Recommendations

• Huawei Learning Website
  http://learning.huawei.com/en
• Huawei e-Learning
  https://ilearningx.huawei.com/portal/#/portal/ebg/51
• Huawei Certification
  http://support.huawei.com/learning/NavigationAction!createNavi?navId=_31&lang=en
• Find Training
  http://support.huawei.com/learning/NavigationAction!createNavi?navId=_trainingsearch&lang=en

More Information
• Huawei learning APP

Copyright © 2019 Huawei Technologies Co., Ltd.


Huawei WLAN Certification Training
Experiment Guide for
HCIP-WLAN-CEWA (Web-based)

Issue 1.00

Date 2016-03-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 1.00 (2016-03-15) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
Huawei WLAN Certification Training
Experiment Guide for HCNP-WLAN-CEWA (Web-based) Introduction to Huawei Certification

Introduction to Huawei Certification

Huawei certification provides customers with practical and professional technical certification
based on its technical strength and professional training systems, meeting customers'
requirements on WLAN technologies at different levels.
Huawei certification provides customers with a four-level certification system based on
WLAN technology characteristics and customer requirements.
Huawei Certified Network Professional-Wireless Local Area Network (HCIP-WLAN) is
intended for all WLAN engineers. Engineers who pass the certification have demonstrated the
following capabilities:
• Have comprehensive knowledge of medium- and large-sized WLANs.
• Understand WLAN theories and principles.
• Can independently plan and deploy different types of WLANs for medium- and
large-sized enterprises using Huawei WLAN devices.
• Are capable of maintaining and managing a WLAN to ensure stable and reliable
operation.
Huawei certification helps you start a WLAN-related career and gain overall recognition.

About This Document

Overview
This document is an HCIP-WLAN-CEWA training course intended for trainees preparing for
HCIP-WLAN-CEWA examinations and readers interested in WLAN technologies. CEWA is
short for Constructing Enterprise WLAN Architecture. The topics cover large-scale WLAN
networking, secure access, high-reliability networking, advanced WLAN technologies,
antenna systems, WLAN network planning and optimization, and related troubleshooting.

Contents
The document includes five modules, covering 10 experiments, and describes configuration
and implementation of large-scale WLAN networking, radio resource management, secure
access, highly reliable networking, layer 3 roaming, and mesh technology.
• Module 1
It includes experiments 1 and 2, and describes how to establish a large-scale WLAN
networking environment and perform radio calibration. This module helps you get
familiar with the HCIP-WLAN experiment environment, and master the large-scale
WLAN networking configuration and radio calibration method.
• Module 2
It includes experiments 3, 4, and (optional) 5, and describes how to deploy secure
WLAN connections and configure the Agile Controller. This module helps you get
familiar with Agile Controller's application in WLAN environment, understand its basic
functions, and learn its configuration method of admission control.
• Module 3
It includes experiment 6, and provides the experiment guide for roaming technologies in
large-scale WLAN networking. This module helps you learn how to configure the
roaming function in large enterprise networks.
• Module 4
It includes experiments 7 and 8, introduces high-reliability configurations in WLANs,
and describes how to use the dual-AC hot-backup method to ensure WLAN availability.
This module helps you master the method of performing WLAN high-reliability
configurations and get familiar with WLAN redundancy technologies.
• Module 5
It includes experiments 9 and 10 (single-MPP and dual-mesh configurations), and
describes how to use the mesh technology to implement the WLAN relay function. This
module helps you master WLAN networking methods in special scenarios.

Intended Audience
This document is intended for:
• Engineers preparing for HCNA-WLAN examinations.
• People who have grasped WLAN knowledge, and are familiar with Huawei switching
devices and basic data communication knowledge.

Common Icons

Introduction to the Experiment Environment

Networking
The experiment environment is intended for wireless engineers preparing for
HCIP-WLAN-CEWA examinations. Each experiment environment includes two to six ACs,
two to 12 APs, one core switch, one eSight server, one Agile Controller, and one AD server,
and is suitable for four to 12 trainees.

Devices
The following table lists recommended devices for each experiment environment to meet
HCIP-WLAN-CEWA experiment requirements.

Device        Model                  Software Version
Core switch   S3700-28TP-PWR-EI      Version 5.70 (S3700 V100R005C01SPC100)
              or S5700-28C-PWR-EI    Version 5.130 (S5700 V200R003C00SPC300)
AC            AC6005-26-PWR          V200R006C10SPC100
AP            AP6010DN-AGN           V200R006C10SPC100

Experiment Environment Preparation

Checking Whether All Devices Are Available


Before starting the experiment, check whether all required devices are ready. The following
table lists the required devices.

Device                          Quantity             Remarks
AD server                       1                    Shared by all groups
Agile Controller server         1                    Shared by all groups
Huawei 3700PoE/5700PoE switch   1                    Shared by all groups
AC6005                          One for each group
AP6010DN                        Two for each group
Laptop or desktop computer      One for each group   A desktop computer requires a network adapter.
Twisted pair                    Four for each group  The twisted pair must be at least 2 meters long.
Console cable                   One for each group

Each group must check whether the following devices are ready:
• One AC6005
• Two AP6010DNs
• One laptop or desktop computer
• Four twisted pairs
• One console cable

Experiment Topology

Figure 0-1 Experiment topology

Key points of bypass topology establishment:
• For group 1, port 8 of AC1 is connected to port 1 of the switch. AP1 is connected to port
10 of the switch. AP2 is connected to port 11 of the switch.
• For group 2, port 8 of AC2 is connected to port 2 of the switch. AP3 is connected to port
12 of the switch. AP4 is connected to port 13 of the switch.
• For group 3, port 8 of AC3 is connected to port 3 of the switch. AP5 is connected to port
14 of the switch. AP6 is connected to port 15 of the switch.
• The same rule applies to all other groups.
• For group 6, port 8 of AC6 is connected to port 6 of the switch. AP11 is connected to
port 20 of the switch. AP12 is connected to port 21 of the switch.

Preparations Before Configuration


Before logging in to the web-based AC, ensure the following conditions are met:
• The access port of the AC has been configured with an IP address. The IP address is
169.254.1.1/16 by default.
• The PC is connected to the AC network. The PC is connected to the management port
(interface VLANIF1 of the AC6005) of the AC using an Ethernet cable. The IP address
of the PC must be on the same network segment as that of the device (such as
169.254.1.2/16).
• The device is running properly with HTTP and HTTPS services correctly configured.
• A browser has been installed on the PC terminal. (The Firefox browser is recommended
because other browsers may not support the command console.)

Before delivery, the MEth0/0/1 port of the AC6605 is configured with IP address 169.254.1.1
and subnet mask 255.255.0.0.
Before delivery, the MEth0/0/1 port of the ACU2 is configured with IP address 169.254.1.1
and subnet mask 255.255.0.0.
Before delivery, VLANIF1 of the AC6005 is configured with IP address 169.254.1.1 and
subnet mask 255.255.0.0. AC6005 ports GE0/0/1 to GE0/0/8 have been added to VLAN1 by
default.
The device has been configured with HTTP and HTTPS services at delivery. The default
service port No. is 80 for HTTP services and 443 for HTTPS services. The default user name
is admin, and the default password is admin@huawei.com.

Figure 0-2 Web-based AC topology (AC6005)

Perform the following steps to log in to the AC:


Step 1 Open the browser on the PC. Enter http://169.254.1.1 or https://169.254.1.1 in the address
bar. (169.254.1.1 is the default IP address of VLANIF1. In actual use, enter the IP address of
the access port for logging in to the AC). Press Enter.
The login page of the web-based AC is displayed.
Step 2 Specify Language. Chinese and English are supported. By default, the browser language is
selected.
Enter the user name and password. The default user name is admin, and the default password
is admin@huawei.com.
Click Login.
An operation interface is displayed.

Change the password upon the first login. This document uses Admin@123 as the example
new password.

Enter the new password.

Step 3 After logging in to the web-based AC, click at the upper-right corner.
The command-line interface (CLI) is displayed. You can enter command lines to manage and
maintain the device. The login password is Admin@123. (The Firefox browser is
recommended. If the browser cannot run, select Enable for Allow previously unused
ActiveX controls to run without prompt in the Internet Options dialog box, as shown in
the following figure.)

If the Internet Explorer browser is used, the CLI is displayed only after Allow previously unused
ActiveX controls to run without prompt is set to Enable or Prompt.
On the menu bar of the browser, choose Tools > Internet Options > Security, and click Custom Level.
On the displayed page, select Enable or Prompt for Allow previously unused ActiveX controls to run
without prompt.

----End

AC Configuration Removal
Trainees must remove previously saved configurations after the experiment is complete and
before devices are turned off, so that the configurations do not affect the next
experiment. In addition, trainees must confirm that the device is not configured before an
experiment starts. If the device has been configured, remove the configurations and then
restart the device.
On the CLI, enter the password Admin@123 to log in to the AC.
Login authentication
Password:Admin@123
<AC6005>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.

Enter reboot to restart the AC.


<AC6005>reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Contents

Introduction to Huawei Certification
About This Document
Introduction to the Experiment Environment
Experiment Environment Preparation

1 Experiment 1: Large-Scale WLAN Networking
1.1 Objectives
1.2 Plan
1.3 Procedure
1.3.1 Overall Procedure
1.3.2 Configuring a Switch
1.3.3 Configuring Basic AC Parameters
1.3.4 Configuring AP Authentication and Interconnection Between the AC and AP
1.3.5 Configuring WLAN Service Parameters
1.4 Verification
1.4.1 Checking the VAP List
1.4.2 Terminal Connection Test
1.5 Reference Configuration
1.5.1 SWA Configuration
1.5.2 AC Configuration

2 Experiment 2: WLAN Radio Resource Management
2.1 Objectives
2.2 Plan
2.3 Configuring Radio Calibration
2.3.1 Enabling Radio Calibration
2.4 Verifying the Configuration
2.5 Configuring Dynamic Load Balancing
2.5.1 Enabling Dynamic Load Balancing
2.5.2 Verification
2.6 Configuring Band Steering
2.6.1 Enabling Band Steering
2.7 Reference Configuration

3 Experiment 3: Secure WLAN Access Deployment – 802.1X Admission Control
3.1 Objectives
3.2 Plan
3.3 Procedure
3.3.1 Configuring Basic AC Parameters
3.3.2 Configuring the AC as the RADIUS Client
3.3.3 Creating an ACL
3.3.4 Configuring Agile Controller Route Connectivity
3.3.5 Configuring an Access Device
3.3.6 Configuring Authentication Users
3.3.7 Configuring Policy Elements
3.3.8 Configuring an Authentication Rule
3.3.9 Configuring an Authorization Result
3.3.10 Configuring an Authorization Rule
3.4 Verification
3.5 Reference Configuration

4 Experiment 4: Secure WLAN Access Deployment – Portal Admission Control
4.1 Objectives
4.2 Plan
4.3 Procedure
4.3.1 Configuring Basic AC Parameters
4.3.2 Configuring the AC as the RADIUS Client
4.3.3 Creating an External Portal Server
4.3.4 Configuring the Agile Controller
4.3.5 Configuring Authentication Users
4.3.6 Configuring Policy Elements
4.3.7 Configuring an Authentication Rule
4.3.8 Configuring an Authentication Result
4.3.9 Configuring an Authorization Rule
4.3.10 Customizing the Portal Page
4.3.11 Configuring a Portal Page Push Policy
4.4 Verification
4.5 Reference Configuration

5 Experiment 5: Interconnection Between the Agile Controller and an External Source
5.1 Objectives
5.2 Plan
5.3 Procedure
5.3.1 Configuring an AD Directory Server
5.3.2 Configuring Connection Parameters
5.3.3 Configuring the Synchronization Mode

5.3.4 Configuring the Data Structure
5.3.5 Configuring the Synchronization Scope
5.3.6 Synchronizing User Information
5.4 Verifying the Synchronization Result

6 Experiment 6: Inter-AC Roaming in Large-Scale WLAN Networking
6.1 Objectives
6.2 Plan
6.3 Procedure
6.3.1 Configuring a Switch
6.3.2 Configuring Basic AC Parameters
6.3.3 Creating an AP Group
6.3.4 Configuring AP Online Parameters
6.3.5 Configuring WLAN Service Parameters
6.3.6 Configuring Layer 3 Roaming
6.4 Verification
6.5 Reference Configuration
6.5.1 AC1 Configuration
6.5.2 AC2 Configuration

7 Experiment 7: VRRP-based AC Hot Standby
7.1 Objectives
7.2 Plan
7.3 Procedure
7.3.1 Configuring a Switch
7.3.2 Configuring Basic Information About AC1
7.3.3 Configuring Basic Information About AC2
7.3.4 Creating an AP Group
7.3.5 Configuring AP Online Parameters
7.3.6 Configuring WLAN Service Parameters
7.3.7 Checking the VAP Status
7.3.8 Configuring VRRP-based Dual-AC Hot Standby
7.4 Verification
7.4.1 Verifying Dual-Link Standby
7.4.2 Verifying Dual-Link Switchback
7.5 Reference Configuration
7.5.1 AC1 Configuration
7.5.2 AC2 Configuration

8 (Optional) Experiment 8: Dual-Link-based AC Hot Standby
8.1 Objectives
8.2 Plan
8.3 Procedure
8.3.1 Configuring Network Interconnection and Basic WLAN Services

Issue 1.00 (2016-03-15) Huawei Proprietary and Confidential xiv


Copyright © Huawei Technologies Co., Ltd.
Huawei WLAN Certification Training
Experiment Guide for HCNP-WLAN-CEWA (Web-based) Contents

8.3.2 Configuring Dual-Link Standby ............................................................................................................................ 278 


8.4 Verification ............................................................................................................................................................... 279 
8.4.1 Verifying Dual-Link Switchback ........................................................................................................................... 281 
8.5 Reference Configuration ........................................................................................................................................... 281 
8.5.1 SWA Configuration ................................................................................................................................................ 281 
8.5.2 AC1 Configuration................................................................................................................................................. 283 
8.5.3 AC2 Configuration................................................................................................................................................. 286 

9 Experiment 9: Single-MPP Mesh Configurations .............................................................. 291 


9.1 Objectives ................................................................................................................................................................. 291 
9.2 Plan ........................................................................................................................................................................... 292 
9.3 Procedure .................................................................................................................................................................. 293 
9.3.1 Performing Basic Mesh Configurations................................................................................................................. 293 
9.3.2 Adding an AP ......................................................................................................................................................... 296 
9.3.3 Configuring Radio Parameters Used by the Mesh Node ....................................................................................... 299 
9.3.4 Configuring Wired Port Parameters for the AP ..................................................................................................... 301 
9.3.5 Configuring a Security Profile ............................................................................................................................... 302 
9.3.6 Configuring a Mesh Whitelist ................................................................................................................................ 303 
9.3.7 Configuring Mesh Roles ........................................................................................................................................ 305 
9.3.8 Binding the Mesh Whitelist Profile to AP Radios.................................................................................................. 307 
9.3.9 Binding a Wired Port Profile to AP Groups ........................................................................................................... 308 
9.3.10 Binding an AP System Profile to an AP Group .................................................................................................... 309 
9.3.11 Binding a Mesh Profile to AP Groups.................................................................................................................. 309 
9.4 Verification ............................................................................................................................................................... 310 
9.5 Reference Configuration ........................................................................................................................................... 311 
9.5.1 SWA Configuration ................................................................................................................................................ 311 
9.5.2 AC Configuration................................................................................................................................................... 313 

10 (Optional) Experiment 10: Dual-MPP Mesh Configurations ......................................... 318 


10.1 Objectives ............................................................................................................................................................... 318 
10.2 Plan ......................................................................................................................................................................... 319 
10.3 Procedure ................................................................................................................................................................ 320 
10.3.1 Performing Basic Mesh Configurations............................................................................................................... 320 
10.3.2 Adding an AP ....................................................................................................................................................... 323 
10.3.3 Configuring Radio Parameters Used by the Mesh Node ..................................................................................... 327 
10.3.4 Configuring Wired Port Parameters for the AP ................................................................................................... 329 
10.3.5 Configuring a Security Profile ............................................................................................................................. 330 
10.3.6 Configuring a Mesh Whitelist .............................................................................................................................. 331 
10.3.7 Configuring Mesh Roles ...................................................................................................................................... 333 
10.3.8 Binding the Mesh Whitelist Profile to AP Radios................................................................................................ 335 
10.3.9 Binding a Wired Port Profile to AP Groups ......................................................................................................... 336 
10.3.10 Binding an AP System Profile to an AP Group .................................................................................................. 337 
10.3.11 Binding a Mesh Profile to AP Groups ................................................................................................................ 337 

Issue 1.00 (2016-03-15) Huawei Proprietary and Confidential xv


Copyright © Huawei Technologies Co., Ltd.
Huawei WLAN Certification Training
Experiment Guide for HCNP-WLAN-CEWA (Web-based) Contents

10.4 Verification ............................................................................................................................................................. 338 


10.5 Reference Configuration ......................................................................................................................................... 339 
10.5.1 SWA Configuration .............................................................................................................................................. 339 
10.5.2 AC Configuration................................................................................................................................................. 342 


1 Experiment 1: Large-Scale WLAN Networking

1.1 Objectives
• Learn how to configure an authentication AP to go online.
• Understand various wireless configuration profiles.
• Learn basic WLAN configuration processes.
• Learn the configuration of the wireless service set for open-system authentication.
• Learn the large-scale WLAN networking mode.

1.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.


Figure 1-1 Experiment topology

| Group No. | AC–Switch Port | AP-Switch Port |
|---|---|---|
| 1 | AC6005-1–G0/0/1 | AP1-G0/0/10, AP2-G0/0/11 |
| 2 | AC6005-2–G0/0/2 | AP3-G0/0/12, AP4-G0/0/13 |
| 3 | AC6005-3–G0/0/3 | AP5-G0/0/14, AP6-G0/0/15 |
| 4 | AC6005-4–G0/0/4 | AP7-G0/0/15, AP8-G0/0/16 |
| 5 | AC6005-5–G0/0/5 | AP9-G0/0/17, AP10-G0/0/18 |
| 6 | AC6005-6–G0/0/6 | AP11-G0/0/19, AP12-G0/0/20 |

| Trainee Group X | AC Configuration |
|---|---|
| Console Port Login Password | Admin@123 |
| Device | AC6005-X |
| AP Management VLAN | VLAN: X0; IP: 10.1.X0.100 |
| Service VLAN (Guest) | VLAN: X1 and X2; IP: 10.1.X1.100-10.1.X2.100 |
| Service VLAN (Employee) | VLAN: X3 and X4; IP: 10.1.X3.100-10.1.X4.100 |
| AC Source Port | VLANIF80X; IP: 10.1.20X.100 |
| AC Port Connecting to the Switch | GE0/0/8; VLANs X0 through X2 and VLAN80X can pass the trunk interface. |
| AP Group | ap-groupX |
| AP Group (VAP ID: 1) | VAP profile: guestX; Regulatory domain profile: domainX |
| AP Group (VAP ID: 2) | VAP profile: employeeX; Regulatory domain profile: domainX |
| SSID Profile | Name: guestX; SSID name: guestX |
| SSID Profile | Name: employeeX; SSID name: employeeX |
| Security Profile | Name: guestX; Security policy: open authentication |
| Security Profile | Name: employeeX; Security policy: WPA2+PSK+AES; Password: b1234567 |
| VAP Profile | Name: guestX; Forwarding mode: tunnel forwarding; Service VLAN pool: Guest; Referenced profiles: SSID profile guestX and security profile guestX |
| VAP Profile | Name: employeeX; Forwarding mode: direct forwarding; Service VLAN pool: Employee; Referenced profiles: SSID profile employeeX and security profile employeeX |

Topology: layer 3 bypass topology
In this experiment, the PC uses IP address 169.254.1.2 to log in to the web-based AC.


1.3 Procedure
1.3.1 Overall Procedure
Figure 1-2 Configuration procedure of large-scale WLAN networking

1. Configure the access switch: enable layer 2 or layer 3 interconnection between the AP and AC.
2. Create an AP group.
3. Configure the AP going online (configure AC management on APs):
   • Configure the DHCP server function of the AC.
   • Create a regulatory domain profile.
   • Configure the country code of the AC.
   • Configure the authentication mode for the AP.
   • Configure the AC source port (for establishing a tunnel with the AP).
4. Configure the VAP profile (WLAN service parameters): configure the security profile and the SSID profile, which the VAP profile refers to, then configure the VAP profile.
5. Bind the profile to the AP group (WLAN service parameters): bind the regulatory domain profile and VAP profile to the AP group, which refers to them.

1.3.2 Configuring a Switch


Configure access switch SWA. Add GE0/0/10 and GE0/0/11 to VLANX0 (management
VLAN) and set the port VLAN ID (PVID) to VLANX0. Add port GE0/0/1 to VLANs X0
through X4, VLAN80X, and VLAN1102. VLAN1102 is used for SWA to connect to the Agile
Controller and can be set as required to ensure that the route between SWA and the Agile
Controller is reachable.
<Quidway>system-view
[Quidway]sysname SWA
[SWA]vlan batch 10 to 14 801 1102
[SWA]interface GigabitEthernet 0/0/10
[SWA-GigabitEthernet0/0/10]port link-type trunk
[SWA-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 14
[SWA-GigabitEthernet0/0/10]quit
[SWA]interface GigabitEthernet 0/0/11
[SWA-GigabitEthernet0/0/11]port link-type trunk
[SWA-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 14
[SWA-GigabitEthernet0/0/11]quit
[SWA]interface GigabitEthernet 0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 14 801 1102
[SWA-GigabitEthernet0/0/1]quit
[SWA]interface GigabitEthernet 0/0/23
[SWA-GigabitEthernet0/0/23]port link-type trunk
[SWA-GigabitEthernet0/0/23]port trunk allow-pass vlan 1102
[SWA-GigabitEthernet0/0/23]quit

Create interface VLANIF80X on SWA to communicate with the AC. Create a LoopbackX
interface, and set its IP address to 10X.10X.10X.10X to simulate a public network interface.
Create VLANIF interfaces to function as gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA-Vlanif801]quit
[SWA]interface LoopBack 1
[SWA-LoopBack1]ip address 101.101.101.101 32
[SWA-LoopBack1]quit
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 13
[SWA-Vlanif13]ip address 10.1.13.1 24
[SWA-Vlanif13]quit
[SWA]interface Vlanif 14
[SWA-Vlanif14]ip address 10.1.14.1 24
[SWA-Vlanif14]quit

1.3.3 Configuring Basic AC Parameters


• Naming an AC
Click Maintenance > AC Maintenance > Basic. Set Device name to AC6005-1. Click
Apply.


• Configuring VLANs
Click Configuration > AC Config > VLAN.
The VLAN configuration page is displayed.
Click Batch Create.

Create VLANs X0 through X4 and VLAN80X.


Configure IP addresses of the layer 3 interfaces corresponding to the VLANs.

Configure VLANIF10.

Configure VLANIF11.


Configure VLANIF12.

Configure VLANIF13.


Configure VLANIF14.

Configure VLANIF801.

Check the configured VLANIF interfaces.


Configure a VLAN pool. Set VLAN assignment mode to Hash.

Configure VLAN IDs for a guest VLAN pool.


Configure VLAN IDs for an employee VLAN pool.

Check the created VLAN pools.

• Configure a DHCP address pool.


Click Configuration > AC Config > IP > DHCP Address Pool. Set DHCP status to ON to
enable the DHCP function, and click Create to create a DHCP address pool.

The subnet mask is a 24-bit mask.

Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.


Click to configure the gateway IP addresses.

Configure the IP addresses that cannot be assigned.

Configure the address pool interface.

Configure user address pools. VLAN11 and VLAN12 form a guest address pool, and
VLAN13 and VLAN14 form an employee address pool.


Configure the subnet address for address pool sta1.

Configure the gateway IP address for address pool sta1.

Configure the IP addresses that cannot be assigned in address pool sta1.

Configure the interface for address pool sta1.

Configure the subnet address for address pool sta2.


Configure the gateway IP address for address pool sta2.

Configure the IP addresses that cannot be assigned in address pool sta2.

Configure the interface for address pool sta2.

Configure the subnet address for address pool sta3.


Configure the gateway IP address for address pool sta3.

Configure the IP addresses that cannot be assigned in address pool sta3.

Configure the interface for address pool sta3.

Configure the subnet address for address pool sta4.


Configure the gateway IP address for address pool sta4.

Configure the IP addresses that cannot be assigned in address pool sta4.

Configure the interface for address pool sta4.

Check the created address pools.
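The Option 43 setting required for the AP address pool tells each AP, through DHCP, where its AC is, so it is worth checking that offers on the management VLAN advertise only the intended AC. The following is an added example, not part of the guide: it encodes the value the lab uses (`option 43 sub-option 3 ascii 10.1.201.100`, the AC source address for group 1) and checks a received payload against an approved AC list. It assumes the payload uses the encapsulated sub-option layout of RFC 2132 (one-byte code, one-byte length, value); the function names and the sample payloads are constructed for illustration.

```python
import ipaddress

# Sub-option number from the lab's AP pool: "option 43 sub-option 3 ascii 10.1.201.100".
AC_LIST_ASCII = 3


def build_option43(ac_addresses):
    """Encode AC addresses as one sub-option: code, length, comma-separated ASCII."""
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)  # raises ValueError on anything that is not IPv4
    value = ",".join(ac_addresses).encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("value must fit a one-byte length field")
    return bytes([AC_LIST_ASCII, len(value)]) + value


def parse_option43(payload):
    """Split an Option 43 payload into {code: value}; reject truncated sub-options."""
    subopts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad byte
            i += 1
            continue
        if code == 255:      # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("sub-option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subopts[code] = value
        i += 2 + length
    return subopts


def advertised_acs(payload):
    """Return the AC addresses an AP would learn from this payload."""
    raw = parse_option43(payload).get(AC_LIST_ASCII)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(a.strip()))
            for a in raw.decode("ascii").split(",")]


def check_offer(payload, approved_acs):
    """Compare a DHCP offer's Option 43 with the approved AC list; [] means clean."""
    try:
        acs = advertised_acs(payload)
    except ValueError as exc:  # also covers malformed addresses and non-ASCII bytes
        return ["malformed Option 43: %s" % exc]
    if not acs:
        return ["no AC address advertised in sub-option %d" % AC_LIST_ASCII]
    return ["unapproved AC address advertised: %s" % a
            for a in acs if a not in approved_acs]


if __name__ == "__main__":
    approved = {"10.1.201.100"}              # AC source address (VLANIF801), group 1
    lab = build_option43(["10.1.201.100"])
    other = build_option43(["10.1.10.66"])   # constructed: offer from an unplanned DHCP server
    print(lab.hex())
    print(check_offer(lab, approved))
    print(check_offer(other, approved))
    print(check_offer(lab[:6], approved))    # constructed: truncated payload
```

A non-empty result for an offer seen on the AP management VLAN means some DHCP server is steering APs to an address other than the planned AC, or is sending a payload the AP cannot use.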


Configure interface GigabitEthernet0/0/8 to connect to the switch.


Click Configuration > AC Config > Interface > Interface Attribute. Click
GigabitEthernet0/0/8.
The interface configuration page is displayed.


Check the configuration of interface GigabitEthernet0/0/8.

Check whether the route between the AC and a layer 3 switch is reachable. The following
command output indicates that 100.100.100.100 (the simulated public network interface on
the switch) cannot be pinged.

Log in to the web-based AC by clicking and entering user account admin and
password admin@123 as indicated by the command prompt.
[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

Configure a static route for the switch.


Click Configuration > AC Config > IP > Route > Static Route Configuration Table.
The static route configuration page is displayed.


In the Static Route Configuration Table area, click Create. In the displayed Create Static
Route dialog box, specify the parameters as required to configure the static route.

Set the next hop address to the IP address of interface VLANIF801 on the switch.

IP address 100.100.100.100 can be pinged.


[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

1.3.4 Configuring AP Authentication and Interconnection Between the AC and AP
Configure WLAN global parameters on the AC.
Configure the AC source address and AP authentication mode.
Click Configuration > AC Config > Basic Config > AC Configuration, select VLANIF for
AC source address, click , and set the AC source address to VLANIF801. Click Apply.


Configure APs going online.


Click Configuration > AP Config > AP Group > AP Group. Click Create to create an AP
group.

Check the created AP group.


Click Configuration > AP Config > AP Info > Non-authorized AP List to check the
unauthorized AP list and obtain the required MAC address of an AP.

The AP MAC addresses of group 1 are cccc-8110-2260 and e8bd-d1f7-79c0 (different APs
have different MAC addresses).
Perform the following operations to add an AP.
Click Configuration > AP Config > AP Config > AP Info. Click Create, and enter the MAC
address of the AP to be added.

The following figure shows how to add AP1.


The following figure shows how to add AP2.

Check the version of the added AP, and whether the status is normal. If it is not, wait for a
moment. If this problem persists, check the configuration.

Group online APs. Select two APs, and click Deploy.

Add the two APs to AP group ap-group1.


After APs are added, their status will change from fault to config, and then to normal. If the
AP status does not change to normal 5 minutes after the AP is added, check the configuration
of VLAN, DHCP, and AP authentication.

1.3.5 Configuring WLAN Service Parameters


Click Configuration > AP Config > Profile > Wireless Service.
The wireless service configuration page is displayed.


Create an SSID profile.


Create a security profile.

For an employee security profile, WPA2+PSK+AES authentication is used, and the password
is b1234567.


For a guest security profile, set Security policy to OPEN.


Create a VAP profile.

Create VAP profile employee1.

Set Service VLAN to VLAN Pool, and Forwarding mode to Direct.


Create VAP profile guest1.


Use the default forwarding mode (direct forwarding). Changing the forwarding mode will
trigger risk notifications.

Bind the SSID profile to VAP profile employee1.


Bind the security profile to VAP profile employee1.

Bind the SSID profile to VAP profile guest1.


Bind the security profile to VAP profile guest1.

Create a regulatory domain profile.


Click Configuration > AP Config > Profile > Radio Management > Regulatory Domain
Profile. Click Create on the right pane.

Select the country code based on the actual location.


Bind the VAP profile to ap-group1.

Add VAP profile employeeX. Set WLAN ID to 1 and Radio to all.

Add VAP profile guestX. Set WLAN ID to 2 and Radio to all.


Bind regulatory domain profile domainX to the AP group.

1.4 Verification
1.4.1 Checking the VAP List
Click Monitoring > SSID > VAP > VAP List.


1.4.2 Terminal Connection Test


The STA detects WLAN guestX and employeeX, directly accesses WLAN guestX, and
accesses WLAN employeeX using password b1234567.
The STA is connected to WLAN guestX.

The STA obtains the guest IP address.


After you enter the password, the STA is connected to WLAN employeeX.

The STA obtains the employee IP address.


Use the STA to ping the IP address of the simulated public network interface on the switch.

Check the user list.


1.5 Reference Configuration


1.5.1 SWA Configuration
#
sysname SWA
#
vlan batch 10 to 14 801
#
lldp enable
#
dhcp enable
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
......
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#


......
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher Admin@123
user-interface vty 16 20
#
return

1.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 14 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool guest1
vlan 11 to 12
vlan pool employee1
vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#


free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
excluded-ip-address 10.1.13.100
#
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
excluded-ip-address 10.1.14.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#aOa;=_Sy~Ol+)uRi[2OIax8$'c*P63lRUhVe5HW4SwIm+(N.U+9Tmo:L^PPW%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
description Management VLAN
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global


#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#


user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
security-profile name guest1
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool guest1
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
learn-client-address dhcp-strict
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0


vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
radio 1
vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
ap-id 1 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
ap-name ap1
ap-group ap-group1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-name ap2
ap-group ap-group1
#
undo ntp-service enable
#

You have completed experiment 1.


2 Experiment 2: WLAN Radio Resource Management

2.1 Objectives
• Learn the configuration method of WLAN radio calibration.
• Learn the configuration method of WLAN data load balancing.
• Learn the configuration method of WLAN channel switching without service interruption.
• Learn the configuration method of WLAN band steering.

2.2 Plan
Figure 2-1 Experiment topology


Group No.   AC–Switch Port      AP-Switch Port
1           AC6005-1–G0/0/1     AP1-G0/0/10, AP2-G0/0/11
2           AC6005-2–G0/0/2     AP3-G0/0/12, AP4-G0/0/13
3           AC6005-3–G0/0/3     AP5-G0/0/14, AP6-G0/0/15
4           AC6005-4–G0/0/4     AP7-G0/0/15, AP8-G0/0/16
5           AC6005-5–G0/0/5     AP9-G0/0/17, AP10-G0/0/18
6           AC6005-6–G0/0/6     AP11-G0/0/19, AP11-G0/0/20

Profile             Configuration
5G radio profile    Name: radio5gX
                    Referenced profiles: RRM profile wlan-netX and air scan profile wlan-airscanX
2G radio profile    Name: radio2gX
                    Referenced profiles: RRM profile wlan-netX and air scan profile wlan-airscanX
RRM profile         Name: wlan-netX
                    Start threshold for dynamic load balancing: 15
                    Load difference threshold for dynamic load balancing: 25%
Air scan profile    Name: wlan-airscanX
                    Air scan channel set: all channels supported by the corresponding country code of an AP
                    Air scan interval: 80000 ms
                    Air scan duration: 80 ms

2.3 Configuring Radio Calibration


2.3.1 Enabling Radio Calibration
Create RRM profile wlan-netX and enable automatic channel selection and automatic transmit
power selection in the RRM profile. By default, automatic channel selection and automatic
transmit power selection are enabled.


To create RRM profile wlan-netX, perform the following operations:


Click Configuration > AP Config > Profile > Radio Management > RRM Profile. Click
Create.

Create air scan profile wlan-airscanX and configure the scan channel set, scan interval, and
scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.


Create 2G radio profile radio2gX and bind RRM profile wlan-netX and air scan profile
wlan-airscanX to the 2G radio profile.


Bind RRM profile wlan-netX to 2G radio profile radio2gX.

Bind air scan profile wlan-airscanX to 2G radio profile radio2gX.

Create 5G radio profile radio5gX and bind RRM profile wlan-netX and air scan profile
wlan-airscanX to the 5G radio profile.


Bind 5G radio profile radio5gX and 2G radio profile radio2gX to AP group ap-groupX.
Click Configuration > AP Config > AP Group. Select ap-groupX for AP group
configuration, and choose Radio Management > Radio 0 > 2G Radio Profile. Select
radio2gX for 2G Radio Profile on the right pane, and click Apply.


Click Configuration > AP Config > AP Group. Select ap-groupX for AP group
configuration, and choose Radio Management > Radio 1 > 5G Radio Profile. Select
radio5gX for 5G Radio Profile on the right pane, and click Apply.

Before radio calibration is enabled, check radio information about all APs.

Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is automatic.
Click Configuration > AC Config > Basic Config > Radio Calibration.


2.4 Verifying the Configuration


After the STA detects the WLAN with SSID employeeX, enter password b1234567 to access the
network. Then, check the radio list.

The interface shows that all APs work on non-overlapping channels, indicating successful
radio calibration.
Radio calibration is complete half an hour after it is manually triggered. You can use either of
the following schemes (not provided in the configuration file):
• (Recommended) Set the radio calibration mode to scheduled. Configure the APs to
  perform radio calibration during off-peak hours, for example, between 00:00 and 06:00.
• Manually fix the working channels of APs: Disable automatic channel selection and
  automatic transmit power selection in the RRM profile. Manually trigger radio
  calibration when new APs are added to the WLAN.


2.5 Configuring Dynamic Load Balancing


The load balancing function can implement load balancing among APs in a WLAN network,
guaranteeing the bandwidth for each STA. Load balancing applies to high-density radio
networks to ensure proper STA access. The load balancing technology includes AP-based load
balancing and user number-based multiple-radio load balancing.

2.5.1 Enabling Dynamic Load Balancing


Enable dynamic load balancing in RRM profile wlan-netX and set the start threshold for load
balancing to 15 and load difference threshold to 25%.
Click Configuration > AP Config > Profile > Radio Management > RRM Profile >
wlan-netX.


2.5.2 Verification
Click at the upper-right corner of the web-based AC. Run the display station
load-balance sta-mac command to check AP radios participating in dynamic load balancing.

2.6 Configuring Band Steering


On live networks, most STAs support both the 2.4 GHz and 5 GHz frequency bands.
When a STA accesses the network through an AP, 2.4 GHz access is selected by default. As
a result, the 2.4 GHz frequency band, which has fewer channels, is heavily loaded and experiences
congestion and interference, while the 5 GHz frequency band, which has more channels and little
interference, cannot bring its advantages into full play. In particular, when the 2.4 GHz frequency
band carries a large number of users and experiences severe interference, the 5 GHz
frequency band can provide better access capabilities and reduce the impact of interference on
users. To connect to the 5 GHz frequency band, users must manually select 5 GHz on the
STA.
The band steering function enables an AP to steer STAs to the 5 GHz frequency band
preferentially, which reduces load and interference on the 2.4 GHz frequency band and
improves user experience.

2.6.1 Enabling Band Steering


Configure load balancing between radios in RRM profile wlan-netX to prevent heavy load on
a single radio. Set the start threshold for load balancing between radios to 15 and the load
difference threshold to 25%.
Click Configuration > AP Config > Profile > Radio Management > RRM Profile >
wlan-netX.


2.7 Reference Configuration


#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 14 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool guest1
vlan 11 to 12
vlan pool employee1
vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#


pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
excluded-ip-address 10.1.13.100
#
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
excluded-ip-address 10.1.14.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
description Management VLAN
ip address 10.1.10.100 255.255.255.0
dhcp select global


#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#


ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
calibrate enable schedule time 03:00:00
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
security-profile name guest1
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool guest1
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
learn-client-address dhcp-strict
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
air-scan-profile name wlan-airscan1
scan-period 80
scan-interval 80000
rrm-profile name default
rrm-profile name wlan-net1
band-steer balance start-threshold 15
band-steer balance gap-threshold 25


sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name default
radio-2g-profile name radio2g1
dot11bg supported-rate 1 2 5 6 9 11 12 18 24 36 48 54
dot11bg basic-rate 1 2
rrm-profile wlan-net1
air-scan-profile wlan-airscan1
radio-5g-profile name default
radio-5g-profile name radio5g1
rrm-profile wlan-net1
air-scan-profile wlan-airscan1
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g1
vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
radio 1
radio-5g-profile radio5g1
vap-profile employee1 wlan 1
vap-profile guest1 wlan 2
ap-id 1 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
ap-name ap1
ap-group ap-group1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-name ap2
ap-group ap-group1
#
undo ntp-service enable
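
A check for the management-plane settings that both AC reference configurations (1.5.2 and 2.7) share, as an added example that is not part of the guide: it scans configuration text for SSH algorithm options outside an allowlist, VTY lines that use a shared password or `protocol inbound all`, and secrets stored as readable text. The allowlist, the rule names and the `audit` function are assumptions made for this example; the sample is constructed from lines of the configuration above, with a placeholder in place of the ciphertext.

```python
import re

# Policy assumed for this example: keep only the CTR-mode ciphers and the
# full-length SHA-2 HMAC; every other option offered on the line is reported.
SSH_ALLOWED = {"cipher": {"aes128_ctr", "aes256_ctr"}, "hmac": {"sha2_256"}}

SSH_LINE = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")
SECRET = re.compile(r"(?:password (?:irreversible-)?cipher|pass-phrase)\s+(\S+)")
CIPHERTEXT = re.compile(r"^%\^%#.+%\^%#$")  # ciphertext on this page is wrapped in %^%#

# Constructed excerpt, flat (no indentation) like the reference configuration.
SAMPLE_CONFIG = """\
stelnet server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#constructed-placeholder%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
"""


def audit(config_text):
    """Return sorted (line_number, rule_id, message) findings."""
    findings = []
    ui = None  # user-interface block being read, or None

    def close_ui(block):
        # A VTY block is judged as a whole once it ends.
        if block and block["name"].startswith("vty") and block["mode"] == "password":
            findings.append((block["line"], "VTY_SHARED_PASSWORD",
                             f"user-interface {block['name']}: one shared password, "
                             f"privilege level {block['level']}, no per-user accounts"))

    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        # '#' or a new user-interface line ends the current block.
        if line == "#" or line.startswith("user-interface "):
            close_ui(ui)
            ui = None
            if line != "#":
                ui = {"name": line.split(" ", 1)[1], "line": number,
                      "mode": None, "level": "default"}
            continue
        if ui is not None:
            if line.startswith("authentication-mode "):
                ui["mode"] = line.split()[1]
            elif line.startswith("user privilege level "):
                ui["level"] = line.split()[-1]
            elif line == "protocol inbound all" and ui["name"].startswith("vty"):
                findings.append((number, "VTY_TELNET_ALLOWED",
                                 f"user-interface {ui['name']}: 'protocol inbound all' "
                                 "permits Telnet on this VTY alongside SSH"))
        ssh = SSH_LINE.match(line)
        if ssh:
            side, kind, offered = ssh.groups()
            extra = [name for name in offered.split() if name not in SSH_ALLOWED[kind]]
            if extra:
                findings.append((number, "SSH_LEGACY_ALGORITHM",
                                 f"ssh {side} {kind}: {' '.join(extra)}"))
        secret = SECRET.search(line)
        if secret and not CIPHERTEXT.match(secret.group(1)):
            # Report the location only; never echo the secret itself.
            findings.append((number, "CLEARTEXT_SECRET",
                             "secret is readable in the configuration text (value withheld)"))
    close_ui(ui)
    return sorted(findings)


if __name__ == "__main__":
    for number, rule, message in audit(SAMPLE_CONFIG):
        print(f"line {number:>2}  {rule:<21} {message}")
```

On the sample, the VTY 0 to 4 block is the one that combines a shared password, privilege level 15 and `protocol inbound all`.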

You have completed experiment 2.


3 Experiment 3: Secure WLAN Access Deployment – 802.1X Admission Control

3.1 Objectives
• Learn how to set up 802.1X authentication interworking between the AC and the Agile
  Controller.
• Learn how to configure Agile Controller 802.1X authentication.
• Verify the configuration of Agile Controller authentication access.


3.2 Plan
Figure 3-1 Experiment topology

Group No.   AC–Switch Port      AP-Switch Port
1           AC6005-1–G0/0/1     AP1-G0/0/10, AP2-G0/0/11
2           AC6005-2–G0/0/2     AP3-G0/0/12, AP4-G0/0/13
3           AC6005-3–G0/0/3     AP5-G0/0/14, AP6-G0/0/15
4           AC6005-4–G0/0/4     AP7-G0/0/15, AP8-G0/0/16
5           AC6005-5–G0/0/5     AP9-G0/0/17, AP10-G0/0/18
6           AC6005-6–G0/0/6     AP11-G0/0/19, AP11-G0/0/20


Trainee Group X                     AC configuration
Console Port Login Password         Admin@123
Device                              AC6005-X
AP Management VLAN                  VLAN: X0
                                    IP: 10.1.X0.100
Service VLAN (Guest)                VLAN: X1 and X2
                                    IP: 10.1.X1.100-10.1.X2.100
Service VLAN (Employee)             VLAN: X3 and X4
                                    IP: 10.1.X3.100-10.1.X4.100
AC Source Port                      VLANIF80X
                                    IP: 10.1.20X.100
AC Port Connecting to the Switch    GE0/0/8
                                    VLANs X0 through X4 and VLAN80X can pass the trunk interface.
AP Group                            Name: ap-groupX
                                    VAP ID: 1
                                    VAP profile: guestX
                                    Regulatory domain profile: domainX
                                    VAP ID: 2
                                    VAP profile: employeeX
                                    Regulatory domain profile: domainX
SSID Profile                        Name: guestX
                                    SSID name: guestX
                                    Name: employeeX
                                    SSID name: employeeX
Security Profile                    Name: guestX
                                    Security policy: WPA2+Dot1x+AES
                                    Name: employeeX
                                    Security policy: WPA2+Dot1x+AES
VAP Profile                         Name: guestX
                                    Forwarding mode: direct forwarding
                                    Service VLAN pool: guestX
                                    Referenced profiles: SSID profile guestX and security profile guestX
                                    Name: employeeX
                                    Forwarding mode: direct forwarding
                                    Service VLAN pool: employeeX
                                    Referenced profiles: SSID profile employeeX and security profile employeeX
Authentication Scheme               Name: authX
Accounting Scheme                   Name: accoX
RADIUS Server Profile               Name: serverX
Dot1x Profile                       Name: dot1xX
Authentication-free Profile         Name: freeX
Topology                            Layer 3 bypass topology

3.3 Procedure
Figure 3-2 Configuration procedure of the experiment


3.3.1 Configuring Basic AC Parameters


Modify the STA access security profile.
The basic configuration of this experiment is similar to that of experiment 2. The only
difference is the authentication mode. The AP has two SSIDs: guest1 and employee1. The
access authentication mode is open for guest1 and WPA2+PSK+AES for employee1. In this
experiment, change the access authentication mode to WPA2+Dot1x+AES for both SSIDs.
Click Configuration > AP Config > Profile > Profile Management > Wireless Service >
Security Profile. You can modify the authentication mode on the right pane.

3.3.2 Configuring the AC as the RADIUS Client


Click Configuration > Security > AAA > Authentication Profile > dot1x_authen_profile.


Create an AAA accounting scheme.


Create authentication-free profile freeX, allowing an authenticated server to pass. To allow a
DNS or DHCP server to pass without authentication, configure the corresponding rules
here so that STAs can obtain IP addresses and perform authentication.


Create an authentication-free profile.

Specify the authentication-free rule.


After the rule is created, click Apply.

Create RADIUS Server profile serverX.


On the RADIUS tab, click Create below RADIUS Server Profile.
The RADIUS Server configuration page is displayed.

The RADIUS key must be the same as that on the RADIUS server. Set the user name to
exclude the domain name, which prevents incorrect account or password errors during
authentication.
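
Why the key must match on both sides, as an added example that is not part of the guide: an Access-Request that carries EAP is signed with a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 3579), and the AC accepts a reply only if its Response Authenticator (RFC 2865) verifies under the same secret. The keys, the identity and the packet contents are constructed; `strip_domain` is a hypothetical helper standing in for the "exclude the domain name" setting, and the example assumes the EAP payload is relayed unchanged.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                       # RADIUS codes (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def strip_domain(identity):
    """Hypothetical helper: 'user@domain' -> 'user'."""
    return identity.split("@", 1)[0]


def build_access_request(secret, identifier, user_name, eap, request_auth):
    """AC side: Access-Request carrying EAP, signed with Message-Authenticator."""
    attrs = (attr(USER_NAME, user_name.encode())
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))     # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + request_auth + attrs
    signature = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + signature                      # attribute 80 is last


def request_is_authentic(secret, packet):
    """Server side: recompute the Message-Authenticator under `secret`."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False                                   # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False                                           # EAP requests must carry it


def build_response(secret, code, identifier, request_auth, attrs=b""):
    """Server side: reply whose authenticator binds it to the request and secret."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def response_is_authentic(secret, packet, request_auth):
    """AC side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Return {label: (server accepts request, AC accepts reply)}."""
    identity = "employee1@lab.example"                     # constructed identity
    # EAP-Response/Identity: code 2, id 1, length, type 1, identity bytes.
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity.encode()
    request_auth = bytes(range(16))   # fixed so the demo repeats; real ones are random
    ac_key = b"constructed-key-1"
    request = build_access_request(ac_key, 7, strip_domain(identity), eap, request_auth)
    results = {}
    for label, server_key in (("matching", b"constructed-key-1"),
                              ("mismatched", b"constructed-key-2")):
        reply = build_response(server_key, ACCESS_ACCEPT, 7, request_auth)
        results[label] = (request_is_authentic(server_key, request),
                          response_is_authentic(ac_key, reply, request_auth))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With mismatched keys neither side accepts the other's packet, so the failure appears to the user as a failed login even when the account and password are correct.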


Create a RADIUS authentication/accounting server.

Check the created RADIUS authentication/accounting server.

Create a RADIUS authorization server.


Apply the RADIUS server profile.


Click Configuration > Security > AAA > Authentication Profile > dot1x_authen_profile >
RADIUS Server Profile.

Create an 802.1x profile.


Bind the authentication profile to the VAP profile.


Click Configuration > AP Config > AP Group. Click created AP Group ap-groupX.

Bind the authentication profile to the employee VAP profile.


You can click Binding Profile to view all profiles bound to the authentication profile.

Bind the authentication profile to the guest VAP profile.

3.3.3 Creating an ACL


Click Configuration > Security > ACL > Advanced ACL Settings.
Configure a post-authentication domain ACL.


Configure a post-authentication domain ACL for employees, not allowing employees to
access guest resources.


Allow employees to access other resources.

After the rules are added, click beside ACL3002 to confirm the configuration.


Configure a post-authentication domain ACL for guests, not allowing guests to access
employee resources.


Confirm the configuration of ACL3003:

3.3.4 Configuring Agile Controller Route Connectivity


Before configuring the Agile Controller, ensure that the route between the AC and Agile
Controller server is reachable.
In this experiment, connect the Agile Controller server to interface VLANIF1102 of the AC,
and the connection configuration on the switch has been completed in experiment 1.
Create VLAN1103, configure the IP address for the VLANIF interface, and add VLAN1103
to the interface.
Click AC Config > VLAN > VLAN > Create.


In this experiment, the IP address of the Agile Controller server is 10.254.1.100.

Open the console to test the route connectivity.


Have the STA connect to SSID employeeX or guestX of the AP. Visit 10.254.1.100 using a
web browser, and enter the account and password to log in to the Agile Controller.

3.3.5 Configuring an Access Device


Because all groups share one Agile Controller, name profiles and rules by group number to
tell them apart. For example, group 1 can name the AC AC6005-1 or AC1 and group 2 can name
the AC AC6005-2 or AC2, and groups 1 and 2 use the user names employee1 and employee2,
respectively.
Log in to the Agile Controller.

Click Resource > Device > Device Management. On the displayed page, click Add on the
right pane.


Configure the device IP address and RADIUS parameters. The device IP address and the IP
address of the Agile Controller must be on the same network segment. In this experiment, the
IP address of interface VLANIF1102 is used as the device IP address.

Enable RADIUS, and set the authentication key, accounting key, and real-time accounting
interval to the same values as those configured on the AC.


(Optional) Add a device group to facilitate device management and flexible policy delivery.

On the Device Management page, choose Device Group > Access Control, and click .


Move devices to the test group.


3.3.6 Configuring Authentication Users


Perform the following steps to create a user group.

Click Resource > User > User Management. On the displayed page, click .

Create an employee user group and a guest user group. A guest user group exists by default
and is not used in this experiment.


Add employees and user accounts to the user group.

Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.


Add a guest account to the user group.

Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.


Open the web-based AC, click to test the connectivity between the AC and Agile
Controller.

If the command output contains "Account test succeed", the connection between the AC and
Agile Controller is working; proceed to the subsequent experiments. If the test times out,
check the connectivity between the AC and Agile Controller.

3.3.7 Configuring Policy Elements


(Optional) Configure the time range.


This configuration allows the access of different user groups and accounts within a planned
time range. In this experiment, policy elements are only configured, and are not necessarily all
invoked.
Click Policy > Permission Control > Policy Element > Schedule. On the displayed page,
click Add on the right pane.

For employees, do not set the time range. Set the time range to 8:00 to 18:00, Monday to
Friday, for guests.


Configure the SSID.


Click Policy > Permission Control > Policy Element > SSID. On the displayed page, click
Add on the right pane.


3.3.8 Configuring an Authentication Rule


Click Policy > Permission Control > Authentication & Authorization > Authentication
Rule. On the displayed page, click Add on the right pane.


In an authentication rule, policy elements are used as match conditions. A user is matched
against the conditions one by one. If multiple authentication rules exist, the user is matched
against them in order of authentication rule priority. If no rule is matched, the default rule
is used.
Add an employee authentication rule.
Configure an employee authentication condition and bind it to user groups.

Select a user group.


Select user accounts.


On the Location Information pane, perform the following operations:


Select device groups.


Select SSIDs.


Use the default values of other parameters.

Configure authentication information.


Do not enable RADIUS proxy. You are advised to select all authentication protocols.


Access parameters are not selected in this experiment, and must be selected on the live
network. The more access parameters are selected, the longer it takes for user verification.

In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.

Configure the guest authentication rule, and add authentication conditions.


Access parameters are not selected in this experiment, and must be selected on the live
network. The more access parameters are selected, the longer it takes for user verification.

In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.


Authentication rules can be configured with different priorities. A rule with a higher priority
is matched first. In this experiment, the priority does not need to be configured
because only two rules are created and the priorities are the same.

3.3.9 Configuring an Authorization Result


Generally, the authorization result can be classified into the pre-authentication domain,
post-authentication domain, and isolation domain. This way, different permissions can be
flexibly allocated to users in different authentication stages. This experiment does not invoke
additional security devices, so the isolation domain is not set.
Click Policy > Permission Control > Authentication & Authorization > Authorization
Result. On the displayed page, click Add on the right pane.

Add an employee authorization result, and match the result to the employees'
post-authentication domain ACL.


Add a guest authorization result, and match the result to the guests' post-authentication
domain ACL.

Check the created authorization results.

3.3.10 Configuring an Authorization Rule


Click Policy > Permission Control > Authentication & Authorization > Authorization
Rule. On the displayed page, click Add on the right pane to create authorization rules for
employees and guests.


Create an authorization rule for employees.

The matching condition of the authorization rule is the same as that of the authentication rule.
Therefore, you can configure either rule on the live network.


Select an authorization result.

Configure an authorization rule for guests.


The configuration for the 802.1X admission control experiment has been completed.

3.4 Verification
You can use a device with a network adapter, such as a mobile phone or a laptop, to verify the
experiment result. In this experiment, an Android mobile phone is used.
Connect the mobile phone to SSID employee1 (account: employee1, password: Admin@123)
and SSID guest1 (account: guest1, password: Admin@123).


View go-online records in RADIUS logs. Check whether the authentication rule and
authorization rule match each other.


3.5 Reference Configuration


#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 14 801 1103 4090
#
authentication-profile name dot1x_authen_profile
 dot1x-access-profile dot1x1
 free-rule-template free1
 authentication-scheme auth1
 accounting-scheme acco1
 radius-server server1
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name dot1x1
mac-access-profile name mac_access_profile
#
vlan pool guest1
 vlan 11 to 12
vlan pool employee1
 vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
vlan 1103
 description Connect_to_Controller
#
radius-server template default
radius-server template server1
 radius-server shared-key cipher Admin@123
 radius-server authentication 10.254.1.100 1812 weight 80
 radius-server accounting 10.254.1.100 1813 weight 80
 undo radius-server user-name domain-included
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group server1
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl number 3002
 description employee1
 rule 1 deny ip destination 10.1.11.0 0.0.0.255
 rule 3 deny ip destination 10.1.12.0 0.0.0.255
 rule 5 permit ip
acl number 3003
 description guest1
 rule 1 deny ip destination 10.1.13.0 0.0.0.255
 rule 3 deny ip destination 10.1.14.0 0.0.0.255
 rule 5 permit ip
#
free-rule-template name default_free_rule
#
free-rule-template name free1
 free-rule 1 destination ip 10.254.1.100 mask 255.255.255.0
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 excluded-ip-address 10.1.11.100
#
ip pool sta2
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
 excluded-ip-address 10.1.12.100
#
ip pool sta3
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
 excluded-ip-address 10.1.13.100
#
ip pool sta4
 gateway-list 10.1.14.1
 network 10.1.14.0 mask 255.255.255.0
 excluded-ip-address 10.1.14.100
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme auth1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme acco1
  accounting-mode radius
  accounting start-fail online
 domain default
 domain default_admin
 local-user admin password irreversible-cipher Admin@123
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 description Management VLAN
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif14
 ip address 10.1.14.100 255.255.255.0
 dhcp select global
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface Vlanif1103
 description Connect_to_Controller
 ip address 10.254.1.99 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk pvid vlan 4090
 port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 14 801 1103
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
 authentication-mode password
 set authentication password cipher Admin@123
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher Admin@123
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 calibrate enable schedule time 03:00:00
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
 security-profile name employee1
  security wpa2 dot1x aes
 security-profile name guest1
  security wpa2 dot1x aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-pool guest1
  ssid-profile guest1
  security-profile guest1
  authentication-profile dot1x_authen_profile
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-pool employee1
  learn-client-address dhcp-strict
  ssid-profile employee1
  security-profile employee1
  authentication-profile dot1x_authen_profile
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 air-scan-profile name wlan-airscan1
  scan-period 80
  scan-interval 80000
 rrm-profile name default
 rrm-profile name wlan-net1
  band-steer balance start-threshold 15
  band-steer balance gap-threshold 25
  sta-load-balance dynamic enable
  sta-load-balance dynamic start-threshold 15
  sta-load-balance dynamic gap-threshold 25
 radio-2g-profile name default
 radio-2g-profile name radio2g1
  dot11bg supported-rate 1 2 5 6 9 11 12 18 24 36 48 54
  dot11bg basic-rate 1 2
  rrm-profile wlan-net1
  air-scan-profile wlan-airscan1
 radio-5g-profile name default
 radio-5g-profile name radio5g1
  rrm-profile wlan-net1
  air-scan-profile wlan-airscan1
 wids-profile name default
 ap-system-profile name default
 provision-ap
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio2g1
   vap-profile employee1 wlan 1
   vap-profile guest1 wlan 2
  radio 1
   radio-5g-profile radio5g1
   vap-profile employee1 wlan 1
   vap-profile guest1 wlan 2
 ap-id 1 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
  ap-name ap1
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
  ap-name ap2
  ap-group ap-group1
#
undo ntp-service enable
#
return
<AC6005-1>
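
Before a lab configuration like the one above is reused outside the lab, it helps to review it mechanically. The following added example (not part of the guide) scans an excerpt of that configuration for four conditions: one secret reused across sections, a RADIUS authorization server address that differs from the authentication server, VTY lines that accept all protocols, and SSH algorithm lists with legacy entries. The function name, the finding labels and the `WEAK_SSH` set are assumptions of this example.

```python
import re

# Excerpt of the section 3.5 reference configuration (AC6005-1), copied from this
# guide, with sub-commands indented one space as the device prints them.
CONFIG = """\
radius-server template server1
 radius-server shared-key cipher Admin@123
 radius-server authentication 10.254.1.100 1812 weight 80
 radius-server accounting 10.254.1.100 1813 weight 80
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group server1
#
aaa
 local-user admin password irreversible-cipher Admin@123
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface con 0
 authentication-mode password
 set authentication password cipher Admin@123
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher Admin@123
 protocol inbound all
"""

# Assumption: the algorithm names this example treats as legacy.
WEAK_SSH = {"3des", "md5", "md5_96", "sha1", "sha1_96"}

SECRET_RE = re.compile(r"(?:shared-key|password) (?:irreversible-)?cipher (\S+)")
RADIUS_RE = re.compile(
    r"radius-server (authentication|accounting|authorization) (\d+(?:\.\d+){3})")
SSH_RE = re.compile(r"ssh (server|client) secure-algorithms (cipher|hmac) (.+)")


def audit(config):
    """Return a list of (finding_id, detail) tuples for the given configuration text."""
    findings = []
    section = ""      # most recent top-level (unindented) command
    secrets = {}      # secret value -> set of sections that use it
    radius_ips = {}   # server role -> set of addresses
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):
            section = line
        m = SECRET_RE.search(line)
        if m:
            secrets.setdefault(m.group(1), set()).add(section)
        m = RADIUS_RE.match(line)
        if m:
            radius_ips.setdefault(m.group(1), set()).add(m.group(2))
        if line == "protocol inbound all" and section.startswith("user-interface vty"):
            findings.append(("vty-all-protocols", section))
        m = SSH_RE.match(line)
        if m:
            weak = [alg for alg in m.group(3).split() if alg in WEAK_SSH]
            if weak:
                findings.append(("weak-ssh-" + m.group(2),
                                 f"{m.group(1)}: {' '.join(weak)}"))
    # Report reuse without echoing the secret itself.
    for places in secrets.values():
        if len(places) > 1:
            findings.append(("secret-reuse",
                             f"one secret shared by {len(places)} sections"))
    auth_ips = radius_ips.get("authentication", set())
    for ip in sorted(radius_ips.get("authorization", set()) - auth_ips):
        findings.append(("radius-authorization-mismatch", ip))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(CONFIG):
        print(f"{finding_id:32} {detail}")
```

On this excerpt the scan reports the RADIUS, console, VTY and local-user secrets as one shared value, and shows that the authorization server is configured as 10.1.254.100 while authentication and accounting point to 10.254.1.100.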

You have completed experiment 3.

Huawei WLAN Certification Training 4 Experiment 4: Secure WLAN Access Deployment –
Experiment Guide for HCNP-WLAN-CEWA (Web-based) Portal Admission Control

4 Experiment 4: Secure WLAN Access Deployment – Portal Admission Control

4.1 Objectives
• Learn how to configure authentication for interconnection between the AC and the Agile
  Controller portal.
• Learn how to configure Agile Controller portal authentication.
• Verify the configuration of Agile Controller authentication access.


4.2 Plan
Figure 4-1 Experiment topology

Group No.   AC–Switch Port      AP-Switch Port
1           AC6005-1–G0/0/1     AP1-G0/0/10, AP2-G0/0/11
2           AC6005-2–G0/0/2     AP3-G0/0/12, AP4-G0/0/13
3           AC6005-3–G0/0/3     AP5-G0/0/14, AP6-G0/0/15
4           AC6005-4–G0/0/4     AP7-G0/0/15, AP8-G0/0/16
5           AC6005-5–G0/0/5     AP9-G0/0/17, AP10-G0/0/18
6           AC6005-6–G0/0/6     AP11-G0/0/19, AP11-G0/0/20


Trainee Group X AC Configuration

Console Port Login Password
    Admin@123
Device
    AC6005-X
AP Management VLAN
    VLAN: X0
    IP: 10.1.X0.100
Service VLAN (Guest)
    VLAN: X1 and X2
    IP: 10.1.X1.100-10.1.X2.100
Service VLAN (Employee)
    VLAN: X3 and X4
    IP: 10.1.X3.100-10.1.X4.100
AC Source Port
    VLANIF80X
    IP: 10.1.20X.100
AC Port Connecting to the Switch
    GE0/0/8
    VLANs X0 through X4 and VLAN80X can pass the trunk interface.
AP Group
    Name: ap-groupX
    VAP ID: 1
    VAP profile: guestX
    Regulatory domain profile: domainX
    VAP ID: 2
    VAP profile: employeeX
    Regulatory domain profile: domainX
SSID Profile
    Name: guestX
    SSID name: guestX
    Name: employeeX
    SSID name: employeeX
Security Profile
    Name: guestX
    Security policy: open
    Name: employeeX
    Security policy: WPA2+PSK+AES
    Password: b1234567
VAP Profile
    Name: guestX
    Forwarding mode: tunnel forwarding
    Service VLAN pool: Guest
    Referenced profiles: SSID profile guestX and security profile guestX
    Name: employeeX
    Forwarding mode: direct forwarding
    Service VLAN pool: Employee
    Referenced profiles: SSID profile employeeX and security profile employeeX


Authentication Scheme
    Name: authX
Accounting Scheme
    Name: accoX
RADIUS Server Profile
    Name: serverX
Authentication-free Profile
    Name: freeX
Portal Profile
    Name: portX
Web Server Profile
    Name: serverX
URL Template
    Name: urlX

Topology: layer 3 bypass topology


In this experiment, the PC uses IP address 169.254.1.2 to log in to the web-based AC.


4.3 Procedure
Figure 4-2 Configuration procedure of the experiment

4.3.1 Configuring Basic AC Parameters


The basic configuration of this experiment is similar to that of experiment 3. The only
differences are:
• Security policy is set to OPEN (because portal authentication is used).
• 802.1x authentication configuration is omitted.
Click Configuration > AP Config > Profile > Wireless Service. Set Security Profile to
guest1.


4.3.2 Configuring the AC as the RADIUS Client


You can skip the user group creation operation because the user group has been created in
experiment 3.
Create an AAA authentication scheme.
Click Configuration > Security > AAA > Authentication Profile > portal_authen_profile.

Configure the AAA authentication scheme.


Create authentication-free profile freeX, which allows traffic to the authentication server to
pass. To allow a DNS or DHCP server to pass without authentication, perform the corresponding
configurations here so that STAs can obtain IP addresses and perform authentication. You can
skip this step and use authentication-free profile free1 created in experiment 3.

Configure the RADIUS Server.


4.3.3 Creating an External Portal Server


Set the shared key to that on the Agile Controller, and the portal URL to
http://10.254.1.100:8080/portal.

On the URL Option Settings tab, select SSID and enter ssid. The STA will send SSIDs to the
Agile Controller, which will deliver different portal pages for different SSIDs.

Create a portal profile.


Click Configuration > Security > AAA > Authentication Profile > portal_authen_profile.
Create a portal profile.


Configure the portal profile.


By default, the source subnet for portal authentication is 0.0.0.0/0, indicating that users in all
subnets must pass portal authentication.

Bind the authentication profile to the VAP profile.


Click Configuration > AP Config > Profile > Profile Management > Wireless Service >
VAP Profile > guest1 > Authentication Profile. Set Authentication Profile to
portal_authen_profile on the right pane, and click Apply.


4.3.4 Configuring the Agile Controller


Configure the access device.
Click Resource > Device > Device Management. On the displayed page, click Add on the
right pane.


Configure the device IP address and RADIUS parameters. The device IP address and the IP
address of the Agile Controller must be on the same network segment. In this experiment, the
IP address of interface VLANIF1102 is used as the device IP address.

Enable RADIUS, and set the authentication key, accounting key, and real-time accounting
interval to the same values as those configured on the AC, as in experiment 3.


After RADIUS authentication parameters are configured, enable portal and configure portal
authentication parameters. The portal key must be the same as that on the AC. In this
experiment, the portal key is Admin@123.

4.3.5 Configuring Authentication Users


Create a user group.


Click Resource > User > User Management. On the displayed page, click .

Create an employee user group and a guest user group. A guest user group exists by default
and is not used in this experiment.

Add employees and user accounts to the user group.


Set Account Type to Common account. The account and password are the same as those
used for login. You can set the account and password as required.

You do not need to create a guest user. The guest user must register with the Agile Controller.

Open the web-based AC, click to test the connectivity between the AC and
Agile Controller.


If the command output contains "Account test succeed", the connection between the AC and the
Agile Controller is working and you can proceed to the subsequent experiments. If the test
times out, check the connectivity between the AC and the Agile Controller.

4.3.6 Configuring Policy Elements


(Optional) Configure the time range.
This configuration allows the access of different user groups and accounts within a planned
time range. In this experiment, policy elements are only configured, and are not necessarily all
invoked.
Click Policy > Permission Control > Policy Element > Schedule. On the displayed page,
click Add on the right pane.


For employees, do not set the time range. Set the time range to 8:00 to 18:00, Monday to
Friday, for guests.

Configure the SSID.


Click Policy > Permission Control > Policy Element > SSID. On the displayed page, click
Add on the right pane.

4.3.7 Configuring an Authentication Rule


Click Policy > Permission Control > Authentication & Authorization > Authentication
Rule. On the displayed page, click Add on the right pane.


In an authentication rule, policy elements are used as match conditions. A user is checked
against the conditions one by one. If multiple authentication rules exist, the user is matched
against them in order of authentication rule priority. If no rule is matched, the default rule
is used.
Add an employee authentication rule.
Configure an employee authentication condition and bind it to user groups.


Select a user group.


Select user accounts.


On the Location Information pane, perform the following operations:


Select device groups.


Select SSIDs.


Use the default values of other parameters.


Configure authentication information.


Do not enable RADIUS proxy. You are advised to select all authentication protocols.

Access parameters are not selected in this experiment, but must be selected on the live
network. The more access parameters are selected, the longer user verification takes.


In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.

Configure the guest authentication rule, and add authentication conditions.


Access parameters are not selected in this experiment, but must be selected on the live
network. The more access parameters are selected, the longer user verification takes.

In the Advanced Setting tab, select Deny Access for The account does not exists and
Identity authentication failed.


Authentication rules can be configured with different priorities. A rule with a higher
priority is matched first. In this experiment, the priority does not need to be configured
because only two rules are created and the priorities are the same.
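The rule selection described in this section, sketched as an added example (not code from the guide or from the Agile Controller): rules are tried in priority order, every configured policy element must match, and the default rule applies when none does. The group names, the numeric priority convention (lower number first), the guest rule binding the 8:00 to 18:00 schedule, the ANDing of conditions and the `ambiguous_pairs` check are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Time-range policy element: weekdays (Monday = 0) and a daily window."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                          # assumption: lower number is tried first
    user_groups: frozenset = frozenset()   # empty = element not used as a condition
    ssids: frozenset = frozenset()
    schedule: Optional[Schedule] = None    # None = no time restriction

    def matches(self, group: str, ssid: str, when: datetime) -> bool:
        """Assumption: every configured policy element must match (conditions are ANDed)."""
        if self.user_groups and group not in self.user_groups:
            return False
        if self.ssids and ssid not in self.ssids:
            return False
        return self.schedule is None or self.schedule.contains(when)


DEFAULT_RULE = "default"


def select_rule(rules, group, ssid, when):
    """Name of the first matching rule in priority order, else the default rule."""
    for rule in sorted(rules, key=lambda r: r.priority):  # stable: ties keep list order
        if rule.matches(group, ssid, when):
            return rule.name
    return DEFAULT_RULE


def _sets_overlap(a, b):
    # An unconfigured (empty) condition matches everything, so it overlaps with anything.
    return not a or not b or bool(a & b)


def _schedules_overlap(a, b):
    if a is None or b is None:
        return True
    return bool(a.weekdays & b.weekdays) and a.start < b.end and b.start < a.end


def ambiguous_pairs(rules):
    """Equal-priority rule pairs that could both match the same request."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.priority == b.priority
                    and _sets_overlap(a.user_groups, b.user_groups)
                    and _sets_overlap(a.ssids, b.ssids)
                    and _schedules_overlap(a.schedule, b.schedule)):
                pairs.append((a.name, b.name))
    return pairs


# Constructed rule set modelled on this experiment (rule and group names are assumptions).
GUEST_HOURS = Schedule(frozenset(range(5)), time(8, 0), time(18, 0))  # Mon-Fri, 8:00-18:00
LAB_RULES = [
    Rule("employee", 1, frozenset({"employee"}), frozenset({"employee1"})),
    Rule("guest", 1, frozenset({"guest"}), frozenset({"guest1"}), GUEST_HOURS),
]

if __name__ == "__main__":
    wed = datetime(2016, 3, 16, 10, 0)   # a Wednesday morning
    sat = datetime(2016, 3, 19, 10, 0)   # a Saturday morning
    for who in [("employee", "employee1", sat), ("guest", "guest1", wed), ("guest", "guest1", sat)]:
        print(who[0], who[1], who[2].strftime("%a %H:%M"), "->", select_rule(LAB_RULES, *who))
    print("ambiguous equal-priority pairs:", ambiguous_pairs(LAB_RULES))
```

Equal priorities are safe here only because the two rules cannot match the same request; once a broader rule is added at the same priority, the outcome depends on ordering and priorities should be set explicitly.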

4.3.8 Configuring an Authentication Result


Generally, the authorization result can be classified into the pre-authentication domain,
post-authentication domain, and isolation domain. This way, different permissions can be
flexibly allocated to users in different authentication stages. Because this experiment does
not invoke additional security devices, the isolation domain is not set.
Click Policy > Permission Control > Authentication & Authorization > Authorization
Result. On the displayed page, click Add on the right pane.

Add an employee authorization result, and match the result to the employees'
post-authentication domain ACL.


Add a guest authorization result, and match the result to the guests' post-authentication
domain ACL.


Check the created authorization results.
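An added example (not part of the guide) that evaluates ACLs 3002 and 3003 and the free rule from the reference configuration in section 4.5 against addresses used in this guide, showing what each user class can reach after authentication and what is reachable before it. It assumes these two ACLs are the ones bound to the employee and guest authorization results and that the free rule treats `mask` as a network mask; the function names and host labels are illustrative.

```python
import ipaddress


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


# (rule-id, action, destination, wildcard); destination None means any ("permit ip").
# Values copied from "acl number 3002" and "acl number 3003" in section 4.5.
ACL_3002_EMPLOYEE = [
    (1, "deny", "10.1.11.0", "0.0.0.255"),
    (3, "deny", "10.1.12.0", "0.0.0.255"),
    (5, "permit", None, None),
]
ACL_3003_GUEST = [
    (1, "deny", "10.1.13.0", "0.0.0.255"),
    (3, "deny", "10.1.14.0", "0.0.0.255"),
    (5, "permit", None, None),
]

# Addresses that appear in this guide; the labels are this example's own.
LAB_HOSTS = {
    "guest gateway (ip pool sta1)": "10.1.11.1",
    "employee gateway (ip pool sta3)": "10.1.13.1",
    "AC management VLAN (Vlanif10)": "10.1.10.100",
    "AC CAPWAP source (Vlanif801)": "10.1.201.100",
    "AC link to controller (Vlanif1103)": "10.254.1.99",
    "Agile Controller / portal server": "10.254.1.100",
    "AD directory server (experiment 5)": "10.254.1.101",
}


def acl_decision(acl, dst):
    """(action, rule_id) of the first rule matching dst, in ascending rule-ID order."""
    d = _u32(dst)
    for rule_id, action, base, wildcard in sorted(acl, key=lambda r: r[0]):
        if base is None:
            return action, rule_id
        care = ~_u32(wildcard) & 0xFFFFFFFF       # wildcard bit 0 = bit must match
        if ((d ^ _u32(base)) & care) == 0:
            return action, rule_id
    return None, None                             # no rule matched


def post_auth_view(acl):
    """Action the ACL yields for every labelled lab address."""
    return {name: acl_decision(acl, addr)[0] for name, addr in LAB_HOSTS.items()}


def free_rule_scope(address, mask):
    """Network covered by 'free-rule N destination ip <address> mask <mask>'."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def pre_auth_reachable(address, mask):
    """Labelled lab addresses inside the free rule, reachable before authentication."""
    scope = free_rule_scope(address, mask)
    return sorted(n for n, a in LAB_HOSTS.items() if ipaddress.ip_address(a) in scope)


if __name__ == "__main__":
    for label, acl in (("employee (ACL 3002)", ACL_3002_EMPLOYEE), ("guest (ACL 3003)", ACL_3003_GUEST)):
        print(label)
        for name, action in post_auth_view(acl).items():
            print(f"  {action:6} {name}")
    print("free1 as configured :", pre_auth_reachable("10.254.1.100", "255.255.255.0"))
    print("free1 with host mask:", pre_auth_reachable("10.254.1.100", "255.255.255.255"))
```

Both ACLs block only the other user class's subnets and end in `permit ip`, so a review of the authorization results should decide whether guests also need a deny rule for the management and controller subnets, and whether the free rule can be narrowed to the portal server's host address.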

4.3.9 Configuring an Authorization Rule


Click Policy > Permission Control > Authentication & Authorization > Authorization
Rule. On the displayed page, click Add on the right pane to create authorization rules for
employees and guests.

Create an authorization rule for employees.

The matching condition of the authorization rule is the same as that of the authentication rule.
Therefore, you can configure either rule on the live network.


Select an authorization result.

Configure an authorization rule for guests.


4.3.10 Customizing the Portal Page


Click Policy > Permission Control > Page Customization. Click on the right pane.

On the guest customization page, select Enable Self-register, and click Next.

Select a template among multiple default authentication templates. In this experiment, the
English account and password authentication template is used.


Customize the Authentication Page tab. On this tab, all images and texts are editable. In this
experiment, the default portal authentication page is used without any editing. After the
customization is complete, click Authentication Success Page on the left pane.


On the Authentication Success Page tab, click to add authentication success
information. You can edit the displayed contents.

After the modification is complete, skip the User Notice Page tab (retaining the default
configurations), and click Registration Page. You can customize the information guests must
fill in for registration based on live network conditions. In this experiment, only basic
information is selected: Account, Password, Confirm password, and Mobile phone number.
By default, the information guests must fill in for registration includes Account, Password,
Confirm password, Name, Email, and Mobile phone number. In this experiment, remove
Name and Email in the drop-down list box.


After the customization is complete, click Registration Success Page. Modify the title, then
click Next to start portal page customization for PCs.
Edit the authentication page on the PC, which is similar to that on the mobile phone. All texts
and images are editable. In this experiment, default settings are used. Click Authentication
Success Page.


On the Authentication Success Page tab, click to add authentication success
information. You can edit the displayed contents.

After the customization of the Authentication Success Page tab is complete, click
Registration Page, and remove Name and Email. Then, click Registration Success Page.


After portal customization for PCs is complete, you can click Test to check the customization.
In this experiment, click Publish.

Click to create the portal page for employees.

During portal page customization for employees, deselect Enable Self-register.


Select a template. In this experiment, System-Account Password Authentication Template
is used, which is the same as portal template selection for guests.

Click Next to edit the Authentication Page tab. The portal page for employees does not
include the registration page, which is different from that for guests. In this experiment, retain
default settings of the Authentication Page tab, and click Authentication Success Page.

On the Authentication Success Page tab, add authentication success information and modify
the title.


After Authentication Success Page customization is complete, perform portal customization
for employees on PCs.

After Authentication Page customization is complete, click Authentication Success Page.

After Authentication Success Page customization is complete, click Publish. Then, check
the created portal page.


4.3.11 Configuring a Portal Page Push Policy


Click Policy > Permission Control > Page Customization > Portal Page Push Rule. Click
Add on the right pane to create portal push policies for employees and guests.

For a portal push policy, at least one push condition must be configured. The condition can be
the STA IP address range, SSID, or AP MAC address. The SSID is used in this experiment.


Select the push page for employees. Select the authentication page, which simplifies login
for employees with a fixed account.

Replace SERVER-IP:PORT in the URL address with 10.254.1.100:8080.

Create a portal page push policy for guests.


Select the push page for guests. Select the registration page.

Check the configured portal page push policy.


4.4 Verification
You can use a device with a network adapter, such as a mobile phone or a laptop, to verify the
experiment result. In this experiment, an Android mobile phone is used.
Use the mobile phone to connect to SSIDs employee1 and guest1, in sequence.
Select SSID employee1, as shown in the following figure.

You can obtain a planned IP address.


No DNS server exists in this experiment, so domain redirection cannot be performed. You
must enter an IP address within network segment 10.0.0.0, such as 10.1.1.1, in the browser to
open the portal page.

The redirected portal page is the configured authentication page for employees. Enter account
employee1 and password Admin@123, which are configured in experiment 3.


A message is displayed, prompting you to change the password upon the first login.


The following figure shows successful employee authentication.


Test guest portal authentication.


The guest registration page is displayed by default. Perform guest registration. The mobile
phone number is used as the account by default.

The password is obtained successfully.


Change the password upon the first login.

Successful guest authentication information includes the account expiration time.


4.5 Reference Configuration


#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 14 801 1103 4090
#
authentication-profile name dot1x_authen_profile
 dot1x-access-profile dot1x1
 free-rule-template free1
 authentication-scheme auth1
 accounting-scheme acco1
 radius-server server1
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
 portal-access-profile portal1
 free-rule-template free1
 authentication-scheme auth1
 accounting-scheme acco1
 radius-server server1
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name dot1x1
mac-access-profile name mac_access_profile
#
vlan pool guest1
 vlan 11 to 12
vlan pool employee1
 vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
vlan 1103
 description Connect_to_Controller
#
radius-server template default
radius-server template server1
 radius-server shared-key cipher Admin@123
 radius-server authentication 10.254.1.100 1812 weight 80
 radius-server accounting 10.254.1.100 1813 weight 80
 undo radius-server user-name domain-included
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group server1
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl number 3002
 description employee1
 rule 1 deny ip destination 10.1.11.0 0.0.0.255
 rule 3 deny ip destination 10.1.12.0 0.0.0.255
 rule 5 permit ip
acl number 3003
 description guest1
 rule 1 deny ip destination 10.1.13.0 0.0.0.255
 rule 3 deny ip destination 10.1.14.0 0.0.0.255
 rule 5 permit ip
#
free-rule-template name default_free_rule
#
free-rule-template name free1
 free-rule 1 destination ip 10.254.1.100 mask 255.255.255.0
#
url-template name urlTemplate_0
 url http://10.254.1.100:8080/portal
 url-parameter ssid ssid
#
web-auth-server portal1
 server-ip 10.254.1.100
 port 50100
 shared-key cipher Admin@123
 url-template urlTemplate_0
#
portal-access-profile name portal_access_profile
#
portal-access-profile name portal1
 web-auth-server portal1 layer3
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 excluded-ip-address 10.1.11.100
#
ip pool sta2
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
 excluded-ip-address 10.1.12.100
#
ip pool sta3
 gateway-list 10.1.13.1
 network 10.1.13.0 mask 255.255.255.0
 excluded-ip-address 10.1.13.100
#
ip pool sta4
 gateway-list 10.1.14.1
 network 10.1.14.0 mask 255.255.255.0
 excluded-ip-address 10.1.14.100
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme auth1
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme acco1
  accounting-mode radius
  accounting start-fail online
 domain default
 domain default_admin
 local-user admin password irreversible-cipher %^%#aOa;=_Sy~Ol+)uRi[2OIax8$'c*P63lRUhVe5HW4SwIm+(N.U+9Tmo:L^PPW%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 description Management VLAN
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif13
 ip address 10.1.13.100 255.255.255.0
 dhcp select global
#
interface Vlanif14
 ip address 10.1.14.100 255.255.255.0
 dhcp select global
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface Vlanif1103
 description Connect_to_Controller
 ip address 10.254.1.99 255.255.255.0
#
interface Vlanif4090
 ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk pvid vlan 4090
 port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 14 801 1102 to 1103
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
ip route-static 0.0.0.0 0.0.0.0 10.254.1.100
#
capwap source interface vlanif801
#
user-interface con 0
 authentication-mode password
 set authentication password cipher Admin@123
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher Admin@123
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 calibrate enable schedule time 03:00:00
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#%,[^#Q1jX;x0uO;D8$4*6&G&Im)sG$:<%2UK"=$2%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#Vov-H>mS`CYpa(!X}=.P3,tM)=J7cJ15#`4(ed)3%^%# aes
 security-profile name employee1
 security-profile name guest1
 ssid-profile name guest1
  ssid guest1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name guest1
  forward-mode tunnel
  service-vlan vlan-pool guest1
  ssid-profile guest1
  security-profile guest1
  authentication-profile portal_authen_profile
 vap-profile name default
 vap-profile name employee1
  service-vlan vlan-pool employee1
  learn-client-address dhcp-strict
  ssid-profile employee1
  security-profile employee1
  authentication-profile portal_authen_profile
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 air-scan-profile name wlan-airscan1
  scan-period 80
  scan-interval 80000
 rrm-profile name default
 rrm-profile name wlan-net1
  band-steer balance start-threshold 15
  band-steer balance gap-threshold 25
  sta-load-balance dynamic enable
  sta-load-balance dynamic start-threshold 15
  sta-load-balance dynamic gap-threshold 25
 radio-2g-profile name default
 radio-2g-profile name radio2g1
  dot11bg supported-rate 1 2 5 6 9 11 12 18 24 36 48 54
  dot11bg basic-rate 1 2
  rrm-profile wlan-net1
  air-scan-profile wlan-airscan1
 radio-5g-profile name default
 radio-5g-profile name radio5g1
  rrm-profile wlan-net1
  air-scan-profile wlan-airscan1
 wids-profile name default
 ap-system-profile name default
 provision-ap
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio2g1
   vap-profile employee1 wlan 1
   vap-profile guest1 wlan 2
  radio 1
   radio-5g-profile radio5g1
   vap-profile employee1 wlan 1
   vap-profile guest1 wlan 2
 ap-id 1 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
  ap-name ap1
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
  ap-name ap2
  ap-group ap-group1
#
undo ntp-service enable
#
return

You have completed experiment 4.
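A review pass over the reference configuration above, as an added example that is not part of the guide: it reports the key reused across RADIUS, portal, console and VTY contexts, VTY lines that accept every login protocol, the portal URL served over HTTP, and SSH algorithms that this example's policy treats as deprecated. The excerpt is copied from section 4.5; the `DEPRECATED_SSH` set, the check names and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Excerpt copied from the reference configuration in section 4.5.
REFERENCE_CONFIG = """\
radius-server template server1
 radius-server shared-key cipher Admin@123
radius-server authorization 10.1.254.100 shared-key cipher Admin@123 server-group server1
url-template name urlTemplate_0
 url http://10.254.1.100:8080/portal
web-auth-server portal1
 shared-key cipher Admin@123
user-interface con 0
 set authentication password cipher Admin@123
user-interface vty 0 4
 set authentication password cipher Admin@123
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
"""

# Lines that open a new configuration context in this excerpt.
OPENERS = re.compile(r"^(radius-server (?:template|authorization)|url-template name|"
                     r"web-auth-server|user-interface)\s")
SECRET = re.compile(r"(?:shared-key|password) cipher (\S+)")
SSH_ALGS = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")
# Policy of this example, not of the guide: algorithms to retire from the SSH lists.
DEPRECATED_SSH = {"3des", "aes256_cbc", "md5", "md5_96", "sha1", "sha1_96"}


def audit(config):
    """Return (check, context, detail) findings for a VRP-style configuration text."""
    findings, secret_uses, context = [], defaultdict(list), "(global)"
    for raw in config.splitlines():
        line = raw.strip()              # works on indented and flattened copies alike
        if not line or line == "#":
            continue
        if OPENERS.match(line):
            # Keep the context label free of the secret carried on the same line.
            context = re.sub(r"\s+shared-key cipher.*", "", line)
        secret = SECRET.search(line)
        if secret and not secret.group(1).startswith("%^%#"):   # %^%# marks ciphertext
            secret_uses[secret.group(1)].append(context)
        if line == "protocol inbound all" and context.startswith("user-interface vty"):
            findings.append(("vty-all-protocols", context, "restrict with: protocol inbound ssh"))
        url = re.match(r"^url (http://\S+)$", line)
        if url and context.startswith("url-template"):
            findings.append(("portal-http", context, url.group(1)))
        algs = SSH_ALGS.match(line)
        if algs:
            weak = [a for a in algs.group(3).split() if a in DEPRECATED_SSH]
            if weak:
                findings.append(("ssh-deprecated-" + algs.group(2),
                                 "ssh " + algs.group(1), " ".join(weak)))
    for uses in secret_uses.values():
        if len(uses) > 1:               # one key shared by several trust relationships
            findings.append(("reused-secret", f"{len(uses)} places", "; ".join(uses)))
    return findings


if __name__ == "__main__":
    for check, context, detail in audit(REFERENCE_CONFIG):
        print(f"{check:22} {context:34} {detail}")
```

On a live network each of these relationships (RADIUS, RADIUS authorization, portal, console, VTY) would get its own key, so that disclosure of one does not expose the others.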


5 Experiment 5: Interconnection Between the Agile Controller and an External Source

5.1 Objectives
• Learn how to add, delete, and manage users on an AD directory server.
• Learn how to configure a template for connecting the Agile Controller and an
external source.
• Learn how to configure a template for the Agile Controller synchronization scope.
• Learn how to configure a template for Agile Controller data mapping.
• Learn how the Agile Controller synchronizes with an external data source.
• Verify the synchronization result.


5.2 Plan
Figure 5-1 Experiment topology

After a network is reconstructed, the customer requests an efficient way to build an admission
control system. To address this issue, the Agile Controller is connected to an external data
source and uses the original authentication database, shortening the duration for deploying an
admission control system.
This experiment aims to synchronize user information on the AD directory server to the Agile
Controller using a specific structure.

Figure 5-2 Architecture of an AD directory server


Figure 5-3 Architecture of the Agile Controller after synchronizing with the AD directory server

5.3 Procedure
Figure 5-4 Procedure for connecting the Agile Controller to an external source


5.3.1 Configuring an AD Directory Server


Create an organizational unit (OU).
Create an OU in the domain root directory.

Name the OU "HZ".

Create five OUs, namely HR, Marketing, Engineering, R&D, and Financial, under OU HZ.
The creation procedure is similar to that for OU HZ, as shown in the following figure.


Create users.
Create users in each OU and set the password.

Enter a user name.


Set the password.


You are advised to select User cannot change password and Password never expires.

Create users Ann (HR), Bob (Marketing), Cary (Engineering), David (R&D), and Franklin
(Financial) under each OU as planned.


Create a synchronization account.


Create a user (account: admin; password: Admin@123) in the domain root directory. The
creation procedure is similar to that for other users.

5.3.2 Configuring Connection Parameters


Create a specific user group.
Log in to the Agile Controller. Click Resource > User > User Management.

Create a user group in the ROOT directory.


On the User Management tab, click beside User Group.


Enter a user group name (Hangzhou).

Configure connection parameters.


Click System > External Authentication > AD-LDAP Sync.


Add an AD server interconnection template.


Configure parameters as follows:
- Set Active Server Address to 10.254.1.101.
- Set Authentication port to 389.
- Set AD Domain to Huawei.com.
- Set Base DN to DC=Huawei,DC=com.
- Set Account for sync to admin.
- Set Password for sync to Admin@123.

After the configuration is complete, click Save, then Next.


5.3.3 Configuring the Synchronization Mode


Set the synchronization mode to OU-based synchronization.

5.3.4 Configuring the Data Structure


You are advised to use the default settings.


5.3.5 Configuring the Synchronization Scope


Configure a synchronization scope template.

Set Name to the name of the synchronization scope template.


Set Target user group to the OU where user information is stored on the Agile Controller.
Set Source User Group Object Directory to the OU where user information is stored on the
AD server.

Close the template.

5.3.6 Synchronizing User Information


Click on the right of the synchronization template.


5.4 Verifying the Synchronization Result


Check user information.
Click Resource > User > User Management.


You have completed experiment 5.


6 Experiment 6: Inter-AC Roaming in Large-Scale WLAN Networking

6.1 Objectives
- Understand the basic principle of roaming.
- Understand the basic principle of smart roaming.
- Learn the configuration method of layer 3 roaming.
- Learn the configuration method of smart roaming.
- Verify and optimize STA roaming performance.

6.2 Plan
Huawei WLAN layer 3 roaming requires that different APs have different VAPs (different
names and VLANs) but the same SSID, authentication mode, and encryption mode. This
experiment takes groups 1 and 2 as examples to illustrate the experiment plan of layer 3
roaming. Each AC requires an AP.


Figure 6-1 Experiment topology

| Group No. | AC–Switch Port | AP-Switch Port |
|---|---|---|
| 1 | Active AC: AC6005-1–G0/0/1; Roaming AC: AC6005-2–G0/0/2 | Active AC: AP1-G0/0/10; Roaming AC: AP2-G0/0/11 |
| 2 | Active AC: AC6005-3–G0/0/3; Roaming AC: AC6005-4–G0/0/4 | Active AC: AP3-G0/0/12; Roaming AC: AP4-G0/0/13 |
| 3 | Active AC: AC6005-5–G0/0/5; Roaming AC: AC6005-6–G0/0/6 | Active AC: AP5-G0/0/14; Roaming AC: AP6-G0/0/15 |

X indicates the group number and must be replaced as required. For example, the AP name of
group 1 is employee1.


| Item | AC1 | AC2 |
|---|---|---|
| AP Group | employeeX | employeeX |
| SSID Profile (Same) | SSID profile: employeeX; SSID: EmployeeX | SSID profile: employeeX; SSID: EmployeeX |
| Regulatory Domain Profile | Name: domain; Country code: CN | Name: domain; Country code: CN |
| Service VLAN (Different) | 11\12 | 21\22 |
| Security Profile (Same) | Name: employeeX; Password: huawei123 | Name: employeeX; Password: huawei123 |
| VAP Profile (Same) | Name: employeeX; Referenced profiles: SSID profile employeeX, Security profile employeeX | Name: employeeX; Referenced profiles: SSID profile employeeX, Security profile employeeX |
| Forwarding Mode (Same) | Direct forwarding | Direct forwarding |
| Roaming Group | Mobility | Mobility |

6.3 Procedure
Figure 6-2 Procedure for configuring an inter-AC roaming experiment


6.3.1 Configuring a Switch


Configure access switch SWA. Add GE0/0/11 and GE0/0/12 to VLANX0 (management
VLAN) and set the PVID to VLANX0. Add GE0/0/1 to VLANX0 through VLANX4 and to
VLAN80X.
<Quidway>system-view
[Quidway]sysname SWA
[SWA]vlan batch 10 to 12 20 to 22 801 to 802
[SWA]interface GigabitEthernet 0/0/10
[SWA-GigabitEthernet0/0/10]port link-type trunk
[SWA-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 12
[SWA-GigabitEthernet0/0/10]quit
[SWA]interface GigabitEthernet 0/0/11
[SWA-GigabitEthernet0/0/11]port link-type trunk
[SWA-GigabitEthernet0/0/11]port trunk pvid vlan 20
[SWA-GigabitEthernet0/0/11]port trunk allow-pass vlan 20 to 22
[SWA-GigabitEthernet0/0/11]quit
[SWA]interface GigabitEthernet 0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 12 801
[SWA-GigabitEthernet0/0/1]quit
[SWA]interface GigabitEthernet 0/0/2
[SWA-GigabitEthernet0/0/2]port link-type trunk
[SWA-GigabitEthernet0/0/2]port trunk allow-pass vlan 20 to 22 802
[SWA-GigabitEthernet0/0/2]quit

Create interface VLANIF80X on SWA to communicate with the AC. Create interface
Loopback0 to simulate a public network interface. Create VLANIF interfaces to function as
gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA-Vlanif801]quit
[SWA]interface Vlanif 802
[SWA-Vlanif802]ip address 10.1.202.1 24
[SWA-Vlanif802]quit
[SWA]interface LoopBack 0
[SWA-LoopBack0]ip address 100.100.100.100 32
[SWA-LoopBack0]quit
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 20
[SWA-Vlanif20]ip address 10.1.20.1 24
[SWA-Vlanif20]quit
[SWA]interface Vlanif 21
[SWA-Vlanif21]ip address 10.1.21.1 24
[SWA-Vlanif21]quit
[SWA]interface Vlanif 22
[SWA-Vlanif22]ip address 10.1.22.1 24
[SWA-Vlanif22]quit

6.3.2 Configuring Basic AC Parameters


- Configurations on AC1
Click Maintenance > AC Maintenance > Basic. Set Device name to AC1.

Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.

Create VLANs X0 through X2 and VLAN80X.


Configure IP addresses of the layer 3 interfaces corresponding to the VLANs.


Check the status of configured VLANIF interfaces. The status of the interfaces is Unavailable
because the uplink interface does not allow VLANs to pass.

Configure interface GE0/0/8 to connect to the SWA. The interface allows VLANs to pass.
Click Configuration > AC Config > Interface. On the Interface Attribute tab, click
GigabitEthernet0/0/8.


Check the configuration.


The status of the VLANIF interfaces is Available.

Create a VLAN pool, with VLAN assignment mode set to Hash.


Check whether the route between the AC and a layer 3 switch is reachable. Log in to the
web-based AC by clicking and entering user account admin and password
admin@huawei.com as indicated by the command prompt.
The IP address of the simulated public network interface on the switch cannot be pinged.
[AC1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

Configure a static route for the switch.


Click Configuration > AC Config > IP > Route > Static Route Configuration Table.
The static route configuration page is displayed.
In the Static Route Configuration Table area, click Create. In the displayed Create Static
Route dialog box, specify the parameters as required to configure the static route.

Set the next hop address to the IP address of interface VLANIF801 on the switch.

IP address 100.100.100.100 can be pinged.


[AC1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

- Configurations on AC2
Click Maintenance > AC Maintenance > Basic. Set Device name to AC2.

Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.
Create VLANs X0 through X2 and VLAN80X.

Configure IP addresses of the layer 3 interfaces corresponding to the VLANs.


Check the status of configured VLANIF interfaces. The status of the interfaces is Unavailable
because the uplink interface does not allow VLANs to pass.

Configure interface GE0/0/8 to connect to the SWA. The interface allows VLANs to pass.
Click Configuration > AC Config > Interface. On the Interface Attribute tab, click
GigabitEthernet0/0/8.


The status of the VLANIF interfaces is Available.


Create a VLAN pool, with VLAN assignment mode set to Hash.

Check whether the route between the AC and a layer 3 switch is reachable. Log in to the
web-based AC by clicking and entering user account admin and password
admin@huawei.com as indicated by the command prompt.
The IP address of the simulated public network interface on the switch cannot be pinged.
[AC2]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

Configure a static route for the switch.


Click Configuration > AC Config > IP > Route > Static Route Configuration Table.
The static route configuration page is displayed.
In the Static Route Configuration Table area, click Create. In the displayed Create Static
Route dialog box, specify the parameters as required to configure the static route.

Set the next hop address to the IP address of interface VLANIF802 on the switch.

IP address 100.100.100.100 can be pinged.


[AC2]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

6.3.3 Creating an AP Group


Create AP group ap-groupX for both AC1 and AC2.


Click Configuration > AP Config > AP Group. On the AP Group tab, click Create.
- Create an AP group for AC1.

- Create an AP group for AC2.

6.3.4 Configuring AP Online Parameters


Configure a DHCP address pool. Enable DHCP on AC1 and AC2. Assign IP addresses to the
STA and AP.
- Configurations on AC1
Click Configuration > AC Config > IP > DHCP Address Pool, set DHCP status to
ON to enable the DHCP function, and click Create to create an IP address pool.


Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.

Click to configure the gateway IP address, address pool interface, and IP addresses that
cannot be assigned.

Configure the IP addresses that cannot be assigned.

Configure the address pool interface.


Configure the subnet address for an address pool.

Configure the gateway address.

Configure the IP addresses that cannot be assigned.

Configure the address pool interface.

Configure the subnet address for address pool sta2.


Configure the gateway IP address for address pool sta2.

Configure the IP addresses that cannot be assigned in address pool sta2.

Configure the address pool interface.

Check the created address pools.

- Configurations on AC2
Create address pools on AC2. The steps are the same as those on AC1 and are not
repeated. After the address pools are created, the following information will be
displayed.
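
Option 43 on the AP address pool is what lets an AP on another subnet find its AC. The following added example (not part of the Huawei guide) encodes and decodes the value behind "option 43 sub-option 3 ascii 10.1.201.100" from the reference configuration and checks an offered value against the planned AC address. The comma-separated handling of several addresses and the two sample offers are assumptions constructed for illustration.

```python
import ipaddress

SUBOPT_AC_ASCII = 3  # the "sub-option 3 ascii" form used in the reference configuration


def encode_option43_ascii(ac_addrs):
    """Build the Option 43 value: one TLV (type 3, length, ASCII address list)."""
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addrs).encode("ascii")
    if not text or len(text) > 255:
        raise ValueError("address list must be 1..255 bytes once encoded")
    return bytes([SUBOPT_AC_ASCII, len(text)]) + text


def parse_option43(payload):
    """Split an Option 43 value into {sub-option code: value}, rejecting malformed TLVs."""
    subopts, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, %d present"
                             % (code, length, len(value)))
        if code in subopts:
            raise ValueError("duplicate sub-option %d" % code)
        subopts[code] = value
        i += 2 + length
    return subopts


def ac_addresses(payload):
    """Return the AC addresses carried in sub-option 3 as IPv4Address objects."""
    subopts = parse_option43(payload)
    if SUBOPT_AC_ASCII not in subopts:
        raise ValueError("no sub-option 3 (AC address list) in Option 43")
    try:
        text = subopts[SUBOPT_AC_ASCII].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("sub-option 3 is not ASCII") from None
    # Assumption: several AC addresses are separated by commas.
    return [ipaddress.IPv4Address(part.strip()) for part in text.split(",")]


def check_offer(payload, planned_acs):
    """Compare an offered Option 43 value with the planned AC source addresses.

    Returns a list of findings; an empty list means the offer matches the plan.
    """
    planned = {ipaddress.IPv4Address(a) for a in planned_acs}
    try:
        offered = set(ac_addresses(payload))
    except ValueError as exc:
        return ["malformed Option 43: %s" % exc]
    findings = ["unexpected AC address offered: %s" % a for a in sorted(offered - planned)]
    findings += ["planned AC address missing: %s" % a for a in sorted(planned - offered)]
    return findings


# Values from the page: the AP pools on AC1 and AC2 (sections 6.5.1 and 6.5.2).
AC1_OPTION43 = encode_option43_ascii(["10.1.201.100"])
AC2_OPTION43 = encode_option43_ascii(["10.1.202.100"])
# Constructed samples: an offer naming an address outside the plan, and a cut-off TLV.
FOREIGN_OFFER = encode_option43_ascii(["192.0.2.66"])
TRUNCATED_OFFER = AC1_OPTION43[:-3]

if __name__ == "__main__":
    print("AC1 Option 43 bytes:", AC1_OPTION43.hex())
    samples = [("ac1", AC1_OPTION43), ("foreign", FOREIGN_OFFER), ("truncated", TRUNCATED_OFFER)]
    for name, offer in samples:
        print(name, check_offer(offer, ["10.1.201.100"]) or "matches plan")
```

Run against a captured DHCP offer on the AP management VLAN, the same check shows whether the AP is being pointed at the CAPWAP source address configured on the AC.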

Configure the AC source address and AP authentication mode.


Click Configuration > AC Config > Basic Config > AC Configuration, select VLANIF for
AC source address, click , and set the AC source address to VLANIF80X. Click
Apply.
Configure the AC1 source address and AP authentication mode.

Configure the AC2 source address and AP authentication mode.

Add APs.


AP authentication modes include MAC authentication, SN authentication, and
non-authentication. MAC authentication is used by default. You need to manually add the AP
list to the AC. In this experiment, AP6010DN is used.
You can perform the following operations to check the unauthorized AP list and obtain the
required MAC address:
Click Configuration > AP Config > AP Config > AP Info, and click Non-authorized AP
List. Alternatively, you can obtain the MAC address on the back of the AP.
You can click an AP to view the AP information.

Perform the following operations to add an AP:


Click Configuration > AP Config > AP Config > AP Info. Click Create, and enter the MAC
address of the AP to be added.

View the information about added APs. Select APs, click Deploy to add them to AP group
employee1, and name them ap1 and ap2 according to their IDs.


The AP status changes to fault and then to normal. If the AP cannot go online, check the
configuration.

Add APs to AC2.


Check the MAC addresses of APs.

Manually add APs.


Add APs to an AP group.

APs go online normally.

6.3.5 Configuring WLAN Service Parameters


Create security profile employeeX, and configure the security policy. In this experiment, the
security policy is set to WPA2+PSK+AES and password to huawei123. In actual situations,
the security policy must be configured as required.
Click Configuration > AP Config > Profile > Wireless Service.
The wireless service configuration page is displayed.
Configure AC1.


On the AC, create SSID profile employeeX. Set SSID to employeeX.


Create VAP profile employeeX, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.

Create VAP profile employee1.


Set Service VLAN to VLAN Pool, and Forwarding mode to Direct.

Bind the SSID profile to the VAP profile.

Bind the security profile to the VAP profile.


Bind the VAP profile to the AP group. Bind VAP profile employeeX to AP group employeeX,
and apply the VAP profile to radio 0 and radio 1 of the AP. Click AP Group > employee1 >
VAP Configuration, and click Add.

Configure AC2.
Create a security profile.


Create an SSID profile.

In a roaming experiment, the SSID on AC2 must be the same as that on AC1.


Create a VAP profile.

Bind the SSID profile to the VAP profile.

Bind the security profile to the VAP profile.


Bind the VAP profile to the AP group. Bind VAP profile employeeX to AP group employeeX,
and apply the VAP profile to radio 0 and radio 1 of the AP. Click AP Group > employee2 >
VAP Configuration, and click Add.

Check whether radios are normal.


Click Monitoring > SSID > VAP to check AP information.
Configure AC1.


Configure AC2.

6.3.6 Configuring Layer 3 Roaming


This experiment uses direct forwarding layer 3 roaming.
Basic WLAN services are deployed on AC1 and AC2, and STAs can access the WLAN.
Configure AC1 as a DHCP server, which assigns IP addresses for its associated STAs and all
APs. Configure AC2 as another DHCP server, which assigns IP addresses for its associated
STAs.
Configure the WLAN roaming function on AC1. Enable the Master Controller function of
AC1, and configure AC1 and AC2 to be managed by the Master Controller.


Create a roaming group by performing the following:
Step 1 Click Configuration > AC Config > Basic > Inter-AC Roaming.
The Inter-AC Roaming page is displayed.
Step 2 Click Create under Roaming Group List.
The page for creating a roaming group is displayed.
Step 3 Set the roaming group name to mobility. Add ACs to the roaming group.
Step 4 Click OK.
----End


Configure AC2.

6.4 Verification
In the coverage area of ap1, the STA detects the WLAN with SSID Employee1 and accesses
the WLAN after entering password huawei123. The access information about the STA shows
that the STA with MAC address 683e-345e-7734 is bound to ap1.
Click Monitoring > User > User Statistics > User List.

Perform the ping operation on the STA. Let the user move away from APX to trigger layer 3
roaming. (You can deploy APs far away from each other and let the user move between the
APs. Alternatively, you can adjust the RF power of the AP group to simulate signal weakening.
In this experiment, the second method is used.) Click Configuration > AP Config > AP
Group. On the AP Group tab, click employeeX.
The AP group configuration page is displayed.

Set EIRP(dBm) to 1, and click Apply.

When the signal of AC1 weakens, the STA automatically switches over to AC2. View the user
list on AC2.


Select the STA, and click to view the roaming records.

According to the roaming records, after radio 0 is switched to the 2.4 GHz frequency band,
the STA automatically switches to the 5 GHz frequency band. This is layer 2 roaming (the STA
roams between radios of an AP). After the 5 GHz frequency band is disabled, the STA roams to
AC2.

6.5 Reference Configuration


6.5.1 AC1 Configuration
#
sysname AC1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 12 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
master-controller enable
#
vlan pool employee1
vlan 11 to 12
#


dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool AP
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %^%#j'-qKyOhaAb*ib(-I(CW+kZ>:_a5BM*I}@*}M.xQyzx2UP-S}P-ylA$XcF!~%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#


interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
snmp-agent local-engineid 800007DB03845B12566919
snmp-agent sys-info location Hangzhou China
snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password cipher %^%#<MQ/T4bN:AYz9x5<mD;;@eW$LUyU3Jb5dG-nK+J7]/+$@cf5M:v^z7I:LO!7%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15


set authentication password cipher %^%#WknIF+-"87:|{]NPW6]~z[3yT@MP5UXq%J9yB5+;JA-f7)j,>JWI%oE&%:WM%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#Q*r(59RI"9zzNE(&'Lh6]x_:7Yhv7Ed7S^37Y@].%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#B$C*%T9)|!\t3@&#Sg,.'<z_9r4QR2bZ~-=gCL\T%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase %^%#AB6XB.uR4Kv-ok7=yrm%:V`<*K}!tDl!o*"K=*VY%^%# aes
ssid-profile name default
ssid-profile name employee1
ssid Employee1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
address-mode dhcp
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name employee1
radio 0
vap-profile employee1 wlan 1
eirp 1
radio 1
vap-profile employee1 wlan 1
eirp 1
ap-id 0 type-id 19 ap-mac cccc-8110-22c0 ap-sn 210235448310C9000015
ap-group employee1
#
master controller
ac id 1 ip 10.1.201.100
ac id 2 ip 10.1.202.100
mobility-group name mobility
member ac id 1
member ac id 2
#
undo ntp-service enable
#
return

6.5.2 AC2 Configuration


#
sysname AC2
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 20 to 22 802 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool employee1
vlan 21 to 22
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool AP
gateway-list 10.1.20.1
network 10.1.20.0 mask 255.255.255.0
excluded-ip-address 10.1.20.100
option 43 sub-option 3 ascii 10.1.202.100
#
ip pool sta1
gateway-list 10.1.21.1
network 10.1.21.0 mask 255.255.255.0
excluded-ip-address 10.1.21.100
#
ip pool sta2
gateway-list 10.1.22.1
network 10.1.22.0 mask 255.255.255.0
excluded-ip-address 10.1.22.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password
irreversible-cipher %^%#`-,lQg[[l2!,d#)M[M]TL!1~<B(O|VH0_~1-rGf$^\>3YC&mwK\M4!A=NqA
W%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif20
ip address 10.1.20.100 255.255.255.0
dhcp select global
#
interface Vlanif21
ip address 10.1.21.100 255.255.255.0
dhcp select global
#
interface Vlanif22
ip address 10.1.22.100 255.255.255.0
dhcp select global
#
interface Vlanif802
ip address 10.1.202.100 255.255.255.0
#
interface Vlanif4090
ip address 172.21.11.4 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 20 to 22 802
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.202.1
#
capwap source interface vlanif802
#
user-interface con 0
authentication-mode password
set authentication password
cipher %^%#YLgcTuvS]Eo_5"M~:_(!(DGnEtd=w"xV_a0Mi8!TP!V8.6aAB&Hf_)QD1;TF%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password
cipher %^%#M|L@UP,_uCfJSu*3G*|$^Y$g&S~I"$[1&58>"Uo~g6rwG&cf=._e+}Lo~b\/%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#ZEv(Y`,;<A!b<#($y^Q.v8heV@*[KT=k]p3D{#0:%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#caVJ/zvM":721N&w"+H5Ki\9JN+FV5WhRx(:G_;I%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase %^%#{(*)"_ux"*-cG0U/ywhQ#y[nOsO}$#\nsA&\/\gQ%^%# aes
ssid-profile name default
ssid-profile name employee1
ssid Employee1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool employee1
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
master-controller ip 10.1.201.100
ap-group name default
ap-group name employee1
radio 0
vap-profile employee1 wlan 1
radio 1
vap-profile employee1 wlan 1
ap-id 0 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-group employee1
#
undo ntp-service enable
#
return

You have completed experiment 6.
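The management-plane settings in the two reference configurations above can be checked mechanically. The following Python script is an added example, not part of the guide or of Huawei's tooling; the rule names, the choice of which algorithm names count as legacy, and the hardened comparison snippet are assumptions of the example.

```python
import re

# Algorithm names exactly as they appear in the "secure-algorithms" lines on
# this page. Treating these as legacy is this example's policy (assumption);
# "aes128" is left unclassified because the page does not state its mode.
LEGACY_CIPHERS = {"3des", "aes256_cbc"}
LEGACY_HMACS = {"md5", "md5_96", "sha1", "sha1_96"}

# Excerpt of the AC2 reference configuration above. The password ciphertext
# lines are omitted; the flattened (unindented) layout matches the page.
SAMPLE_CONFIG = """\
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
authentication-mode password
user privilege level 15
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
"""

# Constructed hardened variant for comparison (not from the guide).
HARDENED_CONFIG = """\
#
stelnet server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound ssh
#
"""

SSH_ALGO_RE = re.compile(r"^ssh (server|client) secure-algorithms (cipher|hmac) (.+)$")


def audit(config_text):
    """Return a list of (line_number, rule_id, detail) findings."""
    findings = []
    ui = None  # state of the user-interface block being read, if any
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()  # tolerate both indented and flattened exports
        if not line:
            continue
        if line == "#":  # '#' closes the current section
            ui = None
            continue
        if line.startswith("user-interface "):
            ui = {"name": line.split(" ", 1)[1], "auth": None, "level": None}
            continue

        m = SSH_ALGO_RE.match(line)
        if m:
            side, kind, names = m.group(1), m.group(2), m.group(3).split()
            legacy = LEGACY_CIPHERS if kind == "cipher" else LEGACY_HMACS
            hits = [n for n in names if n in legacy]
            if hits:
                findings.append((lineno, "LEGACY-SSH-" + kind.upper(),
                                 f"ssh {side} offers {', '.join(hits)}"))
            continue

        if ui is None or not ui["name"].startswith("vty"):
            continue  # the remaining rules apply only inside VTY blocks

        if line.startswith("protocol inbound "):
            proto = line.split()[-1]
            if proto in ("telnet", "all"):  # "all" also admits Telnet
                findings.append((lineno, "TELNET-VTY",
                                 f"{ui['name']} accepts Telnet (protocol inbound {proto})"))
        elif line.startswith("authentication-mode "):
            ui["auth"] = line.split()[-1]
        elif line.startswith("user privilege level "):
            ui["level"] = int(line.split()[-1])

        # One shared line password that grants level 15: no per-user identity.
        if ui["auth"] == "password" and ui["level"] == 15:
            findings.append((lineno, "SHARED-PW-L15",
                             f"{ui['name']} uses a shared password at privilege level 15"))
            ui["auth"] = None  # report once per block


    return findings


if __name__ == "__main__":
    for lineno, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {detail}")
```

Line numbers in the findings refer to the text passed to `audit`, so feed it the full saved configuration to get positions that match the device export.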

7 Experiment 7: VRRP-based AC Hot Standby

7.1 Objectives
• Learn the methods of backing up and recovering device configurations.
• Learn the method of configuring VRRP hot standby.
• Learn the method of optimizing VRRP hot standby.

7.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.

Figure 7-1 Experiment topology

Group No.  AC-Switch Port                 AP-Switch Port
1          Active AC: AC6005-1–G0/0/1     Active AC: AP1-G0/0/10
           Standby AC: AC6005-2–G0/0/2    Standby AC: AP2-G0/0/11
2          Active AC: AC6005-3–G0/0/3     Active AC: AP3-G0/0/12
           Standby AC: AC6005-4–G0/0/4    Standby AC: AP4-G0/0/13
3          Active AC: AC6005-5–G0/0/5     Active AC: AP5-G0/0/14
           Standby AC: AC6005-6–G0/0/6    Standby AC: AP6-G0/0/15

X indicates the group No. In a dual-link experiment, X can be set to 1, 3, 5, 7, or 9; X+1 can
be set to 2, 4, 6, 8, or 10.
Item                          Active AC (AC X)               Standby AC (AC X+1)
Management VLAN               VLANIF80X: 10.1.20X.100/24     VLANIF80X: 10.1.20X.200/24
Service VLAN                  VLANX1: 10.1.X1.100            VLANX1: 10.1.X1.200
  Guest VLAN: X1 and X2       VLANX2: 10.1.X2.100            VLANX2: 10.1.X2.200
  Employee VLAN: X3 and X4    VLANX3: 10.1.X3.100            VLANX3: 10.1.X3.200
                              VLANX4: 10.1.X4.100            VLANX4: 10.1.X4.200
Virtual IP Address of the     VLANIF80X: 10.1.20X.3/24
Management VRRP Group
Virtual IP Address of the     VLANX0: 10.1.X0.3
Service VRRP Group            VLANX1: 10.1.X1.3
                              VLANX2: 10.1.X2.3
                              VLANX3: 10.1.X3.3
                              VLANX4: 10.1.X4.3
AP Group                      Name: ap-groupX
                              VAP ID: 1
                              VAP profile: guestX
                              Regulatory domain profile: domainX
                              VAP ID: 2
                              VAP profile: employeeX
                              Regulatory domain profile: domainX
Regulatory Domain Profile     Name: domainX
                              Country code: CN
SSID Profile                  Name: guestX
                              SSID name: guestX
                              Name: employeeX
                              SSID name: employeeX
Security Profile              Name: guestX
                              Security policy: open authentication
                              Name: employeeX
                              Security policy: WPA2+PSK+AES
                              Password: b1234567
VAP Profile                   Name: guestX
                              Forwarding mode: direct forwarding
                              Service VLAN pool: Guest
                              Name: employeeX
                              Forwarding mode: direct forwarding
                              Service VLAN pool: Employee


7.3 Procedure
Figure 7-2 Configuration procedure

7.3.1 Configuring a Switch


Configure access switch SWA. Add GE0/0/10 and GE0/0/11 to VLANX0 (management
VLAN) and set the PVID to VLANX0. Add GE0/0/1 and GE0/0/2 to VLANs X0 through X4
and VLAN80X.
<Quidway>system-view
[Quidway]sysname SWA
[SWA]vlan batch 10 to 14 801
[SWA]interface GigabitEthernet 0/0/10
[SWA-GigabitEthernet0/0/10]port link-type trunk
[SWA-GigabitEthernet0/0/10]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/10]port trunk allow-pass vlan 10 to 14
[SWA-GigabitEthernet0/0/10]quit
[SWA]interface GigabitEthernet 0/0/11
[SWA-GigabitEthernet0/0/11]port link-type trunk
[SWA-GigabitEthernet0/0/11]port trunk pvid vlan 10
[SWA-GigabitEthernet0/0/11]port trunk allow-pass vlan 10 to 14
[SWA-GigabitEthernet0/0/11]quit
[SWA]interface GigabitEthernet 0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 14 801
[SWA-GigabitEthernet0/0/1]quit
[SWA]interface GigabitEthernet 0/0/2
[SWA-GigabitEthernet0/0/2]port link-type trunk
[SWA-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 to 14 801
[SWA-GigabitEthernet0/0/2]quit


Create interface VLANIF80X on SWA to communicate with the AC. Create a LoopbackX
interface, and set its IP address to 10X.10X.10X.10X to simulate a public network interface.
Create VLANIF interfaces to function as gateways of service VLANs.
[SWA]interface Vlanif 801
[SWA-Vlanif801]ip address 10.1.201.1 24
[SWA-Vlanif801]quit
[SWA]interface LoopBack 1
[SWA-LoopBack1]ip address 101.101.101.101 32
[SWA-LoopBack1]quit
[SWA]interface Vlanif 10
[SWA-Vlanif10]ip address 10.1.10.1 24
[SWA-Vlanif10]quit
[SWA]interface Vlanif 11
[SWA-Vlanif11]ip address 10.1.11.1 24
[SWA-Vlanif11]quit
[SWA]interface Vlanif 12
[SWA-Vlanif12]ip address 10.1.12.1 24
[SWA-Vlanif12]quit
[SWA]interface Vlanif 13
[SWA-Vlanif13]ip address 10.1.13.1 24
[SWA-Vlanif13]quit
[SWA]interface Vlanif 14
[SWA-Vlanif14]ip address 10.1.14.1 24
[SWA-Vlanif14]quit

7.3.2 Configuring Basic Information About AC1


Create VLANs X0 through X4 and VLAN80X.
Click Maintenance > AC Maintenance > Basic. Change the device name to AC6005-1, and
click Apply.

Click Configuration > AC Config > VLAN. On the VLAN tab, click Batch Create.


Create VLANs X0 through X4 and VLAN80X.

Configure IP addresses of the layer 3 interfaces corresponding to the VLANs.


Check the configured VLANIF interfaces.

Create a VLAN pool, with VLAN assignment mode set to Hash.


Check the created VLAN pools.

Configure a DHCP address pool.


Click Configuration > AC Config > IP > DHCP Address Pool, set DHCP status to ON to
enable the DHCP function, and click Create to create an IP address pool.


Option 43 must be configured for the AP address pool because layer 3 bypass networking is used.

Click to configure the gateway IP, address pool interface, and IP address not to
be assigned.

Configure the address pool interface.


Configure user address pools. VLAN11 and VLAN12 form a guest address pool, and
VLAN13 and VLAN14 form an employee address pool.
Configure IP address pool Guest1.

Configure the gateway IP address for address pool Guest1.


Configure the IP addresses that cannot be assigned in address pool Guest1.

Configure the interface for address pool Guest1.

Configure IP address pool Guest2.

Configure the gateway IP address for address pool Guest2.

Configure the IP addresses that cannot be assigned in address pool Guest2.


Configure the interface for address pool Guest2.

Configure the subnet address for address pool Employee1.

Configure the gateway IP address for address pool Employee1.

Configure the IP addresses that cannot be assigned in address pool Employee1.


Configure the subnet address for address pool Employee2.

Configure the gateway IP address for address pool Employee2.

Configure the IP addresses that cannot be assigned in address pool Employee2.

Configure the interface for address pool Employee2.


Check the created address pools.

Configure interface GigabitEthernet0/0/8 to connect to the switch.


Click Configuration > AC Config > Interface > Interface Attribute, and click
GigabitEthernet0/0/8.
The interface configuration page is displayed.


Check the configuration of interface GigabitEthernet0/0/8.

Check whether the route between the AC and a layer 3 switch is reachable. The following
command output indicates that 100.100.100.100 (the simulated public network interface on
the switch) cannot be pinged.

Log in to the web-based AC by clicking and entering user account admin and
password admin@huawei.com as indicated by the command prompt.
[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

Configure a static route for the switch.


Click Configuration > AC Config > IP > Route > Static Route Configuration Table.
The static route configuration page is displayed.
In the Static Route Configuration Table area, click Create. In the displayed Create Static
Route dialog box, specify the parameters as required to configure the static route.

Set the next hop address to the IP address of interface VLANIF801 on the switch.

IP address 100.100.100.100 can be pinged.


[AC6005-1]ping 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Reply from 100.100.100.100: bytes=56 Sequence=1 ttl=255 time=7 ms
Reply from 100.100.100.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.100.100.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 100.100.100.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/9/10 ms

7.3.3 Configuring Basic Information About AC2


The configuration method is the same as that of AC1. The following figures show the
configuration result. Note that the IP addresses are different from those of AC1.
Create VLANs.


Configure VLANIF interfaces.

Configure VLAN pools.


Configure an interface.

Configure DHCP address pools.

Configure a route.

Test the route connectivity.


[AC6005-2]ping 101.101.101.101
PING 101.101.101.101: 56 data bytes, press CTRL_C to break
Reply from 101.101.101.101: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 101.101.101.101: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 101.101.101.101 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

[AC6005-2]

7.3.4 Creating an AP Group


Create AP group ap-groupX for both AC1 and AC2.

7.3.5 Configuring AP Online Parameters


The configuration is the same on active and standby ACs.
Configure the AC source address and AP authentication mode.

Add APs to the AC in offline mode. You need to obtain the MAC addresses of APs first. You
can query the MAC addresses in the unauthenticated AP list.


Manually add APs based on MAC addresses. Name the two APs AP1 and AP2.

Check the AP status.

Add the APs to AP group ap-groupX.


After APs are added, their status will change from fault to config, and then to normal. If the
AP status does not change to normal several minutes after the AP is added, check the
configuration of VLAN, DHCP, and AP authentication.

An AP cannot go online on two ACs simultaneously. Therefore, the AP status on the standby
AC is idle.

7.3.6 Configuring WLAN Service Parameters


Create security profiles guestX and employeeX. Set the security policy of guestX to
open authentication and that of employeeX to WPA2+PSK+AES, with the password
b1234567.
This experiment focuses on basic configuration. In a real deployment, configure the
security policy according to the actual requirements.


Create SSID profiles guestX and employeeX, and set SSIDs to guestX and employeeX,
respectively.

Create VAP profiles guestX and employeeX, set the data forwarding mode to direct
forwarding for the profiles, and bind the security profile and SSID profile to the VAP profile.


Bind the regulatory domain profile and VAP profile to the AP group. When AP group
ap-groupX uses VAP profile guestX, set VAP ID to 1. When AP group ap-groupX uses VAP
profile employeeX, set VAP ID to 2. Radios 0 and 1 on the AP use the configuration of the
VAP profile.

7.3.7 Checking the VAP Status


The AC automatically delivers WLAN service configurations to APs. After the service
configuration is complete, check the VAP status by performing the following:
Click Monitoring SSID > VAP > VAP List.
If the value of Status is ON, the VAPs have been successfully created on AP radios.

7.3.8 Configuring VRRP-based Dual-AC Hot Standby


Log in to the web-based AC. Click Configuration > Backup Settings > Backup Settings.
The Backup Settings page is displayed.
• Configurations on the active AC:
Create a management VRRP group on AC1. Set AC1 priority to 120 in the group and
preemption time to 120s.


Create a service VRRP group on AC1.


Configure the hot standby function on the active AC. Create HSB service 0 on AC1, and
configure the IP address and port No. of active and standby channels, as well as packet
retransmission times and interval for the service.

Create HSB group 0 on AC1, and bind this group to HSB service 0 and the management
VRRP group.
Enable dual-AC hot standby.

Configure the source interface for AC1.


Modify the option 43 field of the DHCP server.

• Configurations on the standby AC:


Create a management VRRP group on AC2.


Create a service VRRP group on AC2.


Configure the hot standby function on the standby AC. Create HSB service 0 on AC2,
and configure the IP address and port No. of active and standby channels, as well as
packet retransmission times and interval for the service.

Create HSB group 0 on AC2, and bind this group to HSB service 0 and the management
VRRP group. Select DHCP, User access, and AP for HSB service.

Enable dual-AC hot standby. Configure the status recovery delay for the VRRP group to
30s.


Configure the source interface for AC2.

Modify the option 43 field of the DHCP server.
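The Option 43 note in 7.3.2 and the "Modify the option 43 field" steps above both determine which AC address an AP is told to contact. The following Python script is an added example, not part of the guide: it builds the payload for `option 43 sub-option 3 ascii 10.1.201.3` and checks a received payload against the expected VRRP virtual address. It assumes the usual encapsulated layout (one-byte sub-option code, one-byte length, data) with the address carried as ASCII text, comma-separated when several are listed; the function names and sample payloads are constructed for the example.

```python
import ipaddress

AC_SUBOPTION = 3  # the sub-option number in "option 43 sub-option 3 ascii ..."


def encode_option43_ascii(ac_addresses):
    """Build an option 43 payload: sub-option code, length, ASCII address list."""
    text = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses)
    data = text.encode("ascii")
    if len(data) > 255:
        raise ValueError("sub-option data does not fit in a one-byte length")
    return bytes([AC_SUBOPTION, len(data)]) + data


def parse_option43(payload):
    """Split the payload into {sub_option_code: data}, rejecting malformed TLVs."""
    subopts = {}
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        end = pos + 2 + length
        if end > len(payload):
            raise ValueError(f"sub-option {code} claims {length} bytes, "
                             f"only {len(payload) - pos - 2} present")
        if code in subopts:
            raise ValueError(f"sub-option {code} appears twice")
        subopts[code] = payload[pos + 2:end]
        pos = end
    return subopts


def ac_addresses(payload):
    """Return the AC addresses carried in sub-option 3 as IPv4Address objects."""
    subopts = parse_option43(payload)
    if AC_SUBOPTION not in subopts:
        raise ValueError("no sub-option 3 in option 43")
    try:
        text = subopts[AC_SUBOPTION].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("sub-option 3 is not ASCII") from None
    # IPv4Address raises a ValueError subclass on anything that is not an address
    return [ipaddress.IPv4Address(part) for part in text.split(",")]


def check_offer(payload, expected):
    """Return a list of problems; empty means every advertised AC is expected."""
    allowed = {ipaddress.IPv4Address(a) for a in expected}
    try:
        advertised = ac_addresses(payload)
    except ValueError as exc:
        return [f"malformed option 43: {exc}"]
    return [f"unexpected AC address {a}" for a in advertised if a not in allowed]


# Constructed sample payloads (not captured from a device).
OFFER_AFTER_VRRP = bytes.fromhex("030a31302e312e3230312e33")  # "10.1.201.3"
OFFER_PHYSICAL_AC = encode_option43_ascii(["10.1.201.100"])   # AC1's own address
OFFER_TRUNCATED = bytes.fromhex("030a3130")                   # length exceeds data

EXPECTED = {"10.1.201.3"}  # virtual IP of the management VRRP group (group 1)

if __name__ == "__main__":
    for name, payload in [("after VRRP", OFFER_AFTER_VRRP),
                          ("physical AC", OFFER_PHYSICAL_AC),
                          ("truncated", OFFER_TRUNCATED)]:
        print(name, check_offer(payload, EXPECTED) or "ok")
```

A payload that still carries an AC's own interface address instead of the virtual address is reported, which is the state the address pool is in before the option 43 field is modified.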

7.4 Verification
7.4.1 Verifying Dual-Link Standby
After the configuration is complete, check the AP status on AC1 and AC2. The AP status on
AC1 is normal and that on AC2 is standby.
Configure AC1.


Configure AC2.

Disconnect AC1 from the switch to cut the connection between the AP and AC1. Check the
AP status on AC2.

7.4.2 Verifying Dual-Link Switchback


In a dual-link switchback, an AP that has switched to the standby AC switches back to the
active AC after the active AC recovers. Reconnect AC1 and the switch. Check the AP status
after 150s, because the status recovery delay of the VRRP group is set to 30s and the
preemption waiting time is set to 120s.

7.5 Reference Configuration


7.5.1 AC1 Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vrrp recover-delay 30
#
vlan batch 10 to 14 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool Guest
vlan 11 to 12
vlan pool Employee
vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool AP
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.3
#
ip pool Guest1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool Guest2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
ip pool Employee1
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
excluded-ip-address 10.1.13.100
#
ip pool Employee2
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
excluded-ip-address 10.1.14.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password
irreversible-cipher %^%#},0QB%yPG@'>D%9eOOi6Njju(s+Ak)(5G21IpI0;]hbI9Ebo(NQOkJP&Tj1
U%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.10.3
vrrp vrid 2 preempt-mode timer delay 120
vrrp vrid 2 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.11.3
vrrp vrid 3 preempt-mode timer delay 120
vrrp vrid 3 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.12.3
vrrp vrid 4 preempt-mode timer delay 120
vrrp vrid 4 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.13.3
vrrp vrid 5 preempt-mode timer delay 120
vrrp vrid 5 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
vrrp vrid 6 virtual-ip 10.1.14.3
vrrp vrid 6 preempt-mode timer delay 120
vrrp vrid 6 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.201.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 120
#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.3
#
user-interface con 0
authentication-mode password
set authentication password
cipher %^%#);IT*AoN7Duhza:nM(pNW$@|&G]1WWPk~>0ap6S;ZhcY9_eAf(>{E96G-F$@%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password
cipher %^%#5A==JPO1uSr4z0(^.+uMC#oiE3ab>;3=\KGFAI%.{Tm4O.:8R5H7=#ZuQe>.%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
hsb-service 0

service-ip-port local-ip 10.1.201.100 peer-ip 10.1.201.200 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-group 0
track vrrp vrid 1 interface Vlanif801
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ap data-collection enable
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#U.7@O=:SiO[vnI'IqOd(|/1eF#1xY%;z8O!qCa^$%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#S,}u>2@rt5x.G\Bhh>x%[CTmT!Gq[HS5Hr(E6d:Q%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase %^%#tR0n)Mm2_*nH}-(6~|l5WC.\"/W.yT'iOv$TMX^B%^%# aes
security-profile name guest1
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool Guest
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool Employee
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default

ap-group name ap-group1
radio 0
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
radio 1
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
ap-id 0 type-id 19 ap-mac cccc-8110-22c0 ap-sn 210235448310C9000015
ap-group ap-group1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-group ap-group1
#
undo ntp-service enable
#
return

7.5.2 AC2 Configuration


#
sysname AC6005-2
#
http secure-server ssl-policy default_policy
http server enable
#
vrrp recover-delay 30
#
vlan batch 10 to 14 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool Guest
vlan 11 to 12
vlan pool Employee
vlan 13 to 14
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#

portal-access-profile name portal_access_profile
#
ip pool AP
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.200
option 43 sub-option 3 ascii 10.1.201.3
#
ip pool Guest1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.200
#
ip pool Guest2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.200
#
ip pool Employee1
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
excluded-ip-address 10.1.13.200
#
ip pool Employee2
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
excluded-ip-address 10.1.14.200
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password
irreversible-cipher %^%#7);3X,fFbXxIN_Ch/Te8a@LEVrrJ69hlr]R#("qTXh[w9`O",:[prm>}1]!
V%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.200 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.10.3
vrrp vrid 2 preempt-mode timer delay 120
vrrp vrid 2 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif11
ip address 10.1.11.200 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.11.3

vrrp vrid 3 preempt-mode timer delay 120
vrrp vrid 3 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif12
ip address 10.1.12.200 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.12.3
vrrp vrid 4 preempt-mode timer delay 120
vrrp vrid 4 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif13
ip address 10.1.13.200 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.13.3
vrrp vrid 5 preempt-mode timer delay 120
vrrp vrid 5 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif14
ip address 10.1.14.200 255.255.255.0
vrrp vrid 6 virtual-ip 10.1.14.3
vrrp vrid 6 preempt-mode timer delay 120
vrrp vrid 6 track admin-vrrp interface Vlanif801 vrid 1 unflowdown
dhcp select global
#
interface Vlanif801
ip address 10.1.201.200 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.201.3
admin-vrrp vrid 1
vrrp vrid 1 preempt-mode timer delay 120
#
interface Vlanif4090
ip address 172.21.11.4 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk pvid vlan 4090
port trunk allow-pass vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#

interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.3
#
user-interface con 0
authentication-mode password
set authentication password
cipher %^%#C3OmYs6.|9OM-_AxF~i;#&sY"n8UoMFZ-(3=[Hp$mSbyKZZ37.::l]MZ~(pS%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password
cipher %^%#.v&6P[:U];ofUWJG$5%%<l"C>R2zx5yAueHQ04/1Ffb(%^QR]O.k5RK.GJJ-%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
service-ip-port local-ip 10.1.201.200 peer-ip 10.1.201.100 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-group 0
track vrrp vrid 1 interface Vlanif801
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ap data-collection enable
traffic-profile name default
security-profile name default
security-profile name default-wds
security wpa2 psk pass-phrase %^%#F'P$$umj&.5>V$NURcdVS0o~WrcR3JuB!hXs+gj#%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#M38HTcd]0HC`*24fFft!^+uQL2Y|p$._k95W'eY%%^%# aes
security-profile name employee1
security wpa2 psk pass-phrase %^%#QG)]TEW(FFB}RmXyf{.WH="WQrd-5N/)rnP#//~*%^%# aes
security-profile name guest1

ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool Guest
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool Employee
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
radio 0
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
radio 1
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
ap-id 0 type-id 19 ap-mac cccc-8110-22c0 ap-sn 210235448310C9000015
ap-group ap-group1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-group ap-group1
#
undo ntp-service enable
#
return
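
The AC reference configurations in section 7.5 accept Telnet on the VTY lines, log users in at privilege level 15 with a shared line password, and keep 3des and MD5-based HMACs in the SSH algorithm lists. The check below is an added example, not part of the original guide; the function names, the legacy-algorithm policy and the hardened sample are assumptions of this example, and both sample texts are constructed from the lines above.

```python
import re

# Constructed excerpt in the shape of the AC reference configuration above.
SAMPLE_CFG = """\
stelnet server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
authentication-mode password
user privilege level 15
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
"""

# Hardened counterpart (constructed): per-user AAA logins, SSH only,
# legacy algorithms removed from the lists.
HARDENED_CFG = """\
stelnet server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server secure-algorithms hmac sha2_256
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
authentication-mode aaa
protocol inbound ssh
#
"""

# Policy assumed by this example, not a vendor-published list.
LEGACY = {"cipher": {"3des"}, "hmac": {"md5", "md5_96", "sha1_96"}}


def vty_blocks(cfg):
    """Map each 'user-interface ...' header to its sub-commands.

    Saved configurations pasted into documents often lose their indentation,
    so a block is taken to end at '#' or at the next 'user-interface' header.
    """
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines do not end a block
        if line.startswith("user-interface "):
            current = line[len("user-interface "):]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(cfg):
    """Return findings for the management-plane settings of one config."""
    findings = []
    pattern = r"^\s*ssh (server|client) secure-algorithms (cipher|hmac) (.+)$"
    for role, kind, algos in re.findall(pattern, cfg, re.M):
        weak = [a for a in algos.split() if a in LEGACY[kind]]
        if weak:
            findings.append(
                f"ssh {role} {kind}: legacy algorithms offered: {', '.join(weak)}")
    for header, cmds in vty_blocks(cfg).items():
        if not header.startswith("vty"):
            continue
        inbound = next((c.split()[-1] for c in cmds
                        if c.startswith("protocol inbound ")), None)
        if inbound in ("telnet", "all"):
            findings.append(
                f"user-interface {header}: accepts Telnet (protocol inbound {inbound})")
        if ("authentication-mode password" in cmds
                and "user privilege level 15" in cmds):
            findings.append(
                f"user-interface {header}: shared line password grants privilege level 15")
    return findings


if __name__ == "__main__":
    for label, cfg in (("reference", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit(cfg) or "no findings")
```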

You have completed experiment 7.

8 (Optional) Experiment 8: Dual-Link-based AC Hot Standby

8.1 Objectives
• Learn how to configure dual-link hot standby.
• Learn how to optimize dual-link hot standby.

8.2 Plan
You must configure devices according to the plan to avoid errors. This experiment uses group
1 as an example to illustrate rules for configuring the device name, VLAN, and Trunk.

Figure 8-1 Experiment topology

Group No.   AC–Switch Port                AP-Switch Port
1           Active AC: AC6005-1–G0/0/1    Active AC: AP1-G0/0/10
            Standby AC: AC6005-2–G0/0/2   Standby AC: AP2-G0/0/11
2           Active AC: AC6005-3–G0/0/3    Active AC: AP3-G0/0/12
            Standby AC: AC6005-4–G0/0/4   Standby AC: AP4-G0/0/13
3           Active AC: AC6005-5–G0/0/5    Active AC: AP5-G0/0/14
            Standby AC: AC6005-6–G0/0/6   Standby AC: AP6-G0/0/15

X indicates the group No. In a dual-link experiment, X can be set to 1, 3, 5, 7, or 9; X+1 can
be set to 2, 4, 6, 8, or 10.

                             Active AC (AC6005-X)         Standby AC (AC6005-X+1)
AC Priority                  1                            5
Management VLAN              VLANIF80X: 10.1.20X.100/24   VLANIF80X: 10.1.20X.200/24
Service VLAN
  Guest VLAN: X1 and X2      VLANX1: 10.1.X1.100          VLANX1: 10.1.X1.200
                             VLANX2: 10.1.X2.100          VLANX2: 10.1.X2.200
  Employee VLAN: X3 and X4   VLANX3: 10.1.X3.100          VLANX3: 10.1.X3.200
                             VLANX4: 10.1.X4.100          VLANX4: 10.1.X4.200

The following settings are the same on both ACs:

AP Group                     Name: ap-groupX
                             VAP ID: 1
                             VAP profile: guestX
                             Regulatory domain profile: domainX
                             VAP ID: 2
                             VAP profile: employeeX
                             Regulatory domain profile: domainX
Regulatory Domain Profile    Name: domainX
                             Country code: CN
SSID Profile                 Name: guestX
                             SSID name: guestX
                             Name: employeeX
                             SSID name: employeeX
Security Profile             Name: guestX
                             Security policy: open authentication
                             Name: employeeX
                             Security policy: WPA2+PSK+AES
                             Password: b1234567
VAP Profile                  Name: guestX
                             Forwarding mode: direct forwarding
                             Service VLAN: guest
                             Referenced profiles: SSID profile guestX and security profile guestX
                             Name: employeeX
                             Forwarding mode: direct forwarding
                             Service VLAN: employee
                             Referenced profiles: SSID profile employeeX and security profile employeeX

8.3 Procedure
8.3.1 Configuring Network Interconnection and Basic WLAN Services
Configure the switch and AC, as well as basic WLAN services. The operations are the same
as those in experiment 1. Alternatively, if this experiment is carried out in the environment
where experiment 7 has been carried out, remove the operations described in section 7.3.8
"Configuring VRRP-based Dual-AC Hot Standby".

8.3.2 Configuring Dual-Link Standby


Specify the active and standby ACs according to their priorities. The AC with the higher
priority functions as the active AC and the AC with the lower priority functions as the
standby AC. A smaller value indicates a higher priority. If two ACs have the same priority,
the one with the lighter load functions as the active AC. If the loads are the same, the one
with the smaller IP address functions as the active AC.
Click Configuration > Backup Settings > Backup Settings > HSB List.
The HSB List page is displayed.
Click Backup Settings > HSB List > Create HSB Channel.

Click OK to complete the configuration.


On the Backup Configuration page, set Backup mode to Dual-link hot backup, AC
dual-link backup status and AC dual-link switchover status to ON, Local priority to 0, IP
address of the backup AC to 10.1.201.200, which is the IP address of the standby AC (AC2),
and HSB channel to 0.

Click Apply. In the displayed dialog box, click OK.


The configuration on AC2 is similar to that on AC1. The differences are as follows:
• When an HSB channel is configured, set Local IP address to 10.1.201.200 and Peer IP
  address to 10.1.201.100, which is the IP address of AC1.
• On the Backup Configuration tab, set Local priority to 1, and IP address of the
  backup AC and Peer IP address to 10.1.201.100, which is the IP address of the active
  AC (AC1).
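
The mirrored addresses described in this section, and the election order stated at its start, can be checked offline against the two saved configurations using the command forms listed in section 8.5. The following is an added example, not part of the original guide: the function names and the trimmed sample configurations are constructed for illustration (AC2 carries a deliberate address mistake), and load is passed in by the caller because it is runtime state.

```python
import ipaddress
import re

# Constructed excerpts in the shape of the section 8.5 configurations, trimmed
# to the lines that pair the two ACs. AC2 carries a deliberate mistake for the
# demonstration: its Vlanif801 still has AC1's address.
AC1_CFG = """\
sysname AC6005-1
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
capwap source ip-address 10.1.201.100
hsb-service 0
 service-ip-port local-ip 10.1.201.100 peer-ip 10.1.201.200 local-data-port 10241
 peer-data-port 10241
wlan
 ac protect enable protect-ac 10.1.201.200 priority 1
"""
AC2_CFG = """\
sysname AC6005-2
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
capwap source ip-address 10.1.201.200
hsb-service 0
 service-ip-port local-ip 10.1.201.200 peer-ip 10.1.201.100 local-data-port 10241 peer-data-port 10241
wlan
 ac protect enable protect-ac 10.1.201.100 priority 5
"""


def _first(pattern, text):
    """Return the capture groups of the first match, or None."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None


def parse_ac(cfg):
    """Extract the pairing-relevant settings from one AC configuration."""
    name = _first(r"^\s*sysname\s+(\S+)", cfg)
    capwap = _first(r"^\s*capwap source ip-address\s+(\S+)", cfg)
    return {
        "name": name[0] if name else "?",
        "addrs": set(re.findall(r"^\s*ip address\s+(\S+)\s+\S+", cfg, re.M)),
        "capwap": capwap[0] if capwap else None,
        # \s+ also matches a newline, so a wrapped command still parses.
        "hsb": _first(r"service-ip-port\s+local-ip\s+(\S+)\s+peer-ip\s+(\S+)"
                      r"\s+local-data-port\s+(\d+)\s+peer-data-port\s+(\d+)", cfg),
        "protect": _first(
            r"ac protect enable protect-ac\s+(\S+)\s+priority\s+(\d+)", cfg),
    }


def check_pair(a, b):
    """Return findings for settings that must mirror each other on the two ACs."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        n = me["name"]
        if not me["hsb"] or not peer["hsb"]:
            findings.append(f"{n}: HSB channel not found on both ACs")
            continue
        local, peer_ip, _local_port, peer_port = me["hsb"]
        if local not in me["addrs"]:
            findings.append(f"{n}: HSB local-ip {local} is not on any local interface")
        if peer_ip != peer["hsb"][0]:
            findings.append(f"{n}: HSB peer-ip {peer_ip} != peer local-ip {peer['hsb'][0]}")
        if peer_port != peer["hsb"][2]:
            findings.append(
                f"{n}: peer-data-port {peer_port} != peer local-data-port {peer['hsb'][2]}")
        if me["protect"] and me["protect"][0] != peer["capwap"]:
            findings.append(
                f"{n}: protect-ac {me['protect'][0]} != peer CAPWAP source {peer['capwap']}")
    for dup in sorted(a["addrs"] & b["addrs"]):
        # The 169.254.1.1 address on Vlanif1 appears on both ACs in the guide.
        if not ipaddress.ip_address(dup).is_link_local:
            findings.append(f"{dup} is configured on both ACs")
    return findings


def elect_active(candidates):
    """candidates: (name, priority, load, ip) tuples. Order as stated in this
    section: smaller priority value, then lighter load, then smaller IP address.
    Addresses are compared numerically, not as strings."""
    return min(candidates,
               key=lambda c: (c[1], c[2], ipaddress.ip_address(c[3])))[0]


if __name__ == "__main__":
    ac1, ac2 = parse_ac(AC1_CFG), parse_ac(AC2_CFG)
    for finding in check_pair(ac1, ac2):
        print("MISMATCH:", finding)
    # Load is set to 0 for both ACs here, so the configured priority decides.
    print("expected active:", elect_active(
        [(ac["name"], int(ac["protect"][1]), 0, ac["capwap"]) for ac in (ac1, ac2)]))
```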

8.4 Verification
Check the AP status on AC1.

Check the AP status on AC2.

Disconnect AC1 from the switch to cut the connection between the AP and AC1. The AP
connects to the standby AC if it does not receive a response from the active AC for three
CAPWAP packet sending periods (25s for each period).
Wait for one minute and 30 seconds.
The AP is registered with AC2, and AC2 provides services for the STA, ensuring service
continuity.
The AP status on AC2 is normal.

The AP status on AC1 is fault.

8.4.1 Verifying Dual-Link Switchback


After disconnecting from the active AC, an AP sends a CAPWAP discovery packet every 5
seconds to detect whether the active AC has recovered. After the active AC recovers, the AP
goes online on the active AC. The AP status is standby and will become normal after 100 seconds.
On the standby AC, the AP status is standby.

8.5 Reference Configuration


8.5.1 SWA Configuration
#
sysname SWA
#
vlan batch 10 to 14 801
#
lldp enable
#
dhcp enable

#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
interface Vlanif14
ip address 10.1.14.1 255.255.255.0
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
......
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 14
#
......
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#

interface NULL0
#
interface LoopBack0
ip address 101.101.101.101 255.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password cipher Admin@123
user-interface vty 16 20
#
return

8.5.2 AC1 Configuration


#
sysname AC6005-1
#
vlan batch 10 to 14 801
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool sta-pool1
vlan 11 to 12
vlan pool sta-pool2
vlan 13 to 14
#
dhcp enable
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#

ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global

#
interface Vlanif13
ip address 10.1.13.100 255.255.255.0
dhcp select global

#
interface Vlanif14
ip address 10.1.14.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6

#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.100
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
service-ip-port local-ip 10.1.201.100 peer-ip 10.1.201.200 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ac protect enable protect-ac 10.1.201.200 priority 1
traffic-profile name default
security-profile name guest1
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel

service-vlan vlan-pool sta-pool1
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool sta-pool2
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
radio 0
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
radio 1
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
ap-id 0 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-name ap1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac e8bd-d105-9120 ap-sn 2102354196W0F6003404
ap-name ap2
ap-group ap-group1
#
undo ntp-service enable
#
return

8.5.3 AC2 Configuration


#
sysname AC6005-2
#
vlan batch 10 to 14 801
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile

#
vlan pool sta-pool1
vlan 11 to 12
vlan pool sta-pool2
vlan 13 to 14
#
dhcp enable
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.1.201.200
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
#
ip pool sta3
gateway-list 10.1.13.1
network 10.1.13.0 mask 255.255.255.0
#
ip pool sta4
gateway-list 10.1.14.1
network 10.1.14.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher Admin@123
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.200 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.200 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.200 255.255.255.0
dhcp select global

#
interface Vlanif13
ip address 10.1.13.200 255.255.255.0
dhcp select global

#
interface Vlanif14
ip address 10.1.14.200 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.200 255.255.255.0

#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 14 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source ip-address 10.1.201.200
#
user-interface con 0
authentication-mode password
set authentication password cipher Admin@123
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123

protocol inbound all
user-interface vty 16 20
protocol inbound all
#
hsb-service 0
service-ip-port local-ip 10.1.201.200 peer-ip 10.1.201.100 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 2 interval 1
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ac protect enable protect-ac 10.1.201.100 priority 5
traffic-profile name default
security-profile name guest1
security-profile name employee1
security wpa2 psk pass-phrase b1234567 aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name guest1
forward-mode tunnel
service-vlan vlan-pool sta-pool1
ssid-profile guest1
security-profile guest1
vap-profile name default
vap-profile name employee1
service-vlan vlan-pool sta-pool2
ssid-profile employee1
security-profile employee1
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
provision-ap
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group1
radio 0
vap-profile guest1 wlan 1
vap-profile employee1 wlan 2
radio 1
vap-profile guest1 wlan 1

vap-profile employee1 wlan 2
ap-id 0 type-id 19 ap-mac e8bd-d1f7-79c0 ap-sn 2102354196W0DC003226
ap-name ap1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac e8bd-d105-9120 ap-sn 2102354196W0F6003404
ap-name ap2
ap-group ap-group1
#
undo ntp-service enable
#
return

You have completed experiment 8.

9 Experiment 9: Single-MPP Mesh Configurations

9.1 Objectives
• Learn the process of configuring a WLAN single-MPP mesh.
• Learn how to configure radio and wired port parameters of a WLAN single-MPP mesh.
• Learn how to configure the security profile and whitelist of a WLAN single-MPP mesh.
• Learn how to configure roles and profiles of a WLAN single-MPP mesh.
• Learn how to bind the radio profile and wired port profile to a WLAN single-MPP mesh.
• Learn how to bind the AP system profile and mesh profile to a WLAN single-MPP mesh.
• Verify WLAN single-MPP mesh configurations.

9.2 Plan
Figure 9-1 Experiment topology

As shown in the figure, AP1 is an MPP, and AP2 and AP3 are MPs.

Group No.   AC–Switch Port     AP-Switch Port
1           AC6005-1–G0/0/1    AP1-G0/0/10
                               AP2-G0/0/11
                               AP3-G0/0/12
2           AC6005-2–G0/0/2    AP4-G0/0/13
                               AP5-G0/0/14
                               AP6-G0/0/15
3           AC6005-3–G0/0/3    AP7-G0/0/16
                               AP8-G0/0/17
                               AP9-G0/0/18
4           AC6005-4–G0/0/4    AP10-G0/0/19
                               AP11-G0/0/20
                               AP12-G0/0/21

AP Group                  ap-groupX
SSID Profile              SSID profile: employeeX
                          SSID: employeeX
Service VLAN              11\12
Security Profile (Same)   Name: mesh-secX
                          Password: b1234567
VAP Profile               Name: employeeX
Forwarding mode           Direct forwarding
Wired Port Profile        wired-portX
Mesh Whitelist Profile    mesh-listX
AP System Profile         mesh-sysX
Mesh Profile              meshX

9.3 Procedure
Figure 9-2 Configuration procedure

9.3.1 Performing Basic Mesh Configurations


Basic configurations of the switch and AC have been completed to ensure the connectivity of
layer 3 networking. For details, see experiment 2. Do not create AP groups or add APs.
VLAN configurations


VLANIF configurations

VLAN pool configurations

Interface configurations

DHCP address pool configurations


By default, the next hop address is the IP address of interface VLANIF801 on the switch.

Configure the AC source address.

Test the route by pinging the loopback address of the switch from the command console.


9.3.2 Adding an AP
Create AP groups. A mesh experiment requires two AP groups, which is different from other
experiments.
Click Configuration > AP Config > AP Group > AP Group, and click Create.
On the displayed page, set parameters as shown in the following figure.

Add an AP to the AP group. Obtain the MAC address of each AP to be added in advance,
because in a mesh experiment the switch provides only PoE power supply to the other two
APs. You can view the AP MAC address on the label on the back of the AP or on the switch.
In this experiment, MAC addresses of three APs are as follows:
- ap1: cccc-8110-2260
- ap2: e8bd-d1f7-75c0
- ap3: e8bd-d105-8260
Add the AP in offline mode. Click Configuration > AP Config > AP Config > AP Info >
Create AP.
On the displayed page, set parameters as shown in the following figure.


Click Configuration > AP Config > AP Config > AP Info. Select multiple APs, and click
Deploy.
Change AP names. Add AP1 to AP group mesh-mppX and AP2 and AP3 to AP group
mesh-mpX.


Select AP2 and AP3, and click Deploy. Add them to AP group mesh-mp1.

Name AP2 and AP3, and add them to AP group mesh-mp1.


Check the AP list after APs are grouped.

9.3.3 Configuring Radio Parameters Used by the Mesh Node


Radio 1 of AP6010DN-AGN is used as an example. The coverage distance is set to 3 by
default, and the unit is 100 m. In this experiment, this parameter is set to 4. You can set this
parameter as required.
Click Configuration > AP Config > AP Group > AP Group. Select a group name.
The AP group configuration page is displayed.


Click to unfold Radio Management. Click Radio 1.

Set channel frequency to 40+MHz and 157, indicating 157+163 channel bundling. Set
Coverage distance (0.1km) to 4, which is set to 3 by default.

The configuration of mesh-mp1 is the same as that of mesh-mpp1.


9.3.4 Configuring Wired Port Parameters for the AP


Click Configuration > AP Config > Profile > Profile Management > AP > AP Wired Port
Profile. In the AP Wired Port Profile List area on the right pane, click Create.
The Create AP Wired Port Profile page is displayed.


Click OK.
The parameter setting page for the created wired port profile is displayed.
Assume that service VLANs are VLAN11 and VLAN12. Wired ports of all mesh nodes are
added to VLAN11 and VLAN12 in tagged mode.

9.3.5 Configuring a Security Profile


Click Configuration > AP Config > Profile > Profile Management > Wireless Service >
Security Profile.
The Security Profile List area is displayed on the right pane.
Click Create.
The Create Security Profile page is displayed.
Configure security profile employeeX used by mesh links. The mesh network supports only
security policy WPA2+PSK+AES.


The password is b1234567.

9.3.6 Configuring a Mesh Whitelist


Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh
Whitelist Profile.
The Mesh Whitelist Profile List area is displayed on the right pane.
Click Create.
The Create Mesh Whitelist Profile page is displayed.


Create mesh whitelist profile mesh-listX.

Manually add MAC addresses of three APs. Ensure that the entered MAC addresses are
correct.

Check the mesh whitelist after MAC addresses are added.
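
A consistency check for the whitelist step above, as an added example (not part of the original guide or of Huawei's tooling): it parses AC configuration text and compares the peer-ap mac entries bound to each mesh AP group with the ap-mac values of the APs in those groups. The function names are hypothetical, and the check assumes, as section 9.3.6 instructs, that whitelist entries are the APs' own MAC addresses; the sample input is copied from the 9.5.2 reference configuration.

```python
import re

# Lines taken from the 9.5.2 AC reference configuration on this page. The page
# lost the CLI indentation, so the parser relies on keywords, not nesting.
AC_CONFIG = """\
mesh-whitelist-profile name mesh-list1
peer-ap mac cccc-8110-22c0
peer-ap mac e8bd-d1f7-79c0
peer-ap mac e8bd-d105-9120
mesh-profile name mesh1
security-profile mesh-sec1
ap-group name mesh-mp1
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
ap-group name mesh-mpp1
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
ap-id 0 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
ap-name ap1
ap-group mesh-mpp1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-75c0 ap-sn 2102354196W0DC003017
ap-name ap2
ap-group mesh-mp1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-8260 ap-sn 2102354196W0DC003765
ap-name ap3
ap-group mesh-mp1
"""


def norm_mac(mac):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[-:.]", "", mac.lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def fmt_mac(digits):
    """Render 12 hex digits in the AC's xxxx-xxxx-xxxx notation."""
    return "-".join((digits[:4], digits[4:8], digits[8:]))


def parse_mesh_config(text):
    """Collect whitelist profiles, AP-group mesh bindings and AP entries."""
    whitelists, groups, aps = {}, {}, {}
    ctx = cur = None
    for line in text.splitlines():
        w = line.split()
        if len(w) < 2:
            continue                      # "#", "wlan", "return", blank lines
        if w[:2] == ["mesh-whitelist-profile", "name"] and len(w) == 3:
            ctx, cur = "wl", w[2]
            whitelists.setdefault(cur, [])
        elif w[:2] == ["ap-group", "name"] and len(w) == 3:
            ctx, cur = "group", w[2]
            groups.setdefault(cur, {"mesh": False, "whitelists": set()})
        elif w[0] == "ap-id" and "ap-mac" in w[:-1]:
            ctx, cur = "ap", w[w.index("ap-mac") + 1]
            aps[cur] = None               # AP MAC -> AP group, filled in below
        elif w[1] == "name":
            ctx = cur = None              # definition of some other profile
        elif ctx == "wl" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            whitelists[cur].append(w[2])
        elif ctx == "group" and w[0] == "mesh-profile":
            groups[cur]["mesh"] = True
        elif ctx == "group" and w[0] == "mesh-whitelist-profile":
            groups[cur]["whitelists"].add(w[1])
        elif ctx == "ap" and w[0] == "ap-group":
            aps[cur] = w[1]
    return whitelists, groups, aps


def audit_whitelists(text):
    """Compare each mesh AP group's whitelist with the APs the AC manages.

    Returns sorted (group, finding, mac) tuples. Following section 9.3.6, every
    mesh AP is expected in the whitelist and nothing else is.
    """
    whitelists, groups, aps = parse_mesh_config(text)
    mesh_groups = sorted(g for g, v in groups.items() if v["mesh"])
    managed = {norm_mac(m) for m, g in aps.items() if g in mesh_groups} - {None}
    findings = []
    for g in mesh_groups:
        entries = [m for wl in sorted(groups[g]["whitelists"]) for m in whitelists.get(wl, [])]
        if not entries:
            findings.append((g, "no-whitelist-entries", ""))
            continue
        allowed = {norm_mac(m) for m in entries} - {None}
        findings += [(g, "malformed-entry", m) for m in entries if norm_mac(m) is None]
        findings += [(g, "ap-not-whitelisted", fmt_mac(m)) for m in managed - allowed]
        findings += [(g, "entry-matches-no-ap", fmt_mac(m)) for m in allowed - managed]
    return sorted(findings)


if __name__ == "__main__":
    for group, finding, mac in audit_whitelists(AC_CONFIG):
        print(f"{group:10} {finding:22} {mac}")
```

On the 9.5.2 lines it reports twelve findings, because none of the three peer-ap mac values in that listing equals an ap-mac value.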


9.3.7 Configuring Mesh Roles


By default, the mesh role is mesh-node. Set the mesh role to mesh-portal for AP1 and AP2.
Mesh roles are configured through the AP system profile.
Click Configuration > AP Config > Profile > Profile Management > AP > AP System
Profile.
The AP System Profile List area is displayed on the right pane. Click Create.
The Create AP System Profile page is displayed.

Create AP system profile mesh-sysX.


Set parameters for the AP system profile.

Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh Profile.
The Mesh Profile List area is displayed on the right pane.
Click Create.
The Create Mesh Profile page is displayed.

Set parameters for the mesh profile. In this experiment, only Mesh ID and Link aging
timeout(s) are configured.


Bind the security profile to the mesh profile.

9.3.8 Binding the Mesh Whitelist Profile to AP Radios


On the AP Group tab, click Mesh > Mesh Whitelist Profile.

Select the created whitelist profile mesh-listX. The value of Radio is 1.


9.3.9 Binding a Wired Port Profile to AP Groups


Bind wired port profile wired-port1 to AP groups mesh-mpp1 and mesh-mp1 to make AP
wired port parameters take effect on mesh nodes.
Click Configuration > AP Config > AP Group > AP Group. Select a group name.
The AP group configuration page is displayed.
Click AP > GE0 Profile. Bind wired port profile wired-portX to the AP group.


9.3.10 Binding an AP System Profile to an AP Group


Bind AP system profile mesh-sys1 to AP group mesh-mpp1 to make the MPP role take effect
on AP1.
Click Configuration > AP Config > AP Group > AP Group. Bind a created system profile
to the AP group.

9.3.11 Binding a Mesh Profile to AP Groups


Bind mesh profile mesh-net1 to AP groups mesh-mpp1 and mesh-mp1 to make mesh services
take effect.
Click Configuration > AP Config > AP Group > AP Group. Bind created mesh profile
meshX to the AP group.

Select the created profile meshX.

The binding configuration on an MPP group is the same as that on an MP group.


9.4 Verification
After the configuration is complete, click Monitoring > AP > AP List to check whether mesh
nodes go online successfully. If the value of Status is normal, APs have gone online.

Click Monitoring > Mesh&WDS > Mesh Link Information to check mesh link information.
After mesh links are successfully established, you can view detailed information about the
mesh links on the page.


9.5 Reference Configuration


9.5.1 SWA Configuration
#
sysname SWA
#
info-center console channel 9
info-center monitor channel 9
#
vlan batch 10 to 12 801
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
dhcp enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0

#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
description Connected_to_MR
ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 12 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 14 801
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#

interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface LoopBack1
ip address 101.101.101.101 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.100
#
user-interface con 0
authentication-mode password
set authentication password
cipher %@%@W<lO8}%j9ZW6oc';J*L9'%OG+A]:Xx>!2"IV7W1$7!#G%OJ'%@%@
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password
cipher %@%@c=TE<vcI4/lBkb"Xp94H'&1x#CVoXhidQ2cM@t&LL#83&1{'%@%@
user-interface vty 16 20
#
return

9.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 12 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool employee1
vlan 11 to 12
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
enrollment self-signed

#
ssl policy default_policy type server
pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
gateway-list 10.1.11.1
network 10.1.11.0 mask 255.255.255.0
excluded-ip-address 10.1.11.100
#
ip pool sta2
gateway-list 10.1.12.1
network 10.1.12.0 mask 255.255.255.0
excluded-ip-address 10.1.12.100
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password
irreversible-cipher %^%#S&Sj%*k84:WsW3&}4puW'@Y[#k-6>S^4gwH,0,Q2DD8`!:D-f(2Z&!/i*6\
A%^%#
local-user admin privilege level 15
local-user admin service-type ssh http
#
interface Vlanif1
ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
dhcp select global
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
dhcp select global
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0

#
interface Vlanif4090
ip address 172.21.11.3 255.255.0.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 4090
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
authentication-mode password
set authentication password
cipher %^%#.xrh@g'4L,l*3S*2R"a>K<RZ>"VOsU~XrV&i_2#!eZ<G8\D_]5TG`}DASHwI%^%#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password
cipher %^%#7&lg4uEAy+5s&l!miN-Qos*v2n>r<XA"|~Rz>/e=@&(T5@p{KSW_:*VV,}G6%^%#
protocol inbound telnet
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name default

security-profile name default-wds


security wpa2 psk pass-phrase %^%#9_3KC<KAK+ok/kP=Z+FQ-oMU~B,cE(7!xK6&e:*=%^%# aes
security-profile name default-mesh
security wpa2 psk pass-phrase %^%#MZsH9|j+[F3==a5hVn@3rkx2JhzAFRTS9g6!;%qX%^%# aes
security-profile name mesh-sec1
security wpa2 psk pass-phrase %^%#U]Ri#crNmMBW^K;;c;JKp%fP!"l,.43xhgDbX>J~%^%# aes
ssid-profile name guest1
ssid guest1
ssid-profile name default
ssid-profile name employee1
ssid employee1
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-whitelist-profile name mesh-list1
peer-ap mac cccc-8110-22c0
peer-ap mac e8bd-d1f7-79c0
peer-ap mac e8bd-d105-9120
mesh-profile name mesh1
security-profile mesh-sec1
mesh-id mesh1
link-aging-time 30
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
telnet enable
ap-system-profile name mesh-sys1
mesh-role mesh-portal
provision-ap
port-link-profile name default
wired-port-profile name default
wired-port-profile name wired-port1
vlan tagged 11 to 12
ap-group name default
ap-group name mesh-mp1
ap-system-profile mesh-sys1
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp1
ap-system-profile mesh-sys1
radio 1
mesh-profile mesh1
mesh-whitelist-profile mesh-list1
channel 40mhz-plus 157
coverage distance 4
ap-id 0 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012

ap-name ap1
ap-group mesh-mpp1
ap-id 1 type-id 19 ap-mac e8bd-d1f7-75c0 ap-sn 2102354196W0DC003017
ap-name ap2
ap-group mesh-mp1
ap-id 2 type-id 19 ap-mac e8bd-d1f7-8260 ap-sn 2102354196W0DC003765
ap-name ap3
ap-group mesh-mp1
#
undo ntp-service enable
#
return

You have completed experiment 9.


10 (Optional) Experiment 10: Dual-MPP Mesh Configurations

10.1 Objectives
- Learn the process of configuring a WLAN dual-MPP mesh.
- Learn how to configure radio and wired port parameters of a WLAN dual-MPP mesh.
- Learn how to configure the security profile and whitelist of a WLAN dual-MPP mesh.
- Learn how to configure roles and profiles of a WLAN dual-MPP mesh.
- Learn how to bind the radio profile and wired port profile to a WLAN dual-MPP mesh.
- Learn how to bind the AP system profile and mesh profile to a WLAN dual-MPP mesh.
- Verify WLAN dual-MPP mesh configurations.


10.2 Plan
Figure 10-1 Experiment topology

Group No.   AC–Switch Port     AP-Switch Port
1           AC6005-1–G0/0/1    AP1-G0/0/10, AP2-G0/0/11, AP3-G0/0/12, AP4-G0/0/13
2           AC6005-2–G0/0/2    AP5-G0/0/14, AP6-G0/0/15, AP7-G0/0/15, AP8-G0/0/16
3           AC6005-3–G0/0/3    AP9-G0/0/17, AP10-G0/0/18, AP11-G0/0/19, AP12-G0/0/20


AP Group                  ap-groupX
SSID Profile              SSID name: employeeX; SSID: employeeX
Service VLAN              11\12
Security Profile (Same)   Name: mesh-secX; Password: b1234567
VAP Profile               Name: employeeX
Forwarding Mode           Direct forwarding
Wired Port Profile        wired-portX
Mesh Whitelist Profile    mesh-listX
AP System Profile         mesh-sysX
Mesh Profile              meshX

10.3 Procedure
Figure 10-2 Configuration procedure

10.3.1 Performing Basic Mesh Configurations


Basic configurations of the switch and AC have been completed to ensure the connectivity of
layer 3 networking. For details, see experiment 2. Do not create AP groups or add APs.
VLAN configurations


VLANIF configurations

VLAN pool configurations

Interface configurations

DHCP address pool configurations


Configure the static route. Set the next hop address to the IP address of interface VLANIF801
on the switch.

Configure the AC source address.

Test the route. Enter the console and ping the loopback IP address of the switch.


10.3.2 Adding an AP
Create AP groups. A mesh experiment requires two AP groups, which is different from other
experiments.
Click Configuration > AP Config > AP Group > AP Group, and click Create.
On the displayed page, set parameters as shown in the following figure.

Add an AP to the AP group. Obtain the MAC address of each AP to be added in advance,
because in a mesh experiment the switch provides only PoE power supply to the other two
APs. You can view the AP MAC address on the label on the back of the AP or on the switch.
In this experiment, MAC addresses of four APs are as follows:
- ap1: cccc-8110-2260
- ap2: e8bd-d1f7-75c0
- ap3: e8bd-d105-8260
- ap4: e8bd-d1f7-7560


Add the AP in offline mode.


Click Configuration > AP Config > AP Group > AP Group, and click Create.
On the displayed page, set parameters as shown in the following figure.

Click Configuration > AP Config > AP Config > AP Info. Select multiple APs, and click
Deploy.


Change AP names. Add AP1 and AP2 to AP group mesh-mppX and AP3 and AP4 to AP group
mesh-mpX.


The following figure shows APs added to AP groups.

10.3.3 Configuring Radio Parameters Used by the Mesh Node


Radio 1 of AP6010DN-AGN is used as an example. The coverage distance is set to 3 by
default, and the unit is 100 m. In this experiment, this parameter is set to 4. You can set this
parameter as required.
Click Configuration > AP Config > AP Group > AP Group. Select a group name.
The AP group configuration page is displayed.

Click to unfold Radio Management. Click Radio 1.


Set channel frequency to 40+MHz and 157, indicating 157+163 channel bundling. Set
Coverage distance (0.1km) to 4, which is set to 3 by default.

The configuration of mesh-mp1 is the same as that of mesh-mpp1.


10.3.4 Configuring Wired Port Parameters for the AP


Click Configuration > AP Config > Profile > Profile Management > AP > AP Wired Port
Profile. In the AP Wired Port Profile List area on the right pane, click Create.
The Create AP Wired Port Profile page is displayed.

Click OK.
The parameter setting page for the created wired port profile is displayed.
This example assumes that the service VLANs are VLAN11 and VLAN12. Wired ports of all
mesh nodes are added to VLAN11 and VLAN12 in tagged mode.


10.3.5 Configuring a Security Profile


Configure security profile employeeX used by mesh links. The mesh network supports only
security policy WPA2+PSK+AES.
Click Configuration > AP Config > Profile > Profile Management > Wireless Service >
Security Profile.
The Security Profile List area is displayed on the right pane.
Click Create. The Create Security Profile page is displayed.


The security policy is WPA2+PSK+AES, and the password is b1234567.

10.3.6 Configuring a Mesh Whitelist


Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh
Whitelist Profile.
The Mesh Whitelist Profile List area is displayed on the right pane.
Click Create. The Create Mesh Whitelist Profile page is displayed.

Create mesh whitelist profile mesh-listX.


Manually add MAC addresses of four APs. Ensure that the entered MAC addresses are
correct.

Check the mesh whitelist after MAC addresses are added.


10.3.7 Configuring Mesh Roles


By default, the mesh role is mesh-node. Set the mesh role to mesh-portal for AP1 and AP2.
Mesh roles are configured through the AP system profile.
Click Configuration > AP Config > Profile > Profile Management > AP > AP System
Profile.
The AP System Profile List area is displayed on the right pane. Click Create.
The Create AP System Profile page is displayed.

Create AP system profile mesh-sysX.

Set roles in mesh networking for the AP system profile.

Click Configuration > AP Config > Profile > Profile Management > Mesh > Mesh Profile.
The Mesh Profile List area is displayed on the right pane.
Click Create.
The Create Mesh Profile page is displayed.


Set parameters for the mesh profile.


Set Mesh ID to mesh1 and Link aging timeout(s) to 30. Bind a security profile and a mesh
whitelist to the mesh profile.

Bind the security profile to the mesh profile.


10.3.8 Binding the Mesh Whitelist Profile to AP Radios


On the AP Group tab, click Mesh > Mesh Whitelist Profile.

Select the created whitelist profile mesh-listX. The value of Radio is 1.


10.3.9 Binding a Wired Port Profile to AP Groups


Bind wired port profile wired-port1 to AP groups mesh-mpp1 and mesh-mp1 to make AP
wired port parameters take effect on mesh nodes.
Click Configuration > AP Config > AP Group > AP Group. Select a group name.
The AP group configuration page is displayed.


10.3.10 Binding an AP System Profile to an AP Group


Bind AP system profile mesh-sys1 to AP group mesh-mpp1 to make the MPP role take effect
on AP1 and AP2.
Click Configuration > AP Config > AP Group > AP Group. Bind a created system profile
to the AP group.

10.3.11 Binding a Mesh Profile to AP Groups


Bind mesh profile mesh1 to AP groups mesh-mpp1 and mesh-mp1 to make mesh services
take effect.
Click Configuration > AP Config > AP Group > AP Group. Bind created mesh profile
meshX to the AP group.


Select the created profile meshX.

The binding configuration on an MPP group is the same as that on an MP group.

10.4 Verification
After the configuration is complete, click Monitoring > AP > AP List to check whether mesh
nodes go online successfully. If the value of Status is normal, APs have gone online.


Click Monitoring > Mesh&WDS > Mesh Link Information to check mesh link information.
After mesh links are successfully established, you can view detailed information about the
mesh links on the page.

10.5 Reference Configuration


10.5.1 SWA Configuration
#
sysname SWA
#
info-center console channel 9
info-center monitor channel 9
#
vlan batch 10 to 12 801
#
lldp enable
#
undo http server enable
undo http secure-server enable
#
undo nap slave enable
#
dhcp enable
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %@%@5d~9:M^ipCfL\iB)EQd>3Uwe%@%@
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
 ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
 ip address 10.1.12.1 255.255.255.0
#
interface Vlanif801
 ip address 10.1.201.1 255.255.255.0
#
interface MEth0/0/1
 description Connected_to_MR
 ip address 172.21.11.1 255.255.0.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 to 12 801
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type trunk
 port trunk pvid vlan 10
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 to 14 801
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface LoopBack1
 ip address 101.101.101.101 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.100
#
user-interface con 0
 authentication-mode password
 set authentication password cipher Admin@123
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 set authentication password cipher Admin@123
user-interface vty 16 20
#
return

10.5.2 AC Configuration
#
sysname AC6005-1
#
http secure-server ssl-policy default_policy
http server enable
#
vlan batch 10 to 12 801 4090
#
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dot1x-access-profile name dot1x_access_profile
mac-access-profile name mac_access_profile
#
vlan pool employee1
 vlan 11 to 12
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool ap
 gateway-list 10.1.10.1
 network 10.1.10.0 mask 255.255.255.0
 excluded-ip-address 10.1.10.100
 option 43 sub-option 3 ascii 10.1.201.100
#
ip pool sta1
 gateway-list 10.1.11.1
 network 10.1.11.0 mask 255.255.255.0
 excluded-ip-address 10.1.11.100
#
ip pool sta2
 gateway-list 10.1.12.1
 network 10.1.12.0 mask 255.255.255.0
 excluded-ip-address 10.1.12.100
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password irreversible-cipher Admin@123
 local-user admin privilege level 15
 local-user admin service-type ssh http
#
interface Vlanif1
 ip address 169.254.1.1 255.255.0.0
#
interface Vlanif10
 ip address 10.1.10.100 255.255.255.0
 dhcp select global
#
interface Vlanif11
 ip address 10.1.11.100 255.255.255.0
 dhcp select global
#
interface Vlanif12
 ip address 10.1.12.100 255.255.255.0
 dhcp select global
#
interface Vlanif801
 ip address 10.1.201.100 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 10 to 12 801
#
interface NULL0
#
undo snmp-agent
#
stelnet server enable
undo telnet ipv6 server enable
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
capwap source interface vlanif801
#
user-interface con 0
 authentication-mode password
 set authentication password cipher Admin@123
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher Admin@123
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
  security wpa2 psk pass-phrase %^%#9_3KC<KAK+ok/kP=Z+FQ-oMU~B,cE(7!xK6&e:*=%^%# aes
 security-profile name default-mesh
  security wpa2 psk pass-phrase %^%#MZsH9|j+[F3==a5hVn@3rkx2JhzAFRTS9g6!;%qX%^%# aes
 security-profile name mesh-sec1
  security wpa2 psk pass-phrase b1234567 aes
 ssid-profile name guest1
  ssid guest1
 ssid-profile name default
 ssid-profile name employee1
  ssid employee1
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-whitelist-profile name mesh-list1
  peer-ap mac cccc-8110-22c0
  peer-ap mac e8bd-d1f7-79c0
  peer-ap mac e8bd-d105-9120
  peer-ap mac e8bd-d1f7-9dc0
 mesh-profile name mesh1
  security-profile mesh-sec1
  mesh-id mesh1
  link-aging-time 30
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-profile name default
 ap-system-profile name default
  telnet enable
 ap-system-profile name mesh-sys1
  mesh-role mesh-portal
 provision-ap
 port-link-profile name default
 wired-port-profile name default
 wired-port-profile name wired-port1
  vlan tagged 11 to 12
 ap-group name default
 ap-group name mesh-mp1
  ap-system-profile mesh-sys1
  wired-port-profile wired-port1 gigabitethernet 0
  radio 1
   mesh-profile mesh1
   mesh-whitelist-profile mesh-list1
   channel 40mhz-plus 157
   coverage distance 4
 ap-group name mesh-mpp1
  ap-system-profile mesh-sys1
  wired-port-profile wired-port1 gigabitethernet 0
  radio 1
   mesh-profile mesh1
   mesh-whitelist-profile mesh-list1
   channel 40mhz-plus 157
   coverage distance 4
 ap-id 0 type-id 19 ap-mac cccc-8110-2260 ap-sn 210235448310C9000012
  ap-name ap1
  ap-group mesh-mpp1
 ap-id 1 type-id 19 ap-mac e8bd-d1f7-75c0 ap-sn 2102354196W0DC003017
  ap-name ap2
  ap-group mesh-mpp1
 ap-id 2 type-id 19 ap-mac e8bd-d1f7-8260 ap-sn 2102354196W0DC003765
  ap-name ap3
  ap-group mesh-mp1
 ap-id 3 type-id 19 ap-mac e8bd-d1f7-7560 ap-sn 2102354196W0DC003012
  ap-name ap4
  ap-group mesh-mp1
#
undo ntp-service enable
#
return
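
The AC reference configuration above keeps several lab-convenience settings that should not be carried into production: Telnet on the VTY lines and in the default AP system profile, legacy SSH algorithms, and a readable mesh pass-phrase. The script below is an added example, not part of the Huawei guide, that flags those lines in an exported configuration. The names audit and SAMPLE, the SSH allowlist, and the reliance on device-style indentation to find the parent section are assumptions of this example.

```python
import re

# Constructed sample: lines from the AC reference configuration, device-style indentation.
SAMPLE = """\
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh server secure-algorithms hmac sha2_256 sha2_256_96 sha1 sha1_96 md5 md5_96
user-interface vty 0 4
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
wlan
 security-profile name mesh-sec1
  security wpa2 psk pass-phrase b1234567 aes
 ap-system-profile name default
  telnet enable
"""

# Assumed local policy (not a Huawei recommendation): only these SSH algorithm names pass.
ALLOWED = {"cipher": {"aes256_ctr", "aes128_ctr"}, "hmac": {"sha2_256"}}
SSH_ALGS = re.compile(r"ssh (?:server|client) secure-algorithms (cipher|hmac) (.+)")
SECRET = re.compile(r"(?:pass-phrase|password (?:irreversible-)?cipher) (\S+)")
ENCODED = re.compile(r"^(%@%@|%\^%#).+\1$")  # the two wrappers seen in the configs above

def audit(config):
    """Return (line_number, parent_section, finding) for each risky line."""
    findings, stack = [], []  # stack: (indent, text) of the enclosing sections
    for n, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if not text or text == "#":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else ""
        stack.append((indent, text))
        if (algs := SSH_ALGS.match(text)):
            bad = [a for a in algs.group(2).split() if a not in ALLOWED[algs.group(1)]]
            if bad:
                findings.append((n, parent, f"ssh {algs.group(1)} outside allowlist: {' '.join(bad)}"))
        elif text in ("protocol inbound telnet", "protocol inbound all"):
            findings.append((n, parent, "VTY accepts telnet"))
        elif text == "telnet enable" and parent.startswith("ap-system-profile"):
            findings.append((n, parent, "telnet enabled on APs"))
        elif (secret := SECRET.search(text)) and not ENCODED.match(secret.group(1)):
            findings.append((n, parent, "secret in cleartext"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The parent section is derived from indentation, so run it against configuration text exported from the device rather than text flattened by copy and paste.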

You have completed experiment 10.
