You can configure WLAN services to enable users to easily access a wireless
network and move around within the coverage area of the network.
traditional media used for transmission on a wired LAN. The WLAN technology
described in this document is implemented based on 802.11 standards.
802.11 was originally a wireless LAN communications standard defined by the
Institute of Electrical and Electronics Engineers (IEEE) in 1997. The IEEE then made
amendments to the standard, forming the 802.11 family, including 802.11,
802.11a, 802.11b, 802.11e, 802.11g, 802.11i, 802.11n and 802.11ac.
Purpose
WLAN technology allows you to easily access a wireless network and move
around within the coverage of the wireless network. Wired LANs use wired cables
or optical fibers as transmission media, which are expensive and have fixed
locations. As further emphasis was placed on network mobility, wired LANs were
unable to meet users' requirements. This led to the development of WLAN, which
has become the most cost-efficient and convenient network access mode.
Benefits
● High network mobility: WLANs are easy to connect to and are not limited
by cable and port positions. This makes WLANs great for scenarios where
users are often moving, such as office buildings, airport halls, resorts, hotels,
stadiums, and cafes.
● Flexible network deployment: WLANs provide wireless network coverage in
places where cables are difficult to deploy, such as subways and highways.
WLANs reduce the number of required cables, offer low-cost, easy
deployment, and have high scalability.
Related Documents
Video: Introduction to the Wireless AC Feature of Huawei AR Routers
[Figure. Labels: STA, Fit AP, AP, CAPWAP, AC, Campus network, Campus egress
gateway, DNS server, DHCP server]
● Access Controller (AC): a device that controls and manages all APs on a
WLAN in the centralized architecture. For example, an AC can connect to an
authentication server to authenticate WLAN users, as shown in Figure 4-1.
● Access point (AP): a device that provides 802.11-compliant wireless access for
STAs to connect wired networks to wireless networks.
– Fit AP: provides wireless access for STAs in the Fit AP architecture. A Fit
AP provides only reliable, high-performance wireless access for STAs and
depends on an AC to provide other functions, as shown in Figure 4-1.
● Control And Provisioning of Wireless Access Points (CAPWAP): an
encapsulation and transmission mechanism defined in RFC5415 to implement
communication between APs and ACs, as shown in Figure 4-1.
● Radio signal: a high-frequency electromagnetic wave that has long-distance
transmission capabilities. Radio signals provide transmission media for 802.11-
compliant WLANs. Radio signals described in this document are
electromagnetic waves in the 2.4 GHz or 5 GHz frequency band.
● Virtual access point (VAP): a WLAN service entity on an AP. You can create
different VAPs on an AP to provide wireless access service for different user
groups.
● Service set identifier (SSID): a unique identifier that identifies a wireless
network. When you search for available wireless networks on your laptop,
SSIDs are displayed to identify the available wireless networks.
SSIDs are classified into two types:
– Basic service set identifier (BSSID): the link-layer MAC address of a VAP
on an AP. Figure 4-2 shows the relationship between VAP and BSSID.
[Figure 4-2. One AP with two VAPs:
VAP1: SSID: guest, BSSID: 0025-9e45-24a0 (STA1: "I join the guest network")
VAP2: SSID: internal, BSSID: 0025-9e45-24a9 (STA2: "I join the internal network")]
Multiple APs can use one ESSID to provide roaming service for users; however,
their BSSIDs must be unique because the MAC address of each AP is unique.
● Basic service set (BSS): an area covered by an AP. STAs in a BSS can
communicate with each other.
● Extended service set (ESS): a group of BSSs that share the same SSID.
Figure 4-3 shows the relationship between SSID, BSSID, BSS, and ESS.
[Figure 4-3. One ESS containing two BSSs:
AP1: BSSID: 0025-9e45-24a0, SSID="huawei"
AP2: BSSID: 0025-9e45-3100, SSID="huawei"]
Introduction to 802.11
Figure 4-4 illustrates the role of 802.11 standards within the IEEE 802 standard
family, involving the physical layer and data link layer.
Figure 4-4 Role of 802.11 standards within the IEEE 802 standard family
● Physical Layer
The different 802.11 standards use different physical layer technologies,
including frequency hopping spread spectrum (FHSS), direct sequence spread
spectrum (DSSS), orthogonal frequency division multiplexing (OFDM), and
multiple-input multiple-output (MIMO). These physical layer technologies
support different frequency bands and transmission rates, as detailed in Table
4-1.
An 802.11 MAC frame has a maximum length of 2348 bytes. The following
describes the purpose of each field in an 802.11 MAC frame.
● Frame Control field: includes the following sub-fields:
– Protocol Version: indicates the MAC version of the frame. Currently, only
MAC version 0 is supported.
– Type/Subtype: identifies the frame type, such as data, control, and
management frames.
802.11 supports the power-saving mode, allowing STAs to shut down antennas
to save power when no data is being transmitted.
After receiving the PS-Poll frame, the AP delivers the requested data
frames to the STA based on the AID in the PS-Poll frame.
● Address field: transmits information about MAC addresses. An 802.11 frame
can have up to four address fields. The four address fields vary according to
the values of the To DS/From DS sub-field in the Frame Control field. For
example, the values of the four address fields are different when a frame is
sent from a STA to an AP and when a frame is sent from an AP to a STA.
Table 4-2 describes the scenarios and rules for filling in the four address
fields.
[Figure. Labels: Internet, AC, AP1, AP2; (1) To DS=0, From DS=1; (2) To DS=1,
From DS=0; (3) To DS=1, From DS=1]
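The Frame Control sub-fields and the To DS/From DS address rules described above can be checked against real header bytes. The following Python code is an added example, not part of the original document: the address-role mapping follows the IEEE 802.11 rules, the function names are hypothetical, and the sample frames are constructed (only the two 0025-9e45 BSSIDs are taken from this document's figures).

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# Roles of Address 1..4 keyed by (To DS, From DS), per IEEE 802.11.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),      # STA to STA (ad hoc), and management frames
    (0, 1): ("DA", "BSSID", "SA"),      # AP to STA
    (1, 0): ("BSSID", "SA", "DA"),      # STA to AP
    (1, 1): ("RA", "TA", "DA", "SA"),   # AP to AP over a wireless link
}
ADDRESS_OFFSETS = (4, 10, 16, 24)       # Address 4 follows Sequence Control


def fmt_mac(raw: bytes) -> str:
    """Format six bytes in the xxxx-xxxx-xxxx style used in this document."""
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in range(0, 12, 4))


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and label the address fields of an 802.11 header."""
    if len(frame) < 2:
        raise ValueError("frame is shorter than the Frame Control field")
    (fc,) = struct.unpack_from("<H", frame, 0)   # Frame Control is little-endian
    info = {
        "version": fc & 0x3,
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "power_mgmt": (fc >> 12) & 1,            # 1: STA is entering power save
        "addresses": {},
    }
    if info["version"] != 0:
        raise ValueError(f"unsupported protocol version {info['version']}")
    if info["type"] not in ("data", "management"):
        return info   # control frames use shorter, subtype-specific headers
    roles = ADDRESS_ROLES[(info["to_ds"], info["from_ds"])]
    needed = 30 if len(roles) == 4 else 24
    if len(frame) < needed:
        raise ValueError(f"header truncated: need {needed} bytes, got {len(frame)}")
    for role, offset in zip(roles, ADDRESS_OFFSETS):
        info["addresses"][role] = fmt_mac(frame[offset:offset + 6])
    return info


def build_frame(frame_control: int, *addresses: str) -> bytes:
    """Build a constructed header: Frame Control, Duration, addresses, Sequence Control."""
    raw = [bytes.fromhex(a.replace("-", "")) for a in addresses]
    header = struct.pack("<HH", frame_control, 0) + b"".join(raw[:3]) + b"\x00\x00"
    return header + b"".join(raw[3:])


BSSID = "0025-9e45-24a0"     # BSSID shown for VAP1 / AP1 in this document
PEER_AP = "0025-9e45-3100"   # BSSID shown for AP2 in this document
STA = "02aa-bbcc-0001"       # constructed station MAC
GATEWAY = "02aa-bbcc-00fe"   # constructed wired-side MAC

# Constructed sample frames (type = data, subtype = 0).
UPLINK = build_frame(0x1108, BSSID, STA, GATEWAY)          # To DS=1, power save set
DOWNLINK = build_frame(0x0208, STA, BSSID, GATEWAY)        # From DS=1
WDS = build_frame(0x0308, PEER_AP, BSSID, GATEWAY, STA)    # To DS=1, From DS=1

if __name__ == "__main__":
    for name, frame in (("uplink", UPLINK), ("downlink", DOWNLINK), ("wds", WDS)):
        parsed = parse_header(frame)
        print(name, parsed["to_ds"], parsed["from_ds"], parsed["addresses"])
```
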
Fit AP Architecture
In the Fit AP architecture, an AC centrally manages and controls multiple APs (Fit
APs), as shown in Figure 4-7.
[Figure 4-7. Labels: STA, Fit AP, AP, CAPWAP, AC, Campus network, Campus egress
gateway, DNS server, DHCP server]
3. AP Access Control
4. AP Software Upgrade
5. CAPWAP Tunnel Maintenance
6. AC Configuration Delivery
The process in which a central AP goes online on an AC is similar to that of a
common AP.
IP Address Allocation
An AP obtains an IP address through any of the following modes:
● Static mode: An IP address is manually configured for the AP.
● DHCP mode: The AP functions as a DHCP client and requests an IP address
from a DHCP server.
[Figure. Exchange between AP and AC: Discovery Request, Discovery Response, DTLS]
In the Discovery phase, the AC determines whether to permit access from an AP based on the
Discovery Request packet that the AP sends, and does not respond to Discovery Request
packets from APs that are not permitted access. The process is similar to that in Figure 4-9.
NOTE
If an AP does not receive any Discovery Response packet after sending unicast
Discovery Request packets ten consecutive times, and Dual-Link Backup is
configured on the AP, the AP does not broadcast a Discovery Request packet to
discover an AC to establish the standby link. Instead, the AP keeps sending
unicast Discovery Request packets.
2. The AP establishes CAPWAP tunnels with an AC.
CAPWAP tunnels include data tunnels and control tunnels.
– Data tunnel: transmits service data from the AP to an AC for centralized
forwarding.
– Control tunnel: transmits control packets between the AP and AC. You
can choose to enable datagram transport layer security (DTLS)
encryption over the control tunnel to ensure security of CAPWAP control
packets. Subsequently, all CAPWAP control packets will be encrypted and
decrypted through DTLS.
AP Access Control
The AP sends a Join Request packet to an AC. The AC then determines whether to
allow the AP access and sends a Join Response packet to the AP. The Join
Response packet carries the AP software upgrade mode and AP version
information.
Figure 4-9 shows a flowchart depicting the process for AP access control.
AP Software Upgrade
The AP determines whether its system software version is the same as that
specified on the AC according to parameters in the received Join Response packet.
If the two versions are different, the AP updates its software version in AC, FTP, or
SFTP mode.
After the software version is updated, the AP restarts and repeats steps 1 to 3.
The AP and AC exchange Echo packets to monitor the control tunnel connectivity.
AC Configuration Delivery
The AC sends a Configuration Update Request packet to the AP, which then replies
with a Configuration Update Response packet. The AC then delivers service
configuration to the AP.
STAs can access wireless networks after APs are logged in and CAPWAP tunnels
are established. STA access involves the following steps:
● Scanning
● Link authentication
● Association
Scanning
A STA can actively or passively scan wireless networks.
Active Scanning
In active scanning, a STA periodically searches for nearby wireless networks. The
STA can send two types of Probe Request frames: probes containing an SSID and
probes that do not contain an SSID.
● Probes containing an SSID: The STA sends a Probe Request frame containing
an SSID in each channel to search for the AP with the same SSID. Only the AP
with the same SSID will respond to the STA. For example, in Figure 4-10, the
STA sends a Probe Request frame containing the SSID huawei to search for
an AP with the SSID huawei.
This method applies to the scenario where a STA actively scans wireless
networks to access a specified wireless network.
[Figure 4-10. Labels: STA, AP1 (SSID=huawei)]
● Probes that do not contain an SSID: The STA periodically broadcasts a Probe
Request frame that does not contain an SSID in the supported channels as
shown in Figure 4-11. The APs return Probe Response frames to notify the
STA of the wireless services they can provide.
This method applies to the scenario where a STA actively scans wireless
networks to determine whether wireless services are available.
[Figure 4-11. Labels: STA, AP1, APn, Probe Request (SSID=Null), Probe Response]
Passive Scanning
When passive scanning is enabled, a STA listens on the Beacon frames that an AP
periodically sends in each channel to obtain AP information, as shown in Figure
4-12. A Beacon frame contains information including the SSID and supported rate.
To conserve power, enable the STA to passively scan wireless networks. In most
cases, VoIP terminals passively scan wireless networks.
[Figure 4-12. Labels: AP, STA1, STA2, Beacon]
Link Authentication
To ensure wireless link security, an AP needs to authenticate STAs that attempt to
access the AP. IEEE 802.11 defines two authentication modes: open system
authentication and shared key authentication.
● Open system authentication requires no authentication. STAs that attempt to
access the AP are successfully authenticated as long as the AP supports this
● Shared key authentication requires that the STA and AP have the same shared
key preconfigured. The AP checks whether the STA has the same shared key
to determine whether the STA can be authenticated. If the STA has the same
shared key as the AP, the STA is authenticated. Otherwise, STA authentication
fails. Figure 4-14 shows the shared key authentication process.
[Figure 4-14. Exchange between STA and AP:
1 Authentication Request
2 Authentication Response (Challenge)
3 Authentication Response (EncryptedChallenge)
4 Authentication Response (Success)]
Association
STA association is also known as link negotiation. After link authentication is
complete, a STA initiates link negotiation using Association packets. Figure 4-15
shows the association process in the Fit AP architecture.
[Figure 4-15. Exchange among STA, AP, and AC:
1 Association Request
2 Association Request
3 Association Response
4 Association Response]
● The STA association process in the Fit AP architecture consists of the following
steps:
a. The STA sends an Association Request packet to the AP. The Association
Request packet carries the STA's parameters and the parameters that the
STA selects according to the service configuration, including the
transmission rate, channel, QoS capabilities, access authentication
algorithm, and encryption algorithm.
b. The AP receives the Association Request packet, encapsulates the packet
into a CAPWAP packet, and sends the CAPWAP packet to the AC.
c. The AC determines whether to authenticate the STA and replies with an
Association Response packet.
d. The AP decapsulates the received Association Response packet and sends
it to the STA.
NOTE
After association, the STA determines whether it needs to be authenticated according to the
received Association Response packet:
● If the STA does not need to be authenticated, the STA can access the wireless network.
● If the STA needs to be authenticated, the STA initiates user access authentication. After
authentication, the STA can access the wireless network. For details about user access
authentication, see NAC in CLI-based Configuration - Security.
Tunnel Forwarding
In tunnel forwarding mode, APs encapsulate service data packets over a CAPWAP
data tunnel and send them to an AC, which then forwards these packets to an
upper-layer network, as shown in Figure 4-16.
[Figure 4-16. Labels: Internet, AC, LAN, CAPWAP tunnel, AP, STA; legend: Data
packet, Control packet]
Direct Forwarding
In direct forwarding mode, an AP directly forwards service data packets to an
upper-layer network without encapsulating them over a CAPWAP data tunnel, as
shown in Figure 4-17.
[Figure 4-17. Labels: Internet, AC, LAN, CAPWAP tunnel, AP, STA; legend: Data
packet, Control packet]
[Figure. Labels: Internet, AC, LAN, CAPWAP tunnel, AP, STA; legend:
Authentication packet, Control packet]
[Figure. Labels: Internet, AC, Switch, CAPWAP tunnel, AP, STA; legend: data
packets, control packets]
This function takes effect only when the WLAN uses open system authentication, pre-
shared key authentication, or WPA/WPA2–PSK authentication.
This function allows all the users that enter the correct key to go online. The STA
whitelist and blacklist configured on the AC do not take effect after the CAPWAP link
is broken.
When the function that allows user access after CAPWAP link disconnection is
disabled, STA association and key negotiation are performed between the AC
and STA. After this function is enabled, STA authentication, association, and
key negotiation are performed between the AP and STA. The different
processes for association and authentication are shown in Figure 4-20.
[Figure 4-20. Labels: Internet, AC, LAN, CAPWAP tunnel, AP, STA; legend:
1 Authentication packet exchange before user access permission after
CAPWAP link disconnection is disabled
2 Authentication packet exchange before user access permission
after CAPWAP link disconnection is enabled]
NOTE
Currently, the device supports only service holding upon CAPWAP link disconnection when it
functions as the AC.
As shown in Figure 4-21, the following profiles can be bound to the AP group and
AP: regulatory domain profile, radio profile, VAP profile, AP system profile, AP
wired port profile, WIDS profile, and WDS profile. Some of the listed profiles can
further reference other profiles, for example, the radio profile can reference an air
scan profile and an RRM profile.
[Figure 4-21. Labels: AP, Regulatory domain profile, Radio profile, Air scan
profile, RRM profile, VAP profile, SSID profile, Security profile, Traffic
profile, Authentication profile*, AP system profile]
NOTE
● Profiles marked with an asterisk (*) can reference other profiles. Their referencing
relationships are not illustrated in this figure. For details, see the description of each profile.
● AP provisioning profiles cannot be referenced by other profiles and are only used to deliver
configurations to specified APs or AP groups. Therefore, this figure does not show AP
provisioning profiles.
● An AP radio can directly reference some profiles, including the radio profile, VAP profile,
WDS profile, and WDS whitelist profile.
NOTE
● If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound
to an AP group or AP.
For example, to configure air interface scan parameters, you can configure the
parameters in an air scan profile and bind the air scan profile to a radio profile,
which is then bound to an AP group or AP, as shown in Figure 4-21. After you
manually deliver the configurations, the configurations in the air scan profile take
effect on the APs. If referencing relationships between profiles are set in advance,
and parameters are configured in the air scan profile, the configurations in the
profile take effect after you manually deliver them.
[Figure. Configuration flow labels: Configure the AC to manage Fit APs; Create
an AP group; Configure a country code (in a regulatory domain profile);
Configure system parameters for the AC; Configure the source of AC interface;
Set the AP authentication mode and configure APs to go online; Configure the AC
to deliver WLAN services to Fit APs; Configure basic radio parameters (on
radios); Bind; AP or AP group]
Centralized AC Solution
The centralized AC solution deploys independent ACs to manage APs on the
network.
[Figure. Labels: NMS, AC, Core switch, Aggregation switch, Access switch, AP]
Distributed AC Solution
The distributed AC solution deploys multiple ACs in different areas to manage APs.
This mode integrates AC functions on an aggregation switch to manage all the
APs connected to the aggregation switch, without using an independent AC.
[Figure. Labels: Campus network, Campus egress gateway, NMS, Integrated AC,
Switch, AP]
[Figure. Labels: Campus network, Integrated AC (campus egress gateway), Switch,
AP]
[Figure. Labels: AP, AC, Access switch, Branch network, Branch egress gateway,
WAN, Headquarters network, Headquarters egress gateway, NMS (manages WLANs in a
unified manner)]
[Figure. Labels: AP, AC, Access switch, Branch network, Branch egress gateway,
WAN, Headquarters network, Headquarters egress gateway, NMS (manages WLANs in a
unified manner)]
[Figure. Labels: Internet, AC, AP, Online user, New online user, Enterprise
branch, WAN, Enterprise headquarters, NMS]
The basic WLAN service functions can be implemented only when all the following
configuration tasks are completed.
● Configure a common WLAN.
a. 4.8 Creating an AP Group: Create an AP group to reference WLAN
profiles.
b. 4.9 Configuring APs to Go Online: Configure APs to go online.
c. 4.10 Configuring STAs to Go Online: Enable STAs to access the network.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● Management VLAN and service VLAN must be different.
The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is
different from VLAN m', and VLAN s is different from VLAN s'.
● Figure 4-29 shows the process of forwarding management packets through
CAPWAP tunnels.
In Figure 4-29:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving
downstream management packets, the AC encapsulates the packets in
CAPWAP packets and tags them with VLAN m'. The switch removes the
tag VLAN m from the packets. The AP decapsulates the CAPWAP packets.
● Figure 4-30 shows the process of directly forwarding service data packets.
[Figure 4-30. Labels: STA, Internet, 802.11, Payload]
In Figure 4-30, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and forwards the packets to the destination.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets in 802.3 format reach the AP (the
packets are tagged with VLAN s' by upstream devices), the AP converts
the 802.3 packets into 802.11 packets and forwards them to the STA.
● Figure 4-31 shows the process of forwarding service data packets through
CAPWAP tunnels.
[Figure 4-31. Labels: STA, Internet, 802.11, Payload]
In Figure 4-31, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and encapsulates them in CAPWAP packets. The upstream switch
tags the packets with VLAN m. The AC decapsulates the CAPWAP packets
and removes the tag VLAN m' from the packets.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets reach the AC, the AC encapsulates the
packets in CAPWAP packets, allows the packets carrying VLAN s to pass
through, and tags the packets with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets, removes
VLAN s, converts the 802.3 packets into 802.11 packets, and forwards
them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated
packets. The intermediate devices between the AC and AP only need to
transparently transmit VLAN m and do not need to be configured with VLAN
s encapsulated in the CAPWAP packets.
[Figure. Labels: Internet, AC, SW2, SW1, CAPWAP tunnel, AP, STA; Management
VLAN: VLAN100; Service VLAN: VLAN101; legend: Data packet, Management packet]
[Figure. Labels: Internet, AC, SW2, SW1, CAPWAP tunnel, AP, STA; Management
VLAN: VLAN100; Service VLAN: VLAN101; legend: Data packet, Management packet]
NOTE
If any channel in the list does not comply with the local legal rules, contact technical support
personnel.
The maximum channel power specified by China is the maximum power of radio
interface. The actual signal transmit power is affected by factors such as antenna
gain, and may exceed 27 dBm. The maximum channel power specified by the
other country codes refers to the actual transmit power of radio signals.
Radar Channel
Channels 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, and 140
can be used as radar channels. If the channels supported by some countries or
regions overlap with the radar signals, avoid using the radar channels.
Each AP must join exactly one AP group. An AP group contains
configurations shared by all APs in the group. You can configure settings
specific to a single AP in the AP view.
Pre-configuration Tasks
Before creating an AP group, perform the task of CLI Login Configuration.
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
After an AP group is created, you need to add APs to the AP group so that the APs
can use configurations in the group. For details, see 4.9.6 Adding APs.
Pre-configuration Tasks
Before configuring APs to go online, perform the task of CLI Login Configuration.
Procedure
Perform the following steps in the listed order.
To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
online on the AC, and STAs to access the network, configure interconnections
between network devices.
The APs need to send service packets to STAs, and forward management packets
and STAs' service packets to the AC. When configuring network interconnections,
configure the management and service packets separately.
NOTE
The PVIDs of network device interfaces directly connected to the APs must be set to
management VLAN IDs.
Procedure
Step 1 Run system-view
----End
Context
A country code identifies the country to which AP radios belong. Different
countries support different AP radio attributes, including the transmit power and
supported channels. Correct country code configuration ensures that radio
attributes of APs comply with laws and regulations of countries and regions to
which the APs are delivered.
The country code is configured in a regulatory domain profile. Two configuration
scenarios are available:
● If the APs managed by an AC are located in the same country or region, you
only need to configure one country code.
● If the APs managed by an AC are located in different countries, you need to
configure different country codes for the APs.
As shown in Figure 4-34, APs using regulatory domain profile 1 in country 1 and
those using regulatory domain profile 2 in country 2 are all managed and
controlled by the same AC. In this situation, you need to configure the country
code of country 1 in regulatory domain profile 1 and that of country 2 in
regulatory domain profile 2.
[Figure 4-34. Labels: AC, PC, Switch_A (Headquarters, Country 1, AP regulatory
domain profile 1), Switch_B (Branch, Country 2, AP regulatory domain profile 2),
AP]
NOTE
When configuring an AC for the first time, you must configure the correct country code. The
country code must comply with local laws and regulations.
Procedure
Step 1 Run system-view
A regulatory domain profile is created, and the regulatory domain profile view is
displayed.
Modifying the country code in a regulatory domain profile will restart APs using
the profile.
Step 8 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Context
Each AC must have at least one VLANIF or loopback interface specified as the
source interface. All APs connected to the AC can learn the IP address of this
interface and use the IP address to communicate with the AC.
You can specify a VLANIF or loopback interface on the device as the AC source
interface.
● VLANIF interface: applies to the scenario where the APs that associate with
the AC belong to the same management VLAN.
● Loopback interface: applies to the scenario where the APs that associate with
the AC belong to different management VLANs. When the APs belong to
multiple management VLANs, the AC must have multiple VLANIF interfaces
configured. If one of the VLANIF interfaces is specified as the source interface,
none of the APs can go online when the source interface fails. A loopback
interface remains Up after being created. When a loopback interface is used
as the source interface and a VLANIF interface becomes faulty, only the AP
that connects to the VLANIF interface cannot go online.
Procedure
● Configure an IPv4 source interface.
– Specify a VLANIF interface as the source interface.
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
The created VLAN is a management VLAN.
iii. Run quit
Return to the system view.
iv. Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is
displayed.
v. Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF
interface.
vi. Run quit
Return to the system view.
vii. Run capwap source interface vlanif vlan-id
A VLANIF interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.
After the undo capwap source interface command is executed, all
APs go offline on the AC. Therefore, exercise caution before running
the command.
– Specify a loopback interface as the source interface.
i. Run system-view
The system view is displayed.
ii. Run interface loopback loopback-number
A loopback interface is created, and the loopback interface view is
displayed.
iii. Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the loopback
interface.
The IP address of a loopback interface must use a 32-bit mask.
iv. Run quit
Return to the system view.
v. Run capwap source interface loopback loopback-number
A loopback interface is specified as the source interface of the
CAPWAP tunnel established between the AP and AC.
If a source interface has been configured on the device, you must run
the undo capwap source interface command first before
configuring a new source interface.
----End
Context
A network element is a physical device or service unit on the network topology.
Each AC is a network element.
You can configure network element names for ACs so that the ACs can be
identified by an NMS.
Procedure
Step 1 Run system-view
----End
Prerequisites
Settings of AC system parameters are completed.
Procedure
● Run the display regulatory-domain-profile { all | name profile-name }
command to check configuration information about a regulatory domain
profile.
● Run the display references regulatory-domain-profile name profile-name
command to check reference information about a regulatory domain profile.
● Run the display capwap configuration command to check the source
interface of an AC.
● Run the display ac global configuration command to check global
configurations of an AC, including the AC's NE name.
----End
Context
After an AP is powered on and obtains an AC IP address, the AP begins to
establish CAPWAP tunnels with the AC. CAPWAP tunnels include control and data
tunnels.
The AC sends management packets over the control tunnel to manage APs in a
centralized manner. Data packets of users are all forwarded to the AC for
centralized processing through the data tunnel. To improve link reliability and
prevent CAPWAP control tunnels from being terminated when the service traffic
volume is high, configure a high priority for CAPWAP management packets.
CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption,
sensitive information encryption, integrity check, and heartbeat detection to
ensure security.
● DTLS encryption: When the AP establishes CAPWAP tunnels with the AC, the
AP determines whether to perform DTLS negotiation with the AC. The DTLS
protocol can be used to encrypt packets exchanged between the AP and AC to
ensure management packet integrity and privacy. Currently, the device can
only encrypt management packets using the pre-shared key (PSK).
● Sensitive information encryption: When sensitive information is transmitted
between the AC and APs, the encryption configuration can ensure information
security. Sensitive information includes the FTP user name/password, AP login
user name/password, and service configuration PSK.
● Integrity check: When transmitted between the AC and APs, CAPWAP packets
may be forged or tampered with, and malformed packet attacks may be
launched. The integrity check function can better protect the CAPWAP packets
between the AC and APs.
● Heartbeat detection: The AP and AC periodically exchange Echo packets to
determine whether the control tunnel is working properly and periodically
exchange Keepalive packets to determine whether the data tunnel is working
properly. If the AP or AC does not receive any response from the other after
Echo or Keepalive packets are sent for the specified number of times, the AP
and AC consider that the control or data tunnel is terminated. The tunnel
needs to be re-established.
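DTLS on the control tunnel is optional, as both the CAPWAP tunnel description earlier in this document and the DTLS item above state, so it is worth confirming from a packet capture that it is actually in use. The following Python code is an added example, not part of the original document or of the device software: it assumes the RFC 5415 header layout and message type numbers, and the function names and sample payloads are constructed for illustration.

```python
import struct

# Base CAPWAP control message types (RFC 5415); only the ones named here are listed.
MSG_NAMES = {
    1: "Discovery Request", 2: "Discovery Response",
    3: "Join Request", 4: "Join Response",
    7: "Configuration Update Request", 8: "Configuration Update Response",
    13: "Echo Request", 14: "Echo Response",
    19: "Primary Discovery Request", 20: "Primary Discovery Response",
}
# Discovery runs before any DTLS session exists, so these are always cleartext.
CLEARTEXT_EXPECTED = {1, 2, 19, 20}


def classify(payload: bytes) -> dict:
    """Classify one UDP payload captured on the CAPWAP control channel."""
    if len(payload) < 4:
        raise ValueError("shorter than any CAPWAP header")
    version, kind = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or kind not in (0, 1):
        raise ValueError(f"not a CAPWAP version 0 preamble: {payload[0]:#04x}")
    if kind == 1:   # CAPWAP DTLS header: everything after it is a DTLS record
        return {"protected": True, "type": None, "name": "DTLS record"}
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP header")
    word1, word2 = struct.unpack_from("!II", payload, 0)
    hlen = ((word1 >> 19) & 0x1F) * 4     # HLEN counts 4-byte words
    if (word2 >> 3) & 0x1FFF:             # non-zero fragment offset
        return {"protected": False, "type": None, "name": "fragment"}
    if hlen < 8 or len(payload) < hlen + 8:
        raise ValueError("truncated CAPWAP control header")
    msg_type, seq, _length, _flags = struct.unpack_from("!IBHB", payload, hlen)
    name = MSG_NAMES.get(msg_type, f"type {msg_type}")
    return {"protected": False, "type": msg_type, "seq": seq, "name": name}


def audit(payloads) -> list:
    """Return (index, finding) for every payload that should have been inside DTLS."""
    findings = []
    for index, payload in enumerate(payloads):
        try:
            info = classify(payload)
        except ValueError as exc:
            findings.append((index, f"malformed: {exc}"))
            continue
        if not info["protected"] and info["type"] not in CLEARTEXT_EXPECTED:
            findings.append((index, f"cleartext {info['name']}"))
    return findings


def cleartext_message(msg_type: int, seq: int) -> bytes:
    """Constructed cleartext control message: HLEN=2 words, WBID=1, no elements."""
    return struct.pack("!IIIBHB", (2 << 19) | (1 << 9), 0, msg_type, seq, 3, 0)


# Constructed DTLS-wrapped payload: 4-byte CAPWAP DTLS header plus a dummy record.
DTLS_PAYLOAD = b"\x01\x00\x00\x00" + bytes.fromhex("17fefd0001000000000001000400000000")

# Constructed capture 1: discovery in the clear, everything else inside DTLS.
SESSION_DTLS = [cleartext_message(1, 0), cleartext_message(2, 0),
                DTLS_PAYLOAD, DTLS_PAYLOAD]
# Constructed capture 2: DTLS not enabled, so Join and Echo are readable on the wire.
SESSION_CLEAR = [cleartext_message(1, 0), cleartext_message(2, 0),
                 cleartext_message(3, 1), cleartext_message(4, 1),
                 cleartext_message(13, 2)]

if __name__ == "__main__":
    print("DTLS capture:", audit(SESSION_DTLS))
    print("cleartext capture:", audit(SESSION_CLEAR))
```
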
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure CAPWAP tunnel parameters as required.
Procedure: Set the CAPWAP heartbeat detection. Configure the heartbeat
detection interval.
Command: capwap echo interval interval-value
By default, the CAPWAP heartbeat detection interval is 25s.
Description:
After the CAPWAP heartbeat detection interval is configured, the interval for
sending Echo packets is configured.
After the number of CAPWAP heartbeat detections is configured, the number of
times for sending Echo packets is configured.
If no response is received after packets are sent for the specified number of
times, the AP or AC considers the link between them is disconnected.
If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections smaller than the default values, the CAPWAP link
reliability is degraded. Exercise caution when you set the values.
The default values are recommended. If an AP goes offline unexpectedly, you
can set a larger CAPWAP heartbeat detection interval and a larger number of
CAPWAP heartbeat detections.
----End
Context
APs can be upgraded on an AC in the following two modes:
● Automatic upgrade: used when APs are not online on an AC yet. Usually,
automatic upgrade parameters are configured prior to AP access. When going
online, APs upgrade automatically.
For APs that are already online on the AC, you can trigger AP restart after
configuring the automatic upgrade parameters, and the APs upgrade
automatically during restart. Compared to the automatic upgrade, the in-
service upgrade can reduce service interruption time.
● In-service upgrade: mainly used when APs are already online on the AC and
carry WLAN services. For details about the in-service upgrade, see 4.11.1.3
Performing an In-Service Upgrade on APs.
In automatic upgrade mode, an AP checks whether its version is the same as that
configured on the AC, SFTP server, or FTP server during login. If the two versions
are different, the AP upgrades its version, restarts, and goes online again. If the
two versions are the same, the AP does not upgrade its version.
Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.
Procedure
Step 1 Run system-view
▪ When an external FTP server is used, the maximum number of APs that can
be upgraded simultaneously is the configured max-connect-number.
NOTE
▪ When an external SFTP server is used, the maximum number of APs that
can be upgraded simultaneously is the configured max-connect-number.
----End
Context
You can add APs in any of the following modes:
● Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections
with the APs if the MAC addresses or SNs of the APs match the configured
ones.
● Configuring the AC to automatically discover an AP: The AP authentication
mode is set to no authentication; alternatively, the AP authentication mode is
set to MAC or SN authentication and the AP whitelist is configured on the AC.
When an AP in the whitelist connects to the AC, the AC discovers the AP, and
the AP goes online.
● Manually confirming APs added to the list of unauthorized APs: The AP
authentication mode is set to MAC or SN authentication, and the AP whitelist
is configured on the AC. When an AP out of the whitelist connects to the AC,
the AC adds the AP to the list of unauthorized APs. After the AP identity is
confirmed, the AP can go online.
When you add an AP in any of the preceding modes, the AP cannot connect to the
AC if the MAC address of the AP is in the AP blacklist.
The AP blacklist and whitelist can be configured at the same time. However, the
MAC address of an AP cannot be added to the AP blacklist and whitelist at the
same time.
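The admission rules described above can be modelled as follows. This is an added example, not Huawei code: the class, method and enum names are hypothetical, the MAC addresses and SNs are constructed, and treating a manually confirmed AP like an imported one is a simplifying assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMode(Enum):
    NONE = "no authentication"
    MAC = "mac-auth"
    SN = "sn-auth"


class Decision(Enum):
    ONLINE = "goes online"
    UNAUTHORIZED = "added to the list of unauthorized APs"
    REJECTED = "cannot connect (blacklisted)"


def norm_mac(mac):
    """Reduce xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx notation to 12 hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class ACModel:
    """Toy model of the AC's AP admission rules as the text states them."""
    auth_mode: AuthMode = AuthMode.MAC               # default mode per the text
    blacklist: set = field(default_factory=set)
    whitelist_mac: set = field(default_factory=set)
    whitelist_sn: set = field(default_factory=set)
    imported_mac: set = field(default_factory=set)   # APs imported offline
    imported_sn: set = field(default_factory=set)
    unauthorized: list = field(default_factory=list)

    def add_blacklist(self, mac):
        mac = norm_mac(mac)
        if mac in self.whitelist_mac:   # one MAC cannot be in both lists
            raise ValueError("MAC is already in the whitelist")
        self.blacklist.add(mac)

    def add_whitelist_mac(self, mac):
        mac = norm_mac(mac)
        if mac in self.blacklist:
            raise ValueError("MAC is already in the blacklist")
        self.whitelist_mac.add(mac)

    def admit(self, mac, sn):
        mac = norm_mac(mac)
        # The blacklist applies in every mode, including no authentication.
        if mac in self.blacklist:
            return Decision.REJECTED
        # Offline import: the MAC address or SN matches a configured one.
        if mac in self.imported_mac or sn in self.imported_sn:
            return Decision.ONLINE
        # No authentication: any AP that is not blacklisted goes online.
        if self.auth_mode is AuthMode.NONE:
            return Decision.ONLINE
        if self.auth_mode is AuthMode.MAC and mac in self.whitelist_mac:
            return Decision.ONLINE
        if self.auth_mode is AuthMode.SN and sn in self.whitelist_sn:
            return Decision.ONLINE
        # Not in the whitelist: park the AP until an administrator confirms it.
        if (mac, sn) not in self.unauthorized:
            self.unauthorized.append((mac, sn))
        return Decision.UNAUTHORIZED

    def confirm(self, mac):
        """Administrator confirms an AP from the unauthorized list."""
        mac = norm_mac(mac)
        for entry in self.unauthorized:
            if entry[0] == mac:
                self.unauthorized.remove(entry)
                self.imported_mac.add(mac)   # assumption: treated as imported
                return True
        return False


if __name__ == "__main__":
    ac = ACModel()                           # MAC address authentication
    ac.add_whitelist_mac("00e0-fc00-0001")   # constructed sample values
    ac.add_blacklist("00e0-fc00-0002")
    for mac, sn in [("00e0-fc00-0001", "SN-A"),
                    ("00e0-fc00-0002", "SN-B"),
                    ("00e0-fc00-0003", "SN-C")]:
        print(mac, "->", ac.admit(mac, sn).value)
```

Switching the model to `AuthMode.NONE` shows why the non-authentication mode is the risky one: every AP that is not explicitly blacklisted goes online.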
Procedure
● Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command
to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN
authentication.
The non-authentication mode brings security risks. You are advised to set
the authentication mode to MAC address authentication or SN
authentication, which is more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan ac command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ]
command to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the
AP authentication mode to MAC address authentication or SN
authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to
add the AP with the specified MAC address to the whitelist if the
AP authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add
the AP with the specified SN to the whitelist if the AP
authentication mode is set to SN authentication.
By default, no SN is added to the AP whitelist.
● Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command
to add the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN
authentication.
The default AP authentication mode is MAC address authentication.
e. Run the display ap unauthorized record command to check information
about unauthorized APs.
----End
Context
Before deploying APs onsite, complete network planning operations, for example,
configure the AC and involved NEs, and add APs on the AC. After APs are
connected to the network and powered on, they can automatically upgrade and
go online. Users do not need to perform other configurations on the APs onsite.
You can check whether the APs go online properly on the AC as planned. If the AP
status displays as normal, the APs have gone online properly.
Procedure
● Run the display ap all command to check whether APs go online on an AC.
----End
Procedure
4.10.1 Configuring a Radio and 4.10.2 Configuring a VAP can be performed in
any sequence. After all configuration tasks are complete, perform 4.10.3
Delivering the WLAN Service Configuration first and then 4.10.4 Checking the
STA Online Result.
Context
You need to configure different radio parameters for AP radios based on actual
WLAN environments, enabling the AP radios to work at the optimal performance.
You can configure basic radio parameters in the AP group radio view and AP radio
view. The configuration in the AP group radio view takes effect on all specified AP
radios in an AP group and that in the AP radio view takes effect only on a
specified AP radio. The configuration in the AP radio view has a higher priority
than that in the AP group radio view.
Procedure
Step 1 Run system-view
----End
Context
Basic radio parameters are directly configured on radio interfaces, while other
radio parameters are configured in a radio profile. The radio profile is classified
into the 2G and 5G radio profiles. The configurations in the 2G and 5G radio
profiles take effect on 2.4 GHz and 5 GHz radios, respectively. The commands in
the 2G radio profile are used to configure 2.4 GHz radio parameters while those in
the 5G radio profile are used to configure 5 GHz radio parameters. 4.10.1.4
(Optional) Adjusting Radio Parameters describes different commands used for
the 2G and 5G radio profiles. Unless otherwise specified, the other commands are
applicable to both the 2G and 5G radio profiles.
The 2.4 GHz radio supports the 802.11bgn radio mode, and the 5 GHz radio
supports the 802.11an and 802.11ac radio modes. When connecting to a wireless
network, STAs automatically negotiate the radio mode with their connected APs.
By default, the system provides the 2G radio profile default and 5G radio profile
default, and the two radio profiles are bound to all AP groups. Using the default
radio profiles can simplify user operations. However, in actual scenarios, you are
advised to create different radio profiles and configure parameters in the profiles
according to service requirements.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
----End
Context
When a STA associated with an AP detects a channel switch on the AP, the STA
needs to reassociate with the AP on the new channel. During this process, services
of the STA are interrupted, degrading users' Internet experience. After smooth
channel switching is configured, when the AP channel needs to be switched, the
AP requests STAs to switch the channel after a fixed number of Beacon intervals
so that the STAs and AP switch the channel simultaneously. Smooth channel
switching can prevent STA reassociations and ensure rapid service recovery to
improve users' Internet experience.
The channel switching announcement function must be supported by both the AP
and STA.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run undo channel-switch announcement disable
The channel switch announcement function is enabled.
By default, the AP sends an announcement when the channel is switched.
----End
Context
You can adjust and optimize radio parameters to adapt to different network
environments, enabling APs to provide required radio capabilities and improving
signal quality of WLANs.
After parameters in a radio profile are delivered to an AP, only the parameters
supported by the AP can take effect.
Procedure
Step 1 Run system-view
----End
Context
After the configuration in a radio profile is complete, you need to bind the radio
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to
APs, the configuration in a radio profile can take effect on the APs.
After a radio profile is applied to an AP group or AP, the parameter settings in the
profile take effect on all radios of the AP group or AP. After a radio profile is
applied in the AP group radio or AP radio view, the parameter settings in the
profile take effect on the specified AP radio or radios in the AP group. The
configuration under an AP and AP radio has a higher priority than that under an
AP group and AP group radio. The 2G and 5G radio profiles take effect on 2G and
5G radios, respectively.
Procedure
● Bind a radio profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.
By default, the 2G radio profile default and 5G radio profile default are
bound to an AP group.
● Bind a radio profile to an AP.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { id | all } } command to bind the
radio profile to the radio.
By default, the 2G radio profile default and 5G radio profile default are
bound to an AP group radio.
● Apply a radio profile in the AP radio view.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the radio radio-id command to enter the radio view.
e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name
command to bind the radio profile to the radio.
----End
Prerequisites
The radio profile configuration is complete.
Procedure
● Run the display radio-2g-profile { all | name profile-name } command to
check configuration and reference information about a 2G radio profile.
● Run the display radio-5g-profile { all | name profile-name } command to
check configuration and reference information about a 5G radio profile.
● Run the display references radio-2g-profile name profile-name command to
check reference information about a 2G radio profile.
● Run the display references radio-5g-profile name profile-name command to
check reference information about a 5G radio profile.
● Run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check configurable channels supported by an AP.
● Run the display ap config-info { ap-name ap-name | ap-id ap-id } command
to check the AP configuration.
----End
Context
After you create a VAP profile, configure parameters in the profile. After the
profile is applied in the AP group view, AP view, AP radio view, or AP group radio
view, VAPs are generated and can provide wireless access services for STAs. You
can configure different parameters in the VAP profile to enable APs to provide
different wireless services.
Procedure
Step 1 Run system-view
----End
Context
Packets transmitted on a WLAN include control packets (management packets)
and data packets. Control packets are forwarded through CAPWAP control tunnels.
Data packets are forwarded in tunnel forwarding (centralized forwarding) or direct
forwarding (local forwarding) mode according to whether data packets are
forwarded through CAPWAP data tunnels.
Table 4-6 lists the comparison between tunnel forwarding and direct forwarding.
Direct forwarding
● Service data does not need to be forwarded by an AC, improving packet
forwarding efficiency and reducing the burden on the AC.
● Service data cannot be centrally managed or controlled. New device
deployment causes large changes to the existing network.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run forward-mode { direct-forward | tunnel }
A data forwarding mode is configured in a VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 5 (Optional) Run qos group qos-group-value
A QoS group to which packets belong is configured.
By default, packets do not belong to any QoS group.
NOTE
● The QoS group bound to a VAP profile takes effect only in tunnel forwarding mode but
not in direct forwarding mode.
● This command takes effect after CAPWAP packets are decapsulated. That is, this
command takes effect only for outgoing packets and applies to forwarding from the
LAN to the WAN.
● Only V300R019C11 and later versions support this function.
----End
Context
Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.
Since WLANs provide flexible access modes, STAs may connect to the same WLAN
at the office entrance or stadium entrance, and then roam to different APs. If a
single VLAN is configured as the service VLAN, IP address resources may become
insufficient in areas where many STAs access the WLAN, and IP addresses in the
other areas are wasted.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run service-vlan { vlan-id vlan-id }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
----End
Context
You can perform the following configurations to improve VAP security: enable STA
address learning, strict STA IP address learning through DHCP, IP source guard on
an AP, and disable DHCP trusted port functions on an AP.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Improve VAP security.
----End
Context
You can flexibly adjust VAP parameters to adapt to different network
requirements.
Procedure
Step 1 Run system-view
NOTE
The VAP profile in which the VAP type is set to management AP can only be applied to one
radio of an AP.
----End
Context
As WLAN technology uses radio signals to transmit service data, service data can
easily be intercepted or tampered with by attackers when being transmitted on the
open wireless channels. Security is critical to WLANs. You can create a security
profile to configure security policies, which protect privacy of users and ensure
data transmission security on WLANs.
A security profile provides four WLAN security policies: Wired Equivalent Privacy
(WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and
Privacy Infrastructure (WAPI). Each security policy has a series of security
mechanisms, including the link authentication mechanism used to establish a
wireless link, user authentication mechanism used when users attempt to connect
to a wireless network, and data encryption mechanism used during data
transmission.
If no security policy is configured during the creation of a security profile, the
default authentication mode (open system authentication) is used. When a user
searches for a wireless network, the user can connect to the wireless network
without being authenticated.
The default security policy has low security. You are advised to configure a proper
security policy. For details on how to configure security policies, see WLAN
Security Configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
----End
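An added example (not part of the product documentation) that audits security profiles for the open system default described above. It reads a constructed configuration excerpt; the indentation-based layout is an assumption, the security command forms are the ones this guide gives for the security command, and flagging WEP, WPA and TKIP as legacy is the example's own policy.

```python
import re

# Constructed sample in the style of a saved AC configuration. The nesting by
# indentation and the key strings are assumptions made for this example.
SAMPLE_CONFIG = """\
wlan ac
 security-profile name guest
 security-profile name legacy
  security wep share-key
 security-profile name mixed
  security wpa-wpa2 psk pass-phrase EXAMPLE-KEY-1 aes-tkip
 security-profile name staff
  security wpa2 psk pass-phrase EXAMPLE-KEY-2 aes
 vap-profile name staff-vap
  security-profile staff
"""

PROFILE_RE = re.compile(r"^security-profile name (\S+)$")
PSK_RE = re.compile(
    r"^security (wpa|wpa2|wpa-wpa2) psk (pass-phrase|hex) (\S+) (aes|tkip|aes-tkip)$"
)


def parse_profiles(text):
    """Return {profile name: [security command lines]} in file order."""
    profiles = {}
    current, current_indent = None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        match = PROFILE_RE.match(line)
        if match:
            current, current_indent = match.group(1), indent
            profiles.setdefault(current, [])
        elif current is not None and indent > current_indent:
            if line.startswith("security "):
                profiles[current].append(line)
        else:
            current = None  # left the security profile view
    return profiles


def audit_profile(commands):
    """Return findings for one profile; key material is never echoed."""
    if not commands:
        # No policy configured: the default open system authentication applies.
        return ["open system: STAs connect without being authenticated"]
    findings = []
    for cmd in commands:
        if cmd.startswith("security wep"):
            findings.append("WEP configured: legacy policy")
            continue
        match = PSK_RE.match(cmd)
        if not match:
            # Report only the first two tokens so a key cannot leak.
            findings.append("unrecognized: " + " ".join(cmd.split()[:2]))
            continue
        policy, _fmt, _key, cipher = match.groups()
        if policy != "wpa2":
            findings.append(f"policy {policy} permits WPA (version 1)")
        if cipher != "aes":
            findings.append(f"cipher {cipher} permits TKIP")
    return findings


def audit(text):
    """Audit every security profile found in a configuration text."""
    return {name: audit_profile(cmds)
            for name, cmds in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```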
Context
To protect network resources and prevent network congestion, configure a traffic
profile to limit the rate of traffic entering the WLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run rate-limit { client | vap } { up | down } rate-value
The rate limit of upstream and downstream packets is configured for all STAs or
each STA on a VAP.
By default, the rate limit for upstream and downstream packets of all STAs on a
VAP is 4294967295 kbit/s, and that of each STA is 4294967295 kbit/s.
Step 5 Run quit
Return to the WLAN view.
----End
Context
SSIDs identify different wireless networks. When you search for available wireless
networks on your laptop, the displayed wireless network names are SSIDs. In an
SSID profile, you can define an SSID name and configure related parameters. After
the SSID profile configuration is complete, bind the SSID profile to a VAP profile.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
An SSID profile is created, and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 4 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 5 (Optional) Run ssid-hide enable
SSID hiding in Beacon frames is enabled.
By default, SSID hiding in Beacon frames is disabled in an SSID profile.
When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure
security. Only the users who know the SSID can connect to the WLAN.
Step 6 (Optional) Run max-sta-number max-sta-number
The maximum number of successfully associated STAs on a VAP is configured.
By default, a VAP allows for a maximum of 64 successfully associated STAs.
The more users that access a VAP, the fewer network resources each user can
occupy. To ensure Internet experience of users, you can configure a proper
Due to individual reasons, some terminals may not run services normally when
entering energy-saving mode. You can run the active-dull-client enable
command to enable the function of preventing terminals from entering energy-
saving mode. After that, an AP frequently sends null data frames to these
terminals to prevent them from entering energy-saving mode, ensuring normal
services.
Step 12 Run quit
Return to the WLAN view.
Step 13 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 14 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.
----End
Context
After the configuration in a VAP profile is complete, you need to bind the VAP
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to
APs, the configuration in a VAP profile can take effect on the APs.
After a VAP profile is applied to an AP group or AP, the parameter settings in the
profile take effect on all radios of the AP group or AP. After a radio profile is
applied in the AP group radio or AP radio view, the parameter settings in the
profile take effect on the specified AP radio or radios in the AP group.
Procedure
● Bind a VAP profile to an AP group.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-group name group-name command to enter the AP group
view.
d. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ]
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind a VAP profile to an AP.
a. Run the system-view command to enter the system view.
b. Run the wlan ac command to enter the WLAN view.
c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
d. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ]
command to bind the VAP profile to the radio.
----End
Prerequisites
The configuration of the VAP, security, and SSID profiles is complete.
Procedure
● Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-
name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ]
command to check service VAP information.
● Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
● Run the display references vap-profile name profile-name command to
check reference information about a VAP profile.
● Run the display security-profile { all | name profile-name } command to
check configuration and reference information about a security profile.
● Run the display references security-profile name profile-name command to
check reference information about a security profile.
● Run the display ssid-profile { all | name profile-name } command to check
configuration and reference information about an SSID profile.
● Run the display references ssid-profile name profile-name command to
check reference information about an SSID profile.
● Run the display vap create-fail-record all command to check records about
VAP creation failures.
● Run the display wlan config-errors command to check WLAN configuration
errors.
----End
Context
The WLAN service parameters configured on an AC take effect only after you run
the commit command to deliver the configuration to APs.
NOTE
If you commit configurations to a large number of APs simultaneously, some of the APs may fail
to receive the configurations. In this case, you are advised to commit the configurations again.
Procedure
Step 1 Run system-view
Step 3 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Context
After basic WLAN service configurations are complete, APs generate WLAN signals
in their coverage ranges. Users can use STAs, such as mobile phones and laptops
with wireless network adapters to associate with WLANs of the configured SSIDs.
After entering the user names and passwords, users can associate with the
WLANs. By checking the STA online result, you can see which STAs are connected
to the WLAN.
Procedure
● Run the display station { ap-group ap-group-name | ap-name ap-name |
ap-id ap-id | ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all }
command to check STA access information.
----End
Procedure
The following tasks can be performed in any sequence.
Context
When an AP name conflicts with another AP name or you need to change an AP
name to a more suitable name, you can modify the AP name.
Procedure
Step 1 Run system-view
Step 3 Run ap-rename { ap-name name | ap-mac ap-mac-address | ap-id ap-id } new-
name ap-new-name
NOTE
----End
Context
If the current AP group is not applicable to an AP or the AP is added to an
incorrect AP group, you can modify configurations to add the AP to a new AP
group.
NOTICE
Procedure
Step 1 Run system-view
NOTE
The AP group to which an AP is added must have been created using the ap-group name
group-name command.
----End
Context
To upgrade the functions or versions of an existing WLAN, perform an in-service
upgrade on APs on the WLAN.
● AP upgrade based on the AP group: allows you to upgrade APs in the same
AP group.
NOTE
In an in-service upgrade, if APs fail to load the upgrade file and are reset, APs are upgraded
automatically.
Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run the following commands as required.
● FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
The default upgrade mode is ftp-mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username
ftp-username ftp-password cipher ftp-password
Basic FTP information is configured.
By default, an FTP server has no IP address, name, or password
configured.
c. Run ap update ftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is
configured.
By default, a maximum of 50 APs can be upgraded simultaneously in FTP
mode.
NOTE
An external FTP server can be used, which is recommended. The AC can also function
as the FTP server.
▪ When an external FTP server is used, the maximum number of APs that can be
upgraded simultaneously is the configured max-connect-number.
An external SFTP server can be used, which is recommended. The AC can also
function as the SFTP server.
▪ When an external SFTP server is used, the maximum number of APs that can be
upgraded simultaneously is the configured max-connect-number.
----End
4.11.1.4 Resetting an AP
Context
If an AP cannot work properly after being upgraded, reset the AP. You can run the
display ap all command to check the AP State field to determine whether an AP
is working properly. If the State field displays name-conflicted, ver-mismatch,
config, config-failed, committing, or commit-failed, an AP fails to work properly.
NOTICE
Exercise caution when resetting an AP because services on the AP will be
interrupted.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are reset.
----End
Context
You can delete the current and historical user configurations and restore the
factory settings of APs.
NOTICE
Restoring the factory settings of an AP will reset the AP and restore all the AP
configurations to factory settings.
Procedure
Step 1 Run system-view
----End
4.11.1.6 Deleting an AP
Context
To disconnect an AP from the current AC or enable an AP to go online on another
AC, you can delete the AP from the current AC.
NOTICE
Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution
when you delete an AP.
Procedure
Step 1 Run system-view
Step 3 Run undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group
group-name | all }
An AP is deleted.
----End
Procedure
● Run the display ap { all | ap-group ap-group } command to check AP
information.
● Run the display ap update configuration command to check the AP upgrade
configuration.
● Run the display ap update status { all | downloading | failed | succeed | ap-
name ap-name | ap-id ap-id } command to check the AP upgrade progress.
● Run the display ap-type { all | id type-id | type ap-type } command to check
information about AP types.
● Run the display ap version { all | { ap-group ap-group-name | version-name
version-name } * } command to check information about AP versions.
----End
Context
You can log in to an AP through the console port, STelnet, SFTP, or Telnet in wired
mode. When login to an AP is not required, the login modes are disabled to
ensure AP security and prevent unauthorized users from logging in through
them. To log in to the AP, enable one or more login modes.
Procedure
Step 1 Run system-view
The default username and password are available in AR Router Default
Usernames and Passwords (Enterprise Network or Carrier). If you do not have
access permission for the document, see Help on the website to find
out how to obtain it.
Step 12 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Context
In addition to logging in through a wired interface, you can log in to an AP
through Telnet over WLANs. Currently, only the Telnet login mode is supported in
wireless mode. To log in to an AP wirelessly through Telnet, set the VAP type to
management AP, configure an IP address in the same network segment as the AP
for a STA, and telnet to the IP address of the AP.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
The default username and password are available in AR Router Default
Usernames and Passwords (Enterprise Network or Carrier). If you do not have
access permission for the document, see Help on the website to find
out how to obtain it.
Step 4 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 5 Run telnet enable
The Telnet service function is enabled.
By default, Telnet is disabled on an AP.
Step 6 Run quit
Return to the WLAN view.
NOTE
The VAP profile in which the VAP type is set to management AP can only be applied to one
radio of an AP.
----End
Context
During WDS network deployment, you can configure antenna alignment VAPs for
WDS nodes to facilitate antenna alignment between neighboring APs. When
commissioning the network onsite, connect a mobile terminal to an antenna
alignment VAP and start the antenna alignment program on the terminal to
collect signal strength information of the peer AP radio. The collected information
makes antenna alignment easier.
You can log in to Huawei technical support website and search for Probe Handset
Unit to download the Antenna Alignment program.
● Enterprise technical support website: https://support.huawei.com/enterprise
● Carrier technical support website: https://support.huawei.com
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile used by antenna alignment VAPs is created and the security
profile view is displayed.
By default, security profiles default and default-wds are available in the system.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value
{ aes | tkip | aes-tkip }
The security policy and key are configured.
By default, the security policy is open system.
NOTE
The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication mode.
You can run the security wep share-key and wep key key-id { wep-40 | wep-104 | wep-128 }
{ pass-phrase | hex } key-value commands to configure WEP authentication.
Step 17 Apply the VAP profile. You can use any of the following methods:
● Bind the VAP profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the radio radio-id command to enter the radio view.
c. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to AP group radios.
By default, no VAP profile is bound to a radio.
● Bind the VAP profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to the AP radio.
By default, no VAP profile is bound to a radio.
Step 18 Run quit
Return to the WLAN view.
Step 19 Apply the AP system profile. You can use any of the following methods:
● Bind the AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
● Bind the AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
----End
Context
AP indicators show different states, which helps with installation and
management. Configuring what the blinking of the Wireless indicator represents
lets installation personnel see the current signal strength or traffic status in
real time. However, blinking indicators on indoor APs deployed in hospitals and
hotels may disturb people's rest at night. You can therefore turn off AP
indicators after the APs are installed and running properly.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run led off
The AP indicators are turned off.
By default, the AP indicators are allowed to turn on.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
A 2G or 5G radio profile is created and the radio profile view is displayed.
By default, the system provides the 2G radio profile default and 5G radio profile
default.
By default,
● If WDS is enabled on an AP, the blinking frequency of the Wireless LED
reflects the strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless
LED reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED
reflects the weakest signal strength of middle APs.
● If the WDS functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
NOTE
This command takes effect only when the AP has the WDS function enabled. If the WDS
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Only APs having Wireless LEDs support this command.
----End
Context
Generally, the PVID of the access device interface to which an AP directly connects
is configured as the management VLAN ID. For details, see 4.5 Configuration
Precautions for Basic WLAN Services. Management packets sent by the AP are
then transmitted on CAPWAP tunnels. When the packets arrive at the access
device, the access device adds the PVID to the packets as their VLAN tags. If the
PVID of the access device has been used as the default VLAN tag of wired users,
the PVID cannot be configured as the management VLAN ID on the access device
interface. In this case, configure a management VLAN on the AP. The AP then
encapsulates the control packets sent to the AC in CAPWAP packets and adds the
management VLAN ID to the packets as their VLAN tags. You only need to
configure the access device to allow only the packets carrying the management
VLAN ID to pass.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run management-vlan vlan-id
A management VLAN is configured for an AP.
By default, no management VLAN is configured for an AP.
NOTE
Step 8 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Context
● You can configure alarm thresholds on an AP to monitor the AP in real time.
When the configured thresholds are exceeded, the AP generates alarms or
logs to notify the AC of AP status.
The default alarm thresholds are recommended.
● If a STA cannot go online because of a security type mismatch, UAC, or because the
maximum number of access users has been exceeded, the STA automatically tries to
reconnect to the AP. During this period, the AP sends a large number of STA
association failure alarms to the AC, which degrades system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does
not report alarms repeatedly in the alarm suppression period, preventing
alarm storms.
Procedure
Step 1 Run system-view
AP5030DN/AP5130DN 87
AP6010SN-GN 85
AP6010DN-AGN 102
AP6310SN-GN 94
AP6510DN-AGN 88
AP6510DN-AGN-US 81
AP6610DN-AGN 104
AP6610DN-AGN-US 100
AP7110SN 76
AP7110DN 89
AP7030DE/AP8030DN/AP8130DN/AP9330DN 83
AP9131DN 84
NOTE
AP6010SN-GN/AP6010DN-AGN/AP6310SN-GN/AP7110DN-AGN/AP7110SN-GN/AP9330DN -13
AP6510DN-AGN/AP6610DN-AGN/AP6510DN-AGN-US/AP6610DN-AGN-US/AP8030DN/AP8130DN/AP9131DN -43
AP5030DN/AP5130DN -28
AP7030DE -23
NOTE
----End
Context
● Logs record user operations and system running information. After logs are
backed up to a server, network administrators can summarize and analyze AP
logs to learn about the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
● If a STA keeps attempting to connect to an AP because of signal interference
or instability, the AP sends a large number of duplicate login and logoff logs
to the AC in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log
about a user to the AC within the log suppression period.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user syslog-restrain period period
The period of system log suppression is configured.
By default, the period of system log suppression is 300s.
Step 3 Run access-user syslog-restrain enable
The system log suppression function is enabled.
By default, system log suppression is enabled.
Step 4 Run wlan ac
The WLAN view is displayed.
Step 5 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 6 Run log-server ip-address server-ip-address
A log server IP address is configured, and log backup is enabled.
By default, the log server IP address is not configured in an AP system profile and
log backup is disabled on an AP.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind an AP system profile to an AP group or AP.
● Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group
view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP group.
By default, the AP system profile default is bound to an AP group.
● Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
b. Run the ap-system-profile profile-name command to bind the AP
system profile to the AP.
By default, no AP system profile is bound to an AP.
Step 9 Run quit
Return to the WLAN view.
Step 10 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.
----End
Context
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and
management address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors. After the AP discovers a neighbor, the AP sends neighbor
information to the AC. The NMS then obtains the AP's LLDP information from the AC
to learn about the network topology.
To enable an AP to discover neighbors, enable LLDP on both the AP and the access
device to which the AP directly connects.
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view
and the AP wired port link profile view.
Step 4 (Optional) Configure LLDP in the AP wired port link profile view.
1. Run the port-link-profile name profile-name command to create an AP
wired port link profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
2. Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.
NOTE
An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN
view and the AP wired port link profile view.
3. Run the lldp tlv-enable basic-tlv { all | management-address |
port-description | system-capability | system-description | system-name }
command to specify the types of TLVs that can be advertised from an AP's
wired port.
By default, an AP wired interface advertises all types of TLVs.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to create an AP
wired port profile and enter the AP wired port profile view.
By default, the system provides the AP wired port profile default.
6. Run the port-link-profile profile-name command to bind the AP wired port
link profile to an AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port
profile.
7. Run the quit command to return to the WLAN view.
Step 5 Configure LLDP in the WLAN view.
1. Run the ap-system-profile name profile-name command to create an AP
system profile and enter the AP system profile view.
By default, the system provides the AP system profile default.
2. Run the lldp admin-status { rx | tx | txrx } command to configure the LLDP
mode on the AP.
By default, the LLDP operation mode of an AP is TxRx.
3. (Optional) Run lldp report-interval interval-time
----End
Context
To mitigate the impact of link disconnections on users in direct forwarding mode and
improve service reliability, you can configure the function of service holding upon
CAPWAP link disconnection. After the disconnected CAPWAP link is restored, the
AP forces all online STAs to go offline and reassociate with the AP and reports
information about the STAs through logs.
NOTE
● Service holding upon CAPWAP link disconnection is only applicable to the direct forwarding
mode.
● WDS networks do not support service holding upon CAPWAP link disconnection.
Procedure
Step 1 Run system-view
Service holding upon CAPWAP link disconnection is enabled. After that, the AP can
still provide data services when the CAPWAP link is disconnected.
By default, all services on the AP are interrupted after the CAPWAP link between
the AP and AC is disconnected.
User access upon CAPWAP link disconnection is enabled. After that, the AP can
still allow new users to access when the CAPWAP link is disconnected.
By default, the APs in fault state are disabled from allowing access of new STAs.
----End
Context
This task is to configure an AP to directly respond to association requests of STAs
and configure the MTU of Ethernet port in the AP system profile and the
Extensible Authentication Protocol (EAP) packet conversion function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mtu mtu-value
The MTU of Ethernet ports is configured in an AP system profile.
By default, the MTU of Ethernet ports in an AP system profile is 1500 bytes.
The size of data packets is limited at the network layer. When a network layer
device receives an IP packet, it determines the outbound interface and obtains the
MTU configured on the interface. The device then compares the MTU with the IP
packet length. If the IP packet is longer than the MTU, the device fragments the
IP packet. Each fragment is no larger than the MTU.
NOTE
If the MTU value is smaller than the DHCP packet length, the AP may be disconnected. In this
case, restart the AP.
Step 9 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Procedure
● Run the display ap-system-profile { all | name profile-name } command to
check configuration and reference information about an AP system profile.
● Run the display references ap-system-profile name profile-name command
to check reference information about an AP system profile.
----End
Context
Managing an AP's wired interface includes configuring AP wired interface
parameters and link layer parameters.
Procedure
Step 1 Run system-view
An AP wired port profile is created, and the AP wired port profile view is displayed.
By default, the system provides the AP wired port link profile default.
2. Run the crc-alarm enable [ high-threshold high-threshold-value |
low-threshold low-threshold-value ]* command to configure the alarm function
for CRC errors on an AP's wired interface, and set the alarm threshold and
clear alarm threshold.
By default, the alarm function for CRC errors is disabled on the AP wired
interface. The alarm threshold for CRC errors is 50 and the clear alarm
threshold is 20.
3. Run the shutdown command to disable the AP's wired interface.
The shutdown command takes effect only on AP's wired interfaces working in
endpoint or middle mode but not on those working in root mode.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to enter the AP
wired port profile view.
6. Run the port-link-profile profile-name command to bind the AP wired port
link profile to the AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port
profile.
7. Run the quit command to return to the WLAN view.
Step 9 Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
----End
Context
On wireless networks, the radio transmission medium is easily affected by
interference from the surroundings, and the transmission quality of service data
varies greatly with that interference. Therefore, you must evaluate and check the
transmission quality of wireless links to ensure better service data transmission
and efficient cooperation between densely deployed wireless networks, and to
reduce signal interference. Use the RF ping function to exchange data packets
between APs and STAs and check the transmission quality of wireless links. The link
check result includes the signal strength, radio interface rate, and packet sending
delay, which together indicate the transmission quality of wireless links.
Procedure
Step 1 Run system-view
----End
Context
When a network fault occurs, use an AP to ping other network devices to check
the connectivity.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m
time | -t timeout ] * host command to ping a network device from an AP to check
network connectivity between them.
----End
Context
After AP online and management AP configurations are complete, run the
following commands in any view to check AP running statistics.
Procedure
● Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to
check AP running information.
● Run the display ap performance statistics { ap-name ap-name |
ap-id ap-id } command to check AP performance statistics.
● Run the display radio { all | ap-group ap-group-name | ap-name ap-name |
ap-id ap-id } command to check AP radio information.
Context
You can view neighbor information on a specified AP radio to determine the AP
location and neighbor relationship, helping locate rogue APs and plan the WLAN.
Procedure
Step 1 Run the display ap lldp neighbor { { ap-name ap-name | ap-id ap-id }
[ interface interface-type interface-number ] | brief } command to check LLDP
neighbor information on an AP.
Step 2 Run the display ap neighbor { ap-name ap-name | ap-id ap-id } [ radio radio ]
command to check information about neighbors of a radio.
Step 3 Run the display ap around-ssid-list { ap-name ap-name | ap-id ap-id }
command to check SSIDs of an AP's neighbors.
----End
Context
You can check AP online failure records and offline records to find out why APs
failed to go online or went offline. This helps the maintenance personnel manage
and maintain the APs.
Procedure
● Run the display ap online-fail-record { all | mac mac-address } command to
check AP online failure records.
Context
Before re-collecting AP online failure and offline records, you can clear AP online
failure records and offline records. This helps the maintenance personnel manage
and maintain APs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.
Procedure
● Run the reset ap online-fail-record { all | mac mac-address } command to
clear AP online failure records.
● Run the reset ap offline-record { all | mac mac-address } command to clear
AP offline records.
----End
Context
You can clear the list of unauthorized APs to remove the records of removed or
unauthenticated APs that have disconnected from an AC. This operation helps
re-collect and confirm unauthenticated APs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan ac
The WLAN view is displayed.
Step 3 Run reset ap unauthorized record
The list of unauthorized APs is cleared.
----End
Context
After STAs successfully associate with an AP, you can run the following commands
in any view to monitor the STA running status.
Procedure
● Run the display station { ap-group ap-group-name | ap-name ap-name |
ap-id ap-id | ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all }
command to check STA access information.
● Run the display station statistics [ sta-mac sta-mac-address |
ap-name ap-name | ap-id ap-id ] command to check STA statistics.
● Run the display ap sta-signal strength { ap-name ap-name | ap-id ap-id }
[ radio radio-id ] command to check the average signal strength of STAs on
an AP.
----End
Context
You can check STA online failure and offline records to locate online failure and
offline reasons. This helps the maintenance personnel rectify the fault, enabling
STAs to connect to the wireless network properly.
Procedure
● Run the display station online-fail-record { all | ap-name ap-name | ap-id
ap-id | sta-mac sta-mac-address } command to check records about STA
online failures.
● Run the display station offline-record { all | ap-name ap-name | ap-id ap-id
| sta-mac sta-mac-address } command to check STA offline records.
----End
Context
Before re-collecting STA online failure and offline records, clear STA online failure
records and offline records. This helps the maintenance personnel manage and
maintain STAs.
NOTE
The cleared records cannot be restored. Therefore, exercise caution when performing these
operations.
Procedure
● Run the reset station online-fail-record { all | ap-name ap-name |
ap-id ap-id | sta-mac sta-mac-address } command to clear STA online failure records.
● Run the reset station offline-record { all | ap-name ap-name | ap-id ap-id |
sta-mac sta-mac-address } command to clear STA offline records.
----End
Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.
Networking Requirements
As shown in Figure 4-35, the AP is directly connected to the AC. An enterprise
branch needs to deploy WLAN services for mobile office so that branch users can
access the enterprise internal network from anywhere at any time.
The following requirements must be met:
● A WLAN named wlan-net is available.
● Branch users are assigned IP addresses on 10.10.11.0/24.
[Figure 4-35: networking diagram. The AC connects upstream to the network and,
through Eth2/0/0 (VLAN 100, VLAN 101), to AP area_1 (management VLAN 100, service
VLAN 101), which serves the STAs.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Layer 2 connections between the AP, AC, and upstream device.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require
the same configuration can be added to the group for unified
configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that
the AP can go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
IP address pool for the AP    10.10.10.2-10.10.10.254/24
IP address pool for STAs      10.10.11.2-10.10.11.254/24
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce the impact of a
large number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Connect the AP and AC.
# Add Eth2/0/0 to management VLAN 100 and service VLAN 101.
NOTE
You are advised to configure port isolation on Eth2/0/0 that connects the AC to the AP. If
port isolation is not configured, many broadcast packets will be transmitted in the VLANs or
WLAN users on different APs can directly communicate at Layer 2.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 101
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk pvid vlan 100
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101
[AC-Ethernet2/0/0] port-isolate enable
[AC-Ethernet2/0/0] quit
Step 2 Configure the AC as a DHCP server to allocate IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the interface IP address pool on VLANIF 100, and allocate IP addresses to STAs
from the interface IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type          State  STA  Uptime
---------------------------------------------------------------------------------------------
0   00e0-fc76-e360  area_1  ap-group1  10.10.10.254  AP6010DN-AGN  nor    0    6S
---------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the service VLAN, and apply the security
profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio of the
AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-ap-group1] quit
# Connect STAs to the WLAN with SSID wlan-net and enter the password
a1234567. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 51/44 -55 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
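A configuration file in this layout can be checked offline for the two points this example's notes raise: the security policy behind each VAP that is bound to a radio, and port isolation on the interface that faces the AP. The script below is an added illustration, not Huawei code; the function names, the ap_ports argument, the constructed sample (align-sec, guest-sec, their VAP profiles, Ethernet2/0/1) and the rule that only WPA2 with AES passes are assumptions of this example.

```python
import re

# Constructed sample in the layout of the AC configuration file above.
# align-sec, guest-sec, their VAP profiles and Ethernet2/0/1 are invented for
# the demonstration; <ciphertext> stands in for the stored key.
SAMPLE_CONFIG = """\
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
wlan ac
 security-profile name wlan-security
  security wpa2 psk pass-phrase <ciphertext> aes
 security-profile name align-sec
  security wpa psk pass-phrase <ciphertext> tkip
 security-profile name guest-sec
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name align-vap
  security-profile align-sec
 vap-profile name guest-vap
  security-profile guest-sec
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
   vap-profile guest-vap wlan 2
  radio 1
   vap-profile align-vap wlan 3
#
return
"""

# Lines that open a new configuration context. Matching on keywords instead of
# indentation lets the parser read files whose indentation was lost.
HEADER = re.compile(r"^(interface|security-profile name|vap-profile name|"
                    r"ap-group name|ap-id|[\w-]+-profile name)\s+(\S+)")


def parse(text):
    """Return (security policies, VAP -> security profile, bound VAPs, interfaces)."""
    sec, vap_sec, bound, ifaces = {}, {}, set(), {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            kind = name = None
            continue
        m = HEADER.match(line)
        if m:
            kind, name = m.group(1), m.group(2)
            if kind == "interface":
                ifaces[name] = []
            elif kind == "security-profile name":
                sec[name] = None          # no "security" line seen yet
            elif kind == "vap-profile name":
                vap_sec[name] = None      # no security-profile reference yet
            continue
        words = line.split()
        if kind == "interface":
            ifaces[name].append(line)
        elif kind == "security-profile name" and words[0] == "security":
            sec[name] = words[1:]
        elif kind == "vap-profile name" and words[0] == "security-profile":
            vap_sec[name] = words[1]
        elif kind in ("ap-group name", "ap-id") and words[0] == "vap-profile":
            bound.add(words[1])           # VAP profile bound to a radio
    return sec, vap_sec, bound, ifaces


def audit(text, ap_ports=()):
    """List findings for radio-bound VAPs and for the named AP-facing ports."""
    sec, vap_sec, bound, ifaces = parse(text)
    findings = []
    for vap in sorted(bound):
        prof = vap_sec.get(vap)
        if prof is None:
            findings.append(f"VAP {vap}: no security-profile reference in this file")
        elif prof not in sec:
            findings.append(f"VAP {vap}: security profile {prof} is not defined in this file")
        elif not sec[prof]:
            findings.append(f"VAP {vap}: {prof} has no security line (default policy is open system)")
        elif sec[prof][0] == "open":
            findings.append(f"VAP {vap}: {prof} is open system")
        elif sec[prof][0] == "wep":
            findings.append(f"VAP {vap}: {prof} uses WEP")
        elif sec[prof][0] != "wpa2" or sec[prof][-1] != "aes":
            findings.append(f"VAP {vap}: {prof} allows {sec[prof][0]} with {sec[prof][-1]}")
    for port in ap_ports:
        if port not in ifaces:
            findings.append(f"{port}: interface not found")
        elif not any(l.startswith("port-isolate enable") for l in ifaces[port]):
            findings.append(f"{port}: port isolation not enabled")
    return findings
```

Call audit() with the text of a saved configuration and the names of the interfaces that connect to APs; an empty list means none of these checks fired.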
Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.
Networking Requirements
As shown in Figure 4-36, an AC manages the AP connected to it through
Switch_A.
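[Figure 4-36: networking diagram. The AC (Eth2/0/0, VLAN 100 and VLAN 101) connects
upstream to the network and downstream to GE0/0/2 of Switch_A; GE0/0/1 of Switch_A
(VLAN 100 and VLAN 101) connects to AP area_1, which serves the STAs.]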
Configuration Roadmap
The configuration roadmap is as follows:
Item                          Data
IP address pool for the AP    10.10.10.2-10.10.10.254/24
IP address pool for STAs      10.10.11.2-10.10.11.254/24
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce the impact of a
large number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.
Procedure
Step 1 Configure Switch and the AC so that the AP and AC can transmit CAPWAP
packets.
NOTE
You are advised to configure port isolation on GE0/0/1 that connects Switch to the AP. If
port isolation is not configured, many broadcast packets will be transmitted in the VLANs or
WLAN users on different APs can directly communicate at Layer 2.
# Add GE0/0/1 that connects Switch to the AP to management VLAN 100 and
service VLAN 101, and add GE0/0/2 that connects Switch to the AC to the same VLANs.
<Huawei> system-view
[Huawei] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Add Eth2/0/0 that connects the AC to Switch to VLANs 100 and 101.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 to 101
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101
[AC-Ethernet2/0/0] port-isolate enable
[AC-Ethernet2/0/0] quit
Step 2 Configure the AC as a DHCP server to allocate IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the interface IP address pool on VLANIF 100, and allocate IP addresses to STAs
from the interface IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 6S
---------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-security and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the service VLAN, and apply the security
profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to all radios of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-ap-group1] quit
# Connect STAs to the WLAN with SSID wlan-net and enter the password
a1234567. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 51/44 -55 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
● Switch_A configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
Configuration Process
You need to configure and maintain WLAN features and functions in different
profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP
profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile.
When configuring WLAN services, you need to set related parameters in the
WLAN profiles and bind the profiles to the AP group or APs. After that, the
configuration is delivered to and takes effect on the APs. WLAN profiles can
reference one another; therefore, you need to know the relationships among the
profiles before configuring them. For details about the profile relationships and
their basic configuration procedure, see WLAN Service Configuration Procedure.
Networking Requirements
On a network of a large enterprise in Figure 4-37, an aggregation switch Switch_B
connects to an access switch Switch_A and an upstream Router. The enterprise
needs to deploy a WLAN, with as few changes to the current network structure as
possible.
The enterprise requirements are as follows:
● A WLAN with the SSID guest is deployed in the lobby of the office building to
provide wireless access services for visitors.
● A WLAN with the SSID employee is deployed in office areas to provide
wireless access services for employees.
[Figure 4-37, network diagram: Internet; AC Eth2/0/0 (VLANIF100: 10.10.10.1/24, VLANIF101: 10.10.11.1/24, VLANIF102: 10.10.12.1/24); Switch_B GE0/0/2 and GE0/0/1 (VLAN100, VLAN101, VLAN102); Switch_A GE0/0/3 (VLAN100, VLAN101, VLAN102); Switch_A GE0/0/1 (VLAN100, VLAN101) to AP area_1; Switch_A GE0/0/2 (VLAN100, VLAN102) to AP area_2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch_A, Switch_B, and AC to implement Layer 2 interconnection.
2. Configure the AC as a DHCP server to assign IP addresses from a global
address pool to STAs and APs.
3. Configure the AP to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
Item Data
Name: employee
Referenced profile: VAP profile employee and regulatory domain profile domain1
Name: employee
SSID name: employee
Name: employee
● Security policy: WPA2+PSK+AES
● Password: b1234567
Name: employee
● Service VLAN: VLAN 102
● Referenced profile: SSID profile employee and security profile employee
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large number of such multicast
packets are sent from the network side, the air interfaces may be congested. You
are advised to configure multicast packet suppression to reduce the impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution
when configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
● The management VLAN and service VLAN cannot be the same.
● When multiple VAP profiles are configured and share one service VLAN,
enable inter-service VLAN proxy ARP if the data forwarding mode is set to
tunnel.
Procedure
Step 1 Configure network interworking.
# Configure Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
configure GE0/0/1 to allow packets from VLAN 101 (service VLAN) to pass
through. Add GE0/0/2 to VLAN 100 and configure GE0/0/2 to allow packets from
VLAN 102 (service VLAN) to pass through. Configure GE0/0/3 to allow packets
from VLAN 100, VLAN 101, and VLAN 102 to pass through.
NOTE
You are advised to configure port isolation on GE0/0/1 and GE0/0/2 that connect Switch_A
to the APs. If port isolation is not configured, many broadcast packets will be transmitted in
VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] vlan batch 100 to 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
# Configure the AC to allow packets from VLAN 100, VLAN 101, and VLAN 102 to
pass through.
<Huawei> system-view
[Huawei] sysname AC
[AC] vlan batch 100 to 102
[AC] interface ethernet 2/0/0
[AC-Ethernet2/0/0] port link-type trunk
[AC-Ethernet2/0/0] port trunk allow-pass vlan 100 to 102
[AC-Ethernet2/0/0] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.10.10.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.11.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.10.12.1 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
# Import the APs offline on the AC. Add APs deployed in the lobby to AP group
guest and APs in office areas to AP group employee. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are
deployed from their names. For example, if the AP with MAC address 00e0-fc76-e360
is deployed in room 1 of the office building, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan ac
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 guest 10.10.10.253 AP6010DN-AGN nor 0 1M:22S
1 00e0-fc74-9640 area_2 employee 10.10.10.254 AP6010DN-AGN nor 0 5S
--------------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WEP-40 and WPA2+PSK+AES and passwords to
a1234 and b1234567, respectively. In actual situations, the security policy must be configured
according to service requirements.
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wep share-key
[AC-wlan-sec-prof-guest] wep key 0 wep-40 pass-phrase a1234
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] wep default-key 0
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit
# Create SSID profiles guest and employee, and set the SSID names to guest and
employee, respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-employee] quit
# Create VAP profiles guest and employee, set the service VLANs, and apply the
security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-guest] security-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] ssid-profile guest
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] service-vlan vlan-id 102
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-employee] security-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] ssid-profile employee
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-vap-prof-employee] quit
# Bind VAP profiles to the AP groups and apply the VAP profiles to all radios of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio all
Info: This operation may take a few seconds, please wait..done.
[AC-wlan-ap-group-employee] quit
# Connect STAs to the WLANs with SSIDs guest and employee and enter the
passwords a1234 and b1234567 respectively. Run the display station ssid guest
and display station ssid employee commands on the AC. The command output
shows that the STAs are connected to the WLANs guest and employee.
[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fccf-6344 0 area_1 0/1 2.4G 11g 26/18 -54 101 10.10.11.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------------
00e0-fc64-656f 1 area_2 1/1 5G 11n 65/56 -53 102 10.10.12.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
● Switch_A configuration file
#
sysname SwitchA
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
security-profile guest
vap-profile name employee
service-vlan vlan-id 102
ssid-profile employee
security-profile employee
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
radio 2
vap-profile guest wlan 1
ap-group name default
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
radio 2
vap-profile employee wlan 1
ap-id 0 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group guest
ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000075
ap-name area_2
ap-group employee
#
return
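The two examples above bind SSIDs to security profiles of very different strength (WEP-40 for guest, WPA2+PSK+AES with 8-character passwords for the others). The following Python code is an added example, not part of the original documentation: it reads an AC configuration file, follows each VAP profile to its SSID profile and security profile, and reports weak settings per SSID. The function names, the MIN_PSK_LEN threshold of 12 and the sample configuration text are assumptions made for the illustration.

```python
import re

MIN_PSK_LEN = 12  # assumption: local policy floor, not a value from the page

# Constructed sample in the layout of this page's AC configuration files.
SAMPLE_AC_CONFIG = """\
wlan ac
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase a1234
 security-profile name employee
  security wpa2 psk pass-phrase b1234567 aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  ssid-profile employee
  security-profile employee
"""

def parse_profiles(config):
    """Collect security, SSID and VAP profiles; indentation is ignored."""
    security, ssids, vaps = {}, {}, {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\S+) name (\S+)", line)
        if header or line == "#":
            # A "<kind> name <x>" line opens a block; "#" closes the section.
            kind, name = header.groups() if header else (None, None)
            if kind == "security-profile":
                security[name] = []
            elif kind == "vap-profile":
                vaps[name] = {}
        elif kind == "security-profile":
            security[name].append(line)
        elif kind == "ssid-profile" and line.startswith("ssid "):
            ssids[name] = line[len("ssid "):]
        elif kind == "vap-profile":
            ref = re.fullmatch(r"(ssid-profile|security-profile) (\S+)", line)
            if ref:
                vaps[name][ref.group(1)] = ref.group(2)
    return security, ssids, vaps

def audit_security_profile(lines):
    """Return finding strings for one security profile's configuration lines."""
    policy = next((ln for ln in lines if ln.startswith("security ")), None)
    if policy is None:
        return ["NO-POLICY: profile has no 'security' line"]
    findings = []
    if policy.split()[1] == "wep":
        findings.append("WEP: deprecated and insecure, move the SSID to WPA2 with AES")
    psk = re.fullmatch(r"security \S+ psk pass-phrase (.+) \S+", policy)
    secret = psk.group(1) if psk else None
    if secret and secret.startswith("%^%#"):
        findings.append("PSK-ENCRYPTED: stored as ciphertext, length not checked")
    elif secret and len(secret) < MIN_PSK_LEN:
        findings.append(f"SHORT-PSK: {len(secret)} characters, below {MIN_PSK_LEN}")
    return findings

def audit_ac_config(config):
    """Map each SSID to the findings of the security profile its VAP profile uses."""
    security, ssids, vaps = parse_profiles(config)
    return {ssids.get(vap.get("ssid-profile"), "<no ssid>"):
            audit_security_profile(security.get(vap.get("security-profile"), []))
            for vap in vaps.values()}
```

A configuration file saved by the AC holds the pass-phrase as %^%#...%^%# ciphertext, as in the AC configuration file earlier on this page, so the length check only applies to configurations captured as typed.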
● The address pool is not configured using the dhcp select interface or dhcp
select global command in the interface view.
● The dhcp select global command is executed in the interface view, but the
global address pool is incorrectly configured.
● Wireless users use MAC address authentication, but no MAC address is
configured for the users on the authentication server.
● The AP is not in the list of APs that are supported by the AR.
● The AC function is used with a license and is unavailable by default.
● No PVID is configured for the network access device directly connected to the
AP.
● SN or MAC address authentication is enabled on the AC, but the AP is not on
the AP whitelist.
● When the capwap dtls control-link encrypt command is not configured on
the AC, enabling control tunnel encryption using DTLS will cause a DTLS
negotiation failure. As a result, the CAPWAP tunnel fails to be established.
● The CAPWAP heartbeat detection interval and number of CAPWAP heartbeat
detections on the AC are proper. If the CAPWAP heartbeat detection interval
and number of CAPWAP heartbeat detections are smaller than the default
values, the CAPWAP link reliability is degraded and the AP cannot properly go
online. Typically, default values are recommended. If the AP goes offline
unexpectedly when default values are used, you can run the capwap echo
command to set a larger CAPWAP heartbeat detection interval and number of
CAPWAP heartbeat detections.
4.14.8 Why Are Packets Lost When the STA Pings the Gateway?
Run the dtim-interval 1 and beacon-interval 100 commands to configure the
DTIM interval and Beacon interval specified in the radio profile.
NOTE