: mesh-mpp

trackside APs belong
IDs of trackside APs ● Trackside AP (L1_001): 1

AP wired port profile ● Name: wired-port
Security profile ● Name: sp01

● Authentication key: a1234567
Mesh profile Trackside APs:

● Name: mesh-net
● Name: mesh-net
Mesh handover profile Trackside APs:

● Name: hand-over
● Name: hand-over
Mesh whitelist on Name: whitelist01

trackside APs Add MAC addresses of all vehicle-mounted APs on
trains running on the rail to the whitelist according
to actual situations.
MAC address of the ● Gateway: 707b-e8e9-d328

proxied ground device ● Network management device: 286e-d488-12cd
● Multicast source: 286e-d488-b6ab
MAC address of the ● Vehicle-mounted terminal_1: 286e-d488-d359

proxied vehicle- ● Vehicle-mounted terminal_2: 286e-d488-d270
mounted device
Multicast group 225.1.1.1-225.1.1.3

1. Configure the ground network to enable Layer 2 communications between
trackside APs and the AC.
2. Configure multicast services on ground network devices to enable proper
multicast data forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-
mounted APs so that the vehicle-mounted AP can set up Mesh connections
with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data
communications.
● This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and
AP9132DNs in Fat AP mode as the vehicle-mounted APs.
● Switches and routers used in this example are all Huawei products.
Configuration Notes
Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and
GE0/0/4 to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200,

and configure GE0/0/5 to allow packets from VLAN 200 to pass through.
Configure GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to
pass through.
[Switch_A] vlan batch 100 101 200
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP

address of GE1/0/0 on the router as the next hop address of the default route
so that packets from the vehicle-ground communication network can be
forwarded to the egress router.
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the

internal network segment, with the next hop address 10.23.200.2.

You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and
set the PVID of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B
[Switch_B] vlan batch 100 101
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and
set the PVID of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C
[Switch_C] vlan batch 100 101
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them
to properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable
# Enable IGMP snooping in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
# Configure multicast group filter policies on Switch_A.

[Switch_A] acl 2000


[Switch_A-acl-basic-2000] quit
# Apply the multicast group filter policies in VLAN 101 on Switch_A.

[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A] quit
# Complete multicast configuration on Switch_B and Switch_C according to

the multicast configuration procedure of Switch_A.
# Configure the fast leave function on Switch_B and Switch_C.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or
Layer 3 multicast is configured, you cannot configure the fast leave function
because this function may interrupt multicast services.
[Switch_B] vlan 101

[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

page is displayed.





# Click OK.

# Click Next.
Vlanif100.

Step 3 Configure trackside APs
radio 1 to 40+MHz and channel to 157.
key a1234567.

nodes. In this example, MAC addresses 0046-4b59-2e10 and
0046-4b59-2e20 are added. Click OK. The Mesh whitelist are added.
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh

whitelist whitelist01 according to the preceding procedure.

# After configuring Mesh parameters, click Apply.

4. Add MPPs
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10,
0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and
0046-4b59-1d60 are added. Set AP ID to 1, 2, 3, 101, 102, and 103 for the
APs respectively. Set the AP names to L1_001, L1_003, L1_010, L1_150,
L1_160, and L1_170, respectively. Click OK. The APs are added as MPPs.

# In the AP group list, click the AP group mesh-mpp. Select Display all
profiles choose Mesh > Mesh Profile. The Mesh Profile List page is
displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name
to mesh-net.
# Click OK.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The
Mesh Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set
Profile name to hand-over and click OK. The Mesh profile configuration
page is displayed.

# Set Position-based handover algorithm to ON.

mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101.

Step 4 Configure a vehicle-mounted AP.
This example provides the detailed configuration procedure of the vehicle-mounted AP in the
front of the train. The configuration procedure of the vehicle-mounted AP in the rear is similar
to that of the vehicle-mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow
packets from VLAN 101 to pass through, and set the PVID of GE0/0/1 to
VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create.
On the Create VLAN page that is displayed, set VLAN ID to 101.

# Click OK.
# Choose Configuration > Interface > ETH Interface and click

GigabitEthernet0/0/1. The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in

tagged mode.
# Click OK.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is
displayed.

3. Configure a security profile.

# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page
is displayed.
# Click Create. The Create Security Profile page is displayed.
# Set Profile name to sp01 and click OK. The Security Profile page is
displayed.
# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE,
and Password to a1234567.

# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create and create the Mesh handover profile hand-over. Click OK.
The Mesh profile configuration page is displayed.
# Set Position-based handover algorithm to ON and Moving direction to
forward. Click Apply. In the dialog box that is displayed, click OK.
Step 5 Add proxied devices on the vehicle-mounted AP

# Add proxied ground devices. Add MAC addresses of Switch_A, network
management device, and multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground
Device. Click Create and add MAC addresses of proxied ground devices. In this
example, MAC addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-
b6ab are added, click OK.

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-

mounted devices on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-
mounted Device. Click Create and add MAC addresses of proxied vehicle-
mounted devices. In this example, MAC addresses 286e-d488-d359 and 286e-
d488-d270 are added, click OK.
Step 6 Configure IGMP snooping on the vehicle-mounted AP
# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping.

Set IGMP-Snooping to ON in Global Setting.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to
view Mesh link information. If Mesh links are set up successfully, information
about Mesh links is displayed.
2. Verify the configuration on the vehicle-mounted AP.
# Choose Maintenance > Train To Ground COMM > Mesh Link Information
to view Mesh link information. Displayed information is the same as that
checked on the AC.


Field Strength to view field strength of the vehicle-mounted AP.

Roaming Trace to view the roaming trace of the vehicle-mounted AP.
----End
3.9 Radio Resource Management Configuration

Examples
3.9.1 Example for Configuring Dynamic Load Balancing
requirement of mobile office. The enterprises also need to prevent one AP radio
from being heavily loaded. Furthermore, users' services are not affected during
For the WLAN access configuration, see Related Topics.
As shown in Figure 3-48, before load balancing is configured, 30 users are

connected to AP area_1, and 10 users are connected to AP area_2.
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads
on the APs to prevent excessive user access to a single AP. A dynamic load
balancing group can be set up only when:
● AP area_1 and AP area_2 are managed by the same AC.
● STAs can detect SSIDs of both the APs.

Figure 3-48 Networking for configuring dynamic load balancing
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1
AP: area_2 AC
VLANIF100
10.23.100.1/24
STA
Data Planning

Item Data
RRM profile ● Name: wlan-net

● Start threshold for dynamic load
balancing: 15
● Load difference threshold for
dynamic load balancing: 25%

wlan-net

wlan-net
Configure dynamic load balancing to prevent one AP from being heavily loaded.

Configuration Notes
● Currently, the load balancing function is implemented in the STA access
phase. In scenarios with complex user service types and unstable traffic, the
expected load balancing effect cannot be achieved. In this case, you are not
advised to enable load balancing based on the channel usage.
Procedure
Step 1 Check the basic configuration of the WLAN.
1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.
2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.
Step 2 Configure dynamic load balancing.

1. In the RRM profile, enable dynamic load balancing, and set the start threshold
for dynamic load balancing to 15 and load difference threshold to 25%.
# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile.
Click Create. The Create RRM Profile page that is displayed
# Enter the profile name wlan-net and click OK. The RRM Profile page is
displayed.
# On the Advanced Configuration tab, enable dynamic load balancing, and

set the start threshold for dynamic load balancing to 15 and load difference
threshold to 25%.


The RRM Profile page is displayed. Configure dynamic load balancing for
radio 1. The configuration is similar to that of radio 0 and is not mentioned
here.
1. Choose Monitoring > User > User Distribution. The number of STAs on
different APs is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a dynamic
load balancing algorithm to redirect the STA to the AP area_2 with a light
load according to the information reported by APs.
----End
Related Topics
● 3.2.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.2.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.2.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.2.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
3.9.2 Example for Configuring Static Load Balancing

requirement of mobile office. The enterprises also need to prevent one AP radio
from being heavily loaded. Furthermore, users' services are not affected during

As shown in Figure 3-49, before load balancing is configured, 30 users are

connected to AP area_1, and 10 users are connected to AP area_2.
AP area_1 and AP area_2 form a static load balancing group to balance loads on
the APs to prevent excessive user access to a single AP. A static load balancing
group can be set up only when:
● AP area_1 and AP area_2 are managed by the same AC.
● STAs can detect SSIDs of both the APs.
Figure 3-49 Networking for configuring static load balancing
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1
AP: area_2 AC
VLANIF100
10.23.100.1/24
STA
Data Planning
Item Data
Static load balancing group ● Name: wlan-static

● Start threshold for load balancing
based on the number of users: 10
● Load difference threshold for load
balancing based on the number of
users: 5%

Configure static load balancing based on the number of users to prevent one AP
from being heavily loaded.
Configuration Notes
● Load balancing takes effect during the STA association stage. In scenarios
with complex user service types and unstable traffic, loads cannot be
balanced as expected. In this case, load balancing based on the channel
utilization is not recommended.
● If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band.
● Each load balancing group supports a maximum of 16 AP radios.
● Under the agile distributed network architecture composed of the central AP
and RUs, you only need to add radios of the RUs to a static load balancing
group.
Procedure
Step 1 Configure static load balancing.
1. Create the static load balancing group wlan-static and set the start threshold
for static load balancing to 10 and load difference threshold to 5%.
# Choose Configuration > AP Config > AP Group > Static Load Balancing
Group. The Static Load Balancing Group page is displayed.

# Click Create. On the page that is displayed, enter the profile name wlan-
static, and set the start threshold for static load balancing to 10 and load
difference threshold to 5%. Add AP area_1 and AP area_2 to the static load
balancing group.
# Click OK.
1. Choose Monitoring > User > User Distribution. The number of STAs on
different APs is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a static load
balancing algorithm to redirect the STA to the AP area_2 with a light load
based on the configured load balancing group.
----End
Related Topics

3.9.3 Example for Configuring Band Steering (5G-Prior Access)

roaming in the coverage area. To relieve pressure on the 2.4 GHz frequency band,
enable STAs to connect to the 5 GHz frequency band.
Use APs that support both 5 GHz and 2.4 GHz frequency bands.
Figure 3-50 Networking for configuring Band Steering
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data

profile ● Band steering function: enabled
wlan-net

Item Data

profile ● Start threshold for load balancing between radios: 15
● Load difference threshold for load balancing between radios: 25

profile ● Referenced profiles: RRM profile wlan-rrm
Configure the band steering function and proper band steering parameters so that
STAs can preferentially access the 5 GHz frequency band.
Configuration Notes
● Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure
the same SSID and security policy on the 5 GHz and 2.4 GHz radios.
● To allow a STA to preferentially associate with the 5 GHz radio and achieve a
better access effect, configure larger power for the 5 GHz radio than the 2.4
GHz radio.
Procedure

Step 2 Configure the band steering function.

1. Enable the band steering function in the VAP profile wlan-net. By default, the
band steering function is enabled.
# Choose VAP Configuration > wlan-net. The VAP profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function.

2. In the RRM profile, configure load balancing between radios to prevent heavy
load on a single radio. Set the start threshold for load balancing between
radios to 15, and the load difference threshold to 25%.
# Enter the profile name wlan-rrm and click OK. The RRM profile
# On the Advanced Configuration tab, set the start threshold for load
balancing between radios to 15, and the load difference threshold to 25%.
# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile >
wlan-rrm. The RRM profile configuration page is displayed. Configure inter-
frequency load balancing for radio 1. The configuration is similar to that of
radio 0 and is not mentioned here.
If different RRM profiles are bound to the 2G and 5G radio profiles and configured with
different band steering parameters, parameters in the 2G radio profile preferentially take
effect.

# Choose Monitoring > User > User Distribution. Most STAs can connect to the 5
GHz frequency band, and users enjoy good service experience.
----End
Related Topics
3.9.4 Example for Configuring Smart Roaming

To ensure optimal user experience, a stadium requires that users associate with
the nearest APs when moving on the stadium stand. Furthermore, users' services
are not affected during roaming in the coverage area.
Figure 3-51 Networking for configuring smart roaming
IP
Network
Router
GE1/0/0
VLANIF101 10.23.101.2
VLANIF102 10.23.102.2
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP: area_1 GE0/0/3 GE0/0/2
SwitchA
STA
GE0/0/1
AP: area_2 AC
VLANIF100
10.23.100.1/24
STA

Data Planning

Item Data

● Smart roaming threshold type: SNR-
based
● SNR threshold for smart roaming:
15

wlan-rrm

wlan-rrm
Configure smart roaming and adjust smart roaming parameters to steer STAs
(especially sticky STAs) to reconnect or roam to APs with strong signals.
Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the
initially connected APs regardless of whether they move far from the APs, and have weak
signals or low rates. The STAs fail to roam to neighbor APs with better signals. They are called
sticky STAs.
Configuration Notes


Procedure
Step 2 Configure smart roaming.

1. In the RRM profile wlan-rrm, enable smart roaming, configure SNR-based
roaming trigger mode and roaming threshold to 15 dB.
# Enter the profile name wlan-rrm and click OK. The RRM Profile page is
displayed.
# On the Advanced Configuration tab, enable smart roaming, configure

SNR-based roaming trigger mode and roaming threshold to 15 dB.
# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile >
wlan-rrm. The RRM Profile page is displayed. Configure smart roaming for
radio 1. The configuration is similar to that of radio 0 and is not mentioned
here.

When a large number of users in the stadium access the WLAN, they can still
enjoy good Internet experience.
----End

Related Topics
3.9.5 Example for Configuring Dynamic Bandwidth Selection

for the 5GHz Radio
Enterprise users can access the Internet through a WLAN (in non-high-density
scenarios) to meet the basic requirements of mobile office. The Dynamic
bandwidth selection (DBS) function can improve utilization of 5 GHz bandwidth
resources and expand the network capacity.
APs use the 5 GHz radio to provide wireless network coverage.
Figure 3-52 Networking diagram for configuring the DFS function
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning
Item Data
Radio list ● AP name: AP7052DN

● Radio ID: 1
● Frequency band: 5G
● Automatic frequency bandwidth adjustment: enabled
Configure the DBS function to enable APs to automatically adjust the channel
bandwidth, improving the network capacity.
Procedure
Step 2 Configure the DBS function.

● DBS based on a single AP
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning.
# In Radio List, find the 5G radio of the target AP, and click . Set Automatic
Frequency Bandwidth Adjustment to on and click .
# Click Apply.
● DBS based on an AP group
# Click the AP group name. Click a radio under Radio Management.
# Set Automatic Frequency Bandwidth Adjustment to ON.

The DBS function is supported only for 5 GHz radios. For radios supporting frequency band
switching, set Switch to 5G to ON.
Before enabling DFS, set Automatic channel optimization to ON.
# Click Apply.

When a large number of users in a stadium access the WLAN, they can still enjoy
good Internet experience.
----End
Related Topics
3.10 Spectrum Analysis Configuration Examples
3.10.1 Example for Configuring Spectrum Analysis

roaming in the coverage area. The enterprise is located in an open place, and the
WLAN is vulnerable to interference. When discovering severe interference on the
WLAN, the network administrator can detect whether non-Wi-Fi interference
exists on the WLAN through the spectrum analysis function.

Figure 3-53 Networking for configuring spectrum analysis
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
After a spectrum server is deployed on the network, the AP reports the spectrum
scanning data and sampling data to the spectrum server through the AC. Ensure
that the AC and the spectrum server can communicate with each other.
Data Planning
Item Data

profile default, 2G radio profile wlan-radio2g, 5G radio profile
wlan-radio5g, and AP system profile wlan-spectrum

profile ● Air scan interval: 8000 ms
● Air scan duration: 100 ms


Item Data

AP system ● Name: wlan-spectrum

profile ● IP address of the spectrum server: 10.137.43.4
● Port number of the spectrum server: 32181
● Port number used by the AC to receive spectrum information
(encapsulated in UDP packets) from APs when the AC is used to
send data to the spectrum server: 5001
● Aging time of non-Wi-Fi devices on an AC during spectrum
analysis: 5 minutes
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and
send alarms to the AC.
Configuration Notes
● If air scan functions are enabled on a radio, the radio transmits common
WLAN services and also provides the monitoring function. A transient increase
in the WLAN service latency may occur, which does not affect network access.
However, if any latency-sensitive service (such as videoconferencing) is
running, it is recommended that a separate radio be used for air scan.
● In spectrum analysis scenarios, to obtain enough sampling data, it is
recommended that the scanning interval be set no more than 10 seconds and
the scanning duration to 100 ms.
● The channels to be scanned for spectrum analysis are fixed as all channels
supported by the corresponding country code of an AP and are irrelevant to
the configuration in an air scan profile.


Procedure
Step 1 Configure spectrum analysis.
1. Set spectrum analysis parameters.
# In the AP group list, click ap-group1. Choose AP > AP System Profile. The
# Click Create. The Create AP System Profile page is displayed. Enter the
profile name wlan-spectrum and click OK. On the ap system profile
configuration page that is displayed.
# On the Advanced Configuration tab, set related parameters.


profile is similar.

3. Create an air scan profile and configure the scan channel set, scan interval,
and scan duration.
# Choose 2G Radio Profile > Air Scan Profile. The Air Scan Profile page is
displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile

# Enable scanning, and configure the scan channel set, scan interval, and scan
duration.

4. Enable spectrum analysis on a radio.
# Click Radio 0. On the Radio 0 Settings(2.4G) page that is displayed, set
the radio parameters.
# Click Apply. In the dialog box that is displayed, click OK. The 5G radio
configuration is similar and not mentioned here.
1. View AP spectrum on the web platform to learn AP channel interference in
deployment sites.
a. Choose Monitoring > Spectrum Analysis. The Radio List page is
displayed.
b. Select an AP and click Start.

c. In the AP radio list, click View Drawing in the Operation column. The
related spectrum charts are displayed. A maximum of four spectrum
charts can be displayed.

d. Select your desired spectrum chart from the drop-down list box in the
upper left corner. You can select Lower or Upper on the spectrum charts
of a 5G radio to view spectrum charts of different frequencies.
e. The Real-Time FFT chart shows that the signal strength of interference is
mostly within the range of -80 dBm to -40 dBm. On the Swept
Spectrogram chart, click Modify, set the signal strength scope at both
ends of the color bar, and click Apply. The Swept Spectrogram chart
shows that channel 149 has the most severe interference.
f. On the Active Devices chart, click . A list of the detected non-Wi-Fi

devices is displayed.
----End
Related Topics


3.11 WLAN Security Configuration Examples
3.11.1 Example for Configuring Rogue Device Detection and

Containment
An enterprise branch needs to deploy WLAN services for mobile office so that
branch users can access the enterprise network from anywhere at any time.
The branch is located in an open place, making the WLAN vulnerable to attacks.
For example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the
WLAN to establish connections with STAs to intercept enterprise information,
posing great threats to the enterprise network. To prevent such attack, the
detection and containment function can be configured for authorized APs. In this
way, the AC can detect rogue AP area_2 (neither managed by the AC nor in the
authorized AP list), preventing STAs from associating with the rogue AP.
addresses to STAs.

Figure 3-54 Networking for configuring rogue device detection and containment
IP
Network
Router
GE1/0/0
10.23.101.2/24
Authorized AP
(area_1)
SSID: wlan-net SwitchA GE0/0/3
GE0/0/1
GE0/0/1
SwitchB
GE0/0/2
GE0/0/2
GE0/0/1
STA IP AC
Network
VLANIF100
Rougue AP 10.23.100.1/24
(area_2)
SSID:wlan-net
Data Planning
Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

profile default, and WIDS profile wlan-wids
● Working mode of the AP radio: normal
● Rogue device detection and containment: enabled

profile



wlan-net

profile ● Rogue device containment mode: containment against rogue
APs using spoofing SSIDs
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect
wireless device information and report it to the AC. In addition, APs can
contain detected rogue devices, enabling STAs to disassociate from them.
In this example, the authorized APs work in normal mode and have the detection function
enabled. In addition to transmitting WLAN service data, AP radios need to perform the
monitoring function. A transient increase in the WLAN service latency may occur, which does
not affect network access. However, if any latency-sensitive service (such as videoconferencing)
is running, it is recommended that a separate radio be used for air scan.

Configuration Notes
Procedure

to 10.23.101.2/24.
for the STAs.
address pool view.

page is displayed.




# Click OK.
# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
Configuration.



# Click Finish.
page is displayed.


Step 7 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and
enable rogue device detection and containment.
displayed.
is displayed.
detection and containment.

detection and containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against
rogue APs using spoofing SSIDs.
page is displayed.
displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.
Choose Monitoring > WIDS. In the Device Detection area, view the detection
result.
● Click a number in the detection result list. The detected device information is
displayed in Device Detection Information.
● Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed.

● In the list of APs that detect the device, select an AP and click View Whitelist
to view the whitelist of the AP.
----End
3.11.2 Example for Configuring Attack Detection

To ensure network stability and security, network administrators can configure
attack detection and dynamic blacklist to prevent flood attacks and brute force
PSK cracking. Detected attack devices are added to the dynamic blacklist, and
packets from them are discarded, preventing attacks.
addresses to STAs.
Figure 3-55 Networking for configuring attack detection
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning

Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

profile default, WIDS profile wlan-wids, and AP system profile
wlan-system
● Attack detection type of the AP radio: brute force PSK cracking
attack detection for WPA2-PSK authentication and flood attack
detection

profile



Item Data

wlan-net

profile ● Interval for brute force PSK cracking attack detection: 70s
● Quiet time for brute force PSK cracking attack detection: 700s
● Maximum number of key negotiation failures allowed within a
brute force PSK cracking attack detection period: 25
● Flood attack detection interval: 70s
● Quiet time for flood attack detection: 700s
● Flood attack detection threshold: 350
● Dynamic blacklist: enabled
AP system ● Name: wlan-system

profile ● Aging time of a dynamic blacklist: 200s
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection so that WLAN devices can detect
attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic
blacklist and to reject packets from these devices within the aging time of the
dynamic blacklist.
Configuration Notes


Procedure
to 10.23.101.2/24.
for the STAs.

address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.

# Click Finish.


page is displayed.


Step 7 Configure the attack detection function.
1. Enable brute force PSK cracking attack detection for WPA2-PSK authentication
and flood attack detection.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
is displayed.
# Enable brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection on radio 0.

# Enable brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection on radio 1 in the same way.
2. Create WIDS profile wlan-wids, and set parameters for attack detection.
page is displayed.
displayed. Click Advanced Configuration.
# Set parameters for the brute force PSK cracking attack detection for WPA2-
PSK authentication and flood attack detection WPA2-PSK. Enable the dynamic
blacklist function.

3. Create AP system profile wlan-system, and set the aging time of the dynamic
blacklist.
# Choose AP > AP System Profile. The AP System Profile List page is
displayed.
# Click Create. The Create AP System Profile page is displayed.
# Enter the name of the new AP system profile wlan-system in Profile
name, and click OK. The parameter setting page of the new AP system profile
is displayed. Click Advanced Configuration.
# Set the aging time of the dynamic blacklist to 200 seconds.
Choose Monitoring > WIDS and view attack detection result in the Attack
Detection area.
● Click a number in the attack detection result list to view details.
● Click View Dynamic Blacklist. The View Dynamic Blacklist page is
displayed.
----End
3.11.3 Example for Configuring a WPA/WPA2-PPSK Security

Policy
A hotel provides wireless Internet access services for guests and uses WPA/WPA2-
PSK (personal edition) as the security policy. However, this policy has low security.
All guests in the hotel use the same password for Internet access, which is
insecure. Attackers may access the network using this password without
authorization. To improve network security, the hotel can configure PPSK
authentication, so that different passwords are assigned to guests, and the
passwords are easy to manage and maintain.
PPSK authentication has no specific requirements on the networking. After setting
the security policy of an SSID to PPSK on the AC, the network administrator needs
to configure a lobby administrator account for hotel receptionists. The hotel
receptionists can use this account to log in to the AC's web platform to assign
passwords to guests for accessing the Internet.

Data Planning
Item Data
Network administrator account ● User name: admin123

● Password: admin@123
Lobby administrator account ● User name: lobby123

● Password: lobby@123
AP group ● Name: default

● Referenced profile: VAP profile
webCreate_0
SSID profile ● Name: webCreate_0

Security profile ● Name: webCreate_0

● Security policy: WPA-WPA2+PPSK
+TKIP-AES
VAP profile ● Name: webCreate_0

webCreate_0 and security profile
webCreate_0
PPSK user Method 1: automatically generating a

group of passwords
● User name: automatically
generated (For example, user
names prefixed with room2 are
automatically generated for guests
on the second floor, such as
room20001 and room20002.)
● Password: randomly generated
Method 2: manual configuration
● User name: vip
● Password: vip@wlannet
1. The network administrator configures the AC, APs, and other network devices
based on the wireless network plan to ensure network connectivity.
2. The network administrator logs in to the AC's web platform and configures
WLAN services using the configuration wizard. PPSK authentication cannot be
configured using the configuration wizard. The network administrator can
configure key authentication and then change the security policy to PPSK.

3. The network administrator creates a lobby administrator account for hotel

receptionists.
4. A hotel receptionist logs in to the AC's web platform to configure and
manage guest passwords for accessing the Internet.
For details about network interworking and WLAN service deployment, see
the WLAN basic networking configuration examples. This example focuses on
the PPSK authentication configuration.
Configuration Notes
● PPSK users are counted as local users managed by the AC. Configure a proper
number of PPSK users based on the actual user specifications of the AC
model, and delete expired and unused user accounts periodically.
● After a receptionist assigns passwords to guests, a user password list is
automatically generated. The receptionist should save this list properly. If this
list is not saved, the passwords will be displayed in ciphertext when this list is
manually exported later.
Procedure
Step 1 Set the security policy to PPSK as the network administrator.
# Choose Configuration > AP Config > AP Group. Click the AP group name. The
AP group configuration page is displayed.
Figure 3-56 AP group
# Expand the profile tree of the AP group and find Security Profile. Set
Authentication policy to PPSK and click Apply.

Figure 3-57 Security profile
Step 2 Create a lobby administrator account for hotel receptionists as the network
administrator.
# Choose Maintenance > Administrator. The administrator configuration page is
displayed.
# Click Create. Create a lobby administrator account and click OK.
Figure 3-58 Creating a lobby administrator account
Step 3 Assign passwords to guests as a receptionist.

# Use the lobby administrator account to log in to the AC's web platform and click
PPSK Management.
Figure 3-59 PPSK management
# Create users and randomly generate a group of user passwords. In this example,
user names and passwords are generated by room. Alternatively, different
passwords can be generated for each guest or STA.

Figure 3-60 Randomly generating PPSK users
# Check the passwords randomly generated for each user in the automatically
exported table. Keep the passwords secure and provide them to guests for Internet
access as needed.
Figure 3-61 PPSK user list and automatically exported PPSK table
# Create a single user, and set the user name and password.

Figure 3-62 Creating a PPSK user

# When a guest checks in, a receptionist searches for the password based on the
room number and notifies the guest of the password. The guest uses this
password to access the Internet.
# The user is displayed in online state in the user list of on the AC's web platform.
Figure 3-63 User list
----End

3.11.4 Example for Configuring the STA Blacklist and Whitelist

An enterprise needs to provide WLAN services for management personnel so that
they can connect to the enterprise network from anywhere at any time.
Due to a small number of management personnel in the enterprise, MAC
addresses of their STAs can be added to a STA whitelist. In this manner, STAs of
other employees cannot connect to the WLAN.
In addition, network administrators have detected unauthorized access of some
STAs and need to deny access of them. The administrators can add MAC addresses
of these STAs to the blacklist, while other authorized STAs can still connect to the
WLAN.
addresses to STAs.
Figure 3-64 Networking for configuring the STA blacklist and whitelist
IP
Network
Router
10.23.101.2/24
GE0/0/3
STA1 GE0/0/1
GE0/0/1
0011-2233-4455 SwitchB
GE0/0/2
STA3
0011-2233-4477 AP SwitchA GE0/0/2
GE0/0/1
STA2 AC
STA4 0011-2233-4466
VLANIF100
0011-2233-4488
10.23.100.1/24

Data Planning

Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

profile default, and AP system profile wlan-system

profile



wlan-net, and STA whitelist profile sta-whitelist

Item Data
STA ● Name: sta-whitelist

whitelist ● STAs added to the STA whitelist: STA1 (0011-2233-4455) and
profile STA2 (0011-2233-4466)
STA ● Name: sta-blacklist

blacklist ● STAs added to the STA blacklist: STA3 (0011-2233-4477) and
profile STA4 (0011-2233-4488)
AP system ● Name: wlan-system

profile ● Referenced profile: STA blacklist profile sta-blacklist
2. Configure a STA whitelist. Add MAC addresses of management personnel's
wireless terminals to the whitelist. To prevent configuration impacts on other
VAPs, configure the STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the
blacklist to prevent the STAs from associating with the AP, ensuing WLAN
network security.
The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is,
the STA whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP
system profile.
Configuration Notes

Procedure
to 10.23.101.2/24.
for the STAs.

address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.

# Click Finish.


page is displayed.


Step 7 Configure a STA whitelist for VAPs.
1. Configure STA whitelist profile sta-whitelist and add MAC addresses of STA1
and STA2 to the whitelist.
displayed.
# Choose VAP Configuration > wlan-net > STA Blacklist And Whitelist
Profile. On the STA Blacklist And Whitelist Profile page, select Whitelist.
# Click Create. The Create STA Whitelist Profile page is displayed.
# Enter the name of the new STA whitelist profile sta-whitelist in Profile
name, and click OK. The parameter setting page of the new STA blacklist
profile is displayed.
# Click Add. The Add Address page is displayed.
# Add MAC addresses of STA1 and STA2 to the whitelist.

# Click OK.
Step 8 Configure a global STA blacklist.

1. Create AP system profile wlan-system.
# Click in front of AP. Under it, click AP System Profile. The AP System
the profile name wlan-system and click OK. The AP System Profile
2. Configure STA blacklist profile sta-blacklist and add MAC addresses of STA3
and STA4 to the blacklist.
# Click in front of AP System Profile. Under it, click STA Blacklist Profile.
On the STA Blacklist Profile page, select Blacklist.
# Click Create. The Create STA Blacklist Profile page is displayed.
# Enter the name of the new STA blacklist profile sta-blacklist in Profile
name, and click OK. The parameter setting page of the new STA blacklist
profile is displayed.
# Click Add. The Add MAC Address page is displayed.
# Add MAC addresses of STA3 and STA4 to the blacklist.
# Click OK.
The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the
WLAN.
----End

3.12 WLAN QoS Configuration Examples
3.12.1 Example for Configuring WMM and Priority Mapping

After accessing the network, users encounter poor experience in voice and video
services. The administrator wants to preferentially ensure forwarding of voice and
video service traffic to improve user experience.
Figure 3-65 Networking for configuring WMM and priority mapping
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning
Item Data


profile ● Referenced profiles: traffic profile wlan-traffic

profile ● WMM: Enable

profile ● WMM: Enable
Traffic ● Name: wlan-traffic

profile ● Downstream mapping on the air interface: DSCP
● Upstream tunnel mapping on the air interface: 802.11e
● Priority mapping: specified to provide higher priorities for voice
and video services
1. Configure the WMM function so that network bandwidth is preferentially
allocated to voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video
services so that network bandwidth is preferentially allocated to these
services.
Configuration Notes


Procedure
Step 1 Configure the WMM function.
1. In the radio profile, enable the WMM function and set EDCA parameters on
APs to enable voice and video services to preferentially use network
bandwidth.

profile is similar.
# In the AP group list, click ap-group1. Click in front of Radio

Management. Under it, click in front of Radio 0. Click 2G Radio Profile.
The 2G Radio Profile page is displayed.
# On the Advanced Configuration tab, enable the WMM function, select

scenario Voice and video, and retain the default settings of EDCA parameters.
Click Apply. In the dialog box that is displayed, click OK.
Step 2 Configuring priority mapping.
This example requires that voice and video packets have the highest priority so
that these packets are preferentially transmitted. By default, the uplink and
downlink mapping modes on the air interface are 802.11e and DSCP, respectively.
The uplink and downlink priority mapping on the air interface can ensure that
voice and video packets have the highest tunnel DSCP priority. Therefore, you do
not need to modify default priority mapping.
To change the default priority mapping, for example, to enable video packets with
a higher priority than voice packets, you can refer to this step.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.

Under it, click in front of wlan-net. Click Traffic Profile. The Traffic Profile
page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, configure priority mapping and set the
mapped priority of video packets higher than that of the voice packets.
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set
to 4 or 5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the
voice packets are 32 and 40. Based on the settings, video packets will be preferentially
transmitted.

1. Normal voice and video communication improves user experience in voice and
video services.
----End
Related Topics


3.12.2 Example for Configuring Traffic Policing

To prevent STAs from maliciously occupying network resources and reduce
network congestion, the administrator requires that the uplink rate limit of each
STA be 2 Mbit/s and the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.
Figure 3-66 Networking for configuring traffic policing
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning

Item Data



profile ● Uplink rate limit of a single STA: 2 Mbit/s
● Uplink rate limit of all STAs on a VAP: 30 Mbit/s
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a
traffic profile to achieve traffic policing.
Configuration Notes

Procedure
Step 1 Configure traffic policing.
Create traffic profile wlan-traffic. Set the uplink rate limit of a single AP to 2
Mbit/s and the total uplink rate limit of all STAs on the VAP to 30 Mbit/s.

page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, set the uplink rate limit to 2 Mbit/s for
STAs and to 30 Mbit/s for VAPs.
1. STAs efficiently utilize network resources, reducing network congestion.
----End
Related Topics

3.12.3 Example for Configuring Airtime Fair Scheduling
The administrator requires that multiple users on the network be able to fairly use
network bandwidth to improve overall user experience.
Figure 3-67 Networking for configuring airtime fair scheduling
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning
Item Data

● Referenced profiles: 2G radio profile wlan-radio2g, and 5G
radio profile wlan-radio5g

profile ● Airtime fair scheduling: enabled

Item Data


1. Enable airtime fair scheduling to ensure that multiple users on a radio can
fairly use network bandwidth to improve overall user experience.
Configuration Notes
Procedure
Step 1 Configure airtime fair scheduling.
# In the AP group list, click ap-group1. Click in front of Radio Management.

Under it, click in front of radio 0.

# Click in front of 2G Radio Profile, and click RRM Profile. Click Create. On
the page that is displayed, set Profile name to wlan-rrm and click OK. The RRM
Profile configuration page is displayed.
# Enable airtime fair scheduling in the RRM profile.

1. Users can fairly use network bandwidth, improving overall user experience.
----End
Related Topics
3.12.4 Example for Configuring ACL-based Packet Filtering
To control network traffic, the administrator requires that packets with source IP
address 10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.

Figure 3-68 Networking for configuring ACL-based packet filtering
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data



profile ● Configuration of ACL-based IPv4 packet filtering
1. Configure ACL-based packet filtering in a traffic profile.
Configuration Notes


Procedure
Step 1 Configure ACL-based packet filtering.
1. Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and
destination IPv4 address 10.23.101.11 to pass.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL dialog box that is displayed, set
the ACL name to ACL3001 and ACL number to 3001. Click OK.
# Click Add Rule in the new ACL.
# Click OK.

2. Create traffic profile wlan-traffic and apply the ACL to it.


# Enter the traffic profile name wlan-traffic in Profile name and click OK.
The parameter setting page of the new traffic profile is displayed.
# On the Advanced Configuration tab, expand Packet Filtering. In Inbound
ACL, click Add. Set Packet Filtering Type to IPv4 and ACL used to filter
incoming packets to ACL3001. Click to save the settings.
1. Packets with the source IP address of 10.23.101.10 and destination IP address
of 10.23.101.11 are forbidden to pass, achieving network traffic control.
----End
Related Topics

3.12.5 Example for Configuring Optimization for Voice and

Video Services
Voice, video, and data services are transmitted on the WLAN. The administrator
requires that voice and video services of QQ and WeChat have a higher priority to
ensure good user experience in these QQ and WeChat services.
Figure 3-69 Networking for configuring optimization for voice and video services
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning
Item Data

● Referenced profiles: VAP profile wlan-net, 2G radio profile
wlan-radio2g, and 5G radio profile wlan-radio5g

Item Data

Profile ● Referenced profile: SAC profile wlan-sac

profile ● Referenced profile: RRM profile wlan-net

profile ● Referenced profile: RRM profile wlan-net

profile ● Multimedia air interface optimization: enabled
SAC ● Name: wlan-sac

profile
Voice and ● Applied protocols: QQ and WeChat

video
optimizati
on
1. Enable the SAC function.
2. Configure optimization for voice and video services so that these QQ and
WeChat services have a higher priority than data services.
Configuration Notes

Procedure
Step 1 Enable the security engine.
After the security engine is enabled, the system automatically loads the default signature
database.
# Choose Configuration > Security > Attack Defense. The Attack Defense page
is displayed.
# Set Security Engine to ON. Click OK.
Step 2 # Create an SAC profile and bind it to the VAP profile mapping the AP group ap-
group1.
# In the AP group list, click the AP group name ap-group1. Click next to VAP
Configuration and next to wlan-net, and select SAC Profile.
# Click SAC Profile and enter wlan-sac in Profile name. Click OK. The SAC
Step 3 Enable optimization for voice and video services on QQ and WeChat.
# Choose Configuration > Other Services > App Identification & Optimization
> Voice&Video Optimization. The Voice & Video Optimization page is
displayed.
# Set Voice optimization and Video optimization to ON.
# Set the applications' Voice optimization and Video optimization to OFF except
qq and weixin.

By default, dynamic optimization for voice and video services is enabled for all applications in
Application Detection Optimization List. To modify the status of the function for an
application, select the application and set Voice Detection Optimization and Video Detection
Optimization to ON or OFF.
Step 4 Enable the multimedia air interface optimization function.

# In the AP group list, click the AP group name ap-group1. Click next to Radio
Management and next to Radio 0.
# Click next to 2G Radio Profile and select RRM Profile. Click Create, enter
wlan-rrm in Profile name, and then click OK. The RRM Profile configuration
page is displayed.
# On the Advanced Configuration tab, disable Dynamic EDCA and enable
Multimedia air interface optimization.
# Click next to Radio 0 and next to 5G Radio Management, and select

RRM Profile. The RRM profile configuration page is displayed.
# Click the drop-down list box next to RRM Profile and select wlan-rrm.
1. Normal voice and video communication of QQ and WeChat ensures good
user experience in voice and video services of QQ and WeChat.
----End

Related Topics
3.12.6 Example for Configuring Priorities for Skype4B Packets

The administrator requires that voice and video packets of the Skype4B software
have a higher priority than desktop sharing and file transfer packets to ensure
good user experience in voice and video services.
Figure 3-70 Networking for configuring WMM and priority mapping
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24

Data Planning
Item Data


profile ● Referenced profiles: UCC profile wlan-ucc
UCC ● Name: wlan-ucc

profile ● 802.1p priority of Skype4B voice packets: 6
● 802.1p priority of Skype4B video packets: 5
● 802.1p priority of Skype4B desktop sharing packets: 4
● 802.1p priority of Skype4B file transfer packets: 3
Skype4B 9000
server port
number
1. Configure priorities for Skype4B packets to set higher priorities for voice and
video packets than those of desktop sharing and file transfer packets.
2. Configure the AC to interact with the Skype4B server.
Configuration Notes

Procedure
Step 1 Configure priorities for Skype4B packets.

Under it, click in front of wlan-net. Click UCC Profile. The UCC Profile page is
displayed.
# Click Create. The Create UCC Profile page is displayed.
# Enter the UCC profile name wlan-ucc in Profile name and click OK. The
parameter setting page of the new UCC profile is displayed.
# Configure priorities for Skype4B packets according to the following figure.
Step 2 Configure the AC to interact with the Skype4B server.
> Skype4B. The Skype4B page is displayed.
# On the Skype4B page, set Skype4B listener to ON, Type to HTTP, and HTTP
port to 9000.

● The port number of the HTTP service specified on the AC must be consistent with the port
number on the Skype4B server.
● You need to specify the IP address of the AC for the Skype4B server and the port number of
the Skype4B server.

1. The priorities of Skype4B voice and video packets are higher than those of
Skype4B desktop sharing and file transfer packets. Therefore, users are
provided with good voice and video service experience.
----End
Related Topics
3.12.7 Example for Configuring a QoS Policy Based on

Application Protocols (Direct Forwarding)
As shown in Figure 1, an enterprise has deployed a WLAN with the direct data
forwarding mode. To regulate online behavior of employees on the network, the
administrator needs to configure QoS policies based on application protocols.
Voice, video, and data services are involved on the WLAN, including FaceTime,
SkypeForBusiness, QQ_VoIP. The administrator wants to learn the application
traffic usage to plan the network capacity and locate faults. For example, discard
FaceTime packets, specify the SkypeForBusiness priority, and limit the rate of
QQ_VoIP traffic.
For configurations of the WLAN access function, see Related Topics.

Figure 3-71 Networking for configuring QoS policies based on application

protocols
IP
Network
Router
GE1/0/0
VLANIF101
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
1. Enable the security engine and update the signature database.
2. Configure application visualization, including specifying the priority for Skype
for Business packets, discarding FaceTime packets, and limiting the rate of QQ
VoIP packets.

Item Data

● Referenced profile: VAP profile wlan-net

● Referenced profile: SAC profile wlan-sac
SAC Name: wlan-sac

profile SAC policy: Discard FaceTime packets, set the DSCP priority of
Skype for Business packets to 40, and limit the rate of QQ VoIP
packets to 1000 kbit/s.

Configuration Notes
Procedure
Step 1 Enable the security engine.
In this example, the direct data forwarding mode is used. Therefore, you need to enable the
security engine on both the AC and the AP. If tunnel forwarding is used, you only need to
enable the security engine on the AC.
> SAC > SAC Configuration.
# Enable Loading the SAC signature database on the AC.
# Disable Loading the SAC signature database on the AP. In Loading the SAC
Signature Database for APs by AP Group, enable SAC for a specified AP group.
# Click Apply.

Step 2 Update the SAC signature database.

# visit Huawei Security Center (https://isecurity.huawei.com/sec/web/
freesignature.do) and download the SAC signature databases of the AC and AP.
# Choose Maintenance > AC Maintenance > Signature DB.
# Under Signature Database List, click Local upgrade mapping AC SAC
Signature Database. In the dialog box that is displayed, click Upload. In the
dialog box that is displayed, select the corresponding SAC signature database and
click OK. In the dialog box that is displayed, click OK.
# After the update is successful, a dialog box is displayed, where you can click OK.
# The method for updating AP SAC Signature Database is similar to that for
updating the AC SAC signature database, and is not mentioned here.
Step 3 Create an SAC profile and bind it to the VAP profile corresponding to the AP group
ap-group1.
# In the AP group list, click the AP group ap-group1, click next to VAP
Configuration, click next to wlan-net, and select SAC Profile.
# Click Create, set Profile name to wlan-sac. Click OK. The page for configuring
SAC Profile is displayed.
# Under Configuration Policy, set Application protocol group to
instant_message, Application protocol to skypeforbusiness, Policy type to
Priority policy, Priority policy mode to DSCP, and the priority to 40. Click .

# Under Configuration Policy, set Application protocol group to voip,

Application protocol to qq_voip, Policy type to Rate limit policy, and Rate limit
message application strategy (Kbit/s) to 1000. Click .
# Under Configuration Policy, set Application protocol group to voip,

Application protocol to facetime, and Policy type to Drop policy. Click .
# After the policy is configured, it is displayed as follows.
Step 4 After the configuration is complete, the FaceTime service cannot be used, the
DSCP priority of the Skype for Business packets is 40, and the rate of QQ VoIP
packets is limited to 1000 kbit/s.
----End
Related Topics
3.13 IoT Configuration Examples

3.13.1 Example for Configuring the Smart Retail IoT Solution -

ESL
A supermarket wants to deploy a network to expand IoT applications while
providing the wireless network access service to display and manage commodity
prices using ESLs.
Figure 3-72 Networking diagram for configuring an ESL network
ERP
system
Router
ESL
management
AC Switch system
GE0/0/3
GE0/0/1
GE0/0/1 GE0/0/2
GE0
AP
Card
STA
ESL
Data Planning
Item Data
Managem VLAN100
ent VLAN

Item Data
Service VLAN101
VLAN
Interworki VLAN102
ng VLAN
of the ESL
managem
ent system
and ESLs
AC's VLANIF100
source
interface

server and STAs.
IP address 10.23.100.2 to 10.23.100.254/24

pool for
APs
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

profile default, radio profile wlan-radio2g, AP system profile
ap-system, and AP wired port profiles wired1 and wired2

profile



wlan-net
Radio ● Name: wlan-radio2g

profile ● Time range during which the VAP is disabled as scheduled:
23:00 to 6:00

Item Data
AP system ● Name: ap-system

profile ● Connection type between IoT cards and APs: Ethernet port
AP wired ● Name: wired1

port – Working mode of the AP's wired interface: root
profile
– VLAN of the AP's wired interface: 102 (tagged)
● Name: wired2
– Working mode of the AP's wired interface: endpoint
– VLAN of the AP's wired interface: 102 (untagged)
– PVID of the AP's wired interface: 102
1. Configure network interworking of the AC, AP, and switch.
3. Configure WLAN service parameters.
4. Configure interworking between the ERP system and ESL management
system.
5. Configure interworking between the ESL management system and ESLs.
Configuration Notes

Procedure
# Configure the access switch. Add GE0/0/1 and GE0/0/2 to VLAN 100
(management VLAN) and VLAN 101 (service VLANs).

page is displayed.





# Click OK.

interface address pool on VLANIF 101 in the same way.
# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.
# Set Security settings to Key (applicable to personnel networks) select the


# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.
# Click Finish.
# Choose Configuration > AP Config > AP Group. In the AP group list, click ap-
group1. Choose Radio Management > Radio 0 > 2G Radio Profile. Click Create
to create a 2G radio profile named wlan-radio2g.
# Click OK. The radio profile configuration page is displayed.
# Enable the scheduled radio disabling function and set the time range in which
radio 0 is to be automatically disabled. Click Apply.

Step 5 Configure interworking between the ERP system and ESL management system.
The detailed operations are not described here.
Step 6 Configure Layer 2 interworking between ESL cards and the ESL management
system.
1. Configure Switch.
# Add GE0/0/3 on the switch connected to the ESL management system to
VLAN 102.
# Add GE0/0/2 on the switch connected to the AP to VLAN 102.
2. Add GE0 connecting the AP to Switch to VLAN 102.
# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Then, choose AP > AP Wired Port Settings, and click GE0. The
GE0 Profile page is displayed.
# Click Create to create an AP wired port profile named wired1. Click OK.
# Click Advanced Configuration. Add GE0 to VLAN 102 in tagged mode, set
Port mode to Root, and click OK.
# Choose AP > AP System Profile. The AP System Profile page is displayed.

# Click Create to create an AP system profile named ap-system. Click OK.
# Click Advanced Configuration and set Working mode of the IoT card to
Ethernet. Click Apply.
# Select Display all profiles and choose IoT > Card 1 > AP Wired Port
Profile. The AP Wired Port Profile page is displayed.

# Click Create to create an AP wired port profile named wired2. Click OK.
# Click Advanced Configuration. Set Port PVID to 102, add the port to VLAN
102 in untagged mode, set Port mode to Endpoint, and click Apply.
3. Restart the AP.

# Choose Maintenance > AP Maintenance > AP Restart. Click Restart All to
restart all APs.
Step 7 Initialize the ESL card, register ESLs, associate ESL IDs with commodity codes, and
configure ESL services. For detailed operations, see the operation guides provided
by vendors, which are not described here.

----End
3.13.2 Example for Configuring the Healthcare IoT Solution

A hospital wants to deploy a network to expand IoT applications while providing
the wireless network access service to prevent infant abductions.
addresses to STAs.
Figure 3-73 Networking diagram for configuring the Healthcare IoT Solution
Network
Infant protection
GE0/0/1 Switch system
GE0/0/1 GE0/0/4
AC
GE0/0/2 GE0/0/3
Ward 1 Ward 2
Mobile app
RFID RFID
AP AP
receiver receiver
Infant
security tag
Exit monitor 1 Exit monitor 2
Exit monitor 3
Audible and visual
alarm device
: Entrance/Exit

Data Planning

Item Data
Managem VLAN100
ent VLAN
Service VLAN101
VLAN
AC's VLANIF100
source
interface
DHCP The AC functions as a DHCP server to assign IP addresses to STAs.

server
AP's IP Static IP address: 10.23.100.254

address
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

domain profile domain1
● Local UDP port mapping the IoT card interface: 50200
Regulatory ● Name: domain1

profile



wlan-net

Item Data
IoT profile ● Name: wlan-iot

● IP address of the host computer: 10.23.100.254
● Port number of the host computer: 3000
● Trusted host: 10.23.102.253/255.255.255.0
● Shared key: aabb0011@11
1. Configure network interworking of the APs, switch, AC, and host computer
(on which the infant protection system is deployed).
2. Configure the AC as a DHCP server to assign IP addresses to APs.
3. Configure the APs to go online and configure WLAN services.
4. Configure parameters for the APs to communicate with RFID cards.
5. Configure parameters for the APs to communicate with the host computer.
6. Add the APs' IP addresses to the host computer and configure the same
shared key as that on the APs.
Configuration Notes

Procedure
# Configure the access switch. Add GE0/0/1 through GE0/0/3 to VLAN 100
# Add GE0/0/4 on the AC connected to the host computer to VLAN 100 and VLAN
101.

page is displayed.







# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.



# Click Finish.
group1 and select Display all profiles. Choose IoT > Card1 > IoT Profile. Click
Create to create an IoT profile named wlan-iot.
# Click OK. The IoT profile configuration page is displayed. Set parameters as
follows:
● Protocol: UDP
● Port number: 50200
● Communication key: aabb0011@11
● IP address of a trusted host computer: 10.23.102.253
● Mask of a trusted host computer: 255.255.255.0
● Host Computer Address: 10.23.100.254
● Host Computer Port Number: 3000
# Click Apply.

Step 5 Configure static IP addresses for APs.

# Choose Configuration > AP Config > AP Config. Select an AP and click Modify.
The AP modification page is displayed.
# Set AC IP address list to 10.23.100.1, IP Obtaining Mode to Static, IP Address
to 10.23.100.254, Mask to 255.255.255.0, and Gateway to 10.23.100.1.
Step 6 Add the AP's IP address to the host computer and configure the same shared key
as that on the AP.
Step 7 Configure exit monitors to connect to the network in wired mode and interwork
with the infant protection system. The detailed operations are not described here.
Step 8 Use the infant protection function according to operation methods of the infant
protection system. For details, see the operation guides provided by vendors.

----End

3.13.3 Example for Configuring the Education IoT Solution -

Student Health and Safety
A school pays much attention to health and safety of its students, and desires to
use technical methods to monitor and query students' health and safety
information.
To meet these requirements, Huawei provides the Student Health and Safety IoT
Solution that reuses the existing WLAN.
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as a DHCP server to assign IP
Figure 3-74 Networking for configuring the Student Health and Safety IoT
Solution
Server
AC Switch AP
GE0/0/1 GE0/0/4
GE0/0/1 GE0/0/3
GE0/0/2 RFID
card
AP outside AP inside
the school the school
RFID RFID
card card
Student
wristband
Student Student
wristband wristband
: 433 MHz RFID radio signal
: 2.4 GHz RFID radio signal

Data Planning

Item Data
Managem VLAN100
ent VLAN
Service VLAN101
VLAN
AC's VLANIF100
source
interface

server and STAs.
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

● Local TCP port mapping the IoT card interface: 50200

profile



wlan-net
IoT profile ● Name: wlan-iot

● IP address of the host computer: 10.23.200.1
● Port number of the host computer: 3000
● Trusted host: 10.23.102.253/255.255.255.0
● Shared key: aabb0011@11

1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
5. Configure communication parameters between the APs and host computer.
6. Add IP addresses of the APs to the host computer and configure the same
shared key as that on the APs.
Configuration Notes
Procedure
# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100
[Switch] vlan batch 100 to 101



page is displayed.





# Click OK.
# Click Next.
Vlanif100.




Import.


Configuration.


# Click Finish.
group1 and select Display all profiles. Choose IoT > Card1 > IoT Profile. Click
Create to create an IoT profile named wlan-iot.
# Click OK. The IoT profile configuration page is displayed.
● Protocol: TCP
● Communication key: aabb0011@11
● IP address of a trusted host computer: 10.23.102.253
● Mask of a trusted host computer: 255.255.255.0
● Host Computer Address: 10.23.200.1
● Host Computer Port Number: 3000
# Click Apply.
Step 5 Configure network interworking between the APs and server.
Configure routes based on the actual networking situation to ensure network

interworking between the APs and host computer.
Step 6 Add IP addresses of the APs to the host computer and configure the same shared
key as that on the APs.


----End

3.13.4 Example for Configuring the Shopping Mall and

Supermarket IoT Solution - Hotspot Service and Customer
Flow Analysis
To improve sales and increase profits, a shopping mall wants to promote
consumption by pushing customized advertisements to customers.
To meet these requirements, Huawei provides the hotspot service and customer
flow analysis solution. This solution provides secure and easy Wi-Fi access for
customers and improves user experience. Additionally, the shopping mall can
analyze data to find shops that customers are interested in and then push
customized advertisements to their mobile phones, promoting consumption.
Figure 3-75 Network for configuring the hotspot service and customer flow
analysis
Customer flow
analysis server
10.23.201.1
Policy configuration
RADIUS server device
10.23.200.1 10.23.200.4
Portal server DNS server

10.23.200.2 10.23.200.3
Switch AC
GE0/0/1
GE0/0/1
GE0/0/4 GE0/0/2
GE0/0/3
AP AP AP
STA

Data Planning

Item Data

tion
s ● IP address: 10.23.200.1
● Shared key: Huawei@123
SSL policy ● Name: huawei

● PKI domain: default

template
● URL: https://10.23.200.2:8445/portal
● Portal shared key: Admin@123

access ● Bound template: Portal server template wlan-net
profile


tion ● Bound profile and authentication scheme: Portal access profile
profile wlan-net, RADIUS server template wlan-net, RADIUS
authentication scheme wlan-net, and authentication-free rule
profile default_free_rule
Managem VLAN100
ent VLAN
Service VLAN101
VLAN
AC's VLANIF100
source
interface

server and STAs.
IP address 10.23.100.2 to 10.23.100.254/24

pool for
APs

Item Data
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

profile default, location profile wlan-location, and radio
profiles wlan-radio-2g and wlan-radio-5g

profile



wlan-net, and authentication profile wlan-net
Air scan ● Name: wlan-air-scan

profile ● Probe channel set: channels supported by the country code
2G radio ● Name: wlan-radio-2g

profile ● Referenced profile: air scan profile wlan-air-scan
5G radio ● Name: wlan-radio-5g

profile ● Referenced profile: air scan profile wlan-air-scan
Location ● Name: wlan-location

profile ● Wi-Fi terminal location: enabled
● Mode in which terminal information is reported: through the AC
● Destination IP address and port number for the AC to report
terminal information to the server: 10.23.201.1/32180
● Destination port number for APs to report terminal information
to the AC: 10001
Host Customer flow analysis server

computer IP address: 10.23.201.1
Port number: 32180

1. Configure the AC to communicate with servers.
4. Configure Portal authentication.
6. Configure communication parameters between APs and the host computer.
7. Configure APs' IP addresses on the host computer.
Configuration Notes
Procedure
Step 1 Configure the AC to communicate with servers.
Configure routes based on the actual networking to ensure network interworking
between the AC and servers.
# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100 and
VLAN 101.


page is displayed.





# Click OK.

# Click Next.

Vlanif100.





Import.
Configuration.

deselect MAC address-prioritized. Under External Portal Server Configuration,
set Server template name, Server IP address, Shared key, Port number, and
Server URL. Under External RADIUS Server Configuration, set Server template
name, Authentication server IP, Shared key, and Port number.


# Click Finish.
Step 6 Configure Portal authentication.
1. Configure the HTTPS protocol for Portal authentication.
# Choose Configuration > Security > SSL. The SSL page is displayed.
# Click Create. On the Create SSL policy page that is displayed, set SSL
policy name to huawei and Certificate name to default. Click OK.

# Choose Configuration > Security > AAA > Portal Server Global
Configuration > External Portal. The External Portal page is displayed.
# Click wlan-net under Portal Authentication Server List. Set Protocol type
to HTTP, and deselect all parameter settings under URL Option Settings.
Click OK.
# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Then, choose VAP Configuration > wlan-net > Authentication
Profile > External Portal Authentication. The Portal configuration page is
displayed.
# Set Interoperation protocol to HTTP and Primary Portal server group to
wlan-net.

# Click Set next to External Portal server global parameters. Select HTTP
protocol, set SSL policy to huawei, and click OK.
# Click Apply.
2. Configure an accounting scheme.
# Choose VAP Configuration > wlan-net > Authentication Profile >
RADIUS server. The RADIUS server configuration page is displayed.
# Enable Real-time accounting and click Apply.
3. Configure an authentication-free rule to allow users to access specified

network resources without authentication.
# Choose Configuration > AP Config > Profile, and then choose Wireless
Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
# Set Authentication-free Rule Profile to default_free_rule and Control
mode to Authentication-free rule.
# Click Create. On the Create Authentication-free Rule page that is
displayed, set Rule ID to 1 and set Destination IP address.

# Click OK.
# Select authentication-free rule 1 and click Apply. In the dialog box that is
Step 7 Configure the air scan function.
group1. Then, choose Radio Management > Radio 0 > 2G Radio Profile. The 2G
Radio Profile page is displayed.
# Click Create to create a 2G radio profile named wlan-radio-2g. Click OK.
# Click Apply.
# Expand 2G Radio Profile. Click Air Scan Profile. The Air Scan Profile page is
displayed.
# Click Create to create an air scan profile named wlan-air-scan. Click OK.
# Set Probe channel set to Country code channels and click Apply.
# Create a 5G radio profile named wlan-radio-5g in the same way, and bind the
air scan profile wlan-air-scan to this 5G radio profile.
Step 8 Configure the Wi-Fi terminal location function.
# Select Display all profiles. Choose WLAN Location > WLAN Location Profile.
Click Create to create a location profile named wlan-location.
# Click OK. The location profile configuration page is displayed.
# Enable STA location, and set Data report mode to Through AC, Server
connection to IP, the IP address to 10.23.201.1/32180, and AC port number to
10001. Click Apply.

Step 9 Add IP addresses of the APs to the host computer and configure the same shared
key as that on the APs.
STAs can search for the WLAN with the SSID wlan-net and connect to the WLAN
through Portal authentication.
----End

Supermarket IoT Solution - Indoor Navigation
In a shopping mall with large areas and complex environment, it is difficult for
customers to find parked cars and shops. To help customers to easily find shops or
parked cars, improve customer satisfaction, and promote customers' buying
intention, the shopping mall expects to provide navigation services.
To meet these requirements of the shopping mall, Huawei provides the indoor
navigation solution. This solution provides customers with easy and secure Wi-Fi
network access and improves customers' network experience. Additionally, an
indoor navigation app is provided for customers to find shops or parked cars,
improving customer satisfaction.

● DHCP deployment mode: Configure an AC as the DHCP server to assign IP

Figure 3-76 Network for configuring indoor navigation
Location server App server
Switch AC
GE0/0/1
GE0/0/1
GE0/0/4 GE0/0/2
GE0/0/3
AP BLE device AP BLE device AP
STA
Bluetooth
signal
Data Planning
Item Data
Managem VLAN100
ent VLAN
Service VLAN101
VLAN
AC's VLANIF100
source
interface

server and STAs.

Item Data
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

profile default, and BLE profile wlan-ble

profile



wlan-net
BLE Profile ● Name: wlan-ble

● Bluetooth monitoring function of APs' built-in Bluetooth
modules: enabled
● Bluetooth broadcast function of APs' built-in Bluetooth
modules: enabled
● Mode in which an AP reports data: through an AC
● Destination port number on the AC through which APs send
Bluetooth
packets: 32180
● IP address/Port number of the location server:
10.23.102.1/10001
1. Configure network interworking between the AC and location server, and
between the location server and app server.
5. Configure the Bluetooth terminal location function.

6. Configure the location server.
Configuration Notes
Procedure
Step 1 Configure network interworking between the AC and location server, and between
the location server and app server.
Configure routes based on the actual networking to ensure network interworking.
VLAN 101.



page is displayed.






# Click OK.
# Click Next.
Vlanif100.





Import.


Configuration.


# Click Finish.
group1 and select Display all profiles. Choose Bluetooth Service > BLE Profile.
Click Create to create a BLE profile named wlan-ble.
# Click OK. The BLE profile configuration page is displayed.
# Enable Broadcast and Monitoring surrounding BLE devices. Set Monitoring
mode to iBeacon, and set Data reporting mode, IPv4 address/Port number, and
AC port number. Click Apply.
# Choose Configuration > Other Services > BLE. Click Create and add MAC
addresses of BLE base stations within the AP's coverage area to the monitoring
list.

Step 6 Configure the location server.

Configure Bluetooth terminal location parameters on the location server.
A Bluetooth terminal can discover the wireless network with the SSID wlan-net,
and can associate with it after successful authentication. After opening the indoor
navigation app and obtaining location information from the app server, you can
use the car seeking and shop seeking functions.
----End

Supermarket Solution - Personnel and Asset Management
A shopping mall often suffers from asset losses or fails to find assets. To reduce
property loss and facilitate asset management, the shopping mall wants to
monitor the locations and moving tracks of assets.
To meet these requirements, Huawei offers the personnel and asset management
IoT solution.

Figure 3-77 Network for configuring the personnel and asset management IoT
solution
Location
server
Switch AC
GE0/0/1
GE0/0/1
GE0/0/4 GE0/0/2
GE0/0/3
AP AP AP
Bluetooth
Bluetooth
tag
signal
Data Planning

Item Data
Managem VLAN100
ent VLAN
Service VLAN101
VLAN
AC's VLANIF100
source
interface

server and STAs.

Item Data
IP address 10.23.101.2 to 10.23.101.254/24

pool for
STAs

profile default, and BLE profile wlan-ble

profile



wlan-net
BLE Profile ● Name: wlan-ble

● Reporting of Bluetooth tag packets: enabled
● Domain name/Port number of the location server: testabc.com/
10001
1. Configure the AC to communicate with the location server.
5. Configure the Bluetooth tag location function.
6. Configure the location server.
Configuration Notes

Procedure
Step 1 Configure the AC to communicate with the location server.
Configure routes based on the actual networking to ensure network interworking

between the AC and location server.
VLAN 101.

page is displayed.





# Click OK.

# Click Next.

Vlanif100.




Import.

Configuration.


# Click Finish.
group1 and select Display all profiles. Choose Bluetooth Service > BLE Profile.
Click Create to create a BLE profile named wlan-ble.
# Click OK. The BLE profile configuration page is displayed.
# Enable Monitoring surrounding BLE devices, set Monitoring mode to Tag,

enable Data reporting, set Server connection to Domain name, and set Domain
name/Port number. Click Apply.

# Choose Configuration > Other Services > BLE. Click Create and add MAC
addresses of BLE base stations within the AP's coverage area to the monitoring
list.
Step 6 Configure the location server.

Configure the location server based on its usage guide.
STAs can search for the WLAN with the SSID wlan-net and connect to the WLAN
after passing authentication. Location information about personnel and assets can
be queried on the location server.
----End
3.14 WLAN Enhanced Services Configuration Examples

3.14.1 Example for Configuring WLAN-based E-Schoolbag

E-schoolbag is a digital teaching method. In a class, teachers and students use
smart terminals such as PCs, tablets, and mobile phones to participate in teaching
and learning activities online.
A teacher can teach students in multiple classrooms without space limitation.
To ensure successful teaching activities, AP4030TNs are used to deploy basic
WLAN services to support access of many students and provide sufficient
bandwidth.
The AP4051TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch
between 2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default,
radio 0 works on the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency
band. If all radios are used for WLAN coverage services, the default frequency
bands for radios are recommended. If some radios are used for air scan, run the
frequency { 2.4g | 5g } command in the AP radio view or AP group radio view to
switch the frequency band of the radios.
addresses to STAs.

Figure 3-78 Networking for configuring the WLAN-based e-schoolbag service
IP
Network
Router
GE1/0/0
VLANIF 101
GE0/0/3 AC
GE0/0/2
SwitchB
GE0/0/1
GE0/0/1
GE0/0/2
SwitchA
GE0/0/1
E-classroom
AP
Management VLAN:
VLAN 100
Service VLAN: VLAN
101
PC
Electronic
whiteboard
Terminals of
Terminals of students
teachers
Data Planning

Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs


Item Data
IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.3-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile

● Maximum number of users: 128


● Band steering: enabled
● Broadcast flood detection: enabled
● Rate threshold for broadcast flood detection: 50 pps
wlan-net, and traffic profile wlan-traffic

profile ● Airtime fair scheduling: enabled
● Dynamic EDCA parameter adjustment: enabled

Item Data

profile ● RTS-CTS operation mode: rts-cts
● RTS-CTS threshold: 1400 bytes
● Beacon interval: 160 TUs
● Short preamble: enabled
● GI mode: short
● 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
● Multicast rate: 11 Mbit/s
● Referenced profile: RRM profile wlan-rrm

profile ● RTS-CTS operation mode: rts-cts
● RTS-CTS threshold: 1400 bytes
● Beacon interval: 160 TUs
● GI mode: short
● Multicast rate: 6 Mbit/s
● Referenced profile: RRM profile wlan-rrm

profile ● Uplink rate limit for a STA: 4000 kbit/s
● Downlink rate limit for a STA: 4000 kbit/s
5. Adjust network parameters for e-schoolbag.
Configuration Notes


Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101.
to 10.23.101.2/24.


for the STAs.
address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.
Configuration.

key.

# Click Finish.
Step 6 Adjust network parameters for e-schoolbag.

# In the AP group list, click ap-group1. Choose VAP Configuration > wlan-
net. The VAP Profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function
and the broadcast flood attack function and configure the rate threshold for
broadcast flood detection.

# Choose VAP Configuration > wlan-net > SSID Profile. The SSID Profile
page is displayed.
128.

# Choose VAP Configuration > wlan-net > Traffic Profile. The Traffic
# Click Create. On the Create Traffic Profile page that is displayed, enter the
profile name wlan-traffic and click OK. The traffic profile configuration page
is displayed.
# Set the upstream and downstream rate limits to 4000 kbit/s and 4000 kbit/s
for STAs, respectively.


# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio



# On the 5G radio profile configuration page that is displayed, set 5G Radio
Profile to wlan-radio5g and click Apply. In the dialog box that is displayed,
click OK.
The RRM Profile page is displayed.

# Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is
displayed.
On the Advanced Configuration tab, enable airtime fair scheduling, and

enable the dynamic EDCA parameter adjustment.
The RRM Profile page is displayed.
# On the RRM profile configuration page that is displayed, set RRM Profile to
wlan-rrm and click Apply. In the dialog box that is displayed, click OK.
# The configuration of Radio 2 is similar to that of Radio 1 and is not

mentioned here.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management

are displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel
to 20-MHz channel 6 and transmit power to 127 dBm. Disable automatic channel
and power calibration functions.

# Click Radio1 and Radio2 to set the channel to 20-MHz channel 149 and 20-
MHz channel 153 respectively and transmit power to 127 dBm. The configuration
is similar to that of Radio0.

----End
3.14.2 Example for Configuring WLAN Hotspot2.0 Services

roaming in the coverage area. On a traditional WLAN, users need to manually
select an SSID and set authentication information to access the WLAN, causing
poor user experience. To enhance user experience, Hotspot 2.0 services are
deployed using a subscriber identity module (SIM) card for authentication. In this
way, users can access the WLAN automatically without awareness.
– The aggregation switch (Switch_B) functions as a DHCP server to assign

Figure 3-79 Networking for configuring WLAN Hotspot 2.0 services
RADIUS Server
10.23.102.1/24 IP
Network
Port:1812
Router
Service VLAN:VLAN101 VLANIF101
10.23.101.2/24
GE0/0/3
GE0/0/1 GE0/0/1
SwitchB
GE0/0/2
AP SwitchA GE0/0/2
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Planning

Item Data

The aggregation switch (Switch_B)
IP addresses to STAs. The default
gateway address of STAs is
10.23.101.2.

Item Data

wlan-net


● Security policy: WPA2-802.1X-AES

● Access authentication mode: 802.1X

Item Data
Hotspot2.0 profile Hotspot2.0 profile

● Name: wlan-net
● Network type: free public network
● Internet access: supported
● Venue type and name: Assembly
and Coffee Shop
● HESSID: 60de-4476-e360
● IP address availability: available
● Network authentication type:
acceptance
● P2P cross connection: disabled
● Cellular network profile: wlan-net
– 46000
● Roaming consortium profile: wlan-
net
– 50-6f-9a
● NAI realm profile: wlan-net
– www.mobileA.com
● Network connection capability
profile: wlan-net
– HTTP service: enabled
● Operator domain profile: wlan-net
– www.mobileA.com
● Operator name profile: wlan-net
– eng, mobileA
● Venue name profile: wlan-net
– eng, Coffee
● Operating class profile: wlan-net
– 81

net, authentication profile wlan-
net, and Hotspot2.0 profile wlan-
net
RADIUS server ● IP address: 10.23.102.1

● Shared key: huawei123

3. In Profile Management, change the security policy to WPA2, and complete
the Hotspot2.0 service configuration based on the data planning.
Procedure
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN101. The default
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN101,

GE0/0/2 to VLAN100 and GE0/0/3 to VLAN 101.
to 10.23.101.2/24.

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
address pool view.

page is displayed.



# Click OK.

# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1

Import.

Configuration.
# Configure security authentication.
Click Finish.


page is displayed.



Step 7 Configure Hotspot2.0 services.

1. Choose Configuration > AP Config > AP Group > AP Group. Click ap-
group1. The AP group configuration page is displayed.
2. Choose VAP Configuration > wlan-net > Security Profile, set the security
policy to WPA2, and click Apply. In the dialog box that is displayed, click OK.
3. Choose VAP Configuration > wlan-net > Hotspot2.0 Profile. The Hotspot2.0
profile page is displayed. Click Create. On the Create Hotspot2.0 Profile

page that is displayed, set Profile name to wlan-net and click OK. Configure
parameters and click Apply. In the dialog box that is displayed, click OK.
4. Click in front of Hotspot2.0 Profile and select Cellular Network Profile.

The Cellular Network Profile page is displayed. Click Create. The Create
Cellular Network Profile page is displayed. Set Profile name to wlan-net,
and click OK. Set PLMN ID, and click Apply. In the dialog box that is
5. Select Roaming Consortium Profile, the Roaming Consortium Profile page

is displayed. Click Create. The Create Roaming Consortium Profile page is
displayed. Set Profile name to wlan-net, and click OK. Set Roaming
consortium OI, and click Apply. In the dialog box that is displayed, click OK.

6. Select NAI Realm Profile. The NAI Realm Profile page is displayed. Click
Create. The Create NAI Realm Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set Realm name, and click Apply. In the dialog box
that is displayed, click OK.
7. Select Network Connection Capability Profile. The Network Connection

Capability Profile page is displayed. Click Create. The Create Network
Connection Capability Profile page is displayed. Set Profile name to wlan-
net, and click OK. Set HTTP to ON, and click Apply. In the dialog box that is
8. Select Operator Domain Profile. The Operator Domain Profile page is

displayed. Click Create, the Create Operator Domain Profile page is

displayed. Set Profile name to wlan-net, and click OK. Set Domain name,
and click Apply. In the dialog box that is displayed, click OK.
9. Select Carrier Name Profile. The Carrier Name Profile page is displayed.
Click Create. The Create Carrier Name Profile page is displayed. Set Profile
name to wlan-net, and click OK. Set Operator name, and click Apply. In the
dialog box that is displayed, click OK.
10. Select Venue Name Profile. The Venue Name Profile page is displayed. Click
Create. The Create Venue Name Profile page is displayed. Set Profile name
to wlan-net, and click OK. Set Venue name, and click Apply. In the dialog

11. Select Operating Class Profile. The Operating Class Profile page is
displayed. Click Create. The Create Operating Class Profile page is displayed.
Set Profile name to wlan-net, and click OK. Set Frequency band indication
No., and click Apply. In the dialog box that is displayed, click OK.


----End

3.14.3 Example for Configuring Service Holding upon WLAN

CAPWAP Link Disconnection
The enterprise requires that data forwarding be not affected even when the AC is
faulty to improve data transmission reliability.
● DHCP deployment mode: Switch functions as a DHCP server to assign IP
Figure 3-80 Networking for configuring service holding upon WLAN CAPWAP link
disconnection
Network
Router
GE1/0/0
Switch AC
GE0/0/2
GE0/0/1
GE0/0/1
el
nn
AP
tu
AP
W
Area A
AP
C
STA
Control packet
Data packet

Data Planning
Item Data
DHCP server Switch functions as a DHCP server to assign IP

Gateway address for APs 10.1.1.1/24
Gateway address for STAs 10.1.2.1/24
AC source interface VLANIF 100: 10.1.1.2/24

● Referenced profiles: AP system profile ap-
system, VAP profile wlan-net, and




AP system profile ● Name: ap-system

● Service holding upon CAPWAP link
disconnection: enabled


5. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the
AC is faulty.
Configuration Notes
Procedure
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the
switch. Set the link type of GE0/0/1 that connects the switch to the APs to trunk
and PVID of the interface to 100, and configure the interface to allow packets of
VLAN 100 and VLAN 101 to pass. Set the link type of GE0/0/2 on the switch to
trunk, and configure the interface to allow packets of VLAN 100 to pass.


to 10.1.2.2/24.
address pool view.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses
to APs.
# Configure VLANIF 101 to use the interface address pool to allocate IP addresses
to STAs.

page is displayed.






# Click Next.


Vlanif100.



– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.

key.

# Click Finish.
Step 6 Create an AP system profile and configure service holding upon link disconnection.
displayed.
# Choose AP > AP System Profile. The AP System Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name ap-system and click OK. The AP system profile configuration page is
displayed.

# Set Policy for service holding upon link disconnection to Holding and
prohibiting new user access.

page is displayed.




The WLAN with the SSID wlan-net is available, and STAs can access the WLAN
normally. When the CAPWAP link is disconnected due to an AC fault, service data
forwarding of STAs in Area A is not affected.
----End
3.14.4 Example for Configuring Channel Switching Without

Service Interruption
The enterprise requires that WLAN services not be interrupted even when the APs
change their working channels.
● DHCP deployment mode: Switch functions as a DHCP server to assign IP

Figure 3-81 Networking for configuring channel switching without service

interruption
IP
Network
Router
GE1/0/0
VLANIF101
10.1.2.2/24
Switch AC
GE0/0/3
GE GE0/0/1
/2
/0
0/0
E0
G
/1
Area A
AP2 AP1
STA STA
Data Planning
Item Data
DHCP server Switch functions as a DHCP server to assign IP

Gateway address for APs 10.1.1.1/24
Gateway address for STAs 10.1.2.1/24

Item Data

● Referenced profiles: 2G radio profile wlan-
radio2g, 5G radio profile wlan-radio5g, VAP
profile wlan-net, and regulatory domain
profile default





● Channel switch announcement: enabled
● Channel switch announcement mode:
continue-transmitting

● Channel switch announcement: enabled
● Channel switch announcement mode:
continue-transmitting
5. Configure channel switching without service interruption to improve WLAN
service reliability so that services are not interrupted even when APs change
their working channels.

Procedure
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3
to VLAN 100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
to 10.23.101.2/24.
# On Switch, configure VLANIF 100 to assign IP addresses to APs.
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
# On Switch, configure VLANIF 101 to assign IP addresses to STAs.
address pool view.

page is displayed.






# Click Next.

Vlanif100.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.

key.


# Click Finish.
Step 6 Create radio profiles and configure channel switching without service interruption.
The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the
profile name wlan-radio2g and click OK. The 2G radio profile configuration page
is displayed.
# On the Advanced Configuration tab, enable channel switching announcement
and configure the AP to continue transmitting data on the current channel when
the channel is switched.


The WLAN with the SSID wlan-net is available, and STAs can access the WLAN
properly. When the channel of AP1 or AP2 is changed, service data forwarding of
STAs in Area A is not affected.
----End
3.14.5 Example for Configuring the Soft GRE Service

roaming in the coverage area. A wired network has been deployed in an area. To
provide more convenient network access services, administrators need to deploy a
wireless network in this area. To facilitate the unified management of wired and
wireless users, administrators also need to use the existing wired access gateway
ME60 for authentication and accounting of wireless users.
– The ME60 functions as a DHCP server to assign IP addresses to STAs.
– Switch functions as a DHCP server to assign IP addresses to APs.
● Service data forwarding mode: soft GRE forwarding

Figure 3-82 Networking for configuring the soft GRE service
Network
ME60
GE2/0/0
GE0/0/3 AC
Switch
GE0/0/2
GE0/0/1
GE0/0/1
AP:
area_1
STA STA

Soft GRE tunnel
Data packet
Data Planning

Item Data
Switch data planning
DHCP Switch functions as a DHCP server to assign IP addresses to APs.

server
IP address 10.23.100.3-10.23.100.254/24
pool for
APs
AC data planning

Item Data
AC's VLANIF 100: 10.23.100.1/24

source
interface
address


profile


Soft GRE ● Name: wlan-soft

profile ● Destination address of the soft GRE tunnel: 10.23.200.1

profile ● Forwarding mode: soft GRE forwarding
wlan-net, and soft GRE profile wlan-soft
ME60 data planning
DHCP The ME60 functions as a DHCP server to assign IP addresses to

server STAs.
IP address 10.23.101.2-10.23.101.254/24
pool for
STAs
VE Virtual-Ethernet2/0/0
interface
for soft
GRE
Soft GRE ● Name: group1

group ● Virtual-Ethernet2/0/0 is referenced.
Destinatio ● Name: Loopback 1

n address ● IP address: 10.23.200.1/24
of the soft
GRE ● The soft GRE group group1 is referenced.
tunnel

Item Data
RADIUS ● Server group: radius1

server ● Server IP address: 10.1.1.1
parameter
s ● Authentication port number: 1812
● Accounting port number: 1813
● Shared key: 123456
● RADIUS accounting scheme: radius
● RADIUS authentication scheme: radius
● Domain: aaadomain1
1. Configure network interworking of the AC, APs, ME60, and other network
devices.
2. Configure the ME60, soft GRE tunnel, and authentication and accounting
functions.
6. Deliver the WLAN service to the AP and verify the configuration.
● In this example, the ME60 in V600R008C10 is used. The actual configuration may vary
depending on versions.
Configuration Notes


Procedure
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and
VLAN 199, respectively. Create VLANIF 199 and set its IP address to
10.23.199.2/24.
[Switch] vlan batch 100 101 199
[Switch-Vlanif199] ip address 10.23.199.2 24
# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a

route to 10.23.100.0/24.
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2
# Configure Switch as a DHCP server to assign IP addresses to APs, and configure

a route to 10.23.200.0/24.
[Switch-Vlanif100] ip address 10.23.100.2 24
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.1
[Switch] ip route-static 10.23.200.0 24 10.23.199.1
# Configure the ME60 as a DHCP server to assign IP addresses to STAs.

address pool view.
[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit
Step 3 Configure the soft GRE tunnel on the ME60.
# Create a VE interface to support soft GRE.

[ME60] interface virtual-ethernet 2/0/0
[ME60-Virtual-Ethernet2/0/0] soft-gre enable
[ME60-Virtual-Ethernet2/0/0] quit
# Create a soft GRE group.

[ME60] soft-gre group group1
[ME60-softgre-group-group1] master virtual-ethernet 2/0/0
[ME60-softgre-group-group1] quit
# Configure an IP address for the loopback interface and bind the soft GRE group
to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit
Step 4 Configure RADIUS authentication and accounting on the ME60.
# Configure a RADIUS server profile, an AAA authentication and accounting

scheme, and domain information.
[ME60] radius-server group radius1
[ME60-radius-radius1] radius-server authentication 10.1.1.1 1812
[ME60-radius-radius1] radius-server accounting 10.1.1.1 1813
[ME60-radius-radius1] radius-server shared-key 123456
[ME60-radius-radius1] quit
[ME60] aaa
[ME60-aaa] authentication-scheme radius
[ME60-aaa-authen-radius] authentication-mode radius
[ME60-aaa-authen-radius] quit
[ME60-aaa] accounting-scheme radius
[ME60-aaa-accounting-radius] accounting-mode radius
[ME60-aaa-accounting-radius] quit
[ME60-aaa] domain aaadomain1
[ME60-aaa-domain-aaadomain1] ip-pool sta-pool
[ME60-aaa-domain-aaadomain1] authentication-scheme radius
[ME60-aaa-domain-aaadomain1] accounting-scheme radius
[ME60-aaa-domain-aaadomain1] radius-server group radius1
[ME60-aaa-domain-aaadomain1] quit
[ME60-aaa] quit
Step 5 Configure the BAS interface on the ME60.
# Create a BAS interface and configure the BAS interface type and authentication
mode. Configure the user VLAN and service VLAN as the same VLAN.

[ME60] interface virtual-ethernet 2/0/0.1

[ME60-Virtual-Ethernet2/0/0.1] user-vlan 101
[ME60-Virtual-Ethernet2/0/0.1-vlan-101-101] bas
[ME60-Virtual-Ethernet2/0/0.1-bas] access-type layer2-subscriber default-domain authentication
aaadomain1
[ME60-Virtual-Ethernet2/0/0.1-bas] authentication-method bind

page is displayed.




# Click Next.

Vlanif100.





– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.

# Set Authentication mode to No authentication.
Click Finish.
Step 9 Create a soft GRE profile.
# Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
# Click Create. The Create SoftGRE Profile page is displayed.
# Enter the name of the new soft-GRE profile wlan-soft in Profile name.
# Click OK. Set the destination IPv4 address of the soft GRE tunnel to 10.23.200.1.
Step 10 Change the VAP forwarding mode to Soft-GRE.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP
Profile List page is displayed.
# Select VAP profile wlan-net. On the VAP profile configuration page that is
displayed, set Forwarding mode to SoftGRE, and SoftGRE profile to wlan-soft.


page is displayed.





----End
3.14.6 Example for Configuring CAC Based on the Number of

Multicast Group Memberships
The multicast source for video conferences is deployed on the enterprise network
to provide enterprise video conferencing services. The multicast source address
ranges from 225.1.1.1 to 225.1.1.5. To restrict the access of employees when the
number of multicast group memberships reaches the maximum, administrators
need to configure CAC based on the number of multicast group memberships,
ensuring the conference access quality.

Figure 3-83 Networking for configuring CAC based on the number of multicast
group memberships
IP Multicast source
Network 225.1.1.1-225.1.1.5
Router
GE1/0/0
VLANIF101 10.23.101.2/24

VLANIF100 GE0/0/1
10.23.100.1/24
GE0/0/2
GE0/0/1
AP Switch
STA
Data Planning
Item Data
Managem VLAN 100

ent VLAN
for APs
Service VLAN 101

VLAN for
STAs

server and STAs.
IP address 10.23.100.2-10.23.100.254/24
pool for
APs
IP address 10.23.101.2-10.23.101.254/24
pool for
STAs
AC's VLANIF 100: 10.23.100.1/24

source
interface
address

Item Data

profile default, and traffic profile wlan-traffic

profile



wlan-net

profile ● Maximum number of multicast group memberships for a VAP:
20
2. Configure multicast-to-unicast conversion to convert multicast packets into
unicast packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to
control the access of multicast users.
Configuration Notes


Procedure
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN
of GE0/0/1 is VLAN 100.
to 10.23.101.2/24.

page is displayed.







# Click OK.

page is displayed.

address to 10.23.101.2.
# Click OK.
# Click Next.

Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.


Configuration.


# Click Finish.
page is displayed.




Step 6 Configure CAC based on the number of multicast group memberships.

page is displayed.
# On the Advanced Configuration tab, enable the function of converting
multicast packets into unicast packets and the function of sending packets to all
users in unicast mode when broadcast or multicast packets fail to be converted
into unicast packets. Enable IGMP snooping and set the number of multicast
group memberships for a VAP to 20.


5. Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC

to view the configuration and usage of multicast CAC of the VAP.
----End

3.14.7 Example for Configuring an AP to Protect STAs From

Obtaining Bogus IP Addresses
An enterprise deploys WLAN area to provide WLAN services for users. The
enterprise requires that STAs not obtain incorrect IP addresses or fail to
communicate even if a bogus DHCP server is deployed on the user side to improve
WLAN security.
Figure 3-84 Networking for configuring an AP to protect STAs from obtaining

bogus IP addresses
Internet
Switch AC
GE0/0/2
GE0/0/1
GE0/0/1
AP : area_1
Area A
STA

Data planning
Item Data

assign IP addresses to STAs and APs.

● Country code: CHINA
wlan-net and AP system profile
wlan-net


+AES

forwarding
● Strict IP learning: IPv4
● Dynamic blacklist of strict IP
learning: ON
● Referenced profile: SSID profile
net
2. Configure an AP to protect STAs from obtaining bogus IP addresses to
improve network security.

Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on the switch to VLAN 100 (default VLAN of
GE0/0/1).
page is displayed.




# Click OK.
page is displayed.
address to 10.23.101.2.

# Click OK.
# Click Next.
Vlanif100.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.

Configuration.



# Click Finish.
Step 5 In a VAP profile, configure an AP to protect STAs from obtaining bogus IP
addresses.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP
Profile List page is displayed.
# Click the VAP profile wlan-net. The VAP profile configuration page is displayed.
Click Advanced Configuration. On IP Services, set IP learning to IPv4, Strict IP
learning to ON, and Dynamic blacklist of static IPv4 addresses to ON.

# Click Apply.
If a bogus DHCP server is deployed on the user side, APs discard the DHCP OFFER,
ACK, and NAK packets sent by the bogus server and report to the AC about the IP
address of the bogus DHCP server.
----End
3.14.8 Example for Configuring One-Click Fault Location for

the AP and AC
If you find that an AP is in fault state when configuring basic WLAN services, you
can use the Intelligent Diagnosis function to diagnose the fault.
Procedure
Step 1 Choose Diagnosis > Intelligent Diagnosis. The Intelligent Diagnosis page is
displayed.

Step 2 Click AP and create a realtime diagnosis task for the AP.
Step 3 Click Start Diagnosis.

After the diagnosis is complete, the system displays Diagnosis process.
Step 4 Troubleshoot the fault based on handling suggestions in the specific scenario.
----End

3.14.9 Example for Configuring AP Loopback

As shown in Figure 3-85, the AC is connected to the aggregation switch in bypass
mode. To test connectivity between the AP and Router, configure AP loopback.
Figure 3-85 Networking diagram
IP
Network
Router
GE1/0/0
VLANIF101
Management VLAN:VLAN100 10.23.101.2/24
Service VLAN:VLAN101
GE0/0/3
GE0/0/1 GE0/0/1 Aggregation
GE0/0/2 switch
AP GE0/0/2
Access switch
STA
GE0/0/1
AC
VLANIF100
10.23.100.1/24
Data Preparation
Table 3-87
Item Data
IP address pool for the AP 10.23.100.2-10.23.100.254/24
Gateway address of the AP 10.23.100.1/24
IP address of the Router 10.23.101.2/24
1. Configure wireless services on the AP. For details, see Example for
Configuring Layer 2 Tunnel Forwarding in Bypass Mode.

2. Configure AP loopback parameters and start the AP loopback test.
Procedure
Step 1 Configure a route to the AP on the Router.
Step 2 Choose Diagnosis > AP-Ping. The AP-Ping page is displayed.
Step 3 Configure AP ping parameters. After the configuration is complete, click Start to
start the AP loopback test.

The test result is displayed after the loopback test is complete. The test result
"Success count: 4; Failure count: 0" indicates that the network between the AP and
Router is reachable.
----End
3.14.10 Configuring Ethernet over GRE to Enable Layer 2

Communication Between an AC and a Wireless Gateway
As shown in Figure 3-86, an enterprise provides the Internet access service for
users through a WLAN. On the network, APs provide access to user traffic, AC_1
provides AP access and user authentication, and AC_2 serves as the user gateway
and assigns IP addresses to users. AC_1 and AC_2 are connected by an IP/MPLS
backbone network. A large number of APs are involved in this scenario. To prevent
severe resource consumption caused by frequent setup and deletion of a large
number of GRE tunnels on AC_2, an administrator configures Ethernet over GRE
(EoGRE) between AC_1 and AC_2 to implement Layer 2 communication.

Figure 3-86 Layer 2 communication between the wireless gateway and AC

implemented through EoGRE
Internet
Router
GE1/0/0
10.23.101.2/24
GE0/0/1 GE0/0/1
GE0/0/2
VLANIF10 VLANIF10
VLANIF101
10.20.1.1/24 10.30.1.1/24
10.23.101.1/24
AP CAPWAP GRE tunnel
AC_1 AC_2
GE0/0/2 Tunnel0/0/1 Tunnel0/0/1
VLAN 100和101 10.40.1.1/24 10.40.1.2/24
STA
Data Planning
Table 3-88 WLAN data planning
Item Data
Management VLAN for VLAN 100

APs

address
DHCP server AC_1 serves as a DHCP server to assign IP addresses

to APs, and AC_2 serves as a DHCP server to assign
IP address pool for APs 10.23.100.2 to 10.23.100.254/24
IP address pool for STAs 10.23.101.3 to 10.23.101.254/24

● Referenced profiles: VAP profile wlan-net and
Regulatory domain ● Name: default

profile ● Country code: China
SID profile ● Name: wlan-net


Item Data


● Forwarding mode: tunnel forwarding
● Referenced profiles: SSID profile wlan-net and
security profile wlan-net
Table 3-89 EoGRE data planning
Item Data
Tunnel interface on AC_1 ● Interface: Tunnel0/0/1

● Tunnel protocol type: GRE
● IP address: 10.40.1.1/24
● Source address: 10.20.1.1
● Destination address: 10.30.1.1
● Bound VE interface: VE0/0/1
Tunnel interface on AC_2 ● Interface: Tunnel0/0/1

● Tunnel protocol type: GRE
● IP address: 10.40.1.2/24
● Source address: 10.30.1.1
● Destination address: 10.20.1.1
● Bound VE interface: VE0/0/1
VE interface on AC_1 ● Interface type: Trunk

● Allowed VLAN: 101
VE interface on AC_2 ● Interface type: Trunk

● Allowed VLAN: 101
1. Use the configuration wizard to configure system parameters for AC_1 and
AC_2.
2. Use the configuration wizard to configure APs to go online on AC_1.
3. Use the configuration wizard to configure WLAN services on AC_1.
4. Configure Ethernet over GRE on AC_1 and AC_2.
5. Deliver services to APs and verify the configuration.

Procedure
page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1, expand Batch Modify, set Interface type to

Trunk, and add GigabitEthernet0/0/1 to VLAN 10.
# Set Interface type of GigabitEthernet0/0/2 to Trunk, and add the

interface to VLAN 100 and VLAN 101 in the same way.



# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON
and DHCP type to Interface address pool.
# Click OK.
# Click Next.
Vlanif100.

Complete the following configurations in the same way as configuring AC_1.
● Set Interface type of GigabitEthernet0/0/1 to Trunk and add the interface
to VLAN 10. Set Interface type of GigabitEthernet0/0/2 to Trunk and add
the interface to VLAN 101.
● Set the IP address of VLANIF 101 to 10.23.101.1/24, DHCP status to ON, and
DHCP type to Interface address pool. Specify IP address 10.23.101.2 that
cannot be automatically assigned.




– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
Import.
Configuration.


key.

Click Finish.
Step 5 Configure Ethernet over GRE.
# The following assumes that IGP is run between all devices for communication
on the public network, the source and destination interface IP addresses of the
GRE tunnel on AC_1 is 10.20.1.1 and 10.30.1.1, respectively.
1. Configure Ethernet over GRE on AC_1.
# Choose Configuration > Other Services > VPN > GRE. The GRE page is
displayed.
# Click Create. The Create GRE page is displayed.
# Set Tunnel ID to 1, IP address/mask to 10.40.1.1/255.255.255.0, Tunnel
destination address to 10.30.1.1, Tunnel source address type to IP address,
and the tunnel source IP address to 10.20.1.1.
# Click next to VE interface bound to EoGRE. On the page that is

displayed, click Create to create Virtual-Ethernet0/0/1 and add the VE
interface to VLAN 101. Note that the VE interface must be added to the same
VLAN to which the inbound interface of user-side packets belongs.

# Click OK. In the dialog box that is displayed, click OK. On the VE interface
page that is displayed, select Virtual-Ethernet0/0/1 and click OK.
# Click OK.
2. Configure Ethernet over GRE on AC_2.
Complete the following configurations in the same way as configuring AC_1.

– Create a GRE tunnel. Set Tunnel ID to 1, IP address/mask to
10.40.1.2/255.255.255.0, Tunnel destination address to 10.20.1.1,
Tunnel source address type to IP address, and the tunnel source IP
address to 10.30.1.1.
– Create Virtual-Ethernet0/0/1 and add it to VLAN 101.
– Bind Virtual-Ethernet0/0/1 to the GRE tunnel.


----End
3.14.11 Example for Configuring an AC and APs to Report KPI

Information
In the cloud managed AC + Fit AP networking, KPI information of an AC and APs
is reported to SDN controller and CampusInsight through the WMI report
mechanism.
Some models of APs directly report KPI information, while other models of APs
transparently report KPI information through an AC. Figure 3-87 and Figure 3-88
show the two KPI information report modes.

Figure 3-87 Direct KPI information report
CloudCampus
CampusInsight
@AC-Campus Internet
AC Switch
AP1 AP2 AP3

The AC reports KPI
information
APs report KPI
information
Figure 3-88 Transparent KPI information report through an AC
CloudCampus
CampusInsight
@AC-Campus Internet
AC Switch
AP1 AP2 AP3
The AC reports KPI

information
APs report KPI
information

Data Planning
Item Data
AP group ap-group1
AP system default
profile
KPI ● The AC reports the following KPI information to SDN controller:

informatio – Destination IP address: 10.1.2.3
n reported
by the AC – Port number: 10032
● The AC reports the following KPI information to CampusInsight:
– Destination IP address: 10.2.3.4
KPI ● The AP reports the following KPI information to SDN controller:

informatio – WMI profile name: cloudmng
n reported
by an AP – Destination IP address: 10.1.2.3
● The AP reports the following KPI information to CampusInsight:
– WMI profile name: campusinsight
– Destination IP address: 10.2.3.4
1. Configure basic WLAN services so that APs can go online.
2. Configure parameters for interconnecting the AC with the WMI server.
3. Configure parameters for interconnecting APs with the WMI server using the
WMI profile and bind WMI profile to the AP group using the AP system
profile.
Configuration Notes
● KPI information to be reported by an AP depends on the AP model. For
details, see Licensing Requirements and Limitations for KPI Information
Report in CLI-based Configuration Guide.
– For an AP that directly reports KPI information, if KPI information of the
AC does not need to be reported, you can omit the step of configuring
parameters for interconnecting the AC with the WMI server.
– For an AP that transparently reports KPI information through an AC, you
must configure parameters for interconnecting the AC with the WMI
server.
● If the KPI information needs to be reported to only one WMI server, do not
configure multiple information report channels to avoid resource waste of the
target server.

● To ensure that KPI information can be successfully reported, pre-configure

network connectivity to make the AC and APs properly communicate with the
WMI server.
Procedure
Step 1 Configure basic WLAN services to make APs go online. The AP group name is ap-
group1.
Step 2 Configure parameters for interconnecting the AC with the WMI server.
1. Configure parameters for interconnecting the AC with SDN controller.
Choose Maintenance > AC Maintenance > WMI from the main menu on the
AC web NMS, configure parameters for interconnecting the AC with SDN
controller on the Channel 1 tab page, and click Apply.
Typically, the port number of SDN controller is 10032.
2. Configure parameters for interconnecting the AC with CampusInsight.

Choose Maintenance > AC Maintenance > WMI from the main menu on the
AC web NMS, configure parameters for interconnecting the AC with
CampusInsight on the Channel 2 tab page, and click Apply.
Typically, the port number of CampusInsight is 27371.
Step 3 Configure parameters for interconnecting APs with the WMI server.
1. Configure parameters for interconnecting APs with SDN controller.
# Choose Configuration > AP Config > AP Group from the main menu on
the AC web NMS, and click ap-group1 on the AP Group tab page.
# Choose AP > AP System Profile > WMI Profile (Channel 1) and click
Create to create the WMI profile cloudmng.
# Configure parameters for interconnecting APs with SDN controller
according to the data plan and click Apply.

2. Configure parameters for interconnecting APs with CampusInsight.

# Choose Configuration > AP Config > AP Group from the main menu on
the AC web NMS, and click ap-group1 on the AP Group tab page.
# Choose AP > AP System Profile > WMI Profile (Channel 2) and click
Create to create the WMI profile campusinsight.
# Configure parameters for interconnecting APs with CampusInsight
according to the data plan and click Apply.
----End
3.14.12 Intelligent Upgrade (AC+Fit AP)

Context
Huawei devices support automatic download and self-service upgrade to help you
learn about the mainstream versions of the devices and quickly perform device
upgrade and repair. After enabling the smart upgrade function on the web
platform of devices, you hereby authorize Huawei Technologies Co., Ltd. to
exchange information with your devices through the Huawei Online Upgrade
Platform (houp.huawei.com) to collect information such as device models, basic
software versions and patches, and device ESNs. The information will be used to
match the versions or patches that can be upgraded and return the information
such as the upgrade versions or patches and the download URLs of software
packages to your devices. After you confirm the upgrade, the devices will
automatically download the software packages and implement an upgrade. When

the upgrade is completed, the upgrade result will be uploaded to Huawei online
upgrade platform. You are advised to enter your email and phone number for
emergency contact upon any upgrade error. We will contact you if necessary so
that your network services can work properly after the upgrade.
Prerequisites
Intelligent upgrade requires that an AC be able to access the Huawei Online
Upgrade Platform (houp.huawei.com).
Procedure
The following example describes how to perform an intelligent upgrade of an
AC6800V.
Step 1 Log in to the web platform and access the Intelligent Upgrade page.
Step 2 After Automatic version upgrade check is enabled, the recommended target
software versions are displayed. Click Immediate Upgrade or Scheduled Upgrade
to perform an upgrade.
----End

Wireless Access Controller (AC and Fit AP) V200R019C00 Web-Based Configuration Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wireless Access Controller (AC and Fit AP) V200R019C00 Web-Based Configuration Guide PDF

Uploaded by

Copyright:

Available Formats

Wireless Access Controller (AC and Fit AP)

Web-based Configuration Guide

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. i

1 About This Document.............................................................................................................1

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. ii

2.5.4.9 Uplink Broadcast Throughput....................................................................................................................................23

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. iii

3.1.3 Example for Configuring High-Density WLAN Services....................................................................................... 68

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. iv

3.5.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 510

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. v

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. vi

1 About This Document

Indicates a potentially hazardous

NOTE Calls attention to important

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 1

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are

{ x | y | ... } Optional items are grouped in braces and separated

[ x | y | ... ] Optional items are grouped in brackets and

{ x | y | ... }* Optional items are grouped in braces and separated

[ x | y | ... ]* Optional items are grouped in brackets and

&<1-n> The parameter before the & sign can be repeated 1

# A line starting with the # sign is comments.

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 2

About This Chapter

2.1 Web Platform Overview

2.1 Web Platform Overview

Figure 2-1 shows the running environment of the web platform.

Figure 2-1 Running environment of the web platform

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 3

2.2 Logging In to the Web Platform

● The IP address of the device's access port has been configured.

Figure 2-2 Running environment of the web platform

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 4

Step 2 Enter the login information.

2.3 Precautions for Using the Web Platform

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 5

2.4 Web Page Description

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 6

Figure 2-3 Main page of the web platform

Table 2-1 Layout

2 Naviga Functions are displayed in a navigation tree.

3 Operati You can configure functions or view function status in the

Table 2-2 Buttons

Save Commits the configured commands.

Console Displays the command-line interface (CLI).

Issue 03 (2020-03-08) Copyright © Huawei Technologies Co., Ltd. 7

Logout Logs you out of the web platform.

To log out of the web platform, click . To log in to the web

Help Displays help-seeking page to obtain help.

Click or press F1. The help-seeking window is displayed.

Languag Switches languages for the web platform.

● Click . The web page displays in Chinese.

Common Web Platform Buttons

Table 2-3 Common web platform buttons

Delete Deletes selected table entries or profiles.

Clear Clears table entries or profiles.

Refresh Updates information displayed on the current page.