
HCPP-IP Network

Enterprise WLAN Networking Design


Copyright © Huawei Technologies Co., Ltd. All rights reserved.
Preface
• Enterprises have different requirements for their WLANs. As WLANs become more widely used in
enterprise networks, how to construct a WLAN that meets the service requirements of an enterprise
becomes an important question.

• A good network must have a good architecture and proper networking.

• This document describes the main components of a WLAN and the WLAN network architecture,
including details of the Huawei WLAN solution, WLAN network design principles, and common
networking schemes.



Objectives

• After completing this course, you will be able to:


▫ Describe key NEs of WLAN.

▫ Describe main Huawei WLAN solutions and networking architecture.

▫ Describe differences between different WLAN solutions.

▫ Describe typical WLAN networking solutions.

▫ Design a WLAN networking solution based on features and requirements.



Contents
1. WLAN Networking Architecture Overview

2. WLAN Networking Architecture

3. Typical WLAN Networking Solutions



Main NEs in Enterprise WLAN

• Management/Control/Analysis: Portal server, DHCP server, RADIUS server, NMS server

• IP network: Core switch, aggregation switch, access switch

• Wireless control: AirEngine wireless access controllers

• Wireless access: AirEngine wireless access points, RU (Remote Unit)

• Wireless terminal: Laptop, tablet, mobile phone, scanner, AGV, wristband, ...



WLAN Networking Architecture Overview

Fat AP
(Figure: fat APs connected directly to the Internet)

• Characteristics: The AP works independently and needs to be configured separately. The functions are
simple and the cost is low.

• Applicable scenarios: households and micro-stores.

WAC + Fit AP
(Figure: fit APs managed by a WAC that connects to the Internet)

• Characteristics: The AP needs to work with the WAC. The WAC manages and configures APs centrally
and provides various functions. High skills are needed from network maintenance personnel.

• Applicable scenarios: large and medium-sized enterprises.



WLAN Networking Architecture Overview (Cont.)

Leader AP
(Figure: a leader AP and the APs it manages covering Room 1 to Room N, connected to the Internet)

• Networking characteristics: The leader AP works independently and manages a few other APs to
realize basic roaming functions. The cost is low, and it is less demanding on maintenance skills.

• Applicable scenarios: small and micro enterprises.

Agile distributed AP
(Figure: a WAC with central APs; each central AP connects agile distributed APs in Room 1 to Room N)

• Networking characteristics: A special AP architecture consisting of a central AP and RUs. The central
AP can manage multiple RUs. With this architecture, the cost is low and the coverage is good. Agile
distributed APs can be used in the Fat AP, WAC + Fit AP, and cloud management architectures.

• Applicable scenarios: high room density.



WLAN Networking Architecture Overview (Cont.)
Next-generation campus network: CloudCampus (large- and medium-sized campus network)
(Figure: Internet and WAN reached through an egress zone; a data center and an O&M zone hosting
the native ACs and the NMS; core, aggregation, and access layers interconnected by iStack/CSS links)

• Networking characteristics: APs need to work with the SDN controller. The SDN controller manages
and configures APs centrally. This provides rich functions and integration with wired networks, and
uses big data and AI technologies to build simple, smart, and secure campus networks.

• Applicable scope: large and medium-sized enterprises.



WLAN Networking Architecture Overview (Cont.)
Next-generation campus network: CloudCampus (small- and medium-sized campus network)
(Figure: cloud APs managed over the Internet by the cloud management platform)

• Networking characteristics: APs need to work with the cloud management platform. The cloud
management platform manages and configures APs centrally. APs support various functions and
plug-and-play. Skill requirements for network maintenance personnel are low.

• Applicable scope: small and medium-sized enterprises.



Contents
1. WLAN Networking Architecture Overview

2. WLAN Networking Architecture


▫ Fat AP

▫ Fit AP

▫ Leader AP

▫ CloudCampus

3. Typical WLAN Networking Solutions



Fat AP Architecture
(Figure: several fat APs, each connected independently to the Internet)

• The fat AP architecture is also called the autonomous network architecture.

• When a single fat AP is deployed, no additional centralized control device is required because fat
APs are independent. Therefore, fat APs are easy to deploy and cost-effective.

• However, as the WLAN coverage area in an enterprise grows and the number of access users
increases, more fat APs need to be deployed. Each fat AP works independently and lacks unified
control, making it difficult to manage and maintain these fat APs.

• Therefore, the fat AP architecture is not recommended for enterprises. The WAC + fit AP
architecture, cloud management architecture, and leader AP architecture are more suitable.
Contents
1. WLAN Networking Architecture Overview

2. WLAN Networking Architecture


▫ Fat AP

▫ Fit AP

▫ Leader AP

▫ CloudCampus

3. Typical WLAN Networking Solutions



WAC + Fit AP Networking Architecture

1. Overview
▫ Architecture overview

2. Networking
▫ Layer 2 and Layer 3
▫ In-line and bypass
▫ Data forwarding
▫ Navi AC

3. Planning
▫ VLAN planning
▫ IP address planning

4. Reliability
▫ WAC reliability
▫ Service reliability



WAC + Fit AP Architecture
(Figure: fit APs connected to the WAC through CAPWAP tunnels)

• The WAC controls WLAN access, forwarding, and statistics collection, monitors AP configurations,
manages roaming, and provides network management proxy and security control for APs.

• Fit APs encrypt and decrypt 802.11 packets, perform the physical layer functions of 802.11, collect
statistics on air interfaces, and are managed by the WAC.

• The WAC and AP communicate with each other using the CAPWAP protocol.

• Compared with the Fat AP architecture, the WAC + Fit AP architecture has the following advantages:

▫ Easier to configure and deploy

▫ Higher level of security

▫ Easy to update and extend

The WLAN networking may vary with the networking mode, data forwarding mode, and number of WACs.



Networking Mode: Layer 2 and Layer 3 Networking

Layer 2 networking
(Figure: WAC and fit APs connected through a Layer 2 network)

• Note: The WAC and fit AP are in the same broadcast domain. The AP can find the WAC through
local broadcast. The networking, configuration, and management are simple.

• Application: Applicable to small-scale networks, such as small-sized enterprise networks. It is not
applicable to the complex and fine-grained WLAN networking of large enterprises.

Layer 3 networking
(Figure: WAC and fit APs separated by a Layer 3 network)

• Note: The WAC and fit AP are not in the same network segment. The network between the AP and
WAC must be Layer 3 reachable. Additional configuration is needed for the AP to discover the WAC.
The networking is flexible and scalable.

• Application: Layer 3 networking is applicable to medium- and large-sized networks. In a large-scale
campus, APs are deployed in each building for wireless coverage, and the WAC is deployed in the core
equipment room for unified management. In this case, a complex Layer 3 network must be deployed
between the WAC and fit APs.



Networking Mode: In-Line and Bypass

In-line
(Figure: WAC placed between the core switch and the APs)

• Note: The WAC functions as both access controller (AC) and aggregation switch. The WAC forwards
and processes the data and management services of APs.

• Application: Applicable to greenfield small- and medium-scale centralized WLANs.

Bypass
(Figure: WAC attached to the core switch in bypass mode, with an aggregation switch below the core switch)

• Note: In bypass networking, the WAC is connected to the existing network in bypass mode and only
processes AP management services. Data services of APs can be transmitted uplink directly without
passing through the WAC.

• Application: Mainly applied in network upgrades or greenfield medium- and large-sized campus
networks.
In-Line Mode
(Figure: core switch with the WAC in line below it and APs below the WAC)

Networking description

1. In in-line mode, the AC is directly connected to the APs or an access switch and functions as both
AC and aggregation switch. The AC forwards and processes the data and management services of APs.

2. The AC can provide PoE/PoE+ power supply directly to APs as it also acts as the access/aggregation
switch.

3. Tunnel forwarding or direct forwarding can be used, because in in-line networking the ACs are
connected in serial mode.

4. Note: In direct connection (in-line) mode, all traffic passes through the AC. If the AC fails,
non-wireless traffic is also affected.

Application scenario

1. This solution applies to greenfield, centrally deployed small- and medium-sized WLANs and
simplifies the network architecture.

2. The in-line mode is applicable to new small- and medium-sized campuses and branches.



Bypass Mode
(Figure: core switch and aggregation switch; the AC is connected to the core/aggregation switch in
bypass mode, with the APs under the aggregation switch)

Networking description

1. In bypass mode, the AC is connected to the network in bypass mode to manage the APs' WLAN services.
2. The AC manages the APs and the transmission of management flows encapsulated in CAPWAP tunnels.
Data service flows can be forwarded by the AC over the CAPWAP tunnel or sent directly by the
aggregation switch to the upper-layer network.
3. APs under the aggregation switch are managed by the AC that is connected to the aggregation switch
in bypass mode. The AC is deployed centrally, so this mode is applicable to hotspots with scattered APs.
4. Bypass networking builds on top of the existing network, requires few modifications, and is fast and
easy to deploy.
5. The direct forwarding mode or tunnel forwarding mode can be selected based on user access control
requirements.
6. In most enterprise networks, the tunnel forwarding mode is recommended, and it is common practice
when building on top of an existing network.

Application scenario

1. It is mainly used for network upgrades or the setup of new medium- and large-sized campus networks.
2. The original network topology is not changed.



Data Forwarding Mode 1: Direct Forwarding
Direct forwarding (also called local forwarding)
(Figure: core switch, aggregation switch, and WAC; the management flow runs in the CAPWAP tunnel
between AP and WAC, while the service data flow goes from the AP straight to the upper-layer network)

• No-detour forwarding: After receiving user data packets, the AP forwards them directly to the
upper-layer network without encapsulating them in CAPWAP tunnels.

• Direct forwarding is used in most in-line scenarios. This networking mode applies to the deployment
of small- and medium-scale centralized WLANs and simplifies the network architecture.

• Bypass networking can also use direct forwarding. Data packets do not need to be processed by the
WAC centrally, eliminating bandwidth bottlenecks. In addition, the security policies of the existing
network can be inherited, which suits large-scale campus networks with wired and wireless integration
or with headquarters and branches.

• Advantages: Data traffic does not pass through the AC, and the load on the AC is light. The solution
is recommended for 10GE campus networks.



Data Forwarding Mode 2: Tunnel Forwarding
Tunnel forwarding (also called centralized data forwarding)
(Figure: core switch, aggregation switch, and WAC; both the service data traffic and the management
traffic travel inside the CAPWAP tunnel from the AP to the WAC)

Note: Data traffic between APs and the WAC is carried in the CAPWAP data tunnel, and management
traffic is carried in the CAPWAP control channel.

• Service data packets are encapsulated by the APs and then forwarded to the AC. The AC not only
manages the APs but also receives and forwards AP traffic.

• Data packets are encapsulated in the CAPWAP tunnel and then forwarded by the WAC to the
upper-layer network.

• Tunnel forwarding is usually used in bypass networking. The WAC forwards data packets centrally,
which is secure and facilitates centralized management and control. New devices can be easily
deployed and configured, and there is basically no need to change the existing network. Tunnel
forwarding is applicable to independent WLAN deployments or to centralized management and control
scenarios of large-scale campuses.

• Advantages: Data flows and management flows pass through the AC, which facilitates security
control over wireless users.



Typical WAC+Fit AP Networking Modes

Bypass mode + Layer 2 networking + Direct forwarding
• Advantages: Data traffic is forwarded without detour, which is very efficient. This enables WLAN
deployment on top of the existing network and hot backup.
• Drawbacks: Complex data VLAN configuration.

Bypass mode + Layer 2 networking + Tunnel forwarding
• Advantages: Data VLAN configuration is simple. Tunnel forwarding provides a Layer 2 tunnel and
supports 802.1X authentication. This enables WLAN deployment on top of the existing network and hot
backup.
• Drawbacks: Inefficient forwarding due to detours.

Bypass mode + Layer 3 networking + Tunnel forwarding
• Advantages: Data VLAN configuration is simple. Tunnel forwarding provides a Layer 2 tunnel and
supports 802.1X authentication. This enables WLAN deployment on top of the existing network and hot
backup.
• Drawbacks: Inefficient forwarding due to detours.

Bypass mode + Layer 3 networking + Direct forwarding
• Advantages: Data traffic is forwarded without detour, which is very efficient. This enables WLAN
deployment on top of the existing network and hot backup.
• Drawbacks: Complex data VLAN configuration, though with high forwarding efficiency.

Most commonly used: bypass mode + Layer 3 networking + direct forwarding, or bypass mode + Layer 3
networking + tunnel forwarding.



Typical WAC+Fit AP Networking Modes (Cont.)

In-line mode + Layer 2 networking + Direct forwarding
• Advantages: Data traffic has no detour. Networking and management are simple.
• Drawbacks: Data VLAN configuration is complex, and the mode is not suitable for the complex and
fine-grained WLAN networking of large enterprises.

In-line mode + Layer 2 networking + Tunnel forwarding
• Advantages: Data traffic has no detour. Networking, configuration, and management are simple.
• Drawbacks: Not suitable for the complex and fine-grained WLAN networking of large enterprises.

In-line mode + Layer 3 networking + Direct forwarding
• Advantages: Data traffic has no detour. Management is simple, and Layer 3 networking is more
suitable for larger-scale networks than Layer 2 networking.
• Drawbacks: Data VLAN configuration is complex, and the mode is not suitable for the complex and
fine-grained WLAN networking of large enterprises.

In-line mode + Layer 3 networking + Tunnel forwarding
• Advantages: Data traffic has no detour. Management is simple, and Layer 3 networking is more
suitable for larger-scale networks than Layer 2 networking.
• Drawbacks: Not suitable for the complex and fine-grained WLAN networking of large enterprises.

With in-line mode, it is not easy to build a WLAN on top of an existing network.

The in-line mode + Layer 3 networking + direct forwarding (or tunnel forwarding) solution is only
recommended for small-scale networks.



Navi AC
Navi AC solution description
(Figure: the local WAC on the intranet with the intranet authentication server and intranet application
server; the Navi AC in the DMZ zone with a general server and a guest authentication server; SSID1:
Yuangong for employee STAs and SSID2: Guest for guest STAs; a CAPWAP tunnel between the WACs)

1. When deploying a wireless network, a large enterprise needs to provide access services for internal
employees and guests. Guest data may bring security threats to the network.
2. The enterprise can divert guest traffic to the Navi AC in the DMZ for centralized management, thus
securely separating internal employee access from guest access.

1. Local WAC: manages and coordinates APs centrally, for example, enabling STAs to go online and
delivering AP configurations.
2. Navi AC: provides security, control, and management functions for wireless users, such as identity
authentication, authorization, and billing.
3. CAPWAP tunnel between the local AC and the Navi AC: user data packets on the local AC are sent to
the Navi AC through the CAPWAP tunnel for forwarding.



Navi AC (Cont.)
Typical application scenario 1
(Figure: local WAC on the intranet, Navi AC in the DMZ zone with the general server and guest
authentication server; SSID1: Yuangong for employee STAs, SSID2: Guest for guest STAs; CAPWAP
tunnel between the WACs)

1. Employee traffic is forwarded on the intranet.

2. Guest traffic is forwarded to the secure DMZ through the CAPWAP tunnel, and can access only the
servers and Internet resources in the DMZ.



Navi AC (Cont.)
Typical application scenario 2
(Figure: the local AC and the Navi AC each have their own Internet egress; SSID1: Yuangong and SSID2:
Guest on the local AC, SSID: Guest on the Navi AC; a CAPWAP tunnel between the WACs; the employee
authentication point is the local AC and the guest authentication point is the Navi AC)

1. Employee and guest traffic are securely isolated, and guest management and control are decoupled
from the intranet.
2. The service egress and the operation egress are independent.
3. Employees are authenticated and authorized on the local AC. The authentication point is the local AC.
4. Guest traffic is forwarded to the Navi AC through the CAPWAP tunnel. The authentication point is the
Navi AC.
5. Traffic from employees is sent to the Internet through the local AC.
6. Guest traffic is forwarded to the Navi AC through the local AC CAPWAP tunnel and then to the Internet.



VLAN Planning in WLAN
VLAN in WAC + Fit AP scenario
(Figure: core switch, aggregation switch, and WAC; the management VLAN carries the CAPWAP tunnel
and management traffic between AP and WAC, and the service VLAN carries the service data traffic of
SSID: Guest)

• WLAN VLANs include the management VLAN and the service VLAN.

• Management VLAN: transmits packets forwarded through the CAPWAP tunnel, including all
management packets and the service data packets forwarded through the CAPWAP tunnel.

• Service VLAN: transmits service data packets.

• VLAN planning principles:

▫ Separate the management VLAN from the service VLAN.

▫ Map service VLANs to SSIDs based on actual service requirements.



Mapping Between Service VLANs and SSIDs

SSID:VLAN = 1:1
(Figure: campus network with Zone A and Zone B; both zones use SSID: Guest on VLAN 100)

An enterprise wants to provide WLAN coverage for Zone A and Zone B, and requires that the WLANs
detected by users have only one SSID and the same forwarding control policy. In this case, only one
SSID and one VLAN need to be planned.

SSID:VLAN = 1:N
(Figure: campus network with Zone A and Zone B; both zones use SSID: Guest, Zone A on VLAN 100 and
Zone B on VLAN 200)

An enterprise wants to provide WLAN coverage for Zone A and Zone B, and requires that the WLANs
detected by users have only one SSID but different data forwarding control policies. In this case, you
can plan one SSID and two VLANs, one for each zone. SSID:VLAN = 1:2.



Mapping Between Service VLANs and SSIDs (Cont.)

SSID:VLAN = N:1
(Figure: campus network; Zone A uses SSID: Zone A and Zone B uses SSID: Zone B, both on VLAN 100)

An enterprise wants to provide WLAN coverage for Zone A and Zone B. To allow users to obtain location
and other information when they search for WLANs, and to have the same data forwarding control
policy, two SSIDs and one VLAN are planned. In this case, SSID:VLAN = 2:1.

SSID:VLAN = N:M
(Figure: campus network; Zone A uses SSID: Zone A on VLAN 100 and Zone B uses SSID: Zone B on VLAN 200)

An enterprise wants to provide WLAN coverage for Zone A and Zone B. To allow users to obtain location
and other information when they search for WLANs, and to have different data forwarding control
policies, two SSIDs and two VLANs are planned. In this case, SSID:VLAN = 2:2.
Application Example of VLAN Pool

Problem: hallway effect
(Figure: campus network; SSID: Guest in the hallway area on VLAN 100 with a large number of
addresses, and SSID: Guest in the other area on VLAN 200. (1) A lot of users access the network from
one area and (2) then roam to another area; (3) a large number of users are in the hallway area,
requiring a large number of IP addresses.)

If one SSID maps to one VLAN and one VLAN to one subnet, then when a lot of users access the network
from a certain area, only the corresponding subnet in that area can be expanded. As a result, the
broadcast domain is expanded, broadcast packets increase greatly, and the network becomes congested.

Solution
(Figure: campus network; SSID: Guest in both the hallway area and the other area, each mapped to a
VLAN pool)

• In this scenario, a VLAN pool can be used as the service VLAN.

• The VLAN pool provides an algorithm for managing and allocating multiple VLANs. In this way, an
SSID can be mapped to multiple VLANs, and numerous users can be distributed across different VLANs
to narrow the broadcast domain.
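The VLAN pool behaviour described above, as an added example that is not part of the course material: a Python model of one Guest SSID backed by a pool of service VLANs, showing how the largest broadcast domain shrinks compared with a single VLAN and why a MAC-based allocation keeps a roaming STA in its VLAN. The "even" and "hash" strategies, the VLAN IDs, and the STA MAC addresses are assumptions and constructed sample data; the slide does not specify the pool's allocation algorithm.

```python
"""VLAN pool model: spreading the STAs of one SSID over several service VLANs.

Added illustrative model, not Huawei's implementation. The two allocation
strategies, "even" (hand out VLANs in turn) and "hash" (derived from the STA
MAC address), the VLAN IDs and the MAC addresses are assumptions; the course
slide does not specify the pool's allocation algorithm.
"""
from __future__ import annotations

import zlib
from collections import Counter
from itertools import cycle


class VlanPool:
    """A pool of service VLANs mapped to a single SSID."""

    def __init__(self, ssid: str, vlans: list[int], assignment: str = "hash") -> None:
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN")
        if assignment not in ("hash", "even"):
            raise ValueError("assignment must be 'hash' or 'even'")
        self.ssid = ssid
        self.vlans = sorted(set(vlans))
        self.assignment = assignment
        self._round_robin = cycle(self.vlans)   # state for the 'even' strategy
        self.bindings: dict[str, int] = {}      # STA MAC -> service VLAN

    def _hash_vlan(self, mac: str) -> int:
        # Deterministic: the same MAC always lands in the same VLAN, so a STA that
        # roams between APs of the same pool keeps its VLAN and hence its IP address.
        key = mac.lower().replace("-", ":").encode()
        return self.vlans[zlib.crc32(key) % len(self.vlans)]

    def assign(self, mac: str) -> int:
        """Pick the service VLAN for a STA associating to the SSID."""
        if self.assignment == "hash":
            vlan = self._hash_vlan(mac)
        else:
            # 'even': next VLAN in turn; a STA that re-associates may get another one,
            # which forces it to obtain a new IP address after roaming.
            vlan = next(self._round_robin)
        self.bindings[mac] = vlan
        return vlan

    def broadcast_domains(self) -> dict[int, int]:
        """Number of STAs per VLAN, i.e. the receivers of each VLAN's broadcasts."""
        return dict(Counter(self.bindings.values()))


def largest_broadcast_domain(pool: VlanPool) -> int:
    """Size of the most populated VLAN: the worst-case broadcast fan-out."""
    return max(pool.broadcast_domains().values(), default=0)


def constructed_macs(count: int) -> list[str]:
    """Constructed sample STA MAC addresses (locally administered, not captured)."""
    return [f"02:00:5e:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
            for i in range(count)]


def populate(assignment: str, stas: int = 400,
             vlans: tuple[int, ...] = (100, 101, 102, 103)) -> VlanPool:
    """Hallway scenario: many STAs join one Guest SSID backed by a VLAN pool."""
    pool = VlanPool("Guest", list(vlans), assignment)
    for mac in constructed_macs(stas):
        pool.assign(mac)
    return pool


if __name__ == "__main__":
    # One SSID on a single VLAN: every STA shares one broadcast domain.
    single = populate("hash", vlans=(100,))
    print("single VLAN, largest broadcast domain:", largest_broadcast_domain(single))
    # The same SSID on a four-VLAN pool: the broadcast domain shrinks to a quarter.
    for strategy in ("even", "hash"):
        pool = populate(strategy)
        print(strategy, pool.broadcast_domains(),
              "largest broadcast domain:", largest_broadcast_domain(pool))
    # Roaming check: a re-associating STA keeps its VLAN under 'hash'.
    sta = constructed_macs(1)[0]
    hashed = populate("hash")
    print("hash keeps VLAN on roam:", hashed.assign(sta) == hashed.assign(sta))
```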



IP Address Planning
(Figure: Internet, core switch, WAC (1), APs (2), and STAs (3))

① IP address of the WAC:
• Used to manage APs; usually a static IP address that is manually configured.

② IP address of the AP:
• Used for CAPWAP communication with the WAC. Because there are a large number of APs, a DHCP
server is used to allocate IP addresses dynamically. On a large-scale campus network, the core switch
can be used as the DHCP server.
• The WAC can be used as a DHCP server to assign IP addresses to APs. Alternatively, an independent
DHCP server or network device can be used.
• If the network between the WAC or independent DHCP server and the AP is a Layer 3 network, DHCP
relay needs to be configured to ensure that the route between the WAC or independent DHCP server
and the AP is reachable.

③ IP address of the STA:
• It is recommended that IP addresses be allocated dynamically through DHCP. Fixed wireless
terminals (such as wireless printers) can be configured statically. You can use the WAC as the DHCP
server or use an independent DHCP server.



WAC Reliability: VRRP Dual-Device Hot Backup
(Figure: WAC1 10.1.1.3/24 (VRRP active) and WAC2 10.1.1.2/24 (VRRP standby) linked by an HSB (Hot
Standby) channel and forming virtual WAC 10.1.1.1/24 (VRRP configuration, steps 1 and 2); the APs set
up CAPWAP tunnels to the virtual WAC)

• Two WACs form a VRRP group. The active and standby WACs present the same virtual IP address to the
APs. The active WAC synchronizes service information to the standby WAC through the hot standby
(HSB) channel.

• The two WACs use the VRRP protocol to form a virtual WAC. By default, the active WAC takes over the
work of the virtual WAC. When the active WAC fails, the standby WAC takes over the work. All APs
establish CAPWAP tunnels with the virtual WAC.

• The AP is aware of only one WAC, and the switchover between WACs is determined by VRRP.

• In this mode, the active and standby WACs are deployed in the same geographical location. Compared
with other backup modes, this mode features fast service switchover.

• More protection features:

▫ Uplink monitoring supports BFD + VRRP.
▫ The downlink supports MSTP to break loops.



WAC Reliability: Dual-Link Hot Backup
(Figure: WAC1 10.1.1.3/24 and WAC2 10.1.1.2/24 linked by an HSB channel; each AP has an active CAPWAP
tunnel (1) to one WAC and a standby tunnel (2) to the other)

• The AP establishes CAPWAP tunnels with the active and standby WACs respectively. Service information
is synchronized between the WACs through the HSB channel.

• When the link between the AP and the active WAC is disconnected, the AP instructs the standby WAC to
take over as the active WAC.

• The active and standby ACs are determined based on AC priority. If the ACs have the same priority,
the active and standby ACs are determined based on AC load (the number of APs and STAs).

• This solution supports active/standby backup and load balancing. In load balancing mode, you can
specify WAC1 as the active WAC for some APs, which set up their active CAPWAP links with WAC1, and
specify WAC2 as the active WAC for the other APs, which set up their active CAPWAP links with WAC2.

• The active and standby WACs in dual-link dual-device hot standby mode are not restricted by
geographical location. They can be deployed flexibly to implement load balancing and use resources
effectively, but the service switchover speed is relatively slow.



WAC Reliability: N+1
(Figure: a standby WAC at the enterprise HQ; active WACs at enterprise branch 1 and enterprise branch
2; CAPWAP tunnels run over the WAN)

• One WAC is used as the standby WAC to back up multiple active WACs.

• In this example, the WAC in the HQ can be used as the backup WAC for the local WACs in branches 1
and 2.

• When the network is working properly, an AP establishes a CAPWAP tunnel only with the active WAC of
its own area.

• When the active WAC is faulty or the CAPWAP link between the active WAC and an AP is down, the
standby WAC takes over management of the AP. A CAPWAP link is set up between the standby WAC and
the AP to provide services for the AP.

• Supports active/standby switchover and switchback.



WAC Reliability: Summary

Switchover speed
• VRRP dual-device hot backup: The active/standby switchover is fast and has little impact on
services. The VRRP preemption time can be configured to implement faster switchover than other
backup modes.
• Dual-link hot backup: The AP status switchover is slow. The switchover happens only after the
CAPWAP link connection times out. After the active/standby switchover, terminals do not need to go
online again.
• N+1 backup: The AP status switchover is slow. The switchover happens only after the CAPWAP link
connection times out. In this case, the AP and terminals need to go online again, and services are
interrupted for a short period of time.

Remote deployment of active and standby WACs
• VRRP dual-device hot backup: The VRRP protocol is a Layer 2 protocol. It is not recommended that
the active and standby WACs be deployed in different locations.
• Dual-link hot backup: Supported.
• N+1 backup: Supported.

Applicable scenario
• VRRP dual-device hot backup: Scenarios that have high reliability requirements and do not require
remote deployment of the active and standby WACs.
• Dual-link hot backup: Scenarios that require high reliability and remote deployment of the active
and standby WACs.
• N+1 backup: Scenarios that have low requirements on reliability and high requirements on cost
control.



Continuing Service Using Local Forwarding Even When CAPWAP Is Down
(Figure: campus network, WAC, and an AP using local forwarding, with existing online users and a new user)

Function description

1. User data is forwarded in local forwarding mode. When the CAPWAP link between the AP and the AC
is down, the services of existing online users are not interrupted and user data can be forwarded
normally.
2. When the WAC is disconnected from the AP, existing online users are not affected. Whether new users
are allowed to access the network depends on the authentication mode bound to the SSID.
3. If open system authentication, shared key authentication (WEP), or WPA/WPA2-PSK is used, new
users can still get online.

Applicable scenarios

On a small-sized wireless network where no standby AC is deployed, this feature ensures uninterrupted
data forwarding when the AP is disconnected from the AC, improving service reliability.



Authentication Escape: 802.1X Authentication (Solution 1)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the AP is disconnected from the AC, the local RADIUS server is used for authentication
escape.

• 802.1X authentication is used for WLAN services.

• When the AC is disconnected from the AP, the local RADIUS server is used for authentication escape.
When a new user goes online, the AP uses the locally configured user name and password to perform
802.1X authentication for the user.

Function description

1. Direct forwarding mode is used for WLAN services.

2. The network administrator needs to configure the 802.1X authentication escape service in advance.

3. The network administrator needs to send the account and password required for 802.1X
authentication to the AP in advance.



Authentication Escape: 802.1X Authentication (Solution 2)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the link between the AP and the AC is down, 802.1X authentication is switched to PSK
authentication for escape.

• 802.1X authentication is used for WLAN services.

• When the AC is disconnected from the AP, 802.1X authentication is converted to PSK authentication
for escape. New users are authenticated using the PSK.

Function description

1. Direct forwarding mode is used for WLAN services.

2. The network administrator needs to configure the 802.1X authentication escape service in advance.

3. The network administrator must configure the PSK service in advance.



Authentication Escape: Portal Authentication (Solution 1)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the link to the portal server is down, new users use authentication-exempt access for
escape.

• WLAN services use portal authentication. iMaster NCE functions as the portal server.

• When the AC detects that it is disconnected from the portal server, it performs authentication escape.
In this case, new users can access the network without authentication.

Function description

The network administrator needs to configure the portal authentication escape service in advance.



Authentication Escape: Portal Authentication (Solution 2)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the AC is disconnected, the escape mode is authentication-exempt access for new users.

• WLAN services use portal authentication. iMaster NCE functions as the portal server.

• When the AP is disconnected from the AC, the escape function is triggered. In this case, new users can
access the network without authentication.

Function description

1. Direct forwarding mode is used for WLAN services.

2. The network administrator needs to configure the portal authentication escape service in advance.



Authentication Escape: MAC Address Authentication (Solution 1)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the AP is disconnected from the AC, the local RADIUS server is used for authentication
escape.

• MAC address authentication is used for WLAN services.

• When the AC is disconnected from the AP, escape is realized through local RADIUS server
authentication. When a new user goes online, the AP performs MAC address authentication on the user
based on the locally configured MAC addresses.

Function description

1. Direct forwarding is used for WLAN services.

2. The network administrator needs to configure the MAC address authentication escape service in
advance.

3. The network administrator needs to send the account and password required for MAC address
authentication to the AP in advance.



Authentication Escape: MAC Address Authentication (Solution 2)
(Figure: campus network, WAC, and AP, with an existing online user and a new user)

Scenario: When the AP is disconnected from the AC, the escape mode is authentication-exempt access
for new users.

• MAC address authentication is used for WLAN services.

• When the AC is disconnected from the AP, new users can access the network without authentication.

Function description

1. Direct forwarding mode is used for WLAN services.

2. The network administrator needs to configure the MAC address authentication escape service in
advance.

Page 40 Copyright © Huawei Technologies Co., Ltd. All rights reserved
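The four escape slides above describe one decision: when the normal authentication path is unreachable, what happens to a new user, and what happens to users already online. The following model, added here as an example and not Huawei code, makes that decision explicit for all four solutions (Portal solution 1 triggers on the AC-to-Portal link, the other three on the AP-to-AC link). The names (EscapeMode, LinkState, admit), the MAC normalization and the sample MAC list are assumptions made for illustration.

```python
"""Added example, not Huawei code: a model of the escape decision made for a
new association, covering the four solutions on the preceding slides."""
from dataclasses import dataclass, field
from enum import Enum


class AuthMethod(Enum):
    PORTAL = "portal"
    MAC = "mac"


class EscapeMode(Enum):
    NONE = "none"              # no escape configured: fail closed
    EXEMPT = "exempt"          # Portal solution 1/2, MAC solution 2: fail open
    LOCAL_RADIUS = "local"     # MAC solution 1: AP checks its local MAC list


@dataclass
class EscapeConfig:
    method: AuthMethod
    mode: EscapeMode
    # MAC solution 1: accounts pushed to the AP in advance
    # (assumed stored normalized: lowercase hex, no separators)
    local_macs: set = field(default_factory=set)


@dataclass
class LinkState:
    ap_to_ac: bool = True       # CAPWAP tunnel between AP and AC
    ac_to_portal: bool = True   # reachability from the AC to the Portal server


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011-2233-4455 forms."""
    hex_only = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hex_only) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return hex_only


def escape_active(cfg: EscapeConfig, link: LinkState) -> bool:
    """Portal solution 1 triggers on the AC-to-Portal link; every other
    solution on the slides triggers on the AP-to-AC link."""
    if not link.ap_to_ac:
        return True
    return cfg.method is AuthMethod.PORTAL and not link.ac_to_portal


def admit(cfg, link, mac, online_sessions, credential_ok=False):
    """Return (admitted, reason) for a station that wants to go online.

    online_sessions: normalized MACs that already passed authentication
    (escape never touches them). credential_ok: verdict of the normal
    AC/Portal/RADIUS check, consulted only while that path is reachable."""
    mac = normalize_mac(mac)
    if mac in online_sessions:
        return True, "existing session kept"
    if not escape_active(cfg, link):
        return credential_ok, "normal authentication via AC"
    if cfg.mode is EscapeMode.NONE:
        return False, "escape not configured: new user rejected (fail closed)"
    if cfg.mode is EscapeMode.EXEMPT:
        return True, "escape: authentication-exempt access (fail open)"
    # LOCAL_RADIUS only makes sense with MAC address authentication
    if cfg.method is not AuthMethod.MAC:
        return False, "local RADIUS escape requires MAC address authentication"
    if mac in cfg.local_macs:
        return True, "escape: MAC found in the AP's local list"
    return False, "escape: MAC not in the AP's local list"


if __name__ == "__main__":
    cfg = EscapeConfig(AuthMethod.MAC, EscapeMode.LOCAL_RADIUS, {"001122334455"})
    for link in (LinkState(), LinkState(ap_to_ac=False)):
        print(link, admit(cfg, link, "00-11-22-33-44-55", set()))
```

The reason strings make the fail-open cases visible in logs; in a real deployment the equivalent is auditing which SSIDs have the escape service enabled and alerting when escape is triggered, because every admission during that window bypassed identity checks.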


Contents

1. WLAN Networking Overview
2. WLAN Networking Architecture
   ▫ Fat AP
   ▫ Fit AP
   ▫ Leader AP
   ▫ CloudCampus
3. Typical WLAN Networking


Leader AP Architecture

Solution description

1. The leader AP architecture contains only APs. Configure one of the APs in leader AP mode and the rest in fit AP mode. The fit APs communicate with the leader AP at Layer 2.
2. The leader AP broadcasts its role on the Layer 2 network. The other APs automatically discover and connect to the leader AP.
3. The leader AP provides functions similar to those of a WAC, including unified access management, configuration management and O&M based on CAPWAP tunnels, and offers centralized radio resource management and roaming management.
4. Users only need to log in to the leader AP and configure the wireless services. All APs provide the same wireless services, and terminals can roam among the APs.

Applicable scenario

Some small and micro enterprises want to set up their own wireless networks and manage them independently, without using cloud management. If the fat AP architecture is used, the APs cannot be managed and maintained in a unified manner, and users do not get a good roaming experience. If the WAC + fit AP architecture is used, the cost of WAC devices and license fees is too high for a deployment with few terminals, a small coverage area and only a few APs. In this case, the leader AP solution can be used.

(Figure: campus network with one leader AP and several fit APs)




CloudCampus: Campus Network in the Wi-Fi 6 Era

Various industries are undergoing digital transformation: electronic schoolbags and wireless interactive classrooms (smart education); customer flow analysis to improve the shopping experience and the offline conversion rate (retail); health management; an all-wireless digital office space that supports enterprises in becoming learning organizations (government and enterprise offices); wired, wireless and IoT convergence with the industrial Internet (manufacturing); and wireless and IoT for a next-generation digital city that improves city operation efficiency (wireless city). An open platform (SDK | API) supports industry application development.

Management and control layer: iMaster NCE-Campus, all-in-one (management, control and analysis), the O&M brain.
• Network construction automation, enabling Wi-Fi 6 services: planning automation, network construction automation and policy automation.
• Intelligent O&M, ensuring the Wi-Fi 6 experience: user experience visualization, fault demarcation, network optimization and self-healing.
• Southbound interfaces: NETCONF/YANG and telemetry.

Network layer: a Wi-Fi 6-ready wired network with 10GE access, unleashing the full speed of Wi-Fi 6.
• CloudEngine S-series campus switches: multi-GE access switch + high-density 25GE fixed switch + 100G core switch for Wi-Fi 6 ultra-broadband, with one photoelectric hybrid cable to the AP.
• Wireless users are managed uniformly by default. A maximum of 10,000 APs and 50,000 concurrent users are supported, meeting the needs of massive concurrent user access in the Wi-Fi 6 era.
• 10,000-user wireless campus with the CloudEngine 12700E 100G core switch: 57.6 Tbit/s throughput, 50,000 wireless users and 6 times the performance.

AirEngine Wi-Fi 6, all wireless:
• High speed: exclusive dual-band 16-antenna design, 10.75 Gbps, twice the industry average.
• Stable coverage: smart antenna with signals following users, covering 20% more area.
• Stable application: DynamicTurbo application acceleration, < 10 ms latency.
• Stable roaming: lossless roaming, zero packet loss during roaming.


WLAN Design: Wireless Roaming

• In small- and medium-sized campus networks, Layer 2 roaming is recommended because the number of terminals is small. In this case, one SSID maps to one service VLAN, and all users share one user gateway. If the number of APs is greater than 50 or the number of terminals is greater than 1,000, Layer 3 roaming can be deployed so that one SSID maps to different service VLANs.
• Notes:
  ▫ Wireless roaming can be performed only between APs at the same site.
  ▫ If the Layer 2 roaming domain is large, broadcast packets may flood the network. You are advised to configure a rate limit for broadcast packets on the controller. The default rate limit is 256 pps.
  ▫ Each AP supports a maximum of 64 users with detoured Layer 3 roaming. When the number of Layer 3 roaming users is large, roaming may fail and the users need to reconnect.
  ▫ Traffic of Layer 3 roaming users is forwarded back to the AP that the user first accessed (the home AP) or to other APs in the same Layer 2 domain as the home AP. Therefore, it is recommended that APs at the network ingress be planned in one large Layer 2 domain so that the traffic detoured back by Layer 3 roaming is shared by more APs.
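The notes above contain two concrete limits: the per-AP ceiling of 64 detoured Layer 3 roaming users, after which a roam fails and the station has to reconnect, and the 256 pps default broadcast rate limit. The model below is an added example, not Huawei code: it decides between Layer 2 and Layer 3 roaming from the service VLAN of the home AP, enforces the detour ceiling on the home AP, and shows the broadcast limiter as a token bucket. The AP names, VLAN numbers and site names are constructed; the detour anchor is simplified to the home AP itself (the slide also allows other APs in the home Layer 2 domain).

```python
"""Added example, not Huawei code: Layer 2 / Layer 3 roaming decision with the
per-AP detour limit, plus a broadcast token bucket, from the slide above."""
from dataclasses import dataclass

DETOUR_LIMIT = 64          # slide: at most 64 detoured L3 roaming users per AP
BROADCAST_PPS_DEFAULT = 256


@dataclass
class AP:
    name: str
    site: str
    vlan: int               # service VLAN of the SSID on this AP


@dataclass
class Station:
    mac: str
    home_ap: str            # AP first accessed; owns the user's VLAN and gateway
    current_ap: str
    detoured: bool = False  # True while traffic is tunnelled back to the home AP


class RoamingDomain:
    def __init__(self, aps):
        self.aps = {ap.name: ap for ap in aps}
        self.stations = {}
        self.detours = {ap.name: 0 for ap in aps}   # L3 roamers anchored per home AP

    def associate(self, mac, ap_name):
        """Fresh association: the AP becomes the station's home AP."""
        self.stations[mac] = Station(mac, ap_name, ap_name)

    def roam(self, mac, to_ap):
        """Return 'L2', 'L3' or 'fail:<reason>' and update state accordingly."""
        sta = self.stations[mac]
        src, dst, home = self.aps[sta.current_ap], self.aps[to_ap], self.aps[sta.home_ap]
        if src.site != dst.site:
            return "fail:roaming is only supported between APs at the same site"
        if dst.vlan == home.vlan:
            # Same service VLAN as the home AP: plain Layer 2 roaming, no detour
            self._release_detour(sta)
            sta.current_ap = to_ap
            return "L2"
        # Different VLAN: Layer 3 roaming, traffic detoured back to the home AP
        if not sta.detoured:
            if self.detours[home.name] >= DETOUR_LIMIT:
                return "fail:home AP detour limit reached, station must reconnect"
            self.detours[home.name] += 1
            sta.detoured = True
        sta.current_ap = to_ap
        return "L3"

    def reconnect(self, mac, ap_name):
        """After a failed roam the station re-associates; the new AP is its home."""
        self._release_detour(self.stations[mac])
        self.associate(mac, ap_name)

    def _release_detour(self, sta):
        if sta.detoured:
            self.detours[sta.home_ap] -= 1
            sta.detoured = False

    def traffic_path(self, mac):
        """APs a station's traffic passes through: current AP, then home AP if detoured."""
        sta = self.stations[mac]
        return [sta.current_ap, sta.home_ap] if sta.detoured else [sta.current_ap]


class BroadcastLimiter:
    """Token bucket for broadcast frames; one token per frame, refilled at pps."""

    def __init__(self, pps=BROADCAST_PPS_DEFAULT):
        self.rate, self.tokens, self.last = pps, float(pps), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


if __name__ == "__main__":
    d = RoamingDomain([AP("ap1", "hq", 10), AP("ap2", "hq", 10), AP("ap3", "hq", 20)])
    d.associate("sta", "ap1")
    print(d.roam("sta", "ap2"), d.roam("sta", "ap3"), d.traffic_path("sta"))
```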


WLAN Design: Value-Added Services (Customer Flow Analysis)

The AP periodically reports terminal information to the cloud management platform, including the MAC address, IP address, accessed AP, SSID and signal strength.

Enterprises usually want to obtain customer flow information to optimize operation and management. The WLAN can obtain information and features about the customers who use and access it, helping enterprises to:
• Understand the customer flow and its patterns, and plan marketing activities accordingly.
• Identify hotspots, based on which rental prices can be set, so as to manage in a targeted and more efficient manner.
• Understand the frequency of customer visits, build customer loyalty and run promotions.

Statistics on customer traffic can be collected, including the customer traffic at each moment and its change over time.

During customer flow analysis, the system can:
• distinguish passers-by from visitors and collect statistics on the proportion of visitors,
• collect statistics on and analyze the dwell time of visitors, and
• analyze customer loyalty (repeat visit rate of returning customers).
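The three analyses listed above (passer-by versus visitor, dwell time, repeat visits) can all be derived from the periodic AP report. The script below is an added example, not Huawei code or the cloud platform's algorithm: it takes constructed report lines of the form (time, MAC, AP, RSSI), drops weak signals that are probably outside the premises, splits each terminal's reports into visits, and computes the statistics. The RSSI floor, dwell-time cut-off and session gap are assumed thresholds. Two caveats a practitioner should keep in mind: current phones randomize their MAC address per SSID, so MAC-based repeat-visit rates undercount returning customers, and these reports are personal data and must be retained and protected accordingly.

```python
"""Added example, not Huawei code: customer-flow statistics from periodic AP
reports (constructed sample data; thresholds are assumptions)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RSSI_FLOOR_DBM = -75                        # weaker than this: probably outside the store
VISITOR_MIN_DWELL = timedelta(minutes=5)    # shorter than this: passer-by
SESSION_GAP = timedelta(minutes=30)         # silence longer than this ends a visit

# Constructed sample: (timestamp, mac, ap, rssi_dbm), one tuple per AP report.
SAMPLE_REPORTS = [
    ("2024-03-01 10:00", "aa:aa:aa:00:00:01", "ap-door", -55),
    ("2024-03-01 10:02", "aa:aa:aa:00:00:01", "ap-shelf", -58),
    ("2024-03-01 10:12", "aa:aa:aa:00:00:01", "ap-shelf", -60),
    ("2024-03-01 10:05", "aa:aa:aa:00:00:02", "ap-door", -80),    # weak: filtered out
    ("2024-03-01 10:06", "aa:aa:aa:00:00:03", "ap-door", -62),    # single report: passer-by
    ("2024-03-02 11:00", "aa:aa:aa:00:00:01", "ap-door", -57),    # same terminal, next day
    ("2024-03-02 11:09", "aa:aa:aa:00:00:01", "ap-till", -54),
    ("2024-03-02 11:30", "aa:aa:aa:00:00:04", "ap-shelf", -59),
    ("2024-03-02 11:33", "aa:aa:aa:00:00:04", "ap-shelf", -61),   # 3 minutes: passer-by
]


def parse(reports):
    """Keep reports above the RSSI floor, as (datetime, mac, ap), chronologically."""
    out = []
    for ts, mac, ap, rssi in reports:
        if rssi < RSSI_FLOOR_DBM:
            continue
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), mac.lower(), ap))
    return sorted(out)


def visits(parsed):
    """Split each terminal's reports into visits: (mac, start, end, aps_seen)."""
    by_mac = defaultdict(list)
    for ts, mac, ap in parsed:
        by_mac[mac].append((ts, ap))
    result = []
    for mac, seq in by_mac.items():
        start, end, aps = seq[0][0], seq[0][0], {seq[0][1]}
        for ts, ap in seq[1:]:
            if ts - end > SESSION_GAP:          # gap: close the visit, open a new one
                result.append((mac, start, end, aps))
                start, end, aps = ts, ts, {ap}
            else:
                end, aps = ts, aps | {ap}
        result.append((mac, start, end, aps))
    return result


def customer_flow(reports):
    """Visitor proportion, average dwell time, repeat-visit rate and busiest AP."""
    vs = visits(parse(reports))
    visitor_visits = [v for v in vs if v[2] - v[1] >= VISITOR_MIN_DWELL]
    passerby_visits = [v for v in vs if v[2] - v[1] < VISITOR_MIN_DWELL]
    days_per_mac = defaultdict(set)
    for mac, start, _, _ in visitor_visits:
        days_per_mac[mac].add(start.date())
    returning = sum(1 for days in days_per_mac.values() if len(days) > 1)
    total_dwell = sum((v[2] - v[1] for v in visitor_visits), timedelta())
    avg_dwell = total_dwell / len(visitor_visits) if visitor_visits else timedelta()
    hotspot = Counter(ap for v in visitor_visits for ap in v[3]).most_common(1)
    return {
        "visits": len(vs),
        "visitors": len(visitor_visits),
        "passers_by": len(passerby_visits),
        "visitor_ratio": len(visitor_visits) / len(vs) if vs else 0.0,
        "avg_dwell_min": avg_dwell.total_seconds() / 60,
        "repeat_visit_rate": returning / len(days_per_mac) if days_per_mac else 0.0,
        "busiest_ap": hotspot[0][0] if hotspot else None,
    }


if __name__ == "__main__":
    for key, value in customer_flow(SAMPLE_REPORTS).items():
        print(f"{key:18} {value}")
```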


WLAN Design: Value-Added Services (Commercial Portal Push)

Based on this capability, enterprises can quickly and easily customize Portal pages to promote brands and push advertisements.


WLAN Design: Value-Added Services (IoT Convergence Solution)

In the IoT field, Huawei WLAN offers a technical platform and ecosystem to fully leverage partners' professional advantages, achieve multi-network convergence and bring maximum benefits to customers.

1. Huawei IoT cloud APs provide network-layer capabilities. First, they provide standard Mini-PCIe expansion slots and USB interfaces for IoT modules. Second, they provide an uplink data channel.
2. Partners provide IoT card modules that comply with Huawei interface specifications and connect to Huawei IoT cloud APs through the Mini-PCIe or USB interfaces.
3. Partners provide terminal-layer capabilities, including tags and wristbands, which interact with the IoT cards.
4. Huawei IoT cloud APs provide only the network capability and forward the uplink and downlink data of the card module; they do not process specific IoT service protocols.

Benefits:
• Cost reduction: the AP provides the site, the power supply and the communication channel, addressing site design and power supply issues.
• Wi-Fi and IoT convergence: simple deployment and easy service provisioning.
• Scalability: Mini-PCIe expansion slot + USB, easy installation of IoT cards.

(Figure: IoT management system reached over the Internet; Huawei IoT AP with an IoT card, with separate AP management and card management channels; IoT terminals such as labels and wristbands)


Access Control Design: Comparison of Authentication Technologies

Portal authentication
  • STA requirements: none (no client software)
  • Advantages: flexible deployment
  • Drawbacks: low security
  • Applicable scenario: guest networks with high mobility and complex STA types

MAC address authentication
  • STA requirements: none (no client software)
  • Advantages: no client installation
  • Drawbacks: MAC addresses need to be registered, complicating management; a MAC address is also trivially spoofable, so it identifies a device only weakly
  • Applicable scenario: dumb terminals, such as printers and fax machines

802.1X authentication
  • STA requirements: an 802.1X client (supplicant) is required
  • Advantages: high security
  • Drawbacks: inflexible deployment
  • Applicable scenario: network authentication of office users with high security requirements


Access Control Design: Applicable Scenarios of Cloud Management Portal Authentication

User name and password
  • Characteristics: access authentication uses a user name and password that are either created by the tenant administrator or registered by the user through self-registration.
  • Dependency: none
  • Applicable scenario: the administrator creates accounts for a relatively fixed user group, for instance enterprise employees; the self-registration mode requires approval and is applicable to confirming guest access, for example members' access.

Anonymous
  • Characteristics: the user connects to the network directly without any account; the controller automatically displays the guest login account as an anonymous account.
  • Dependency: none
  • Applicable scenario: the network is open and Internet access is provided to customers free of charge.

SMS-based
  • Characteristics: the STA user enters a mobile number as the account and clicks "obtain password"; the system automatically registers the corresponding guest account and password and sends an SMS message to notify the end user of the password for access authentication.
  • Dependency: an SMS server must be configured.
  • Applicable scenario: guest authentication; SMS-based authentication improves the validity of guest identities, and businesses can obtain user information more easily and interact with guests.


Access Control Design: Applicable Scenarios of Cloud Management Portal Authentication (Cont.)

Social media account
  • Characteristics: integrates with WeChat or Facebook so that end users can be authenticated with their social media accounts and passwords on the service manager page without registering accounts; after passing authentication, end users can access the network.
  • Dependency: if WeChat authentication is used and the enterprise has its own WeChat official account platform, that platform must be connected to iMaster NCE; for Facebook, enterprises must apply for their own Facebook accounts to obtain authorization from Facebook.
  • Applicable scenario: WeChat account-based authentication is applicable to shopping malls that offer one-click WeChat official account follow in exchange for free Internet access; Facebook account-based authentication is applicable to stores outside China.

Passcode
  • Characteristics: the user enters the passcode on the landing page and completes access authentication.
  • Dependency: none
  • Applicable scenario: simple access, applicable to store visitors.


Access Control Design: Best Practices

• Portal authentication is recommended for customers. The authentication point can be the AP, AR or firewall, depending on the networking.
• Employees can use Portal authentication or 802.1X authentication. It is recommended that access devices be used as authentication points.
• Dumb terminals in an enterprise normally access the enterprise network in wired mode. For these dumb terminals, MAC address authentication is recommended, and access switches can be used as authentication points.

(Figure: Internet, egress gateway and L2 switch; employee terminals, customer terminals and a dumb terminal)


CloudCampus Solution for Large- and Medium-Sized Campus Networks

Application layer: supports ecosystem building on the CloudCampus network by providing standard northbound interfaces (APIs) on the SDN controller. Service servers can program applications using the SDN controller NBIs and display them on the controller. The application layer also contains standard applications provided by network vendors, for example electronic shelf labels, electronic schoolbags, health management and asset management.

Management layer: provides network-level management capabilities, such as configuration management, service management, network maintenance, fault detection and security threat analysis. The SDN controller (intent engine, policy engine, security engine and analysis engine) is the core of the CloudCampus network. It talks to the network layer over SNMP, NETCONF/YANG, telemetry and NetStream.

Network layer: supports the ultra-broadband capability of the cloud campus network. The CloudCampus network uses virtualization technologies to divide the network layer into the physical network (underlay network) and the virtual network (overlay network).
• The physical network is completely decoupled from the virtual network. The physical network continues to evolve according to Moore's Law and has ultra-broadband forwarding and access capabilities: all-scenario high-density WLAN, IoT and Wi-Fi convergence, smart antennas, 2.5GE/5GE APs and campus switching.
• The virtual network uses overlay technology to shield the complex physical device networking and provides a campus network that is reachable anywhere on the overlay, for example a virtual office network, a virtual surveillance network and a virtual IoT network.


Wired and Wireless Convergence

Wireless network construction method 1: independent AC
• An independent AC has a wireless traffic bottleneck and creates a point of failure.
• Wired and wireless networks are managed separately.
• Wired and wireless authentication points are separate.

Wireless network construction method 2: AC card
• The AC functions as a card inserted in the switch.
• There is only hardware-level convergence.

In both methods, wired and wireless authentication points, policy control and traffic forwarding are all separated, making troubleshooting and management difficult.

Wired and wireless convergence (native AC)
A switch integrates the WAC function, eliminating wireless traffic forwarding bottlenecks and reducing points of failure. Wired and wireless networks are managed centrally.
• Unified management and integrated forwarding of wired and wireless services
• Convergent management of wired and wireless users and gateway convergence
• Integration of wired and wireless authentication points
• Unified wired and wireless policy execution


Converged Forwarding, Authentication and Policy Execution

Unified forwarding: wired and wireless traffic is forwarded by the core switches.
• Data of wired users and of wireless users is sent to the access switch and the AP respectively.
• Wired user data is sent directly to the core switch, and wireless user data is sent to the core switch by the AP through the CAPWAP tunnel.

Unified authentication: the core switch functions as the unified authentication point and Layer 3 gateway for wired and wireless users.
• The access switch transparently transmits authentication packets to the core switch. APs send wireless user authentication packets to the core switch through the CAPWAP tunnel.
• The core switch functions as the RADIUS client and sends the authentication request to the authentication server.
• If authentication succeeds, the authentication server delivers the authorization result to the core switch.

Unified policy execution: the core switch is the unified policy enforcement point for wired and wireless networks.
• Wired and wireless users are authenticated on the core switch.
• After wired and wireless users are authenticated, the core switch enforces unified policies on wired and wireless user data.

(Figure: NM area; native AC core switch at Layer 3; access switches at Layer 2; APs connected through CAPWAP; blocks 1 to N)
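The unified authentication steps above reduce, on the wire, to a RADIUS Access-Request from the core switch and an Access-Accept carrying the authorization result. The code below is an added example, not Huawei code or any RADIUS library: it builds an Access-Request for MAC address authentication with the standard library only (RFC 2865 User-Password hiding plus the RFC 2869 Message-Authenticator), builds the server's Access-Accept, and shows the two checks each side must perform before trusting the packet. The shared secret, MAC address, NAS address and Filter-Id value are constructed; sending the MAC as both User-Name and User-Password is a common convention assumed here, since the exact format is deployment-specific. Nothing is sent on the wire.

```python
"""Added example, not Huawei code: RADIUS Access-Request / Access-Accept for
MAC address authentication, with Message-Authenticator and Response
Authenticator checks (RFC 2865 / RFC 2869). Constructed values only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, MESSAGE_AUTHENTICATOR = 1, 2, 4, 11, 80


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side, inverse of hide_password; NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """(type, value) pairs after the 20-byte header; reject lengths past the end."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, mac, nas_ip, authenticator=None):
    """Client (core switch) side: MAC as User-Name and as hidden User-Password."""
    authenticator = authenticator or os.urandom(16)    # fresh 16 random bytes per request
    attrs = (tlv(USER_NAME, mac.encode())
             + tlv(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(placeholder))
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this attribute zeroed)
    digest = hmac.new(secret, header + authenticator + attrs + placeholder, hashlib.md5).digest()
    return header + authenticator + attrs + tlv(MESSAGE_AUTHENTICATOR, digest)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC over the packet with the attribute zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False        # absent: reject rather than fall back to the weaker check


def build_access_accept(request, secret, filter_id):
    """Server side: authorization result, bound to the request by the Response Authenticator."""
    attrs = tlv(FILTER_ID, filter_id.encode())
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(request, response, secret):
    """Client side: identifier must match and the Response Authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authorized_group(response):
    """The authorization result (Filter-Id here) from an already verified Access-Accept."""
    return dict(parse_attributes(response)).get(FILTER_ID, b"").decode()
```

Both checks rest on MD5 and a shared secret, which is why the secret must be long and random and why the switch-to-server path should be an isolated management network or RadSec; the Response Authenticator is the only thing stopping a spoofed Access-Accept from authorizing an arbitrary MAC.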


Free Mobility and Security Group-Based Policy Management

• Free mobility: users enjoy the same network rights and user policies regardless of their locations and IP addresses.

1. Add security groups (for example, a sales user security group, an R&D user security group and a server resource security group). A security group is a group of users with the same network access policy.
2. Define security group-based permission control policies and user experience policies, and deliver the policies to the network devices.
3. After access authentication, the user is authorized to a security group.
4. When user traffic enters the network, the network devices execute the policy based on the source and destination security groups the traffic belongs to.

(Figure: users A, B and C perform access authentication on the campus network; security groups and policies are delivered to the network devices)


More About Free Mobility

• Free mobility introduces the concept of the security group. A security group is a group of users who have the same network access policies.
• Security groups are related only to user identities and are completely decoupled from network information such as user VLANs and IP addresses.
• User permission control and user priority are implemented based on security groups.

User permission control: policy mobility
• User access permission control: access control of users at the same authentication point and across authentication points.
• Resource access permission control: intranet and extranet resource access permission control, and application-based resource access permission control.

User priority: consistent experience
• User bandwidth limit and user application-level bandwidth limit.
• User priority scheduling and application-level priority scheduling.
• Preferential access.

(Figure: user A in the R&D security group moves from office building 1 to office building 2 and keeps the same policy and experience)
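The two slides above describe enforcement keyed on (source security group, destination security group) rather than on addresses, with the group assigned at authentication time. The policy engine below is an added example, not Huawei code, that shows why this gives a user the same rights after moving buildings and getting a new IP address: the address-to-group binding is refreshed on every authentication, and the decision only ever consults groups. The group names, policy matrix, resource networks and sessions are constructed; the device-side mechanism that carries the group tag in real products is not modelled.

```python
"""Added example, not Huawei code: security-group-based policy enforcement
as described on the free mobility slides. Constructed groups and addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    action: str                     # "permit" or "deny" (permission policy)
    max_kbps: Optional[int] = None  # bandwidth limit (experience policy), None = unlimited


class PolicyEngine:
    UNKNOWN = "unknown"

    def __init__(self, matrix, default=Policy("deny")):
        self.matrix = dict(matrix)   # (src_group, dst_group) -> Policy
        self.default = default       # no entry for the pair: fail closed
        self.sessions = {}           # ip -> (user, group), filled by access authentication
        self.resources = []          # (network, group) for server resource groups, in order

    def add_resource(self, cidr, group):
        self.resources.append((ip_network(cidr), group))

    def authenticate(self, user, ip, group):
        """Step 3 on the slide: after authentication the user is authorized to a
        group, and whatever address the user holds at this location is bound to it."""
        self.sessions[ip_address(ip)] = (user, group)

    def logoff(self, ip):
        self.sessions.pop(ip_address(ip), None)

    def group_of(self, ip):
        """Authenticated sessions first, then static resource groups, else unknown."""
        addr = ip_address(ip)
        if addr in self.sessions:
            return self.sessions[addr][1]
        for net, group in self.resources:
            if addr in net:
                return group
        return self.UNKNOWN

    def decide(self, src_ip, dst_ip):
        """Step 4: enforce on (source group, destination group), never on addresses."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        return self.matrix.get((src, dst), self.default), src, dst


def build_demo_engine():
    """Constructed policy matrix: R&D reaches code servers, sales reaches CRM."""
    engine = PolicyEngine({
        ("rd", "code-servers"): Policy("permit", max_kbps=50_000),
        ("rd", "internet"): Policy("permit", max_kbps=10_000),
        ("sales", "crm-servers"): Policy("permit"),
        ("sales", "internet"): Policy("permit", max_kbps=5_000),
    })
    engine.add_resource("10.200.1.0/24", "code-servers")
    engine.add_resource("10.200.2.0/24", "crm-servers")
    engine.add_resource("0.0.0.0/0", "internet")    # catch-all, checked last
    return engine


if __name__ == "__main__":
    e = build_demo_engine()
    e.authenticate("userA", "10.1.1.10", "rd")            # office building 1
    print(e.decide("10.1.1.10", "10.200.1.5"))
    e.logoff("10.1.1.10")
    e.authenticate("userA", "10.2.7.20", "rd")            # moved to office building 2
    print(e.decide("10.2.7.20", "10.200.1.5"))            # same verdict, new address
```

The fail-closed default matters: an address with no session binding (a user who has not authenticated, or one whose old address was released) falls into the catch-all group and matches no permit entry, so it cannot inherit rights from whoever held that address before.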


Campus Network O&M Requirements: Intelligent O&M

As-is: device-centric network management
• Traditional NMS: topology management, performance management, alarm management and configuration management, with SNMP and minute-level network data collection.
• Device-centric, unable to perceive user experience.
• "Fire-fighting" response, unable to predict potential faults.
• Professional engineers are needed to locate faults on site.

To-be: user experience-centric, intelligent O&M
• Intelligent network analyzer: visualized experience, client journey playback, potential fault identification, root cause analysis and predictive network optimization, with telemetry and second-level network data collection.
• Visualized experience: telemetry-based second-level data collection, visualizing the experience of each user, each application and each moment.
• Minute-level potential fault identification and root cause analysis: identify potential faults with dynamic baselines and big data correlation analysis; KPI association analysis and protocol playback accurately locate root causes.
• Predictive network optimization: optimize the wireless network through AI-powered AP load trend predictions.

Algorithms are used to improve efficiency. Through scenario-based continuous learning and expert experience, AI-based O&M frees O&M personnel from complex alarms and noise, making O&M more automated and intelligent.


CampusInsight: Improving User and Service Experience Using Prediction and AI

Real-time experience visualization
1. By area: the 7-dimensional evaluation system intuitively displays the network status and user experience of the entire network or of each area.
2. By user: displays the whole-network experience of each user in real time (who, when, which AP is connected, experience and issue) and supports fault playback.
3. By application: real-time voice and video application experience awareness, quick intelligent demarcation of faulty devices and root cause analysis of poor quality.

Minute-level fault demarcation
1. Proactive problem identification: proactively identify 85% of potential network problems using AI algorithms continuously trained on 200,000+ Huawei terminals.
2. Minute-level fault locating: the fault inference engine locates and identifies the root cause of a fault in minutes and provides effective rectification suggestions.
3. Intelligent fault prediction: AI learns historical data to dynamically generate baselines and predicts possible faults by comparing and analyzing the baselines against real-time data.

Predictive automatic optimization
1. Real-time simulation and feedback: based on the neighbor and radio information of the devices on each floor, evaluate channel conflicts on the wireless network in real time and provide optimization suggestions.
2. Predictive optimization: identify edge APs and predict AP load; perform predictive optimization on the wireless network and compare the gains before and after optimization. Network-wide performance is improved by more than 50% (Tolly test).

Application Scenario: On-Premises

Scenario description
• CampusInsight is deployed in the customer network and connects to the WAC and APs through switches.
• The interconnection with CampusInsight needs to be configured on the WAC. The WAC and APs report logs and KPIs to CampusInsight; the destination IP address is the southbound address of CampusInsight.

Supported networking types
• All WACs (including native AC and ACU) + fit AP
• All WACs (including native AC and ACU) + central AP + RU
• Hybrid networking of switches and WLAN devices
Note: the devices must support WMI information reporting.

(Figure: Internet, WAC, fit APs, central AP with RUs; information flow sent to CampusInsight)


Application Scenario: Huawei Public Cloud

Scenario description
• Configure the public IP address of CampusInsight on the AC as the southbound IP address that devices report to.
• The device registers with the AC through the DHCP server of the customer network. (Alternatively, the registration center can be used; the specific device registration solution is provided by the controller.)
• Advantage: the existing multi-tenant public cloud environment can be used directly to manage the customer network, which lowers costs.
• Disadvantage: the user network needs to be adjusted, and the AC needs to be switched to cloud mode.
• Specification: 5 Mbit/s of outbound bandwidth per 1,000 APs.

Supported networking types
• All WACs (including native AC and ACU) + fit AP
• All WACs (including native AC and ACU) + central AP + RU
• Hybrid networking of switches and WLAN devices
Note: the devices must support WMI information reporting.

(Figure: Internet, WAC in cloud mode, fit APs, central AP with RUs; information flow sent to CampusInsight)

Contents

1. WLAN Networking Architecture Overview
2. WLAN Networking Architecture
3. Typical WLAN Networking


Large-Scale Campus Network: Independent WAC Solution

Solution description
1. If the wired network has already been deployed and a wireless network needs to be added, or if the wireless network scale is large, it is advised to deploy an independent WAC.
2. In a large campus network, the WAC is connected to the aggregation or core switch in bypass mode.
3. To reduce changes to the existing wired network and facilitate centralized management and control by the WAC, tunnel forwarding is recommended. To improve WAC reliability, VRRP dual-device hot standby is usually deployed in the independent WAC solution.

(Figure: Internet and WAN; egress zone; data center and NMS O&M zone; two WLAN ACs attached to the core layer; aggregation layer; access layer)


Large-Scale Campus Network: Native AC Solution

Solution description
1. In a new campus network, both wired and wireless access devices exist. To manage and configure wired and wireless access devices in a unified manner and lower management costs, the native WAC solution is recommended.
2. In the native WAC solution, the WAC function is integrated into a switch: a dedicated service board is installed in the switch so that it can manage both wired and wireless access devices.
3. The native WAC provides network access services for both wired and wireless users and can manage them in a unified manner. The native WAC solution leverages the reliability technologies provided by switches (stacking and link aggregation) to realize device-level and link-level redundancy.

(Figure: Internet and WAN; egress zone; data center and NMS O&M zone; two native ACs at the core layer; aggregation layer; access layer)


Large Enterprises with Branches

Solution description
A WAC is also deployed in each branch of a large enterprise. The branch WAC manages the branch WLAN, and the controller or NMS platform in the headquarters configures and monitors the branch WLAN, providing unified management of the WACs in the branches and the headquarters.

(Figure: headquarters and branch connected over the Internet/WAN, each with its own WAC; controller or NMS platform in the headquarters)


Small-Sized Enterprises with Branches

Solution description
• The WAC in the headquarters manages the APs in the headquarters and in the branches of a small-sized enterprise.
• In this scenario, the headquarters and branches are connected over a WAN. The WAC and the access authentication server are deployed in the headquarters campus, and APs are deployed in the branches.
• In this case, the local (direct) forwarding mode is usually used. The branch gateway assigns IP addresses to branch users, and the users access the Internet directly from the branch.
• If a branch needs to communicate with the headquarters, an IPsec VPN tunnel is deployed between them.
• Because the CAPWAP control channel between the branch APs and the headquarters WAC crosses the WAN, a WAN outage disconnects the APs from the AC, and the authentication escape behaviour described earlier then decides whether new branch users are admitted.

(Figure: headquarters with WAC, access control/authentication server and controller or NMS platform; branches with APs; Internet and WAN)


Small- and Micro-Sized Chain Stores

• Solution overview
  ▫ There is only one AP in the network, and the AP functions as the gateway for STA users.
• Application scenario
  ▫ Small stores (such as agency offices and gas stations) with an area of less than 50 m².
  ▫ Fewer than 50 concurrent online terminals.
  ▫ Only wireless user access is required.
  ▫ Only one wired Internet egress link is required.

(Figure: Internet, carrier CPE, AP)


Small- and Medium-Sized Chain Stores

• Solution overview
  ▫ Multiple APs are connected through a PoE L2 switch to provide wireless coverage. The firewall provides egress features, such as WAN access, DHCP and NAT, and functions as the user gateway. The L2 switch provides PoE access for the APs and wired terminal access, and the APs provide wireless terminal access.
• Application scenario
  ▫ Small- and medium-sized experience stores, logistics stores and insurance stores with an area of less than 3,000 m² and fewer than 2,000 concurrent online terminals.
  ▫ Multiple APs are required. The devices must support advanced security functions such as URL filtering, IPS, security defense and antivirus. In addition, the devices must support multiple uplinks.

(Figure: Internet, carrier CPE, FW, L2 switch, APs)

Question(s)

1. An enterprise's WLAN does not have heavy user traffic or traffic bottlenecks. To ensure WLAN security, the customer would like to manage WLAN data in a unified manner. Which of the following networking modes can be used? ( )
   A. AC bypass mode with direct data forwarding
   B. AC bypass mode with data tunnel forwarding
   C. Layer 3 networking with direct data forwarding
   D. Layer 2 networking with direct data forwarding


Thank you
www.huawei.com
