Issue 1.00
Date 2016-03-15
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei certification provides customers with practical and professional technical certification
based on its technical strength and professional training systems, meeting customers'
requirements on WLAN technologies at different levels.
Huawei certification provides customers with a four-level certification system based on
WLAN technology characteristics and customer requirements.
Huawei Certified Network Professional-Wireless Local Area Network (HCIP-WLAN) is
intended for all WLAN engineers. Engineers who pass the certification have demonstrated the
following capabilities:
Have comprehensive knowledge of medium- and large-sized WLANs.
Learn WLAN theories and principles.
Can independently plan and deploy different types of WLANs for medium- and
large-sized enterprises using Huawei WLAN devices.
Are capable of maintaining and managing a WLAN to ensure stable and reliable
operation.
Huawei certification helps you start a WLAN-related career and gain overall recognition.
Overview
This document is an HCIP-WLAN-CEWA training course intended for trainees preparing for
HCIP-WLAN-CEWA examinations and readers interested in WLAN technologies. CEWA is
short for Constructing Enterprise WLAN Architecture. The topics cover large-scale WLAN
networking, secure access, high-reliability networking, advanced WLAN technologies,
antenna systems, WLAN network planning and optimization, and related troubleshooting.
Contents
The document includes five modules, covering 10 experiments, and describes configuration
and implementation of large-scale WLAN networking, radio resource management, secure
access, highly reliable networking, layer 3 roaming, and mesh technology.
Module 1
It includes experiments 1 and 2, and describes how to establish a large-scale WLAN
networking environment and perform radio calibration. This module helps you get
familiar with the HCIP-WLAN experiment environment, and master the large-scale
WLAN networking configuration and radio calibration method.
Module 2
It includes experiments 3, 4, and (optional) 5, and describes how to deploy secure
WLAN connections and configure the Agile Controller. This module helps you get
familiar with how the Agile Controller is applied in a WLAN environment, understand its basic
functions, and learn how to configure admission control on it.
Module 3
It includes experiment 6, and provides the experiment guide for roaming technologies in
large-scale WLAN networking. This module helps you learn how to configure the
roaming function in large enterprise networks.
Module 4
It includes experiments 7 and 8, introduces high-reliability configurations in WLANs,
and describes how to use the dual-AC hot-backup method to ensure WLAN availability.
This module helps you master the method of performing WLAN high-reliability
configurations and get familiar with WLAN redundancy technologies.
Module 5
It includes experiments 9 and 10 (single-MPP and dual-mesh configurations), and
describes how to use the mesh technology to implement the WLAN relay function. This
module helps you master WLAN networking methods in special scenarios.
Intended Audience
This document is intended for:
Engineers preparing for HCNA-WLAN examinations.
People who have grasped WLAN knowledge, and are familiar with Huawei switching
devices and basic data communication knowledge.
Common Icons
Networking
The experiment environment is intended for wireless engineers preparing for
HCIP-WLAN-CEWA examinations. Each experiment environment includes two to six ACs,
two to 12 APs, one core switch, one eSight server, one Agile Controller, and one AD server,
and is suitable for four to 12 trainees.
Devices
The following table lists recommended devices for each experiment environment to meet
HCIP-WLAN-CEWA experiment requirements.
Device                      Quantity            Remarks
Laptop or desktop computer  One for each group  A desktop computer requires a network adapter.
Twisted pair                Four for each group The twisted pair must be at least 2 meters long.
Console cable               One for each group
Each group must check whether the following devices are ready:
One AC6005
Two AP6010DNs
One laptop or desktop computer
Four twisted pairs
One console cable
Experiment Topology
Before delivery, the MEth0/0/1 port of the AC6605 is configured with IP address 169.254.1.1
and subnet mask 255.255.0.0.
Before delivery, the MEth0/0/1 port of the ACU2 is configured with IP address 169.254.1.1
and subnet mask 255.255.0.0.
Before delivery, VLANIF1 of the AC6005 is configured with IP address 169.254.1.1 and
subnet mask 255.255.0.0. AC6005 ports GE0/0/1 to GE0/0/8 have been added to VLAN1 by
default.
The device has been configured with HTTP and HTTPS services at delivery. The default
service port No. is 80 for HTTP services and 443 for HTTPS services. The default user name
is admin, and the default password is admin@huawei.com.
Change the password upon the first login. Changing the password to Admin@123 is used as
an example in this document.
Step 3 After logging in to the web-based AC, click at the upper-right corner.
The command-line interface (CLI) is displayed. You can enter command lines to manage and
maintain the device. The login password is Admin@123. (The Firefox browser is
recommended. If the browser cannot run, select Enable for Allow previously unused
ActiveX controls to run without prompt in the Internet Options dialog box, as shown in
the following figure.)
If the Internet Explorer browser is used, the CLI is displayed only after Allow previously unused
ActiveX controls to run without prompt is set to Enable or Prompt.
On the menu bar of the browser, choose Tools > Internet Options > Security, and click Custom Level.
On the displayed page, select Enable or Prompt for Allow previously unused ActiveX controls to run
without prompt.
----End
AC Configuration Removal
Trainees must remove previously saved configurations after the experiment is complete and
before devices are turned off, to avoid any impact of the configurations on the next
experiment. In addition, trainees must confirm that the device is not configured before an
experiment starts. If it is configured, remove the configurations and then restart the device.
On the CLI, enter the password Admin@123 to log in to the AC.
Login authentication
Password:Admin@123
<AC6005>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
Contents
3 Experiment 3: Secure WLAN Access Deployment – 802.1X Admission Control
3.1 Objectives
3.2 Plan
3.3 Procedure
3.3.1 Configuring Basic AC Parameters
3.3.2 Configuring the AC as the RADIUS Client
3.3.3 Creating an ACL
3.3.4 Configuring Agile Controller Route Connectivity
3.3.5 Configuring an Access Device
3.3.6 Configuring Authentication Users
3.3.7 Configuring Policy Elements
3.3.8 Configuring an Authentication Rule
3.3.9 Configuring an Authorization Result
3.3.10 Configuring an Authorization Rule
3.4 Verification
3.5 Reference Configuration
4 Experiment 4: Secure WLAN Access Deployment – Portal Admission Control
4.1 Objectives
4.2 Plan
4.3 Procedure
4.3.1 Configuring Basic AC Parameters
4.3.2 Configuring the AC as the RADIUS Client
4.3.3 Creating an External Portal Server
4.3.4 Configuring the Agile Controller
4.3.5 Configuring Authentication Users
4.3.6 Configuring Policy Elements
4.3.7 Configuring an Authentication Rule
4.3.8 Configuring an Authentication Result
4.3.9 Configuring an Authorization Rule
4.3.10 Customizing the Portal Page
4.3.11 Configuring a Portal Page Push Policy
4.4 Verification
4.5 Reference Configuration
1.1 Objectives
Learn how to configure an authentication AP to go online.
Understand various wireless configuration profiles.
Learn basic WLAN configuration processes.
Learn the configuration of the wireless service set for open-system authentication.
Learn the large-scale WLAN networking mode.
1.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.
Group 1: AC6005-1–G0/0/1; AP1-G0/0/10, AP2-G0/0/11
Group 2: AC6005-2–G0/0/2; AP3-G0/0/12, AP4-G0/0/13
Group 3: AC6005-3–G0/0/3; AP5-G0/0/14, AP6-G0/0/15
Group 4: AC6005-4–G0/0/4; AP7-G0/0/15, AP8-G0/0/16
Group 5: AC6005-5–G0/0/5; AP9-G0/0/17, AP10-G0/0/18
Group 6: AC6005-6–G0/0/6; AP11-G0/0/19, AP12-G0/0/20
Device name: AC6005-X
1.3 Procedure
1.3.1 Overall Procedure
Figure 1-2 Configuration procedure of large-scale WLAN networking (steps shown in the figure include 2. Create an AP group and 4. Configure the VAP profile)
Create VLANIF80X interface on SWA to communicate with the AC. Create a LoopbackX
interface, and set its IP address to 10X.10X.10X.10X to simulate a public network interface.
Create VLANIF interfaces to function as gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA]interface LoopBack 1
[SWA-LoopBack1]ip address 101.101.101.101 32
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 13
[SWA-Vlanif13]ip address 10.1.13.1 24
[SWA-Vlanif13]quit
[SWA]interface Vlanif 14
[SWA-Vlanif14]ip address 10.1.14.1 24
[SWA-Vlanif14]quit
Configuring VLANs
Click Configuration > AC Config > VLAN.
The VLAN configuration page is displayed.
Click Batch Create.
Configure VLANIF10.
Configure VLANIF11.
Configure VLANIF12.
Configure VLANIF13.
Configure VLANIF14.
Configure VLANIF801.
Click Configuration > AC Config > IP > DHCP Address Pool. Set DHCP status to ON to
enable the DHCP function, and click Create to create a DHCP address pool.
Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.
Configure user address pools. VLAN11 and VLAN12 form a guest address pool, and
VLAN13 and VLAN14 form an employee address pool.
Check whether the route between the AC and a layer 3 switch is reachable. The following
command output indicates that 100.100.100.100 (the simulated public network interface on
the switch) cannot be pinged.
Log in to the web-based AC by clicking and entering user account admin and
password admin@123 as indicated by the command prompt.
[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
In the Static Route Configuration Table area, click Create. In the displayed Create Static
Route dialog box, set the parameters as required to configure the static route.
Set the next hop address to the IP address of interface VLANIF801 on the switch.
Click Configuration > AP Config > AP Info > Non-authorized AP List to check the
unauthorized AP list and obtain the required MAC address of an AP.
The AP MAC addresses of group 1 are cccc-8110-2260 and e8bd-d1f7-79c0 (different APs
have different MAC addresses).
Perform the following operations to add an AP.
Click Configuration > AP Config > AP Config > AP Info. Click Create, and enter the MAC
address of the AP to be added.
Check the version of the added AP, and whether the status is normal. If it is not, wait for a
moment. If this problem persists, check the configuration.
After APs are added, their status will change from fault to config, and then to normal. If the
AP status does not change to normal 5 minutes after the AP is added, check the configuration
of VLAN, DHCP, and AP authentication.
For an employee security profile, WPA2+PSK+AES authentication is used, and the password
is b1234567.
Use the default forwarding mode (direct forwarding). Changing the forwarding mode will
trigger risk notifications.
1.4 Verification
1.4.1 Checking the VAP List
Click Monitoring > SSID > VAP > VAP List.
After you enter the password, the STA is connected to WLAN employeeX.
Use the STA to ping the IP address of the simulated public network interface on the switch.
......
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher Admin@123
user-interface vty 16 20
#
return
1.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 14 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool guest1
vlan 11 to 12
vlan pool employee1
vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
security-profile name guest1
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool guest1
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
learn-client-address dhcp-strict
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
2.1 Objectives
Learn the configuration method of WLAN radio calibration.
Learn the configuration method of WLAN data load balancing.
Learn the configuration method of WLAN channel switching without service
interruption.
Learn the configuration method of WLAN band steering.
2.2 Plan
Figure 2-1 Experiment topology
Group 1: AC6005-1–G0/0/1; AP1-G0/0/10, AP2-G0/0/11
Group 2: AC6005-2–G0/0/2; AP3-G0/0/12, AP4-G0/0/13
Group 3: AC6005-3–G0/0/3; AP5-G0/0/14, AP6-G0/0/15
Group 4: AC6005-4–G0/0/4; AP7-G0/0/15, AP8-G0/0/16
Group 5: AC6005-5–G0/0/5; AP9-G0/0/17, AP10-G0/0/18
Group 6: AC6005-6–G0/0/6; AP11-G0/0/19, AP12-G0/0/20
Profile Configuration
Create air scan profile wlan-airscanX and configure the scan channel set, scan interval, and
scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
Create 2G radio profile radio2gX and bind RRM profile wlan-netX and air scan profile
wlan-airscanX to the 2G radio profile.
Create 5G radio profile radio5gX and bind RRM profile wlan-netX and air scan profile
wlan-airscanX to the 5G radio profile.
Bind 5G radio profile radio5gX and 2G radio profile radio2gX to AP group ap-groupX.
Click Configuration > AP Config > AP Group. Select ap-groupX for AP group
configuration, and choose Radio Management > Radio 0 > 2G Radio Profile. Select
radio2gX for 2G Radio Profile on the right pane, and click Apply.
Click Configuration > AP Config > AP Group. Select ap-groupX for AP group
configuration, and choose Radio Management > Radio 1 > 5G Radio Profile. Select
radio5gX for 5G Radio Profile on the right pane, and click Apply.
Before radio calibration is enabled, check radio information about all APs.
Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is automatic.
Click Configuration > AC Config > Basic Config > Radio Calibration.
The interface shows that all APs work on non-overlapping channels, indicating successful
radio calibration.
Radio calibration is complete half an hour after it is manually triggered. You can use either of
the following schemes (not provided in the configuration file):
(Recommended) Set the radio calibration mode to scheduled. Configure the APs to
perform radio calibration during off-peak hours, for example, between 00:00 am and
06:00 am.
Manually fix the working channels of APs: Disable automatic channel selection and
automatic transmit power selection in the RRM profile. Manually trigger radio
calibration when new APs are added to the WLAN.
2.5.2 Verification
Click at the upper-right corner of the web-based AC. Run the display station
load-balance sta-mac command to check AP radios participating in dynamic load balancing.
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
3.1 Objectives
Learn the method of authenticating the interconnection between the AC and Agile
Controller 802.1X.
Learn how to configure Agile Controller 802.1X authentication.
Verify the configuration of Agile Controller authentication access.
3.2 Plan
Figure 3-1 Experiment topology
Group 1: AC6005-1–G0/0/1; AP1-G0/0/10, AP2-G0/0/11
Group 2: AC6005-2–G0/0/2; AP3-G0/0/12, AP4-G0/0/13
Group 3: AC6005-3–G0/0/3; AP5-G0/0/14, AP6-G0/0/15
Group 4: AC6005-4–G0/0/4; AP7-G0/0/15, AP8-G0/0/16
Group 5: AC6005-5–G0/0/5; AP9-G0/0/17, AP10-G0/0/18
Group 6: AC6005-6–G0/0/6; AP11-G0/0/19, AP12-G0/0/20
Device name: AC6005-X
3.3 Procedure
Figure 3-2 Configuration procedure of the experiment
The RADIUS key must be the same as that on the RADIUS server. Set the user name to
exclude the domain name, so that the account or password is not reported as incorrect during
authentication.
You can click Binding Profile to view all profiles bound to the authentication profile.
After the rules are added, click beside ACL3002 to confirm the configuration.
Configure a post-authentication domain ACL for guests, not allowing guests to access
employee resources.
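The post-authentication domain ACLs isolate the two user groups from each other: the employee ACL denies the guest VLAN pool (VLAN 11 and 12) and the guest ACL denies the employee VLAN pool (VLAN 13 and 14), with a final permit for everything else. The following added example (not part of the lab guide or the AC software) parses the two ACLs exactly as they appear in the reference configuration, evaluates destinations against them with first-match, rule-number-ordered semantics and Huawei wildcard masks, and checks that every address in the other group's subnets is really denied. The ACL texts and subnets are copied from this document; the parser and the checking logic are assumptions of this example.

```python
import ipaddress
import re

# ACL text copied from the AC reference configuration in this document.
EMPLOYEE_ACL = """
acl number 3002
 description employee1
 rule 1 deny ip destination 10.1.11.0 0.0.0.255
 rule 3 deny ip destination 10.1.12.0 0.0.0.255
 rule 5 permit ip
"""
GUEST_ACL = """
acl number 3003
 description guest1
 rule 1 deny ip destination 10.1.13.0 0.0.0.255
 rule 3 deny ip destination 10.1.14.0 0.0.0.255
 rule 5 permit ip
"""

# Subnets of the VLAN pools in this document: guest1 = VLAN 11-12, employee1 = VLAN 13-14.
GUEST_SUBNETS = ["10.1.11.0/24", "10.1.12.0/24"]
EMPLOYEE_SUBNETS = ["10.1.13.0/24", "10.1.14.0/24"]

# Only the rule forms used on this page are parsed: "rule N permit|deny ip"
# with an optional "destination <address> <wildcard>".
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+destination\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+))?\s*$"
)


class Rule:
    def __init__(self, number, action, dst=None, wildcard=None):
        self.number, self.action = number, action
        self.dst = int(ipaddress.IPv4Address(dst)) if dst else None
        self.wildcard = int(ipaddress.IPv4Address(wildcard)) if wildcard else None

    def matches(self, dst_ip):
        if self.dst is None:          # "rule N permit ip" without a destination: any address
            return True
        # Wildcard mask semantics: a 1 bit means "don't care", so only the 0 bits are compared.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(dst_ip)) & care) == (self.dst & care)


def parse_acl(text):
    """Parse the rules of one ACL and return them in rule-number order."""
    rules = [Rule(int(n), a, d, w)
             for n, a, d, w in (m.groups() for m in map(RULE_RE.match, text.splitlines()) if m)]
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules, dst_ip):
    """First matching rule wins; returns (action, rule number).

    Returns (None, None) when no rule matches. Both ACLs on this page end with
    'rule 5 permit ip', so that case never occurs for them.
    """
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action, rule.number
    return None, None


def unprotected_subnets(rules, peer_subnets):
    """Isolation check: the other group's subnets must be denied in full.

    Probes the network address, the first host and the broadcast address of each
    subnet and reports every subnet where any probe is not denied.
    """
    leaks = []
    for cidr in peer_subnets:
        net = ipaddress.ip_network(cidr)
        probes = (net.network_address, net.network_address + 1, net.broadcast_address)
        if any(evaluate(rules, str(p))[0] != "deny" for p in probes):
            leaks.append(cidr)
    return leaks


if __name__ == "__main__":
    employee, guest = parse_acl(EMPLOYEE_ACL), parse_acl(GUEST_ACL)
    print("employee -> guest subnet 10.1.11.37:", evaluate(employee, "10.1.11.37"))
    print("guest -> Agile Controller 10.254.1.100:", evaluate(guest, "10.254.1.100"))
    print("employee ACL leaks guest subnets:", unprotected_subnets(employee, GUEST_SUBNETS))
    print("guest ACL leaks employee subnets:", unprotected_subnets(guest, EMPLOYEE_SUBNETS))
```

Running the isolation check against a subnet the ACL does not list (for example the AP management VLAN 10.1.10.0/24) reports it as unprotected, which is the quick way to see what a post-authentication domain ACL still permits.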
Connect the STA to SSID employeeX or guestX of the AP. Visit 10.254.1.100 using a
web browser, and enter the account and password to log in to the Agile Controller.
Click Resource > Device > Device Management. On the displayed page, click Add on the
right pane.
Configure the device IP address and RADIUS parameters (the device IP address and the IP
address of the Agile Controller must be on the same network segment. In this experiment, the
IP address of interface VLANIF1102 is used as the device IP address).
Enable RADIUS with the authentication key, accounting key, and real-time accounting
interval configured the same as those configured on the AC.
(Optional) Add a device group to facilitate device management and flexible policy delivery.
On the Device Management page, choose Device Group > Access Control, and click .
Click Resource > User > User Management. On the displayed page, click .
Create an employee user group and a guest user group. A guest user group exists by default
and is not used in this experiment.
Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.
Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.
Open the web-based AC, click to test the connectivity between the AC and Agile
Controller.
If the command output contains "Account test succeed", the connection between the AC and
Agile Controller is working, and you can proceed to the subsequent experiments. If the test
times out, check the connectivity between the AC and Agile Controller.
This configuration allows the access of different user groups and accounts within a planned
time range. In this experiment, policy elements are only configured, and are not necessarily all
invoked.
Click Policy > Permission Control > Policy Element > Schedule. On the displayed page,
click Add on the right pane.
For employees, do not set the time range. Set the time range to 8:00 to 18:00, Monday to
Friday, for guests.
In an authentication rule, policy elements are used as match conditions. A user is matched
against the conditions one by one. If multiple authentication rules exist, the user is matched
against them in order of authentication rule priority. If none of the rules match, the
default rule is used.
Add an employee authentication rule.
Configure an employee authentication condition and bind it to user groups.
Select SSIDs.
Access parameters are not selected in this experiment, and must be selected on the live
network. The more access parameters are selected, the longer it takes for user verification.
In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.
Access parameters are not selected in this experiment, and must be selected on the live
network. The more access parameters are selected, the longer it takes for user verification.
In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.
Authentication rules can be configured with different priorities. The rule with a high priority
is matched preferentially. In this experiment, the priority does not need to be configured
because only two rules are created and the priorities are the same.
Add an employee authorization result, and match the result to the employees'
post-authentication domain ACL.
Add a guest authorization result, and match the result to the guests' post-authentication
domain ACL.
The matching condition of the authorization rule is the same as that of the authentication rule.
Therefore, you can configure either rule on the live network.
The configuration for the 802.1X admission control experiment has been completed.
3.4 Verification
You can use a device with a network adapter, such as a mobile phone or a laptop, to verify the
experiment result. In this experiment, an Android mobile phone is used.
Connect the mobile phone to SSID employee1 (account: employee1, password: Admin@123)
and SSID guest1 (account: guest1, password: Admin@123).
View go-online records in RADIUS logs. Check whether the authentication rule and
authorization rule match each other.
#
dhcp enable
#
diffserv domain default
#
vlan 1103
description Connect_to_Controller
#
radius-server template default
radius-server template server1
radius-server shared-key cipher Admin@123
radius-server authentication 10.254.1.100 1812 weight 80
radius-server accounting 10.254.1.100 1813 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group server1
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
acl number 3002
description employee1
rule 1 deny ip destination 10.1.11.0 0.0.0.255
rule 3 deny ip destination 10.1.12.0 0.0.0.255
rule 5 permit ip
acl number 3003
description guest1
rule 1 deny ip destination 10.1.13.0 0.0.0.255
rule 3 deny ip destination 10.1.14.0 0.0.0.255
rule 5 permit ip
#
free-rule-template name default_free_rule
#
free-rule-template name free1
free-rule 1 destination ip 10.254.1.100 mask 255.255.255.0
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
excluded-ip-address 10.1.13.100
#
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
excluded-ip-address 10.1.14.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authentication-scheme auth1
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme acco1
accounting-mode radius
accounting start-fail online
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
description Management VLAN
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif1103
description Connect_to_Controller
ip address 10.254.1.99 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801 1103
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
calibrate enable schedule time 03:00:00
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
security-profile name employee1
security wpa2 dot1x aes
security-profile name guest1
security wpa2 dot1x aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool guest1
ssid-profile guest1
security-profile guest1
authentication-profile dot1x_authen_profile
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
learn-client-address dhcp-strict
ssid-profile employee1
security-profile employee1
authentication-profile dot1x_authen_profile
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
air-scan-profile name wlan-airscan1
scan-period 80
scan-interval 80000
rrm-profile name default
rrm-profile name wlan-net1
band-steer balance start-threshold 15
band-steer balance gap-threshold 25
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name default
radio-2g-profile name radio2g1
dot11bg supported-rate 1 2 5 6 9 11 12 18 24 36 48 54
dot11bg basic-rate 1 2
rrm-profile wlan-net1
air-scan-profile wlan-airscan1
radio-5g-profile name default
radio-5g-profile name radio5g1
rrm-profile wlan-net1
air-scan-profile wlan-airscan1
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g1
vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
radio 1
radio-5g-profile radio5g1
vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
ap-id 1 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
ap-name ap1
ap-group ap-group1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-name ap2
ap-group ap-group1
#
undo ntp-service enable
#
return
<AC6005-1>
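A check a practitioner would run on the configuration above: the following added example (not part of the lab guide or of Huawei's software) scans the SSH secure-algorithms and VTY lines copied from the AC6005-1 configuration for legacy algorithms and for VTYs that accept every inbound protocol, and produces a hardened replacement line for each finding. Which algorithms count as legacy is this example's own policy; `protocol inbound ssh` is the VRP command that restricts a VTY to SSH.

```python
"""Flag legacy SSH algorithms and all-protocol VTY access in an AC
configuration.

Added example for this lab guide (not part of the guide or of Huawei's
software). CONFIG_EXCERPT is copied from the AC6005-1 configuration; the
sets of algorithms treated as legacy are this example's own policy.
"""
import re

CONFIG_EXCERPT = """\
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
"""

# Policy of this example: 64-bit block ciphers, CBC-mode ciphers and MD5 or
# truncated MACs are legacy. The bare 'aes128' keyword is left alone because
# the keyword as listed does not state its mode.
LEGACY = {
    "cipher": {"des", "3des", "aes128_cbc", "aes256_cbc"},
    "hmac": {"md5", "md5_96", "sha1_96"},
}

ALGO_RE = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")


def harden_line(line):
    """Return the same command with legacy algorithms removed, or the line
    unchanged when it is not an ssh secure-algorithms command."""
    m = ALGO_RE.match(line.strip())
    if not m:
        return line
    side, kind, algos = m.groups()
    kept = [a for a in algos.split() if a not in LEGACY[kind]]
    return f"ssh {side} secure-algorithms {kind} {' '.join(kept)}"


def audit(config):
    """Return a list of (line_no, finding, suggested_line) tuples."""
    findings = []
    vty_block = None  # name of the user-interface block we are inside, if a VTY
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ALGO_RE.match(line)
        if m:
            kind, algos = m.group(2), m.group(3).split()
            bad = [a for a in algos if a in LEGACY[kind]]
            if bad:
                findings.append((no, f"legacy {kind} algorithms: {', '.join(bad)}",
                                 harden_line(line)))
            continue
        if line.startswith("user-interface vty"):
            vty_block = line
            continue
        if line.startswith("user-interface"):
            vty_block = None
            continue
        if vty_block and line == "protocol inbound all":
            # 'all' admits every inbound protocol, Telnet included when the
            # Telnet server is enabled; restrict the VTY to SSH.
            findings.append((no, f"{vty_block} accepts all inbound protocols",
                             "protocol inbound ssh"))
    return findings


if __name__ == "__main__":
    for no, finding, fix in audit(CONFIG_EXCERPT):
        print(f"line {no}: {finding}\n    suggested: {fix}")
```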
4.1 Objectives
Learn how to configure authentication on interconnection between the AC and Agile
Controller portal.
Learn how to configure Agile Controller portal authentication.
Verify the configuration of Agile Controller authentication access.
4.2 Plan
Figure 4-1 Experiment topology
Group   AC                  APs
1       AC6005-1–G0/0/1     AP1-G0/0/10, AP2-G0/0/11
2       AC6005-2–G0/0/2     AP3-G0/0/12, AP4-G0/0/13
3       AC6005-3–G0/0/3     AP5-G0/0/14, AP6-G0/0/15
4       AC6005-4–G0/0/4     AP7-G0/0/15, AP8-G0/0/16
5       AC6005-5–G0/0/5     AP9-G0/0/17, AP10-G0/0/18
6       AC6005-6–G0/0/6     AP11-G0/0/19, AP11-G0/0/20
Device: AC6005-X
4.3 Procedure
Figure 4-2 Configuration procedure of the experiment
Set the shared key to that on the Agile Controller, and the portal URL to
http://10.254.1.100:8080/portal.
On the URL Option Settings tab, select SSID and enter ssid. The STA's redirect request then
carries the SSID to the Agile Controller, which delivers a different portal page for each SSID.
Configure the device IP address and RADIUS parameters (the device IP address and the IP
address of the Agile Controller must be on the same network segment. In this experiment, the
IP address of interface VLANIF1102 is used as the device IP address).
Enable RADIUS and set the authentication key, accounting key, and real-time accounting
interval to the same values as those configured on the AC, as in experiment 3.
After RADIUS authentication parameters are configured, enable portal and configure portal
authentication parameters. The portal key must be the same as that on the AC. In this
experiment, the portal key is Admin@123.
Click Resource > User > User Management. On the displayed page, click .
Create an employee user group and a guest user group. A guest user group exists by default
and is not used in this experiment.
Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.
You do not need to create a guest user; guests register themselves with the Agile Controller.
Open the web-based AC, click to test the connectivity between the AC and
Agile Controller.
If the command output contains "Account test succeed", the connection between the AC and
the Agile Controller is working, and you can proceed to the subsequent experiments. If the
test times out, check the connectivity between the AC and the Agile Controller.
For employees, do not set the time range. Set the time range to 8:00 to 18:00, Monday to
Friday, for guests.
Click Policy > Permission Control > Policy Element > SSID. On the displayed page, click
Add on the right pane.
In an authentication rule, policy elements are used as match conditions, and a user is matched
against the conditions one by one. If multiple authentication rules exist, they are tried in order
of authentication rule priority. If no rule matches, the default rule is used.
Add an employee authentication rule.
Configure an employee authentication condition and bind it to user groups.
Select SSIDs.
Access parameters are not selected in this experiment, and must be selected on the live
network. The more access parameters are selected, the longer it takes for user verification.
In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.
Authentication rules can be configured with different priorities. The rule with a high priority
is matched preferentially. In this experiment, the priority does not need to be configured
because only two rules are created and the priorities are the same.
Add an employee authorization result, and match the result to the employees'
post-authentication domain ACL.
Add a guest authorization result, and match the result to the guests' post-authentication
domain ACL.
The matching condition of the authorization rule is the same as that of the authentication rule.
Therefore, you can configure either rule on the live network.
On the guest customization page, select Enable Self-register, and click Next.
Select a template among multiple default authentication templates. In this experiment, the
English account and password authentication template is used.
Customize the Authentication Page tab. On this tab, all images and texts are editable. In this
experiment, the default portal authentication page is used without any editing. After the
customization is complete, click Authentication Success Page on the left pane.
After the modification is complete, skip the User Notice Page tab (retaining the default
configurations), and click Registration Page. You can customize the information guests must
fill in for registration based on live network conditions. In this experiment, basic information,
including Account, Password, Confirm password, and Mobile phone number are selected.
By default, information guests must fill in for registration includes Account, Password,
Confirm password, Name, Email, and Mobile phone number. In this experiment, remove
Name and Email in the drop-down list box.
After the customization is complete, click Registration Success Page. Modify the title, then
click Next to start portal page customization for PCs.
Edit the authentication page on the PC, which is similar to that on the mobile phone. All texts
and images are editable. In this experiment, default settings are used. Click Authentication
Success Page.
After the customization of the Authentication Success Page tab is complete, click
Registration Page, and remove Name and Email. Then, click Registration Success Page.
After portal customization for PCs is complete, you can click Test to check the customization.
In this experiment, click Publish.
Click Next to edit the Authentication Page tab. The portal page for employees does not
include the registration page, which is different from that for guests. In this experiment, retain
default settings of the Authentication Page tab, and click Authentication Success Page.
On the Authentication Success Page tab, add authentication success information and modify
the title.
After Authentication Success Page customization is complete, click Publish. Then, check
the created portal page.
For a portal push policy, at least one push condition must be configured. The condition can be
the STA IP address range, SSID, or AP MAC address. The SSID is used in this experiment.
Select the push page for employees. Select the authentication page, simplifying login of
employees with a fixed account.
Select the push page for guests. Select the registration page.
4.4 Verification
You can use a device with a network adapter, such as a mobile phone or a laptop, to verify the
experiment result. In this experiment, an Android mobile phone is used.
Use the mobile phone to connect to SSIDs employee1 and guest1, in sequence.
Select SSID employee1, as shown in the following figure.
No DNS server exists in this experiment, and domain redirection cannot be performed. You
must enter an IP address within network segment 10.0.0.0, such as 10.1.1.1 in the browser to
open the portal page.
The redirected portal page is the configured authentication page for employees. Enter account
employee1 and password Admin@123, which are configured in experiment 3.
A message is displayed, prompting you to change the password upon the first login.
The guest registration page is displayed by default. Perform guest registration. The mobile
phone number is used as the account by default.
dhcp enable
#
diffserv domain default
#
vlan 1103
description Connect_to_Controller
#
radius-server template default
radius-server template server1
radius-server shared-key cipher Admin@123
radius-server authentication 10.254.1.100 1812 weight 80
radius-server accounting 10.254.1.100 1813 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group
server1
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
acl number 3002
description employee1
rule 1 deny ip destination 10.1.11.0 0.0.0.255
rule 3 deny ip destination 10.1.12.0 0.0.0.255
rule 5 permit ip
acl number 3003
description guest1
rule 1 deny ip destination 10.1.13.0 0.0.0.255
rule 3 deny ip destination 10.1.14.0 0.0.0.255
rule 5 permit ip
#
free-rule-template name default_free_rule
#
free-rule-template name free1
free-rule 1 destination ip 10.254.1.100 mask 255.255.255.0
#
url-template name urlTemplate_0
url http://10.254.1.100:8080/portal
url-parameter ssid ssid
#
web-auth-server portal1
server-ip 10.254.1.100
port 50100
shared-key cipher Admin@123
url-template urlTemplate_0
#
portal-access-profile name portal_access_profile
#
portal-access-profile name portal1
web-auth-server portal1 layer3
#
ip pool ap
gateway-list 10.1.10.1
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif1103
description Connect_to_Controller
ip address 10.254.1.99 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801 1102 to 1103
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
5.1 Objectives
Learn the method of adding, deleting, and managing users on an AD directory server.
Learn the method of configuring a template for connecting the Agile Controller and an
external source.
Learn the method of configuring a template for Agile Controller synchronization scope.
Learn the method of configuring a template for Agile Controller data mapping.
Learn the method of the Agile Controller to synchronize with an external data source.
Verify the synchronization result.
5.2 Plan
Figure 5-1 Experiment topology
After a network is reconstructed, the customer requests an efficient way to build an admission
control system. To address this issue, the Agile Controller is connected to an external data
source and uses the original authentication database, shortening the duration for deploying an
admission control system.
This experiment aims to synchronize user information on the AD directory server to the Agile
Controller using a specific structure.
Figure 5-3 Architecture of the Agile Controller after synchronizing with the AD directory server
5.3 Procedure
Figure 5-4 Procedure for connecting the Agile Controller to an external source
Create five OUs, namely HR, Marketing, Engineering, R&D, and Financial, under OU HZ.
The creation procedure is similar to that for OU HZ, as shown in the following figure.
Create users.
Create users in each OU and set the password.
Create users Ann (HR), Bob (Marketing), Cary (Engineering), David (R&D), and Franklin
(Financial) under each OU as planned.
6.1 Objectives
Understand the basic principle of roaming.
Understand the basic principle of smart roaming.
Learn the configuration method of layer 3 roaming.
Learn the configuration method of smart roaming.
Verify and optimize STA roaming performance.
6.2 Plan
Huawei WLAN layer 3 roaming requires that different APs have different VAPs (different
names and VLANs) but the same SSID, authentication mode, and encryption modes. This
experiment takes groups 1 and 2 as examples to illustrate the experiment plan of layer 3
roaming. Each AC requires an AP.
X indicates the group No. and must be replaced as required, for example, the AP name of
group 1 is employee1.
6.3 Procedure
Figure 6-2 Procedure for configuring an inter-AC roaming experiment
Create VLANIF80X interface on SWA to communicate with the AC. Create interface
Loopback0 to simulate a public network interface. Create VLANIF interfaces to function as
gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA-Vlanif801]quit
[SWA]interface Vlanif 802
[SWA-Vlanif802]ip address 10.1.202.1 24
[SWA]interface LoopBack 0
[SWA-LoopBack0]ip address 100.100.100.100 32
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 20
[SWA-Vlanif20]ip address 10.1.20.1 24
[SWA-Vlanif20]quit
[SWA]interface Vlanif 21
[SWA-Vlanif21]ip address 10.1.21.1 24
[SWA-Vlanif21]quit
[SWA]interface Vlanif 22
Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.
Check the status of configured VLANIF interfaces. The status of the interfaces is Unavailable
because the uplink interface does not allow VLANs to pass.
Configure interface GE0/0/8 to connect to the SWA. The interface allows VLANs to pass.
Click Configuration > AC Config > Interface. On the Interface Attribute tab, click
GigabitEthernet0/0/8.
Check whether the route between the AC and a layer 3 switch is reachable. Log in to the
web-based AC by clicking and entering user account admin and password
admin@huawei.com as indicated by the command prompt.
The IP address of the simulated public network interface on the switch cannot be pinged.
[AC1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
Set the next hop address to the IP address of interface VLANIF801 on the switch.
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms
Configurations on AC2
Click Maintenance > AC Maintenance > Basic. Set Device name to AC2.
Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.
Create VLANs X0 through X2 and VLAN80X.
Check the status of configured VLANIF interfaces. The status of the interfaces is Unavailable
because the uplink interface does not allow VLANs to pass.
Configure interface GE0/0/8 to connect to the SWA. The interface allows VLANs to pass.
Click Configuration > AC Config > Interface. On the Interface Attribute tab, click
GigabitEthernet0/0/8.
Check whether the route between the AC and a layer 3 switch is reachable. Log in to the
web-based AC by clicking and entering user account admin and password
admin@huawei.com as indicated by the command prompt.
The IP address of the simulated public network interface on the switch cannot be pinged.
[AC2]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Set the next hop address to the IP address of interface VLANIF802 on the switch.
Click Configuration > AP Config > AP Group. On the AP Group tab, click Create.
Create an AP group for AC1.
Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.
Configurations on AC2
Create address pools on AC2. The steps are the same as those on AC1 and are not
repeated. After the address pools are created, the following information will be
displayed.
Add APs.
View the information about added APs. Select APs, click Deploy to add them to AP group
employee1, and name them ap1 and ap2 according to their IDs.
The AP status changes from fault to normal. If the AP cannot go online, check the
configuration.
Create VAP profile employeeX, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.
Bind the VAP profile to the AP group. Bind VAP profile employeeX to AP group employeeX,
and apply the VAP profile to radio 0 and radio 1 of the AP. Click AP Group > employee1 >
VAP Configuration, and click Add.
Configure AC2.
Create a security profile.
In a roaming experiment, the SSID on AC2 must be the same as that on AC1.
Bind the VAP profile to the AP group. Bind VAP profile employeeX to AP group employeeX,
and apply the VAP profile to radio 0 and radio 1 of the AP. Click AP Group > employee2 >
VAP Configuration, and click Add.
Configure AC2.
6.4 Verification
In the coverage area of ap1, the STA detects the WLAN with SSID Employee1 and accesses
the WLAN after entering password huawei123. The access information about the STA shows
that the STA with MAC address 683e-345e-7734 is bound to ap1.
Click Monitoring > User > User Statistics > User List.
Perform the ping operation on the STA. Let the user move away from APX to trigger layer 3
roaming. (You can deploy APs far away from each other and let the user move between the
APs. Alternatively, you can adjust the RF power of the AP group to simulate signal weakening.
In this experiment, the second method is used.) Click Configuration > AP Config > AP
Group. On the AP Group tab, click employeeX.
The AP group configuration page is displayed.
When AC1 signals weaken, the STA automatically switches over to AC2. View the user list on
AC2.
According to the roaming records, after radio 0 is switched to the 2.4 GHz frequency band,
the STA automatically switches to the 5 GHz frequency band. This is layer 2 roaming (the STA
roams between radios of the same AP). After the 5 GHz frequency band is disabled, the STA
roams to AC2.
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool AP
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#j'-qKyOhaAb*ib(-I(CW+kZ>:_a5BM*I}@*}M.xQyzx2UP-S}P-ylA$XcF!~%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent sys-info location Hangzhou China
snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#<MQ/T4bN:AYz9x5<mD;;@eW$LUyU3Jb5dG-nK+J7]/+$@cf5M:v^z7I:LO!7%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
excluded-ip-address 10.1.22.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#`-,lQg[[l2!,d#)M[M]TL!1~<B(O|VH0_~1-rGf$^\>3YC&mwK\M4!A=NqAW%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif20
ip address 10.1.20.100 255.255.255.0
dhcp select global
#
interface Vlanif21
ip address 10.1.21.100 255.255.255.0
dhcp select global
#
interface Vlanif22
ip address 10.1.22.100 255.255.255.0
dhcp select global
#
interface Vlanif802
ip address 10.1.202.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.4 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
7.1 Objectives
Learn the methods of backing up and recovering device configurations.
Learn the method of configuring VRRP hot standby.
Learn the method of optimizing VRRP hot standby.
7.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.
X indicates the group No. In a dual-link experiment, X can be set to 1, 3, 5, 7, or 9; X+1 can
be set to 2, 4, 6, 8, or 10.
Item                        Active AC (AC X)              Standby AC (AC X+1)
Management VLAN             VLANIF80X: 10.1.20X.100/24    VLANIF80X: 10.1.20X.200/24
Virtual IP address of the   VLANX0: 10.1.X0.3
service VRRP group          VLANX1: 10.1.X1.3
                            VLANX2: 10.1.X2.3
                            VLANX3: 10.1.X3.3
                            VLANX4: 10.1.X4.3
AP group                    Name: ap-groupX
                            Regulatory domain profile: domainX
                            VAP ID 1: VAP profile guestX
                            VAP ID 2: VAP profile employeeX
7.3 Procedure
Figure 7-2 Configuration procedure
Create VLANIF80X interface on SWA to communicate with the AC. Create a LoopbackX
interface, and set its IP address to 10X.10X.10X.10X to simulate a public network interface.
Create VLANIF interfaces to function as gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA]interface LoopBack 1
[SWA-LoopBack1]ip address 101.101.101.101 32
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 13
[SWA-Vlanif13]ip address 10.1.13.1 24
[SWA-Vlanif13]quit
[SWA]interface Vlanif 14
[SWA-Vlanif14]ip address 10.1.14.1 24
[SWA-Vlanif14]quit
Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.
Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.
Click to configure the gateway IP, address pool interface, and IP address not to
be assigned.
Configure user address pools. VLAN11 and VLAN12 form a guest address pool, and
VLAN13 and VLAN14 form an employee address pool.
Configure IP address pool Guest1.
Check whether the route between the AC and a layer 3 switch is reachable. The following
command output indicates that 100.100.100.100 (the simulated public network interface on
the switch) cannot be pinged.
Log in to the web-based AC by clicking and entering user account admin and
password admin@huawei.com as indicated by the command prompt.
[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Set the next hop address to the IP address of interface VLANIF801 on the switch.
Configure an interface.
Configure a route.
[AC6005-2]
Add APs to the AC in offline mode. You need to obtain the MAC addresses of APs first. You
can query the MAC addresses in the unauthenticated AP list.
Manually add APs based on MAC addresses. Name the two APs AP1 and AP2.
After APs are added, their status will change from fault to config, and then to normal. If the
AP status does not change to normal several minutes after the AP is added, check the
configuration of VLAN, DHCP, and AP authentication.
An AP cannot go online on two ACs simultaneously. Therefore, the AP status on the standby
AC is idle.
Create SSID profiles guestX and employeeX, and set SSIDs to guestX and employeeX,
respectively.
Create VAP profiles guestX and employeeX, set the data forwarding mode to direct
forwarding for the profiles, and bind the security profile and SSID profile to the VAP profile.
Bind the regulatory domain profile and VAP profile to the AP group. When AP group
ap-groupX uses VAP profile guestX, set VAP ID to 1. When AP group ap-groupX uses VAP
profile employeeX, set VAP ID to 2. Radios 0 and 1 on the AP use the configuration of the
VAP profile.
Configure the hot standby function on the active AC. Create HSB service 0 on AC1, and
configure the IP address and port No. of active and standby channels, as well as packet
retransmission times and interval for the service.
Create HSB group 0 on AC1, and bind this group to HSB service 0 and the management
VRRP group.
Enable dual-AC hot standby.
Configure the hot standby function on the standby AC. Create HSB service 0 on AC2,
and configure the IP address and port No. of active and standby channels, as well as
packet retransmission times and interval for the service.
Create HSB group 0 on AC2, and bind this group to HSB service 0 and the management
VRRP group. Select DHCP, User access, and AP for HSB service.
Enable dual-AC hot standby. Configure the status recovery delay for the VRRP group to
30s.
7.4 Verification
7.4.1 Verifying Dual-Link Standby
After the configuration is complete, check the AP status on AC1 and AC2. The AP status on
AC1 is normal and that on AC2 is standby.
Configure AC1.
Configure AC2.
Disconnect AC1 from the switch to cut the connection between the AP and AC1. Check the
AP status on AC2.
because the status recovery delay of the VRRP group is set to 30s and the preemption waiting
time is set to 120s.
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#},0QB%yPG@'>D%9eOOi6Njju(s+Ak)(5G21IpI0;]hbI9Ebo(NQOkJP&Tj1U%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.10.3
vrrp vrid 2 preempt-mode timer delay 120
vrrp vrid 2 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.11.3
vrrp vrid 3 preempt-mode timer delay 120
vrrp vrid 3 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.12.3
vrrp vrid 4 preempt-mode timer delay 120
vrrp vrid 4 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.13.3
vrrp vrid 5 preempt-mode timer delay 120
vrrp vrid 5 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
vrrp vrid 6 virtual-ip 10.1.14.3
vrrp vrid 6 preempt-mode timer delay 120
vrrp vrid 6 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.201.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 120
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.3
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#);IT*AoN7Duhza:nM(pNW$@|&G]1WWPk~>0ap6S;ZhcY9_eAf(>{E96G-F$@%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher %^%#5A==JPO1uSr4z0(^.+uMC#oiE3ab>;3=\KGFAI%.{Tm4O.:8R5H7=#ZuQe>.%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.3
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#C3OmYs6.|9OM-_AxF~i;#&sY"n8UoMFZ-(3=[Hp$mSbyKZZ37.::l]MZ~(pS%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher %^%#.v&6P[:U];ofUWJG$5%%<l"C>R2zx5yAueHQ04/1Ffb(%^QR]O.k5RK.GJJ-%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
service-ip-port local-ip 10.1.201.200 peer-ip 10.1.201.100 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-group 0
track vrrp vrid 1 interface Vlanif801
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ap data-collection enable
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#F'P$$umj&.5>V$NURcdVS0o~WrcR3JuB!hXs+gj#%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#M38HTcd]0HC`*24fFft!^+uQL2Y|p$._k95W'eY%%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase %^%#QG)]TEW(FFB}RmXyf{.WH="WQrd-5N/)rnP#//~*%^%# aes
security-profile name guest1
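The AC configurations in this chapter accept 3DES and CBC-mode SSH ciphers and MD5/SHA-1 HMACs, allow telnet on the vty lines, and carry lab passwords in clear text. The audit script below is an added example and not part of the Huawei lab guide: it walks a constructed excerpt modelled on those dumps and flags such settings; the set of VRP algorithm keywords it treats as weak is an assumption named in the comments.

```python
"""Audit a Huawei VRP-style AC configuration dump for weak management-plane settings."""
import re
from dataclasses import dataclass

# Algorithm keywords treated as weak. Mapping these CLI keywords to algorithms is an
# assumption about VRP naming (aes128 = AES-128-CBC, *_96 = truncated-tag MACs).
WEAK_CIPHERS = {"3des", "des_cbc", "aes128", "aes128_cbc", "aes256_cbc", "arcfour128", "arcfour256"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
# A saved VRP config wraps encrypted secrets in %^%#...%^%# or %@%@...%@%@.
ENCRYPTED = re.compile(r"^(%\^%#|%@%@).*(%\^%#|%@%@)$")

# Constructed sample modelled on the AC dumps in this guide (not a real device output).
SAMPLE_CONFIG = """\
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
aaa
 local-user admin password irreversible-cipher Admin@123
 local-user admin privilege level 15
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#CONSTRUCTED-ENCRYPTED-VALUE%^%#
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher Admin@123
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 ap-system-profile name default
  telnet enable
 ap-system-profile name mesh-sys1
  mesh-role mesh-portal
#
"""


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def audit_config(text):
    """Return the Findings for one config dump, in line order."""
    findings = []
    context = None            # "con", "vty" or "ap-system-profile"
    vty_password_mode = False  # current vty block authenticates with a shared line password
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.strip().split()
        if not tok or tok[0] == "#":          # "#" closes a top-level block
            context, vty_password_mode = None, False
            continue
        if tok[0] == "user-interface":
            context, vty_password_mode = tok[1], False
            continue
        if tok[0] == "ap-system-profile":
            context = "ap-system-profile"
            continue
        # 1. SSH algorithm lists; the AC configures both its server and client side.
        if tok[0] == "ssh" and len(tok) > 4 and tok[2] == "secure-algorithms":
            weak = sorted(set(tok[4:]) & (WEAK_CIPHERS if tok[3] == "cipher" else WEAK_HMACS))
            if weak:
                findings.append(Finding(n, "weak-ssh-" + tok[3], f"{tok[1]} allows {' '.join(weak)}"))
        # 2. Credentials that are not in the platform's encrypted form.
        elif tok[:4] == ["set", "authentication", "password", "cipher"] and len(tok) > 4:
            if not ENCRYPTED.match(tok[4]):
                findings.append(Finding(n, "cleartext-credential", f"line password on {context} is not encrypted"))
        elif tok[0] == "local-user" and "irreversible-cipher" in tok:
            value = tok[tok.index("irreversible-cipher") + 1]
            if not ENCRYPTED.match(value):
                findings.append(Finding(n, "cleartext-credential", f"local-user {tok[1]} password is not encrypted"))
        # 3. Cleartext management channels on the AC and on the APs.
        elif tok[:2] == ["protocol", "inbound"] and len(tok) > 2 and tok[2] in ("telnet", "all") and context == "vty":
            findings.append(Finding(n, "telnet-allowed", f"vty accepts inbound {tok[2]} (cleartext telnet)"))
        elif tok == ["telnet", "enable"] and context == "ap-system-profile":
            findings.append(Finding(n, "ap-telnet-enabled", "AP system profile enables telnet on the AP"))
        # 4. A shared line password that grants full privilege with no per-user AAA.
        elif tok == ["authentication-mode", "password"] and context == "vty":
            vty_password_mode = True
        elif tok[:3] == ["user", "privilege", "level"] and context == "vty" and vty_password_mode:
            if int(tok[3]) >= 15:
                findings.append(Finding(n, "shared-password-privilege", "vty uses a shared password for level-15 access"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'telnet-allowed': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line:>3}  {f.rule:<26} {f.detail}")
```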
8.1 Objectives
Learn the method of configuring dual-link hot standby.
Learn the method of optimizing dual-link hot standby.
8.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.
X indicates the group No. In a dual-link experiment, X can be set to 1, 3, 5, 7, or 9; X+1 can
be set to 2, 4, 6, 8, or 10.
Item                        AC1                         AC2
AC priority                 1                           5
Management VLAN             VLANIF80X: 10.1.20X.100/24  VLANIF80X: 10.1.20X.200/24
Service VLAN                VLANX1: 10.1.X1.100         VLANX1: 10.1.X1.200
  Guest VLAN: X1 and X2     VLANX2: 10.1.X2.100         VLANX2: 10.1.X2.200
  Employee VLAN: X3 and X4  VLANX3: 10.1.X3.100         VLANX3: 10.1.X3.200
                            VLANX4: 10.1.X4.100         VLANX4: 10.1.X4.200
AP group                    Name: ap-groupX
                            VAP ID: 1, VAP profile: guestX, Regulatory domain profile: domainX
                            VAP ID: 2, VAP profile: employeeX, Regulatory domain profile: domainX
8.3 Procedure
8.3.1 Configuring Network Interconnection and Basic WLAN
Services
Configure the switch and AC, as well as basic WLAN services. The operations are the same
as those in experiment 1. Alternatively, if this experiment is carried out in the environment
left by experiment 7, remove the configuration described in section 7.3.8 "Configuring
VRRP-based Dual-AC Hot Standby" instead.
8.4 Verification
Check the AP status on AC1.
Disconnect AC1 from the switch to cut the connection between the AP and AC1. The AP
connects to the standby AC if it does not receive a response from the active AC for three
CAPWAP packet sending periods (25s for each period).
Wait for one minute and 30 seconds.
The AP is registered with AC2, and AC2 provides services for the STA, ensuring service
continuity.
The AP status on AC2 is normal.
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
......
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#
......
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher Admin@123
user-interface vty 16 20
#
return
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.100
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
service-ip-port local-ip 10.1.201.100 peer-ip 10.1.201.200 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ac protect enable protect-ac 10.1.201.200 priority 1
traffic-profile name default
security-profile name guest1
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
#
vlan pool sta-pool1
vlan 11 to 12
vlan pool sta-pool2
vlan 13 to 14
#
dhcp enable
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.201.200
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.200 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.200 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.200 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.200 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.200 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.200
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
9.1 Objectives
Learn the process of configuring a WLAN single-MPP mesh.
Learn how to configure radio and wired port parameters of a WLAN single-MPP mesh.
Learn how to configure the security profile and whitelist of a WLAN single-MPP mesh.
Learn how to configure roles and profiles of a WLAN single-MPP mesh.
Learn how to bind the radio profile and wired port profile to a WLAN single-MPP mesh.
Learn how to bind the AP system profile and mesh profile to a WLAN single-MPP mesh.
Verify WLAN single-MPP mesh configurations.
9.2 Plan
Figure 9-1 Experiment topology
As shown in the figure, AP1 is an MPP, and AP2 and AP3 are MPs.
Group  AC                 AP ports on the switch
1      AC6005-1–G0/0/1    AP1-G0/0/10, AP2-G0/0/11, AP3-G0/0/12
2      AC6005-2–G0/0/2    AP4-G0/0/13, AP5-G0/0/14, AP6-G0/0/15
3      AC6005-3–G0/0/3    AP7-G0/0/16, AP8-G0/0/17, AP9-G0/0/18
4      AC6005-4–G0/0/4    AP10-G0/0/19, AP11-G0/0/20, AP12-G0/0/21
AP Group                 ap-groupX
SSID Profile             SSID profile: employeeX; SSID: employeeX; Service VLAN: 11/12
Security Profile (Same)  Name: mesh-secX; Password: b1234567
VAP Profile              Name: employeeX
9.3 Procedure
Figure 9-2 Configuration procedure
VLANIF configurations
Interface configurations
By default, the next hop address is the IP address of interface VLANIF801 on the switch.
Test the route by pinging the loopback address of the switch from the command console.
9.3.2 Adding an AP
Create AP groups. A mesh experiment requires two AP groups, which is different from other
experiments.
Click Configuration > AP Config > AP Group > AP Group, and click Create.
On the displayed page, set parameters as shown in the following figure.
Add an AP to the AP group. Obtain the MAC address of each AP to be added in advance,
because in a mesh experiment the switch provides PoE power only to the other two APs, so
they cannot be discovered online. You can read the AP MAC address from the label on the
back of the AP or on the switch. In this experiment, the MAC addresses of the three APs are
as follows:
ap1: cccc-8110-2260
ap2: e8bd-d1f7-75c0
ap3: e8bd-d105-8260
Add the AP in offline mode. Click Configuration > AP Config > AP Config > AP Info >
Create AP.
On the displayed page, set parameters as shown in the following figure.
Click Configuration > AP Config > AP Config > AP Info. Select multiple APs, and click
Deploy.
Change AP names. Add AP1 to AP group mesh-mppX and AP2 and AP3 to AP group
mesh-mpX.
Select AP2 and AP3, and click Deploy. Add them to AP group mesh-mp1.
Set Channel frequency to 40+MHz and 157, indicating 157+163 channel bundling. Set
Coverage distance (0.1 km) to 4; the default value is 3.
Click OK.
The parameter setting page for the created wired port profile is displayed.
Assume that service VLANs are VLAN11 and VLAN12. Wired ports of all mesh nodes are
added to VLAN11 and VLAN12 in tagged mode.
Manually add MAC addresses of three APs. Ensure that the entered MAC addresses are
correct.
Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh Profile.
The Mesh Profile List area is displayed on the right pane.
Click Create.
The Create Mesh Profile page is displayed.
Set parameters for the mesh profile. In this experiment, only Mesh ID and Link aging
timeout(s) are configured.
9.4 Verification
After the configuration is complete, click Monitoring > AP > AP List to check whether mesh
nodes go online successfully. If the value of Status is normal, APs have gone online.
Click Monitoring > Mesh&WDS > Mesh Link Information to check mesh link information.
After mesh links are successfully established, you can view detailed information about the
mesh links on the page.
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
description Connected_to_MR
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 12 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14 801
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.100
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@W<lO8}%j9ZW6oc';J*L9'%OG+A]:Xx>!2"IV7W1$7!#G%OJ'%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher %@%@c=TE<vcI4/lBkb"Xp94H'&1x#CVoXhidQ2cM@t&LL#83&1{'%@%@
user-interface vty 16 20
#
return
9.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 12 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool employee1
vlan 11 to 12
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#S&Sj%*k84:WsW3&}4puW'@Y[#k-6>S^4gwH,0,Q2DD8`!:D-f(2Z&!/i*6\A%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#.xrh@g'4L,l*3S*2R"a>K<RZ>"VOsU~XrV&i_2#!eZ<G8\D_]5TG`}DASHwI%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher %^%#7&lg4uEAy+5s&l!miN-Qos*v2n>r<XA"|~Rz>/e=@&(T5@p{KSW_:*VV,}G6%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
ap-name ap1
ap-group mesh-mpp1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-75c0 ap-sn 2102354196W0DC003017
ap-name ap2
ap-group mesh-mp1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-8260 ap-sn 2102354196W0DC003765
ap-name ap3
ap-group mesh-mp1
#
undo ntp-service enable
#
return
10.1 Objectives
Learn the process of configuring a WLAN dual-MPP mesh.
Learn how to configure radio and wired port parameters of a WLAN dual-MPP mesh.
Learn how to configure the security profile and whitelist of a WLAN dual-MPP mesh.
Learn how to configure roles and profiles of a WLAN dual-MPP mesh.
Learn how to bind the radio profile and wired port profile to a WLAN dual-MPP mesh.
Learn how to bind the AP system profile and mesh profile to a WLAN dual-MPP mesh.
Verify WLAN dual-MPP mesh configurations.
10.2 Plan
Figure 10-1 Experiment topology
Group  AC                 AP ports on the switch
1      AC6005-1–G0/0/1    AP1-G0/0/10, AP2-G0/0/11, AP3-G0/0/12, AP4-G0/0/13
2      AC6005-2–G0/0/2    AP5-G0/0/14, AP6-G0/0/15, AP7-G0/0/15, AP8-G0/0/16
3      AC6005-3–G0/0/3    AP9-G0/0/17, AP10-G0/0/18, AP11-G0/0/19, AP12-G0/0/20
AP Group                 ap-groupX
SSID Profile             SSID name: employeeX; SSID: employeeX; Service VLAN: 11/12
Security Profile (Same)  Name: mesh-secX; Password: b1234567
VAP Profile              Name: employeeX
10.3 Procedure
Figure 10-2 Configuration procedure
VLANIF configurations
Interface configurations
Configure the static route. Set the next hop address to the IP address of interface VLANIF801
on the switch.
Test the route. Enter the console and ping the loopback IP address of the switch.
10.3.2 Adding an AP
Create AP groups. A mesh experiment requires two AP groups, which is different from other
experiments.
Click Configuration > AP Config > AP Group > AP Group, and click Create.
On the displayed page, set parameters as shown in the following figure.
Click Configuration > AP Config > AP Config > AP Info. Select multiple APs, and click
Deploy.
Change AP names. Add AP1 and AP2 to AP group mesh-mppX and AP3 and AP4 to AP group
mesh-mpX.
Set Channel frequency to 40+MHz and 157, indicating 157+163 channel bundling. Set
Coverage distance (0.1 km) to 4; the default value is 3.
Click OK.
The parameter setting page for the created wired port profile is displayed.
This example assumes that the service VLAN is VLAN11 and VLAN12. Wired ports of all
mesh nodes are added to VLAN11 and VLAN12 in tagged mode.
Manually add MAC addresses of four APs. Ensure that the entered MAC addresses are
correct.
Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh Profile.
The Mesh Profile List area is displayed on the right pane.
Click Create.
The Create Mesh Profile page is displayed.
10.4 Verification
After the configuration is complete, click Monitoring > AP > AP List to check whether mesh
nodes go online successfully. If the value of Status is normal, APs have gone online.
Click Monitoring > Mesh&WDS > Mesh Link Information to check mesh link information.
After mesh links are successfully established, you can view detailed information about the
mesh links on the page.
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14 801
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.100
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher Admin@123
user-interface vty 16 20
#
return
10.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 12 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool employee1
vlan 11 to 12
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#9_3KC<KAK+ok/kP=Z+FQ-oMU~B,cE(7!xK6&e:*=%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#MZsH9|j+[F3==a5hVn@3rkx2JhzAFRTS9g6!;%qX%^%# aes
security-profile name mesh-sec1
security wpa2 psk pass-phrase b1234567 aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-whitelist-profile name mesh-list1
peer-ap mac cccc-8110-22c0
peer-ap mac e8bd-d1f7-79c0
peer-ap mac e8bd-d105-9120
peer-ap mac e8bd-d1f7-9dc0
mesh-profile name mesh1
security-profile mesh-sec1
mesh-id mesh1
link-aging-time 30
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
telnet enable
ap-system-profile name mesh-sys1
mesh-role mesh-portal
provision-ap
port-link-profile name default
wired-port-profile name default
wired-port-profile name wired-port1
vlan tagged 11 to 12
ap-group name default
ap-group name mesh-mp1
ap-system-profile mesh-sys1
wired-port-profile wired-port1 gigabitethernet 0
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp1
ap-system-profile mesh-sys1
wired-port-profile wired-port1 gigabitethernet 0
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
channel 40mhz-plus 157
coverage distance 4
ap-id 0 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
ap-name ap1
ap-group mesh-mpp1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-75c0 ap-sn 2102354196W0DC003017
ap-name ap2
ap-group mesh-mpp1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-8260 ap-sn 2102354196W0DC003765
ap-name ap3
ap-group mesh-mp1
ap-id 3 type-id 19 ap-mac e8bd-d1f7-7560 ap-sn 2102354196W0DC003012
ap-name ap4
ap-group mesh-mp1
#
undo ntp-service enable
#
return