• This document describes the main components of WLAN and WLAN network architecture,
including details of Huawei WLAN solution, WLAN network design principles and common
networking schemes.
• Management/Control/Analysis: Portal server, DHCP server, RADIUS server, NMS server
• IP network: Core switch, Aggregation switch, Access switch
• Wireless control: AirEngine wireless access controllers
• Wireless access: AirEngine wireless access points, RU (Remote Unit)
• Wireless terminal: Laptop, Tablet, Mobile phone, Scanner, AGV, wristband, ...
Fat AP
• Characteristics: The AP works independently and needs to be configured separately. The functions are simple and the cost is low.
• Applicable scenarios: households and micro-stores.
Fit AP
• Characteristics: The AP needs to work with the WAC. The WAC manages and configures APs centrally and provides various functions. High skills are needed from network maintenance personnel.
• Applicable scenarios: large and medium-sized enterprises.
• Networking characteristics: APs can work independently and manage a few APs to realize basic roaming functions. The cost is low, and it’s less demanding on maintenance skills.
• Applicable scenarios: small and micro enterprises.
Central AP
• Networking characteristics: A special AP architecture consisting of central AP and RUs. The central AP can manage multiple RUs. With this architecture, the cost is low and the coverage is good. Agile distributed APs can be used in Fat AP, WAC+FIT AP, and cloud management architecture.
• Applicable scenarios: high room density.
• Networking characteristics: APs need to work with the SDN controller. The SDN controller
Cloud AP
• Networking characteristics: APs need to work with the cloud management platform. The cloud management platform manages and configures APs centrally. APs support various functions and plug-and-play. Skill requirements for network maintenance personnel are low.
• Applicable scope: small and medium-sized enterprises.
▫ Fit AP
▫ Leader AP
▫ CloudCampus
Architecture overview · Layer 2 and Layer 3 · VLAN planning · WAC reliability
• The WAC controls WLAN access, forwarding and statistics collection, monitors AP configurations, manages roaming, and provides network management proxy and security control for APs.
• Fit APs encrypt and decrypt 802.11 packets, perform physical layer functions of 802.11, collect statistics on air interfaces, and are managed by the WAC.
• The WAC and AP communicate with each other using the CAPWAP protocol.
• Compared with the Fat AP architecture, the WAC+Fit AP architecture has the following advantages:
The WLAN networking may vary with the networking mode, data forwarding mode, and number of WACs.
Layer 2 networking
• Note: The WAC and Fit AP are in the same broadcast domain. The AP can find the WAC through local broadcast. The networking, configuration, and management are simple.
• Application: Applicable to small-scale networks, such as small-sized enterprise networks. It is not applicable to complex and fine-grained WLAN networking of large enterprises.
Layer 3 networking
• Note: The WAC and Fit AP are not in the same network segment. The network between the AP and WAC must be L3 reachable. Additional configurations are needed for the AP to discover the WAC. The networking is flexible and scalable.
• Application: Layer 3 networking is applicable to medium- and large-sized networks. In a large-scale campus, APs are deployed in each building for wireless coverage, and the WAC is deployed in the core equipment room for unified management. In this case, a complex Layer 3 network must be deployed between the WAC and Fit APs.
In-line networking
• Note: WAC functions as both radio access controller (AC) and aggregation switch. WAC forwards and processes data and management services of APs.
• Application: Applicable to greenfield small- and medium-scale centralized WLANs.
Bypass networking
• Note: In bypass networking, WAC is connected to existing network in bypass mode and only processes AP management services. Data services of APs can be directly transmitted uplink without passing through the WAC.
• Application: Mainly applied in network upgrade or greenfield medium- and large-sized campus networks.
Page 15 Copyright © Huawei Technologies Co., Ltd. All rights reserved
In-Line Mode
Networking description
2. The AC can provide PoE/PoE+ power supply directly to APs as it also acts as access/aggregation switch.
3. Tunnel forwarding or direct forwarding can be used, as in in-line networking, ACs are connected in serial mode.
4. Note: In direct connection/in-line mode, all traffic passes through AC. If the AC fails, non-wireless traffic is also affected.
Application scenario
2. The in-line mode is applicable to new small- and medium-sized campuses and branches.
1. In bypass mode, AC is connected to network in bypass mode to manage APs’ WLAN services.
2. AC manages APs and transmission of management flows encapsulated in CAPWAP tunnels. Data service flows can be forwarded by the AC over the CAPWAP tunnel or directly sent by the aggregation switch to the upper-layer network.
3. APs under the aggregation switch are managed by AC that is connected to the aggregation switch in bypass mode. AC is deployed centrally, thus applicable to hotspots with scattered APs.
4. Bypass networking builds on top of existing network, which requires few modifications, and is fast and easy to deploy.
5. The direct forwarding mode or tunnel forwarding mode can be selected based on user access control requirements.
6. In most enterprise networks, the tunnel forwarding mode is recommended, and it is a common practice when building on top of existing network.
(Diagram: AC is connected to core/aggregation switch in bypass mode.)
Application scenario
1. It is mainly used for network upgrade or setup of new medium- and large-sized campus networks.
2. The original network topology is not changed.
• No-detour forwarding: After receiving user data packets, AP directly
• Advantages: Data traffic does not pass through AC, and the load on the AC is light. The solution is recommended for 10GE campus networks.
• Service data packets are encapsulated by APs and then forwarded to AC. AC not only manages APs but also receives and forwards AP traffic.
• Data packets are encapsulated in CAPWAP tunnel and then forwarded by WAC to upper-layer network.
• Tunnel forwarding is usually used in bypass networking. WAC forwards data packets centrally, which is secure and facilitates centralized management and control. New devices can be easily deployed and configured, with basically no need to change the existing network. Tunnel forwarding is applicable to independent WLAN deployment or centralized management and control scenarios of large-scale campuses.
Note: Data traffic between APs and the WAC is carried in the CAPWAP data tunnel, and management traffic is carried in the CAPWAP control channel.
• Bypass mode + Layer 3 networking + Direct forwarding: Data traffic is forwarded without detour, which is very efficient. This enables WLAN deployment on top of existing network and hot backup. Complex data VLAN configuration, though with high forwarding efficiency.
Most commonly used: bypass mode + Layer 3 networking + direct forwarding, or bypass mode + Layer 3 networking + tunnel forwarding.
• In-line mode + Layer 3 networking + Tunnel forwarding: Data traffic has no detour. Management is simple. Layer 3 networking is more suitable for larger-scale networks than Layer 2 networking. Not suitable to complex and fine-grain WLAN networking of large enterprises.
With in-line mode, it’s not easy to build WLAN on top of existing network.
In-line mode + Layer 3 networking + direct forwarding (or tunnel forwarding) solution is only recommended for small-scale networks.
Typical application scenario 1 (diagram: Internet, DMZ zone, Local WAC, CAPWAP tunnel, SSID: Guest)
• An enterprise wants to provide WLAN coverage for Zone A and Zone B, and requires that WLANs detected by users have only one SSID and the same forwarding control policy. In this case, only one SSID and one VLAN need to be planned.
• An enterprise wants to provide WLAN coverage for Zone A and Zone B, and requires that WLANs detected by users have only one SSID and data forwarding control policies are different. In this case, you can plan one SSID and two VLANs, each for one zone. SSID:VLAN = 1:2.
• An enterprise wants to provide WLAN coverage for Zone A and Zone B. To allow users to obtain location and other information if they search for WLANs, and to have the same data forwarding control policy, two SSIDs and one VLAN are planned. In this case, SSID:VLAN = 2:1.
• An enterprise wants to provide WLAN coverage for Zone A and Zone B. To allow users to obtain location and other information once they search for the WLAN and to have different data forwarding control policies, two SSIDs and two VLANs are planned. In this case, SSID:VLAN = 2:2.
Application Example of VLAN Pool
Problem: hallway effect
If one SSID for one VLAN and one VLAN for one subnet, when a lot of users access the network from a certain area, only the corresponding subnet in the area can be expanded. As a result, the broadcast domain is expanded, causing broadcast packets to increase greatly, and network congestion.
Solution (diagram: Campus Network, Hallway area, Other area)
• In this mode, the active and standby WACs are deployed in the same geographical location. Compared with other backup modes, this mode features fast service switchover.
• When the link between AP and the active WAC is disconnected, AP instructs standby WAC to take over as the active WAC.
(Diagram: WAC1, 10.1.1.3/24, and WAC2, 10.1.1.2/24, connected by an HSB channel.)
Applicable scenarios
On a small-sized wireless network where no standby AC is deployed, this feature ensures uninterrupted data forwarding when AP is disconnected from the AC, improving service reliability.
Function description
2. Network administrator needs to configure the 802.1X authentication escape service in advance.
3. The network administrator needs to send the account and password required for 802.1X authentication to the AP in advance.
Function description
• When AC is disconnected from AP, new users can access the network without authentication.
1. The leader AP architecture contains only APs. Configure one of the APs in leader AP mode and the rest in fit AP mode. Fit APs communicate with the leader AP at Layer 2.
2. The leader AP broadcasts its role on the Layer 2 network. Other APs automatically discover and connect to the leader AP.
3. The leader AP provides functions similar to WAC, including unified access management, configuration management, and O&M based on CAPWAP tunnels, and offers centralized radio resource management and roaming management.
4. Users only need to log in to the leader AP and configure wireless services. All APs provide the same wireless services, and terminals can roam among different APs.
Applicable scenario
Some small and micro enterprises want to set up their own wireless networks and manage them independently, without using cloud management. If the fat AP architecture is used, APs cannot be managed and maintained in a unified manner, and users cannot enjoy good roaming experience. If the WAC+Fit AP architecture is used, since the number of terminals is small, the wireless coverage area is small, and only a few APs are required, cost of WAC devices and license fees would be too high. In this case, this Leader AP solution can be used.
Management and control layer: iMaster NCE-Campus, all-in-one (management, control, and analysis), O&M brain
• Network construction automation, enabling Wi-Fi 6 services: Planning automation · Network construction automation · Policy automation
• Intelligent O&M, ensuring Wi-Fi 6 experience: User experience visualization · Fault demarcation · Network optimization & self-healing
Network layer: Wi-Fi 6-ready wired network; 10GE access, unleashing full speed of Wi-Fi 6
• Multi-GE switch + high-density 25GE fixed switch + 100G core switch for Wi-Fi 6 ultra-broadband
• By default, wireless users are managed uniformly. A maximum of 10,000 APs and 50,000 concurrent users are supported, meeting the needs of massive concurrent user access in the Wi-Fi 6 era.
• 10,000-user wireless campus with 100G core switch CloudEngine 12700E, 57.6 Tbit/s throughput, 50,000 wireless users, and 6 time performance.
(Diagram labels: Management, control, and analysis; NETCONF/YANG; Telemetry; CloudEngine S-Series Campus Switches; One photoelectric hybrid cable)
Based on this capability, enterprises can quickly and easily customize portal pages to promote brands and push advertisements.
Authentication mode: Social media account
Characteristics: Integrate with WeChat or Facebook to ensure that end users can use their social media accounts and passwords to be authenticated on the service manager page without registering accounts. After passing the authentication, end users can access the network.
Dependency:
• If WeChat authentication is used, and the enterprise has its own WeChat public account platform, the WeChat public account platform must be connected to iMaster NCE.
• Enterprises must apply for their own Facebook accounts to obtain legal authorization from Facebook.
Applicable scenario:
• WeChat account-based authentication is applicable for shopping malls that provide one-click WeChat public account follow in exchange for free Internet access.
• Facebook account-based authentication is applicable to stores outside China.
Independent AC
• Independent AC has a wireless traffic bottleneck and creates a point of failure.
• Wired and wireless networks are managed separately.
• Wired and wireless authentication points are separate.
AC card
• The AC functions as a card inserted in the switch.
• There is only hardware-level convergence.
Wired and wireless authentication points, policy control, and traffic forwarding are all separated, making troubleshooting and management difficult.
Add security groups. A security group is a group of users with the same network access policy.
(Diagram labels: Sales user security group, R&D user security group, Server resource security group 1)
Algorithms are used to improve efficiency. Through scenario-based continuous learning and expert experience, AI-based O&M frees O&M personnel
from complex alarms and noises, making O&M more automated and intelligent.
Scenario description
Cloud mode
• Disadvantage: The user network needs to be adjusted, and the AC needs to be adjusted to the cloud mode.
• Specification: 5 Mbps outbound bandwidth per 1000 APs
• In this case, the local forwarding mode is usually used. The branch gateway assigns IP addresses to branch users and the users directly access the Internet from the branch.
• If a branch needs to communicate with the headquarters, an Internet Protocol Security (IPSec) VPN tunnel is deployed in between.
(Diagram: Controller or NMS platform, unified management of WACs in branches and the headquarters.)
• Solution overview
• There is only one AP in the network, and the AP functions as the gateway of STA users.
• Application scenario
• Small-sized stores (such as agency offices and gas stations) with an area of less than 50 m².
• The maximum number of concurrent online terminals supported is less than 50.
• Only wireless user access is required.
• Only one wired Internet egress link is required.
features, such as WAN access, DHCP, and NAT, and functions as the user gateway. The L2 switch provides PoE extension access and wired terminal access, and the AP provides wireless terminal access.
• Application scenario
• Small- and medium-sized experience stores, logistics stores, and insurance stores with an area of less than 3000 m² and a maximum number of less than 2000 concurrent online terminals.
• Multiple APs are required. The devices must support advanced security functions such as URL filtering, IPS, security defense, and antivirus. In addition, the devices must support multiple uplinks.
(Diagram labels: Internet, Carrier CPE, FW, L2 switch)
Question(s)
1. An enterprise’s WLAN does not have heavy user traffic or traffic bottlenecks. To ensure
WLAN security, the customer would like to manage WLAN data in a unified manner.
Which of the following networking modes can be used? ( )
A. AC bypass mode with direct data forwarding