
NetEngine AR

CLI-based Configuration Guide - WLAN-AC 4 Basic WLAN Service Configuration

4 Basic WLAN Service Configuration

You can configure WLAN services to enable users to easily access a wireless
network and move around within the coverage area of the network.

4.1 Overview of Basic WLAN Services


4.2 Understanding Basic WLAN Services
4.3 Application Scenarios for Basic WLAN Services
4.4 Summary of Basic WLAN Service Configuration Tasks
4.5 Configuration Precautions for Basic WLAN Services
4.6 Default Settings for Basic WLAN Services
4.7 Country Code & Channel Compliance Table, and Channel and Power
Restrictions
4.8 Creating an AP Group
4.9 Configuring APs to Go Online
To enable APs to discover an AC and go online on the AC after passing security
authentication, you need to configure network elements (NEs), interconnections
between NEs, and AC system parameters.
4.10 Configuring STAs to Go Online
4.11 Managing APs
4.12 Maintaining Basic WLAN Services
4.13 Configuration Examples for Basic WLAN Services
4.14 FAQ About Basic WLAN Services

4.1 Overview of Basic WLAN Services


Definition
A wireless local area network (WLAN) is a network that uses high-frequency (2.4
GHz or 5 GHz) signals such as radio waves, lasers, and infrared rays to replace the

Issue 06 (2021-08-06) Copyright © Huawei Technologies Co., Ltd. 6



traditional media used for transmission on a wired LAN. The WLAN technology
described in this document is implemented based on 802.11 standards.
802.11 was originally a wireless LAN communications standard defined by the
Institute of Electrical and Electronics Engineers (IEEE) in 1997. The IEEE then made
amendments to the standard, forming the 802.11 family, including 802.11,
802.11a, 802.11b, 802.11e, 802.11g, 802.11i, 802.11n and 802.11ac.

Purpose
WLAN technology allows you to easily access a wireless network and move
around within the coverage of the wireless network. Wired LANs use wired cables
or optical fibers as transmission media, which are expensive and have fixed
locations. As further emphasis was placed on network mobility, wired LANs were
unable to meet users' requirements. This led to the development of WLAN, which
has become the most cost-efficient and convenient network access mode.

Benefits
● High network mobility: WLANs are easily connected, and are not limited
by cable and port positions. This makes WLANs great for scenarios where
users are often moving, such as office buildings, airport halls, resorts, hotels,
stadiums, and cafes.
● Flexible network deployment: WLANs provide wireless network coverage in
places where cables are difficult to deploy, such as subways and highways.
WLANs reduce the number of required cables, offer low-cost, easy
deployment, and have high scalability.

Related Documents
Video: Introduction to the Wireless AC Feature of Huawei AR Routers

4.2 Understanding Basic WLAN Services

4.2.1 Concepts of Basic WLAN Services


● Station (STA): a terminal that supports 802.11 standards, such as a PC that
has a wireless network adapter or a mobile phone that supports WLAN, as
shown in Figure 4-1.


Figure 4-1 Centralized architecture
[Figure: STAs connect to Fit APs; the Fit APs connect through CAPWAP across the campus network to the AC. The diagram also shows the campus egress gateway, DNS server, DHCP server, and NMS.]

● Access Controller (AC): a device that controls and manages all APs on a
WLAN in the centralized architecture. For example, an AC can connect to an
authentication server to authenticate WLAN users, as shown in Figure 4-1.
● Access point (AP): a device that provides 802.11-compliant wireless access for
STAs to connect wired networks to wireless networks.
– Fit AP: provides wireless access for STAs in the Fit AP architecture. A Fit
AP provides only reliable, high-performance wireless access for STAs and
depends on an AC to provide other functions, as shown in Figure 4-1.
● Control And Provisioning of Wireless Access Points (CAPWAP): an
encapsulation and transmission mechanism defined in RFC5415 to implement
communication between APs and ACs, as shown in Figure 4-1.
● Radio signal: a high-frequency electromagnetic wave that has long-distance
transmission capabilities. Radio signals provide transmission media for 802.11-
compliant WLANs. Radio signals described in this document are
electromagnetic waves in the 2.4 GHz or 5 GHz frequency band.
● Virtual access point (VAP): a WLAN service entity on an AP. You can create
different VAPs on an AP to provide wireless access service for different user
groups.
● Service set identifier (SSID): a unique identifier that identifies a wireless
network. When you search for available wireless networks on your laptop,
SSIDs are displayed to identify the available wireless networks.
SSIDs are classified into two types:
– Basic service set identifier (BSSID): the link-layer MAC address of a VAP
on an AP. Figure 4-2 shows the relationship between VAP and BSSID.


Figure 4-2 Relationship between VAP and BSSID
[Figure: one AP hosts two VAPs. VAP1 (SSID: guest, BSSID: 0025-9e45-24a0) is joined by STA1 ("I join the guest network"); VAP2 (SSID: internal, BSSID: 0025-9e45-24a9) is joined by STA2 ("I join the internal network").]

– Extended service set identifier (ESSID): a chosen identifier for one or a
group of wireless networks. For example, in Figure 4-2, SSID guest
identifies one wireless network, and SSID internal identifies another
wireless network. A STA scans all wireless networks and selects a wireless
network based on the SSID. In general terms, an SSID refers to an ESSID.
NOTE

Multiple APs can use one ESSID to provide roaming service for users; however,
their BSSIDs must be unique because the MAC address of each AP is unique.
● Basic service set (BSS): an area covered by an AP. STAs in a BSS can
communicate with each other.
● Extended service set (ESS): a group of BSSs that share the same SSID.
Figure 4-3 shows the relationship between SSID, BSSID, BSS, and ESS.

Figure 4-3 Relationship between SSID, BSSID, BSS, and ESS
[Figure: one ESS made up of two BSSs. AP1 (BSSID: 0025-9e45-24a0) and AP2 (BSSID: 0025-9e45-3100) each cover one BSS, and both use SSID="huawei".]

4.2.2 802.11 Standards


Introduction to 802.11
Figure 4-4 illustrates the role of 802.11 standards within the IEEE 802 standard
family, involving the physical layer and data link layer.

Figure 4-4 Role of 802.11 standards within the IEEE 802 standard family

● Physical Layer
The different 802.11 standards use different physical layer technologies,
including frequency hopping spread spectrum (FHSS), direct sequence spread
spectrum (DSSS), orthogonal frequency division multiplexing (OFDM), and
multiple-input multiple-output (MIMO). These physical layer technologies
support different frequency bands and transmission rates, as detailed in Table
4-1.

Table 4-1 Comparisons between 802.11 standards


| 802.11 Standard | Physical Layer Technology | Frequency Band (GHz) | Transmission Rate (Mbit/s) | Compatibility with Other 802.11 Standards | Commercial Use |
|---|---|---|---|---|---|
| 802.11 | FHSS/DSSS | 2.4 | 1, 2 | Incompatible | Earlier standard, supported by most products |
| 802.11b | DSSS | 2.4 | 1, 2, 5.5, 11 | Incompatible | Earlier standard, supported by most products |
| 802.11a | OFDM | 5 | 6, 9, 12, 18, 24, 36, 48, 54 | Incompatible | Rarely used |
| 802.11g | DSSS/OFDM | 2.4 | 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54 | Compatible with 802.11b | Widely used |
| 802.11n | OFDM/MIMO | 2.4, 5 | A maximum of 600 Mbit/s, depending on the modulation and coding scheme (MCS) | Compatible with 802.11a, 802.11b, and 802.11g | Widely used |
| 802.11ac | OFDM/MIMO | 5 | A maximum of 1300 Mbit/s in theory, depending on the MCS, spatial flow quantity, channel bandwidth, and guard interval (GI) length | Compatible with 802.11a and 802.11n | Occasionally used |

● Data Link Layer


On a wired LAN, 802.3 standards use carrier sense multiple access with
collision detection (CSMA/CD) to control the wired media access of different
devices. CSMA/CD requires all terminals to detect each other's packets.
However, CSMA/CD does not work for WLANs. WLANs provide only limited
wireless signal coverage, so some terminals may fail to detect each other's
packets.


To overcome the problems encountered with CSMA/CD, 802.11 standards use
carrier sense multiple access with collision avoidance (CSMA/CA).

802.11 MAC Frame Format


An 802.11 MAC frame consists of a MAC header, frame body, and frame check
sequence (FCS). The settings of attribute fields in the MAC header determine the
frame type. Figure 4-5 shows the 802.11 MAC frame format.

Figure 4-5 802.11 MAC frame format

An 802.11 MAC frame has a maximum length of 2348 bytes. The following
describes the purpose of each field in an 802.11 MAC frame.
● Frame Control field: includes the following sub-fields:
– Protocol Version: indicates the MAC version of the frame. Currently, only
MAC version 0 is supported.
– Type/Subtype: identifies the frame type, such as data, control, and
management frames.

▪ Data frame: transmits data packets. Data frames include a special type of
frame, the Null frame. A Null frame has a zero-length frame body. A STA
can send a Null frame to notify an AP of changes in the power-
saving state.
NOTE

802.11 supports the power-saving mode, allowing STAs to shut down antennas
to save power when no data is being transmitted.

▪ Control frame: helps transmit data frames, releases and obtains
channels, and acknowledges received data. Some common control
frames include:
○ Acknowledgement (ACK) frame: After receiving a data frame,
the receiving STA will send an ACK frame to the sending STA to
confirm the receipt.
○ Request to Send (RTS) and Clear to Send (CTS) frames: These
frames provide a mechanism to reduce collisions for APs with
hidden STAs. A STA sends an RTS frame before sending data
frames. The STA that receives the RTS frame responds with a CTS
frame. This mechanism is used to release a channel and enable
a sending STA to obtain data transmission media.


▪ Management frame: manages WLANs. Functions include notifying
network information, adding or removing STAs, and managing radio.
Some common management frames include:
○ Beacon frame: is periodically sent by an AP to announce the
WLAN presence and provide WLAN parameters, such as the
SSID, rate, and authentication type.
○ Association Request/Response frame: A STA sends an Association
Request frame to an AP to request to join a WLAN. After
receiving the Association Request frame, the AP sends an
Association Response frame to the STA to accept or reject the
association request.
○ Disassociation frame: is sent from a STA to terminate association
with an AP.
○ Authentication Request/Response frame: is used in link
authentication between a STA and an AP for identity
authentication.
○ Deauthentication frame: is sent from a STA to terminate link
authentication with an AP.
○ Probe Request/Response frame: A STA or an AP sends a Probe
Request frame to detect available WLANs. After another STA or
AP receives the Probe Request frame, it needs to reply with a
Probe Response frame that carries all of the parameters
specified in a Beacon frame.
– To DS and From DS: indicates whether a data frame is destined for a
distribution system (or an AP). If both fields are set to 1, the data frame
is transmitted between APs.
– More Frag: indicates whether a packet is divided into multiple fragments
for transmission.
– Retry: indicates whether to retransmit a frame. This field helps eliminate
duplicate frames.
– Pwr Mgmt: indicates the desired power management mode of a STA after
the completion of a frame exchange, such as Active or Sleep mode.
– More Data: indicates that an AP transmits buffered packets to a STA in
power-saving mode.
– Protected Frame: indicates whether a frame is encrypted.
– Order: indicates whether a frame is transmitted in order.
● Duration/ID field: provides the following functions according to its values.
– Indicates the duration for which a STA can occupy a channel. This field is
used for CSMA/CA.
– Identifies a MAC frame transmitted during the Contention-Free Period
(CFP). The value of this field is fixed as 32768, indicating that a STA
keeps occupying a channel and other STAs cannot use the channel.
– Specifies the Association ID (AID) of a PS-Poll frame, which identifies the
BSS to which a STA belongs. A STA may work in active or sleep mode.
When a STA works in sleep mode, an AP buffers data frames destined for
the STA. When the STA transitions from the sleep mode to the active
mode, the STA sends a PS-Poll frame to request the buffered data frames.


After receiving the PS-Poll frame, the AP delivers the requested data
frames to the STA based on the AID in the PS-Poll frame.
● Address field: transmits information about MAC addresses. An 802.11 frame
can have up to four address fields. The four address fields vary according to
the values of the To DS/From DS sub-field in the Frame Control field. For
example, the values of the four address fields are different when a frame is
sent from a STA to an AP and when a frame is sent from an AP to a STA.
Table 4-2 describes the scenarios and rules for filling in the four address
fields.

Table 4-2 Rules for filling in the four address fields


| To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 | Description |
|---|---|---|---|---|---|---|
| 0 | 0 | Destination address | Source address | BSSID | Unused | The frame is a management or control frame, for example, a Beacon frame sent by an AP. |
| 0 | 1 | Destination address | BSSID | Source address | Unused | AP1 sends the frame to STA1 as shown in (1) in Figure 4-6. |
| 1 | 0 | BSSID | Source address | Destination address | Unused | STA2 sends the frame to AP1 as shown in (2) in Figure 4-6. |
| 1 | 1 | BSSID of the destination AP | BSSID of the source AP | Destination address | Source address | AP1 sends the frame to AP2 as shown in (3) in Figure 4-6. |

Figure 4-6 WLAN networking
[Figure: Internet, AC, AP1, AP2, and STA1 to STA4, with three labeled frame paths: (1) To DS=0, From DS=1; (2) To DS=1, From DS=0; (3) To DS=1, From DS=1.]

● Sequence Control field: is used to eliminate duplicate frames and reassemble
fragments. It includes two sub-fields:
– Fragment Number: is used to reassemble fragments.
– Sequence Number: is used to eliminate duplicate frames. When a device
receives an 802.11 MAC frame, it discards the frame if the Sequence
Number field value is the same as a previous frame.
● QoS Control field: exists only in a data frame to implement 802.11e-compliant
WLAN QoS.
● Frame Body field: transmits payload from higher layers. It is also called the
data field. In 802.11 standards, the transmitted payload is also called a MAC
service data unit (MSDU).
● Frame Check Sequence (FCS) field: checks the integrity of received frames.
The FCS field is similar to the cyclic redundancy check (CRC) field in an
Ethernet packet.
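
The header fields and the Table 4-2 address rules described above can be checked with a small parser. This is an added example, not code from this guide or from the vendor: bit positions and subtype numbers follow IEEE 802.11, the sample frames are constructed, and the STA and destination MAC addresses in them are made up.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# Subtypes of frames named in this section, keyed by (type, subtype).
SUBTYPES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (2, 0): "Data", (2, 4): "Null",
    (2, 8): "QoS Data",
}

# Table 4-2: role of Address 1..4 for each (To DS, From DS) combination.
ADDRESS_ROLES = {
    (0, 0): ("destination", "source", "bssid", None),
    (0, 1): ("destination", "bssid", "source", None),
    (1, 0): ("bssid", "source", "destination", None),
    (1, 1): ("bssid_of_destination_ap", "bssid_of_source_ap",
             "destination", "source"),
}

# Flag sub-fields of Frame Control and their bit positions.
FLAG_BITS = (("to_ds", 8), ("from_ds", 9), ("more_frag", 10), ("retry", 11),
             ("pwr_mgmt", 12), ("more_data", 13), ("protected", 14),
             ("order", 15))


def fmt_mac(raw):
    """Format 6 bytes in the xxxx-xxxx-xxxx style used in the figures."""
    h = raw.hex()
    return "-".join((h[0:4], h[4:8], h[8:12]))


def parse_header(frame):
    """Decode the MAC header of a management or data frame (no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte three-address header")
    fc, duration_id = struct.unpack_from("<HH", frame, 0)
    if fc & 0x3 != 0:
        raise ValueError("only protocol version 0 is defined")
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype not in (0, 2):
        # Control frames (ACK, RTS, CTS, PS-Poll) use shorter headers.
        raise ValueError("control/reserved frame: different header layout")
    flags = {name: (fc >> bit) & 1 for name, bit in FLAG_BITS}
    raw_addrs = [frame[4:10], frame[10:16], frame[16:22]]
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    header_len = 24
    if flags["to_ds"] and flags["from_ds"]:
        # Address 4 is present only when both DS bits are set.
        if len(frame) < 30:
            raise ValueError("To DS=1/From DS=1 frame lacks Address 4")
        raw_addrs.append(frame[24:30])
        header_len = 30
    if ftype == 2 and subtype & 0x8:
        # QoS Control exists only in QoS data frames (subtype bit 3 set).
        if len(frame) < header_len + 2:
            raise ValueError("QoS data frame lacks the QoS Control field")
        header_len += 2
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    return {
        "type": FRAME_TYPES[ftype],
        "subtype": SUBTYPES.get((ftype, subtype), "subtype %d" % subtype),
        "flags": flags,
        "duration_id": duration_id,
        "addresses": {role: fmt_mac(raw)
                      for role, raw in zip(roles, raw_addrs) if role},
        "fragment_number": seq_ctrl & 0xF,
        "sequence_number": seq_ctrl >> 4,
        "header_len": header_len,
    }


# Constructed sample frames (hex): Frame Control, Duration/ID, addresses,
# Sequence Control, then Address 4 or a dummy body where present.
SAMPLE_BEACON = bytes.fromhex(          # To DS=0, From DS=0
    "8000" "0000" "ffffffffffff" "00259e4524a0" "00259e4524a0" "0000")
SAMPLE_TO_AP = bytes.fromhex(           # To DS=1, From DS=0, Protected Frame
    "0841" "2c00" "00259e4524a0" "001122334455" "00aabbccddee" "3012"
    "deadbeef")
SAMPLE_AP_TO_AP = bytes.fromhex(        # To DS=1, From DS=1 (four addresses)
    "0803" "0000" "00259e453100" "00259e4524a0" "00aabbccddee" "0000"
    "001122334455")

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_TO_AP, SAMPLE_AP_TO_AP):
        print(parse_header(sample))
```
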


4.2.3 WLAN Architecture


A WLAN has a wired side and a wireless side. On the wired side, an AP connects to
the Internet using Ethernet. On the wireless side, a STA communicates with an AP
using 802.11 standards. The WLAN architecture on the wireless side includes the
centralized architecture.

Fit AP Architecture
In the Fit AP architecture, an AC centrally manages and controls multiple APs (Fit
APs), as shown in Figure 4-7.

Figure 4-7 Fit AP architecture
[Figure: STAs connect to Fit APs; the Fit APs connect through CAPWAP across the campus network to the AC. The diagram also shows the campus egress gateway, DNS server, DHCP server, and NMS.]

An AC and APs implement wireless access.


● The AC implements all security, control, and management functions. These
functions include mobile user management, identity authentication, VLAN
assignment, radio management, and data forwarding.
● Fit APs implement wireless radio access, including radio signal transmission
and detection response, data encryption and decryption, and data
transmission acknowledgment.
● The AC and APs communicate using Control and Provisioning of Wireless
Access Points (CAPWAP). They can be connected across a Layer 2 or Layer 3
network.
In centralized architecture, wireless access involves the following operations:
1. Fit APs establish CAPWAP tunnels with an AC. For details, see 4.2.4 AP Online
Process.
2. STAs associate with a Fit AP. For details, see 4.2.5 STA Access.

4.2.4 AP Online Process


In centralized architecture, Fit APs need to go online before being managed and
controlled by an AC. AP login includes the following steps:
1. IP Address Allocation
2. CAPWAP Tunnel Establishment


3. AP Access Control
4. AP Software Upgrade
5. CAPWAP Tunnel Maintenance
6. AC Configuration Delivery
The process in which a central AP goes online on an AC is similar to that of a
common AP.

IP Address Allocation
An AP obtains an IP address through any of the following modes:
● Static mode: An IP address is manually configured for the AP.
● DHCP mode: The AP functions as a DHCP client and requests an IP address
from a DHCP server.

CAPWAP Tunnel Establishment


The AC manages and controls APs in a centralized manner through Control and
Provisioning of Wireless Access Points (CAPWAP) tunnels. CAPWAP tunnels provide
the following functions:
● Maintain the running status of APs and the AC.
● Help the AC manage APs and deliver configurations to APs.
● Transmit service data to the AC for centralized forwarding.
Figure 4-8 shows the process of establishing a CAPWAP tunnel.

Figure 4-8 CAPWAP tunnel establishment process
[Figure: message sequence between the AP and AC: Discovery Request, Discovery Response, then DTLS.]

The process of establishing a CAPWAP tunnel is as follows:


1. An AP sends a Discovery Request packet to find an available AC. (Discovery
Phase)
NOTE

In Discovery phase, the AC determines whether to permit access from an AP based on the
Discovery Request packet that the AP sends and will not respond to Discovery Request
packets of APs not permitted for access. The process is similar to Figure 4-9.


An AP can discover an AC in static or dynamic mode.


– Static mode
An AC IP address list is preconfigured on the AP. When the AP goes
online, the AP unicasts a Discovery Request packet to each AC whose IP
address is specified in the preconfigured AC IP address list. After receiving
the Discovery Request packet, the ACs send Discovery Response packets
to the AP. The AP then selects an AC to establish a CAPWAP tunnel
according to the received Discovery Response packets.
– Dynamic mode
An AP can dynamically discover an AC in DHCP, DNS, or broadcast mode.
Details on each of the modes are as follows:

▪ DHCP mode: An AP obtains the AC IP address through DHCP (by
configuring a DHCP response packet to carry Option 43 containing
the AC IP address list on the DHCP server), and sends a Discovery
Request unicast packet to the AC. The AC then sends a Discovery
Response packet to the AP.

▪ DNS mode: An AP obtains the AC domain name and DNS server IP
address through the DHCP service (by configuring a DHCP response
packet to carry Option 15 containing the AC domain name on the
DHCP server), and sends a request to the DNS server to obtain the IP
address corresponding to the AC domain name. After obtaining the
AC IP address, the AP unicasts a Discovery Request packet to the AC.
The AC then sends a Discovery Response packet to the AP.
After receiving the DHCP Response packet, the AP obtains the AC
domain name carried in Option 15. The AP then automatically adds
the prefix huawei-wlan-controller to the obtained domain name
and sends it to the DNS server to obtain the IP address
corresponding to the AC domain name. For example, after obtaining
the AC domain name ac.test.com configured on the DHCP server,
the AP adds the prefix huawei-wlan-controller to ac.test.com and
sends huawei-wlan-controller.ac.test.com to the DNS server for
resolution. The IP address corresponding to
huawei-wlan-controller.ac.test.com must be configured on the DNS server.

▪ Broadcast mode: An AP broadcasts a Discovery Request packet to
automatically discover an AC in the same network segment and then
selects an AC to establish a CAPWAP tunnel according to the
Discovery Response packets received from available ACs. The
broadcast mode is used when the following conditions are met:
○ No AC IP address list is configured on the AP.
○ The AP sends unicast Discovery Request packets for 10
consecutive times but does not receive any Discovery Response
packet. Dual-Link Backup is not configured on the AP.
○ The AP sends unicast Discovery Request packets for 10
consecutive times but does not receive any Discovery Response
packet. Dual-Link Backup is configured on the AP and the AP
discovers an AC to establish the active link.


NOTE

If an AP does not receive any Discovery Response packet after sending unicast
Discovery Request packets for ten consecutive times, and Dual-Link Backup is
configured on the AP, the AP does not broadcast a Discovery Request packet to
discover an AC to establish the standby link. Instead, the AP keeps sending
unicast Discovery Request packets.
2. The AP establishes CAPWAP tunnels with an AC.
CAPWAP tunnels include data tunnels and control tunnels.
– Data tunnel: transmits service data from the AP to an AC for centralized
forwarding.
– Control tunnel: transmits control packets between the AP and AC. You
can choose to enable datagram transport layer security (DTLS)
encryption over the control tunnel to ensure security of CAPWAP control
packets. Subsequently, all CAPWAP control packets will be encrypted and
decrypted through DTLS.

AP Access Control
The AP sends a Join Request packet to an AC. The AC then determines whether to
allow the AP access and sends a Join Response packet to the AP. The Join
Response packet carries the AP software upgrade mode and AP version
information.
Figure 4-9 shows a flowchart depicting the process for AP access control.


Figure 4-9 AP access control flowchart

AP Software Upgrade
The AP determines whether its system software version is the same as that
specified on the AC according to parameters in the received Join Response packet.
If the two versions are different, the AP updates its software version in AC, FTP, or
SFTP mode.
After the software version is updated, the AP restarts and repeats steps 1 to 3.

CAPWAP Tunnel Maintenance


The AP and AC exchange Keepalive packets to monitor the data tunnel
connectivity.


The AP and AC exchange Echo packets to monitor the control tunnel connectivity.

AC Configuration Delivery
The AC sends a Configuration Update Request packet to the AP, which then replies
with a Configuration Update Response packet. The AC then delivers service
configuration to the AP.

4.2.5 STA Access

STAs can access wireless networks after APs are logged in and CAPWAP tunnels
are established. STA access involves the following steps:
● Scanning
● Link authentication
● Association

Scanning
A STA can actively or passively scan wireless networks.

Active Scanning

In active scanning, a STA periodically searches for nearby wireless networks. The
STA can send two types of Probe Request frames: probes containing an SSID and
probes that do not contain an SSID.
● Probes containing an SSID: The STA sends a Probe Request frame containing
an SSID in each channel to search for the AP with the same SSID. Only the AP
with the same SSID will respond to the STA. For example, in Figure 4-10, the
STA sends a Probe Request frame containing the SSID huawei to search for
an AP with the SSID huawei.
This method applies to the scenario where a STA actively scans wireless
networks to access a specified wireless network.

Figure 4-10 Active scanning by sending a Probe Request frame containing an SSID
[Figure: the STA sends a Probe Request (SSID=huawei) to AP1 (SSID=huawei), and AP1 returns a Probe Response.]

● Probes that do not contain an SSID: The STA periodically broadcasts a Probe
Request frame that does not contain an SSID in the supported channels as
shown in Figure 4-11. The APs return Probe Response frames to notify the
STA of the wireless services they can provide.
This method applies to the scenario where a STA actively scans wireless
networks to determine whether wireless services are available.


Figure 4-11 Active scanning by sending a Probe Request frame containing no SSID
[Figure: the STA sends Probe Request (SSID=Null) frames to AP1 through APn, and the APs return Probe Response frames.]

Passive Scanning

When passive scanning is enabled, a STA listens on the Beacon frames that an AP
periodically sends in each channel to obtain AP information, as shown in Figure
4-12. A Beacon frame contains information including the SSID and supported rate.

To conserve power, enable the STA to passively scan wireless networks. In most
cases, VoIP terminals passively scan wireless networks.

Figure 4-12 Passive scanning process
[Figure: the AP sends Beacon frames, which STA1 and STA2 receive.]

Link Authentication
To ensure wireless link security, an AP needs to authenticate STAs that attempt to
access the AP. IEEE 802.11 defines two authentication modes: open system
authentication and shared key authentication.
● Open system authentication requires no authentication. STAs that attempt to
access the AP are successfully authenticated as long as the AP supports this


mode. An illustration of the open system authentication procedure is shown in
Figure 4-13.

Figure 4-13 Open system authentication
[Figure: the STA sends an Authentication Request to the AP, and the AP returns an Authentication Response.]

● Shared key authentication requires that the STA and AP have the same shared
key preconfigured. The AP checks whether the STA has the same shared key
to determine whether the STA can be authenticated. If the STA has the same
shared key as the AP, the STA is authenticated. Otherwise, STA authentication
fails. Figure 4-14 shows the shared key authentication process.

Figure 4-14 Shared key authentication
[Figure: message sequence between the STA and AP: 1. Authentication Request; 2. Authentication Response (Challenge); 3. Authentication Response (EncryptedChallenge); 4. Authentication Response (Success).]

The shared key authentication process consists of the following steps:


a. The STA sends an Authentication Request packet to the AP.
b. The AP generates a challenge and sends it to the STA.
c. The STA uses the preconfigured key to encrypt the challenge and sends it
to the AP.
d. The AP uses the preconfigured key to decrypt the encrypted challenge
and compares the decrypted challenge with the challenge sent to the
STA. If the two challenges are the same, the STA is authenticated.
Otherwise, STA authentication fails.
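
Steps a to d as a runnable exchange, with both sides' messages. This is an added example, not code from this guide: it assumes the WEP encryption (RC4 keystream plus a CRC-32 ICV) that IEEE 802.11 specifies for shared key authentication, which this page does not name, and it reduces framing to IV plus ciphertext. The AccessPoint and Station classes, the MAC addresses and the keys are hypothetical.

```python
import hmac
import os
import struct
import zlib

CHALLENGE_LEN = 128  # challenge text length used by IEEE 802.11


def rc4(key, data):
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """Return IV || RC4(IV || key, plaintext || ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, blob):
    """Return the plaintext, or None if the blob is short or the ICV fails."""
    iv, body = blob[:3], blob[3:]
    if len(body) < 4:
        return None
    clear = rc4(iv + key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    expected = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext if hmac.compare_digest(icv, expected) else None


class AccessPoint:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # STA MAC -> challenge awaiting a response

    def on_auth_request(self, sta_mac):
        """Step b: generate a fresh challenge for this STA."""
        challenge = os.urandom(CHALLENGE_LEN)
        self.pending[sta_mac] = challenge
        return challenge

    def on_encrypted_challenge(self, sta_mac, blob):
        """Step d: decrypt and compare with the challenge that was sent."""
        challenge = self.pending.pop(sta_mac, None)  # each challenge is single use
        if challenge is None:
            return False
        clear = wep_decrypt(self.key, blob)
        return clear is not None and hmac.compare_digest(clear, challenge)


class Station:
    def __init__(self, mac, key):
        self.mac = mac
        self.key = key

    def answer(self, challenge):
        """Step c: encrypt the challenge with the preconfigured key."""
        return wep_encrypt(self.key, os.urandom(3), challenge)


def authenticate(sta, ap):
    """Run steps a to d and return the AP's decision."""
    challenge = ap.on_auth_request(sta.mac)                  # a, b
    response = sta.answer(challenge)                         # c
    return ap.on_encrypted_challenge(sta.mac, response)      # d


if __name__ == "__main__":
    shared = bytes.fromhex("0102030405")        # constructed 40-bit key
    ap = AccessPoint(shared)
    print(authenticate(Station("0011-2233-4455", shared), ap))
    print(authenticate(Station("0011-2233-4466", bytes.fromhex("0504030201")), ap))
```
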

Association
STA association is also known as link negotiation. After link authentication is
complete, a STA initiates link negotiation using Association packets. Figure 4-15
shows the association process in the Fit AP architecture.


Figure 4-15 STA association in the Fit AP architecture
[Figure: message sequence among the STA, AP, and AC: 1. Association Request (STA to AP); 2. Association Request (AP to AC); 3. Association Response (AC to AP); 4. Association Response (AP to STA).]

● The STA association process in the Fit AP architecture consists of the following
steps:
a. The STA sends an Association Request packet to the AP. The Association
Request packet carries the STA's parameters and the parameters that the
STA selects according to the service configuration, including the
transmission rate, channel, QoS capabilities, access authentication
algorithm, and encryption algorithm.
b. The AP receives the Association Request packet, encapsulates the packet
into a CAPWAP packet, and sends the CAPWAP packet to the AC.
c. The AC determines whether to authenticate the STA and replies with an
Association Response packet.
d. The AP decapsulates the received Association Response packet and sends
it to the STA.
NOTE

After association, the STA determines whether it needs to be authenticated according to the
received Association Response packet:
● If the STA does not need to be authenticated, the STA can access the wireless network.
● If the STA needs to be authenticated, the STA initiates user access authentication. After
authentication, the STA can access the wireless network. For details about user access
authentication, see NAC in CLI-based Configuration- Security.

4.2.6 Data Forwarding Mode


Packets transmitted on a WLAN include control packets (management packets)
and data packets. Control packets are forwarded through CAPWAP control tunnels.
Data packets are forwarded through tunnel forwarding (centralized forwarding) or
direct forwarding (local forwarding) according to whether data packets are
forwarded through CAPWAP data tunnels.


Tunnel Forwarding
In tunnel forwarding mode, APs encapsulate service data packets over a CAPWAP
data tunnel and send them to an AC, which then forwards these packets to an
upper-layer network, as shown in Figure 4-16.

Figure 4-16 Tunnel forwarding
[Figure: STA, AP, LAN, AC, and Internet, with a CAPWAP tunnel between the AP and the AC; the legend distinguishes data packets from control packets.]

Direct Forwarding
In direct forwarding mode, an AP directly forwards service data packets to an
upper-layer network without encapsulating them over a CAPWAP data tunnel, as
shown in Figure 4-17.


Figure 4-17 Direct forwarding
[Figure: STA, AP, LAN, AC, and Internet, with a CAPWAP tunnel between the AP and the AC; the legend distinguishes data packets from control packets.]

Comparison Between Tunnel Forwarding and Direct Forwarding


Table 4-3 lists the advantages and disadvantages of tunnel forwarding and direct
forwarding.

Table 4-3 Comparison between tunnel forwarding and direct forwarding

Data Forwarding Mode | Advantage | Disadvantage
Tunnel forwarding | An AC forwards all data packets, ensuring security and facilitating centralized management and control. | Service data must be forwarded by an AC, reducing packet forwarding efficiency and burdening the AC.
Direct forwarding | Service data does not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC. | Service data is difficult to manage and control in a centralized manner.


Centralized Authentication in Direct Forwarding Mode


If direct forwarding is used, service data does not need to be forwarded by an AC.
When user access authentication (for example, 802.1X authentication) is required
on a wireless user access network and the access control point is deployed on an
AC, user authentication packets cannot be managed by the AC in a centralized
manner. This makes it difficult to control users in a uniform manner.

Centralized authentication can be enabled in direct forwarding mode so that user
authentication packets can be forwarded over CAPWAP tunnels to the AC, while
common data packets do not need to be forwarded by the AC. Figure 4-18 shows
a network using centralized authentication in direct forwarding mode.

Figure 4-18 Centralized authentication in direct forwarding mode (diagram: STA, AP, LAN, AC, and Internet, with a CAPWAP tunnel; legend: common data packet, authentication packet, control packet)

4.2.7 Uninterrupted AP Operation After CAPWAP Link Disconnection
In a scenario that uses direct forwarding and AC+Fit AP architecture, the AP and
AC must establish a CAPWAP tunnel for control packet forwarding before a STA
connects to the Internet through WLAN. When the CAPWAP tunnel is faulty, the
AP cannot forward data packets, online users on the AP are forcibly disconnected
from the AP, and new users cannot connect to the AP. These problems negatively
affect user experience. To solve these problems, enable the AP to hold services and
grant new users access permission after the CAPWAP link is disconnected.


● Service holding upon CAPWAP link disconnection


After the service holding function is enabled, the AP can still forward data
packets when the CAPWAP tunnel is faulty. This function ensures
uninterrupted data service transmission in direct forwarding mode, reducing
loss for users and improving service reliability.

Figure 4-19 Service holding upon CAPWAP link disconnection (diagram: STA, AP, Switch, AC, and Internet, with a CAPWAP tunnel; legend: data packets, control packets)

● User access permission after CAPWAP link disconnection


The service holding function takes effect only for online users but not for
offline users. Under normal circumstances, offline users are not allowed to go
online when the CAPWAP link is broken.
When the function that allows user access after CAPWAP link disconnection is
enabled, the AP allows offline users to go online and access the network.
After the broken CAPWAP link is restored, the AP forces all the STAs that have
gone online during CAPWAP link disconnection to go offline. The AP then
automatically reassociates with the STAs and reports information about the
STAs through logs.
NOTE

This function takes effect only when the WLAN uses open system authentication, pre-
shared key authentication, or WPA/WPA2–PSK authentication.
This function allows all the users that enter the correct key to go online. The STA
whitelist and blacklist configured on the AC do not take effect after the CAPWAP link
is broken.
When the function that allows user access after CAPWAP link disconnection is
disabled, STA association and key negotiation are performed between the AC
and STA. After this function is enabled, STA authentication, association, and
key negotiation are performed between the AP and STA. The different
processes for association and authentication are shown in Figure 4-20.

Figure 4-20 User access permission after CAPWAP link disconnection (diagram: STA, AP, LAN, AC, and Internet, with a CAPWAP tunnel)
1 Authentication packet exchange before user access permission after CAPWAP link disconnection is disabled
2 Authentication packet exchange before user access permission after CAPWAP link disconnection is enabled

NOTE

Currently, the device supports only service holding upon CAPWAP link disconnection when it
functions as the AC.

4.2.8 WLAN Service Configuration Procedure

Reference Relationships Between WLAN Profiles


Various profiles are designed based on different functions and features of WLAN
networks to help users configure and maintain functions of WLAN networks.
These profiles are called WLAN profiles. Figure 4-21 shows the referencing
relationships between WLAN profiles. By getting to know the referencing
relationships, users can easily grasp the configuration roadmap of WLAN profiles
and complete their configurations.

As shown in Figure 4-21, the following profiles can be bound to the AP group and
AP: regulatory domain profile, radio profile, VAP profile, AP system profile, AP
wired port profile, WIDS profile, and WDS profile. Some of the listed profiles can
further reference other profiles, for example, the radio profile can reference an air
scan profile and an RRM profile.

Figure 4-21 Reference relationships between WLAN profiles (diagram; boxes shown: AP, AP group, regulatory domain profile, radio profile, air scan profile, RRM profile, VAP profile, SSID profile, security profile, traffic profile, authentication profile*, AP system profile, AP wired port profile, AP wired port link profile, WIDS profile, WIDS spoof SSID profile, WIDS whitelist profile, WDS profile)

NOTE

● Profiles marked with an asterisk (*) can reference other profiles. Their referencing
relationships are not illustrated in this figure. For details, see the description of each profile.
● AP provisioning profiles cannot be referenced by other profiles and are only used to deliver
configurations to specified APs or AP groups. Therefore, this figure does not show AP
provisioning profiles.
● An AP radio can directly reference some profiles, including the radio profile, VAP profile,
WDS profile, and WDS whitelist profile.

WLAN profiles are designed to facilitate configuration and maintenance of WLAN
functions. When configuring WLAN service functions, users need to configure
parameters in matching WLAN profiles. After completing the configurations, they
need to bind the profiles to upper-level profiles, AP groups, or APs, and manually
deliver the configurations. After that, the configured functions take effect on the
APs.


NOTE

● If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound
to an AP group or AP.

For example, to configure air interface scan parameters, you can configure the
parameters in an air scan profile and bind the air scan profile to a radio profile,
which is then bound to an AP group or AP, as shown in Figure 4-21. After you
manually deliver the configurations, the configurations in the air scan profile take
effect on the APs. If referencing relationships between profiles are set in advance,
and parameters are configured in the air scan profile, the configurations in the
profile take effect after you manually deliver them.

WLAN Service Configuration Procedure


You can follow the procedure in Figure 4-22 to configure WLAN services. The
figure lists only basic profiles that need to be created for implementing basic
WLAN services. For reference relationships of other profiles, see Figure 4-21.
The WLAN service configuration procedure includes the following steps:
1. Create an AP group.
2. Configure network interconnection.
3. Configure system parameters for the AC.
4. Configure the AC to deliver WLAN services to Fit APs.


Figure 4-22 WLAN service configuration flowchart (flowchart; labels as shown)
● Create an AP group
● Configure network interconnection: Configure the DHCP server; Configure device connectivity
● Configure the AC to manage Fit APs
● Configure system parameters for the AC: Configure a country code (in a regulatory domain profile); Configure the source of AC interface; Set the AP authentication mode and configure APs to go online
● Configure the AC to deliver WLAN services to Fit APs: Configure basic radio parameters (on radios); Create an SSID profile; Create a security profile; Create a radio profile; Bind; Create a VAP profile; Bind; AP or AP group

4.3 Application Scenarios for Basic WLAN Services

4.3.1 WLAN Networking Application on Medium- and Large-sized Campus Networks
Medium and large campus networks are deployed in headquarters of large and
medium enterprises, branches of large enterprises, colleges and universities, and
airports. On a large campus network, a large number of APs are often deployed.
Most of these campus networks use the centralized WLAN architecture (AC+Fit
AP) to facilitate network maintenance and enhance security. Based on the AC
deployment mode, two AC solutions are available: centralized AC solution and
distributed AC solution.


Centralized AC Solution
The centralized AC solution deploys independent ACs to manage APs on the
network.

Figure 4-23 shows the centralized AC solution on a medium or large campus
network.

Figure 4-23 Centralized AC solution on a medium or large campus network (diagram: campus network, campus egress gateways, NMS, core switch, AC, aggregation switches, access switches, APs)

Distributed AC Solution
The distributed AC solution deploys multiple ACs in different areas to manage APs.
This mode integrates AC functions on an aggregation switch to manage all the
APs connected to the aggregation switch, without using an independent AC.


Figure 4-24 shows the distributed AC solution on a medium or large campus
network.

Figure 4-24 Distributed AC solution on a medium or large campus network (diagram: campus network, campus egress gateways, NMS, integrated ACs, switches, APs)

4.3.2 WLAN Networking Application on Small Campus Networks
Small-scale campus networks are deployed in small- and medium-scale
enterprises. Their WLAN deployment scale is smaller than that of a large-scale
campus network but greater than that of a SOHO network.
To reduce costs, a small-scale campus network does not use dedicated NMS
devices or authentication servers, resulting in low reliability.
A small-scale campus network often uses the centralized AC solution. In Figure
4-25.


Figure 4-25 Small-scale campus network WLAN solution (diagram: campus network, integrated AC (campus egress gateway), switch, AP)

4.3.3 WLAN Networking Application in Enterprise Branches


The enterprise branch WLAN networking can be used when an enterprise deploys
WLANs in the headquarters and branches and the headquarters needs to manage
WLANs in branches.
Large-scale and small-scale branch WLAN networkings are defined based on the
AC deployment mode, independent of the network size. Figure 4-26 and Figure
4-27 show the large-scale and small-scale branch WLAN networkings.

Figure 4-26 Large-scale branch WLAN networking (diagram: AP, AC, access switch, branch network, branch egress gateway, WAN, headquarters egress gateway, headquarters network, NMS (manages WLANs in a unified manner))


Figure 4-27 Small-scale branch WLAN networking (diagram: AP, AC, access switch, branch network, branch egress gateway, WAN, headquarters egress gateway, headquarters network, NMS (manages WLANs in a unified manner))

4.3.4 Application of Uninterrupted AP Operation After CAPWAP Link Disconnection
As shown in Figure 4-28, to reduce management and maintenance costs, some
small- and medium-sized enterprises deploy the AC at the headquarters to
manage the APs and STAs in branches. In direct forwarding mode, service holding
upon CAPWAP link disconnection is configured. After the CAPWAP link between
the AP and AC is broken, online branch users can access local network resources
(such as the local servers), and new branch users can still access the WLAN to
obtain network resources.

Figure 4-28 Uninterrupted AP operation after CAPWAP link disconnection (diagram: enterprise branch with AP, online users, and a new online user; WAN; enterprise headquarters with AC and NMS; Internet)

4.4 Summary of Basic WLAN Service Configuration Tasks
After the AP group is created, and AP and STA online configurations are complete,
APs can go online and STAs can access the wireless network.


The basic WLAN service functions can be implemented only when all the following
configuration tasks are completed.
● Configure a common WLAN.
a. 4.8 Creating an AP Group: Create an AP group to reference WLAN
profiles.
b. 4.9 Configuring APs to Go Online: Configure APs to go online.
c. 4.10 Configuring STAs to Go Online: Enable STAs to access the network.

4.5 Configuration Precautions for Basic WLAN Services


VLAN Deployment
Packets transmitted on a WLAN include management packets and service data
packets.
● Management packets must be forwarded through Control And Provisioning of
Wireless Access Points (CAPWAP) tunnels.
● Service data packets can be forwarded directly or through CAPWAP tunnels.
In practice, management packets and service data packets must have different
VLANs configured. That is, management packets must have management VLANs
configured, and service data packets must have service VLANs configured.
● Management VLAN: transmits packets that are forwarded through CAPWAP
tunnels, including management packets and service data packets forwarded
through CAPWAP tunnels.
● Service VLAN: transmits service data packets.
NOTE

● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● Management VLAN and service VLAN must be different.

The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is
different from VLAN m', and VLAN s is different from VLAN s'.
● Figure 4-29 shows the process of forwarding management packets through
CAPWAP tunnels.


Figure 4-29 Forwarding management packets through CAPWAP tunnels
(diagram; nodes and frame formats in the order shown, from the AC down to the AP)
802.3 | UDP/IP | CAPWAP | Payload
AC
VLAN m' | 802.3 | UDP/IP | CAPWAP | Payload
Switch
VLAN m | 802.3 | UDP/IP | CAPWAP | Payload
AP: 802.3 | UDP/IP | CAPWAP | Payload
VLAN m, VLAN m': management VLAN

In Figure 4-29:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving
downstream management packets, the AC encapsulates the packets in
CAPWAP packets and tags them with VLAN m'. The switch removes the
tag VLAN m from the packets. The AP decapsulates the CAPWAP packets.
● Figure 4-30 shows the process of directly forwarding service data packets.


Figure 4-30 Forwarding service data packet directly
(diagram; nodes and frame formats in the order shown, from the Internet down to the STA)
Internet
VLAN s' | 802.3 | Payload
Switch
VLAN s | 802.3 | Payload
AP
802.11 | Payload
STA
Payload
VLAN s, VLAN s': service VLAN
Legend: data packet

In Figure 4-30, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and forwards the packets to the destination.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets in 802.3 format reach the AP (the
packets are tagged with VLAN s' by upstream devices), the AP converts
the 802.3 packets into 802.11 packets and forwards them to the STA.
● Figure 4-31 shows the process of forwarding service data packets through
CAPWAP tunnels.


Figure 4-31 Forwarding service data packets through CAPWAP tunnels
(diagram; nodes and frame formats in the order shown, from the Internet down to the STA)
Internet
VLAN s | 802.3 | Payload
AC
VLAN m' | 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload
Switch
VLAN m | 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload
802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload
AP
802.11 | Payload
STA
Payload
VLAN m, VLAN m': management VLAN
VLAN s: service VLAN

In Figure 4-31, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and encapsulates them in CAPWAP packets. The upstream switch
tags the packets with VLAN m. The AC decapsulates the CAPWAP packets
and removes the tag VLAN m' from the packets.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets reach the AC, the AC encapsulates the
packets in CAPWAP packets, allows the packets carrying VLAN s to pass
through, and tags the packets with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets, removes
VLAN s, converts the 802.3 packets into 802.11 packets, and forwards
them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated
packets. The intermediate devices between the AC and AP only need to
transparently transmit VLAN m and do not need to be configured with VLAN
s encapsulated in the CAPWAP packets.

In WLAN networking, management VLANs and service VLANs must be properly
planned. The following assumes that an AP connects to an AC through a Layer 2
network.


● In Figure 4-32, to implement direct forwarding, ensure that the AP can
exchange management VLAN packets with the AC and exchange service
VLAN packets with upstream devices.

Figure 4-32 VLAN deployment in direct forwarding mode (diagram: STA, AP, SW1, SW2, AC, and Internet, with a CAPWAP tunnel and per-link VLAN100/VLAN101 labels; Management VLAN: VLAN100; Service VLAN: VLAN101; legend: data packet, management packet)

● In Figure 4-33, to implement tunnel forwarding, ensure that the AP can
exchange management VLAN packets with the AC and the AC can exchange
service VLAN packets with upstream devices.


Figure 4-33 VLAN deployment in tunnel forwarding mode (diagram: STA, AP, SW1, SW2, AC, and Internet, with a CAPWAP tunnel and per-link VLAN100/VLAN101 labels; Management VLAN: VLAN100; Service VLAN: VLAN101; legend: data packet, management packet)

NOTE

Layer 2 forwarding of CAPWAP tunnels applies only to scenarios where centralized
forwarding is enabled between APs connected to the same AC.

4.6 Default Settings for Basic WLAN Services


Table 4-4 Default settings for basic WLAN services

Parameter | Default Setting
Country code | CN (China)
AP authentication mode | mac-auth (MAC authentication)
Data forwarding mode | Direct forwarding
Service holding upon CAPWAP link disconnection | Disabled
Channel switchover announcement | Enabled
Channel switchover announcement mode | continue-transmitting (In this mode, data transmission is continued on the current channel.)

4.7 Country Code & Channel Compliance Table, and Channel and Power Restrictions
Different countries or regions have specified the channels and maximum transmit
power of radio signals that can be used locally. Radio signals working on different
channels may have varying signal strength. The Country Code & Channel
Compliance Table describes the country code and channel compliance, the
maximum power allowed by each channel, and the mapping relationship between
channels and frequencies. You can directly search for this table on the Huawei
enterprise service technical support website (https://support.huawei.com/enterprise).
N/A indicates that the country or region does not support the channel.

NOTICE

When planning or optimizing WLANs, pay attention to working channels and
corresponding transmit power of WLAN devices. Channel switching may affect
signal strength, degrading network quality.

NOTE

If any channel in the list does not comply with the local legal rules, contact technical support
personnel.

The maximum channel power specified by China is the maximum power of the radio
interface. The actual signal transmit power is affected by factors such as antenna
gain, and may exceed 27 dBm. The maximum channel power specified by the
other country codes refers to the actual transmit power of radio signals.

Radar Channel
Channels 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, and 140
can be used as radar channels. If the channels supported by some countries or
regions overlap with the radar signals, avoid using the radar channels.

4.8 Creating an AP Group


Context
On an AC + Fit AP network, one AC manages many APs. Usually, you need to
perform the same configurations on the APs. In this situation, you can add the APs
to an AP group and perform configurations uniformly in the AP group, which
simplifies operations. All APs in the group use the same configurations.

Each AP must join exactly one AP group. An AP group contains
configurations shared by all APs. You can configure settings specific to a
single AP in the AP view.

By default, an AP automatically joins the AP group default. The AP group default
cannot be deleted, but you can modify configurations in the default AP group.

By default, an AP group has the following profiles bound: AP system profile
default, 2G radio profile default, 5G radio profile default, regulatory domain
profile default, WIDS profile default, and AP wired port profile default.

Pre-configuration Tasks
Before creating an AP group, perform the task of CLI Login Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

By default, the system provides the AP group default.

----End

Verifying the Configuration


● Run the display ap-group { all | name group-name } command to view AP
group configurations.

Follow-up Procedure
After an AP group is created, you need to add APs to the AP group so that the APs
can use configurations in the group. For details, see 4.9.6 Adding APs.

4.9 Configuring APs to Go Online


To enable APs to discover an AC and go online on the AC after passing security
authentication, you need to configure network elements (NEs), interconnections
between NEs, and AC system parameters.

Pre-configuration Tasks
Before configuring APs to go online, perform the task of CLI Login Configuration.


Procedure
Perform the following steps in the listed order.

4.9.1 Configuring a DHCP Server

Configuring a DHCP Server


To go online normally, APs and STAs must obtain IP addresses. You can configure
an AC as a DHCP server or use an independent DHCP server to allocate IP
addresses to APs and STAs.
● When an enterprise branch has no independent DHCP server, configure an AC
as the DHCP server.
● An independent DHCP server applies to large WLANs of large- and medium-
sized campus networks.
For details on how to configure a DHCP server, see Configuring a DHCP Server.
A service DHCP address pool assigns IP addresses to STAs, and a management
DHCP address pool assigns IP addresses to APs. The two types of DHCP address
pools must be configured separately.

Configuring the Option 43 Field


If an AC functions as a DHCP server to assign IP addresses to APs, and the AC and
APs are in different network segments, you need to configure the Option 43 field
to specify the IP address of the AC for APs; otherwise, the APs cannot discover the
AC and fail to go online on the AC.
1. Run the system-view command to enter the system view.
2. Run the ip pool ip-pool-name command to create a global address pool and
enter its view.
3. Run any of the following commands to configure the option 43 field.
– option 43 hex hex-string
– option 43 sub-option 3 ascii ascii-string
– option 43 sub-option 2 ip-address ip-address &<1-8>
– option 43 sub-option 1 hex hex-string
Use one of the option 43 sub-option 3 ascii ascii-string, option 43 sub-option 2
ip-address ip-address &<1-8>, and option 43 sub-option 1 hex hex-string
commands to specify the AC's IP address for the APs. If you run two or three of the
commands simultaneously, only the last command takes effect.
If the AC and APs are in the same network segment, you do not need to configure
the Option 43 field, and the APs can discover the AC in broadcast mode. After
Option 43 is configured, the APs unicast Discovery Request packets to the IP
address carried in Option 43 to discover the AC. If the APs do not receive any
Discovery Response packet after sending unicast Discovery Request packets 10
consecutive times, the APs then broadcast packets to discover the AC.
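
Because Option 43 decides which AC an AP contacts first, the configured value is worth auditing against the list of controllers you actually operate. The following added example (not part of the original guide) decodes an option 43 hex string and flags AC addresses outside an approved list. It assumes the hex string holds RFC 2132 encapsulated sub-options (code, length, value) with the payload encodings noted in the comments; the pool names, payloads, and addresses are constructed.

```python
import ipaddress

# Sub-option numbers come from the commands above. The payload encodings
# are assumptions made for this example:
#   1 (hex) and 2 (ip-address): packed IPv4, 4 bytes per address
#   3 (ascii): dotted-quad text, comma-separated when several ACs are listed
PACKED_IPV4_SUBOPTIONS = {1, 2}
ASCII_SUBOPTION = 3


class Option43Error(ValueError):
    """The Option 43 payload is malformed."""


def parse_tlvs(hex_string):
    """Split a payload into (code, value) pairs: 1-byte code, 1-byte length, value."""
    try:
        data = bytes.fromhex(hex_string)
    except ValueError as exc:
        raise Option43Error(f"not valid hex: {exc}") from None
    tlvs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise Option43Error(f"truncated sub-option header at offset {pos}")
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option43Error(
                f"sub-option {code} declares {length} bytes, {len(value)} present")
        tlvs.append((code, value))
        pos += 2 + length
    return tlvs


def ac_addresses(hex_string):
    """Return the AC addresses an AP would learn from this payload."""
    found = []
    for code, value in parse_tlvs(hex_string):
        if code in PACKED_IPV4_SUBOPTIONS:
            if not value or len(value) % 4:
                raise Option43Error(
                    f"sub-option {code}: {len(value)} bytes is not a whole "
                    "number of IPv4 addresses")
            found += [ipaddress.IPv4Address(value[i:i + 4])
                      for i in range(0, len(value), 4)]
        elif code == ASCII_SUBOPTION:
            try:
                parts = value.decode("ascii").split(",")
                found += [ipaddress.IPv4Address(p.strip()) for p in parts]
            except (UnicodeDecodeError, ipaddress.AddressValueError) as exc:
                raise Option43Error(f"sub-option 3: {exc}") from None
        # Any other sub-option does not name an AC and is ignored here.
    return found


def audit_pool(pool_name, hex_string, approved_acs):
    """Return findings for one address pool; an empty list means nothing to report."""
    approved = {ipaddress.IPv4Address(a) for a in approved_acs}
    try:
        addresses = ac_addresses(hex_string)
    except Option43Error as exc:
        return [f"{pool_name}: malformed Option 43 ({exc})"]
    if not addresses:
        return [f"{pool_name}: Option 43 names no AC"]
    return [f"{pool_name}: AC {a} is not an approved controller"
            for a in addresses if a not in approved]


# Constructed sample data: pool names, payloads and addresses are invented.
APPROVED_ACS = ["10.23.100.1"]
POOLS = {
    "ap-mgmt-hq": "030B31302E32332E3130302E31",   # sub-option 3, "10.23.100.1"
    "ap-mgmt-branch1": "01040A176401",             # sub-option 1, 10.23.100.1
    "ap-mgmt-branch2": "02080A1764010A17C809",     # sub-option 2, two addresses
    "ap-mgmt-lab": "030B31302E",                   # length says 11, 3 bytes follow
}


def audit_all():
    """Audit every constructed pool and collect the findings in pool order."""
    findings = []
    for name, payload in POOLS.items():
        findings += audit_pool(name, payload, APPROVED_ACS)
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```
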

4.9.2 Configuring Network Interconnections


To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
online on the AC, and STAs to access the network, configure interconnections
between network devices.

The APs need to send service packets to STAs, and forward management packets
and STAs' service packets to the AC. When configuring network interconnections,
configure the management and service packets separately.

Configuring Management Packet Exchange


Management packets between the AC and APs are transmitted only on the
network between them. To ensure that the AC and APs exchange management
packets properly, you need to configure correct VLANs and routes.

NOTE

The PVIDs of network device interfaces directly connected to the APs must be set to
management VLAN IDs.

Configuring Service Packet Exchange


Service packets are transmitted between the STAs and upper-layer network.
Configure service packet exchange based on the forwarding mode to ensure that
they are transmitted properly.
● Tunnel forwarding mode:
– Configure the AC and APs to exchange management packets but not
service packets. In tunnel forwarding mode, service packets are
encapsulated in CAPWAP data tunnels and forwarded by the AC to the
upper-layer network.
– Configure the AC to exchange service packets with upper-layer network
devices.
● Direct forwarding mode:
Configure the APs to exchange service VLAN packets with the upper-layer
network. In direct forwarding mode, service packets are not encapsulated in
CAPWAP data tunnels. They can be forwarded directly or by the AC to the
upper-layer network.
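
The VLAN rules from the VLAN Deployment precautions and from this section can be checked against a planned topology before it is configured. The following added example (not part of the original guide) validates a plan for either forwarding mode and also reports links that carry the service VLAN without needing it in tunnel mode. It assumes a Layer 2 network between the AP and AC (so VLAN m equals VLAN m'); VlanPlan, check, and the upstream node name GW are hypothetical, and the sample plans are constructed with the VLAN 100/101 values used in Figures 4-32 and 4-33.

```python
from dataclasses import dataclass


@dataclass
class VlanPlan:
    mode: str            # "direct" or "tunnel"
    mgmt_vlan: int
    service_vlan: int
    capwap_path: list    # nodes from the AP to the AC
    service_path: list   # nodes that carry service frames outside the tunnel
    allowed: dict        # frozenset({node_a, node_b}) -> VLAN IDs allowed on the link
    ap_port_pvid: int    # PVID of the interface directly connected to the AP


def path_links(path):
    """Turn a node path into the list of links (unordered node pairs) it crosses."""
    return [frozenset(pair) for pair in zip(path, path[1:])]


def link_name(link):
    return "-".join(sorted(link))


def check(plan):
    """Return a list of findings; an empty list means the plan follows the rules."""
    if plan.mode not in ("direct", "tunnel"):
        raise ValueError(f"unknown forwarding mode: {plan.mode}")
    findings = []
    m, s = plan.mgmt_vlan, plan.service_vlan
    if m == s:
        findings.append("management VLAN and service VLAN must be different")
    for label, vid in (("management", m), ("service", s)):
        if vid == 1:
            findings.append(f"VLAN 1 should not be used as the {label} VLAN")
    if plan.ap_port_pvid != m:
        findings.append(
            f"PVID {plan.ap_port_pvid} on the AP-facing port is not management VLAN {m}")
    # Direct forwarding: service frames leave at the AP. Tunnel forwarding: at the AC.
    start = "AP" if plan.mode == "direct" else "AC"
    if plan.service_path[0] != start:
        findings.append(f"{plan.mode} forwarding: service path must start at the {start}")
    capwap_links = path_links(plan.capwap_path)
    service_links = path_links(plan.service_path)
    for link in capwap_links:
        if m not in plan.allowed.get(link, set()):
            findings.append(f"{link_name(link)}: management VLAN {m} not allowed")
    for link in service_links:
        if s not in plan.allowed.get(link, set()):
            findings.append(f"{link_name(link)}: service VLAN {s} not allowed")
    if plan.mode == "tunnel":
        # Devices between the AP and AC only need to pass the management VLAN.
        for link in capwap_links:
            if link not in service_links and s in plan.allowed.get(link, set()):
                findings.append(
                    f"{link_name(link)}: service VLAN {s} is allowed but not needed in tunnel mode")
    return findings


# Constructed sample plans: AP - SW1 - SW2 - AC, with GW as the upstream device on SW2.
CAPWAP_PATH = ["AP", "SW1", "SW2", "AC"]
DIRECT_ALLOWED = {
    frozenset({"AP", "SW1"}): {100, 101},
    frozenset({"SW1", "SW2"}): {100, 101},
    frozenset({"SW2", "AC"}): {100},
    frozenset({"SW2", "GW"}): {101},
}
TUNNEL_ALLOWED = {
    frozenset({"AP", "SW1"}): {100},
    frozenset({"SW1", "SW2"}): {100},
    frozenset({"SW2", "AC"}): {100, 101},
    frozenset({"SW2", "GW"}): {101},
}
DIRECT_PLAN = VlanPlan("direct", 100, 101, CAPWAP_PATH,
                       ["AP", "SW1", "SW2", "GW"], DIRECT_ALLOWED, 100)
TUNNEL_PLAN = VlanPlan("tunnel", 100, 101, CAPWAP_PATH,
                       ["AC", "SW2", "GW"], TUNNEL_ALLOWED, 100)
# Mode switched to tunnel, but the switch ports still carry the direct-mode settings.
DRIFTED_PLAN = VlanPlan("tunnel", 100, 101, CAPWAP_PATH,
                        ["AC", "SW2", "GW"], DIRECT_ALLOWED, 101)

if __name__ == "__main__":
    for plan_name, plan in (("direct", DIRECT_PLAN), ("tunnel", TUNNEL_PLAN),
                            ("drifted", DRIFTED_PLAN)):
        print(plan_name, check(plan) or "ok")
```
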

Configuring APs and STAs to Communicate with the DHCP Server


The APs and STAs must obtain IP addresses from the DHCP server; therefore, you
need to configure the APs and STAs to communicate with the DHCP server.

4.9.3 Configuring AC System Parameters

4.9.3.1 Configuring the WLAN Mode

Procedure
Step 1 Run system-view


The system view is displayed.


Step 2 Run set workmode wlan ac
The device is configured to work in AC mode.
By default, the AR651W-X4, AR651W-8P, AR651W, AR657W, AR611W, AR611W-
LTE4CN, AR617VW, AR617VW-LTE4, AR617VW-LTE4EA, and AR6120-VW work in
AP mode and other devices work in AC mode.
Step 3 Run quit
Exit from the system view.
Step 4 Run reboot [ fast ]
The device is restarted.

NOTE

After the device is restarted, the AC mode takes effect.

----End

4.9.3.2 Configuring Country Codes

Context
A country code identifies the country to which AP radios belong. Different
countries support different AP radio attributes, including the transmit power and
supported channels. Correct country code configuration ensures that radio
attributes of APs comply with laws and regulations of countries and regions to
which the APs are delivered.
The country code is configured in a regulatory domain profile. Two configuration
scenarios are available:
● If the APs managed by an AC are located in the same country or region, you
only need to configure one country code.
● If the APs managed by an AC are located in different countries, you need to
configure different country codes for the APs.
As shown in Figure 4-34, APs using regulatory domain profile 1 in country 1 and
those using regulatory domain profile 2 in country 2 are all managed and
controlled by the same AC. In this situation, you need to configure the country
code of country 1 in regulatory domain profile 1 and that of country 2 in
regulatory domain profile 2.


Figure 4-34 Multiple country codes
[Figure: one AC manages APs in two countries. Labels: Network management
platform; Switch_A, Headquarters, Country 1, AP regulatory domain profile 1;
Switch_B, Branch, Country 2, AP regulatory domain profile 2; AC; PC; four APs.]

NOTE

When configuring an AC for the first time, you must configure the correct country code. The
country code must comply with local laws and regulations.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run regulatory-domain-profile name profile-name

A regulatory domain profile is created, and the regulatory domain profile view is
displayed.

By default, the system provides the regulatory domain profile default.

Step 4 Run country-code country-code

A country code is configured.

By default, the country code CN is configured.

For details about country codes, see country-code.

Modifying the country code in a regulatory domain profile will restart APs using
the profile.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind the regulatory domain profile to an AP group or AP.


● Binding the regulatory domain profile to an AP group


a. Run the ap-group name group-name command to enter the AP group view.
b. Run the regulatory-domain-profile profile-name command to bind the
regulatory domain profile to the AP group.
By default, the regulatory domain profile default is bound to an AP
group.
● Binding the regulatory domain profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the regulatory-domain-profile profile-name command to bind the
regulatory domain profile to the AP specific profile.
By default, no regulatory domain profile is bound to an AP.

Step 7 Run quit

Return to the WLAN view.

Step 8 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

4.9.3.3 Configuring a Source Interface

Context
Each AC must have at least one VLANIF or loopback interface specified as the
source interface. All APs connected to the AC can learn the IP address of this
interface and use the IP address to communicate with the AC.

Before an AP establishes a CAPWAP tunnel with an AC, a source interface must be
specified for the AC.

You can specify a VLANIF or loopback interface on the device as the AC source
interface.
● VLANIF interface: applies to the scenario where the APs that associate with
the AC belong to the same management VLAN.
● Loopback interface: applies to the scenario where the APs that associate with
the AC belong to different management VLANs. When the APs belong to
multiple management VLANs, the AC must have multiple VLANIF interfaces
configured. If one of the VLANIF interfaces is specified as the source interface,
all the APs cannot go online when the source interface fails. A loopback
interface remains Up after being created. When a loopback interface is used
as the source interface and a VLANIF interface becomes faulty, only the AP
that connects to the VLANIF interface cannot go online.

Procedure
● Configure an IPv4 source interface.
– Specify a VLANIF interface as the source interface.


i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
The created VLAN is a management VLAN.
iii. Run quit
Return to the system view.
iv. Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is
displayed.
v. Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF
interface.
vi. Run quit
Return to the system view.
vii. Run capwap source interface vlanif vlan-id
A VLANIF interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.
After the undo capwap source interface command is executed, all
APs go offline on the AC. Therefore, exercise caution before running
the command.
– Specify a loopback interface as the source interface.
i. Run system-view
The system view is displayed.
ii. Run interface loopback loopback-number
A loopback interface is created, and the loopback interface view is
displayed.
iii. Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the loopback
interface.
The IP address of a loopback interface must use a 32-bit mask.
iv. Run quit
Return to the system view.
v. Run capwap source interface loopback loopback-number
A loopback interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.


After the undo capwap source interface command is executed, all
APs go offline on the AC. Therefore, exercise caution before running
the command.
● Configure an IPv6 source interface.
– Specify a VLANIF interface as the source interface.
i. Run system-view
The system view is displayed.
ii. Run capwap ipv6 enable
CAPWAP tunnels are enabled to support IPv6 functions.
By default, CAPWAP tunnels are disabled from supporting IPv6
functions.
iii. Run ipv6
The IPv6 packet forwarding function is enabled.
By default, IPv6 packet forwarding is disabled.
iv. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
This VLAN is the management VLAN after WLAN planning.
v. Run quit
Return to the system view.
vi. Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is
displayed.
vii. Run ipv6 enable
The IPv6 function is enabled on the interface.
By default, IPv6 is disabled on an interface.
viii. Run ipv6 address { ipv6-address prefix-length |
ipv6-address/prefix-length }
An IPv6 address and a subnet mask are configured for the VLANIF
interface.
ix. Run undo ipv6 nd ra halt
The system is enabled to send RA packets.
By default, the system is disabled from sending RA packets.
x. Run ipv6 nd autoconfig managed-address-flag
The "managed address configuration" flag (M flag) of stateful
autoconfiguration in an RA packet is set.
By default, the M flag is not set in an RA packet.
xi. Run ipv6 nd autoconfig other-flag
The "other configuration" flag (O flag) of stateful autoconfiguration
in an RA packet is set.
By default, the O flag is not set in an RA packet.
xii. Run dhcpv6 server pool-name [ allow-hint | preference
preference-value | rapid-commit | unicast ] *
The DHCPv6 server function is enabled on the interface.


By default, the DHCPv6 server function on an interface is disabled.


xiii. Run quit
Return to the system view.
xiv. Run dhcpv6 pool pool-name
An IPv6 address pool is created, and the IPv6 address pool view is
displayed.
By default, no IPv6 address pool is created on the device.
xv. Run address prefix ipv6-prefix/ipv6-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ]
A network prefix and lifetime in the IPv6 address pool view are
configured.
By default, no network prefix or lifetime is configured in the IPv6
address pool view.
xvi. Run excluded-address start-ipv6-address [ to end-ipv6-address ]
The range of IPv6 addresses that cannot be automatically assigned
from the IPv6 address pool is specified.
By default, all IPv6 addresses in an address pool can be automatically
assigned to clients. If only one IPv6 address cannot be automatically
allocated, specify it as start-ipv6-address.
xvii. Run capwap-ac ipv6-address
The AC's IPv6 address is configured in the IPv6 address pool view.
By default, the AC's IPv6 address is not configured in the IPv6
address pool view.
xviii. Run quit
Return to the system view.
xix. Run capwap source interface vlanif vlan-id
A VLANIF interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.
After the undo capwap source interface command is executed, all
APs go offline on the AC. Therefore, exercise caution before running
the command.
– Specify a loopback interface as the source interface.
i. Run system-view
The system view is displayed.
ii. Run capwap ipv6 enable
CAPWAP tunnels are enabled to support IPv6 functions.
By default, CAPWAP tunnels are disabled from supporting IPv6
functions.
iii. Run ipv6
The IPv6 packet forwarding function is enabled.
By default, IPv6 packet forwarding is disabled.


iv. Run interface loopback loopback-number


A loopback interface is created, and the loopback interface view is
displayed.
v. Run ipv6 enable
The IPv6 function is enabled on the interface.
By default, IPv6 is disabled on an interface.
vi. Run ipv6 address { ipv6-address prefix-length |
ipv6-address/prefix-length }
An IPv6 address and a subnet mask are configured for the loopback
interface.
vii. Run undo ipv6 nd ra halt
The system is enabled to send RA packets.
By default, the system is disabled from sending RA packets.
viii. Run ipv6 nd autoconfig managed-address-flag
The "managed address configuration" flag (M flag) of stateful
autoconfiguration in an RA packet is set.
By default, the M flag is not set in an RA packet.
ix. Run ipv6 nd autoconfig other-flag
The O flag of stateful autoconfiguration in an RA packet is set.
By default, the O flag is not set in an RA packet.
x. Run dhcpv6 server pool-name [ allow-hint | preference
preference-value | rapid-commit | unicast ] *
The DHCPv6 server function is enabled on the interface.
By default, the DHCPv6 server function on an interface is disabled.
xi. Run quit
Return to the system view.
xii. Run dhcpv6 pool pool-name
An IPv6 address pool is created, and the IPv6 address pool view is
displayed.
By default, no IPv6 address pool is created on the device.
xiii. Run address prefix ipv6-prefix/ipv6-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ]
A network prefix and lifetime in the IPv6 address pool view are
configured.
By default, no network prefix or lifetime is configured in the IPv6
address pool view.
xiv. Run excluded-address start-ipv6-address [ to end-ipv6-address ]
The range of IPv6 addresses that cannot be automatically assigned
from the IPv6 address pool is specified.
By default, all IPv6 addresses in an address pool can be automatically
assigned to clients. If only one IPv6 address cannot be automatically
allocated, specify it as start-ipv6-address.
xv. Run capwap-ac ipv6-address
The AC's IPv6 address is configured in the IPv6 address pool view.


By default, the AC's IPv6 address is not configured in the IPv6
address pool view.
xvi. Run quit
Return to the system view.
xvii. Run capwap source interface loopback loopback-number
A loopback interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.
After the undo capwap source interface command is executed, all
APs go offline on the AC. Therefore, exercise caution before running
the command.

----End

4.9.3.4 (Optional) Configuring a Network Element Name

Context
A network element is a physical device or service unit on the network topology.
Each AC is a network element.

You can configure network element names for ACs so that the ACs can be
identified by an NMS.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ac sysnetid ac-sysnetid

A network element name is configured for the AC.

By default, no NE name is configured for an AC.

----End

4.9.3.5 Verifying the AC System Parameter Configuration

Prerequisites
Settings of AC system parameters are completed.


Procedure
● Run the display regulatory-domain-profile { all | name profile-name }
command to check configuration information about a regulatory domain
profile.
● Run the display references regulatory-domain-profile name profile-name
command to check reference information about a regulatory domain profile.
● Run the display capwap configuration command to check the source
interface of an AC.
● Run the display ac global configuration command to check global
configurations of an AC, including the AC's NE name.

----End

4.9.4 (Optional) Configuring CAPWAP Tunnel Parameters

Context
After an AP is powered on and obtains an AC IP address, the AP begins to
establish CAPWAP tunnels with the AC. CAPWAP tunnels include control and data
tunnels.

The AC sends management packets over the control tunnel to manage APs in a
centralized manner. Data packets of users are all forwarded to the AC for
centralized processing through the data tunnel. To improve link reliability and
prevent CAPWAP control tunnels from being terminated when the service traffic
volume is high, configure a high priority for CAPWAP management packets.

CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption,
sensitive information encryption, integrity check, and heartbeat detection to
ensure security.
● DTLS encryption: When the AP establishes CAPWAP tunnels with the AC, the
AP determines whether to perform DTLS negotiation with the AC. The DTLS
protocol can be used to encrypt packets exchanged between the AP and AC to
ensure management packet integrity and privacy. Currently, the device can
only encrypt management packets using the pre-shared key (PSK).
● Sensitive information encryption: When sensitive information is transmitted
between the AC and APs, the encryption configuration can ensure information
security. Sensitive information includes the FTP user name/password, AP login
user name/password, and service configuration PSK.
● Integrity check: When transmitted between the AC and APs, CAPWAP packets
may be forged or tampered with, and malformed packet attacks may be
launched. The integrity check function can better protect the CAPWAP packets
between the AC and APs.
● Heartbeat detection: The AP and AC periodically exchange Echo packets to
determine whether the control tunnel is working properly and periodically
exchange Keepalive packets to determine whether the data tunnel is working
properly. If the AP or AC does not receive any response from the other after
Echo or Keepalive packets are sent for the specified number of times, the AP
and AC consider that the control or data tunnel is terminated. The tunnel
needs to be re-established.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure CAPWAP tunnel parameters as required.
● Configure the priority of CAPWAP management packets.
Command: capwap control-link-priority { local | remote } priority-value
By default, the priority of CAPWAP management packets is 7.
Description: A larger priority value indicates a higher priority and link
reliability. The default value 7 is recommended.
NOTICE
Configure priority 4 to 7 for CAPWAP management packets from an AC to an AP,
preventing the CAPWAP management tunnel from being interrupted due to large
traffic.

● Configure DTLS encryption.
– Allow the AP to establish a DTLS session with the AC using the default PSK.
Command: capwap dtls psk-mandatory-match enable
By default, an AP is not allowed to establish a DTLS session with an AC using
the default pre-shared key.
– Configure the PSK used for DTLS encryption.
Command: capwap dtls psk psk-value
The default username and password are available in AR Router Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to
find out how to obtain it.
– Enable DTLS encryption for control tunnels.
Command: capwap dtls control-link encrypt
By default, the function of encrypting the CAPWAP control tunnel using DTLS
is enabled.
Description: An AP can use a default or configured PSK to establish a DTLS
session with an AC. If an AP is allowed to use the default PSK to establish a
DTLS session with an AC, and a PSK is configured for DTLS encryption, the
following situations occur:
▪ The AP uses the default PSK during login and uses the configured PSK for
re-login after being restarted.
▪ When the AP and AC have different PSKs, the AP uses the default PSK to
establish a DTLS session with the AC after three consecutive attempts to
establish a DTLS session.
It is recommended that you change the PSK in a timely manner to ensure device
security.

● Encrypt sensitive information.
– Configure a PSK for encrypting sensitive information.
Command: capwap sensitive-info psk
By default, the default PSK is used for encrypting sensitive information.
Description: -

● Configure integrity check for CAPWAP packets.
– Configure a PSK for checking integrity of CAPWAP packets.
Command: capwap message-integrity psk
By default, no PSK is configured for checking integrity of CAPWAP packets.
Description: -

● Set the CAPWAP heartbeat detection.
– Configure the heartbeat detection interval.
Command: capwap echo interval interval-value
By default, the CAPWAP heartbeat detection interval is 25s.
– Configure the number of CAPWAP heartbeat detections.
Command: capwap echo times times-value
By default, a maximum number of six CAPWAP heartbeat detections can be
performed.
If dual-link backup is enabled, a maximum of three CAPWAP heartbeat
detections can be performed.
Description: After the CAPWAP heartbeat detection interval is configured, the
interval for sending Echo packets is configured.
After the number of CAPWAP heartbeat detections is configured, the number of
times for sending Echo packets is configured. If no response is received
after packets are sent for the specified number of times, the AP or AC
considers the link between them is disconnected.
If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link
reliability is degraded. Exercise caution when you set the values. The
default values are recommended. If an AP goes offline unexpectedly, you can
set a larger CAPWAP heartbeat detection interval and a larger number of
CAPWAP heartbeat detections.
If dual-link backup is enabled, the CAPWAP heartbeat detection interval is
25s and the number of CAPWAP heartbeat detections is 3. When the Wireless
Distribution System (WDS) is required in dual-link backup configuration, the
WDS link may be unstable and users may not access the network. You need to
run this command to set the interval for CAPWAP heartbeat detection to 25
seconds and the number of CAPWAP heartbeat detections to 6.
Radio traffic statistics packets are sent and received together with Echo
packets.

----End

Verifying the Configuration


● Run the display capwap configuration command to check CAPWAP
configurations.

4.9.5 (Optional) Configuring Automatic Upgrade When APs Go Online

Context
APs can be upgraded on an AC in the following two modes:
● Automatic upgrade: used when APs are not online on an AC yet. Usually,
automatic upgrade parameters are configured prior to AP access. When going
online, APs upgrade automatically.
For APs that are already online on the AC, you can trigger AP restart after
configuring the automatic upgrade parameters, and the APs upgrade
automatically during restart. Compared to the automatic upgrade, the in-
service upgrade can reduce service interruption time.
● In-service upgrade: mainly used when APs are already online on the AC and
carry WLAN services. For details about the in-service upgrade, see 4.11.1.3
Performing an In-Service Upgrade on APs.
In automatic upgrade mode, an AP checks whether its version is the same as that
configured on the AC, SFTP server, or FTP server during login. If the two versions
are different, the AP upgrades its version, restarts, and goes online again. If the
two versions are the same, the AP does not upgrade its version.

Table 4-5 lists the automatic upgrade modes supported by APs.

Table 4-5 AP automatic upgrade modes

● FTP mode
Function: An AP downloads the upgrade file from an FTP server.
Scenario: This mode applies to the scenario where high network security is not
required in file transmission. In FTP mode, data is transmitted in plain text,
bringing potential security risks.
● SFTP mode
Function: An AP downloads the upgrade version file from an SFTP server.
Scenario: This mode applies to the scenario demanding high network security. In
SFTP mode, data is encrypted, ensuring data integrity and privacy.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run the following commands as required.


● FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
By default, the AP upgrade mode is FTP mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username
ftp-username ftp-password cipher ftp-password
Basic FTP information is configured.
By default, an FTP server has no IP address, name, or password
configured.


It is recommended that you use an external FTP server to upgrade APs. If
the AC functions as the FTP server, a maximum of five APs can be
upgraded simultaneously.
The FTP server user name cannot contain double quotation marks
("). Ensure that the FTP server user name and unencrypted password
configured on the AC do not contain double quotation marks. Otherwise,
FTP upgrade fails.
c. Run ap update ftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is
configured.
NOTE

By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.


An external FTP server can be used, which is recommended. The AC can also
function as the FTP server.

▪ When an external FTP server is used, the maximum number of APs that can
be upgraded simultaneously is the configured max-connect-number.

▪ If an AC is used as the FTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server
max-connect-number max-connect-number command to set the maximum
number of APs that can be upgraded simultaneously. The value of
max-connect-number is an integer ranging from 1 to 5. During the upgrade, a
maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded. If the configured number of APs to be upgraded simultaneously is
larger than 5, an error message will be displayed after the first 5 APs are
upgraded. The remaining APs cannot be automatically upgraded. You have
to repeat the command until all APs are upgraded.
● SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
By default, the AP upgrade mode is FTP mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username
sftp-username sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, the IP address, user name, and password of the SFTP server
are not configured.
It is recommended that you use an external SFTP server to upgrade APs.
If the AC functions as the SFTP server, a maximum of five APs can be
upgraded simultaneously.
APs do not support double quotation marks ("). Ensure that the SFTP
server user name and unencrypted password configured on the AC do not
contain double quotation marks. Otherwise, SFTP upgrade fails.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is
configured.


NOTE

By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.


An external SFTP server can be used, which is recommended. The AC can also
function as the SFTP server.

▪ When an external SFTP server is used, the maximum number of APs that
can be upgraded simultaneously is the configured max-connect-number.

▪ If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server
max-connect-number max-connect-number command to set the maximum
number of APs that can be upgraded simultaneously. The value of
max-connect-number is an integer ranging from 1 to 5. During the upgrade, a
maximum of 1 to 5 APs can be upgraded at a time until all APs are
upgraded.
If max-connect-number is set larger than 5, an error message will be
displayed after the first five APs are upgraded. The remaining APs cannot be
automatically upgraded. You have to repeat the command until all APs are
upgraded.

Step 4 Run ap update update-filename filename ap-type type-id [ ap-group
ap-group-name ]
An upgrade file is configured for APs of a specified type.

----End

Verifying the Configuration


● Run the display ap update configuration command to check AP upgrade
configurations.
● Run the display ap-type { all | id type-id | type ap-type } command to check
the AP type.
● Run the display ap version { all | { ap-group ap-group-name | version-name
version-name } * } command to check the AP version.
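
An added example (not part of the Huawei guide and not Huawei code): a Python audit that reads AC configuration text and reports where the CAPWAP tunnel settings from 4.9.4 and the AP upgrade mode from 4.9.5 are left at, or moved to, their weaker values. It assumes a saved configuration holds the same command lines the guide shows and that disabled control-tunnel DTLS appears as an undo line; both sample configurations are constructed.

```python
import copy
import re

# Defaults as stated in the guide; a setting absent from the config keeps its default.
DEFAULTS = {
    "dtls_control_encrypt": True,   # control-tunnel DTLS is enabled by default
    "dtls_psk_set": False,          # no operator-chosen DTLS PSK
    "sensitive_psk_set": False,     # the default PSK protects sensitive information
    "integrity_psk_set": False,     # no integrity-check PSK by default
    "echo_interval": 25,            # seconds
    "echo_times": 6,                # 3 when dual-link backup is enabled
    "update_mode": "ftp-mode",
    "priority": {"local": 7, "remote": 7},
}

def _set(key, value=None):
    """Build a handler that stores a fixed value or the first captured integer."""
    def handler(settings, match):
        settings[key] = int(match.group(1)) if value is None else value
    return handler

def _set_priority(settings, match):
    settings["priority"][match.group(1)] = int(match.group(2))

def _set_mode(settings, match):
    settings["update_mode"] = match.group(1)

# Patterns mirror the command syntax in the guide. The "undo" line is an
# assumption about how disabled control-tunnel DTLS appears in a saved config.
RULES = [
    (r"undo capwap dtls control-link encrypt$", _set("dtls_control_encrypt", False)),
    (r"capwap dtls control-link encrypt$", _set("dtls_control_encrypt", True)),
    (r"capwap dtls psk\s+\S+", _set("dtls_psk_set", True)),
    (r"capwap sensitive-info psk\b", _set("sensitive_psk_set", True)),
    (r"capwap message-integrity psk\b", _set("integrity_psk_set", True)),
    (r"capwap echo interval (\d+)$", _set("echo_interval")),
    (r"capwap echo times (\d+)$", _set("echo_times")),
    (r"capwap control-link-priority (local|remote) (\d+)$", _set_priority),
    (r"ap update mode (ftp-mode|sftp-mode)$", _set_mode),
]

def parse(config_text):
    """Return the effective settings: guide defaults overridden by config lines."""
    settings = copy.deepcopy(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, handler in RULES:
            match = re.match(pattern, line)
            if match:
                handler(settings, match)
                break
    return settings

def audit(config_text, dual_link=False):
    """Return (finding_id, message) pairs for settings the guide warns about."""
    s = parse(config_text)
    default_times = 3 if dual_link else DEFAULTS["echo_times"]
    findings = []
    if not s["dtls_control_encrypt"]:
        findings.append(("DTLS_OFF", "control tunnel is not DTLS-encrypted"))
    if not s["dtls_psk_set"]:
        findings.append(("DTLS_DEFAULT_PSK", "no DTLS PSK configured; the guide recommends changing the PSK"))
    if not s["sensitive_psk_set"]:
        findings.append(("SENSITIVE_DEFAULT_PSK", "sensitive information is encrypted with the default PSK"))
    if not s["integrity_psk_set"]:
        findings.append(("NO_INTEGRITY_PSK", "no PSK for the CAPWAP packet integrity check"))
    if s["update_mode"] == "ftp-mode":
        findings.append(("FTP_UPGRADE", "AP upgrade files are fetched over plain-text FTP"))
    if s["echo_interval"] < DEFAULTS["echo_interval"] or s["echo_times"] < default_times:
        findings.append(("ECHO_BELOW_DEFAULT", "heartbeat values below the defaults degrade link reliability"))
    low = sorted(side for side, prio in s["priority"].items() if prio < 4)
    if low:
        findings.append(("LOW_CTRL_PRIORITY", "management packet priority below 4 for: " + ", ".join(low)))
    return findings

# Constructed sample configurations, not taken from a real device.
WEAK_CONFIG = """\
undo capwap dtls control-link encrypt
capwap echo interval 10
capwap echo times 3
capwap control-link-priority remote 2
wlan ac
 ap update mode ftp-mode
"""

HARDENED_CONFIG = """\
capwap dtls control-link encrypt
capwap dtls psk CONSTRUCTED-PLACEHOLDER
capwap sensitive-info psk
capwap message-integrity psk
wlan ac
 ap update mode sftp-mode
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("all defaults", "")):
        print(name)
        for finding_id, message in audit(text) or [("OK", "no findings")]:
            print(f"  {finding_id}: {message}")
```

An empty configuration still produces four findings, because the guide's defaults use default PSKs, no integrity-check PSK, and FTP upgrade mode.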

4.9.6 Adding APs

Context
You can add APs in any of the following modes:
● Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections
with the APs if the MAC addresses or SNs of the APs match the configured
ones.
● Configuring the AC to automatically discover an AP: The AP authentication
mode is set to no authentication; alternatively, the AP authentication mode is
set to MAC or SN authentication and the AP whitelist is configured on the AC.
When an AP in the whitelist connects to the AC, the AC discovers the AP, and
the AP goes online.
● Manually confirming APs added to the list of unauthorized APs: The AP
authentication mode is set to MAC or SN authentication, and the AP whitelist
is configured on the AC. When an AP that is not in the whitelist connects to
the AC, the AC adds the AP to the list of unauthorized APs. After the AP
identity is confirmed, the AP can go online.

When you add an AP in any of the preceding modes, the AP cannot connect to the
AC if the MAC address of the AP is in the AP blacklist.

After you add an AP to an AC offline and configure AP parameters, for example,
the AP group that the AP joins by default, the AP can go online and use the
configured data to work. When the AC is configured to automatically discover APs,
an AP uses the default parameters to work after going online.

Adding an AP offline is recommended when the MAC address or SN of the AP is
already learned.

The AP blacklist and whitelist can be configured at the same time. However, the
MAC address of an AP cannot be added to the AP blacklist and whitelist at the
same time.

If both the AP whitelist and the AP blacklist are configured, whether an AP is
on the blacklist is checked first.

Procedure
● Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command
to add the AP to an AP blacklist.

By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN
authentication.

The default AP authentication mode is MAC address authentication.


e. Run the ap-id ap-id [ type-id type-id | ap-type ap-type ] [ ap-mac ap-mac ]
[ ap-sn ap-sn ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline
and enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.

By default, no AP name is configured for an AP.


g. Run the ap-group group-name command to add the AP to an AP group.

By default, no AP group is configured.


● Configure the AC to automatically discover an AP.
NOTE

If no AP name or AP group is configured for an automatically discovered AP on the AC, the
configuration file of the AP name or AP group will not be generated in the AP view.
If an AP is deleted from the AC, the configuration in the AP view will be automatically
deleted.


– Set the AP authentication mode to no authentication.


i. Run the system-view command to enter the system view.
ii. Run the wlan ac command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ]
command to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode no-auth command to set the AP
authentication mode to no authentication.
The default AP authentication mode is MAC address authentication.
NOTE

The non-authentication mode brings security risks. You are advised to set
the authentication mode to MAC address authentication or SN
authentication, which is more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan ac command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ]
command to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the
AP authentication mode to MAC address authentication or SN
authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to
add the AP with the specified MAC address to the whitelist if the
AP authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add
the AP with the specified SN to the whitelist if the AP
authentication mode is set to SN authentication.
By default, no SN is added to the AP whitelist.
● Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command
to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN
authentication.
The default AP authentication mode is MAC address authentication.
e. Run the display ap unauthorized record command to check information
about unauthorized APs.

f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm
the unauthorized APs. After confirmation, the APs work in normal state.

----End

Verifying the Configuration


● Run the display ap global configuration command to check the AP
authentication mode.
● Run the display ap blacklist command to check the AP blacklist.
● Run the display ap whitelist { mac | sn } command to check the AP whitelist.
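
The AP authentication settings from this procedure can be reviewed offline before they are entered on the AC. The following Python script is an added example, not part of the Huawei guide: it reads WLAN-view commands in the forms given above and reports the no-authentication mode, a whitelist that does not match the authentication mode, wide MAC ranges, and MAC addresses listed in both the whitelist and the blacklist. The sample commands, the H-H-H MAC notation, the finding codes and the 256-address range limit are assumptions made for the example.

```python
import re

# Constructed sample: WLAN-view commands written in the forms this section
# gives. The MAC addresses are made-up values, not taken from the guide.
SAMPLE_COMMANDS = """
system-view
wlan ac
 ap blacklist mac 00e0-fc00-0018
 ap auth-mode sn-auth
 ap whitelist mac 00e0-fc00-0010 to 00e0-fc00-001f
"""

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.IGNORECASE)
MODE_RE = re.compile(r"^ap auth-mode (no-auth|mac-auth|sn-auth)$")
LIST_RE = re.compile(
    r"^ap (whitelist mac|whitelist sn|blacklist mac) (\S+)(?: to (\S+))?$")


def mac_to_int(mac):
    """Convert an H-H-H MAC address to an integer so ranges can be compared."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def int_to_mac(value):
    """Format an integer back into H-H-H notation for report text."""
    text = f"{value:012x}"
    return "-".join(text[i:i + 4] for i in (0, 4, 8))


def parse(commands):
    """Collect the authentication mode and list entries from typed commands."""
    state = {
        "mode": "mac-auth",  # default stated in this section
        "whitelist mac": [], "whitelist sn": [], "blacklist mac": [],
    }
    for raw in commands.splitlines():
        line = " ".join(raw.split())  # drop indentation and repeated spaces
        mode = MODE_RE.match(line)
        if mode:
            state["mode"] = mode.group(1)
            continue
        entry = LIST_RE.match(line)
        if not entry:
            continue  # other commands are outside this check
        name, first, last = entry.group(1), entry.group(2), entry.group(3)
        last = last or first  # a single value is a range of one
        if name.endswith("mac"):
            first, last = mac_to_int(first), mac_to_int(last)
            if first > last:
                raise ValueError(f"range start is above range end: {line}")
        state[name].append((first, last))
    return state


def audit(state, max_range=256):
    """Return (code, detail) findings. max_range is an assumed review limit."""
    findings = []
    mode = state["mode"]
    if mode == "no-auth":
        findings.append(("NO_AUTH", "APs go online without authentication"))
    else:
        wanted = "mac" if mode == "mac-auth" else "sn"
        unused = "sn" if wanted == "mac" else "mac"
        if not state["whitelist " + wanted]:
            findings.append(("EMPTY_WHITELIST",
                             f"{mode} has no {wanted} whitelist entry; APs must "
                             "be imported offline or confirmed with ap-confirm"))
        if state["whitelist " + unused]:
            findings.append(("WHITELIST_MODE_MISMATCH",
                             f"{unused} whitelist entries exist but the mode "
                             f"is {mode}"))
    for first, last in state["whitelist mac"]:
        span = f"{int_to_mac(first)} to {int_to_mac(last)}"
        if last - first + 1 > max_range:
            findings.append(("WIDE_RANGE",
                             f"{span} covers {last - first + 1} addresses"))
        for b_first, b_last in state["blacklist mac"]:
            if first <= b_last and b_first <= last:
                findings.append(("LIST_OVERLAP",
                                 f"whitelist {span} overlaps blacklist "
                                 f"{int_to_mac(b_first)} to {int_to_mac(b_last)}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse(SAMPLE_COMMANDS)):
        print(f"{code}: {detail}")
```
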

4.9.7 Checking Whether APs Can Go Online

Context
Before deploying APs onsite, complete network planning operations, for example,
configure the AC and involved NEs, and add APs on the AC. After APs are
connected to the network and powered on, they can automatically upgrade and
go online. Users do not need to perform other configurations on the APs onsite.

You can check whether the APs go online properly on the AC as planned. If the AP
status displays as normal, the APs have gone online properly.

Procedure
● Run the display ap all command to check whether APs go online on an AC.

----End

4.10 Configuring STAs to Go Online


Pre-configuration Tasks
Before configuring STAs to go online, perform the task of 4.9 Configuring APs to
Go Online.

Procedure
4.10.1 Configuring a Radio and 4.10.2 Configuring a VAP can be performed in
any sequence. After all configuration tasks are complete, perform 4.10.3
Delivering the WLAN Service Configuration first and then 4.10.4 Checking the
STA Online Result.

4.10.1 Configuring a Radio

4.10.1.1 Configuring Basic Radio Parameters

Context
You need to configure different radio parameters for AP radios based on actual
WLAN environments, enabling the AP radios to work at the optimal performance.

● If working channels of adjacent APs have overlapping frequencies, signal
interference occurs and affects AP working status. To prevent signal
interference, enable APs to work in the optimal status, and improve the
WLAN quality, configure any two adjacent APs to work on non-overlapping
channels.
Working channels of radios vary according to countries and regions. To
conform to local laws and regulations, you need to configure different
working channels under different country codes. You can run the display ap
configurable channel { ap-name ap-name | ap-id ap-id } command to check
the channels supported by the specified AP.
The channels you configure must be supported by the terminals; otherwise,
the terminals cannot discover wireless signals. For example, when the country
code is set to China, 5 GHz channels 36, 40, 44, 48, 52, 56, 60, and 64 can be
configured. However, most terminals do not support these channels currently.
If these channels are configured, the terminals cannot discover wireless
signals. In this case, you can configure 5 GHz channels 149, 153, 157, 161, and
165, which are supported by the terminals.
If an AP detects radar signals on a channel, the channel cannot be configured
as the radio channel of that AP within 30 minutes. However, the channel can be
configured as the radio channel of other APs that have not detected radar signals on it.
It is laborious to manually configure working channels of radios, and difficult
to maintain and modify the configuration. To facilitate configuration and
maintenance, configure radio calibration to dynamically adjust working
channels of radios. For details, see 5.6 Configuring Radio Calibration.
● Configure the transmit power and antenna gain for radios according to actual
network environments so that the radios provide sufficient signal strength,
improving signal quality of WLANs.
● In actual application scenarios, two APs may be connected over dozens of
meters to dozens of kilometers. Due to different AP distances, the time to
wait for ACK packets from the peer AP varies. A proper acktimeout value can
improve data transmission efficiency between APs.

You can configure basic radio parameters in the AP group radio view and AP radio
view. The configuration in the AP group radio view takes effect on all specified AP
radios in an AP group and that in the AP radio view takes effect only on a
specified AP radio. The configuration in the AP radio view has a higher priority
than that in the AP group radio view.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Enter the radio view.


● Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the radio radio-id command to enter the radio view.
● Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the radio radio-id command to enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel
or channel 80+80mhz channel1 channel2.
The working bandwidth and channel are configured for a radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel
is configured for a radio.
To avoid signal interference, ensure that adjacent APs work in non-overlapping
channels.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in
the 5G radio view.
Only APs that support 802.11ac support the 80 MHz parameters.
Step 5 Run antenna-gain antenna-gain
The antenna gain is configured for the radio.
By default, no antenna gain is configured for AP radios.
The antenna gain is the ratio of the power density produced by an antenna to the
power density that should be obtained at the same point if the power accepted by
the antenna were radiated equally. It can measure the capability for an antenna to
receive and send signals in a specified direction, which is one of the most
important parameters to select a BTS antenna. In the same condition, if the
antenna gain is high, the wave travels far.
The antenna gain of an AP radio configured using the command must be
consistent with the gain of the antenna connected to the AP.
The maximum antenna gain should comply with laws and regulations of the
corresponding country. For details, see the Country Code & Channel Compliance
Table.
Step 6 Run eirp eirp
The transmit power is configured for the radio.
By default, the transmit power of a radio is 127 dBm.
You can configure the transmit power for a radio based on actual network
environments, enabling radios to provide the required signal strength and
improving signal quality on WLANs.
Step 7 Run coverage distance distance

The radio coverage distance parameter is specified.


By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on distances
between APs and the APs automatically adjust the values of slottime, acktimeout,
and ctstimeout based on the configured distance parameter to improve data
transmission efficiency.
Step 8 Run frequency
Radio 0 is configured to work on the 5 GHz frequency band.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the
5 GHz frequency band.
Step 9 (Optional) Run undo radio disable
The radio is enabled.
By default, all AP radios are enabled.
A radio can work only after you enable it.

----End

4.10.1.2 Creating a Radio Profile

Context
Basic radio parameters are directly configured on radio interfaces, while other
radio parameters are configured in a radio profile. The radio profile is classified
into the 2G and 5G radio profiles. The configurations in the 2G and 5G radio
profiles take effect on 2.4 GHz and 5 GHz radios, respectively. The commands in
the 2G radio profile are used to configure 2.4 GHz radio parameters while those in
the 5G radio profile are used to configure 5 GHz radio parameters. 4.10.1.4
(Optional) Adjusting Radio Parameters describes different commands used for
the 2G and 5G radio profiles. Unless otherwise specified, the other commands are
applicable to both the 2G and 5G radio profiles.
The 2.4 GHz radio supports the 802.11bgn radio mode, and the 5 GHz radio
supports the 802.11an and 802.11ac radio modes. When connecting to a wireless
network, STAs automatically negotiate the radio mode with their connected APs.
By default, the system provides the 2G radio profile default and 5G radio profile
default, and the two radio profiles are bound to all AP groups. Using the default
radio profiles can simplify user operations. However, in actual scenarios, you are
advised to create different radio profiles and configure parameters in the profiles
according to service requirements.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac

The WLAN view is displayed.


Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
A 2G or 5G radio profile is created and the radio profile view is displayed.
By default, the system provides the 2G radio profile default and 5G radio profile
default.

----End

4.10.1.3 (Optional) Configuring Smooth Channel Switching

Context
When a STA associated with an AP detects a channel switching on the AP, the STA
needs to reassociate with the AP on the new channel. During this process, services
of the STA are interrupted, degrading Internet experience of users. After smooth
channel switching is configured, when the AP channel needs to be switched, the
AP requests STAs to switch the channel after a fixed number of Beacon intervals
so that the STAs and AP switch the channel simultaneously. Smooth channel
switching can prevent STA reassociations and ensure rapid service recovery to
improve Internet experience of users.
The channel switching announcement function must be supported by both the AP
and STA.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run undo channel-switch announcement disable
The channel switch announcement function is enabled.
By default, the AP sends an announcement when the channel is switched.

----End

4.10.1.4 (Optional) Adjusting Radio Parameters

Context
You can adjust and optimize radio parameters to adapt to different network
environments, enabling APs to provide required radio capabilities and improving
signal quality of WLANs.

After parameters in a radio profile are delivered to an AP, only the parameters
supported by the AP can take effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 4 Adjust radio parameters:

Procedure: Configure the radio type
Command:
  radio-type { dot11b | dot11g | dot11n }
  By default, the radio type in a 2G radio profile is dot11n.
  radio-type { dot11a | dot11ac | dot11n }
  By default, the radio type in a 5G radio profile is dot11ac.
Description:
  Usually, the default radio type is used and does not need to be modified. If the
  default radio mode cannot meet requirements or a fault needs to be located,
  configure the radio type as required.
  ● The radio-type { dot11b | dot11g | dot11n } command can only be configured in
    a 2G radio profile.
  ● The radio-type { dot11a | dot11ac | dot11n } command can only be configured in
    a 5G radio profile.

Procedure: Configure the radio rate

Command:
  dot11a basic-rate { dot11a-rate-value &<1-8> | all }
  By default, a basic rate set of the 802.11a protocol in a 5G radio profile
  includes rates 6 Mbps, 12 Mbps, and 24 Mbps.
  dot11bg basic-rate { dot11bg-rate-value &<1-12> | all }
  By default, the basic rate set of the 802.11bg protocol includes rates 1 Mbps
  and 2 Mbps in a 2G radio profile.
Description:
  All rates specified in the basic rate set must be supported by both the AP and
  STA; otherwise, the STA cannot associate with the AP.
  ● The dot11a basic-rate { dot11a-rate-value &<1-8> | all } command can only be
    configured in a 5G radio profile.
  ● The dot11bg basic-rate { dot11bg-rate-value &<1-12> | all } command can only
    be configured in a 2G radio profile.

Command:
  dot11a supported-rate { dot11a-rate-value &<1-8> | all }
  By default, the supported rate set of the 802.11a protocol in a 5G radio profile
  includes rates 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps,
  and 54 Mbps.
  dot11bg supported-rate { dot11bg-rate-value &<1-12> | all }
  By default, the supported rate set of the 802.11bg protocol in a 2G radio profile
  includes rates 1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps,
  18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.
Description:
  The supported rate set contains rates supported by the AP, except the basic
  rates. The AP and STA can transmit data at all rates specified by the supported
  rate set.
  ● The dot11a supported-rate { dot11a-rate-value &<1-8> | all } command can only
    be configured in a 5G radio profile.
  ● The dot11bg supported-rate { dot11bg-rate-value &<1-12> | all } command can
    only be configured in a 2G radio profile.

Command:
  vht mcs-map nss nss-value max-mcs max-mcs-value
  By default, the maximum MCS value of the 802.11ac radios is 9 in the 5G radio
  profile.
Description:
  Rates of 802.11ac radios depend on the index value of Modulation and Coding
  Scheme (MCS). A larger MCS value indicates a higher transmission rate.
  The MCS value can only be configured in a 5G radio profile.

Procedure: Configure the radio multicast rate
Command:
  multicast-rate multicast-rate
  By default, the multicast rate of wireless packets is 11 Mbps in a 2G radio
  profile and 6 Mbps in a 5G radio profile.
Description:
  The configured multicast rate must be in the basic rate set or supported rate
  set, and supported by the STA; otherwise, the STA cannot receive multicast data.
  The values of multicast-rate differ in 2G and 5G radio profiles. For details, see
  descriptions of multicast-rate multicast-rate.

Procedure: Configure the interval at which an AP sends Beacon frames
Command:
  beacon-interval beacon-interval
  By default, the interval for sending Beacon frames is 100 ms.
Description:
  An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11
  network.

Procedure: Configure an AP to support the short preamble
Command:
  undo short-preamble disable
  By default, a radio profile supports the short preamble.
Description:
  The preamble is a section of bits in the header of a data frame. It synchronizes
  signals transmitted between the sender and receiver and can be a short or long
  preamble.
  ● A short preamble ensures better network synchronization performance and is
    recommended.
  ● A long preamble is usually used for compatibility with earlier network
    adapters of clients.

Procedure: Configure the RTS mechanism / Configure the RTS-CTS operation mode
Command:
  rts-cts-mode { cts-to-self | disable | rts-cts }
  By default, the RTS-CTS operation mode is cts-to-self.
Description:
  The RTS/CTS handshake mechanism prevents data transmission failures caused by
  channel conflicts. If STAs perform RTS/CTS handshakes before sending data, RTS
  frames consume high channel bandwidth. The default RTS-CTS operation mode is
  recommended.
  ● If the RTS/CTS handshake mechanism is not used, there may be hidden STAs. If
    base stations A and C simultaneously send information to base station B
    because base station C does not know that base station A is sending
    information to base station B, signal conflict occurs. As a result, signals
    fail to be sent to base station B.
  ● The RTS/CTS handshake mechanism reduces the transmission rate and even causes
    the network delay.

Procedure: Configure the RTS mechanism / Configure an RTS-CTS threshold in a radio profile
Command:
  rts-cts-threshold rts-cts-threshold
  The default RTS-CTS alarm threshold is 2347 bytes.
Description:
  If STAs perform RTS/CTS handshakes before sending data, many RTS frames consume
  high channel bandwidth. To prevent this problem, set the RTS threshold and
  maximum number of retransmission attempts for long/short frames. The RTS
  threshold specifies the length of frames to be sent. When the length of frames
  to be sent by a STA is smaller than the RTS threshold, no RTS/CTS handshake is
  performed. The default RTS threshold is recommended.
  This configuration is applicable only when the RTS-CTS operation mode is rts-cts.

Procedure: Configure 802.11n parameters / Enable the MAC Protocol Data Unit (MPDU)
aggregation function.
Command:
  undo ht a-mpdu disable
  By default, aggregation of MPDUs is enabled.

Procedure: Configure 802.11n parameters / Configure the maximum length of an A-MPDU
Command:
  ht a-mpdu max-length-exponent max-length-exponent-index
  By default, the index for the maximum length of an A-MPDU is 3. The maximum
  length of the A-MPDU is 65535 bytes.

Description (applies to both 802.11n procedures):
  An 802.11 packet is sent as an MPDU, requiring channel competition and backoff
  and consuming channel resources. The 802.11n MPDU aggregation function
  aggregates multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so
  that N MPDUs can be transmitted through one channel competition and backoff.
  This function saves the channel resources to be consumed for sending N-1 MPDUs.
  The MPDU aggregation function improves channel efficiency and 802.11 network
  performance.
  Before configuring the length of an A-MPDU, run the undo ht a-mpdu disable
  command to enable the MPDU aggregation function.

Procedure: Configure 802.11ac parameters / Configure the maximum length of an A-MPDU
Command:
  vht a-mpdu max-length-exponent max-length-exponent-index
  By default, the index for the maximum length of an A-MPDU is 7. The maximum
  length of the A-MPDU is 1048575 bytes.
Description:
  An 802.11 packet is sent as an MPDU, requiring channel competition and backoff
  and consuming channel resources. The 802.11ac MPDU aggregation function
  aggregates multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so
  that multiple MPDUs can be transmitted through one channel competition and
  backoff. This function saves the channel resources to be consumed for sending
  multiple MPDUs. The MPDU aggregation function improves channel efficiency and
  802.11 network performance.
  The length of an A-MPDU can only be configured in a 5G radio profile.

Procedure: Configure 802.11ac parameters / Enable the function of sending 802.11ac
packets in A-MSDU mode
Command:
  vht a-msdu enable
  By default, the function of sending 802.11 frames in A-MSDU mode is disabled.
Description:
  The function of sending 802.11 frames in A-MSDU mode can reduce MAC layer costs
  of the 802.11 packets and improve packet transmission efficiency especially
  when short MSDUs are aggregated.
  The function can only be configured in a 5G radio profile.

Procedure: Configure 802.11ac parameters / Configure the maximum number of
subframes that can be aggregated into an A-MSDU
Command:
  vht a-msdu max-frame-num max-frame-number
  By default, a maximum of two subframes can be aggregated into an A-MSDU at one
  time.
Description:
  A-MSDU technology aggregates multiple MSDUs into an MPDU to reduce the MAC
  layer cost of 802.11 packets.
  Before configuring the maximum number of subframes that can be aggregated into
  an A-MSDU, run the vht a-msdu enable command to enable the function of sending
  802.11 packets in A-MSDU mode.
  The configuration can only be performed in a 5G radio profile.

Procedure: Configure the guard interval (GI) mode
Command:
  guard-interval-mode { short | normal }
  By default, the GI mode is normal.
Description:
  The GI mode is classified into the short GI and normal GI. The normal GI is
  800 ns, and the short GI is 400 ns. The short GI is applicable to 802.11n and
  802.11ac standards, which can raise the transmission rate of 802.11n and
  802.11ac packets.

Procedure: Disable radios from sending packets at maximum power
Command:
  utmost-power disable
  By default, a radio can send packets at maximum power.
Description:
  The command takes effect only for the country code CN. You can use the command
  to configure a radio to send packets at maximum power supported by the radio or
  maximum power allowed by the country code. After a radio is disabled from
  sending packets at maximum power, the radio uses the maximum power allowed by
  the country code to send packets.
  Except the country code CN, a radio can only send packets using the maximum
  power allowed by the country codes.

----End

4.10.1.5 Binding a Radio Profile

Context
After the configuration in a radio profile is complete, you need to bind the radio
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to
APs, the configuration in a radio profile can take effect on the APs.

After a radio profile is applied to an AP group or AP, the parameter settings in the
profile take effect on all radios of the AP group or AP. After a radio profile is
applied in the AP group radio or AP radio view, the parameter settings in the
profile take effect on the specified AP radio or radios in the AP group. The
configuration under an AP and AP radio has a higher priority than that under an
AP group and AP group radio. The 2G and 5G radio profiles take effect on 2G and
5G radios, respectively.

Procedure
● Bind a radio profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.

By default, the 2G radio profile default and 5G radio profile default are
bound to an AP group.
● Bind a radio profile to an AP.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.

By default, no 2G radio profile or 5G radio profile is bound to an AP.


● Apply a radio profile in the AP group radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the radio radio-id command to enter the radio view.

e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name
command to bind the radio profile to the radio.

By default, the 2G radio profile default and 5G radio profile default are
bound to an AP group radio.
● Apply a radio profile in the AP radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the radio radio-id command to enter the radio view.
e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name
command to bind the radio profile to the radio.

By default, no 2G radio profile and 5G radio profile are bound to an AP
radio.

----End

4.10.1.6 Verifying the Radio Configuration

Prerequisites
The radio profile configuration is complete.

Procedure
● Run the display radio-2g-profile { all | name profile-name } command to
check configuration and reference information about a 2G radio profile.
● Run the display radio-5g-profile { all | name profile-name } command to
check configuration and reference information about a 5G radio profile.
● Run the display references radio-2g-profile name profile-name command to
check reference information about a 2G radio profile.
● Run the display references radio-5g-profile name profile-name command to
check reference information about a 5G radio profile.
● Run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check configurable channels supported by an AP.
● Run the display ap config-info { ap-name ap-name | ap-id ap-id } command
to check the AP configuration.

----End

4.10.2 Configuring a VAP

4.10.2.1 Creating a VAP Profile

Context
After you create a VAP profile, configure parameters in the profile. After the
profile is applied in the AP group view, AP view, AP radio view, or AP group radio
view, VAPs are generated and can provide wireless access services for STAs. You
can configure different parameters in the VAP profile to enable APs to provide
different wireless services.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run vap-profile name profile-name

A VAP profile is created, and the VAP profile view is displayed.

By default, the system provides the VAP profile default.

----End

4.10.2.2 Configuring a Data Forwarding Mode

Context
Packets transmitted on a WLAN include control packets (management packets)
and data packets. Control packets are forwarded through CAPWAP control tunnels.
Data packets are forwarded in tunnel forwarding (centralized forwarding) or direct
forwarding (local forwarding) mode according to whether data packets are
forwarded through CAPWAP data tunnels.

Table 4-6 lists the comparison between tunnel forwarding and direct forwarding.

Table 4-6 Comparison between tunnel forwarding and direct forwarding

Data forwarding mode: Tunnel forwarding
Advantage: An AC forwards data packets in a centralized manner, ensuring security
and facilitating centralized management and control. New devices are easy to
deploy and configure, with small changes to the existing network.
Disadvantage: Service data must be forwarded by an AC, reducing packet forwarding
efficiency and burdening the AC.

Data forwarding mode: Direct forwarding
Advantage: Service data does not need to be forwarded by an AC, improving packet
forwarding efficiency and reducing the burden on the AC.
Disadvantage: Service data cannot be centrally managed or controlled. New device
deployment causes large changes to the existing network.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run forward-mode { direct-forward | tunnel }
A data forwarding mode is configured in a VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 5 (Optional) Run qos group qos-group-value
A QoS group to which packets belong is configured.
By default, packets do not belong to any QoS group.

NOTE

● The QoS group bound to a VAP profile takes effect only in tunnel forwarding mode but
not in direct forwarding mode.
● This command takes effect after CAPWAP packets are decapsulated. That is, this
command takes effect only for outgoing packets and applies to forwarding from the
LAN to the WAN.
● Only V300R019C11 and later versions support this function.

----End

4.10.2.3 Configuring Service VLANs

Context
Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.
Since WLANs provide flexible access modes, STAs may connect to the same WLAN
at the office entrance or stadium entrance, and then roam to different APs. If a
single VLAN is configured as the service VLAN, IP address resources may become
insufficient in areas where many STAs access the WLAN, and IP addresses in the
other areas are wasted.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run service-vlan { vlan-id vlan-id }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.

----End

4.10.2.4 (Optional) Improving VAP Security

Context
You can perform the following configurations to improve VAP security: enable STA
address learning, strict STA IP address learning through DHCP, IP source guard on
an AP, and disable DHCP trusted port functions on an AP.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Improve VAP security.

Procedure: Enable STA address learning
Command:
  undo learn-client-address disable
  By default, STA address learning is enabled.
Description:
  If a STA associates with an AP that has STA address learning enabled and obtains
  an IP address, the AP automatically reports the STA IP address to the AC to
  maintain the STA's IP address and MAC address binding entry.
  Enabling STA address learning is a prerequisite for enabling strict STA IP
  address learning through DHCP.

Issue 06 (2021-08-06) Copyright © Huawei Technologies Co., Ltd. 81


NetEngine AR
CLI-based Configuration Guide - WLAN-AC 4 Basic WLAN Service Configuration

Procedure Command Description

Enable strict STA IP learn-client-address When a STA associates with an


address learning dhcp-strict [ blacklist AP, the following situation
through DHCP enable ] occurs after strict STA IP
By default, strict STA IP address learning through
address learning through DHCP is enabled:
DHCP is disabled. ● If the STA obtains an IP
address through DHCP, the
AP will automatically report
the IP address to the AC.
The STA IP address can be
used to maintain the
mapping between STA IP
addresses and MAC
addresses.
● For a STA using a static IP
address:
If blacklist enable is
specified, the STA will be
added to a dynamic
blacklist of the AP and
cannot associate with the
AP before the blacklist
entry ages.
If blacklist enable is not
specified, the STA can
associate with the AP but
the AP does not learn the IP
address of the STA.
After strict STA IP address
learning is enabled, it is
recommended that you run
the ip source check user-bind
enable commands to enable
IP source guard so that STAs
cannot communicate with the
network before obtaining an IP
address through DHCP.

Issue 06 (2021-08-06) Copyright © Huawei Technologies Co., Ltd. 82


NetEngine AR
CLI-based Configuration Guide - WLAN-AC 4 Basic WLAN Service Configuration

Procedure Command Description

Enable IP source ip source check user- IP source guard checks IP


guard on an AP. bind enable packets against the binding
By default, IP source table to defend against source
guard is disabled on APs. IP address spoofing attacks.
IP source guard takes effect
only when both the undo
learn-client-address disable
and ip source check user-bind
enable commands are
executed.
If an offline STA goes online
again on the AC enabled with
STA address learning, you may
not view the IP address of the
STA. To solve this problem,
enable IP source guard.

Disable DHCP undo dhcp trust port If a bogus DHCP server is


trusted port on an By default, the DHCP deployed at the user side, STAs
AP. trusted interface is may obtain incorrect IP
disabled in the VAP addresses and network
profile view and enabled configuration parameters and
on the AP's uplink cannot communicate properly.
interface in the AP wired After the undo dhcp trust
port profile view. port command is executed in
the VAP profile view, an AP
discards the DHCP OFFER,
ACK, and NAK packets sent by
the bogus DHCP server and
reports to the AC about the IP
address of the unauthorized
DHCP server.
Usually, you need to run the
dhcp trust port command in
an AP wired port profile to
enable a DHCP trusted port on
an AP. After that, the AP
receives the DHCP OFFER,
ACK, and NAK packets sent by
authorized DHCP servers and
forwards the packets to STAs
so that the STAs can obtain
valid IP addresses and go
online. For the detailed
configuration, see 4.11.6
Managing an AP's Wired
Interface.

Issue 06 (2021-08-06) Copyright © Huawei Technologies Co., Ltd. 83


NetEngine AR
CLI-based Configuration Guide - WLAN-AC 4 Basic WLAN Service Configuration

Procedure Command Description

Enable broadcast undo anti-attack If a large number of broadcast


flood attack broadcast-flood disable packets are sent to a device in
detection. By default, the broadcast a short time, the device
flood detection function becomes busy processing the
is enabled. packets and cannot process
normal services. To prevent
broadcast flood attacks, you
can configure broadcast flood
detection.
After broadcast flood detection
is enabled, you can run the
anti-attack broadcast-flood
sta-rate-threshold sta-rate-
threshold command to set a
broadcast flood threshold.
● When the traffic rate
exceeds the threshold, the
device considers a
broadcast flood attack from
the STA and discards the
broadcast traffic. This
prevents the upper-layer
network from being
affected by the broadcast
flood.
● If you enable the broadcast
flood blacklist function the
undo anti-attack
broadcast-flood blacklist
disable command, the
device adds broadcast flood
STAs to the blacklist.

----End
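How the STA address learning, strict DHCP learning and IP source guard rows of the table above interact, as an added example that is not part of the original guide: a simplified Python model of one VAP that follows only the behaviour stated in the table. The class and method names are hypothetical, the MAC and IP addresses are constructed, and learning a static address when dhcp-strict is off is an assumption read from the wording of the first row.

```python
from dataclasses import dataclass, field


@dataclass
class VapModel:
    """Toy model of one VAP; field defaults mirror the defaults in the table."""
    learn_client_address: bool = True   # undo learn-client-address disable
    dhcp_strict: bool = False           # learn-client-address dhcp-strict
    blacklist_enable: bool = False      # ... dhcp-strict blacklist enable
    ip_source_guard: bool = False       # ip source check user-bind enable
    bindings: dict = field(default_factory=dict)  # STA MAC -> learned IP
    blacklist: set = field(default_factory=set)   # dynamic blacklist, ageing not modelled

    def associate(self, mac: str) -> bool:
        """A STA on the dynamic blacklist cannot associate until the entry ages."""
        return mac not in self.blacklist

    def learn(self, mac: str, ip: str, via_dhcp: bool) -> str:
        """Record how the AP treats an address that a STA starts using."""
        if not self.learn_client_address:
            return "not-learned"
        if via_dhcp or not self.dhcp_strict:
            # Assumption: without dhcp-strict, any address the STA obtains is learned.
            self.bindings[mac] = ip
            return "learned"
        if self.blacklist_enable:
            self.blacklist.add(mac)
            self.bindings.pop(mac, None)
            return "blacklisted"
        return "not-learned"  # static address in strict mode without blacklist

    def guard_active(self) -> bool:
        """IP source guard needs both address learning and the user-bind check."""
        return self.learn_client_address and self.ip_source_guard

    def forward(self, mac: str, src_ip: str) -> bool:
        """Return True if a packet from this STA with this source IP is forwarded."""
        if mac in self.blacklist:
            return False  # the STA is not associated
        if not self.guard_active():
            return True   # nothing is checked against the binding table
        return self.bindings.get(mac) == src_ip


def scenario(**settings) -> dict:
    """Run the same constructed traffic against a VAP with the given settings."""
    vap = VapModel(**settings)
    dhcp_sta, static_sta = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
    vap.learn(dhcp_sta, "192.0.2.10", via_dhcp=True)
    static_result = vap.learn(static_sta, "192.0.2.99", via_dhcp=False)
    return {
        "dhcp_sta_own_ip": vap.forward(dhcp_sta, "192.0.2.10"),
        "dhcp_sta_spoofed_ip": vap.forward(dhcp_sta, "192.0.2.1"),
        "static_sta": static_result,
        "static_sta_traffic": vap.forward(static_sta, "192.0.2.99"),
        "static_sta_can_reassociate": vap.associate(static_sta),
    }


if __name__ == "__main__":
    cases = {
        "defaults": {},
        "guard only": {"ip_source_guard": True},
        "strict only": {"dhcp_strict": True},
        "strict + guard": {"dhcp_strict": True, "ip_source_guard": True},
        "strict + blacklist + guard": {"dhcp_strict": True, "blacklist_enable": True,
                                       "ip_source_guard": True},
        "guard without learning": {"learn_client_address": False, "ip_source_guard": True},
    }
    for name, settings in cases.items():
        print(f"{name}: {scenario(**settings)}")
```

The "strict only" case shows why the table recommends pairing dhcp-strict with IP source guard: without the guard, the unlearned static-IP STA still has its traffic forwarded.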

4.10.2.5 (Optional) Adjusting VAP Parameters

Context
You can flexibly adjust VAP parameters to adapt to different network
requirements.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run type { ap-management | service }
Set the VAP type.
By default, the type of a VAP is service.

NOTE

The VAP profile in which the VAP type is set to management AP can only be applied to one
radio of an AP.

----End

4.10.2.6 Configuring a Security Profile

Context
As WLAN technology uses radio signals to transmit service data, service data can
easily be intercepted or tampered with by attackers when being transmitted on
open wireless channels. Security is critical to WLANs. You can create a security
profile to configure security policies, which protect privacy of users and ensure
data transmission security on WLANs.
A security profile provides four WLAN security policies: Wired Equivalent Privacy
(WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and
Privacy Infrastructure (WAPI). Each security policy has a series of security
mechanisms, including the link authentication mechanism used to establish a
wireless link, user authentication mechanism used when users attempt to connect
to a wireless network, and data encryption mechanism used during data
transmission.
If no security policy is configured during the creation of a security profile, the
default authentication mode (open system authentication) is used. When a user
searches for a wireless network, the user can connect to the wireless network
without being authenticated.
The default security policy has low security. You are advised to configure a proper
security policy. For details on how to configure security policies, see WLAN
Security Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.

Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default and default-wds are available in the system.
After a security profile is created, you need to configure a proper security policy
according to service requirements because the default security policy has security
risks. For the detailed configuration, see Configuring a WLAN Security Policy.
Step 4 Run quit
Return to the WLAN view.
Step 5 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 6 Run security-profile profile-name
The security profile is bound to a VAP profile.
By default, the security profile default is bound to a VAP profile.

----End

4.10.2.7 Configuring a Traffic Profile

Context
To protect network resources and prevent network congestion, configure a traffic
profile to limit the rate of traffic entering the WLAN.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run rate-limit { client | vap } { up | down } rate-value
The rate limit of upstream and downstream packets is configured for all STAs or
each STA on a VAP.
By default, the rate limit for upstream and downstream packets of all STAs on a
VAP is 4294967295 kbit/s, and that of each STA is 4294967295 kbit/s.
Step 5 Run quit
Return to the WLAN view.

Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

4.10.2.8 Configuring an SSID Profile

Context
SSIDs identify different wireless networks. When you search for available wireless
networks on your laptop, the displayed wireless network names are SSIDs. In an
SSID profile, you can define an SSID name and configure related parameters. After
the SSID profile configuration is complete, bind the SSID profile to a VAP profile.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
An SSID profile is created, and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 4 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 5 (Optional) Run ssid-hide enable
SSID hiding in Beacon frames is enabled.
By default, SSID hiding in Beacon frames is disabled in an SSID profile.
When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure
security. Only the users who know the SSID can connect to the WLAN.
Step 6 (Optional) Run max-sta-number max-sta-number
The maximum number of successfully associated STAs on a VAP is configured.
By default, a VAP allows for a maximum of 64 successfully associated STAs.
The more users access a VAP, the fewer network resources each user can
occupy. To ensure the Internet experience of users, configure a proper
maximum number of access users on a VAP according to actual network
situations.
Step 7 (Optional) Run reach-max-sta hide-ssid disable
APs are disabled from automatically hiding SSIDs when the number of users
reaches the maximum.
By default, automatic SSID hiding is enabled when the number of users reaches
the maximum.
After automatic SSID hiding is enabled, SSIDs are automatically hidden when the
number of users connected to the WLAN reaches the maximum, and SSIDs are
unavailable for new users.
Step 8 (Optional) Run legacy-station disable
Access of legacy terminals is denied.
By default, access of legacy terminals is permitted.
Legacy terminals support only 802.11a, 802.11b, or 802.11g and provide a rate far
lower than 802.11n and 802.11ac terminals. If legacy terminals access the
wireless network, the data transmission rate of 802.11n and 802.11ac terminals
is reduced. To prevent the transmission rate of 802.11n and 802.11ac
terminals from being affected, deny access of legacy terminals.
Step 9 (Optional) Run association-timeout association-timeout
The association aging time of STAs is configured.
By default, the association aging time is 5 minutes.
After the association aging time of STAs is configured, if the AP receives no data
packet from a STA in a specified time, the STA goes offline after the association
aging time expires.
Step 10 (Optional) Run dtim-interval dtim-interval
A DTIM interval is configured.
By default, the DTIM interval is 1.
The DTIM interval specifies how many Beacon frames are sent before the Beacon
frame that contains the DTIM. An AP sends a Beacon frame to wake a STA in
power-saving mode, indicating that the saved broadcast and multicast frames will
be transmitted to the STA.
● A short DTIM interval helps transmit data in a timely manner, but the STA is
wakened frequently, causing high power consumption.
● A long DTIM interval lengthens the dormancy time of a STA and saves power,
but degrades the transmission capability of the STA.
Step 11 (Optional) Run active-dull-client enable
The function of preventing terminals from entering energy-saving mode is
enabled.
By default, the function of preventing terminals from entering energy-saving
mode is disabled.

Some terminals may not run services normally after entering energy-saving
mode. You can run the active-dull-client enable command to enable the function
of preventing terminals from entering energy-saving mode. After that, an AP
frequently sends null data frames to these terminals to prevent them from
entering energy-saving mode, ensuring normal services.
Step 12 Run quit
Return to the WLAN view.
Step 13 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 14 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.

----End

4.10.2.9 Binding VAP Profiles

Context
After the configuration in a VAP profile is complete, you need to bind the VAP
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to
APs, the configuration in a VAP profile can take effect on the APs.
After a VAP profile is applied to an AP group or AP, the parameter settings in the
profile take effect on all radios of the AP group or AP. After a radio profile is
applied in the AP group radio or AP radio view, the parameter settings in the
profile take effect on the specified AP radio or radios in the AP group.

Procedure
● Bind a VAP profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ]
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind a VAP profile to an AP.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ]
command to bind the VAP profile to the radio.

By default, no VAP profile is bound to a radio.
● Apply a VAP profile in the AP group radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the radio radio-id command to enter the radio view.
e. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to the radio.

By default, no VAP profile is bound to a radio.


● Apply a VAP profile in the AP radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the radio radio-id command to enter the radio view.
e. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to the radio.

By default, no VAP profile is bound to a radio.

----End

4.10.2.10 Verifying the VAP Configuration

Prerequisites
The configuration of the VAP, security, and SSID profiles is complete.

Procedure
● Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-
name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ]
command to check service VAP information.
● Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
● Run the display references vap-profile name profile-name command to
check reference information about a VAP profile.
● Run the display security-profile { all | name profile-name } command to
check configuration and reference information about a security profile.
● Run the display references security-profile name profile-name command to
check reference information about a security profile.
● Run the display ssid-profile { all | name profile-name } command to check
configuration and reference information about an SSID profile.
● Run the display references ssid-profile name profile-name command to
check reference information about an SSID profile.

● Run the display vap create-fail-record all command to check records about
VAP creation failures.
● Run the display wlan config-errors command to check WLAN configuration
errors.

----End

4.10.3 Delivering the WLAN Service Configuration

Context
The WLAN service parameters configured on an AC take effect only after you run
the commit command to deliver the configuration to APs.

NOTE

If you commit configurations to a large number of APs simultaneously, some of the APs may fail
to receive the configurations. In this case, you are advised to commit the configurations again.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

4.10.4 Checking the STA Online Result

Context
After basic WLAN service configurations are complete, APs generate WLAN signals
in their coverage ranges. Users can use STAs, such as mobile phones and laptops
with wireless network adapters to associate with WLANs of the configured SSIDs.
After entering the user names and passwords, users can associate with the
WLANs. By checking the STA online result, you can see which STAs are connected
to the WLAN.

Procedure
● Run the display station { ap-group ap-group-name | ap-name ap-name |
ap-id ap-id | ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all }
command to check STA access information.

----End

4.11 Managing APs


Pre-configuration Tasks
Before managing APs, complete the task in 4.9 Configuring APs to Go Online.

Procedure
The following tasks can be performed in any sequence.

4.11.1 Managing AP Equipment

4.11.1.1 Modifying AP Names

Context
When an AP name conflicts with another AP name or you need to change an AP
name to a more suitable name, you can modify the AP name.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap-rename { ap-name name | ap-mac ap-mac-address | ap-id ap-id }
new-name ap-new-name

A new name is configured for an AP.

NOTE

The new AP name cannot be the same as the existing AP name.

----End

4.11.1.2 Modifying the AP Group to Which APs Belong

Context
If the current AP group is not applicable to an AP or the AP is added to an
incorrect AP group, you can modify configurations to add the AP to a new AP
group.

NOTICE

Modifying the AP group results in AP restart and service interruption. Exercise
caution when performing this operation.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap-regroup { ap-name ap-name | ap-id ap-id } new-group new-group-name

An AP is added to a new AP group.

NOTE

The AP group to which an AP is added must have been created using the ap-group name
group-name command.

----End

4.11.1.3 Performing an In-Service Upgrade on APs

Context
To upgrade the functions or versions of an existing WLAN, perform an in-service
upgrade on APs on the WLAN.

In an in-service upgrade, an AP is already online. If the AP finds that its version is
different from the version of the AP upgrade file specified on the AC, the AP starts
to upgrade its version.

Unlike automatic upgrade, an in-service upgrade allows an AP to work properly
without affecting services. To minimize the impact of an AP upgrade, you are
advised to configure APs to download upgrade files in the daytime and reset the
APs in batches at night. For details about automatic upgrade, see 4.9.5
(Optional) Configuring Automatic Upgrade When APs Go Online.

In an in-service upgrade, APs support the upgrade modes of single AP upgrade,
upgrade based on the AP type, upgrade based on the AP type and group, and
upgrade based on the AP group.
● Upgrade of a single AP: allows you to upgrade a single AP to check whether
the upgrade version can function properly. If the upgrade is successful,
upgrade other APs in batches.
● AP upgrade based on the AP type: allows you to upgrade APs of the same
type.
● AP upgrade based on the AP type and group: allows you to upgrade APs of
the same type in the same group.

● AP upgrade based on the AP group: allows you to upgrade APs in the same
AP group.

NOTE

In an in-service upgrade, if APs fail to load the upgrade file and are reset, APs are upgraded
automatically.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run the following commands as required.
● FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
The default upgrade mode is ftp-mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username
ftp-username ftp-password cipher ftp-password
Basic FTP information is configured.
By default, an FTP server has no IP address, name, or password
configured.
c. Run ap update ftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is
configured.
By default, a maximum of 50 APs can be upgraded simultaneously in FTP
mode.

NOTE

An external FTP server can be used, which is recommended. The AC can also function
as the FTP server.

▪ When an external FTP server is used, the maximum number of APs that can be
upgraded simultaneously is the configured max-connect-number.

▪ If an AC is used as the FTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server
max-connect-number max-connect-number command to set the maximum number
of APs that can be upgraded simultaneously. The value of max-connect-number
is an integer ranging from 1 to 5. During the upgrade, a maximum of 1 to 5 APs
can be upgraded at a time until all APs are upgraded. If the configured number
of APs to be upgraded simultaneously is larger than 5, an error message will be
displayed after the first 5 APs are upgraded. The remaining APs cannot be
automatically upgraded. You have to repeat the command until all APs are
upgraded.
● SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
The default upgrade mode is ftp-mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username
sftp-username sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, the IP address, user name, and password of the SFTP server
are not configured.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is
configured.
By default, a maximum of 50 APs can be upgraded simultaneously in
SFTP mode.
NOTE

An external SFTP server can be used, which is recommended. The AC can also
function as the SFTP server.

▪ When an external SFTP server is used, the maximum number of APs that can be
upgraded simultaneously is the configured max-connect-number.

▪ If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server
max-connect-number max-connect-number command to set the maximum number
of APs that can be upgraded simultaneously. The value of max-connect-number
is an integer ranging from 1 to 5. During the upgrade, a maximum of 1 to 5 APs
can be upgraded at a time until all APs are upgraded.
If max-connect-number is set larger than 5, an error message will be displayed
after the first five APs are upgraded. The remaining APs cannot be automatically
upgraded. You have to repeat the command until all APs are upgraded.

Step 4 Configure in-service upgrade.

● Perform an in-service upgrade on a single AP.
a. Run ap update load { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
update-filename update-file-name
The specified AP is upgraded.
b. Run ap update reset { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
The specified AP is reset for upgrade.
● Upgrade APs of the same AP type.
a. Run ap update update-filename filename ap-type type-id [ ap-group
ap-group-name ]
The upgrade file name for APs of a specified type is specified.
b. Run ap update multi-load ap-type type-id [ ap-group group-name |
{ ap-name ap-name | ap-id ap-id } &<1-10> ]
APs are upgraded in batches based on the AP type.
c. Run ap update multi-reset ap-type type-id [ ap-group group-name |
{ ap-name ap-name | ap-id ap-id } &<1-10> ]
APs of the specified AP type are reset in batches.

----End

4.11.1.4 Resetting an AP

Context
If an AP cannot work properly after being upgraded, reset the AP. You can run the
display ap all command and check the State field to determine whether an AP
is working properly. If the State field displays name-conflicted, ver-mismatch,
config, config-failed, committing, or commit-failed, the AP is not working properly.

NOTICE
Exercise caution when resetting an AP because services on the AP will be
interrupted.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are reset.

----End

4.11.1.5 Restoring the Factory Settings of an AP

Context
You can delete the current and historical user configurations and restore the
factory settings of APs.

When the configuration on an AP is incorrect or deleted, you can restore the
factory settings of the AP.

NOTICE

Restoring the factory settings of an AP will reset the AP and restore all the AP
configurations to factory settings.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap manufacturer-config { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
The factory settings of the specified AP are restored.

----End

4.11.1.6 Deleting an AP

Context
To disconnect an AP from the current AC or enable an AP to go online on another
AC, you can delete the AP from the current AC.

NOTICE

Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution
when you delete an AP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group
group-name | all }
An AP is deleted.

----End

4.11.1.7 Verifying the AP Management Configuration

Procedure
● Run the display ap { all | ap-group ap-group } command to check AP
information.
● Run the display ap update configuration command to check the AP upgrade
configuration.
● Run the display ap update status { all | downloading | failed | succeed | ap-
name ap-name | ap-id ap-id } command to check the AP upgrade progress.
● Run the display ap-type { all | id type-id | type ap-type } command to check
information about AP types.
● Run the display ap version { all | { ap-group ap-group-name | version-name
version-name } * } command to check information about AP versions.
----End

4.11.2 Managing AP Wired Login

Context
You can log in to an AP through the console port, STelnet, SFTP, or Telnet in wired
mode. When you do not need to log in to an AP, the login modes are disabled to
ensure AP security and prevent unauthorized users from logging in through these
modes. To log in to the AP, enable one or more login modes.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap username username password cipher

The user name and password for AP login are configured.

The default username and password are available in AR Router Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.

Step 4 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 5 Run undo stelnet server disable

The STelnet service function is enabled.

By default, the STelnet server function is enabled on an AP.

Step 6 (Optional) Run undo console disable

AP login through the console port is enabled.

By default, a user can log in to the AP through a console interface.

Step 7 (Optional) Run undo sftp server disable

The SFTP service function is enabled.

By default, the SFTP server function is enabled on an AP.

Step 8 (Optional) Run telnet enable

The Telnet service function is enabled.

By default, Telnet is disabled on an AP.

Step 9 Run quit

Return to the WLAN view.

Step 10 Bind an AP system profile to an AP group or AP.


● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

Step 11 Run quit

Return to the WLAN view.

Step 12 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

Checking the Configuration


● Run the display ap username [ ap-name ap-name | ap-id ap-id ] command
to check the user name for AP login.
● Run the display ap-system-profile { all | name profile-name } command to
check configuration and reference information about an AP system profile.
● Run the display references ap-system-profile name profile-name command
to check reference information about an AP system profile.

4.11.3 Managing AP Wireless Login

Context
In addition to logging in through a wired interface, you can log in to an AP
through Telnet over WLANs. Currently, only the Telnet login mode is supported in
wireless mode. To log in to an AP wirelessly through Telnet, set the VAP type to
management AP, configure an IP address in the same network segment as the AP
for a STA, and telnet to the IP address of the AP.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
The default username and password are available in AR Router Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained access permission for the document, see Help on the website to find
out how to obtain it.
Step 4 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 5 Run telnet enable
The Telnet service function is enabled.
By default, Telnet is disabled on an AP.
Step 6 Run quit
Return to the WLAN view.

Step 7 Run vap-profile name profile-name


The VAP profile view is displayed.
By default, the system provides the VAP profile default.
Step 8 Run type ap-management
The VAP type is set to management AP.
By default, the type of a VAP is service.

NOTE

The VAP profile in which the VAP type is set to management AP can only be applied to one
radio of an AP.

Step 9 Run quit


Return to the WLAN view.
Step 10 Bind an AP system profile and a VAP profile to an AP group or AP.
● Bind a VAP profile and an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind a VAP profile and an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
c. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
Step 11 Run quit
Return to the WLAN view.
Step 12 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End

Checking the Configuration


● Run the display ap username [ ap-name ap-name | ap-id ap-id ] command
to check the user name for AP login.

● Run the display ap-system-profile { all | name profile-name } command to
check configuration and reference information about an AP system profile.
● Run the display references ap-system-profile name profile-name command
to check reference information about an AP system profile.
● Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
● Run the display references vap-profile name profile-name command to
check reference information about a VAP profile.

4.11.4 Configuring Antenna Alignment VAPs

Context
During WDS network deployment, you can configure antenna alignment VAPs for
WDS nodes to facilitate antenna alignment between neighboring APs. When
commissioning the network onsite, connect a mobile terminal to an antenna
alignment VAP and start the antenna alignment program on the terminal to
collect signal strength information of the peer AP radio. The collected information
makes antenna alignment easier.
You can log in to the Huawei technical support website and search for Probe Handset
Unit to download the Antenna Alignment program.
● Enterprise technical support website: https://support.huawei.com/enterprise
● Carrier technical support website: https://support.huawei.com

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile used by antenna alignment VAPs is created and the security
profile view is displayed.
By default, security profiles default and default-wds are available in the system.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value
{ aes | tkip | aes-tkip }
The security policy and key are configured.
By default, the security policy is open system.

NOTE

The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication mode.
You can run the security wep share-key and wep key key-id { wep-40 | wep-104 | wep-128 }
{ pass-phrase | hex } key-value commands to configure WEP authentication.

Step 5 Run quit


Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
The SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
A VAP profile is created and the VAP profile view is displayed.
By default, the system provides the VAP profile default.
Step 10 Run temporary-management enable
The VAPs are configured as the offline management VAP and antenna alignment
VAP.
By default, a VAP is a service VAP.
Step 11 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 12 Run security-profile profile-name
The security profile is bound to a VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 15 Run temporary-management enable
The offline management VAP and antenna alignment VAP functions are enabled.
By default, offline management VAP and antenna alignment VAP functions are
disabled.
Step 16 Run quit
Return to the WLAN view.

Step 17 Apply the VAP profile. You can use any of the following methods:
● Bind the VAP profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the radio radio-id command to enter the radio view.
c. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to AP group radios.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to the AP radio.
By default, no VAP profile is bound to a radio.
Step 18 Run quit
Return to the WLAN view.
Step 19 Apply the AP system profile. You can use any of the following methods:
● Bind the AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
● Bind the AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.

By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
Step 20 Run quit
Return to the WLAN view.
Step 21 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End
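The login and VAP settings from 4.11.2 to 4.11.4 can be reviewed offline against a saved AC configuration. The Python script below is an added example, not part of this guide: it lists, per AP group, the bound profiles that enable Telnet, disable STelnet, or create management or antenna alignment VAPs, and checks the security profile behind those VAPs for WEP or TKIP. The sample configuration and every profile name in it are constructed, and the script assumes that commands inside a view are indented under the view's name line and that stelnet server disable is the inverse of the undo command shown in the procedure.

```python
import re

# Constructed sample of a saved AC configuration; every name is made up.
SAMPLE_CONFIG = """\
wlan ac
 security-profile name align-sec
  security wpa-wpa2 psk pass-phrase <constructed-key> aes-tkip
 ssid-profile name align-ssid
  ssid align-01
 vap-profile name align-vap
  temporary-management enable
  ssid-profile align-ssid
  security-profile align-sec
 vap-profile name mgmt-vap
  type ap-management
 vap-profile name corp-vap
  security-profile corp-sec
 ap-system-profile name field
  telnet enable
  temporary-management enable
 ap-system-profile name office
  stelnet server disable
 ap-group name yard
  ap-system-profile field
  vap-profile align-vap wlan 1 radio 0
  vap-profile mgmt-vap wlan 2 radio 1
 ap-group name floor1
  ap-system-profile office
  vap-profile corp-vap wlan 1 radio all
"""

VIEW = re.compile(
    r"^(security-profile|vap-profile|ap-system-profile|ap-group) name (\S+)$")
# AP system profile commands from 4.11.2 to 4.11.4 that affect AP login.
SYSTEM_CHECKS = {
    "telnet enable": "Telnet login enabled (cleartext; disabled by default)",
    "stelnet server disable": "STelnet server disabled",
    "temporary-management enable": "temporary-management VAPs enabled",
}
MGMT_VAP = ("type ap-management", "temporary-management enable")

def parse_views(text):
    """Return {(kind, name): [commands]} for each profile and AP group view."""
    views, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        match = VIEW.match(line)
        if match:
            current, depth = (match.group(1), match.group(2)), indent
            views.setdefault(current, [])
        elif current and indent > depth:
            views[current].append(line)
        else:
            current = None  # left the view, or entered one that is not audited
    return views

def security_issues(commands):
    """Weak points of one security profile, judged from its security command."""
    policies = [c.split() for c in commands if c.startswith("security ")]
    if not policies:
        return ["no security command in file (guide default: open system)"]
    issues = []
    for words in policies:
        if words[1] == "wep":
            issues.append("WEP authentication")
        if words[-1] in ("tkip", "aes-tkip"):
            issues.append("TKIP permitted (%s)" % words[-1])
    return issues

def audit(text):
    """Return (ap_group, profile, finding) for every profile bound to a group."""
    views, findings = parse_views(text), []
    for (kind, group), bindings in views.items():
        for words in (b.split() for b in bindings if kind == "ap-group"):
            if len(words) < 2:
                continue
            profile = views.get((words[0], words[1]), [])
            if words[0] == "ap-system-profile":
                findings += [(group, words[1], note)
                             for cmd, note in SYSTEM_CHECKS.items()
                             if cmd in profile]
            roles = [c for c in profile if c in MGMT_VAP]
            if words[0] != "vap-profile" or not roles:
                continue  # only management VAPs are examined further
            findings.append((group, words[1], "management VAP: " + roles[0]))
            bound = [c.split()[1] for c in profile
                     if c.startswith("security-profile ")]
            name = bound[0] if bound else "default"
            sec = views.get(("security-profile", name), [])
            findings += [(group, words[1],
                          "security profile %s: %s" % (name, issue))
                         for issue in security_issues(sec)]
    return findings

if __name__ == "__main__":
    for group, profile, finding in audit(SAMPLE_CONFIG):
        print("%-7s %-10s %s" % (group, profile, finding))
```

The script follows AP group bindings only; profiles bound in an AP view (ap-id, ap-mac, or ap-name) would need the same lookup.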

4.11.5 Configuring AP System Management

4.11.5.1 Configuring AP Indicators

Context
AP indicator states convey different information, which facilitates
installation and management. Configuring what the blinking of the
Wireless indicator on APs represents lets installation personnel see the current signal
strength or traffic status in real time. However, blinking indicators on indoor APs
deployed in hospitals and hotels may disturb people's rest at night. Therefore, you
can turn off AP indicators after the APs are installed and running properly.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run led off
The AP indicators are turned off.
By default, the AP indicators are allowed to turn on.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
A 2G or 5G radio profile is created and the radio profile view is displayed.
By default, the system provides the 2G radio profile default and 5G radio profile
default.

Step 7 Run wifi-light { signal-strength | traffic }

The information reflected by the blinking frequency of the Wireless indicator on
an AP is configured.

By default,
● If WDS is enabled on an AP, the blinking frequency of the Wireless LED
reflects the strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless
LED reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED
reflects the weakest signal strength of middle APs.
● If the WDS functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.

On a WDS network, you need to adjust AP locations and antenna directions to
obtain strong signals between WDS-capable APs. The blinking frequency of the
Wireless LED shows the signal strength.

NOTE

This command takes effect only when the AP has the WDS function enabled. If the WDS
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Only APs having Wireless LEDs support this command.

Step 8 Run quit

Return to the WLAN view.

Step 9 Bind an AP system profile and a radio profile to an AP group or AP.


● Binding an AP system profile and a radio profile to an AP group
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.
By default, the 2G radio profile default is bound to the 2G radio, and the
5G radio profile default is bound to the 5G radio.
● Bind an AP system profile and a radio profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

c. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.
By default, the 2G radio profile default is bound to the 2G radio, and the
5G radio profile default is bound to the 5G radio.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End

4.11.5.2 Configuring a Management VLAN on an AP

Context
Generally, the PVID of the access device interface to which an AP directly connects
is configured as the management VLAN ID. For details, see 4.5 Configuration
Precautions for Basic WLAN Services. Management packets sent by the AP are
then transmitted on CAPWAP tunnels. When the packets arrive at the access
device, the access device adds the PVID to the packets as their VLAN tags. If the
PVID of the access device has been used as the default VLAN tag of wired users,
the PVID cannot be configured as the management VLAN ID on the access device
interface. In this case, configure a management VLAN on the AP. The AP then
encapsulates the control packets sent to the AC in CAPWAP packets and adds the
management VLAN ID to the packets as their VLAN tags. You only need to
configure the access device to allow only the packets carrying the management
VLAN ID to pass.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run management-vlan vlan-id
A management VLAN is configured for an AP.
By default, no management VLAN is configured for an AP.

NOTE

The configuration takes effect only after the AP is restarted.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind an AP system profile to an AP group or AP.


● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

Step 7 Run quit

Return to the WLAN view.

Step 8 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

4.11.5.3 Configuring the Alarm Function on an AP

Context
● You can configure alarm thresholds on an AP to monitor the AP in real time.
When the configured thresholds are exceeded, the AP generates alarms or
logs to notify the AC of AP status.
The default alarm thresholds are recommended.
● If a STA cannot go online because of a security type mismatch, UAC, or the
access user upper limit being exceeded, the STA automatically reconnects to the AP. During
this period, the AP sends a large number of STA association failure alarms to
the AC, which degrades system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does
not report alarms repeatedly in the alarm suppression period, preventing
alarm storms.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.


Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run cpu-usage threshold threshold
A CPU usage alarm threshold is configured for an AP.
By default, the CPU usage alarm threshold of APs is 90.
Step 5 Run memory-usage threshold threshold
A memory usage alarm threshold is configured for an AP.
By default, the memory usage alarm threshold on an AP is 80.
Step 6 Run high-temperature threshold threshold-value
A high temperature alarm threshold is configured for an AP.

Table 4-7 Default upper temperature alarm threshold of APs

AP Model                                  Default Value (°C)
AP5030DN/AP5130DN                         87
AP6010SN-GN                               85
AP6010DN-AGN                              102
AP6310SN-GN                               94
AP6510DN-AGN                              88
AP6510DN-AGN-US                           81
AP6610DN-AGN                              104
AP6610DN-AGN-US                           100
AP7110SN                                  76
AP7110DN                                  89
AP7030DE/AP8030DN/AP8130DN/AP9330DN       83
AP9131DN                                  84

NOTE

The AP2010DN, AP2030DN, AP3010DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-V2,
AP3030DN, AP4030DN, and AP4130DN do not support this command.

Step 7 Run low-temperature threshold threshold-value

A low temperature alarm threshold is configured for an AP.

Table 4-8 Default lower temperature alarm threshold for APs

AP Model                                                                              Default Value (°C)
AP6010SN-GN/AP6010DN-AGN/AP6310SN-GN/AP7110DN-AGN/AP7110SN-GN/AP9330DN                -13
AP6510DN-AGN/AP6610DN-AGN/AP6510DN-AGN-US/AP6610DN-AGN-US/AP8030DN/AP8130DN/AP9131DN  -43
AP5030DN/AP5130DN                                                                     -28
AP7030DE                                                                              -23

NOTE

The AP2010DN, AP2030DN, AP3010DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-V2,
AP3030DN, AP4030DN, and AP4130DN do not support this command.

Step 8 Configure the alarm suppression function on an AP.


1. Run the alarm-restriction period period command to configure the alarm
suppression period on the AP.

The default alarm suppression period is 60 seconds on an AP.


2. Run the undo alarm-restriction disable command to enable the alarm
suppression function on an AP.

By default, alarm suppression is enabled for an AP.

Step 9 Run quit

Return to the WLAN view.

Step 10 Bind an AP system profile to an AP group or AP.


● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

Step 11 Run quit


Return to the WLAN view.
Step 12 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End

4.11.5.4 Configuring the Log Backup and Log Suppression Functions on an AP

Context
● Logs record user operations and system running information. After logs are
backed up to a server, network administrators can summarize and analyze AP
logs to learn about the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
● If a STA keeps attempting to connect to an AP because of signal interference
or instability, the AP sends a large number of duplicate login and logoff logs
to the AC in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log
about a user to the AC within the log suppression period.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user syslog-restrain period period
The period of system log suppression is configured.
By default, the period of system log suppression is 300s.
Step 3 Run access-user syslog-restrain enable
The system log suppression function is enabled.
By default, system log suppression is enabled.
Step 4 Run wlan ac
The WLAN view is displayed.
Step 5 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 6 Run log-server ip-address server-ip-address
A log server IP address is configured, and log backup is enabled.

By default, the log server IP address is not configured in an AP system profile and
log backup is disabled on an AP.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind an AP system profile to an AP group or AP.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
Step 9 Run quit
Return to the WLAN view.
Step 10 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End
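Alarm suppression (4.11.5.3, 60-second default) and log suppression (4.11.5.4, 300-second default) both reduce what the AC and the log server receive, which matters when a count-based rule runs on that data. The Python sketch below is an added example, not part of this guide: it replays a constructed burst of association failures through both default periods and tests a downstream rule of five events per STA in ten minutes. It assumes suppression is keyed per STA and starts a fixed window at each forwarded event; the guide does not specify either detail, and the rule itself is hypothetical.

```python
def suppress(events, period, key):
    """Forward the first event per key; drop repeats for `period` seconds."""
    last_sent, forwarded = {}, []
    for event in sorted(events):
        k = key(event)
        if k not in last_sent or event[0] - last_sent[k] >= period:
            last_sent[k] = event[0]
            forwarded.append(event)
    return forwarded


def sample_events():
    """Constructed: one STA retries a failing association every 5 s for 10 min."""
    events = [(t, "sta-aa", "assoc-fail") for t in range(0, 600, 5)]
    events.append((42, "sta-bb", "assoc-fail"))  # a second STA fails once
    return events


def server_view(events, period, key=lambda e: e[1]):
    """Per STA: (events seen by the AP, events that reach the AC or server)."""
    sent = suppress(events, period, key)
    return {sta: (sum(e[1] == sta for e in events),
                  sum(e[1] == sta for e in sent))
            for sta in sorted({e[1] for e in events})}


def rule_fires(events, threshold, window):
    """Hypothetical rule: `threshold` events from one STA within `window` s."""
    recent = {}
    for t, sta, _ in sorted(events):
        times = recent.setdefault(sta, [])
        times.append(t)
        while times[0] <= t - window:
            times.pop(0)
        if len(times) >= threshold:
            return True
    return False


if __name__ == "__main__":
    raw = sample_events()
    alarms = suppress(raw, 60, key=lambda e: (e[1], e[2]))   # alarm default
    logs = suppress(raw, 300, key=lambda e: e[1])            # log default
    print("per STA (seen, forwarded) at 300 s:", server_view(raw, 300))
    for label, stream in (("raw", raw), ("alarms", alarms), ("logs", logs)):
        print(label, len(stream), "events, rule fires:",
              rule_fires(stream, threshold=5, window=600))
```

With the default periods, the rule still fires on the alarm stream but not on the log stream, so thresholds applied to backed-up logs have to be set with the suppression period in mind.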

4.11.5.5 Configuring LLDP on an AP

Context
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and
management address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors. After the AP discovers a neighbor, the AP sends neighbor
information to the AC. The NMS then obtains AP's LLDP information from the AC
to learn about the network topology.
To enable an AP to discover neighbors, enable LLDP on the AP and access device
to which the AP directly connects.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run wlan ac


The WLAN view is displayed.
Step 3 Run ap lldp enable
LLDP is enabled in the WLAN view.
By default, LLDP is disabled in the WLAN view.

NOTE

An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view
and the AP wired port link profile view.

Step 4 (Optional) Configure LLDP in the AP wired port link profile view.
1. Run the port-link-profile name profile-name command to create an AP
wired port link profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
2. Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.

NOTE

An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN
view and the AP wired port link profile view.
3. Run the lldp tlv-enable basic-tlv { all | management-address |
port-description | system-capability | system-description | system-name }
command to specify the types of TLVs that can be advertised from an AP's
wired port.
By default, an AP wired interface advertises all types of TLVs.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to create an AP
wired port profile and enter the AP wired port profile view.
By default, the system provides the AP wired port profile default.
6. Run the port-link-profile profile-name command to bind the AP wired port
link profile to an AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port
profile.
7. Run the quit command to return to the WLAN view.
Step 5 Configure LLDP in the WLAN view.
1. Run the ap-system-profile name profile-name command to create an AP
system profile and enter the AP system profile view.
By default, the system provides the AP system profile default.
2. Run the lldp admin-status { rx | tx | txrx } command to configure the LLDP
mode on the AP.
By default, the LLDP operation mode of an AP is TxRx.
3. (Optional) Run lldp report-interval interval-time

The interval at which the AP reports neighbor information to an AC is
configured.
By default, an AP reports LLDP neighbor information to an AC at an interval
of 30 seconds.
4. (Optional) Run lldp restart-delay delay-time
The delay in re-enabling LLDP on the AP is configured.
By default, the delay in re-enabling LLDP on an AP is 2 seconds.
5. (Optional) Run lldp message-transmission interval interval
The interval at which the AP sends LLDP packets to neighbors is configured.
The default LLDP packet transmission interval is 30 seconds.
6. (Optional) Run lldp message-transmission delay delay
The delay in sending LLDP packets to neighbors on the AP is configured.
The default LLDP packet transmission delay is 2 seconds.
7. (Optional) Run lldp message-transmission hold-multiplier hold
The hold time multiplier of AP information on neighbors is configured.
The default hold time multiplier is 4.
8. Run the quit command to return to the WLAN view.
Step 6 Bind the AP system profile and AP wired port profile to an AP group or AP.
● Binding the AP system profile and AP wired port profile to an AP group
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the wired-port-profile profile-name interface-type interface-number
command to bind the AP wired port profile to the AP group.
By default, the AP wired port profile default is bound to an AP group.
● Binding the AP system profile and AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
c. Run the wired-port-profile profile-name interface-type interface-number
command to bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.
Step 7 Run quit
Return to the WLAN view.
Step 8 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End
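The TLV selection made with lldp tlv-enable basic-tlv decides what a directly connected neighbor can read from the AP's LLDP packets, and a captured LLDPDU shows whether the selection took effect. The Python parser below is an added example, not part of this guide: it decodes the TLVs of an LLDPDU, maps the optional basic TLVs to the command keywords, and extracts the TTL and management address. The sample LLDPDUs, device name, and addresses are constructed, and expected_ttl assumes the TTL equals the transmission interval times the hold multiplier (30 x 4 with the defaults above), as in IEEE 802.1AB-2005.

```python
import ipaddress
import struct

# Optional basic TLV types (IEEE 802.1AB), keyed to the keywords of the
# lldp tlv-enable basic-tlv command.
BASIC_TLVS = {4: "port-description", 5: "system-name", 6: "system-description",
              7: "system-capability", 8: "management-address"}


def expected_ttl(interval=30, hold=4):
    """Assumed formula: TTL = transmission interval x hold multiplier."""
    return min(65535, interval * hold)


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample(keywords):
    """Constructed LLDPDU of an imaginary AP advertising the given basic TLVs."""
    mgmt = (bytes([5, 1]) + ipaddress.IPv4Address("192.0.2.10").packed
            + bytes([2]) + struct.pack("!I", 1) + b"\x00")  # ifIndex 1, no OID
    optional = {
        "port-description": tlv(4, b"uplink"),
        "system-name": tlv(5, b"ap-lobby-01"),
        "system-description": tlv(6, b"constructed AP, software V0"),
        "system-capability": tlv(7, struct.pack("!HH", 0x0008, 0x0008)),
        "management-address": tlv(8, mgmt),
    }
    pdu = tlv(1, b"\x04" + bytes.fromhex("02005e000001"))  # chassis ID: MAC
    pdu += tlv(2, b"\x05" + b"GE0/0/0")                    # port ID: ifName
    pdu += tlv(3, struct.pack("!H", expected_ttl()))
    for name in BASIC_TLVS.values():
        if name in keywords:
            pdu += optional[name]
    return pdu + tlv(0, b"")                               # End of LLDPDU


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, stopping at the End TLV."""
    tlvs, pos = [], 0
    while pos + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if tlv_type == 0:
            return tlvs
        if pos + length > len(data):
            raise ValueError("TLV type %d overruns the LLDPDU" % tlv_type)
        tlvs.append((tlv_type, data[pos:pos + length]))
        pos += length
    raise ValueError("LLDPDU ends without an End TLV")


def management_address(value):
    """Decode the address field of a Management Address TLV."""
    if len(value) < 2 or len(value) < 1 + value[0]:
        raise ValueError("truncated Management Address TLV")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == 1 and len(addr) == 4:
        return str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    return addr.hex()


def summarize(data):
    """Report the TTL, advertised basic TLV keywords and management addresses."""
    info = {"ttl": None, "advertised": set(), "management_addresses": []}
    for tlv_type, value in parse_lldpdu(data):
        if tlv_type == 3 and len(value) >= 2:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        if tlv_type in BASIC_TLVS:
            info["advertised"].add(BASIC_TLVS[tlv_type])
        if tlv_type == 8:
            info["management_addresses"].append(management_address(value))
    info["advertised"] = sorted(info["advertised"])
    return info


if __name__ == "__main__":
    print("default (all):  ", summarize(build_sample(BASIC_TLVS.values())))
    print("system-name only:", summarize(build_sample(["system-name"])))
```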

4.11.5.6 Configuring Service Holding upon CAPWAP Link Disconnection

Context
To mitigate the impact of link disconnections on users in direct forwarding mode and
improve service reliability, you can configure service holding upon
CAPWAP link disconnection. After the disconnected CAPWAP link is restored, the
AP forces all online STAs to go offline and reassociate with the AP, and reports
information about the STAs through logs.

NOTE

● Service holding upon CAPWAP link disconnection is only applicable to the direct forwarding
mode.
● WDS networks do not support service holding upon CAPWAP link disconnection.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run keep-service enable

Service holding upon CAPWAP link disconnection is enabled. After that, the AP can
still provide data services when the CAPWAP link is disconnected.

By default, all services on the AP are interrupted after the CAPWAP link between
the AP and AC is disconnected.

Step 5 Run keep-service enable allow new-access

User access upon CAPWAP link disconnection is enabled. After that, the AP can
still allow new users to access when the CAPWAP link is disconnected.

By default, an AP in the fault state does not allow new STAs to access it.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind an AP system profile to an AP group or AP.


● Binding an AP system profile to an AP group.

a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

----End

4.11.5.7 Optimizing AP System Profile Parameters

Context
This task configures an AP to respond directly to association requests from STAs,
and configures the MTU of Ethernet ports in the AP system profile and the
Extensible Authentication Protocol (EAP) packet conversion function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mtu mtu-value
The MTU of Ethernet ports is configured in an AP system profile.
The default MTU of Ethernet ports in an AP system profile is 1500 bytes.
The size of data packets is limited at the network layer. When a network layer
device receives an IP packet, it determines the outbound interface and obtains the
MTU configured on the interface. The device then compares the MTU with the IP
packet length. If the IP packet length is longer than the MTU, the device
fragments the IP packet. Each fragment is smaller than or equal to the MTU in size.

NOTE

If the MTU value is smaller than the DHCP packet length, the AP may be disconnected. In this
case, restart the AP.

Step 5 Configure EAP packet conversion.


Different vendors use different methods to encapsulate EAP packets in broadcast,
multicast, or unicast packets. In 802.1X authentication, when an AP sends EAPOL-
Start and EAPOL-Response packets to an AC, the method that the AP uses to
encapsulate the two types of packets must be the same as the method that the
access device directly connected to the AC uses. Otherwise, the two types of
packets cannot be processed by the access device directly connected to the AP.
Consequently, the user cannot pass 802.1X authentication.
1. Run the eapol-start dest-address transform-condition { always | equal-
bssid } command to specify EAPOL-Start packets to be encapsulated.
By default, an AP encapsulates only the EAPOL-Start packets with the
destination MAC addresses being the AP's BSSID.
2. Run the eapol-start dest-address transform-to { broadcast | multicast |
mac mac-address } command to configure the AP to encapsulate EAPOL-Start
packets into broadcast, multicast, or unicast packets.
By default, an AP encapsulates EAPOL-Start packets into multicast packets.
3. Run the eapol-response dest-address transform-condition { always | equal-
bssid } command to specify EAPOL-Response packets to be encapsulated.
By default, an AP encapsulates only the EAPOL-Response packets with the
destination MAC addresses being the AP's BSSID.
4. Run the eapol-response dest-address transform-to { broadcast | multicast |
mac mac-address | learning } command to configure the AP to encapsulate
EAPOL-Response packets into broadcast, multicast, or unicast packets.
By default, an AP encapsulates EAPOL-Response packets into unicast packets
and actively learns the destination MAC address.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.


b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.

Step 8 Run quit

Return to the WLAN view.

Step 9 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

4.11.5.8 Verifying the AP System Management Configuration

Procedure
● Run the display ap-system-profile { all | name profile-name } command to
check configuration and reference information about an AP system profile.
● Run the display references ap-system-profile name profile-name command
to check reference information about an AP system profile.

----End

4.11.6 Managing an AP's Wired Interface

Context
Managing an AP's wired interface includes configuring AP wired interface
parameters and link layer parameters.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan ac

The WLAN view is displayed.

Step 3 Run wired-port-profile name profile-name

An AP wired port profile is created, and the AP wired port profile view is displayed.

By default, the system provides the AP wired port profile default.

Step 4 Configure parameters for an AP's wired interface.


Procedure: Add an AP's wired interface to an Eth-Trunk
Command: eth-trunk trunk-id
By default, an AP interface is not added to any Eth-Trunk.
Description: To improve the connection reliability and increase the bandwidth,
you can run this command to bind multiple interfaces into an Eth-Trunk.
NOTE
APs that have only one physical network interface do not support this command.
The physical interface to be added to an Eth-Trunk cannot have other
configurations. Before adding a physical interface to an Eth-Trunk, clear all
configurations on it except the interface status, working mode, descriptions,
LLDP function, and alarm function for CRC errors.

Procedure: Configure a working mode for an AP's wired interface
Command: mode { root | endpoint | middle }
By default, the GigabitEthernet interface of a common AP works in root mode, the
Ethernet interface in endpoint mode, and the Eth-trunk interface in root mode.
Description: When working as an uplink interface to connect to an AC, an AP's
wired interface must work in root mode. In root mode, the AP's wired interface
automatically joins service VLANs and user-specific VLANs (for example, VLANs
assigned by the RADIUS server).
When working as a downlink interface to connect to a wired terminal, the AP's
wired interface must work in endpoint mode. In endpoint mode, the AP's wired
interface does not join any VLAN by default.
NOTE
The AP's wired interface supports user isolation in endpoint mode, but not in
root mode.

Procedure: Enable a DHCP trusted port on an AP's wired interface
Command: dhcp trust port
By default, the DHCP trusted interface is disabled in the VAP profile view and
enabled on the AP's uplink interface in the AP wired port profile view.
This command takes effect only on the AP's uplink interface.
Description: Before WLAN services are delivered to an AP, run the dhcp trust
port command in the AP wired port profile view. After the command is run, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by the authorized DHCP server
and forwards the packets to STAs so that the STAs can obtain valid IP addresses
and go online.
NOTE
If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect
IP addresses and network configuration parameters and cannot communicate
properly. After the dhcp trust port command is executed in the VAP profile view,
an AP discards the DHCP OFFER, ACK, and NAK packets sent by the bogus DHCP
server and reports to the AC about the IP address of the unauthorized DHCP
server. For details, see 4.10.2.4 (Optional) Improving VAP Security.

Procedure: Enable terminal address learning on an AP's wired interface
Command: learn-client-address enable
By default, terminal address learning is disabled on an AP's wired interface.
Description: After terminal address learning is enabled on an AP's wired
interface, if a wired terminal connected to the AP wired interface successfully
obtains an IP address, the AP automatically reports the IP address of the
terminal to the AC, helping to maintain the IP address and MAC address binding
entries of wired terminals.
This configuration takes effect only on AP's wired interfaces working in
endpoint mode.

Procedure: Enable IP source guard (IPSG) on an AP's wired interface
Command: ipsg enable
By default, IPSG is disabled on an AP's wired interface.
Description: Attackers often use packets with the source IP addresses or MAC
addresses of authorized users to access or attack networks. As a result,
authorized users cannot obtain stable and secure network services. You can
enable the IPSG function to prevent the situation.
To make the configuration take effect, terminal address learning must be
enabled on the AP's wired interface using the learn-client-address enable
command.

Procedure: Enable dynamic ARP inspection (DAI) on an AP's wired interface
Command: dai enable
By default, DAI is disabled on an AP's wired interface.
Description: You can enable DAI using this command to prevent Man in The Middle
(MITM) attacks and theft on authorized user information. When a device receives
an ARP packet, it compares the source IP address, source MAC address, interface
number, and VLAN ID of the ARP packet with DHCP snooping binding entries. If the
ARP packet matches a binding entry, the device allows the packet to pass
through. If the ARP packet does not match any binding entry, the device discards
the packet.
To make the configuration take effect, terminal address learning must be
enabled on the AP's wired interface using the learn-client-address enable
command.

Procedure: Set the maximum volume of broadcast, multicast, or unknown unicast
traffic on an AP's wired interface
Command: traffic-optimize { broadcast-suppression | multicast-suppression |
unicast-suppression } packets packets-rate
By default, the volume of broadcast, multicast, or unknown unicast traffic is
not suppressed on an AP's wired interface.
Description: When a large number of broadcast, multicast, and unknown unicast
packets are transmitted on a network, a lot of network resources are occupied,
and services on the network are affected. When the traffic volume of broadcast,
multicast, and unknown unicast packets reaches the maximum on an AP's wired
interface, the system discards excess packets to control the traffic volume in
a proper range and prevent flooding attacks.


Step 5 Run quit

Return to the WLAN view.

Step 6 Configure link layer parameters for an AP's wired interface.


1. Run the port-link-profile name profile-name command to create an AP
wired port link profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
2. Run the crc-alarm enable [ high-threshold high-threshold-value | low-
threshold low-threshold-value ]* command to configure the alarm function
for CRC errors on an AP's wired interface, and set the alarm threshold and
clear alarm threshold.

By default, the alarm function for CRC errors is disabled on the AP wired
interface. The alarm threshold for CRC errors is 50 and the clear alarm
threshold is 20.
3. Run the shutdown command to disable the AP's wired interface.

By default, an AP's wired interface is enabled.

If malicious users launch attacks on the network through an AP's wired
interface, the administrator can deliver the shutdown command on the AC to
shut down the interface.

The shutdown command takes effect only on AP's wired interfaces working in
endpoint or middle mode but not on those working in root mode.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to enter the AP
wired port profile view.
6. Run the port-link-profile profile-name command to bind the AP wired port
link profile to the AP wired port profile.

By default, the AP wired port link profile default is bound to an AP wired port
profile.
7. Run the quit command to return to the WLAN view.

Step 7 Bind the AP wired port profile to an AP group or AP.


● Bind the AP wired port profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the wired-port-profile profile-name interface-type interface-number
command to bind the AP wired port profile to an AP group.
By default, the AP wired port profile default is bound to an AP group.
● Bind the AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the wired-port-profile profile-name interface-type interface-number
command to bind the AP wired port profile to an AP.
By default, no AP wired port profile is bound to an AP.


Step 8 Run quit

Return to the WLAN view.

Step 9 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

Configurations are delivered to APs.

----End

Verifying the Configuration


● Run the display wired-port-profile { all | name profile-name } command to
check configuration and reference information about an AP wired port profile.
● Run the display port-link-profile { all | name profile-name } command to
check configuration and reference information about an AP wired port link
profile.
● Run the display references wired-port-profile name profile-name command
to check reference information about an AP wired port profile.
● Run the display references port-link-profile name profile-name command
to check reference information about an AP wired port link profile.
● Run the display mac-address mac-address [ verbose ] ap-all command to
check MAC address entries on all APs.
● Run the display mac-address { ap-id ap-id | ap-name ap-name } interface-
type interface-number command to check all dynamic MAC address entries
on an AP's wired interface.
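
Several settings in 4.11.6 silently do nothing unless another setting is present: IPSG and DAI need terminal address learning, terminal address learning needs endpoint mode, and shutdown is ignored in root mode. The following check for those dependencies is an added example, not Huawei code; the sample configuration, its one-space-per-level indentation layout, the profile names and the rule names are constructed assumptions.

```python
"""Flag AP wired port profile settings that the guide says will not take effect."""
import re

# Constructed sample of a saved AC configuration (not from the guide). The
# one-space-per-level indentation and all profile names are assumptions.
SAMPLE_CONFIG = """\
wlan ac
 port-link-profile name link-off
  shutdown
 wired-port-profile name wired-guest
  mode endpoint
  ipsg enable
  dai enable
 wired-port-profile name wired-uplink
  mode root
  port-link-profile link-off
  learn-client-address enable
  ipsg enable
 wired-port-profile name wired-desk
  mode endpoint
  learn-client-address enable
  ipsg enable
  dai enable
"""

# Hypothetical rule names; each explanation paraphrases a statement in 4.11.6.
RULES = {
    "IPSG_NEEDS_LEARNING": "ipsg enable takes effect only with learn-client-address enable",
    "DAI_NEEDS_LEARNING": "dai enable takes effect only with learn-client-address enable",
    "LEARNING_NEEDS_ENDPOINT": "learn-client-address enable takes effect only in endpoint mode",
    "LEARNING_MODE_IMPLICIT": "mode is not set, so it follows the interface-type default; "
                              "address learning works only if that default is endpoint",
    "SHUTDOWN_IGNORED_IN_ROOT": "shutdown in the bound port link profile has no effect in root mode",
}

HEADER = re.compile(r"^(\s*)(wired-port-profile|port-link-profile) name (\S+)\s*$")


def parse_profiles(config_text):
    """Return {profile kind: {profile name: [commands]}} from indented stanzas."""
    profiles = {"wired-port-profile": {}, "port-link-profile": {}}
    current, depth = None, -1
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        header = HEADER.match(raw)
        if header:
            depth = len(header.group(1))
            current = profiles[header.group(2)].setdefault(header.group(3), [])
        elif current is not None and indent > depth:
            current.append(line)       # command inside the open profile
        else:
            current = None             # dedent: the profile stanza has ended
    return profiles


def _argument(cmds, keyword):
    """Return the first argument of `keyword` in cmds, or None if absent."""
    for cmd in cmds:
        parts = cmd.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None


def audit(config_text):
    """Return (profile name, rule id) findings, ordered by profile name."""
    profiles = parse_profiles(config_text)
    link_profiles = profiles["port-link-profile"]
    findings = []
    for name, cmds in sorted(profiles["wired-port-profile"].items()):
        mode = _argument(cmds, "mode")
        # The guide states that the link profile "default" is bound by default.
        link = _argument(cmds, "port-link-profile") or "default"
        learning = "learn-client-address enable" in cmds
        for cmd, rule in (("ipsg enable", "IPSG_NEEDS_LEARNING"),
                          ("dai enable", "DAI_NEEDS_LEARNING")):
            if cmd in cmds and not learning:
                findings.append((name, rule))
        if learning and mode != "endpoint":
            findings.append((name, "LEARNING_NEEDS_ENDPOINT" if mode
                             else "LEARNING_MODE_IMPLICIT"))
        if mode == "root" and "shutdown" in link_profiles.get(link, []):
            findings.append((name, "SHUTDOWN_IGNORED_IN_ROOT"))
    return findings


if __name__ == "__main__":
    for profile, rule in audit(SAMPLE_CONFIG):
        print(f"{profile}: {rule}: {RULES[rule]}")
```

A profile that sets no mode is reported separately because its effective mode depends on the type of interface it is bound to.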

4.12 Maintaining Basic WLAN Services

4.12.1 Checking Wireless Link Quality Between an AP and a STA

Context
On wireless networks, radio, as the transmission medium, is easily affected by
interference from the surroundings. The transmission quality of service data
changes greatly depending on the interference. Therefore, you must evaluate and
check the transmission quality of wireless links to ensure better service data
transmission and efficient cooperation between densely deployed wireless
networks, and to reduce signal interference. Use the RF ping function to exchange
data packets between APs and STAs and check the transmission quality of wireless
links. The link check result includes the signal strength, radio interface rate,
and packet sending delay, which together indicate the transmission quality of
wireless links.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run wlan ac


The WLAN view is displayed.

Step 3 Run rf-ping [ -m time | -c number ] * mac-address


Wireless link quality is checked.

----End

4.12.2 Checking Connectivity Between an AP and a Network Device

Context
When a network fault occurs, use an AP to ping other network devices to check
the connectivity.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m
time | -t timeout ] * host command to ping a network device from an AP to check
network connectivity between them.

----End

4.12.3 Maintaining AP Statistics

4.12.3.1 Checking AP Running Statistics

Context
After the AP online and AP management configurations are complete, run the
following commands in any view to check AP running statistics.

Procedure
● Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to
check AP running information.
● Run the display ap performance statistics { ap-name ap-name | ap-id ap-
id } command to check AP performance statistics.
● Run the display radio { all | ap-group ap-group-name | ap-name ap-name |
ap-id ap-id } command to check AP radio information.


● Run the display ap asyn-message err-info { all | ap-name ap-name | ap-id
ap-id } command to check records about AP restart failures.
● Run the display ap uncontrol all command to check unauthorized APs.
● Run the display channel switch-record { all | ap-name ap-name radio radio-
id | ap-id ap-id radio radio-id | reason reason } command to check channel
switching records.
● Run the display ap traffic statistics wireless { ap-name ap-name | ap-id ap-
id } radio radio-id [ ssid ssid ] command to check packet statistics on an AP
radio.
● Run the display ap elabel { ap-name ap-name | ap-id ap-id } command to
check AP electronic label information.
● Run the display ap service-config acl { ap-name ap-name | ap-id ap-id }
command to check ACL configurations on an AP.
● Run the display ap port { all | ap-name ap-name | ap-id ap-id | ap-mac ap-
mac } command to check the AP port status and traffic information.
----End

4.12.3.2 Checking AP Neighbor Information

Context
You can view neighbor information on a specified AP radio to determine the AP
location and neighbor relationship, helping locate rogue APs and plan the WLAN.

Procedure
Step 1 Run the display ap lldp neighbor { { ap-name ap-name | ap-id ap-id }
[ interface interface-type interface-number ] | brief } command to check LLDP
neighbor information on an AP.
Step 2 Run the display ap neighbor { ap-name ap-name | ap-id ap-id } [ radio radio ]
command to check information about neighbors of a radio.
Step 3 Run the display ap around-ssid-list { ap-name ap-name | ap-id ap-id }
command to check SSIDs of an AP's neighbors.

----End

4.12.3.3 Checking AP Online Failure and Offline Records

Context
You can check the AP online failure and offline records to determine why APs
fail to go online or go offline. This helps the maintenance personnel manage
and maintain the APs.

Procedure
● Run the display ap online-fail-record { all | mac mac-address } command to
check AP online failure records.


● Run the display ap offline-record { all | mac mac-address } command to
check AP offline records.
----End

4.12.3.4 Clearing AP Online Failure and Offline Records

Context
Before re-collecting AP online failure and offline records, you can clear AP online
failure records and offline records. This helps the maintenance personnel manage
and maintain APs.
NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.

Procedure
● Run the reset ap online-fail-record { all | mac mac-address } command to
clear AP online failure records.
● Run the reset ap offline-record { all | mac mac-address } command to clear
AP offline records.
----End

4.12.3.5 Clearing the List of Unauthorized APs

Context
You can clear the list of unauthorized APs to remove the entries of removed or
unauthenticated APs that have disconnected from an AC. This operation helps
re-collect and confirm unauthenticated APs.

NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run reset ap unauthorized record
Clear the list of unauthorized APs.

----End


4.12.4 Maintaining STA Statistics

4.12.4.1 Checking STA Running Statistics

Context
After STAs successfully associate with an AP, you can run the following commands
in any view to monitor the STA running status.

Procedure
● Run the display station { ap-group ap-group-name | ap-name ap-name |
ap-id ap-id | ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all }
command to check STA access information.
● Run the display station statistics [ sta-mac sta-mac-address | ap-name ap-
name | ap-id ap-id ] command to check STA statistics.
● Run the display ap sta-signal strength { ap-name ap-name | ap-id ap-id }
[ radio radio-id ] command to check the average signal strength of STAs on
an AP.

----End

4.12.4.2 Checking STA Online Failure and Offline Records

Context
You can check STA online failure and offline records to locate online failure and
offline reasons. This helps the maintenance personnel rectify the fault, enabling
STAs to connect to the wireless network properly.

Procedure
● Run the display station online-fail-record { all | ap-name ap-name | ap-id
ap-id | sta-mac sta-mac-address } command to check records about STA
online failures.
● Run the display station offline-record { all | ap-name ap-name | ap-id ap-id
| sta-mac sta-mac-address } command to check STA offline records.

----End

4.12.4.3 Clearing STA Online Failure and Offline Records

Context
Before re-collecting STA online failure and offline records, clear STA online failure
records and offline records. This helps the maintenance personnel manage and
maintain STAs.


NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.

Procedure
● Run the reset station online-fail-record { all | ap-name ap-name | ap-id ap-
id | sta-mac sta-mac-address } command to clear STA online failure records.
● Run the reset station offline-record { all | ap-name ap-name | ap-id ap-id |
sta-mac sta-mac-address } command to clear STA offline records.
----End

4.13 Configuration Examples for Basic WLAN Services

4.13.1 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network)

Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.

Networking Requirements
As shown in Figure 4-35, the AP is directly connected to the AC. An enterprise
branch needs to deploy WLAN services for mobile office so that branch users can
access the enterprise internal network from anywhere at any time.
The following requirements must be met:
● A WLAN named wlan-net is available.
● Branch users are assigned IP addresses on 10.10.11.0/24.


Figure 4-35 Networking diagram of configuring WLAN services on a small-scale
network

[Figure: Network; AC, interface Eth2/0/0 carrying VLAN 100 and VLAN 101; AP
area_1 with management VLAN 100 and service VLAN 101; STAs.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Layer 2 connections between the AP, AC, and upstream device.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require
the same configuration can be added to the group for unified
configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that
the AP can go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.


Table 4-9 Data planning


Item: DHCP server
Data: The AC functions as a DHCP server to assign IP addresses to the STAs and
AP.

Item: IP address pool for the AP
Data: 10.10.10.2-10.10.10.254/24

Item: IP address pool for STAs
Data: 10.10.11.2-10.10.11.254/24

Item: AC's source interface address
Data: VLANIF 100: 10.10.10.1/24

Item: AP group
Data:
● Name: ap-group1
● Referenced profile: VAP profile wlan-vap and regulatory domain profile
domain1

Item: Regulatory domain profile
Data:
● Name: domain1
● Country code: CN

Item: SSID profile
Data:
● Name: wlan-ssid
● SSID name: wlan-net

Item: Security profile
Data:
● Name: wlan-security
● Security policy: WPA2+PSK+AES
● Password: a1234567

Item: VAP profile
Data:
● Name: wlan-vap
● Service VLAN: VLAN 101
● Referenced profile: SSID profile wlan-ssid and security profile
wlan-security

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.


● In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
● The management VLAN and service VLAN cannot be the same.
● When multiple VAP profiles are configured and share one service VLAN,
enable inter-service VLAN proxy ARP if the data forwarding mode is set to
tunnel.

Procedure
Step 1 Connect the AP and AC.
# Add Eth2/0/0 to management VLAN 100 and service VLAN 101.

NOTE

You are advised to configure port isolation on Eth2/0/0 that connects the AC to the AP. If
port isolation is not configured, many broadcast packets will be transmitted in the VLANs or
WLAN users on different APs can directly communicate at Layer 2.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 101
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk pvid vlan 100
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101
[AC-Ethernet2/0/0] port-isolate enable
[AC-Ethernet2/0/0] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the interface IP address pool on VLANIF 100, and allocate IP addresses to STAs
from the interface IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 3 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan ac
[AC-wlan-view] ap-group name ap-group1
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1.


Assume that the AP's MAC address is 00e0-fc76-e360. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [1]
---------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
---------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor   0   6S
---------------------------------------------------------------------------------------------
Total: 1

Step 4 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the service VLAN, and apply the security
profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio of the
AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-ap-group1] quit

# Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 5 Verify the configuration.


# After the service configuration is complete, run the display vap ssid wlan-net
command. If Status in the command output is displayed as ON, the VAPs have
been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------
0 area_1 0 1 00E0-FC76-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC76-E370 ON WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------
Total: 2

# Connect STAs to the WLAN with SSID wlan-net and enter the password
a1234567. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 51/44 -55 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.13.2 Example for Configuring WLAN Services on a Medium-Scale Network

Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.

Networking Requirements
As shown in Figure 4-36, an AC manages the AP connected to it through
Switch_A.

A medium-sized enterprise needs to deploy a WLAN in office areas to meet
mobile office service needs and requires that users be centrally controlled and
managed on the AC.


Figure 4-36 Networking diagram of configuring WLAN services on a medium-scale network
[Figure not reproduced. Topology from top to bottom: Network, AC (Eth2/0/0), Switch_A (GE0/0/2 toward the AC, GE0/0/1 toward the AP), AP area_1, STAs. Each link carries VLAN100 and VLAN101. Management VLAN: VLAN100. Service VLAN: VLAN101.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure connections between the AP, AC, and upstream device.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and AP.
3. Configure the AP to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline to allow
the AP to go online.


4. Configure WLAN service parameters for STAs to access the WLAN.

Table 4-10 Data planning

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP      10.10.10.2-10.10.10.254/24
IP address pool for STAs        10.10.11.2-10.10.11.254/24
AC's source interface address   VLANIF 100: 10.10.10.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile       ● Name: domain1
                                ● Country code: CN
SSID profile                    ● Name: wlan-ssid
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-security
                                ● Security policy: WPA2+PSK+AES
                                ● Password: a1234567
VAP profile                     ● Name: wlan-vap
                                ● Service VLAN: VLAN101
                                ● Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.


● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
● The management VLAN and service VLAN cannot be the same.
● When multiple VAP profiles are configured and share one service VLAN,
enable inter-service VLAN proxy ARP if the data forwarding mode is set to
tunnel.

Procedure
Step 1 Configure Switch and the AC so that the AP and AC can transmit CAPWAP
packets.
NOTE

You are advised to configure port isolation on GE0/0/1 that connects Switch to the AP. If
port isolation is not configured, many broadcast packets will be transmitted in the VLANs or
WLAN users on different APs can directly communicate at Layer 2.

# Add GE0/0/1 that connects Switch to the AP to management VLAN 100 and
service VLAN 101, and add GE0/0/2 that connects Switch to the AC to the same VLANs.
<Huawei> system-view
[Huawei] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add Eth2/0/0 that connects the AC to Switch to VLANs 100 and 101.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 to 101
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101
[AC-Ethernet2/0/0] port-isolate enable
[AC-Ethernet2/0/0] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the interface IP address pool on VLANIF 100, and allocate IP addresses to STAs
from the interface IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit


Step 3 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan ac
[AC-wlan-view] ap-group name ap-group1
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1.


Assume that the AP's MAC address is 00e0-fc76-e360. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.

[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 6S
---------------------------------------------------------------------------------------------
Total: 1

Step 4 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.


NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the service VLAN, and apply the security
profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio of the
AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-ap-group1] quit

# Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 5 Verify the configuration.


# After the service configuration is complete, run the display vap ssid wlan-net
command. If Status in the command output is displayed as ON, the VAPs have
been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------
0 area_1 0 1 00E0-FC76-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC76-E370 ON WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------
Total: 2

# Connect STAs to the WLAN with SSID wlan-net and enter the password
a1234567. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 51/44 -55 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
● Switch_A configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
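
The profile chain described under Configuration Process (AP group, then VAP profile, then SSID and security profiles) can be resolved from a saved AC configuration file to review what each radio actually serves. The following Python code is an added example, not Huawei code: it flags WEP policies and a service VLAN equal to the management VLAN, and it goes beyond this section by also covering the WEP profile form configured in 4.13.3. The names parse_ac_config, effective_vaps and audit, the sample text, and treating the CAPWAP source VLANIF as the management VLAN are assumptions.

```python
import re

# Constructed sample in the layout of an AC configuration file, indented for
# readability (the parser ignores indentation). %^%#...%^%# values are
# placeholders; service VLAN 100 on VAP profile guest is a deliberate mistake.
SAMPLE_AC_CONFIG = """\
capwap source interface vlanif100
wlan ac
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase %^%#PLACEHOLDER-1%^%#
 security-profile name employee
  security wpa2 psk pass-phrase %^%#PLACEHOLDER-2%^%# aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  service-vlan vlan-id 100
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  service-vlan vlan-id 102
  ssid-profile employee
  security-profile employee
 ap-group name guest
  radio 0
   vap-profile guest wlan 1
 ap-group name employee
  radio 0
   vap-profile employee wlan 1
  radio 1
   vap-profile employee wlan 1
"""

TRACKED = ("security-profile", "ssid-profile", "vap-profile", "ap-group")

def parse_ac_config(text):
    """Collect the tracked profiles and the CAPWAP source VLANIF number."""
    # Assumption: the management VLAN is the VLAN of the CAPWAP source VLANIF.
    cfg = {"mgmt_vlan": None, **{kind: {} for kind in TRACKED}}
    kind = block = radio = None
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["#"]:
            kind = None  # "#" closes the current top-level section
        if len(tok) < 2:
            continue
        if m := re.match(r"capwap source interface vlanif\s*(\d+)$", raw.strip(), re.I):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif tok[0] == "ap-id" or (len(tok) >= 3 and tok[1] == "name"):
            kind = tok[0] if tok[0] in TRACKED else None
            if kind:
                block = cfg[kind].setdefault(tok[2], {"vaps": []} if kind == "ap-group" else {})
            radio = None
        elif kind == "security-profile" and tok[0] == "security":
            # Keep the policy keywords only; key material never enters the report.
            block["policy"] = re.sub(r"\s+pass-phrase\s+\S+", "", " ".join(tok[1:]))
        elif kind == "ssid-profile" and tok[0] == "ssid":
            block["ssid"] = " ".join(tok[1:])
        elif kind == "vap-profile" and tok[:2] == ["service-vlan", "vlan-id"] and len(tok) > 2:
            block["vlan"] = int(tok[2])
        elif kind == "vap-profile" and tok[0] in ("ssid-profile", "security-profile"):
            block[tok[0]] = tok[1]
        elif kind == "ap-group" and tok[0] == "radio":
            radio = int(tok[1])
        elif kind == "ap-group" and tok[0] == "vap-profile" and tok[2:3] == ["wlan"] and len(tok) > 3:
            block["vaps"].append((radio, tok[1], int(tok[3])))
    return cfg

def effective_vaps(cfg):
    """Resolve AP group -> radio -> VAP profile -> SSID and security profiles."""
    rows = []
    for group, grp in cfg["ap-group"].items():
        for radio, vap_name, wlan in grp["vaps"]:
            vap = cfg["vap-profile"].get(vap_name, {})
            ssid = cfg["ssid-profile"].get(vap.get("ssid-profile"), {}).get("ssid")
            policy = cfg["security-profile"].get(vap.get("security-profile"), {}).get("policy")
            rows.append({"group": group, "radio": radio, "wlan": wlan, "vap": vap_name,
                         "ssid": ssid, "vlan": vap.get("vlan"), "policy": policy})
    return rows

def audit(cfg):
    """Return findings, one set of checks per (AP group, VAP profile) binding."""
    findings = []
    unique = {(r["group"], r["vap"]): r for r in effective_vaps(cfg)}
    for row in unique.values():
        where = f"ap-group {row['group']}, VAP profile {row['vap']}"
        if row["ssid"] is None or row["policy"] is None:
            findings.append(f"UNRESOLVED: {where}: SSID or security policy not found")
        elif row["policy"].startswith("wep"):  # WEP is deprecated in IEEE 802.11
            findings.append(f"WEAK-CRYPTO: SSID {row['ssid']} ({where}) uses '{row['policy']}'")
        if row["vlan"] is not None and row["vlan"] == cfg["mgmt_vlan"]:
            findings.append(f"VLAN-OVERLAP: {where}: service VLAN {row['vlan']} is the management VLAN")
    return findings

if __name__ == "__main__":
    parsed = parse_ac_config(SAMPLE_AC_CONFIG)
    print(*effective_vaps(parsed), *audit(parsed), sep="\n")
```

Run against the AC configuration file of this example, the same functions resolve wlan-net to service VLAN 101 with policy wpa2 psk aes on each radio and return no findings.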

4.13.3 Example for Configuring WLAN Services on a Large-Scale Network

Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.

Networking Requirements
On a network of a large enterprise in Figure 4-37, an aggregation switch Switch_B
connects to an access switch Switch_A and an upstream Router. The enterprise
needs to deploy a WLAN, with as few changes to the current network structure as
possible.
The enterprise requirements are as follows:
● A WLAN with the SSID guest is deployed in the lobby of the office building to
provide wireless access services for visitors.
● A WLAN with the SSID employee is deployed in office areas to provide
wireless access services for employees.


Figure 4-37 Networking diagram of configuring WLAN services on a large-scale network
[Figure not reproduced. Topology from top to bottom: Internet; AC (Eth2/0/0; VLANIF100: 10.10.10.1/24, VLANIF101: 10.10.11.1/24, VLANIF102: 10.10.12.1/24); Switch_B (GE0/0/2 toward the AC, GE0/0/1 toward Switch_A, both carrying VLAN100, VLAN101, and VLAN102); Switch_A (GE0/0/3 toward Switch_B: VLAN100, VLAN101, VLAN102; GE0/0/1 toward AP area_1: VLAN100, VLAN101; GE0/0/2 toward AP area_2: VLAN100, VLAN102); STAs behind each AP. AP area_1: management VLAN100, service VLAN101. AP area_2: management VLAN100, service VLAN102.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch_A, Switch_B, and AC to implement Layer 2 interconnection.
2. Configure the AC as a DHCP server to assign IP addresses from a global
address pool to STAs and APs.
3. Configure the AP to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.

b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline to allow
the AP to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Table 4-11 Data planning

Item                            Data
DHCP server                     AC functions as a DHCP server to allocate IP addresses to the STAs and APs.
IP address pool for the APs     10.10.10.2-10.10.10.254/24
IP address pool for the STAs    ● IP addresses for visitors: 10.10.11.2-10.10.11.254/24
                                ● IP addresses for enterprise users: 10.10.12.2-10.10.12.254/24
AC's source interface address   VLANIF100:10.10.10.1/24
AP group                        Name: guest
                                Referenced profile: VAP profile guest and regulatory domain profile domain1

                                Name: employee
                                Referenced profile: VAP profile employee and regulatory domain profile domain1
Regulatory domain profile       Name: domain1
                                Country code: CN
SSID profile                    Name: guest
                                SSID name: guest

                                Name: employee
                                SSID name: employee
Security profile                Name: guest
                                ● Security policy: WEP-40
                                ● Password: a1234

                                Name: employee
                                ● Security policy: WPA2+PSK+AES
                                ● Password: b1234567
VAP profile                     Name: guest
                                ● Service VLAN: VLAN 101
                                ● Referenced profile: SSID profile guest and security profile guest

                                Name: employee
                                ● Service VLAN: VLAN 102
                                ● Referenced profile: SSID profile employee and security profile employee

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
● The management VLAN and service VLAN cannot be the same.
● When multiple VAP profiles are configured and share one service VLAN,
enable inter-service VLAN proxy ARP if the data forwarding mode is set to
tunnel.

Procedure
Step 1 Configure network interworking.
# Configure Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
configure GE0/0/1 to allow packets from VLAN 101 (service VLAN) to pass
through. Add GE0/0/2 to VLAN 100 and configure GE0/0/2 to allow packets from
VLAN 102 (service VLAN) to pass through. Configure GE0/0/3 to allow packets
from VLAN 100, VLAN 101, and VLAN 102 to pass through.

NOTE

You are advised to configure port isolation on GE0/0/1 and GE0/0/2 that connect Switch_A
to the APs. If port isolation is not configured, many broadcast packets will be transmitted in
VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] vlan batch 100 to 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102
[SwitchA-GigabitEthernet0/0/3] quit

# Configure Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets from
VLAN 100, VLAN 101, and VLAN 102 to pass through.
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] vlan batch 100 to 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[SwitchB-GigabitEthernet0/0/2] quit

# Configure the AC to allow packets from VLAN 100, VLAN 101, and VLAN 102 to
pass through.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 to 102
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 to 102
[AC-Ethernet2/0/0] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.10.12.1 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 3 Configure the APs to go online.


# Create AP groups guest and employee.
[AC] wlan ac
[AC-wlan-view] ap-group name guest
Info: This operation may take a few seconds. Please wait for a moment..done.
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
Info: This operation may take a few seconds. Please wait for a moment..done.
[AC-wlan-ap-group-employee] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC. Add APs deployed in the lobby to AP group
guest and APs in office areas to AP group employee. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are
deployed from their names. For example, if the AP with MAC address
00e0-fc76-e360 is deployed in room 1 of the office building, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.

[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 guest 10.10.10.253 AP6010DN-AGN nor 0 1M:22S
1 00e0-fc74-9640 area_2 employee 10.10.10.254 AP6010DN-AGN nor 0 5S
--------------------------------------------------------------------------------------------
Total: 2


Step 4 Configure WLAN service parameters.


# Create security profiles guest and employee and configure the security policy in
the profile.
NOTE

In this example, the security policy is set to WEP-40 and WPA2+PSK+AES and passwords to
a1234 and b1234567, respectively. In actual situations, the security policy must be configured
according to service requirements.
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wep share-key
[AC-wlan-sec-prof-guest] wep key 0 wep-40 pass-phrase a1234
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] wep default-key 0
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit

# Create SSID profiles guest and employee, and set the SSID names to guest and
employee, respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-employee] quit

# Create VAP profiles guest and employee, set the service VLANs, and apply the
security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-guest] security-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] ssid-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] service-vlan vlan-id 102
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-employee] security-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] ssid-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] quit

# Bind the VAP profiles to the AP groups and apply the VAP profiles to all radios of
the APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-employee] quit

# Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 5 Verify the configuration.


# After the service configuration is complete, run the display vap ssid guest and
display vap ssid employee commands. If Status in the command output is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid guest
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------
0 area_1 0 1 00E0-FC76-E360 ON WEP+Share 0 guest
0 area_1 1 1 00E0-FC76-E370 ON WEP+Share 0 guest
--------------------------------------------------------------------------
Total: 2
[AC-wlan-view] display vap ssid employee
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------
1 area_2 0 1 00E0-FC74-9640 ON WPA2-PSK 0 employee
1 area_2 1 1 00E0-FC74-9650 ON WPA2-PSK 0 employee
--------------------------------------------------------------------------
Total: 2

# Connect STAs to the WLANs with SSIDs guest and employee and enter the
passwords a1234 and b1234567 respectively. Run the display station ssid guest
and display station ssid employee commands on the AC. The command output
shows that the STAs are connected to the WLANs guest and employee.
[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 26/18 -54 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fc64-656f 1 area_2 1/1 5G 11n 65/56 -53 102 10.10.12.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
● Switch_A configuration file
#
sysname SwitchA
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
● Switch_B configuration file
#
sysname SwitchB
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.10.12.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan ac
security-profile name guest
security wep share-key
wep key 0 wep-40 pass-phrase %^%#z*z]6]#!|%n:n}Xz'mhKE{PfN|cIj*eU$jJYH48S%^%#
security-profile name employee
security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
service-vlan vlan-id 101
ssid-profile guest
security-profile guest
vap-profile name employee
service-vlan vlan-id 102
ssid-profile employee
security-profile employee
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
radio 2
vap-profile guest wlan 1
ap-group name default
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
radio 2
vap-profile employee wlan 1
ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group guest
ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000075
ap-name area_2
ap-group employee
#
return

4.14 FAQ About Basic WLAN Services

4.14.1 How Do I Set a Proper Interval for Sending Beacon Frames?
The AP sends Beacon frames at intervals to notify STAs of the WLAN. The AP
also uses the DTIM in Beacon frames to notify a STA that data from the AP will
be sent to it.
When the interval at which Beacon frames are sent is set to 1000 ms, mobile
devices save more power. However, packets are buffered on the AP and are not
sent to STAs immediately. As a result, ping packets are delayed and some
packets are lost. It is recommended that the interval be set to 100 ms.
Run the beacon-interval command in the radio profile view to set the interval to
100 ms.

4.14.2 Wireless Users Cannot Obtain IP Addresses and the STAs Display a Message Indicating that the Connection Is Restricted or Needs to Be Re-established. Why?
Possible causes are:
● DHCP is not enabled globally using the dhcp enable command in the system
view.
● The address pool is not configured using the dhcp select interface or dhcp
select global command in the interface view.
● The dhcp select global command is executed in the interface view, but the
global address pool is incorrectly configured.
● Wireless users use MAC address authentication, but no MAC address is
configured for the users on the authentication server.

4.14.3 Why Does the SSID of an AP Disappear Intermittently on a STA When the AP Is Running Normally?
Possible causes are:
● Automatic channel adjustment is enabled on the AP, so the AP continuously
adjusts channels to obtain the best radio performance. The radio module of
the AP is reset when the channel is changed. You can run the channel-mode
fixed command in the radio profile view to solve this problem.
● The STA is far from the AP or is blocked by an obstacle. As a result, the
receive signal strength on the STA is weak.

4.14.4 Why Does a STA Fail to Discover the SSID of an AP When the AP Has the Correct Software Version and WLAN Configuration?
Possible causes are:
● The SSID hiding function is enabled using the ssid-hide command in the
service set view. In this case, run the undo ssid-hide command in the service
set view to disable the SSID hiding function.
● To check whether the AP works properly, run the display ap run-info
command on the device functioning as the AC.

4.14.5 Which Online AP Upgrade Mode Does the AR Support When It Functions as an AC?
The AR supports the FTP upgrade mode and SFTP upgrade mode.

4.14.6 Which Forwarding Mode Does the AR Support When It Functions as an AC?
In versions earlier than V200R008C30, when the device functions as an AC, the
device can only forward service data packets in a local manner.
In V200R008C30 and later versions, when the device functions as an AC, the
device can forward service data packets of users in a local or centralized manner.

4.14.7 Why Cannot an AP Go Online When the AR Functions as an AC?
● The AP is not in the list of APs that are supported by the AR.
● The AC function is used with a license and is unavailable by default.
● No PVID is configured for the network access device directly connected to the
AP.
● SN or MAC address authentication is enabled on the AC, but the AP is not on
the AP whitelist.
● When the capwap dtls control-link encrypt command is not configured on
the AC, enabling control tunnel encryption using DTLS will cause a DTLS
negotiation failure. As a result, the CAPWAP tunnel fails to be established.
● The CAPWAP heartbeat detection interval and number of CAPWAP heartbeat
detections on the AC are not set properly. If the CAPWAP heartbeat detection
interval and number of CAPWAP heartbeat detections are smaller than the
default values, the CAPWAP link reliability is degraded and the AP cannot
properly go online. Typically, default values are recommended. If the AP still
goes offline unexpectedly when default values are used, you can run the capwap
echo command to set a larger CAPWAP heartbeat detection interval and
number of CAPWAP heartbeat detections.

4.14.8 Why Are Packets Lost When the STA Pings the Gateway?
Run the dtim-interval 1 and beacon-interval 100 commands to configure the
DTIM interval and Beacon interval specified in the radio profile.

NOTE
DTIM refers to delivery traffic indication map.
An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11 network.

4.14.9 Why Cannot a STA Associate with an AP When the Radio Type Is Set to Pure 802.11n and the Encryption Mode Is Set to WEP?
WEP is insecure, so 802.11n does not support WEP encryption.
When the radio type is set to pure 802.11n, the following encryption modes are
supported:
● open
● wpa-psk ccmp
● wpa2-psk ccmp
● wapi
● wpa dot1x ccmp
● wpa2 dot1x ccmp

4.14.10 Why Cannot a STA Associate with an AP When the Radio Type Is Set to Pure 802.11n and the Encryption Mode Is Set to TKIP?
TKIP is insecure, so 802.11n does not support TKIP encryption.
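
Since WEP and TKIP are both described above as insecure, a saved AC configuration can be checked for them. The following Python audit is an added example, not part of the Huawei guide: it parses a wlan ac block in the flat layout of the AC configuration file shown earlier and reports which security profiles use WEP or TKIP and which AP groups broadcast them. The sample configuration is constructed, its key material is replaced by placeholders, and the tkip keyword in the legacy profile is an assumption modelled on the position of aes in the page's WPA2 command.

```python
import re

# Constructed sample in the flat layout of the AC configuration file above.
# Key material is a placeholder; the "legacy" profile and its trailing tkip
# keyword are assumptions added to exercise the TKIP check.
SAMPLE_CONFIG = """\
wlan ac
security-profile name guest
security wep share-key
wep key 0 wep-40 pass-phrase <ciphertext-placeholder>
security-profile name employee
security wpa2 psk pass-phrase <ciphertext-placeholder> aes
security-profile name legacy
security wpa psk pass-phrase <ciphertext-placeholder> tkip
vap-profile name guest
ssid-profile guest
security-profile guest
vap-profile name employee
ssid-profile employee
security-profile employee
ap-group name guest
radio 0
vap-profile guest wlan 1
ap-group name employee
radio 0
vap-profile employee wlan 1
"""

def audit(config):
    """Return (weak security profiles, AP groups whose VAP profiles use them)."""
    findings, vap_sec, group_vaps = {}, {}, {}
    kind = name = None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"([\w-]+) name (\S+)$", line)
        if m:                                   # "<object> name <x>" opens a new view
            kind, name = m.groups()
        elif kind == "security-profile" and line.startswith("security "):
            words = line.split()
            if words[1] == "wep":
                findings[name] = "WEP"
            elif words[-1] in ("tkip", "aes-tkip"):
                findings[name] = "TKIP"
        elif kind == "vap-profile" and line.startswith("security-profile "):
            vap_sec[name] = line.split()[1]     # VAP profile -> security profile
        elif kind == "ap-group" and line.startswith("vap-profile "):
            group_vaps.setdefault(name, set()).add(line.split()[1])
    exposure = {g: sorted(v for v in vaps if vap_sec.get(v) in findings)
                for g, vaps in group_vaps.items()}
    return findings, {g: v for g, v in exposure.items() if v}
```

A profile that is flagged but bound to no AP group, such as legacy here, appears in the findings only and is not being broadcast.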
