01-01 EasyOperation Edition
Switches
Web-based Configuration Guide 1 EasyOperation Edition
1 EasyOperation Edition
The web system of the EasyOperation edition supports common operations
related to monitoring, configuration, diagnosis, maintenance, and network
functions.
Context
NOTE
The web system is applicable to wireless service deployment on small- and medium-sized
networks. For large-sized networks, use other network management systems, such as eSight.
EasyOperation supports login from an iPad, and only through Safari. If you log in from an iPad,
the following functions are unavailable:
● Upload, download, import, and export
● Spectrum analysis
● CLI switching area
● Dragging the pop-up dialog box
There are multiple methods to log in to the switch through web. For details, see
Table 1-1. Select a proper login method.
Context
To facilitate device maintenance and use, S1720GFR switches allow for the first
login using the Web system.
Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following
tasks:
Default Configuration
User level 15
Procedure
Step 1 Connect the PC to the device.
Connect the PC to any Ethernet interface on the device.
Step 2 Configure an IP address for the PC.
To ensure that the PC and device have reachable routes to each other, configure
the PC with an IP address on the same network segment as the device IP address.
Step 3 Log in to the device through the Web system.
Open the browser on the PC and access https://192.168.1.253. On the displayed
Web system login page shown in Figure 1-1, enter the default user name and
default password.
NOTE
To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet Explorer
11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the Classic Web
system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the browser version
or browser patch version is not within the preceding ranges, the web page may not be
properly displayed. Upgrade the browser and browser patch. In addition, the browser must
support JavaScript.
NOTE
● The password change page is displayed during the login process only the first time you
log in to the web system.
● The password change page is also displayed if your password will expire or has expired.
To access the web system main page, you must change the password.
● To improve security, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In
addition, the password cannot contain spaces or single quotation marks (').
NOTE
A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password
cannot contain spaces or single quotation marks (').
After accessing the user management page, you can change the default user level. Only
level 3 users and higher are administrators with management rights. Level 2 users and
below are monitoring users. Administrator users have all operation rights of a web page,
and monitoring users can only perform ping and tracert operations.
----End
Context
When a PC has no available serial interface or no console cable is available,
users can log in to the device with the factory settings using the Web system for
the first time. After the login, users can conveniently configure the login mode
(Web system, Telnet, or STelnet). After the login mode is configured, users can log
in to the device using the Web system, Telnet, or STelnet for device maintenance.
NOTE
Devices without the MODE button do not support first login through the Web system.
First login through the Web system, SVF, USB-based deployment, and EasyDeploy cannot be
used together.
Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following
tasks:
Default Configuration
User level 15
Procedure
Step 1 Connect the PC to the device.
For a device that provides only optical interfaces, connect the PC to the
management interface on the device. For a device that supports first login through
the Web system, connect the PC to any Ethernet interface (except the
management interface) on the device.
NOTE
Users can log in to a device for the first time using the Web system only when the device is
in factory default state. In this case, do not log in to the device through the console
interface, because any operation on the console interface leads to the failure of the first
login using the Web system.
NOTE
If the device has been configured when users press and hold down the MODE button for 6
seconds or longer, all indicators blink green fast. In this case, the device is restored to the
normal state after 10 seconds, without impact on existing configuration.
If the device in the factory settings has just started or has been configured through the
console interface when users press and hold down the MODE button for 6 seconds, the
device may fail to enter the initial configuration state. When all indicators blink fast for 10s,
the device restores to the factory default state.
The device automatically exits the initial configuration state and restores the factory
settings if users have not saved the settings after 10 minutes.
To ensure that the PC and device have reachable routes to each other, configure
the PC with an IP address on the same network segment as the device IP address.
NOTE
The login to the device through the Web system requires that the browser on the PC must
be Microsoft Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to
54.0. If the browser version or browser patch version is not within the preceding ranges, the
web page may not be properly displayed. Upgrade the browser and browser patch.
As shown in Figure 1-5, the Web system configuration page allows users to
perform the basic and optional configurations. Table 1-4 describes parameters for
the basic configuration. After the basic configuration is complete, users can log in
to the device through the Web system. Table 1-5 describes parameters for the
optional configuration. After the optional configuration is complete, users can log
in to the device through Telnet or STelnet.
A login user can create users for logging in to the device through Telnet or
STelnet. The parameter Create User is valid only when Telnet Server or Stelnet
Server is On.
----End
1.1.3 Logging In to the Device for the First Time Through the Web System (Switches Changed to the Cloud-based Management Mode)
After a switch that supports cloud-based management is changed to the cloud-
based management mode, you can log in to the switch only through the web
system on the PC.
Context
After a device is changed to the cloud-based management mode, you can log in
to the device through the web system for the first time. After logging in to the
device, you can easily configure the web login function on the device and then
maintain the device in cloud-based management mode on the web page.
Pre-configuration Tasks
Before logging in to a device through the web system, complete the following
tasks:
Default Configuration
User level 15
Procedure
Step 1 Connect the PC to the device.
If the device works in cloud-based management mode, you need to connect the
PC to the management interface of the device.
Press and hold down the MODE button for 6 seconds or longer. When all
indicators are steady green, the device enters the initial configuration state.
To ensure that the PC and device have reachable routes to each other, configure
the PC with an IP address on the same network segment as the device IP address.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
NOTE
To log in to the device through the web system, the browser on the PC must be Microsoft
Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. If the
browser version or browser patch version is not within the preceding ranges, the web page
may not be displayed properly. You need to upgrade the browser and browser
patch.
----End
1.1.4.1 Overview
Definition
The web system can be used to manage devices. The device has an internal web
server which provides a GUI for users. Before using the web system to manage
and maintain a device, you need to log in to the device through HTTPS from a
terminal.
Purpose
You can manage a device using a web system or a command line interface (CLI).
On a CLI, you must use commands to manage and maintain the device. The CLI
method allows you to implement fine-grained device management, but you have
to be familiar with required commands. In comparison, the web system is easier to
operate and allows you to manage and maintain the device on a GUI. However,
the web system provides only basic routine maintenance and management
functions. You can select a proper management method based on actual needs.
To use the CLI, you must log in to the device through a console port or a mini USB
port, or using Telnet or STelnet. To use the web system, you must log in to the
device through HTTPS.
For details on how to log in to a device through the console port or a mini USB
port, or using Telnet or STelnet, see CLI Login Configuration.
Concepts
Before configuring web system login, familiarize yourself with the following
concepts:
● HTTP
Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the
Internet. It runs at the application layer of the TCP/IP protocol stack. The
transport layer uses the connection-oriented TCP protocol. HTTP has security
vulnerabilities. To avoid potential security risks, the device allows you to log in
to the web system only through the more secure Hypertext Transfer Protocol
Secure (HTTPS).
● HTTPS
HTTPS uses Secure Sockets Layer (SSL) to encrypt data exchanged between
the client and device and defines access control policies based on certificate
attributes. HTTPS enhances data integrity and transmission security, ensuring
that only authorized clients can log in to the device.
● SSL policy
An SSL policy defines parameters that the device uses during startup, and is
implemented during configuration of HTTPS. During configuration, the
corresponding digital certificate on the device is loaded. The SSL policy takes
effect only after it is applied to application layer protocols, such as HTTP.
● Digital certificate
A digital certificate is issued by a certificate authority (CA) and uses a digital
signature to bind a public key with an identity (applicant who possesses the
certificate). The digital certificate includes information such as the applicant
name, public key, digital signature of the CA, and validity period of the digital
certificate. A digital certificate validates the identities of two communicating
parties to improve communication reliability.
● Certificate Authority (CA)
A CA issues, manages, and revokes digital certificates by checking the validity
of digital certificate owners, issuing digital certificates to prevent
eavesdropping and tampering, and managing certificates and keys. A globally
trusted CA is called a root CA. The root CA can authorize other CAs as
subordinate. A CA's identity needs to be verified and is described in a
trusted-CA file.
For example, CA1 is the root CA and issues a certificate for CA2, and CA2 then
issues a certificate for CA3. This process proceeds until the final server
certificate is issued.
Assume that CA3 issues the server certificate. A certificate authentication
process on the client starts from server certificate authentication:
– The client first verifies the validity of the server certificate based on the
CA3 certificate.
– The client then checks the CA2 certificate to verify the validity of the CA3
certificate.
– The client then checks the CA1 certificate to verify the validity of the CA2
certificate.
– The server certificate passes the authentication only when the CA2
certificate is verified valid by the CA1 certificate.
Figure 1-7 shows the certificate issuing and authentication processes.
[Figure 1-7: CA1, CA2, ... CAn, server's certificate; certificate authentication]
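The chain walk described above (server certificate checked against CA3, CA3 against CA2, CA2 against the CA1 entry in the trusted-CA file), as an added example that is not part of the original guide. Certificates are modelled as small records signed with textbook RSA over fixed Mersenne primes, a stand-in for X.509 that is not secure; the `Cert` fields, the name `switch.example` and the expiry years are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every demo key


def make_key(a, b):
    """Textbook RSA key (n, d) from the Mersenne primes 2**a-1 and 2**b-1. Demo only."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_n: int    # subject's public modulus
    is_ca: bool      # may this certificate sign other certificates?
    not_after: int   # last valid year (simplified validity period)
    signature: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature (everything except the signature)."""
        fields = (self.subject, self.issuer, f"{self.public_n:x}", self.is_ca, self.not_after)
        return "|".join(map(str, fields)).encode()


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(subject, subject_key, issuer, issuer_key, is_ca, not_after=2035):
    """Create a certificate for subject, signed with the issuer's private key."""
    n, d = issuer_key
    cert = Cert(subject, issuer, subject_key[0], is_ca, not_after)
    return replace(cert, signature=pow(_digest(cert.tbs()), d, n))


def signed_by(cert, issuer_cert):
    return pow(cert.signature, E, issuer_cert.public_n) == _digest(cert.tbs())


def verify_chain(chain, trusted_ca, year):
    """chain = [server, CA3, CA2]; trusted_ca maps a subject name to a root certificate."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        # The last certificate in the chain must be issued by a trusted root.
        issuer = chain[i + 1] if i + 1 < len(chain) else trusted_ca.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} is not in the trusted-CA file"
        if issuer.subject != cert.issuer or not issuer.is_ca:
            return False, f"{cert.subject}: {issuer.subject} is not its issuing CA"
        if cert.not_after < year or issuer.not_after < year:
            return False, f"{cert.subject}: certificate or issuer expired"
        if not signed_by(cert, issuer):
            return False, f"{cert.subject}: signature does not verify under {issuer.subject}"
    return True, f"verified up to trust anchor {issuer.subject}"


def build_demo():
    """Constructed hierarchy from the text: CA1 (root) -> CA2 -> CA3 -> server."""
    k1, k2 = make_key(521, 607), make_key(607, 1279)
    k3, ks = make_key(1279, 2203), make_key(521, 1279)
    ca1 = issue("CA1", k1, "CA1", k1, is_ca=True)  # self-signed root
    ca2 = issue("CA2", k2, "CA1", k1, is_ca=True)
    ca3 = issue("CA3", k3, "CA2", k2, is_ca=True)
    server = issue("switch.example", ks, "CA3", k3, is_ca=False)
    return [server, ca3, ca2], {"CA1": ca1}


if __name__ == "__main__":
    chain, trusted = build_demo()
    print(verify_chain(chain, trusted, 2025))
    # A certificate altered after signing fails at the first link.
    print(verify_chain([replace(chain[0], subject="other.example")] + chain[1:], trusted, 2025))
    # Without CA1 in the trusted-CA file the walk cannot terminate.
    print(verify_chain(chain, {}, 2025))
```

The last case is the situation a client is in when the server presents a certificate whose root it has never been given: every signature may be correct, but nothing anchors the chain.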
successfully, and the PC cannot verify the digital certificate on the server. However,
the confidentiality of data transmitted between the PC and server is ensured. To
ensure that you are connecting to a valid web server, you can load a trust
certificate and CRL on the PC. For details on how to load trust certificates, refer to
the help information in the operating system.
NOTE
The device does not provide lifetime management for the self-signed digital certificate,
such as update and revocation. To ensure device and certificate security, it is
recommended that you replace the self-signed certificate with a certificate authority (CA)
certificate.
1.1.4.4 Configuring Device Login Through the Web System (Simple Mode)
Pre-configuration Tasks
NOTE
When a device starts without any configuration, HTTP uses the randomly generated
self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore,
you are advised to replace it with the officially authorized digital certificate. For details
about how to replace the certificate, see 1.1.4.5 Configuring Device Login Through the
Web System (Secure Mode).
Before configuring login through the web system (simple mode), configure a
reachable route between a terminal and the device.
Configuration Process
The following configuration tasks must be performed in sequence.
Context
The system software of the device contains a web page file, and the web page file
is pre-loaded to the device before delivery. If you use this web page file, you do
not need to perform the following configuration. To upgrade the web page file on
the device, log in to the Huawei official website, download an independent web
page file, and then upload and load the file on the device.
NOTE
To obtain a web page file, log in to the Huawei enterprise support website
(http://support.huawei.com/enterprise), choose the product model and version, and select a
patch version under Public Patch in V and R Version to download the required web page
file. The file name is in the format of product name-software version number.web page
file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on the
website to check whether their sizes are the same. If not, an error may occur during file
download. Download the file again.
Each web page file corresponds to a signature file. The method of downloading the
signature file is the same as that of downloading the web page file.
Procedure
Step 1 Upload the web page file.
You can upload the web page file using SFTP or other modes. For details, see
Local File Management.
NOTE
After the file is uploaded to the device, run the dir command in the user view to check
whether the uploaded file has the same size as that on the file server. If not, an error may
have occurred during file upload. Upload the file again.
NOTE
----End
Context
You can log in to the web system only after the HTTPS service is enabled. To
enhance device security, you can change the port number of the HTTPS server to
prevent attackers from accessing the server using the default port number. In
addition, you can set a timeout period for an HTTPS connection to prevent waste
of web channel resources when no operation is performed for a long time.
By default, the HTTPS IPv4 service is enabled on a device but the HTTPS IPv6
service is disabled, the port number of the HTTPS server is 443, the timeout period
of an HTTPS connection is 20 minutes, and login requests from all interfaces are
accepted. If you use the HTTPS IPv4 service, default port number and timeout
period, and accept login requests from all interfaces, do not perform the following
configuration. To use the HTTPS IPv6 service, you need to enable it first.
Procedure
Step 1 Run:
system-view
Step 3 Run:
http [ ipv6 ] secure-server port port-number
----End
Context
A web user account can be configured based on the user name, password, level,
and access type. After configuration, you can log in to the web system. Enter the
user name and password to log in to a web system.
NOTE
The default upload/download directory is the root directory. You can modify the upload/
download directory by running the corresponding command in the AAA view.
Procedure
Step 1 Configure a web user.
1. Run:
system-view
4. Run:
local-user user-name service-type http
By default, the level of the local user is 15 and the user is an administrator.
Only level 3 users and higher are administrators with management rights.
Level 2 users and below are monitoring users. Administrator users have all
operation rights of a web page, and monitoring users can only perform ping
and tracert operations.
NOTE
– The operating system required for web system login must be the Windows 7.0,
Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating
system supports only login to the EasyOperation web system, but does not support file
uploading and downloading.
– To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet
Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the
Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the
browser version or browser patch version is not within the preceding ranges, the web
page may not be properly displayed. Upgrade the browser and browser patch. In
addition, the browser must support JavaScript.
– When logging in to the web system using Internet Explorer, ensure that active
scripting in the Security tab page is enabled; otherwise, an exception may occur during
web system login.
– The best resolution of the display for web system login is 1316px. If the resolution is
less than 1280px, the system displays a prompt message.
– By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When
logging in to the device through the web system, ensure that the SSL version supported
by the browser is the same as that supported by the device; otherwise, an exception
may occur during web system login. It is recommended that you upgrade the browser
based on the displayed page or modify the SSL configuration. Take Internet
Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab
to view and select the SSL version.
– If you use Internet Explorer 8.0 running on Windows XP to log in to the web system,
you must configure the RC4 algorithm for the customized SSL cipher suite policy.
Otherwise, you will be unable to log in to the web system. To perform this
configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha |
tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha |
tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha |
tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha |
tls12_ck_rsa_aes_256_cbc_sha256 } command.
– The web system identifies device information based on the Item value in the device's
electronic label, but the device hardware driver determines whether to start the device
based on the BarCode value. Since the values of BarCode and Item may not be the
same, the web system may not read or display the card information.
– The web system does not support back, forward, and refresh buttons of the browser.
You may return to the login page when you use the buttons.
– If you log in to the Web systems with the same IP address through multiple windows
on a browser, only the latest login is saved. If the Web systems have the same IP
address and the same port number, the latest login account is displayed on earlier web
pages after all the windows are refreshed. If the Web systems have the same IP address
but different port numbers, timeout messages are displayed on earlier web pages after
all the windows are refreshed.
– If the software version of the device changes (for example, the device software is
upgraded or rolled back), clear the browser cache before using the web system.
Otherwise, the web page may be displayed incorrectly.
– You can click Open Source software Notice to view details of the open source
software notice.
2. Select the layout of the web system.
The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations. The Classics version inherits the web page style of
Huawei switches and provides comprehensive configuration and management
functions.
The EasyOperation version is used by default.
NOTE
– The password change page is displayed during the login process only the first time
you log in to the web system.
– The password change page is also displayed if your password will expire or has
expired. To access the web system main page, you must change the password.
– For security purposes, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %).
In addition, the password cannot contain spaces or single quotation marks (').
4. (Optional) Change the default user password.
If you are logged in as an administrator, the system prompts you to change
this password. Figure 1-12 shows the prompt. Click Confirm to display the
User Management page on which you can change the password of the
default user. The default username and password are available in S Series
Switches Default Usernames and Passwords (Enterprise Network or Carrier).
If you have not obtained the access permission of the document, see Help on
the website to find out how to obtain it. Changing this password is
recommended to improve security.
NOTE
– The dialog box is displayed only when you log in to the web system as an
administrator user (level 3 or higher).
– A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the
password cannot contain spaces or single quotation marks (').
----End
1.1.4.4.4 Checking the Configuration of Configuring Device Login Through the Web System
Context
After completing the configuration, run the following commands in any view on
the CLI to check information about online web users and the HTTPS server.
Procedure
● Run the display http user [ username username ] command to check online
web user information.
● Run the display http server command to check current HTTPS server
information.
----End
1.1.4.5 Configuring Device Login Through the Web System (Secure Mode)
Pre-configuration Tasks
Before configuring login through the web system (secure mode), complete the
following tasks:
Configuration Process
The following configuration tasks must be performed in sequence.
Context
The system software of the device contains a web page file, and the web page file
is pre-loaded to the device before delivery. If you use this web page file, you do
not need to perform the following configuration. To upgrade the web page file on
the device, log in to the Huawei official website, download an independent web
page file, and then upload and load the file on the device.
NOTE
To obtain a web page file, log in to the Huawei enterprise support website
(http://support.huawei.com/enterprise), choose the product model and version, and select a
patch version under Public Patch in V and R Version to download the required web page
file. The file name is in the format of product name-software version number.web page
file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on the
website to check whether their sizes are the same. If not, an error may occur during file
download. Download the file again.
Each web page file corresponds to a signature file. The method of downloading the
signature file is the same as that of downloading the web page file.
Procedure
Step 1 Upload the web page file.
You can upload the web page file using SFTP or other modes. For details, see
Local File Management.
NOTE
After the file is uploaded to the device, run the dir command in the user view to check
whether the uploaded file has the same size as that on the file server. If not, an error may
have occurred during file upload. Upload the file again.
By default, the web page file in system software is pre-loaded on the device.
If default is specified, the web page file in the system software is loaded. If
file-name is specified, an independent web page file is loaded.
NOTE
----End
Context
To avoid potential security risks, you can acquire a trusted digital certificate and a
private key file from the CA and manually configure an SSL policy.
The device supports certificates in PEM, ASN1, and PFX formats. Certificates have
the same content regardless of format.
● The PEM (.pem) digital certificate is most commonly used. It applies to text
transmission between systems.
● The ASN1 (.der) format is a universal digital certificate format and the default
format for most browsers.
● The PFX (.pfx) format is a universal digital certificate format and a binary
format that can be converted into PEM or ASN1 format.
Procedure
Step 1 Upload the digital certificate and private key file.
You can upload the digital certificate and private key file using SFTP or other
modes and save them to the security directory. If this directory does not exist, run
the mkdir security command to create it. For the procedure for uploading files, see
Local File Management.
NOTE
After the files are uploaded to the device, run the dir command in the user view to check if
the uploaded files are the same size as those on the file server. If not, an error may have
occurred. Upload the files again.
The cipher suite for a customized SSL cipher suite policy is configured.
By default, no customized SSL cipher suite policy is configured.
To configure cipher suites for a customized SSL cipher suite policy, run the
ssl cipher-suite-list command.
If a customized SSL cipher suite policy is being referenced by an SSL
policy, the cipher suites in the customized cipher suite policy can be
added, modified, or partially deleted. Deleting all of the cipher suites is
not allowed.
c. Run:
quit
After a customized cipher suite policy is unbound from an SSL policy, the SSL
policy uses one of the following default cipher suites:
– tls1_ck_rsa_with_aes_256_sha
– tls1_ck_rsa_with_aes_128_sha
– tls1_ck_dhe_rsa_with_aes_256_sha
– tls1_ck_dhe_dss_with_aes_256_sha
– tls1_ck_dhe_rsa_with_aes_128_sha
– tls1_ck_dhe_dss_with_aes_128_sha
– tls12_ck_rsa_aes_256_cbc_sha256
After a customized SSL cipher suite policy is bound to an SSL policy, the
device uses an algorithm in the specified cipher suite to perform SSL
negotiation.
If the cipher suite contains only one type of algorithm (RSA or DSS), the
corresponding certificate must be loaded for the SSL policy. This facilitates SSL
negotiation.
6. Load the digital certificate and specify the private key file.
NOTE
When loading a certificate or certificate chain to an SSL policy, ensure that the length
of the key pair in the certificate or certificate chain does not exceed 2048 bits. If the
key pair length exceeds 2048 bits, the certificate or certificate chain cannot be
uploaded to the device.
– Load a PEM certificate or certificate chain. Run either of the following
commands based on whether a user obtains a digital certificate or
certificate chain from the CA.
▪ Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
A PEM digital certificate is loaded and the private key file is specified.
▪ Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
A PEM certificate chain is loaded and the private key file is specified.
– Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
An ASN1 digital certificate is loaded and the private key file is specified.
– Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code
A PFX digital certificate is loaded and the private key file is specified.
NOTE
Before rolling V200R008 or a later version back to an earlier version, back up the SSL
private key file.
----End
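An audit of customized cipher suite policies against the suite names this guide lists, covering both the default list in the procedure above and the RC4 suite named in the Internet Explorer 8.0 note. This is an added example, not Huawei tooling: the configuration excerpt is constructed, its layout and the list names `legacy-ie8` and `web-mgmt` are assumptions, and the suite properties are derived from the names on the assumption that they follow OpenSSL-style naming.

```python
import re

# Suite names exactly as this guide lists them for `set cipher-suite`.
KNOWN_SUITES = (
    "tls1_ck_rsa_with_aes_256_sha",
    "tls1_ck_rsa_with_aes_128_sha",
    "tls1_ck_rsa_rc4_128_sha",
    "tls1_ck_dhe_rsa_with_aes_256_sha",
    "tls1_ck_dhe_dss_with_aes_256_sha",
    "tls1_ck_dhe_rsa_with_aes_128_sha",
    "tls1_ck_dhe_dss_with_aes_128_sha",
    "tls12_ck_rsa_aes_256_cbc_sha256",
)
# The guide's default list for an SSL policy is the same set without the RC4 suite.
DEFAULT_SUITES = tuple(s for s in KNOWN_SUITES if "rc4" not in s)

LIST_RE = re.compile(r"^\s*ssl cipher-suite-list\s+(\S+)")
SET_RE = re.compile(r"^\s*set cipher-suite\s+(.+)$")

# Constructed sample; the exact layout of a saved configuration is an assumption.
SAMPLE_CONFIG = """\
ssl cipher-suite-list legacy-ie8
 set cipher-suite tls1_ck_rsa_with_aes_128_sha
 set cipher-suite tls1_ck_rsa_rc4_128_sha
 quit
ssl cipher-suite-list web-mgmt
 set cipher-suite tls1_ck_dhe_rsa_with_aes_256_sha
 set cipher-suite tls1_ck_dhe_dss_with_aes_256_sha
 quit
"""


def describe(suite):
    """Derive a suite's properties from the tokens in its name."""
    parts = suite.split("_")
    return {
        "forward_secrecy": "dhe" in parts,            # ephemeral Diffie-Hellman
        "cert_type": "dsa" if "dss" in parts else "rsa",
        "rc4": "rc4" in parts,
    }


def parse_cipher_lists(config_text):
    """Return {policy name: [suite, ...]} for every customized cipher suite policy."""
    lists, current = {}, None
    for line in config_text.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = m.group(1)
            lists.setdefault(current, [])
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            lists[current].extend(m.group(1).split())
        elif line.strip() == "quit":
            current = None
    return lists


def audit(suites):
    """Return (severity, suite, reason) findings for one list of suites."""
    findings = []
    for name in suites:
        if name not in KNOWN_SUITES:
            findings.append(("unknown", name, "not a suite name listed in the guide"))
            continue
        props = describe(name)
        if props["rc4"]:
            findings.append(("high", name, "RC4 is prohibited for TLS by RFC 7465"))
        if not props["forward_secrecy"]:
            findings.append(("medium", name, "static RSA key exchange, no forward secrecy"))
    return findings


def cert_types_needed(suites):
    """Certificate key types the SSL policy must have loaded for these suites."""
    return {describe(s)["cert_type"] for s in suites if s in KNOWN_SUITES}


def report(config_text):
    return {
        name: {"findings": audit(suites), "cert_types": sorted(cert_types_needed(suites))}
        for name, suites in parse_cipher_lists(config_text).items()
    }


if __name__ == "__main__":
    for name, result in report(SAMPLE_CONFIG).items():
        print(name, "needs certificate type(s):", ", ".join(result["cert_types"]))
        for severity, suite, reason in result["findings"]:
            print(f"  [{severity}] {suite}: {reason}")
```

A policy whose suites all map to one certificate type, as `legacy-ie8` does, is the case where the guide requires the matching RSA or DSA certificate to be loaded for the SSL policy.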
Context
Enabling HTTPS service enhances device security, and preserves resources during
timeout periods. To log in to the web system in secure mode, bind an SSL policy to
the device and enable the HTTPS service. You can change the port number of the
HTTPS server to prevent attackers from accessing the server using the default port
number. In addition, you can set a timeout period for an HTTPS connection to
prevent waste of web channel resources.
By default, only the HTTPS IPv4 service (not HTTPS IPv6) is enabled on a device.
On the HTTPS server, port 443 is used, the timeout period of an HTTPS connection
is 20 minutes, and login requests from all interfaces are accepted. If you use the
HTTPS IPv4 service, default port number, default timeout period, and accept login
requests from all interfaces, you only need to bind an SSL policy to the device. To
use the HTTPS IPv6 service, you need to enable it first.
Procedure
Step 1 Run:
system-view
----End
Context
A web user account can be configured based on the user name, password, level,
and access type. After configuration, you can log in to the web system. Enter the
user name and password to log in to a web system.
NOTE
The default upload/download directory is the root directory. You can modify the upload/
download directory by running the corresponding command in the AAA view.
Procedure
Step 1 Configure a web user.
1. Run:
system-view
operation rights of a web page, and monitoring users can only perform ping
and tracert operations.
After logging in to the web system, monitoring users receive a message that
shows their current level and prompts them to raise their user level. Figure
1-13 and Figure 1-14 show the message displayed on the Classics and
EasyOperation versions.
NOTE
– The operating system required for web system login must be the Windows 7.0,
Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating
system supports only login to the EasyOperation web system, but does not support file
uploading and downloading.
– To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet
Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the
Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the
browser version or browser patch version is not within the preceding ranges, the web
page may not be properly displayed. Upgrade the browser and browser patch. In
addition, the browser must support JavaScript.
– When logging in to the web system using Internet Explorer, ensure that active
scripting in the Security tab page is enabled; otherwise, an exception may occur during
web system login.
– The best resolution of the display for web system login is 1316px. If the resolution is
less than 1280px, the system displays a prompt message.
– By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When
logging in to the device through the web system, ensure that the SSL version supported
by the browser is the same as that supported by the device; otherwise, an exception
may occur during web system login. It is recommended that you upgrade the browser
based on the displayed page or modify the SSL configuration. Take Internet
Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab
to view and select the SSL version.
– If you use Internet Explorer 8.0 running on Windows XP to log in to the web system,
you must configure the RC4 algorithm for the customized SSL cipher suite policy.
Otherwise, you will be unable to log in to the web system. To perform this
configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha |
tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha |
tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha |
tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha |
tls12_ck_rsa_aes_256_cbc_sha256 } command.
– The web system identifies device information based on the Item value in the device's
electronic label, but the device hardware driver determines whether to start the device
based on the BarCode value. Since the values of BarCode and Item may not be the
same, the web system may not read or display the card information.
– The web system does not support back, forward, and refresh buttons of the browser.
You may return to the login page when you use the buttons.
– If you log in to the Web systems with the same IP address through multiple windows
on a browser, only the latest login is saved. If the Web systems have the same IP
address and the same port number, the latest login account is displayed on earlier web
pages after all the windows are refreshed. If the Web systems have the same IP address
but different port numbers, timeout messages are displayed on earlier web pages after
all the windows are refreshed.
– If the software version of the device changes (for example, the device software is
upgraded or rolled back), clear the browser cache before using the web system.
Otherwise, the web page may be displayed incorrectly.
– You can click Open Source software Notice to view details of the open source
software notice.
2. Select the layout of the web system.
The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations. The Classics version inherits the web page style of
Huawei switches and provides comprehensive configuration and management
functions.
The EasyOperation version is used by default.
NOTE
– The password change page is displayed during the login process only the first time
you log in to the web system.
– The password change page is also displayed if your password will expire or has
expired. To access the web system main page, you must change the password.
– For security purposes, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %).
In addition, the password cannot contain spaces or single quotation marks (').
4. (Optional) Change the default user password.
If you are logged in as an administrator, the system prompts you to change
this password. Figure 1-17 shows the prompt. Click Confirm to display the
User Management page on which you can change the password of the
default user. The default username and password are available in S Series
Switches Default Usernames and Passwords (Enterprise Network or Carrier).
If you have not obtained the access permission of the document, see Help on
the website to find out how to obtain it. Changing this password is
recommended to improve security.
NOTE
– The dialog box is displayed only when you log in to the web system as an
administrator user (level 3 or higher).
– A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the
password cannot contain spaces or single quotation marks (').
----End
1.1.4.5.5 Checking the Configuration of Configuring Device Login Through the Web
System
Context
After completing the configuration, run the following commands in any view on
the CLI to check information about the SSL policy, loaded digital certificate, online
web users, and current HTTPS server.
Procedure
● Run the display ssl policy [ policy-name ] command to check the configured
SSL policy and loaded digital certificate.
● Run the display http user [ username username ] command to check online
web user information.
● Run the display http server command to check current HTTPS server
information.
----End
Context
To further enhance security, you can configure an HTTPS access control list to
allow only specified web users to log in to the device. You can also run commands
to force idle users offline so that they do not occupy resources for too long.
ACL/ACL6 rules:
● If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set
up HTTPS connections with the local device.
● If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up
HTTPS connections with the local device.
● If an ACL/ACL6 rule is configured but packets from a client do not match the
rule, the client is not allowed to set up HTTPS connections with the local
device.
● If no ACL/ACL6 rule is configured, any clients are permitted to set up HTTPS
connections with the local device.
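The four rules above can be checked offline before an ACL is bound to the HTTPS server. The following Python model is an added example, not code from this guide: the Rule class, the sample ACL and all addresses are constructed, it covers IPv4 only, and it assumes that rules are evaluated in ascending rule-ID order with the first match deciding.

```python
"""Decision model for the HTTPS ACL rules listed above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str                 # IPv4 source address, or "any"
    wildcard: str = "0.0.0.0"   # wildcard mask: a 1 bit means "ignore this bit"

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(f"rule {self.rule_id}: unknown action {self.action!r}")

    def matches(self, client: str) -> bool:
        if self.source == "any":
            return True
        # Invert the wildcard to get the bits that must be equal.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        addr = int(ipaddress.IPv4Address(client))
        src = int(ipaddress.IPv4Address(self.source))
        return (addr & care) == (src & care)


def https_allowed(client: str, acl: Optional[Sequence[Rule]]) -> Tuple[bool, str]:
    """Apply the four documented rules and return (allowed, reason)."""
    if not acl:
        # No rule configured: any client may set up an HTTPS connection.
        return True, "no rule configured"
    # Assumption: ascending rule-ID order, first match wins.
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(client):
            return rule.action == "permit", f"rule {rule.rule_id} {rule.action}"
    # Rules exist but none matched: the client is not allowed.
    return False, "no rule matched"


def audit(acl: Optional[Sequence[Rule]],
          must_allow: Sequence[str],
          must_refuse: Sequence[str]) -> List[str]:
    """Compare the ACL's effect with the intended management-access policy."""
    findings = []
    for host in must_allow:
        ok, why = https_allowed(host, acl)
        if not ok:
            findings.append(f"{host} should be allowed but is refused ({why})")
    for host in must_refuse:
        ok, why = https_allowed(host, acl)
        if ok:
            findings.append(f"{host} should be refused but is allowed ({why})")
    return findings


# Constructed sample ACL. Rule 15 uses a non-contiguous wildcard to show that a
# wildcard mask is not a subnet mask: it matches only odd host addresses in 10.0.0.x.
ACL_2000 = [
    Rule(5, "deny", "192.168.0.50"),
    Rule(10, "permit", "192.168.0.0", "0.0.0.255"),
    Rule(15, "permit", "10.0.0.1", "0.0.0.254"),
]

if __name__ == "__main__":
    for host in ("192.168.0.10", "192.168.0.50", "10.0.0.3", "10.0.0.2", "172.16.0.9"):
        print(host, https_allowed(host, ACL_2000))
    # With no rule configured, every host in the "must refuse" list is reported.
    print(audit(None, ["192.168.0.10"], ["172.16.0.9"]))
```

Running the audit with no ACL shows the consequence of the last rule in the list: until a rule is configured, every address that can reach the device can attempt a web login.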
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Configure an ACL/ACL6 on the HTTPS server.
● Configure an HTTPS IPv4 ACL as follows:
a. Run the acl [ number ] acl-number command to enter the ACL view.
HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is
configured, the value of acl-number ranges from 2000 to 2999. If an
advanced ACL is configured, the value of acl-number ranges from 3000 to
3999.
b. Configure an ACL.
The commands for configuring basic and advanced ACLs are different.
b. Configure an ACL6.
The commands for configuring basic and advanced ACL6s are different.
----End
1.1.4.7.1 Example for Configuring Device Login Through the Web System (Secure
Mode)
Networking Requirements
As shown in Figure 1-18, the device functions as an HTTPS server (an HTTPS IPv4
server is used as an example in this section) and is reachable from the PC. The
management IP address of the HTTPS server is 192.168.0.1/24.
Users want to manage and maintain the device through the web system and have
high security requirements. They have obtained the server digital certificate
1_servercert_pem_dsa.pem and private key file 1_serverkey_pem_dsa.pem from
the CA.
Figure 1-18 Networking diagram for configuring device login through the web
system (secure mode)
[Diagram: PC -- Network -- HTTPS_Server (192.168.0.1/24)]
Configuration Roadmap
Loading an independent web page file is used as an example in this section. The
configuration roadmap is as follows:
1. Securely upload necessary files to the server through SFTP, including the web
page file, server digital certificate, and private key file.
2. Load the web page file and digital certificate.
3. Bind an SSL policy and enable the HTTPS service.
4. Configure a web user and enter the web login page.
Procedure
Step 1 Upload files to the device through SFTP.
# Generate a local key pair on the server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS-Server
[HTTPS-Server] dsa local-key-pair create
Info: The key name will be: HTTPS-Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:2048
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[HTTPS-Server] sftp server enable
# Configure an SSH user, including its authentication mode, service type, service
authorized directory and password, user level, and access type.
[HTTPS-Server] ssh user client001 authentication-type password
[HTTPS-Server] ssh user client001 service-type sftp
[HTTPS-Server] ssh user client001 sftp-directory flash:
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user client001 privilege level 15
[HTTPS-Server-aaa] local-user client001 service-type ssh
[HTTPS-Server-aaa] quit
[HTTPS-Server] quit
# Log in to the HTTPS server through SFTP from the terminal and upload the
digital certificate and web page file to the server.
The SSH client software must be installed on the terminal before login. Third-
party software OpenSSH and Windows Command Prompt window are used as
examples in this section.
NOTE
● Ensure that the OpenSSH version you use is compatible with the terminal's operating
system; otherwise, you may fail to log in to the switch through SFTP.
● For details on how to install OpenSSH, see the instruction of the software.
● You need to use OpenSSH commands for login through OpenSSH. For details on how to
use the OpenSSH commands, see the help document of the software.
● OpenSSH commands can be used in the Windows Command Prompt window only after
the OpenSSH software is installed.
Open the Windows Command Prompt window and run the sftp
client001@192.168.0.1 command to enter the working directory of the SFTP
server. You can access the device through SFTP. (The following information is for
reference only.)
C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
Connecting to 192.168.0.1...
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (DSA) to the list of known hosts.
User Authentication
Password:
sftp>
Upload the digital certificate and web page file from the terminal to the server.
sftp> put web.7z
Uploading web.7z to /web.7z
web.7z 100% 1308478 4.6KB/s 00:11
sftp> put 1_servercert_pem_dsa.pem
Uploading 1_servercert_pem_dsa.pem to /1_servercert_pem_dsa.pem
1_servercert_pem_dsa.pem 100% 1302 4.6KB/s 00:02
sftp> put 1_serverkey_pem_dsa.pem
Uploading 1_serverkey_pem_dsa.pem to /1_serverkey_pem_dsa.pem
1_serverkey_pem_dsa.pem 100% 951 4.6KB/s 00:01
# Run the dir command on the device to check whether the digital certificate and
web page file exist in the current storage directory.
NOTE
If the sizes of the digital certificate and web page file in the current storage directory are
different from sizes of those on the server, an error may have occurred during file transfer.
Upload the files again.
# Create the subdirectory security on the server and copy the digital certificate
and private key file to the subdirectory.
<HTTPS-Server> mkdir security
<HTTPS-Server> copy 1_servercert_pem_dsa.pem security
<HTTPS-Server> copy 1_serverkey_pem_dsa.pem security
# Run the dir command in the security subdirectory to check the digital
certificate.
<HTTPS-Server> cd security
<HTTPS-Server> dir
Directory of flash:/security/
# After the preceding configurations are complete, run the display ssl policy
command on the HTTPS server to check detailed information about the loaded
certificate.
[HTTPS-Server] display ssl policy
Step 3 Bind an SSL policy to the device and enable the HTTPS service.
# Bind an SSL policy to the device.
[HTTPS-Server] http secure-server ssl-policy http_server
Step 4 Configure a web user and enter the web login page.
# Configure a web user.
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user admin privilege level 15
[HTTPS-Server-aaa] local-user admin service-type http
[HTTPS-Server-aaa] quit
NOTE
Before configuring a web user, you can run the display this command in the AAA view to
check user names of local users. Ensure that the user name of the configured web user
does not conflict with that of an existing local user. Otherwise, the new web user will
overwrite the existing local user.
Open the web browser on the PC, enter https://192.168.0.1 in the address box, and
press Enter to enter the web login page, as shown in Figure 1-19.
Enter the web user name and password and click GO or press Enter to enter the
web system home page.
After the configurations are complete, you can log in to the device through the
web system.
Run the display http server command on the device to check the SSL policy name
and the HTTPS server status.
[HTTPS-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :1
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
----End
Configuration Files
HTTPS-Server configuration file
#
sysname HTTPS-Server
#
http server load web.7z
http secure-server ssl-policy http_server
#
aaa
local-user admin password irreversible-cipher $1a$#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP+sf=70+%^E7,,SF7$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher $1a$L@[C7B11%"H&\fS;qETS`zGI#RyJ%+A2KzP'.k[0tQ{=Cq5s43s&f^L\In6K$
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher %^%#0|:yF=]P~Afis516)rO,3Yu<@/3e]KFg.q@LG50%%^%#
#
return
Symptom
The device and client can ping each other, but login to the device through the
web system fails.
Procedure
Step 1 Check whether the HTTPS service is enabled.
● HTTPS IPv4:
By default, the HTTPS IPv4 service is enabled. Run the display this command
in the system view to check whether the undo http secure-server enable
command configuration exists. If it does, the HTTPS IPv4 service is disabled.
You can run the http secure-server enable command in the system view to
enable the HTTPS IPv4 service.
● HTTPS IPv6:
By default, the HTTPS IPv6 service is disabled. You can run the http ipv6
secure-server enable command in the system view to enable the HTTPS IPv6
service.
Step 2 Check whether the number of online web users is at its maximum.
Run the display http user command on the device to check whether the number
of current online web users has reached 5.
Currently, the device supports a maximum of five concurrent online web users. If
an idle user occupies web channel resources, other users may fail to log in. You
can run the free http user-id user-id command to force the user offline.
Step 3 Check whether access control is configured for web users on the device.
● HTTPS IPv4:
Run the display this command in the system view to check whether the http
acl acl-number command configuration exists. If so, record the value of acl-
number.
Run the display acl acl-number command in any view to check whether the
IPv4 address of the web client is denied in the ACL. If so, run the undo rule
rule-id command in the ACL view to delete the deny rule. Then, modify the
ACL and permit the IPv4 address of the web client.
● HTTPS IPv6:
Run the display this command in the system view to check whether the http
ipv6 acl acl6-number command configuration exists. If so, record the value of
acl6-number.
Run the display acl ipv6 acl6-number command in any view to check
whether the IPv6 address of the web client is denied in the ACL. If so, run the
undo rule rule-id command in the ACL6 view to delete the deny rule. Then,
modify the ACL6 and permit the IPv6 address of the web client.
Run the display this command in the AAA view to check whether the access type
of the web user is HTTP. If local-user user-name service-type http exists in the
command output, the access type of user-name is HTTP. If local-user user-name
service-type http does not exist in the command output, run the local-user user-
name service-type http command in the AAA view to set the access type of the
web user to HTTP.
----End
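The checks in this procedure can be run offline against saved CLI output when collecting evidence for a login-failure ticket. The following Python script is an added example, not code from this guide: both sample inputs are constructed (the configuration excerpt follows the format of the configuration file shown earlier, with faults planted), and the finding codes and the user oper1 are hypothetical.

```python
"""Offline triage of a web login failure from saved CLI output (added example)."""
import re

# Constructed sample: configuration excerpt with faults planted for the demonstration.
SAMPLE_CONFIG = """\
#
sysname HTTPS-Server
#
undo http secure-server enable
http acl 2000
http secure-server ssl-policy http_server
#
aaa
 local-user admin password irreversible-cipher <ciphertext-placeholder>
 local-user admin privilege level 15
 local-user admin service-type http
 local-user oper1 password irreversible-cipher <ciphertext-placeholder>
 local-user oper1 privilege level 2
 local-user oper1 service-type ssh
#
return
"""

# Constructed sample of 'display http server' output with all web sessions in use.
SAMPLE_HTTP_SERVER = """\
HTTP Secure-server Status : disabled
Current Online Users :5
Maximum Users Allowed :5
"""


def _field(output, name):
    """Return the value of a 'Name : value' line from display output, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def triage(config, http_server_output, username):
    """Return (code, message) findings in the order of the procedure above."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []

    # Step 1: the HTTPS IPv4 service is enabled unless this line is present.
    if "undo http secure-server enable" in lines:
        findings.append(("HTTPS_DISABLED",
                         "run 'http secure-server enable' in the system view"))

    # Step 2: other users cannot log in once the session limit is reached.
    cur = _field(http_server_output, "Current Online Users")
    top = _field(http_server_output, "Maximum Users Allowed")
    if cur and top and cur.isdigit() and top.isdigit() and int(cur) >= int(top):
        findings.append(("USERS_AT_MAX",
                         f"{cur} of {top} web users online; check 'display http user'"))

    # Step 3: a bound ACL refuses every client that it does not permit.
    for ln in lines:
        m = re.fullmatch(r"http (ipv6 )?acl (\d+)", ln)
        if m:
            show = "display acl ipv6" if m.group(1) else "display acl"
            findings.append(("ACL_BOUND",
                             f"'{ln}' is configured; run '{show} {m.group(2)}' "
                             "and look for the client address"))

    # Last check: the web user must exist and have the HTTP access type.
    user_re = re.compile(rf"local-user {re.escape(username)} (.+)")
    attrs = [m.group(1) for ln in lines if (m := user_re.fullmatch(ln))]
    if not attrs:
        findings.append(("NO_SUCH_USER", f"no local-user lines for {username}"))
        return findings
    services, level = set(), None
    for attr in attrs:
        if attr.startswith("service-type "):
            services.update(attr.split()[1:])
        elif attr.startswith("privilege level "):
            level = int(attr.split()[2])
    if "http" not in services:
        findings.append(("NOT_HTTP_USER",
                         f"run 'local-user {username} service-type http' in the AAA view"))
    # Levels 2 and lower are monitoring users (ping and tracert only).
    if level is not None and level <= 2:
        findings.append(("MONITORING_LEVEL",
                         f"level {level} user sees only ping and tracert"))
    return findings


if __name__ == "__main__":
    for user in ("admin", "oper1"):
        print(user)
        for code, message in triage(SAMPLE_CONFIG, SAMPLE_HTTP_SERVER, user):
            print(f"  {code}: {message}")
```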
1.1.4.9 FAQ
If the system software of the switch contains a web page file that is loaded, you
do not need to obtain a web page file again. If the system software does not
contain a web page file or you need to upgrade the web page file, log in to
the Huawei official website to download a separate web page file and upload the
web page file to the switch.
To obtain a web page file, log in to the Huawei enterprise support website
(http://support.huawei.com/enterprise), choose the product model and version, and
select a patch version under Public Patch in V and R Version to download the
required web page file. The file name is in the format of product name-software
version number.web page file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on
the website to check whether their sizes are the same. If not, an error may have
occurred during file download. Download the file again.
1.1.4.9.2 Why Only a Few Options Are Available on the Web System?
Web users of level 2 or lower are monitoring users and can use only the ping and
tracert functions. Web users of level 3 or higher are administrator users and have
all operation rights of a web page.
You can run the local-user user-name privilege level level command in AAA view
to set the user level of the login user to level 3 or higher. The login user then has
all operation rights of a web page.
If you forget or want to change the web login password, log in to the switch
through the console port, Telnet, or STelnet and set a new password after login.
NOTICE
The Telnet protocol has security vulnerabilities. It is recommended that you log in
to the device through the console port or using STelnet V2.
# Set the user name and password to admin123 and Huawei@123, respectively.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the
Internet. It runs at the application layer of the TCP/IP protocol stack. The transport
layer uses the connection-oriented TCP protocol.
Figure 1-20 shows a typical operation user interface of the web system.
NOTE
The menus and submenus described in this section are used for reference only because the
menus of different switch models have slight differences.
1.2.1.3 Buttons
This section describes common buttons on the web system that can be used to
facilitate operations on the web.
Table 1-11 lists the buttons and describes their functions.
Table 1-12 lists the elements that you usually use on the web system GUI.
NOTE
The GUI elements described in this section are used for reference only because the GUI
elements of different switch models have slight differences.
GUI elements listed in Table 1-12 (element images are not reproduced here):
● Button
● On/off switch
● Option button
● Check box
● Tab
● Text box
● Browse box
● Group box
● Drop-down list box
● Menu
● Time setting
● Mandatory option
● Interface panel
● CLI switching
Context
Only administrative users can add user accounts.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator.
Step 3 On the Create User page, enter values in User name, Password, and Confirm
password and select values for Access level and Access type, as shown in Figure
1-21.
----End
Context
Only administrative users can change the password and user level.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator.
Step 2 Click a user name in the User Name column to open the Modify User page.
Step 3 On the Modify User page, enter values in Password and Confirm password, and
select values for Access level and Access type.
----End
Context
Only administrative users can delete user accounts.
NOTE
You can delete a user account of the same or a lower level, not including your own user
account.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator.
Step 2 Select a record that you want to delete and click Delete. The system asks you
whether to delete the record.
Step 3 Click OK.
----End
By default, the timeout period for a login user is 20 minutes. You can change the
timeout period on the System Info page.
Context
The web system can change the switch mode between standalone and SVF. The
mode switching button is on the top left corner of the web page.
Procedure
The SVF configuration page is displayed. Choose Configuration > SVF Quick
Config to configure the SVF mode.
----End
A button is available on the EasyOperation edition for you to switch to the classic
edition. Click Classic at the upper right corner of the page to switch to the classic
edition. Figure 1-24 shows the Classic button.
Click at the upper right corner to save all the configuration data to the
configuration file.
NOTICE
● Click at the upper right corner after the preceding configuration; otherwise,
the configuration that has not been saved will be lost upon reboot.
● After you click OK or Apply on the current configuration page, the device
continues the operation but does not save configuration.
NOTE
If you use the first method, save the configurations before you close the browser.
Otherwise, the configurations will be lost. If you use the second method, a message is
displayed on the web system, asking whether you want to save the current configuration.
1.3 Monitor
You can monitor device status information in the web system.
1.3.1.1 Panel
The panel diagram displays the panel of a switch.
Context
The panel section displays information about interfaces on a switch panel,
including the number of interfaces and status of each interface. When you move
the mouse to an interface, the interface number and status are displayed.
Procedure
Step 1 Click Monitoring on the toolbar. The panel diagram is displayed, as shown in
Figure 1-25.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
----End
Procedure
Step 1 Click Monitoring on the toolbar. The system description of the switch is displayed,
as shown in Figure 1-26.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
NOTE
The product model, software version, and other product information provided here are only
for reference and may differ from actual device information.
----End
Context
To view the real-time status of a switch, refresh the page.
Procedure
Step 1 Click Monitoring on the toolbar. The switch status is displayed, as shown in
Figure 1-27.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
Step 2 Click the CPU Usage, Memory Usage, and Temperature tabs to view detailed
status information, as shown in Figure 1-28.
Battery type and status (status icons are not reproduced here):
● Lead-acid battery: Absent, Charging, Full power, Discharging, Abnormal
● Lithium battery: Absent, Charging, Full power, Discharging (the remaining
power is normal, higher than or equal to 20%), Discharging (the remaining
power is too low, lower than 20%), Abnormal, Upgrading
NOTE
A lithium battery is discharging, and the displayed status icon depends on the
remaining power of the battery. If the remaining power is less than 20% of the
full power, the red discharging icon is displayed, indicating that the power is
too low. If the remaining power is more than 20% of the full power, the green
discharging icon is displayed.
When a lithium battery is charging or discharging, the current power percentage
is displayed above the status icon. For example, if a lithium battery is fully
charged, "Lithium battery 100%" is displayed. If the remaining power of a
discharging lithium battery is too low, "Lithium battery 18%" is displayed.
----End
Procedure
Step 1 Click Monitoring to open the Monitoring page, and click on the left of
Interface Bandwidth Utilization, Log, Alarm, etc. The top 5 interface bandwidth
utilization is displayed, as shown in Figure 1-30.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
Step 2 If you want to view the bandwidth utilization of a specific interface, click the
interface below Port Name. The Bandwidth Utilization is displayed. On the page,
you can view the real-time bandwidth utilization of this interface, as shown in
Figure 1-31.
Step 3 If you want to view the bandwidth utilization of other interfaces, click More in the
lower right corner of the Top 5 Bandwidth Utilization. The Port List is displayed.
You can view detailed information about other interfaces on the Port List, as
shown in Figure 1-32.
You can use the following method to search and view detailed information about
a specific interface on the Port List.
1. Select an interface type from the drop-down list.
2. Enter the interface number in the second search box.
3. Click .
On the Port List, you can perform refresh, clear, and clear all operations.
● Click Refresh to obtain the latest bandwidth utilization.
● Click Clear to clear the bandwidth utilization of a specified interface and
refresh the page.
● Click Clear All to clear the bandwidth utilization of all interfaces and refresh
the page.
----End
1.3.1.5 Log
The Log section displays the five latest logs with the highest severities,
providing the generation time and contents of each log.
Context
You can click More to view more logs.
Procedure
Step 1 Click Monitoring to open the Monitoring page, and click on the left of
Interface Bandwidth Utilization, Log, Alarm, etc. Logs are displayed in the Log
section, as shown in Figure 1-33.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
Step 2 Click More to display the Log page. You can view the latest logs with the
highest severities on this page.
----End
1.3.1.6 Alarm
The Alarm section displays the five latest alarms, providing the generation time
and contents of each alarm.
Context
You can click More to view more alarms.
Procedure
Step 1 Click Monitoring to open the Monitoring page, and click on the left of
Interface Bandwidth Utilization, Log, Alarm, etc. Alarms are displayed in the
Alarm section, as shown in Figure 1-34.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
Step 2 Click More to display the Alarm page. You can view the latest alarms on this page.
----End
Context
For a non-PoE device that provides only internal power modules, the Power
status section is not displayed on the Monitor page. If the device does not
support PoE power supply, total available PoE power and total PoE output power
are not displayed in the Power status section.
Procedure
Step 1 Click Monitoring to open the Monitoring page, and click on the left of
Interface Bandwidth Utilization, Log, Alarm, etc. The Power Status is displayed,
as shown in Figure 1-35.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
----End
Context
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
Procedure
Step 1 Choose Monitoring > Summary to view information such as SVF summary and
system status, as shown in Figure 1-36.
Step 2 Click Member Device Status in the lower left corner of the page to view SVF
member information, including member name, type, model, MAC address, and
status, as shown in Figure 1-37.
----End
1.3.3 User
This chapter describes how to view user information.
NOTE
Only the S5720HI supports this function. The S6720EI and S6720S-EI support this function in
SVF mode.
This node is only available in the NAC unified mode.
Procedure
Step 1 Choose Monitoring > User and click the User Distribution tab. The access user
list is displayed, as shown in Figure 1-38.
NOTE
The S6720EI (SVF mode) and S6720S-EI (SVF mode) do not display wireless user information.
----End
Procedure
Step 1 Choose Monitoring > User and click the Wired User Statistics tab. The wired
user list is displayed, as shown in Figure 1-39.
----End
Context
You can view traffic statistics of each user through the user monitoring page so
that you can learn the wireless network status.
Procedure
● View the user list.
a. Choose Monitoring > User > Wireless User Statistics. The Wireless
User List page is displayed.
b. Click the downward arrow next to Default to customize items to be
displayed. Click All to display all items.
● Move the cursor to Channel Usage to view details about channel usage of the user,
including the transmitting time ratio, receiving time ratio, interference ratio, and idle
rate of the channel.
● Click the rightward arrow on the left of the list to view the following recent information
about the user: SNR, downlink negotiation rate, channel usage, valid downlink and
uplink throughput, retransmission ratio, and packet loss ratio graph.
● Intelligently diagnose STA access faults.
Select a user in Wireless User List and click Intelligent Diagnosis to
diagnose login failures, disconnection, and slow service rate or unavailable
service transmission. The web platform will provide handling suggestions. For
details, see 1.5.1 Intelligent Diagnosis (S5720HI).
● Query the roaming track of a STA.
Select a STA in Wireless User List and click Roaming Track to query its
roaming track.
● Query login failure records.
Click Login Failure Record to view all login failure records on the AC and
identify fault causes.
● Query user logout records.
Click Logout Record to view all logout records on the AC and identify fault
causes.
Context
The topology is displayed only in SVF mode.
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
Procedure
Step 1 Choose Monitoring > Topology. The level-1 AS topology is displayed, as shown in
Figure 1-40.
Step 2 Click the level-1 AS icon to display the level-2 AS topology, as shown in Figure
1-41.
NOTE
To view the AS panel information and user information on interfaces, click the device name
beside the level-1 or level-2 AS.
----End
1.3.5.1 AS
This section shows the AS information in SVF mode, including AS name, device
model, and system status.
Procedure
Step 1 Choose Monitoring > Wired Service > AS. The AS list is displayed, as shown in
Figure 1-42.
----End
Procedure
Step 1 Choose Monitoring > Wired Service > User Port Group. The user port group list
is displayed, as shown in Figure 1-43.
----End
1.3.6.1 Radio
Context
You can view details about radios of APs through the radio monitoring page.
Procedure
● View the radio list.
a. Choose Monitoring > Wireless Service > Radio. The Radio List page is
displayed.
AP ID ID of the AP.
● Move the cursor to Channel Usage to view details about channel usage, including the
transmitting time ratio, receiving time ratio, interference ratio, and idle rate of the
channel.
● Click the rightward arrow on the left of the list to view the following information of the
radio: number of recently accessed STAs, noise level, channel usage, rate, retransmission
ratio, and packet loss ratio.
● Implement spectrum analysis.
Select a radio from Radio List and click Spectrum Analysis. The spectrum
charts of the radio are displayed. For details, see 1.3.6.7 Spectrum Analysis.
● Intelligently diagnose radio faults.
Select a radio in Radio List and click Intelligent Diagnosis to diagnose Mesh
link faults, AP failures, and AP upgrade failures. The web platform will provide
handling suggestions. For details, see 1.5.1 Intelligent Diagnosis (S5720HI).
● Capture wireless packets.
Select a radio in Radio List and click Wireless Packet Obtaining to capture
wireless packets so that you can identify faults. For details, see 1.5.2.2
Wireless Packet Capturing (S5720HI).
● View field strength information.
Select a radio in Radio List and click Field Strength Collection to view field
strength information.
Parameter Description
Local AP Position No. This parameter takes effect only when the location-based handover algorithm is enabled.
AP ID ID of the AP.
----End
1.3.6.2 AP
Context
You can view AP performance statistics on the AP Statistics Collection page.
Procedure
● View the AP list.
a. Choose Monitoring > Wireless Service > AP > AP Statistics Collection.
The AP List page is displayed.
Parameter Description
AP ID ID of the AP.
Parameter Description
Click Login Failure Record in AP List. The Login Failure Record page is
displayed, on which you can view all records about the STA login failure on
the AP to locate the related fault causes.
● View user logout records.
----End
Context
You can view statistics about the AP's wired interfaces on the AP Wired Interface
Statistics Collection page.
Procedure
● View the AP wired interface statistics list.
a. Choose Monitoring > Wireless Service > AP > AP Wired Interface
Statistics Collection. The AP Wired Interface Statistics List page is
displayed.
Parameter Description
AP ID AP ID.
AP Name AP name.
----End
1.3.6.3 SSID
1.3.6.3.1 SSID
Context
You can view transmission statistics about a network identified by a service set
identifier (SSID).
Procedure
● View the SSID list.
Choose Monitoring > Wireless Service > SSID > SSID. The SSID List page is
displayed.
1.3.6.3.2 VAP
Context
You can view transmission statistics on each VAP through the VAP monitoring
page.
Procedure
● View the VAP list.
Choose Monitoring > Wireless Service > SSID > VAP. The VAP List page is
displayed.
Parameter Description
Select a VAP in VAP List to view graphs of top 10 applications of traffic within
the latest 60s and cumulative traffic at the lower part of the page.
Select the target VAP in VAP List and click Reset Application Statistics to
clear application statistics on the VAP.
----End
1.3.6.4 Mesh&WDS
Context
You can view Mesh link information through the Mesh link information
monitoring page.
Procedure
● View the Mesh link list.
a. Choose Monitoring > Wireless Service > Mesh&WDS > Mesh Link
Information. The Mesh link list is displayed.
----End
Context
You can view WDS link information through the WDS bridge information
monitoring page.
Procedure
● View WDS network bridge information.
a. Choose Monitoring > Wireless Service > Mesh&WDS > WDS Network
Bridge Information. The WDS Network Bridge List page is displayed.
Parameter Description
----End
Context
You can view and analyze statistics on exceptions of STAs and radios so that you
can identify potential risks.
Procedure
● View potential risks of STAs.
a. Choose Monitoring > Wireless Service > Potential Risk. The Potential
Risk page is displayed.
b. Click the number next to a condition in the User area. The details about
abnormal users are displayed in the Wireless User List at the lower part
of the page.
Parameter Description
AP ID ID of the AP.
1.3.6.6 WIDS
Procedure
● View device detection results.
a. Choose Monitoring > Wireless Service > WIDS. The WIDS page is
displayed.
b. View device detection results in Device Detection. Table 1-27 describes
the device detection parameters.
Parameter Description
Device Model -
d. Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed. Table 1-29
describes the parameters.
e. In the list of APs that detect the device, select an AP and click View
Whitelist to check the WIDS whitelist of the AP.
● Clear device detection statistics.
a. Choose Monitoring > Wireless Service > WIDS. The WIDS page is
displayed.
b. Click Clear in Device Detection.
● View attack detection results.
a. Choose Monitoring > Wireless Service > WIDS. The WIDS page is
displayed.
b. View attack detection results in Attack Detection. Table 1-30 describes
the attack detection parameters.
Parameter Description
c. Click a number in the attack detection result list to view details. Table
1-31 describes the parameters.
Parameter Description
NOTE
By default, information about the active attacks is displayed. You can click Historical
Attack to check historical attack detection records.
d. Click View Dynamic Blacklist. The View Dynamic Blacklist page is
displayed. Table 1-32 describes the dynamic blacklist parameters.
Context
The AP3010DN-AGN and AP9330DN do not support this function.
On the Spectrum Analysis page, you can enable or disable the spectrum analysis
function on a radio and view spectrum charts. The Spectrum Analysis page can
display eight types of spectrum charts, including Swept Spectrogram, Active
Devices, Real-Time FFT, Channel Metrics, Channel Quality Trend, FFT Duty
Cycle, Interference Power, and Quality Spectrogram.
Procedure
● Enable spectrum analysis on a radio and view spectrum charts.
a. Choose Monitoring > Wireless Service > Spectrum Analysis. The Radio
List page is displayed.
Parameter Description
AP Name AP name.
AP ID AP ID.
d. Select your desired spectrum chart from the drop-down list box in the
upper left corner. Particularly, you can select Lower or Upper on the
1.4 Configuration
The configuration tasks include basic service management and security service
management.
Procedure
● Configure the switching mode quickly.
a. Choose Configuration > Quick Config. Select Switching for Select a
mode to open the quick switching mode configuration page, as shown in
Figure 1-44.
Parameter Description
NOTE
Parameter Description
NOTE
Parameter Description
Procedure
Step 1 Choose Configuration > SVF Quick Config > SVF Enabling. The SVF Enabling
page is displayed.
Step 2 Set Enable SVF to ON. The SVF Enabling page is displayed, as shown in Figure
1-46.
Item Description
1.4.2.2 AS Addition
This section describes how to add ASs to an SVF system and configure fabric-ports.
Procedure
● Create AS fabric-ports.
a. Choose Configuration > SVF Quick Config > AS Addition and click the
Configure AS Fabric-Ports tab.
b. Click Create and set AS fabric-port parameters, as shown in Figure 1-47.
c. Click to download the fabric-port file profile locally and fill in the
profile.
Select the slot ID and corresponding product model in the Slot ID-switch
drop-down list box, and click .
g. Click OK to complete the AS model configuration.
h. Click to complete the configuration.
● Add ASs in a batch.
a. Choose Configuration > SVF Quick Config > AS Addition and click the
Name ASs tab.
b. Click Batch Import to enter the page for batch import of ASs, as shown
in Figure 1-51.
c. Click to download the AS file profile locally and fill in the profile.
Procedure
Step 1 Choose Configuration > SVF Quick Config > AS User-Side Service. The AS User-
Side Service page is displayed, as shown in Figure 1-52.
1. Click Add.
2. Select the AS name on the Add AS Port page, as shown in Figure 1-55.
Table 1-42 describes the parameters in the Add VLAN and Gateway
Configuration dialog box.
Item Description
▪ Parent
▪ Remote server
Table 1-43 Parameters in the Add Enhanced Service Profile dialog box
Item Description
▪ Enabled
▪ Disabled
Item Description
ARP packet rate limit (kbps): Sets the rate limit of incoming ARP packets on an
interface. The value ranges from 8 to 128.
DHCP packet rate limit (kbps): Sets the rate limit of incoming DHCP packets on an
interface. The value ranges from 8 to 128.
Item Description
----End
Follow-up Procedure
Delete an AS user port group.
1. Choose Configuration > SVF Quick Config > AS User-Side Service. The AS
User-Side Service page is displayed.
2. Select the AS user port group name to be deleted.
3. Click Delete.
4. In the dialog box that is displayed, click OK.
1.4.2.4 AP Addition
Procedure
● Configure ports that connect ASs to APs.
a. Choose Configuration > SVF Quick Config > AP Addition. Click the
Configure Ports Connected to APs tab.
b. Set AS Name to the added ASs and click Add All or Add Selected. All
ports connecting the ASs to the AP are added in the list.
c. Expand Pass VLAN. Set VLAN ID for the ports and click Apply. VLANs are
configured for the ports.
● Configure APs.
a. Choose Configuration > SVF Quick Config > AP Addition. Click the
Configure APs tab.
b. Click Create to manually add APs one by one or batch import APs offline.
For details, see 1.4.7.3.1 AP Info.
c. Select APs in the list and click Delete. The APs are deleted.
----End
Procedure
Step 1 Choose Configuration > SVF Quick Config > AP User-Side Service. The Service
Settings tab is displayed, as shown in Figure 1-66.
Step 2 Click Create in the AP Group List pane. In the Create AP Group dialog box that is
displayed, set AP group name and click OK.
Parameter Description
Service VLAN ID Service VLAN bound to the VAP mapping the SSID.
– Click and select a service VLAN in the displayed
Select window.
– Click and create a service VLAN in the displayed
Add VLAN and Gateway Configuration window.
– Click and modify the existing service VLAN in
the displayed Update VLAN And Gateway
Configuration window.
Parameter Description
Built-in Portal Built-in Portal server, which is valid only when Access
Server mode is set to Built-in Portal Server.
– Server IP: IP address of a built-in Portal server
– Port number: port number of a built-in Portal
server
– SSL policy: SSL policy used by a built-in Portal
server
3. Click OK.
NOTE
NOTE
If AP authentication mode is set to SN authentication, ensure that the AP SNs have been
configured when importing APs offline.
1. Click the AP List tab and configure APs.
2. Click Add. On the page that is displayed, set Mode to Batch import.
If you download an AP information template of the Chinese web system under an English
Windows operating system (OS), the Chinese characters in the AP information template
cannot be displayed. You can choose Start > All Programs > Microsoft Office > Microsoft
Office Tools > Microsoft Office 2003 Language Settings in the Windows OS (take
Microsoft Office 2003 as an example) and set Primary Editing Language to
Chinese(PRC) on the Editing Language tab. After completing the setting, restart
Microsoft Office Excel and open the AP information template. The Chinese characters in
the template will be displayed normally.
Parameter Description
----End
Procedure
● Create network side VLANs and IP addresses.
a. Choose Configuration > SVF Quick Config > Network-Side Service and
click the Network-Side VLAN and IP tab.
b. Click Create and set parameters, as shown in Figure 1-67.
Item Description
Procedure
● Create AS blacklist and whitelist.
a. Choose Configuration > Advanced SVF Config > AS Access Mgmt and
click the AS Blacklist And Whitelist tab.
b. Click Create, as shown in Figure 1-70.
c. Set a value for AS MAC Address and select blacklist or whitelist from
the Manage drop-down list box.
d. Click to complete the configuration.
● Delete AS blacklist and whitelist.
a. Choose Configuration > Advanced SVF Config > AS Access Mgmt and
click the AS Blacklist And Whitelist tab.
b. Select the required blacklist and whitelist and click Delete.
c. In the dialog box that is displayed, click OK.
● Create an AS group.
a. Choose Configuration > Advanced SVF Config > AS Access Mgmt and
click the AS Group tab.
b. Click Create and set AS group parameters, as shown in Figure 1-71.
Parameter Description
----End
Procedure
● Create an AS port group.
a. Choose Configuration > Advanced SVF Config > AS Port Group.
b. Click Create, as shown in Figure 1-72.
Parameter Description
----End
Procedure
● Create a network basic profile.
a. Choose Configuration > Advanced SVF Config > AS Profile Mgmt and
click the Network Basic Profile tab.
b. Click Create, as shown in Figure 1-73.
Parameter Description
ARP Packet Rate Limit (kbps): Sets the rate limit of incoming ARP packets on an AS
port.
NOTE
This parameter is valid when no value is set for Bound Authentication Profile Name.
DHCP Packet Rate Limit (kbps): Sets the rate limit of incoming DHCP packets on an AS
port.
NOTE
This parameter is valid when no value is set for Bound Authentication Profile Name.
Context
Choose Monitoring > Summary to check Member Device Status. Only normal
ASs working in centralized configuration mode can be directly configured on the
parent.
Procedure
● Global AS configuration
a. Choose Configuration > Advanced SVF Config > AS Direct Config to
enter the AS Direct Config page.
Source IP-based ARP rate limit (pps): Configures ARP rate limiting based on source
IP addresses.
PoE
NOTE
You can click PoE parameters to edit these parameters and click to complete
the configuration. This information is displayed only on the PoE-supporting
switches.
Parameter Description
Ethernet Port
PoE
Parameter Description
Advanced
NOTE
Context
You can view interface related functions on this page.
Figure 1-79 shows interface status and optical/electrical interfaces.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click View
Configuration, as shown in Figure 1-80.
Step 2 Click an interface icon to select an interface. You can select only one interface at
one time.
Step 3 Check the interface functions in step 3, as shown in Figure 1-81.
Item Description
Step 4 If you want to delete all configurations on the interface to restore the default
settings, click Clear Configuration. After configurations are deleted, the interface
is disabled.
----End
1.4.4.1.2 Connect to PC
Context
After a switch is connected to a PC, you can configure functions such as the
default VLAN, port security, and port isolation based on service requirements.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to PC,
as shown in Figure 1-82.
Step 2 Select a port to be configured. Perform the following operations as required in the
port area:
● Click a port icon. To deselect the port, click the port icon again.
● Drag the cursor to select consecutive ports in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Select a slot where a panel is located. All ports on the panel are selected.
Step 3 Configure the port.
Table 1-65 describes parameters and their values.
Default VLAN Adds the interface to the default VLAN. The VLAN ID ranges
from 1 to 4094.
Operation
If you click More Configurations, the following parameters are valid.
Parameter Description
Jumbo Sets the jumbo frame length. The value ranges from 1536 to
10240.
----End
Context
After a switch is connected to an IP phone, you can configure functions such as
the default VLAN, voice VLAN, port security, and port isolation based on service
requirements.
Procedure
● Based On Phone Model (Auto)
a. Choose Configuration > Basic Services > Interface Settings. Click
Connect to IP Phone to open the Connect to IP Phone page.
b. Select a port to be configured. Perform the following operations as
required in the port area:
▪ Click a port icon. To deselect the port, click the port icon again.
▪ Click multiple port icons to select these ports, and click a port icon
again to deselect the port.
▪ Select a slot where a panel is located. All ports on the panel are
selected.
c. Click the Based On Phone Model (Auto) tab, and click Auto Phone
Scan. Check whether the interface is connected to an IP phone. Figure
1-83 indicates that the interface is not connected to an IP phone, and
Figure 1-84 indicates that the interface is connected to an IP phone.
Parameter Description
Default VLAN Adds the interface to the default VLAN. The VLAN ID
ranges from 1 to 4094.
Parameter Description
Voice VLAN Enables the voice VLAN function and specifies the
VLAN ID.
Operation
If you click More Configurations, the following parameters are valid.
Parameter Description
QoS Configuration
Default VLAN Adds the interface to the default VLAN. The VLAN ID
ranges from 1 to 4094.
Voice VLAN Enables the voice VLAN function and specifies the
VLAN ID.
Parameter Description
Operation
If you click More Configurations, the following parameters are valid.
Parameter Description
QoS Configuration
Default VLAN Adds the interface to the default VLAN. The VLAN ID
ranges from 1 to 4094.
Voice VLAN Enables the voice VLAN function and specifies the
VLAN ID.
Parameter Description
Operation
If you click More Configurations, the following parameters are valid.
Parameter Description
Context
After a switch is connected to another switch, you can configure the switch port to
allow packets from a specified VLAN based on service requirements.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to
Switch, as shown in Figure 1-89.
Step 2 Select a port to be configured. Perform the following operations as required in the
port area:
● Click a port icon. To deselect the port, click the port icon again.
● Drag the cursor to select consecutive ports in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Select a slot where a panel is located. All ports on the panel are selected.
Step 3 Configure the port.
Table 1-71 describes parameters and their values.
Load balancing mode: Sets the Eth-Trunk load balancing mode. This parameter is
valid only after Enable link aggregation is selected.
● dst-ip: Load balancing is performed based on the
destination IP address.
● dst-mac: Load balancing is performed based on the
destination MAC address.
● src-ip: Load balancing is performed based on the source
IP address.
● src-mac: Load balancing is performed based on the
source MAC address.
● src-dst-ip: Load balancing is performed based on the
Exclusive-OR calculation result of the source and
destination IP addresses.
● src-dst-mac: Load balancing is performed based on the
Exclusive-OR calculation result of the source and
destination MAC addresses.
Eth-Trunk Mode Sets the Eth-Trunk working mode. This parameter can be set
only after Enable link aggregation is selected.
● Manual load balancing (default): The Eth-Trunk working
mode is set to manual.
● Static LACP: The Eth-Trunk working mode is set to LACP.
Operation
If you click More Configurations, the following parameters are valid.
Parameter Description
----End
Context
You can configure functions of interfaces on switches that are connected to
routers on the GUI. Figure 1-90 shows interface status and optical/electrical
interfaces.
NOTE
Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support connecting the router.
If the device cannot be connected to a router, this page is hidden.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to
Router, as shown in Figure 1-91.
Step 2 Click an interface icon to select an interface. You can select only one interface at
one time.
Step 3 Set parameters on the Configure Interface. Figure 1-92 shows the Configure
Interface.
Context
On the GUI, you can disable an idle interface that is not connected to a cable or
an optical fiber, so that the idle interface does not interfere with interfaces that
are in working state.
Figure 1-93 shows interface status and optical/electrical interfaces.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Enable/
Disable Interface, as shown in Figure 1-94.
Step 2 Select the interface that you want to configure. Perform any of the following
operations as required.
● Click an interface icon to select an interface.
● Drag the mouse to select multiple consecutive interfaces in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Click the check box before a front panel name to select all the interfaces on
the front panel.
Step 3 Set parameters on the Configure Interface. Figure 1-95 shows the Configure
Interface.
Item Description
----End
Context
Virtual cable test (VCT) technology uses time domain reflectometry (TDR) to
detect the cable status. When a pulse transmitted into a cable reaches the end of
the cable or a failure point, part of the pulse energy is reflected to the
transmitting end. The VCT algorithm measures the time the pulse takes to travel
along the cable to the failure point and return, and converts the measured time
to a distance.
VCT can detect the fault type of a network cable and identify failure points to help
locate network cable faults.
The VCT test result is only for reference and may be inaccurate for cables of some
vendors.
VCT takes effect only on optical interfaces that have GE copper modules installed
or GE electrical interfaces on the device.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Detect Link, as
shown in Figure 1-97.
Step 2 Select the interface that you want to configure. Perform any of the following
operations as required.
● Click an interface icon to select an interface.
● Drag the mouse to select multiple consecutive interfaces in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Click the check box before a front panel name to select all the interfaces on
the front panel.
Step 3 Click Apply. In the dialog box that is displayed, click OK.
Step 4 You can view check results on the Configure Interface. Figure 1-98 shows the
Configure Interface.
Item Description
----End
Context
A port loopback test is used to check whether the internal forwarding chip
controls forwarding on the interface properly.
Figure 1-99 shows the interface status and symbols of optical and electrical
interfaces.
Figure 1-99 Interface status and symbols of optical and electrical ports
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Select Port
Loopback Test, as shown in Figure 1-100.
Step 2 Select the interface that you want to configure. Perform any of the following
operations as required.
● Click an interface icon to select an interface.
● Drag the mouse to select multiple consecutive interfaces in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Click the check box before a front panel name to select all the interfaces on
the front panel.
Step 3 Click Apply. In the dialog box that is displayed, click OK.
Parameter Description
----End
1.4.4.2 PoE
This chapter describes how to configure PoE. After PoE is configured on the
device, powered devices (PDs), such as wireless telephones and APs, are provided
with power.
Context
NOTE
Only the product models with PWR or PWH in the product names support PoE.
Procedure
Step 1 Choose Configuration > Basic Services > PoE.
Step 2 Perform global settings and click Apply, as shown in Figure 1-102.
Item Description
Max output power (mW): Sets the maximum output power of the switch, in mW.
Reserved PoE power (%): Sets the percentage of the reserved PoE power against the
total PoE power.
Step 3 Select a port to be configured. Perform the following operations as required in the
port area:
● Click a port icon. To deselect the port, click the port icon again.
● Drag the cursor to select consecutive ports in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Select a slot where a panel is located. All ports on the panel are selected.
Item Description
Max output power (mW): Sets the maximum output power of the interface, in mW.
----End
1.4.4.3 VLAN
You can create, query, modify, or delete a single VLAN or create VLANs in a batch.
Context
● A switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
● VLANs can isolate the hosts that require no communication with each other,
reducing broadcast traffic and improving network security.
Procedure
● Creating a VLAN
a. Choose Configuration > Basic Services > VLAN.
b. Click Create. The Create VLAN dialog box is displayed, as shown in
Figure 1-104.
Parameter Description
c. Set parameters.
d. Click Add Interface. The Add Interface area is unfolded, as shown in
Figure 1-105.
c. Click OK.
● Querying a VLAN
a. Choose Configuration > Basic Services > VLAN.
b. Enter the VLAN ID in the search box. If you do not enter any VLAN ID, all
created VLANs are displayed.
c. Click . The VLAN is displayed, as shown in Figure 1-108.
● Modifying a VLAN
a. Choose Configuration > Basic Services > VLAN.
b. Click a VLAN ID. The Modify VLAN dialog box is displayed, as shown in
Figure 1-110. Table 1-78 describes parameters in the Modify VLAN
dialog box.
1.4.4.4 DHCP
Context
Dynamic Host Configuration Protocol (DHCP) is used to dynamically manage and
configure the IP addresses for users in a centralized manner. DHCP adopts the
client/server mode for communication. The client applies to the server for
configurations (including IP address, subnet mask, and default gateway), and the
server replies with corresponding configuration information based on policies.
Procedure
● Global configuration
a. Choose Configuration > Basic Services > DHCP.
b. Set DHCP status to ON in the Global Settings area to enable the DHCP
function globally.
● Address pool list
a. Choose Configuration > Basic Services > DHCP.
b. Click Create in the Address Pool List area. The Create IP Pool page is
displayed, as shown in Figure 1-111.
Parameter Description
----End
1.4.4.5 MAC
Context
Each switch maintains a MAC address table. A MAC table records learned MAC
addresses, VLAN IDs, and outbound interfaces. To forward data, the switch
searches the MAC table based on destination MAC addresses and VLAN IDs
carried in packets to determine the outbound interfaces for the packets. Therefore,
broadcast traffic is reduced. Configure the following MAC address types and
functions:
● Dynamic entries are learned by an interface from the source MAC addresses of
received frames. Dynamic entries can age out.
● Static MAC entries are manually configured and never age. For details, see
Configuring a static user.
● Blackhole MAC entries are used to discard data frames with the specified
source or destination MAC addresses. Blackhole MAC entries are manually
configured and never age. For details, see Configuring a blackhole MAC
address entry.
● ARP entry fixing can be configured to defend against ARP address spoofing
attacks. For details, see Configuring ARP entry fixing.
● Port security converts the MAC addresses learned on an interface into secure
MAC addresses, so that only hosts with secure MAC addresses or static MAC
addresses can communicate with the switch through the interface. This
improves switch security. For details, see Configuring port security.
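The entry types listed above interact when a frame arrives. The following model is an added example, not code from the switch or the original guide. The interface names, MAC addresses, the 300 s aging time, the limit of one secure MAC per port, and the drop of a static or secure MAC seen on another port are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DYNAMIC, STATIC, SECURE, BLACKHOLE = "dynamic", "static", "secure", "blackhole"


@dataclass
class Entry:
    kind: str
    port: Optional[str] = None   # outbound interface; None for blackhole entries
    last_seen: float = 0.0       # only meaningful for dynamic entries


@dataclass
class MacTable:
    aging_time: float = 300.0                         # seconds (assumed value)
    entries: dict = field(default_factory=dict)       # (vlan, mac) -> Entry
    secure_limit: dict = field(default_factory=dict)  # port -> max secure MACs

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = Entry(STATIC, port)

    def enable_port_security(self, port, max_macs=1):  # limit of 1 is assumed
        self.secure_limit[port] = max_macs

    def to_blackhole(self, vlan, mac):
        """Convert an entry to blackhole; only dynamic entries qualify."""
        entry = self.entries.get((vlan, mac))
        if entry is None or entry.kind != DYNAMIC:
            return False
        self.entries[(vlan, mac)] = Entry(BLACKHOLE)
        return True

    def age(self, now):
        """Drop dynamic entries not refreshed within aging_time; return count."""
        stale = [k for k, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.last_seen > self.aging_time]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def _learn(self, vlan, src, port, now):
        """Learn the source MAC; return a drop reason, or None if accepted."""
        entry = self.entries.get((vlan, src))
        if entry is not None and entry.kind in (STATIC, SECURE):
            # Static and secure entries never age and are not relearned; the
            # same MAC arriving on another port is treated as spoofed (assumed).
            return None if entry.port == port else "mac-move"
        if port in self.secure_limit:
            used = sum(1 for e in self.entries.values()
                       if e.kind == SECURE and e.port == port)
            if used >= self.secure_limit[port]:
                return "port-security"
            self.entries[(vlan, src)] = Entry(SECURE, port)
            return None
        self.entries[(vlan, src)] = Entry(DYNAMIC, port, now)
        return None

    def receive(self, vlan, src, dst, port, now=0.0):
        """Return ('drop', reason), ('forward', port) or ('flood', None)."""
        for mac in (src, dst):
            entry = self.entries.get((vlan, mac))
            if entry is not None and entry.kind == BLACKHOLE:
                return ("drop", "blackhole")
        reason = self._learn(vlan, src, port, now)
        if reason:
            return ("drop", reason)
        entry = self.entries.get((vlan, dst))
        return ("forward", entry.port) if entry else ("flood", None)


def demo():
    """Run constructed frames through the model and return each verdict."""
    server, pc, rogue = "00aa-0000-0001", "00bb-0000-0002", "00cc-0000-0003"
    guest, idle = "00dd-0000-0004", "00ee-0000-0005"
    table = MacTable(aging_time=300)
    table.add_static(10, server, "GE0/0/1")
    table.enable_port_security("GE0/0/2")
    out = [
        table.receive(10, pc, server, "GE0/0/2", now=0),     # first MAC on secure port
        table.receive(10, rogue, server, "GE0/0/2", now=1),  # second MAC, over limit
        table.receive(10, server, pc, "GE0/0/3", now=2),     # server MAC on wrong port
        table.receive(10, guest, pc, "GE0/0/3", now=3),      # ordinary dynamic learning
        table.receive(10, idle, "00ff-0000-0006", "GE0/0/4", now=10),  # unknown dst
    ]
    out.append(table.to_blackhole(10, guest))    # dynamic entry can be converted
    out.append(table.to_blackhole(10, server))   # static entry cannot
    out.append(table.receive(10, guest, server, "GE0/0/3", now=20))
    out.append(table.age(now=400))               # only 'idle' is still dynamic
    return out
```

In this model the blackhole check runs before learning, so a blackholed source never refreshes or re-creates a dynamic entry.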
Procedure
● Configuring MAC/IP address security and the aging time of dynamic MAC
addresses
a. Choose Configuration > Basic Services > MAC.
b. Click the icon next to MAC/IP address security to enable or disable
MAC/IP address security.
c. Set the aging time of dynamic MAC addresses in the Dynamic MAC
aging time text box and click Apply.
NOTE
d. Set parameters.
e. Click OK.
● Creating a static secure MAC address
a. Choose Configuration > Basic Services > MAC.
b. Click the MAC/IP Address tab and select the interfaces. The MAC/IP
Address tab page is displayed, as shown in Figure 1-113.
NOTE
Before creating a static secure MAC address, enable port security by referring to
Configuring port security.
After port security is enabled, a yellow shield identifier next to the interface is
displayed.
c. Click Create Secure MAC. The Create Secure MAC page is displayed, as
shown in Figure 1-115.
d. Set parameters.
e. Click OK.
● Deleting MAC address entries
a. Choose Configuration > Basic Services > MAC.
b. Click the MAC/IP Address tab and select the interfaces. The MAC/IP
Address tab page is displayed, as shown in Figure 1-113.
c. Select an entry and click Delete MAC. The system asks you whether to
delete the entry.
d. Click OK.
● Configuring a blackhole MAC address entry
a. Choose Configuration > Basic Services > MAC.
b. Click the MAC/IP Address tab and select the interfaces. The MAC/IP
Address tab page is displayed, as shown in Figure 1-113.
c. Select an entry and click Convert to Blackhole MAC. The system asks
you whether to configure the entry as a blackhole MAC address entry.
NOTE
Only dynamic MAC address entries can be configured as blackhole MAC address
entries.
After dynamic MAC address entries are configured as blackhole MAC address entries,
select Select all interfaces so that they can be displayed in the MAC/IP address list.
d. Click OK.
● Configuring ARP entry fixing
a. Choose Configuration > Basic Services > MAC.
b. Click the MAC/IP Address tab and select the interfaces. The MAC/IP
Address tab page is displayed, as shown in Figure 1-113.
c. Select an entry and click Fix MAC. The system asks you whether to fix the
MAC address entry.
NOTE
Interface Name - -
d. Set parameters.
e. Click Apply.
----End
1.4.4.6 LBDT
This section describes how to configure LBDT.
Context
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
or even causes service interruption on the entire network. To allow the device to
detect loops on a Layer 2 network in a timely manner and prevent the network
from being severely affected by loops, configure loopback detection. Loopback
detection enables the device to periodically send loopback detection packets to
detect loops. When a loop is detected on an interface, the device shuts down or
blocks the interface to eliminate the loop. The interface can be restored when the
device detects that the loop on the interface is eliminated.
Procedure
Step 1 Click Configuration in the function area and choose Basic Services > LBDT from
the navigation tree on the left. The LBDT page is displayed, as shown in Figure
1-117.
Parameter Description
Step 3 Click Enable (Block Interface) or Enable (Shut Down Interface) to enable
loopback detection on an interface and set the action taken when a loop is
detected.
NOTE
If Enable (Shut Down Interface) is selected, the interface is shut down when a loop is
detected. The shutdown interface can be restarted in Interface Settings > Enable/Disable
Interface. For details, see Enable/Disable Interface.
NOTE
After line loopback detection is enabled, the system detects loops after about 5s. After 5s,
click to view the interface status.
----End
1.4.4.7 ACL
Access control lists (ACLs) are used to identify flows. To filter packets, a
network device first identifies the packets by matching them against ACL rules,
and then permits or denies them according to the configured policy.
Context
NOTE
For S5720HI, this node is only available in the NAC common mode.
Context
You can configure ACL rules and apply the ACL to an interface to filter the packets
received by the interface. The ACL rule configuration includes source and
destination IP addresses, protocol type, and source and destination port numbers.
Procedure
● Query the ACL rules applied to interfaces.
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > ACL in the navigation tree to display the ACL
page.
c. Click the Interface ACL tab to display the Interface ACL page, as shown
in Figure 1-119.
d. Click the icon of the interface to which the ACL rules are applied. The ACL
rule record is displayed in the ACL Rule List area, as shown in Figure
1-120.
● Copy the ACL rules that have been applied to an interface to another
interface.
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > ACL in the navigation tree to display the ACL
page.
c. Click the Interface ACL tab to display the Interface ACL page.
d. Click the icon of the interface to which the ACL rules have been applied.
Click Copy To to display the Copy To page, as shown in Figure 1-121.
e. Select the target interface to which the ACL rules are copied. You can
perform the following operations as required:
▪ Click the icon of a single interface. Re-click the icon to deselect the
interface.
▪ If the existing ACL rule records are displayed in the ACL Rule List
area, click on the right of Operation or Add on the left of Ascend
or on the right of Delete. A new record of ACL Rule List is displayed
in the ACL Rule List area. Set the ACL rule parameters, as shown in
Figure 1-122.
NOTE
If you click on the right of Operation or Add on the left of Ascend, a new
record of ACL Rule List is inserted to the first line in the ACL Rule List area. If
you click Add on the right of Delete, a new record of ACL Rule List is inserted
below the current line in the ACL Rule List area.
Parameter Description
Operation ● Delete
● Add
e. Click Apply.
● Edit ACL rules.
a. Click Configuration to display the Configuration page.
b. Choose Basic Settings > ACL in the navigation tree to display the ACL
page.
c. Click the Interface ACL tab to display the Interface ACL page.
d. Click the icon of the interface to which the ACL rules have been applied
and edit ACL rules.
----End
Context
You can configure ACL rules and apply the ACL to a VLAN to filter the VLAN
packets. The ACL rule configuration includes source and destination IP addresses,
protocol type, and source and destination port numbers.
Procedure
● Query the ACL rules applied to VLANs.
a. Click Configuration to display the Configuration page.
b. Choose Basic Settings > ACL in the navigation tree to display the ACL
page.
c. Click the VLAN ACL tab to display the VLAN ACL page, as shown in
Figure 1-123.
d. Select the ID of the VLAN to which the ACL rules are applied. The record
is displayed in the ACL Rule List area, as shown in Figure 1-124.
● Copy the ACL rules that have been applied to a VLAN to another VLAN.
a. Click Configuration to display the Configuration page.
b. Choose Basic Settings > ACL in the navigation tree to display the ACL
page.
c. Click the VLAN ACL tab to display the VLAN ACL page.
d. Select the ID of the VLAN to which the ACL rules have been applied. Click
Copy To to display the Copy To page, as shown in Figure 1-125.
e. Enter the ID of the destination VLAN to which the ACL rules are applied,
and click OK.
● Create ACL rules.
a. Click Configuration to display the Configuration page.
b. Choose Basic Settings > ACL in the navigation tree to display the ACL
page.
c. Click the VLAN ACL tab to display the VLAN ACL page.
d. Select the ID of the VLAN to which ACL rules need to be applied, and
create the ACL rules.
▪ If the existing ACL rule records are displayed in the ACL Rule List
area, click on the right of Operation or Add on the left of Ascend
or on the right of Delete. A new record of ACL Rule List is displayed
in the ACL Rule List area. Set the ACL rule parameters, as shown in
Figure 1-126.
NOTE
If you click on the right of Operation or Add on the left of Ascend, a new
record of ACL Rule List is inserted to the first line in the ACL Rule List area. If
you click Add on the right of Delete, a new record of ACL Rule List is inserted
below the current line in the ACL Rule List area.
Parameter Description
Operation ● Delete
● Add
e. Click Apply.
● Edit ACL rules.
----End
Context
NOTE
For S5720HI, this node is only available in the NAC common mode.
Context
Authentication configuration includes configurations of the local and RADIUS
authentication modes. If the local authentication mode is used, you must create a
user account on the switch and set a password. If the RADIUS authentication
mode is used, you must configure the IP address, port number, and shared key of
the RADIUS server. If the password set when a local user is created or
modified is the same as the default password, a security risk exists.
NOTE
Account management information includes information about the users whose user types are
802.1x, Bind, PPP, or Web or who do not have access types. The access type of a created user
can be 802.1x, Bind, PPP, or Web.
Procedure
● Configuring local authentication
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > User Access Control in the navigation tree to
display the User Access Control page.
c. Click the Authentication Configuration tab to display the
Authentication Configuration page.
d. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.
e. Select Local authentication for Authentication mode, as shown in
Figure 1-127.
f. Click Apply.
g. Configure the user account information for local authentication in the
Account Management area.
Parameter Description
Context
To ensure communication between the switch and the Portal server, you must
configure the Portal server IP address and the parameters for information
exchange between the switch and the Portal server (including the port number
and shared key of the Portal server), and bind interfaces to the Portal server.
The device supports two configuration modes. By default, the unified mode is
used. You can run the undo authentication unified-mode command to switch
the configuration mode to traditional mode.
NOTE
After configuring Portal authentication, perform the Authentication Configuration. The two
functions implement user authentication together.
The web system supports only one Portal server, and this Portal server can only be modified but
cannot be deleted through the web system. To delete the Portal server, run the
undo web-auth-server command in the system view.
Procedure
● The traditional mode.
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > User Access Control in the navigation tree to
display the User Access Control page.
c. Click the Portal Server tab to display the Portal Server page, as shown
in Figure 1-131.
Parameter Description
Context
The device supports two configuration modes. By default, the unified mode is
used. You can run the undo authentication unified-mode command to switch
the configuration mode to traditional mode.
● In the traditional mode, access configuration includes No-authentication,
802.1x authentication, MAC address authentication, and MAC address bypass
authentication. The last mode is a combination of 802.1X
authentication and MAC address authentication.
– No-authentication: Users are allowed to access the network without
authentication.
– 802.1x authentication: a Layer 2 authentication mode based on the
802.1x protocol. In this mode, the 802.1x client software must be installed
on user terminals, and user identity authentication is performed between
clients and servers using the Extensible Authentication Protocol (EAP).
– MAC address authentication: uses MAC addresses of users as identity
information. In this mode, the 802.1x client software does not need to be
installed on user terminals.
– MAC address bypass authentication: In this mode, 802.1x authentication
is performed first and the delay timer for MAC address bypass
authentication is enabled at the same time. If the 802.1x authentication
still fails when the delay time expires, MAC address authentication is
triggered.
When performing access configuration, you must enable the authentication
function first, and then select the interface to which the access configuration
applies and select an authentication mode.
● In the unified mode, access configuration includes No-authentication, 802.1x
authentication, MAC address authentication, and Portal authentication.
NOTE
After performing access configuration, perform the Authentication Configuration. The two
functions implement user authentication together.
If non-authentication is configured, a user passes the authentication using any user name or
password. Therefore, to protect the device or network security, you are advised to enable
authentication, allowing only the authenticated users to access the device or network.
Procedure
● The traditional mode.
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > User Access Control in the navigation tree to
display the User Access Control page.
c. Click the Access Configuration tab to display the Access Configuration
page, as shown in Figure 1-133.
g. Click Apply.
If authentication on any interface fails, an error page is displayed, as
shown in Figure 1-135.
f. Click Apply.
----End
1.4.4.9 STP
A spanning tree protocol can trim a network with loops into a loop-free tree
network. It prevents packets from looping infinitely, which preserves the packet
processing capability of the switch.
Procedure
● Enable STP globally.
a. Choose Configuration > Basic Services > STP > STP Summary to access the STP
Summary page.
b. Set Global STP status to ON to enable STP globally.
NOTE
The STP Global Setting and Interface Status parameters are available only when the
STP is enabled globally.
Parameter Description
----End
Context
NOTE
This function is not supported when a switch is working in super virtual fabric (SVF) mode.
This function is supported only when STP working mode is set to MSTP.
Procedure
● Configure an MST region.
a. Choose Configuration > Basic Services > STP > MST Region
Configuration to access the MST Region Configuration page, as shown
in Figure 1-139.
Parameter Description
a. Choose Configuration > Basic Services > STP > MST Region
Configuration to access the MST Region Configuration page.
b. Select an MSTI to be deleted and click Delete. In the dialog box that is
displayed, click OK.
● Refresh an MSTI list.
a. Choose Configuration > Basic Services > STP > MST Region
Configuration to access the MST Region Configuration page.
b. Click Refresh to refresh the MSTI list.
----End
Context
NOTE
This function is not supported when a switch is working in super virtual fabric (SVF) mode.
This function is supported only when STP working mode is set to VBST.
Procedure
● Enable VLAN-based Spanning Tree (VBST) in a VLAN.
a. Choose Configuration > Basic Services > STP > VBST Configuration to
display the VBST Configuration page.
b. Click Enable to display the Enable VBST in VLANs page, as shown in
Figure 1-141.
1.4.4.9.4 Multi-instance
Procedure
● Check global information about CIST.
a. Choose Configuration > Basic Services > STP > Multi-instance to access
the Multi-instance page, as shown in Figure 1-143.
Enter the MSTI ID next to MSTI ID and click to query MSTI information.
----End
1.4.4.10 LLDP
Context
To view the Layer 2 link status between network devices and analyze the network
topology, enable Link Layer Discovery Protocol (LLDP).
Procedure
Step 1 Choose Configuration > Basic Services > LLDP to display the LLDP configuration
page, as shown in Figure 1-144.
Step 2 Set Global LLDP status to ON so that LLDP is enabled on all interfaces.
Step 4 Click Enable LLDP On Port or Disable LLDP On Port to enable or disable LLDP
on the selected interfaces. Click Refresh to refresh information about neighbors of
the selected interfaces.
----End
Procedure
● Query an ACL.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > ACL Config to open the ACL Config page.
b. Set the search criteria.
Parameter Description
c. Click OK.
● Modify an ACL.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > ACL Config to open the ACL Config page.
b. Select an ACL and click Modify.
Parameter Description
Set Time Time range Indicates the time range when the ACL
takes effect.
NOTE
The time range name is displayed on the
configuration result page.
c. Click OK.
● Modify a rule.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > ACL Config to open the ACL Config page.
b. Select an ACL and click to expand the ACL rules.
c. Click of a rule to modify the rule. Table 1-95 describes the parameters
on the page.
NOTE
Click and to change the order of the rule, and click Apply to make the new
order take effect.
● Delete a rule.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > ACL Config to open the ACL Config page.
b. Select an ACL and click to expand the ACL rules.
c. Click of a rule to delete the rule. In the dialog box that is displayed,
click OK.
----End
Procedure
● Query ACLs.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > UCL Config to open the UCL Config page.
b. Set the search criteria.
c. Click to display all matching records.
● Create an ACL.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > UCL Config to open the UCL Config page.
b. Click Create to open the Create ACL page, as shown in Figure 1-147.
Parameter Description
c. Click OK.
● Modify an ACL.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > UCL Config to open the UCL Config page.
b. Select an ACL and click Modify.
Parameter Description
Set Time Time range Indicates the time range when the
ACL takes effect.
NOTE
The time range name is displayed on the
configuration result page.
c. Click OK.
● Modify a rule.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > UCL Config to open the UCL Config page.
b. Select an ACL and click to expand the ACL rules.
c. Click of a rule to modify the rule. Table 1-97 describes the parameters
on the page.
NOTE
Click and to change the order of the rule, and click Apply to make the new
order take effect.
● Delete a rule.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > UCL Config to open the UCL Config page.
b. Select an ACL and click to expand the ACL rules.
c. Click of a rule to delete the rule. In the dialog box that is displayed,
click OK.
----End
Context
● A time range specifies a period of time. In practice, users may want certain
ACL rules to be valid during a certain period but invalid outside that period.
That is, the ACL rules filter packets based on the time range. In
this case, you can set one or multiple time ranges, and apply the time ranges
to a created ACL. Then, packets can be filtered based on the set time ranges.
● An effective period can contain periodic time ranges and a validity period. A
periodic time range takes effect on a certain day in a week. A validity period
contains the start time and the end time.
Procedure
● Create a time range.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > Validity Time Range to open the Validity Time Range page.
b. Click Create to open the Create Time Range page, as shown in Figure
1-149.
Parameter Description
● If an effective period contains both time range and validity time, the effective
period takes effect only when the current time is within the time range and
validity time.
● The start time and end time of the time range can be earlier than the current
time.
● Either the time range or validity time must be set.
d. Click OK.
● Modify a time range.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > Validity Time Range to open the Validity Time Range page.
b. Click a time range name to open the Modify Time Range page, as
shown in Figure 1-150.
----End
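The following added example (not part of the vendor guide and not the switch's own code) models the effective-period rules stated above: at least one kind of entry must be set, and when both a periodic time range and a validity period are set, a rule is in force only while both match. It also reports rules bound to a validity period that has already ended, which the page says the system accepts. The class names, the sample rules, and the assumption that several entries of the same kind are ORed together are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class Periodic:
    """Weekly window: active on the listed weekdays (0=Mon .. 6=Sun)."""
    days: frozenset
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Validity:
    """Absolute window with a start time and an end time."""
    start: datetime
    end: datetime

    def contains(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    validity: List[Validity] = field(default_factory=list)

    def __post_init__(self):
        # "Either the time range or validity time must be set."
        if not self.periodic and not self.validity:
            raise ValueError(f"time range {self.name!r} has no entry")

    def active(self, now: datetime) -> bool:
        # A kind that is not set imposes no constraint; when both kinds are
        # set, the current time must fall inside both.
        # Assumption: multiple entries of the same kind are ORed.
        in_periodic = not self.periodic or any(p.contains(now) for p in self.periodic)
        in_validity = not self.validity or any(v.contains(now) for v in self.validity)
        return in_periodic and in_validity

    def expired(self, now: datetime) -> bool:
        # Every validity window has ended, so the range can never match again.
        return bool(self.validity) and all(v.end < now for v in self.validity)


@dataclass
class AclRule:
    rule_id: int
    action: str                      # "permit" or "deny"
    time_range: Optional[TimeRange] = None


def rules_in_force(rules, now):
    """IDs of rules that filter packets at `now` (no time range = always)."""
    return [r.rule_id for r in rules
            if r.time_range is None or r.time_range.active(now)]


def dead_rules(rules, now):
    """IDs of rules whose time range has expired and will never apply again."""
    return [r.rule_id for r in rules
            if r.time_range is not None and r.time_range.expired(now)]


# Constructed sample data, not taken from any device.
OFFICE = TimeRange(
    "office-hours",
    periodic=[Periodic(frozenset(range(5)), time(8, 0), time(18, 0))],
    validity=[Validity(datetime(2024, 1, 1), datetime(2024, 6, 30, 23, 59))],
)
OLD = TimeRange(
    "maintenance-2023",
    validity=[Validity(datetime(2023, 5, 1), datetime(2023, 5, 2))],
)
RULES = [AclRule(5, "permit", OFFICE), AclRule(10, "deny", OLD), AclRule(15, "deny")]

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 9, 0)          # a Monday morning
    print("in force:", rules_in_force(RULES, now))
    print("expired :", dead_rules(RULES, now))
```

A deny rule that shows up in `dead_rules` is silently inactive, so reviewing that list after each ACL change catches filters that no longer protect anything.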
Context
After creating an ACL, apply it to an interface to filter packets based on interfaces.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference and click the
Interface ACL tab, as shown in Figure 1-151.
Step 2 Select a port to be configured. Perform the following operations as required in the
port area:
● Click a port icon. To deselect the port, click the port icon again.
● Drag the cursor to select consecutive ports in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Select a slot where a panel is located. All ports on the panel are selected.
----End
Context
After creating an ACL, apply it to a VLAN to filter packets based on VLANs.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference and click the VLAN
ACL tab, as shown in Figure 1-153.
1. Click .
2. In the dialog box that is displayed, select an ACL number and click OK, as
shown in Figure 1-154.
----End
Context
An ACL applied on a traffic profile allows you to control packets from STAs
associated with an AP. An ACL applied on a wired port profile allows you to
control packets from wired users associated with an AP.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference > WLAN ACL. The
WLAN ACL page is displayed.
Step 4 Click below IPv4 Packet Filtering to select an egress or ingress ACL.
----End
1.4.5.3 AAA
This section describes the AAA configurations.
Procedure
● Create an authentication profile.
a. Choose Configuration > Security Services > AAA and click the
Authentication Profile tab, as shown in Figure 1-155.
Parameter Description
Click Hide Reference Relationship. The system hides the displayed results.
● Configure a profile referenced in the authentication profile.
a. Choose Configuration > Security Services > AAA and click the
Authentication Profile tab.
b. Click on the left of Authentication Profile List. The system displays
the authentication profile names. Click on the left of an authentication
profile name. The profiles referenced by this profile are displayed in the
navigation area.
c. Click any profile referenced by the authentication profile. The
configuration page of the referenced profile is displayed on the right. You
can select another profile from the drop-down list or click Create to
create a profile, and set the profile parameters. For descriptions of the
profile parameters, see its configuration page.
d. Click Apply. In the dialog box that is displayed, click OK.
----End
Procedure
● Configure an authentication scheme.
– Create an authentication scheme.
i. Choose Configuration > Security Services > AAA and click the
Authentication/Authorization/Accounting Scheme tab, as shown
in Figure 1-158.
Item Description
ii. Click the accounting scheme that you want to modify in Accounting
Scheme List.
iii. Modify parameters for the accounting scheme. Table 1-102 describes
the parameters on the page.
iv. Click OK.
----End
Context
Access users must obtain authorization information before they can go online.
Authorization information about users can be managed by configuring a service
scheme.
Procedure
● Create a service scheme profile.
a. Choose Configuration > Security Services > AAA and click the Service
Scheme tab, as shown in Figure 1-162.
d. Click OK.
● Modify a service scheme profile.
a. Choose Configuration > Security Services > AAA and click the Service
Scheme tab.
b. Click the service scheme profile that you want to modify. The settings of
the service scheme profile are displayed.
c. Set parameters for the service scheme profile. Table 1-103 describes the
parameters for modifying a service scheme profile.
d. Click OK.
● Delete a service scheme profile.
a. Choose Configuration > Security Services > AAA and click the Service
Scheme tab.
b. Select the profile that you want to delete and click Delete. The system
asks you whether to delete the record.
Procedure
● Set the maximum number of Portal authentication users.
a. Choose Configuration > Security Services > AAA and click the External
Portal Server tab, as shown in Figure 1-164.
Parameter Description
URL profile
The following parameters are valid when URL profile is selected.
Parameter Description
Procedure
● Create a built-in Portal server.
a. Choose Configuration > Security Services > AAA and click the Built-In
Portal Server tab, as shown in Figure 1-166.
1.4.5.3.6 RADIUS
Context
RADIUS protects a network from unauthorized access. It is often used on the
networks that require high security and remote user access control.
Procedure
● Configure a RADIUS server profile.
– Create a RADIUS server profile.
i. Choose Configuration > Security Services > AAA and click the
RADIUS tab, as shown in Figure 1-167.
ii. Click Create in RADIUS Server Profile to open the Create RADIUS
Server Profile page, as shown in Figure 1-168.
Parameter Description
1.4.5.3.7 HWTACACS
Context
HWTACACS prevents unauthorized users from attacking a network and supports
command-line authorization. Compared with RADIUS, HWTACACS is more reliable
in transmission and encryption, and is more suitable for security control.
Procedure
● Enable or disable HWTACACS.
a. Choose Configuration > Security Services > AAA and click the
HWTACACS tab, as shown in Figure 1-171.
----End
Procedure
● Create a local user.
a. Choose Configuration > Security Services > AAA and click the Local
User tab, as shown in Figure 1-174.
b. Click Create to open the Create User page, as shown in Figure 1-175.
Parameter Description
Procedure
● Configure 802.1X authentication globally.
a. Choose Configuration > Security Services > AAA and click the
Advanced Settings tab, as shown in Figure 1-176.
Parameter Description
c. Click Apply.
d. In the dialog box that is displayed, click OK.
● Configure Portal authentication globally.
a. Choose Configuration > Security Services > AAA and click the
Advanced Settings tab, as shown in Figure 1-176.
b. Set parameters in Portal Authentication Global Settings. Table 1-113
describes the parameters on this page.
Parameter Description
c. Click Apply.
d. In the dialog box that is displayed, click OK.
● Configure MAC address authentication globally.
a. Choose Configuration > Security Services > AAA and click the
Advanced Settings tab, as shown in Figure 1-176.
b. Set parameters in MAC Address Authentication Global Settings. Table
1-114 describes the parameters on this page.
c. Click Apply.
d. In the dialog box that is displayed, click OK.
● Enable the CNA bypass function for iOS terminals.
a. Choose Configuration > Security Services > AAA and click the
Advanced Settings tab, as shown in Figure 1-176.
b. Set Enable the CNA bypass function for iOS terminals in Others to
ON.
c. Click Apply.
d. In the dialog box that is displayed, click OK.
----End
Procedure
Step 1 Choose Configuration > Security Services > AAA and click the Free Mobility tab.
Step 2 Set Free mobility status to ON to open the Free Mobility page, as shown in
Figure 1-177.
Item Description
----End
Procedure
● Physical Interface Authentication
a. Choose Configuration > Security Services > AAA Service App and click
the Wired Interface Authentication tab, as shown in Figure 1-178.
b. Select an interface.
c. Select an authentication profile from Authentication profile to bind to
an interface.
d. Click Apply.
● VLAN Authentication
a. Choose Configuration > Security Services > AAA Service App and click
the Wired Interface Authentication tab, as shown in Figure 1-178.
Procedure
Step 1 Choose Configuration > Security Services > AAA Service App. Click the Wireless
Interface Authentication tab, as shown in Figure 1-179.
Context
You can configure 802.1X authentication to implement interface-based network
access control, that is, to authenticate and control users connected to an interface
of an access control device.
Procedure
● Create an 802.1X profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
802.1X Profile. The 802.1X Profile List page is displayed.
b. Click Create. The Create 802.1X Profile page is displayed.
c. Enter the name of the new 802.1X profile in Profile name.
d. Click OK. The parameter setting page for creating an 802.1X profile is
displayed, as shown in Figure 1-180.
Figure 1-180 The parameter setting page for creating an 802.1X profile
e. Set parameters for creating an 802.1X profile. Table 1-116 describes the
parameters for creating an 802.1X profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an 802.1X profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
802.1X Profile. The 802.1X Profile List page is displayed.
b. Click the 802.1X profile to modify. The 802.1X profile configuration page
is displayed.
c. Set parameters for modifying an 802.1X profile. Table 1-116 describes
the parameters for modifying an 802.1X profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an 802.1X profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
802.1X Profile. The 802.1X Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
802.1X Profile. The 802.1X Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
In Portal authentication, users do not need a specific client. The Portal server
provides users with free Portal services and a Portal authentication page.
Procedure
● Create a Portal profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > Portal
Profile. The Portal Profile List page is displayed.
b. Click Create. The Create Portal Profile page is displayed.
c. Enter the name of the new Portal profile in Profile name.
d. Click OK. The parameter setting page for creating a Portal profile is
displayed, as shown in Figure 1-181.
Figure 1-181 The parameter setting page for creating a Portal profile
e. Set parameters for creating a Portal profile. Table 1-117 describes the
parameters for creating a Portal profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a Portal profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > Portal
Profile. The Portal Profile List page is displayed.
b. Click the Portal profile to modify. The Portal profile configuration page is
displayed.
c. Set parameters for modifying a Portal profile. Table 1-117 describes the
parameters for modifying a Portal profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a Portal profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > Portal
Profile. The Portal Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Security Services > AAA Profile Mgmt > Portal
Profile. The Portal Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
MAC address authentication controls network access permissions of a user based
on the access interface and MAC address of the user. The user does not need to
install any client software. The user name and password are the MAC address of
the user device. After detecting the MAC address of a user for the first time, a
network device starts authenticating the user.
Procedure
● Create a MAC authentication profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > MAC
Authentication Profile. The MAC Authentication Profile List page is
displayed.
b. Click Create. The Create MAC Authentication Profile page is displayed.
c. Enter the name of the new MAC authentication profile in Profile name.
d. Click OK. The parameter setting page for creating a MAC authentication
profile is displayed, as shown in Figure 1-182.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a MAC authentication profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > MAC
Authentication Profile. The MAC Authentication Profile List page is
displayed.
b. Click the MAC authentication profile to modify. The MAC authentication
profile page is displayed.
c. Set parameters for modifying a MAC authentication profile. Table 1-118
describes the parameters for modifying a MAC authentication profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a MAC authentication profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > MAC
Authentication Profile. The MAC Authentication Profile List page is
displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Security Services > AAA Profile Mgmt > MAC
Authentication Profile. The MAC Authentication Profile List page is
displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Procedure
● Create an authentication-free rule profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication-free Rule Profile. The Authentication-free Rule Profile
List page is displayed.
b. Click the authentication-free rule profile default_free_rule. The
Authentication-free Rule page is displayed.
c. Click Create. The Create Authentication-free Rule page is displayed, as
shown in Figure 1-183.
Parameter Description
Source IP
If packets from Portal authentication users match the following
parameters under Source IP, Portal authentication users do not need
to pass authentication, and can access network resources configured
under Destination IP.
Destination IP
Network resource range that authentication-free users can access.
e. Click OK.
● Delete an authentication-free rule profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication-free Rule Profile > default_free_rule. The
Authentication-free Rule List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication-free Rule Profile. The Authentication-free Rule Profile
List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
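Because an authentication-free rule lets matching Portal users reach the configured destination range before they authenticate, the rule set deserves the same review as an ACL. The following added example (not part of the vendor guide) checks which rule would let a given source reach a given destination without authentication and flags rules whose destination range is broad or overlaps a protected subnet. The rule layout (one source CIDR and one destination CIDR per rule), the threshold, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FreeRule:
    """One authentication-free rule (hypothetical layout: CIDR strings)."""
    rule_id: int
    source: str
    destination: str

    @property
    def src_net(self):
        return ipaddress.ip_network(self.source)

    @property
    def dst_net(self):
        return ipaddress.ip_network(self.destination)


def reachable_without_auth(rules, src_ip, dst_ip):
    """Return the ID of the first rule that lets src_ip reach dst_ip
    before authentication, or None if no rule matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src_net and dst in rule.dst_net:
            return rule.rule_id
    return None


def audit(rules, protected, max_destinations=16):
    """Flag rules that open more than `max_destinations` addresses or that
    overlap a subnet listed in `protected`."""
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    findings = []
    for rule in rules:
        if rule.dst_net.num_addresses > max_destinations:
            findings.append((rule.rule_id, "broad-destination", str(rule.dst_net)))
        for net in protected_nets:
            if rule.dst_net.overlaps(net):
                findings.append((rule.rule_id, "exposes-protected", str(net)))
    return findings


# Constructed sample data: rule 1 opens only a single host (for example the
# Portal page itself); rule 2 opens an entire /8 to unauthenticated users.
RULES = [
    FreeRule(1, "0.0.0.0/0", "192.0.2.10/32"),
    FreeRule(2, "10.20.0.0/16", "10.0.0.0/8"),
]
PROTECTED = ["10.0.5.0/24"]          # constructed management subnet

if __name__ == "__main__":
    print(reachable_without_auth(RULES, "10.20.1.7", "10.0.5.20"))
    for finding in audit(RULES, PROTECTED):
        print(finding)
```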
Context
The created authentication and authorization schemes take effect only after being
applied to a domain.
Procedure
● Create a domain profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Domain Profile. The Domain Profile List page is displayed.
b. Click Create. The Create Domain Profile page is displayed.
c. Enter the name of the new domain profile in Profile name.
d. Click OK. The parameter setting page for creating a domain profile is
displayed, as shown in Figure 1-184.
Figure 1-184 The parameter setting page for creating a domain profile
e. Set parameters for creating a domain profile. Table 1-120 describes the
parameters for creating a domain profile.
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a domain profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Domain Profile. The Domain Profile List page is displayed.
b. Click the domain profile to modify. The domain profile page is displayed.
c. Set parameters for modifying a domain profile. Table 1-120 describes the
parameters for modifying a domain profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a domain profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Domain Profile. The Domain Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
Domain Profile. The Domain Profile List page is displayed.
b. Select the profile whose reference relationship you want to display
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
1.4.6.1 AC
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the basic AC attributes are configured.
Procedure
Step 1 Choose Configuration > Fast WLAN Config > AC. The AC quick configuration
page is displayed.
NOTE
Enter the VLAN ID, click , and specify a mode (Tagged or Untagged) in the displayed
window.
3. Click OK.
4. Click Next.
Step 3 Configure a virtual interface.
1. Click Create on the 2. Configure Virtual Interface page.
3. Click OK.
4. Click Next.
Step 4 Configure a DHCP address pool.
1. Click Create on the 3. Configure DHCP page.
Address pool type: DHCP address pool type (global address pool/interface
address pool).
Address pool name: Name of the global address pool. The name is a string of
1 to 64 characters, including only numbers, letters, dots (.), hyphens (-),
and underscores (_). A single hyphen (-) or multiple hyphens (--) alone
cannot be used as an address pool name.
Address pool interface: Interface that can use addresses in the address pool.
Users going online through this interface can obtain configuration
information, such as IP addresses, from the global address pool.
– To add an interface, select an interface and click
. To add multiple interfaces, repeat this
operation.
– To delete an interface, select an interface and click
.
NOTE
Gateway IP and Not allocated IP must be in the address pool. To ensure correct
configuration, the Subnet address and Subnet mask parameters of the global address
pool and the Select Interface parameter of the interface address pool can be modified or
selected only when Gateway IP and Not allocated IP are not configured.
3. Click OK.
4. Click Next.
2. Click Next.
Step 6 Check and confirm the settings on the 5. Confirm Settings page and click Finish.
----End
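The address pool rules in Step 4 (the naming rule, and Gateway IP and Not allocated IP having to lie inside the pool) can be checked against a planned configuration before it is entered in the wizard. The following is an added example, not part of the original guide; the function names and sample values are hypothetical, and rejecting the network and broadcast addresses is an assumption.

```python
import ipaddress
import re

# Naming rule from the guide: 1 to 64 characters, only numbers, letters,
# dots (.), hyphens (-) and underscores (_).
_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def _check_member(label, value, network, problems):
    """Record a problem if value is not a usable address inside network."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        problems.append(f"{label} {value}: not a valid IPv4 address")
        return
    if addr not in network:
        problems.append(f"{label} {value}: outside {network}")
    elif network.prefixlen < 31 and addr in (
        network.network_address,
        network.broadcast_address,
    ):
        # Assumption (not stated in the guide): the network and broadcast
        # addresses are not usable even though they fall inside the subnet.
        problems.append(f"{label} {value}: network or broadcast address")


def check_pool(name, subnet, mask, gateway, not_allocated=()):
    """Return a list of problems found in a planned global address pool."""
    problems = []

    if not _NAME_RE.fullmatch(name):
        problems.append(
            "name: must be 1 to 64 characters from letters, numbers, '.', '-', '_'"
        )
    elif set(name) == {"-"}:
        # "A single hyphen (-) or multiple hyphens (--) alone cannot be used."
        problems.append("name: hyphens alone cannot be used")

    try:
        # strict=True rejects a subnet address that has host bits set.
        network = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=True)
    except ValueError as exc:
        problems.append(f"subnet: {exc}")
        return problems  # membership checks are meaningless without a subnet

    _check_member("gateway", gateway, network, problems)
    for value in not_allocated:
        _check_member("not-allocated", value, network, problems)
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real device.
    for issue in check_pool(
        "--", "192.168.10.0", "255.255.255.0", "192.168.20.1", ["192.168.10.255"]
    ):
        print(issue)
```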
1.4.6.2 AP
● Create an AP group.
a. Choose Configuration > Fast WLAN Config > AP.
b. Click Create in AP Group List.
c. Enter the name of the AP group in the displayed window, then click OK.
● Delete an AP group.
a. Choose Configuration > Fast WLAN Config > AP.
b. Select the AP group that you want to delete in AP Group List, and click
Delete.
c. Click OK in the displayed window.
● View AP configuration in an AP group.
a. Choose Configuration > Fast WLAN Config > AP.
b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.
Context
This section describes how to create an SSID as well as how to add a VAP to and
delete a VAP from an AP group.
Procedure
● Set the country code for an AP group.
a. Choose Configuration > Fast WLAN Config > AP. Select a desired AP
group in AP Group List and click the Service Settings tab.
b. Select the target country or area in the Country code drop-down list box,
and click Apply.
● Create an SSID in an AP group.
a. Choose Configuration > Fast WLAN Config > AP. Select a desired AP
group in AP Group List and click the Service Settings tab.
b. Click Create and configure SSID parameters in the displayed window. For
description of the parameters, see Table 1-126, Table 1-127, and Table
1-128.
c. Click OK.
● Add an SSID to an AP group.
a. Choose Configuration > Fast WLAN Config > AP. Select a desired AP
group in AP Group List and click the Service Settings tab.
b. Click Add. Configure SSID parameters in the displayed window. For
description of the parameters, see Table 1-129.
1.4.6.2.2 AP List
Context
In the AP list, you can add APs to or delete APs from AP groups.
Procedure
● Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an
AP group.
a. Choose Configuration > Fast WLAN Config > AP. In AP Group List,
select the AP group to which you want to add APs, then click the AP List
tab.
b. Click Add. On the page that is displayed, set Mode to Select existing
APs.
1.4.6.3 Mesh
● Create an AP group.
a. Choose Configuration > Fast WLAN Config > Mesh.
b. Click Create in AP Group List.
c. Enter the name of the AP group in the displayed window, then click OK.
● Delete an AP group.
a. Choose Configuration > Fast WLAN Config > Mesh.
b. Select the AP group that you want to delete in AP Group List, and click
Delete.
c. Click OK in the displayed window.
● View AP configuration in an AP group.
a. Choose Configuration > Fast WLAN Config > Mesh.
b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.
Context
This section describes how to configure Mesh parameters for all APs in an AP group.
Procedure
Step 1 Choose Configuration > Fast WLAN Config > Mesh. In AP Group List, select an
AP group, then click the Service Settings tab.
Step 2 Configure Mesh parameters for all APs in the AP group. For description of the
parameters, see Table 1-132.
Security policy: Security policy in the Mesh profile. Currently, the Mesh
profile supports only the security policy WPA2+PSK+AES.
Confirm key: Indicates the confirm key. The format is the same as that of
key.
3. Click OK.
----End
1.4.6.3.2 AP List
Context
In the AP list, you can add APs to or delete APs from AP groups.
Procedure
● Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an
AP group.
a. Choose Configuration > Fast WLAN Config > Mesh. In AP Group List,
select the AP group to which you want to add APs, then click the AP List
tab.
b. Click Add. On the page that is displayed, set Mode to Select existing
APs.
c. Select APs that you want to add to the AP group from the list below, and
click OK.
● Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to
an AP group.
a. Choose Configuration > Fast WLAN Config > Mesh. In AP Group List,
select the AP group to which you want to add APs, then click the AP List
tab.
b. Click Add. On the page that is displayed, set Mode to Manually add.
----End
1.4.7.1 AC Config
1.4.7.1.1 AC Configuration
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the AC basic parameters are configured.
Procedure
Step 1 Choose Configuration > Wireless Services > AC Config > AC Configuration. The
AC Configuration page is displayed.
Step 2 Configure AC basic parameters. The following table describes the AC basic
parameters.
Step 3 Click Apply. The info dialog box is displayed. Click OK.
----End
Procedure
● Configure manual calibration.
a. Choose Configuration > Wireless Services > AC Config > Radio
Calibration. The Radio Calibration page is displayed.
b. Set Calibration mode to Manual.
d. Click Apply. In the Info dialog box that is displayed, click OK.
e. Click Start to trigger the calibration.
● Configure automatic calibration.
a. Choose Configuration > Wireless Services > AC Config > Radio
Calibration. The Radio Calibration page is displayed.
b. Set Calibrate mode to Auto and specify Calibration interval(min) and
Start time. You can also click Start to trigger the calibration.
----End
1.4.7.2 AP Group
1.4.7.2.1 AP Group
Context
The AP group function is used to configure multiple APs in batches. When multiple
APs managed by an AC require the same configurations, you can add these APs to
one AP group and configure the AP group to complete AP configuration.
NOTE
For details about configurations of each profile bound to an AP group, see 1.8 Profile
(S5720HI).
Procedure
● Create an AP group.
a. Choose Configuration > Wireless Services > AP Group > AP Group. The
AP Group page is displayed.
b. Click Create. Set the parameters in Table 1-138.
c. Click OK.
● Delete an AP group.
a. Choose Configuration > Wireless Services > AP Group > AP Group. The
AP Group page is displayed.
b. Select the AP group that you want to delete and click Delete.
c. Click OK.
● Bind profiles to the AP group.
a. Choose Configuration > Wireless Services > AP Group > AP Group. The
AP Group page is displayed.
b. Click an AP group name. On the AP group configuration page that is
displayed, you can see the configurations of the AP group. See 1.8 Profile
(S5720HI) for descriptions of the configuration profiles and Table 1-139
for details about the configuration parameters.
c. Click Apply.
● Configure radios.
a. Choose Configuration > Wireless Services > AP Group > AP Group. The
AP Group page is displayed.
b. Click an AP group name. The AP group configuration page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click
Radio 0, Radio 1, or Radio 2. The radio configuration page is displayed.
For detailed parameters, see Table 1-140.
d. Click Apply.
----End
Context
The load balancing function applies to scenarios where there is a high degree of
overlap between APs' coverage ranges. If APs engaged in load balancing are far
from each other, a STA may connect to a distant AP, which degrades the wireless
experience of users.
When the load difference between APs reaches the load difference threshold,
some STAs may access the network slowly because the APs will reject access
requests of STAs according to the load balancing algorithm. If a STA continues
sending association requests to an AP, the AP allows the STA to associate when
the number of consecutive association attempts of the STA exceeds the maximum
number of rejection times.
In static load balancing mode, APs providing the same services are manually
added to a load balancing group. When a STA needs to access a WLAN, it sends
an Association Request packet to an AC through an AP. The AC determines
whether to permit access from the STA according to a load balancing algorithm.
The implementation of static load balancing must meet the following conditions.
● If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band.
● Each load balancing group supports a maximum of 16 AP radios.
● Under the agile distributed network architecture composed of the central AP
and RUs, you only need to add radios of the RUs to a static load balancing
group.
Procedure
● Create a static load balancing group.
a. Choose Configuration > Wireless Services > AP Group > Static Load
Balancing Group. The Static Load Balancing Group page is displayed.
b. Click Create. Set the parameters in Table 1-141.
c. Click OK.
● Modify a static load balancing group.
a. Choose Configuration > Wireless Services > AP Group > Static Load
Balancing Group. The Static Load Balancing Group page is displayed.
b. Click the static load balancing group name, find the desired static load
balancing group on the displayed page, and modify parameters.
c. Click OK.
● Delete a static load balancing group.
a. Choose Configuration > Wireless Services > AP Group > Static Load
Balancing Group. The Static Load Balancing Group page is displayed.
b. Select the static load balancing group and click Delete.
c. Click OK.
NOTE
Click Refresh to refresh the displayed static load balancing group information.
----End
1.4.7.3 AP Config
1.4.7.3.1 AP Info
Context
You can view AP information and configure APs on the AP Info page.
Procedure
● Manually add an AP.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Click Create. Set Creation mode to Manually add on the page that is
displayed.
c. Set parameters for the AP. Table 1-142 describes the parameters for
manually adding an AP.
d. Click OK.
● Import AP information from a template.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Click Create. Set Creation mode to Batch import on the page that is
displayed.
c. Set the parameters on the page that is displayed. Table 1-144 describes
the parameters for deploying an AP.
AP ID: AP ID.
AP Group: AP Group.
IP Address Mask: Subnet mask for the AP. This parameter is valid only when
IP Obtaining Mode is set to Static.
Status: AP status.
d. Click OK.
e. In the Warning dialog box that is displayed, click OK.
● Delete an AP.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Select an AP and click Delete.
c. Click OK in the confirm dialog box that is displayed.
● Add an AP to the blacklist.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Select an AP and click Add to Blacklist.
● Manage unauthorized APs.
If AP authentication mode is set to MAC address authentication or SN
authentication (configured in 1.4.7.1.1 AC Configuration) for an AC, APs that
are in neither the whitelist nor the blacklist of the AC are added to
Non-authorized AP List. You can add these APs to the whitelist or blacklist.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
c. Click Apply.
● Configure radios.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Click an AP ID. The AP Customized Settings page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click
Radio 0, Radio 1, or Radio 2. The radio configuration page is displayed.
For detailed parameters, see Table 1-146.
d. Click Apply.
----End
1.4.7.3.2 AP Whitelist
Context
If AP authentication mode is set to MAC address authentication or SN
authentication (configured in 1.4.7.1.1 AC Configuration) for an AC, APs that
are in neither the whitelist nor the blacklist of the AC are added to
Non-authorized AP List. You can add the MAC addresses or SNs of these APs to
the whitelist.
Procedure
● Add AP MAC addresses to the AP whitelist.
a. Choose Configuration > Wireless Services > AP Config > AP Whitelist.
The AP Whitelist page is displayed.
b. In the MAC Whitelist area, click Create to add AP MAC addresses to the
whitelist.
ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.
ii. Click to download the AP template to your local host. Edit the
template and save it.
----End
1.4.7.3.3 AP Blacklist
Context
If AP authentication is set to MAC address authentication (configured in
1.4.7.1.1 AC Configuration) for an AC, APs that are in neither the whitelist
nor the blacklist of the AC are added to Non-authorized AP List. You can add
the MAC addresses of these APs to the blacklist.
Procedure
● Add AP MAC addresses to the AP blacklist.
a. Choose Configuration > Wireless Services > AP Config > AP Blacklist.
The AP Blacklist page is displayed.
b. Click Create to add AP MAC addresses to the blacklist.
ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.
ii. Click to download the AP template to your local host. Edit the
template and save it.
----End
1.4.7.4 Profile
For details, see 1.8 Profile (S5720HI).
1.5 Diagnosis
This section describes the maintenance and diagnostic commands.
Context
When a fault occurs on a WLAN, you can use the Intelligent Diagnosis function to
diagnose WLAN devices and the network and rectify the fault accordingly. For
faults that you cannot rectify by yourself, export the diagnosis information and
logs, then contact technical support personnel.
Procedure
● Configure diagnosis parameters for WLAN users.
a. Choose Diagnosis > Intelligent Diagnosis. The Intelligent Diagnosis
page is displayed.
b. Click the Wireless user, AP, or LSW icon, choose the object to diagnose,
and configure diagnosis parameters on the page that is displayed. For
description of the parameters, see Table 1-147.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > One-Click Information Collection to
access the One-Click Information Collection page, as shown in Figure 1-185.
Step 2 Click One-Click Collection. The system displays a message, asking you whether to
continue, as shown in Figure 1-186. Click OK.
Step 3 After information collection is complete, the system displays a message, indicating
that the operation is successful. Click OK and click the icon to download the
file.
----End
Context
The Wireless Packet Capturing function obtains packets on air ports, but not
packets on the wired side. Analyzing the obtained packets helps locate and
troubleshoot faults. The following packets can be obtained:
● All packets sent from the local AP and packets with the destination (BSSID) as
the local AP
● All 802.11 protocol packets sent from other APs/STAs or with the destination
(BSSID) as other APs/STAs, except the ARP, DHCP, and EAPOL packets
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Wireless Packet Capturing. The Wireless
Packet Capturing page is displayed.
b. Set the parameters on the Create Filter Rule page that is displayed. For
description of the parameters, see Table 1-149.
c. Click OK.
----End
Follow-up Procedure
● To stop a packet capturing task, select a record in the packet capturing task
list, then click Stop.
● If Saving mode is set to Save locally, you can select a record in the packet
capturing task list and click Upload File to upload the saved file to the server.
1.5.2.3 Ping
The ping command is used to check network connectivity and host reachability.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Ping to access the Ping page, as shown in
Figure 1-187.
Step 2 Enter the IP address in the Ping text box and click Start. The network connection
information is displayed.
NOTE
If no response packets are received within the timeout interval, the following information is
displayed: Request time out. This message indicates that a link is faulty.
----End
Context
The Tracert command, also called Trace Route, helps you check the IP addresses
and the number of gateways between the source and the destination. Tracert is
used to check network connectivity and locate network faults.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Trace Route to access the Trace Route
page, as shown in Figure 1-188.
Step 2 Enter the IP address in the Trace Route text box and click Start. The Layer 3
devices that packets pass through between the source host and the destination
host are displayed.
NOTE
● The output of the tracert command includes IP addresses of all the gateways through
which the packet reaches the destination. If one gateway sends back a packet indicating
TTL timeout, * is displayed.
● The tracert test may take a long time.
----End
Context
The AAA test tool checks whether a specified user can pass the RADIUS
authentication.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > AAA Test to access the AAA Test page, as
shown in Figure 1-189.
Step 2 Enter parameters such as the RADIUS server profile, authentication mode, user
name, and password. For parameter information, see Table 1-150.
----End
Context
The RF-Ping tool checks the quality of the link between the AP and STA.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > RF-Ping. The RF-Ping page is displayed.
----End
Context
Using the AP-Ping tool, you can check connectivity between an AP and a network
device.
After an AP-Ping operation is complete, the AP-Ping result is displayed on the AP-
Ping page.
NOTE
Before you use the AP-Ping tool, ensure that the AP is properly online and has an IP address
configured.
This node is only available in the NAC unified mode.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > AP-Ping. The AP-Ping page is displayed.
Step 2 Set AP-Ping parameters. For description of the parameters, see Table 1-151.
----End
1.6 Maintenance
This section describes common device maintenance.
1.6.1.1 License
This section describes the functions of loading license files and displaying license
status.
Context
You need to activate licenses in either of the following situations:
● You have purchased a new device and need to purchase a license to obtain
permissions on related functions.
● A license file is already loaded on the device and a new feature is required,
so you need to apply for a new license file, and upgrade and load the license file.
Procedure
Step 1 Choose Maintenance > System Maintenance > License to access the License
page, as shown in Figure 1-190.
Step 2 Click in Load License and select the license file to be uploaded.
----End
Context
After you specify the system software, configuration file, and patch file for next
startup, you must restart the device to make the files take effect. The web system
provides two restart modes: immediate restart and timed restart. After you restart
a device, services will be interrupted; therefore, you need to restart the device
when the device is idle. If the device is idle currently, restart the device
immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.
NOTICE
You are advised to save the current configuration before you restart a device.
Otherwise, the configuration may be lost.
The system software and configuration file are for reference only. The actual
output information may differ from the preceding information.
Procedure
Step 1 Choose Maintenance > System Maintenance > Restart to access the Restart
page, as shown in Figure 1-191.
Step 2 In the Current System Info section, click Export Configuration File to save the
current configuration file locally and prevent configuration loss resulting from the
restart.
Step 3 In the Reboot Settings section, select the file to be used for the next startup from
the drop-down list box and click Apply to save the configuration.
Step 4 In the Reboot Mode section, select a restart mode and click Apply. If you select
Immediate, a message is displayed, asking whether you want to save the
configuration. After you click Yes, the device restarts immediately and terminates
the web connection. If you select Scheduled, enter a specific restart time. The
device will restart at the specified time.
----End
Context
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
After you specify the system software, configuration file, and patch file for next
startup, you must restart the device to make the files take effect. The web system
provides two restart modes: immediate restart and scheduled restart. After you
restart a device, services will be interrupted; therefore, you need to restart the
device when the device is idle. If the device is idle currently, restart the device
immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.
NOTICE
You are advised to save the current configuration before you restart a device.
Otherwise, the configuration may be lost.
The system software and configuration file are for reference only. The actual
output information may differ from the preceding information.
Procedure
● Restart the parent.
a. Choose Maintenance > System Maintenance > Reboot and click the
Parent Reboot tab, as shown in Figure 1-192.
d. In the Reboot Mode section, select a restart mode and click Apply. If you
select Immediate, a message is displayed, asking whether you want to
save the configuration. After you click Yes, the device restarts
immediately and terminates the web connection. If you select Scheduled,
enter a specific restart time. The device will restart at the specified time.
● Restart an AS.
a. Choose Maintenance > System Maintenance > Reboot and click the AS
Reboot tab, as shown in Figure 1-193.
----End
Context
To upgrade the system software of a device, you need to upload upgrade files to
the device, specify files for next startup, and restart the device to make the
upgrade files take effect. The web system allows you to upgrade the system
software on the GUI, simplifying the upgrade operations and improving efficiency.
NOTICE
● Ensure that the configurations are saved before you upgrade the system
software.
● Do not power off the device during the upgrade.
● It takes a long time to upload system software to the device; therefore, before
upgrading the system software, choose Maintenance > System Maintenance
> System > System Info and set HTTP timeout interval (min) to 60 minutes.
● The system software and configuration file are for reference only. The actual
output information may differ from the preceding information.
Procedure
Step 1 Choose Maintenance > System Maintenance > Upgrade to access the Upgrade
page, as shown in Figure 1-194.
----End
Context
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
To upgrade the system software of a device, you need to upload upgrade files to
the device, specify files for next startup, and restart the device to make the
upgrade files take effect. The web system allows you to upgrade the system
software on the GUI, simplifying the upgrade operations and improving efficiency.
NOTICE
● Ensure that the configurations are saved before you upgrade the system
software.
● Do not power off the device during the upgrade.
● It takes a long time to upload system software to the device; therefore, before
upgrading the system software, choose Maintenance > System Maintenance
> System > System Info and set HTTP timeout interval (min) to 60 minutes.
● The system software and configuration file are for reference only. The actual
output information may differ from the preceding information.
Procedure
● Prepare for a parent upgrade.
a. Choose Maintenance > System Maintenance > Upgrade and click the
Parent Upgrade Preparations tab, as shown in Figure 1-195.
Upload the Upgrade File to the Parent: Allows you to select the upgrade file
to be uploaded. You can upload the locally stored upgrade file to the parent.
Configure the FTP Account Used to Load the Upgrade File on the AS: Configures
the FTP account and password.
Load the Parent's Upgrade File to the AS: Allows you to select the required
upgrade file and patch file based on the AS type. To load files of the parent
to the AS or unload files from the AS, click Load or Uninstall.
b. Select the device to be upgraded and click Upgrade. Click Save and
Restart in the displayed dialog box.
The device will restart automatically for the upgrade.
----End
Context
There are two types of patches: cold patch and hot patch. A cold patch takes
effect only after the switch restarts and a hot patch takes effect immediately after
it is loaded to the switch.
● A patch is a kind of software compatible with the system software. It is used
to fix critical bugs in the system software. The file name extension of a
patch file is .pat.
● Before loading patches, you need to save patch files to the storage device of
the switch. Patch files are uploaded to the switch using HTTP.
● After a patch is uninstalled, delete the patch from the memory.
Procedure
Step 1 Choose Maintenance > System Maintenance > Patch to access the Patch page,
as shown in Figure 1-198.
Step 2 Click to select the patch file to be uploaded and click Upload.
Step 3 Select the patch file to be loaded and click Load. The system will display the
currently loaded patch file in Patch Info.
----End
Context
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
There are two types of patches: cold patch and hot patch. A cold patch takes
effect only after the switch restarts and a hot patch takes effect immediately after
it is loaded to the switch.
Procedure
● Manage patches of the parent.
a. Choose Maintenance > System Maintenance > Patch and click the
Parent Patch Management tab, as shown in Figure 1-199.
Upload the Parent Patch: Allows you to select the patch file to be uploaded.
Upload the Patch File to the Parent: Allows you to select the patch file to
be uploaded. You can upload the locally stored patch file to the parent.
Configure the FTP Account Used to Load the Patch File on the AS: Configures
the FTP account and password.
Load the Parent's Patch File to the AS: Allows you to select the required
patch file based on the AS type. To load files of the parent to the AS or
unload files from the AS, click Load or Uninstall.
Context
Software upgrades can add new functions and services. However, software
upgrades are complex and may affect services. To address these problems, you can
use the plug-in management function to load the specified modules. This
implements online service or function loading.
Procedure
Step 1 Choose Maintenance > System Maintenance > Plug-in Management to access
the Plug-in Management page, as shown in Figure 1-201.
Step 4 After the plug-in file is loaded, view the status of the loaded plug-in file in
the Plug-in Status list.
To uninstall a plug-in file, click Unload for the corresponding plug-in file, or click
Unload All to uninstall all plug-in files.
----End
Context
The log management function records user actions, helps monitor system security,
and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log to access the Log page, as
shown in Figure 1-202.
----End
Context
The log management function records user actions, helps monitor system security,
and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log and click the View Log tab,
as shown in Figure 1-203.
----End
Context
After configuring the device to output logs to a log host, you can view logs saved
on the log host to monitor device running status.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log and click the Set Parameters
tab, as shown in Figure 1-204.
Step 3 Click New and enter the log host IP address in the displayed dialog box.
----End
1.6.1.11 Alarm
Context
The alarm management function records user actions, helps monitor system
security, and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Alarm to access the Alarm page,
as shown in Figure 1-205.
Step 4 Click How to Obtain the Alarm Reference to check how to obtain the Alarm
Reference.
----End
1.6.1.12 Administrator
This chapter describes how to manage web users and password policies.
1.6.1.12.1 Administrator
You can create and maintain a database on the switch to manage web platform
users.
Context
User management includes creating a local user account (web platform user with
the access type HTTP) and modifying or deleting existing user accounts.
By default, a local user named admin exists in the system. The user access type is
HTTP.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
NOTE
Security risks exist if the user access type is set to Telnet, FTP or HTTP. You are advised to
configure the required access modes only.
A simple password brings security risks. It is recommended that you change the password to a
complicated one after logging in to the web network management system using the default
account. A password should consist of at least 8 characters and contain at least two of
the following types: lowercase letters, uppercase letters, numerals, and special characters
(such as ! $ # %). The password cannot contain spaces or single quotation marks ('). In
addition, the password cannot be the same as the user name or the mirror user name.
If the password configured during local user creation or modification is the same as the
default password, a security risk exists. To ensure device security, change the password
periodically.
The user list includes information about the users whose user types are FTP, HTTP, SSH, Telnet,
Terminal, or x25-pad. The access type of a created user can be FTP, HTTP, SSH, Telnet, Terminal,
or x25-pad.
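The password rules in the NOTE above can be checked before an account is created or changed. The following Python code is an added example, not code from the switch or the vendor. The full set of special characters, the reading of "mirror user name" as the user name reversed, the sample accounts, and the default-password placeholder are assumptions.

```python
import string

# Characters counted as "special": ASCII punctuation minus the single quote,
# which the guide forbids. The guide only lists "! $ # %" as examples, so the
# full set used here is an assumption.
SPECIAL = set(string.punctuation) - {"'"}


def character_classes(password):
    """Return which of the four character types named in the guide appear."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("numeral")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def password_violations(password, username, default_password=None):
    """List every rule from the NOTE that the candidate password breaks.

    default_password is supplied by the caller from the vendor's default
    credentials document; it is deliberately not hard-coded here.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(character_classes(password)) < 2:
        problems.append("fewer than two character types")
    if " " in password:
        problems.append("contains a space")
    if "'" in password:
        problems.append("contains a single quotation mark")
    if password == username:
        problems.append("same as the user name")
    # Assumption: "mirror user name" means the user name reversed.
    elif password == username[::-1]:
        problems.append("same as the mirror user name")
    if default_password is not None and password == default_password:
        problems.append("same as the default password")
    return problems


def audit_accounts(accounts, default_password=None):
    """Map each failing user name to its violations; compliant users are omitted."""
    report = {}
    for username, password in accounts:
        problems = password_violations(password, username, default_password)
        if problems:
            report[username] = problems
    return report


# Constructed sample accounts (not real credentials).
DEFAULT_PLACEHOLDER = "CHANGE-ME-default-1"  # placeholder, not the vendor default
SAMPLE_ACCOUNTS = [
    ("ops", "Sw1tch#Room42"),
    ("netadmin1", "1nimdaten"),
    ("monitor", "password"),
    ("audit", "it's ok 1"),
    ("backup", DEFAULT_PLACEHOLDER),
]

if __name__ == "__main__":
    findings = audit_accounts(SAMPLE_ACCOUNTS, DEFAULT_PLACEHOLDER)
    for user, problems in findings.items():
        print(f"{user}: {', '.join(problems)}")
```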
Procedure
● Create a user account.
a. Choose Maintenance > System Maintenance > Administrator and click
the Administrator tab, as shown in Figure 1-206.
b. Click Create to display the Create User page, as shown in Figure 1-207.
Parameter Description
NOTE
● Table 1-162 describes the parameters for modifying user information. After the
user attribute is changed, the user level is 3 for a management-level user and 1
for a monitoring-level user.
● After you modify the user attribute, you need to log out and then log in again to
make the modification take effect.
● The user name is fixed and cannot be changed.
c. Set the parameters.
d. Click OK.
● Delete a user account.
a. Choose Maintenance > System Maintenance > Administrator and click
the Administrator tab.
b. Select the user account to be deleted and click Delete.
c. Click OK in the dialog box that is displayed.
----End
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator and click the
Password Policy tab, as shown in Figure 1-209.
Item Description
----End
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator and click the
Online Administrator Management tab, as shown in Figure 1-210.
Step 2 Select one or multiple users and click Forcible Logout to force the user or users to
go offline.
----End
1.6.1.13 System
This chapter describes switch system management, including file management,
system time, system information, and restoring factory settings.
Context
The web system provides file management functions to facilitate user operations.
Figure 1-211 shows the File Management page.
NOTE
When a switch is in SVF mode, it cannot manage files on the AS in independent mode.
Procedure
● Upload files.
You can upload local files to a switch.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Click Upload.
c. Select local files to be uploaded and click OK. After the files are
uploaded, the system displays a message indicating the successful
upload.
NOTE
● You cannot upload a file with the same name as files in File Management.
● You can only upload files with the following file name
extensions: .cc, .pat, .zip, .7z, .txt, .log, .dblg, .cfg, .dat, .bat, .jpg,
.jpeg, .png, .pem, .p12, .cer, .bin, .mod, and .xml.
● If the security level of the EasyOperation web browser is too high, the
message "The security level of the browser is too high" may be displayed
when you attempt to upload a file, as shown in Figure 1-212. In this case,
choose Internet Options > Security, and click Custom level. In the displayed
dialog box, set Initialize and script ActiveX controls not marked as safe for
scripting and Include local directory path when uploading files to a server
to Enable, as shown in Figure 1-213 and Figure 1-214.
Figure 1-213 Enabling "Initialize and script ActiveX controls not marked
as safe for scripting"
Figure 1-214 Enabling "Include local directory path when uploading files
to a server"
● Download files.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Click next to a file and select the path for saving the file to download
the file.
NOTE
You can only download files with the following file name
extensions: .cc, .pat, .zip, .7z, .txt, .log, .dblg, .cfg, .dat, .bat, .jpg,
.jpeg, .png, .pem, .p12, .cer, .bin, .mod, and .xml.
● Move files to the recycle bin.
After files are moved to the recycle bin, they still exist on the switch. You can
restore the files in the recycle bin.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Select the file to be deleted.
c. Click Delete.
d. Click OK in the dialog box that is displayed.
● Delete files permanently.
You can permanently delete files from the switch.
NOTICE
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Select the file to be deleted.
c. Click Delete Permanently.
d. Click OK in the dialog box that is displayed.
● Restore files.
You can restore the files in the recycle bin to the storage device.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Select the file to be restored.
c. Click Restore File to restore the file. The file will be removed from the
recycle bin.
● Delete files from the recycle bin.
The files in the recycle bin still occupy storage space. You can delete useless
files permanently from the recycle bin to save the storage space.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Select the file to be deleted permanently.
c. Click Delete Permanently.
d. Click OK in the dialog box that is displayed.
----End
Procedure
Step 1 Choose Maintenance > System Maintenance > System and click the System
Time tab to display the current system time, as shown in Figure 1-215.
----End
Context
Generally, the daylight saving time (DST) is configured in the summer, and the
DST ranges from one day to one year. Therefore, the end time of daylight saving
time must be more than one day but less than one year later than the start time.
To ensure effective communication between the switch and other devices, set the
system time correctly.
Procedure
● Time Zone Settings
a. Choose Maintenance > System Maintenance > System and click the
System Time tab, as shown in Figure 1-216.
b. Select a time zone from Select time zone and set DST to ON, as shown
in Figure 1-217.
Parameter Description
The following parameters are valid only when DST Type is set to Absolute.
The following parameters are valid only when DST Type is set to Timely.
Start and end years: Specifies the start and end years of a periodic DST.
Choose Maintenance > System Maintenance > System and click the System
Time tab, as shown in Figure 1-216.
– Automatic synchronization
i. Click Auto.
ii. Set NTP server IP address and click Add to specify a remote NTP
server.
iii. Click Apply to complete the configuration.
– Manual setting
i. Click Manual.
ii. Set Date and Time.
iii. Click Apply to complete the configuration.
The new date and time are displayed.
▪ If the new time is 10 minutes later or 720 hours earlier than the
scheduled reboot time, the system will display a message as shown
in Figure 1-218, asking whether you want to disable the scheduled
restart function.
----End
Context
NOTE
Procedure
Step 1 Choose Maintenance > System Maintenance > System and click the System
Info tab, as shown in Figure 1-220.
Item Description
----End
1.6.1.13.5 Initialization
You can restore the factory settings of a switch on this page.
Context
If improper configurations have been performed on the switch, you can restore the
factory settings of the switch.
NOTICE
After you restore the factory settings of the switch, all the configurations that you
have made on the switch will be deleted and cannot be restored. The original
management IP address becomes invalid and the web system is unavailable. Use a
serial cable to connect the console interface of the switch to your PC to
reconfigure the switch.
Procedure
● Restore the factory settings.
a. Choose Maintenance > System Maintenance > System and click the
Initialization tab, as shown in Figure 1-221.
b. Click Initialization.
c. Click OK in the dialog box that is displayed.
● Reset the Boot password.
a. Choose Maintenance > System Maintenance > System and click the
Initialization tab, as shown in Figure 1-221.
b. Click Reset Root Password to restore the BootLoad password or
BootROM password to default values.
c. Click OK in the dialog box that is displayed.
----End
1.6.1.14 SNMP
Simple Network Management Protocol (SNMP) is a standard network
management protocol widely used on TCP/IP networks. SNMP uses a central
computer (a network management station) that runs network management
software to manage network elements.
Context
SNMP agent is an agent program on the managed device. The SNMP agent
maintains information for the managed device, responds to the requests from the
NMS, and sends management data to the NMS. Before the NMS manages a
device through SNMP, the SNMP agent must be enabled on the device and a
proper SNMP version needs to be selected.
A web system supports SNMPv1, SNMPv2c and SNMPv3. The device and NMS
must use the same SNMP version.
NOTE
If a device is managed by multiple NMSs running different SNMP versions, all the SNMP
versions need to be set on the device so that the device can communicate with these NMSs.
Procedure
Step 1 Choose Maintenance > System Maintenance > SNMP and click the SNMP
Setting tab, as shown in Figure 1-222.
▪ MD5: HMAC-MD5-96
▪ SHA: HMAC-SHA-96
Parameter Description
▪ MD5: HMAC-MD5-96
▪ SHA: HMAC-SHA-96
▪ 3DES
▪ AES128
▪ AES192
▪ AES256
▪ DES56
----End
Context
NOTE
This page is displayed only when the SNMP agent status in SNMP Setting is set to OFF.
A trap is an alarm message sent from the managed device to the NMS to notify
administrators of the network faults. After receiving a trap from a managed
device, the NMS does not need to reply.
Procedure
● Configure trap.
a. Choose Maintenance > System Maintenance > SNMP and click the Trap
Setting tab, as shown in Figure 1-227.
Parameter Description
b. Set parameters.
c. Click Apply to complete the configuration.
● Configure the trap target host.
Create a trap target host.
a. Choose Maintenance > System Maintenance > SNMP and click the Trap
Setting tab.
Parameter Description
c. Set parameters.
d. Click OK. The configuration is complete.
Delete the trap target host.
a. Choose Maintenance > System Maintenance > SNMP and click the Trap
Setting tab.
b. Select the items that you want to delete in Destination host receiving
traps, or select all items.
c. Click Delete. The system asks you whether to delete the items.
d. Click OK. The configuration is complete.
----End
Procedure
Step 1 Choose Maintenance > System Maintenance > Electronic Label to access the
Electronic Label page, as shown in Figure 1-229.
----End
Context
AS interface information is displayed only in SVF mode.
Procedure
Step 1 Choose Maintenance > System Maintenance > AS Interface.
Step 2 Select the AS name and click Search to view AS interface information, as shown in
Figure 1-230.
Step 3 Select one or more interfaces as required and click Enable to enable these
interfaces or click Disable to disable these interfaces.
----End
Context
In cloud management mode, you can manage local certificates and CA certificates.
Procedure
Step 1 Choose Maintenance > System Maintenance > Certificate Mgmt to open the
Certificate Mgmt page, as shown in Figure 1-231.
Parameter Description
Step 4 Configure an encryption password, and click in Load a local certificate file
to select a local certificate file to be loaded.
Step 5 Check the CA certificate and local certificate in Current Certificate Information.
----End
Context
After the switch changes to the cloud management mode, it needs to register with
the cloud management platform for authentication. Before registration
authentication, the switch needs to obtain IP address or URL information of the
cloud management platform to communicate with the platform.
Procedure
● Configure the Controller's IP address.
a. Choose Maintenance > System Maintenance > Controller Mgmt to
open the Controller Management page.
b. Set Controller address format to IP, as shown in Figure 1-232.
----End
Context
NOTE
Menu Submenu
Upgrade
Patch
Log
Alarm
System
Electronic Label
Certificate Mgmt
Controller Mgmt
Procedure
Step 1 Choose Maintenance > System Maintenance > Device Working Mode to open
the Device Working Mode page, as shown in Figure 1-234.
----End
1.6.2.1 AP Upgrade
Context
You can upgrade a large number of APs on your network in batches on the
Upgrade Configuration page.
NOTE
The batch AP upgrade and single AP upgrade functions on the web system apply only to
online APs.
Procedure
● Set the upgrade mode.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
NOTE
The parameter settings in Upgrade Mode take effect for both batch AP upgrade and
single AP upgrade.
Parameter Description
c. Click OK.
d. Select AP type, AP group, and Upgrade mode, and click Apply. In the
Confirm dialog box that is displayed, click OK. The upgrade starts.
● Delete batch AP upgrade configurations.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. Under AP Upgrade Configuration List, select a batch AP upgrade
configuration item and click Delete. In the Confirm dialog box that is
displayed, click OK. The batch AP upgrade configuration is deleted.
● Upgrade a single AP.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. In Select AP of AP Upgrade, select the AP to be upgraded. Select the
upgrade file in Upgrade file and click Upgrade. In the Info dialog box
that is displayed, click OK.
----End
Context
By checking the AP upgrade status, you can track the AP upgrade progress.
Procedure
Step 1 Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade Status. The
Upgrade Status page is displayed.
Step 2 Check AP upgrade status on the Upgrade Status page. Table 1-180 describes the
AP upgrade status parameters.
Parameter Description
AP ID AP ID.
AP Name AP name.
Type AP type.
Step 3 Select the AP to be restarted and click Restart. In the Confirm dialog box that is
displayed, click OK.
----End
1.6.2.2 AP Restart
Procedure
● Restart an AP.
a. Choose Maintenance > AP Maintenance > AP Restart. The AP Restart
page is displayed.
b. Select the AP that you want to restart from the AP list and click Restart.
In the Confirm dialog box that is displayed, click OK to restart the AP.
To restart all the APs in the AP list, click Restart All. For descriptions
about the AP parameters, see Table 1-181.
Parameter Description
AP ID: ID of the AP.
----End
1.6.2.3 Log
Procedure
● View logs.
a. Choose Maintenance > AP Maintenance > Log. The Log page is
displayed.
AP ID: ID of the AP.
● Export logs.
a. Choose Maintenance > AP Maintenance > Log. The Log page is
displayed.
b. Click Export Logs.
c. In the View Log File dialog box that is displayed, select the logs that you
want to export and click OK.
If the operation is successful, the logs in the log buffer are saved to the
log file.
----End
1.6.2.4 Account
Context
Unauthorized users may use the default user name and password to log in to APs,
causing security risks. To prevent this problem, use the Account menu to change
the user name and password used to log in to APs.
The default username and password are available in WLAN Default Usernames
and Passwords (Enterprise Network or Carrier). If you do not have permission
to access the document, see Help on the website to find out how to obtain it.
Procedure
● Modify AP account information.
a. Choose Maintenance > AP Maintenance > Account. The Account page
is displayed.
b. Enter the new user name and password in Modify AP Account. Table
1-183 describes the parameters for modifying AP account information.
c. Click Apply.
The AP user name field then displays the new user name.
● Restore the default AP account settings.
a. Choose Maintenance > AP Maintenance > Account. The Account page
is displayed.
b. Click Restore Default Settings.
----End
1.7 Network
The EasyDeploy function simplifies network configuration and implements remote
deployment and centralized management of network devices.
To configure the EasyDeploy function, determine roles of devices first. After a
device is configured as the Commander, you can view client information, configure
and upgrade clients, and view power consumption of the device and the entire
network on the Commander.
NOTE
Table 1-184 lists the device models and versions that support the EasyDeploy
function.
1.7.1.1 Commander
You can configure global parameters for the Commander, including the role,
Commander IP address and port, file server, and default files to be downloaded.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Role Configuration in the navigation tree to display the Role Configuration
page.
Step 3 Click the Commander option button, as shown in Figure 1-235.
Port: If you keep this field blank, the default UDP port is used.
Aging time of offline clients: If you select ON, set an aging time.
If the Commander does not receive status information from a client in 2
minutes, the Commander considers the client offline. When the number of
clients managed by a Commander reaches the upper limit, new client
information cannot be added to the Commander. To release the space occupied
by offline clients in the client database, configure an aging time for
offline clients. When the aging time expires, the Commander deletes the
offline client.
File Server Configuration
Server type: Options are FTP, SFTP, and TFTP.
NOTE
FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on
networks that require high security.
User name: Set the user name used to log in to the file server.
Default File Settings
If you do not specify any file information, the default file information is
used.
System file name
Configuration file name
Patch file name
Web file name
License file name
User-defined file name
----End
1.7.1.2 Client
To enable the Commander to manage clients, specify the Commander IP address
and port number on the clients.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Role Configuration in the navigation tree to display the Role Configuration
page.
Step 3 Click the Client option button, as shown in Figure 1-237.
Step 4 Enter the Commander IP address and UDP port and select whether to enable the
network topology collection function. The Commander IP address you enter here
must be the same as that configured on the Commander. If you keep the UDP
port blank, the default UDP port is used.
Step 5 Click Apply.
After you click Apply, the Summary, Deployment, Batch Configuration, and
Power Consumption nodes disappear from the navigation tree. These functions
are supported only on the Commander and are hidden for clients.
NOTE
After completing the client configuration, you can click Go to commander web NMS to view
Commander information or configure the Commander.
----End
1.7.2 Summary
On the Summary page, you can view the network topology and device
information, and save topology information on the device.
Context
To view network topology information, you must enable topology discovery on the
Commander.
Procedure
● View the network topology.
a. Click Network in the function area to display the Network page.
b. Click Summary in the navigation tree to display the Summary page. The
network topology is displayed, as shown in Figure 1-238.
----End
1.7.3 Deployment
On the Commander, you can perform unconfigured client deployment, faulty
client replacement, and batch client configuration based on topology information.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 4 Click Set Running File to display the Set Running File page, as shown in Figure
1-241.
----End
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select the faulty device to be replaced. The device information is displayed, as
shown in Figure 1-242.
Step 4 Click Replace Running File and enter the file information in the displayed page.
----End
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select the device to be upgraded and click Upgrade. Enter information about the
upgrade system software and patch file on the displayed page.
----End
Procedure
● Configure clients in a batch.
a. Click Network in the function area to display the Network page.
b. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.
c. Select the device to be configured and click Batch Configuration, as
shown in Figure 1-243. Import the script file.
----End
Procedure
● View the power consumption trend on the network.
a. Click Network in the function area to display the Network page.
b. Click Power Consumption in the function area to display the Power
Consumption page.
c. Select a time period from the drop-down list box to view the power
consumption trend of the network in one day, three days, or a week. By
default, the system displays the power consumption trend in one day, as
shown in Figure 1-244.
----End
Choose Configuration > Wireless Services > Profile. The Profile Management
page is displayed.
NOTE
Context
The administrator needs to deliver service parameters to an AP so that the AP can
provide network access services for wireless users. A VAP profile is a set of service
parameters. You can configure different VAP profiles and deliver configurations in
the profiles to APs to provide differentiated WLAN services.
Procedure
● Create a VAP profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP Profile. The VAP Profile List page is displayed.
b. Click Create. The Create VAP Profile page is displayed.
c. Enter the name of the new VAP profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new VAP profile is displayed.
e. Set parameters for creating a VAP profile. Table 1-186 describes the
parameters for creating a VAP profile.
Parameter Description
Item Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a VAP profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP Profile. The VAP Profile List page is displayed.
b. Click the name of the VAP profile that you want to modify. The VAP
Profile page is displayed.
c. Set parameters for modifying the VAP profile. Table 1-186 describes the
parameters for modifying a VAP profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a VAP profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP Profile. The VAP Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP Profile. The VAP Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference. The system displays the types and names of
the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure profiles referenced by a VAP profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP. The VAP Profile List page is displayed. Click next to VAP
Profile. The system displays names of the VAP profiles. Click next to a
VAP profile name. The profiles referenced by the VAP profile are
displayed in the menu navigation area.
b. Click any profile referenced by the VAP profile. The configuration page of
the referenced profile is displayed on the right. You can select another
profile from the drop-down list and set the profile parameters. For
descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
Context
An SSID profile is mainly used to configure STA association and access parameters
based on SSIDs, including the SSID name, STA association timeout period, legacy
terminal access, and QoS CAR.
Procedure
● Create an SSID profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> SSID Profile. The SSID Profile List page is displayed.
b. Click Create. The Create SSID Profile page is displayed.
c. Enter the name of the new SSID profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new SSID profile is displayed.
e. Set parameters for creating an SSID profile. Table 1-188 describes the
parameters for creating an SSID profile.
Parameter Description
Hide SSID after the maximum number of STAs is reached: Whether to hide SSIDs
when the number of users on a VAP reaches the maximum.
EDCA Parameters
Beacon frame rate on 2.4G radio: Rate at which 2.4 GHz Beacon frames are sent.
Others
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an SSID profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> SSID Profile. The SSID Profile List page is displayed.
b. Click the name of the SSID profile that you want to modify. The SSID
profile configuration page is displayed.
c. Set parameters for modifying an SSID profile. Table 1-188 describes the
parameters for modifying an SSID profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an SSID profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> SSID Profile. The SSID Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> SSID Profile. The SSID Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Procedure
● Create a security profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Security Profile. The Security Profile List page is displayed.
b. Click Create. The Create Security Profile page is displayed.
c. Enter the name of the new security profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new security profile is
displayed.
e. Set parameters for creating a security profile. Table 1-189 describes the
parameters for creating a security profile.
Parameter Description
Specify AC private key file/key: Private key file and key of the AC
certificate specified for the security profile when the security policy is
set to WAPI.
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a security profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Security Profile. The Security Profile List page is displayed.
b. Click the name of the security profile that you want to modify. The
security profile configuration page is displayed.
c. Set parameters for modifying a security profile. Table 1-189 describes the
parameters for modifying a security profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a security profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Security Profile. The Security Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
Click Hide Reference Relationship. The system hides the displayed results.
----End
Procedure
● Create a traffic profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Traffic Profile. The Traffic Profile List page is displayed.
b. Click Create. The Create Traffic Profile page is displayed.
c. Enter the name of the new traffic profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new traffic profile is
displayed.
e. Set parameters for creating a traffic profile. Table 1-190 describes the
parameters for creating a traffic profile.
Parameter Description
Unknown unicast packet rate limit: Rate limit for unknown unicast packets.
Unknown unicast packets are discarded if their rates exceed the rate limit.
Packet filtering
The following parameters are available only after IPv4 packet filtering
is selected.
Rate Limit
VAP uplink rate limit: Uplink rate limit for all STAs on a VAP. The value of
this parameter must be greater than the uplink rate limit set for a STA.
VAP downlink rate limit: Downlink rate limit for all STAs on a VAP. The value
of this parameter must be greater than the downlink rate limit set for a STA.
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a traffic profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Traffic Profile. The Traffic Profile List page is displayed.
b. Click the name of the traffic profile that you want to modify. The traffic
profile configuration page is displayed.
c. Set parameters for modifying a traffic profile. Table 1-190 describes the
parameters for modifying a traffic profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a traffic profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Traffic Profile. The Traffic Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> Traffic Profile. The Traffic Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the
WLAN and reject access from unauthorized STAs.
● A whitelist contains MAC addresses of STAs that are allowed to connect to a
WLAN. After the whitelist function is enabled, only the STAs in the whitelist
can connect to the WLAN, and access from other STAs is rejected.
● A blacklist contains MAC addresses of STAs that are not allowed to connect to
a WLAN. After the blacklist function is enabled, STAs in the blacklist cannot
connect to the WLAN, and other STAs can connect to the WLAN.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
Procedure
● Create a STA blacklist profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> STA Blacklist Profile. The STA Blacklist Profile List page is displayed.
b. Click Create. The Create STA Blacklist Profile page is displayed.
c. Enter the name of the new STA blacklist profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new STA blacklist profile is
displayed.
# Click OK
# Click and select the MAC file containing MAC addresses that
you want to import, and click Import.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the
WLAN and reject access from unauthorized STAs.
● A whitelist contains MAC addresses of STAs that are allowed to connect to a
WLAN. After the whitelist function is enabled, only the STAs in the whitelist
can connect to the WLAN, and access from other STAs is rejected.
● A blacklist contains MAC addresses of STAs that are not allowed to connect to
a WLAN. After the blacklist function is enabled, STAs in the blacklist cannot
connect to the WLAN, and other STAs can connect to the WLAN.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
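The admission rule described in this Context section and in the identical one for the STA blacklist profile, including the empty-list case, as an added Python example (not part of the guide or of the device software). The mode names, function names and sample MAC addresses are constructed for illustration, and the check for locally administered addresses is an extra review step that the guide does not describe.

```python
import re


def normalize_mac(mac):
    """Return 12 lowercase hex digits; accepts xx:xx:.., xx-xx-.. and xxxx-xxxx-xxxx."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (address not assigned by a vendor).

    Client operating systems that randomize their MAC per network use such
    addresses, so a list entry of this kind may stop matching the device.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def sta_allowed(sta_mac, mode, entries):
    """Apply the rule from the Context section to one STA.

    mode is "whitelist" or "blacklist" (names assumed for this example).
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown mode: {mode!r}")
    listed = {normalize_mac(m) for m in entries}
    if not listed:
        # Guide: "If the whitelist or blacklist is empty, all STAs can connect."
        return True
    hit = normalize_mac(sta_mac) in listed
    return hit if mode == "whitelist" else not hit


def audit_list(mode, entries, observed_stas):
    """Review a list before import and show its effect on observed STAs."""
    findings, seen = [], set()
    for raw in entries:
        mac = normalize_mac(raw)
        if mac in seen:
            findings.append(f"duplicate entry: {raw}")
        seen.add(mac)
        if is_locally_administered(mac):
            findings.append(f"locally administered address: {raw}")
    if not seen:
        findings.append(f"empty {mode}: every STA is admitted")
    admitted = [s for s in observed_stas if sta_allowed(s, mode, entries)]
    rejected = [s for s in observed_stas if s not in admitted]
    return {"admitted": admitted, "rejected": rejected, "findings": findings}


# Constructed sample data, not taken from any device.
WHITELIST = ["00e0-fc12-3456", "00:E0:FC:12:34:57", "da-a1-19-00-00-01"]
OBSERVED = ["00:e0:fc:12:34:56", "00:e0:fc:aa:bb:cc"]

if __name__ == "__main__":
    print(audit_list("whitelist", WHITELIST, OBSERVED))
    print(audit_list("whitelist", [], OBSERVED))
```

An empty whitelist admits every STA, so the audit reports it as a finding instead of treating it as "nobody allowed".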
Procedure
● Create a STA whitelist profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> STA Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Click Create. The Create STA Whitelist Profile page is displayed.
c. Enter the name of the new STA whitelist profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new STA whitelist profile is
displayed.
# Click OK
# Click and select the MAC file containing MAC addresses that
you want to import, and click Import.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
A regulatory domain profile is used to configure the country code and the
calibration channel and bandwidth. The configuration in the regulatory domain
profile takes effect on APs using the profile.
Procedure
● Create a regulatory domain profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Regulatory Domain Profile. The Regulatory Domain
Profile List page is displayed.
b. Click Create. The Create Regulatory Domain Profile page is displayed.
c. Enter the name of the new regulatory domain profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new regulatory domain
profile is displayed.
e. Set parameters for creating a regulatory domain profile. Table 1-191
describes the parameters for creating a regulatory domain profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a regulatory domain profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Regulatory Domain Profile. The Regulatory Domain
Profile List page is displayed.
b. Click the name of the regulatory domain profile that you want to modify.
The Regulatory Domain Profile page is displayed.
c. Set parameters for modifying a regulatory domain profile. Table 1-191
describes the parameters for modifying a regulatory domain profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a regulatory domain profile.
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as
the transmission medium. Radio waves attenuate when they are transmitted through
the air, degrading service quality for wireless users. Radio resource management
enables a WLAN to adapt to changes in the radio environment by dynamically
adjusting radio resources. This improves service quality for wireless users.
Procedure
● Create an RRM profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > RRM Profile. The RRM Profile List page is displayed.
b. Click Create. The Create RRM Profile page is displayed.
c. Enter the name of the new RRM profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new RRM profile is
displayed.
e. Set parameters for creating an RRM profile. Table 1-192 describes the
parameters for creating an RRM profile.
Parameter Description
UAC
New user channel usage threshold: CAC threshold for new users based on the
channel usage.
Band Steering
Start threshold for load balancing between frequencies: Start threshold for load
balancing between two frequencies on the AP that has band steering enabled.
Load difference threshold for load balancing between frequencies: Load
difference threshold for load balancing between two frequencies on the AP that
has band steering enabled.
Smart Roaming
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an RRM profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > RRM Profile. The RRM Profile List page is displayed.
b. Click the name of the RRM profile that you want to modify. The RRM
Profile page is displayed.
c. Modify parameters in the RRM profile. Table 1-192 describes the
parameters for modifying an RRM profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an RRM profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > RRM Profile. The RRM Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > RRM Profile. The RRM Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
After an air scan profile is created and bound to a radio profile of an AP, the AP
periodically scans surrounding radio signals and reports the collected information
to an AC or server. The information is used for radio calibration, spectrum analysis,
WLAN location, or WIDS data analysis.
Procedure
● Create an air scan profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Air Scan Profile. The Air Scan Profile List page is
displayed.
b. Click Create. The Create Air Scan Profile page is displayed.
c. Enter the name of the new air scan profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new air scan profile is
displayed.
e. Set parameters for creating an air scan profile. Table 1-193 describes the
parameters for creating an air scan profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an air scan profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Air Scan Profile. The Air Scan Profile List page is
displayed.
b. Click the name of the air scan profile that you want to modify. The Air
Scan Profile page is displayed.
c. Set parameters for modifying an air scan profile. Table 1-193 describes
the parameters for modifying an air scan profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an air scan profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Air Scan Profile. The Air Scan Profile List page is
displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Air Scan Profile. The Air Scan Profile List page is
displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
A 2G radio profile is used to configure and optimize the 2G radio of an AP, but
does not take effect on the 5G radio. Create a proper radio profile and bind it to
an AP specific profile or AP group. In this way, the AP provides better radio signal
transmit and receive capabilities.
Procedure
● Create a 2G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 2G Radio Profile. The 2G Radio Profile List page is
displayed.
b. Click Create. The Create 2G Radio Profile page is displayed.
c. Enter the name of the new 2G radio profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new 2G radio profile is
displayed.
e. Set parameters for the 2G radio profile. Table 1-194 describes the
parameters for creating a 2G radio profile.
Parameter Description
802.11n
Interference Detection
WMM
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a 2G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 2G Radio Profile. The 2G Radio Profile List page is
displayed.
b. Click the name of the 2G radio profile that you want to modify. The 2G
Radio Profile page is displayed.
c. Modify parameters for the 2G radio profile. For the parameter
description, see Table 1-194.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a 2G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 2G Radio Profile. The 2G Radio Profile List page is
displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
Click Hide Reference Relationship. The system hides the displayed results.
● Configure a profile referenced in the 2G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 2G Radio Profile. The 2G Radio Profile List page is
displayed. Click to the left of the 2G Radio Profile in the navigation
tree to expand the 2G radio profile list. Click to the left of the 2G
radio profile name to view the names of the profiles referenced in the 2G
radio profile.
b. Click any profile referenced by the 2G radio profile. The configuration
page of the referenced profile is displayed on the right. You can select
another profile from the drop-down list and set the profile parameters.
For descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
Context
A 5G radio profile is used to configure and optimize the 5G radio of an AP, but
does not take effect on the 2G radio. Create a proper radio profile and bind it to
an AP specific profile or AP group. In this way, the AP provides better radio signal
transmit and receive capabilities.
Procedure
● Create a 5G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 5G Radio Profile. The 5G Radio Profile List page is
displayed.
b. Click Create. The Create 5G Radio Profile page is displayed.
c. Enter the name of the new 5G radio profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new 5G radio profile is
displayed.
e. Set parameters for the 5G radio profile. Table 1-195 describes the
parameters for creating a 5G radio profile.
Parameter Description
802.11ac
Only the AD9430DN-24 (including the mapping RUs), AD9430DN-12
(including the mapping RUs), AP2030DN, AP4030DN, AP4130DN,
AP5030DN, AP5130DN, AP7030DE, AP8030DN, AP8130DN, AP9131DN,
AP9132DN and AP9330DN support this parameter.
Interference Detection
WMM
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a 5G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 5G Radio Profile. The 5G Radio Profile List page is
displayed.
b. Click the name of the 5G radio profile that you want to modify. The 5G
Radio Profile page is displayed.
c. Modify parameters for the 5G radio profile. For the parameter
description, see Table 1-195.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a 5G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 5G Radio Profile. The 5G Radio Profile List page is
displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 5G Radio Profile. The 5G Radio Profile List page is
displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure a profile referenced in the 5G radio profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > 5G Radio Profile. The 5G Radio Profile List page is
displayed. Click to the left of the 5G Radio Profile in the navigation
tree to expand the 5G radio profile list. Click to the left of the 5G
radio profile name to view the names of the profiles referenced in the 5G
radio profile.
b. Click any profile referenced by the 5G radio profile. The configuration
page of the referenced profile is displayed on the right. You can select
another profile from the drop-down list and set the profile parameters.
For descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
1.8.3 AP
Context
An AP wired port link profile allows you to perform link-layer management and
configuration of AP wired interfaces.
Procedure
● Create an AP wired port link profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Link Profile. The AP Wired Port Link Profile List page is displayed.
b. Click Create. The Create AP Wired Port Link Profile page is displayed.
c. Enter the name of the new AP wired port link profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP wired port link
profile is displayed.
e. Set parameters for creating an AP wired port link profile. Table 1-196
describes the parameters for creating an AP wired port link profile.
Parameter Description
CRC error clear alarm threshold: Clear alarm threshold for CRC errors on the AP
wired interface.
PoE Settings
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an AP wired port link profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Link Profile. The AP Wired Port Link Profile List page is displayed.
b. Click the name of the AP wired port link profile that you want to modify.
The AP Wired Port Link Profile page is displayed.
c. Modify parameters in the AP wired port link profile. Table 1-196
describes the parameters for modifying an AP wired port link profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an AP wired port link profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Link Profile. The AP Wired Port Link Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Link Profile. The AP Wired Port Link Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
To centrally manage and maintain multiple APs, add these APs to a group, set
parameters in an AP system profile, and then reference the AP system profile in
the AP group view.
Procedure
● Create an AP system profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. Click Create. The Create AP System Profile page is displayed.
c. Enter the name of the new AP system profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP system profile is
displayed.
e. Set parameters for the AP system profile. Table 1-197 describes the
parameters for creating an AP system profile.
Parameter Description
Dual-link Configuration
AC priority: AC priority.
LLDP
Eapol
AP Alarm
Log Backup
Spectrum Analysis
PoE Settings
Others
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an AP system profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. Click the name of the AP system profile that you want to modify. The AP
System Profile page is displayed.
c. Modify parameters for the AP system profile. For the parameter
description, see Table 1-197.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an AP system profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure a profile referenced in an AP system profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. In the navigation tree, click to the left of AP System Profile to
expand the AP system profile list. Click to the left of an AP system
profile name to view the names of the profiles referenced in the AP
system profile.
c. Click any profile referenced by the AP system profile. The configuration
page of the referenced profile is displayed on the right. You can select
another profile from the drop-down list and set the profile parameters.
For descriptions of the profile parameters, see its configuration page.
d. Click Apply. In the Info dialog box that is displayed, click OK.
----End
Context
An AP wired port profile allows you to manage and configure wired interfaces of
APs. You can configure wired port parameters in the AP wired port profile to
facilitate AP management.
Procedure
● Create an AP wired port profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Profile. The AP Wired Port Profile List page is displayed.
b. Click Create. The Create AP Wired Port Profile page is displayed.
c. Enter the name of the new AP wired port profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new AP wired port profile is
displayed.
e. Set parameters for creating an AP wired port profile. Table 1-198
describes the parameters for creating an AP wired port profile.
Parameter Description
ACL for inbound packet filtering: ACL for filtering incoming packets.
ACL for outbound packet filtering: ACL for filtering outgoing packets.
Packet filtering
The following parameters are available only after IPv4 packet filtering
is selected.
Storm Control
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an AP wired port profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Profile. The AP Wired Port Profile List page is displayed.
b. Click the name of the AP wired port profile that you want to modify. The
AP Wired Port Profile page is displayed.
c. Modify parameters of the AP wired port profile. Table 1-198 describes
the parameters for modifying an AP wired port profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an AP wired port profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Profile. The AP Wired Port Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Profile. The AP Wired Port Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure the profiles that are referenced by the AP wired port profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Profile. The AP Wired Port Profile List page is displayed. Click
next to AP Wired Port Profile. The AP wired port profile name is
displayed. Click next to the specified AP wired port profile to view the
profiles that are referenced by the AP wired port profile.
b. Click any profile referenced by the AP wired port profile. The
configuration page of the referenced profile is displayed on the right. You
can select another profile from the drop-down list and set the profile
parameters. For descriptions of the profile parameters, see its
configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
1.8.4 Mesh
1.8.4.1 Mesh Whitelist Profile
Context
After a Mesh whitelist profile is applied to an AP radio, the AP radio can only set
up Mesh links with neighboring APs whose MAC addresses are in the Mesh
whitelist profile.
Procedure
● Create a Mesh whitelist profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Whitelist Profile. The Mesh Whitelist Profile List page is displayed.
b. Click Create. The Create Mesh Whitelist Profile page is displayed.
c. Enter the name of the new Mesh whitelist profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new Mesh whitelist profile is
displayed.
# Click OK
# Click and select the MAC file containing MAC addresses that
you want to import, and click Import.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
Common Mesh Network Application
On a traditional WLAN, APs exchange data with STAs using wireless channels and
connect to a wired network through uplinks. If no wired network is available for
WLAN construction, a wired network must be constructed first, which is both
time-consuming and costly. If the positions of some APs on a WLAN need to be
adjusted, the wired network must be adjusted accordingly, which makes network
adjustment more difficult. With Mesh technology, APs can connect to each other
wirelessly, which allows flexible networking and quick network deployment and
facilitates dynamic expansion of network coverage.
As shown in Figure 1-266, APs on a Mesh network can be sorted into the
following types based on functions:
● Mesh Point (MP): a Mesh-capable node that uses IEEE 802.11 MAC and
physical layer protocols for wireless communication. This node supports
automatic topology discovery, automatic route discovery, and data packet
forwarding. MPs can provide both Mesh service and user access service.
● Mesh Portal Point (MPP): a Mesh point that connects the Mesh network to
other types of networks. This node provides the portal function to allow Mesh
nodes to communicate with external networks.
[Figure 1-266: labels LAN, AC, MP3, MP4, STA1, STA2, STA3, STA, PC; legend entries Mesh link, User access]
Procedure
● Create a Mesh profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Profile. The Mesh Profile List page is displayed.
b. Click Create. The Create Mesh Profile page is displayed.
c. Enter the name of the new Mesh profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new Mesh profile is
displayed.
e. Set parameters for creating a Mesh profile. Table 1-199 describes the
parameters for creating a Mesh profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a Mesh profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Profile. The Mesh Profile List page is displayed.
b. Click the name of the Mesh profile that you want to modify. The Mesh
profile configuration page is displayed.
c. Modify parameters in the Mesh profile. Table 1-199 describes the
parameters for modifying a Mesh profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a Mesh profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Profile. The Mesh Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Profile. The Mesh Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure the profiles that are referenced by the Mesh profile.
A Mesh profile can reference the security profile, Mesh whitelist profile, and
Mesh handover profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Profile. The Mesh Profile List page is displayed. Click next to Mesh
Profile. The Mesh profile name is displayed. Click next to the
specified Mesh profile to view the profiles that are referenced by the
Mesh profile.
b. Click any profile referenced by the Mesh profile. The configuration page
of the referenced profile is displayed on the right. You can select another
profile from the drop-down list and set the profile parameters. For
descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
1.8.5 WDS
1.8.5.1 WDS Whitelist Profile
Context
After a WDS whitelist profile is applied to an AP radio, the AP radio can only set
up WDS links with neighboring APs whose MAC addresses are in the WDS
whitelist profile. If no WDS whitelist profile is applied to an AP radio, the AP radio
can establish WDS links with any neighboring APs.
Procedure
● Create a WDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Whitelist Profile. The WDS Whitelist Profile List page is displayed.
b. Click Create. The Create WDS Whitelist Profile page is displayed.
c. Enter the name of the new WDS whitelist profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new WDS whitelist profile is
displayed.
# Click OK
# Click and select the MAC file containing MAC addresses that
you want to import, and click Import.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Procedure
● Create a WDS profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Profile. The WDS Profile List page is displayed.
b. Click Create. The Create WDS Profile page is displayed.
c. Enter the name of the new WDS profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new WDS profile is
displayed.
e. Set parameters for creating a WDS profile. Table 1-200 describes the
parameters for creating a WDS profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a WDS profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Profile. The WDS Profile List page is displayed.
b. Click the name of the WDS profile that you want to modify. The WDS
profile configuration page is displayed.
c. Modify parameters in the WDS profile. Table 1-200 describes the
parameters for modifying a WDS profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a WDS profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Profile. The WDS Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
Click Hide Reference Relationship. The system hides the displayed results.
● Configure the profiles that are referenced by the WDS profile.
A WDS profile can reference the security profile and WDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Profile. The WDS Profile List page is displayed. Click next to WDS
Profile. The WDS profile name is displayed. Click next to the specified
WDS profile to view the profiles that are referenced by the WDS profile.
b. Click any profile referenced by the WDS profile. The configuration page of
the referenced profile is displayed on the right. You can select another
profile from the drop-down list and set the profile parameters. For
descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
1.8.6 WIDS
Context
There are security risks from unauthorized devices on WLAN networks, so
administrators deploy monitoring APs to monitor the WLAN networks. After the
AP working mode is set to monitoring, the AP monitors wireless devices and
reports wireless device information to an AC. The AC can identify unauthorized
devices.
However, there may be APs of other vendors or other networks working in the
existing signal coverage areas. If these APs are countered, their services will be
affected. To prevent this situation, configure an authorized AP list, including an
authorized MAC address list, OUI list, and SSID list. When an unauthorized AP is
detected but the AP's MAC address is in the authorized MAC address list, the AP is
an authorized AP. However, if the AP's MAC address is not in the authorized MAC
address list, the AP's OUI and SSID must be both in the authorized OUI and SSID
lists; otherwise, the AP is a rogue AP.
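The decision order described above, as an added Python example (not code from the device or from this guide) that can be run over an exported list of detected APs before containment is enabled. All MAC addresses, OUIs and SSIDs are constructed, and exact case-sensitive SSID comparison is an assumption.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")


def _hex_digits(value, length):
    """Strip MAC/OUI separators and check that `length` hex digits remain."""
    digits = _SEPARATORS.sub("", value).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % length, digits):
        raise ValueError(f"expected {length} hex digits, got {value!r}")
    return digits


class AuthorizedApList:
    """The three authorized lists named in the text: MAC, OUI and SSID."""

    def __init__(self, macs, ouis, ssids):
        self.macs = {_hex_digits(m, 12) for m in macs}
        self.ouis = {_hex_digits(o, 6) for o in ouis}
        # Assumption: SSIDs are compared exactly (case-sensitive).
        self.ssids = set(ssids)

    def classify(self, mac, ssid):
        """Return (verdict, reason) for one detected AP."""
        mac = _hex_digits(mac, 12)
        # 1. A listed MAC address authorizes the AP on its own.
        if mac in self.macs:
            return "authorized", "MAC in authorized MAC list"
        # 2. Otherwise the OUI AND the SSID must both be listed.
        oui_ok = mac[:6] in self.ouis
        ssid_ok = ssid in self.ssids
        if oui_ok and ssid_ok:
            return "authorized", "OUI and SSID both in authorized lists"
        missing = [n for n, ok in (("OUI", oui_ok), ("SSID", ssid_ok)) if not ok]
        return "rogue", "MAC not listed; " + " and ".join(missing) + " not authorized"


def audit(detections, allow):
    """Classify every (mac, ssid) pair and keep the reason for review."""
    return [(mac, ssid) + allow.classify(mac, ssid) for mac, ssid in detections]


# Constructed sample data, in mixed MAC notations on purpose.
ALLOW = AuthorizedApList(
    macs=["0a1b-2c3d-4e5f"],
    ouis=["0a-1b-2c"],
    ssids=["Corp-WiFi"],
)
DETECTED = [
    ("0a1b-2c3d-4e5f", "Lab-Test"),      # listed MAC, SSID irrelevant
    ("0A:1B:2C:99:88:77", "Corp-WiFi"),  # unlisted MAC, OUI and SSID listed
    ("0a1b-2c00-0001", "Free-WiFi"),     # OUI listed, SSID not
    ("dead-beef-0001", "Corp-WiFi"),     # SSID listed, OUI not
    ("dead-beef-0002", "Free-WiFi"),     # nothing listed
]

if __name__ == "__main__":
    for mac, ssid, verdict, reason in audit(DETECTED, ALLOW):
        print(f"{mac:<18} {ssid:<10} {verdict:<10} {reason}")
```

The fourth sample row is the case the SSID list alone cannot catch: an AP that advertises an authorized SSID from hardware whose OUI is not listed is still classified as rogue.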
Procedure
● Create a WIDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Whitelist Profile. The WIDS Whitelist Profile List page is displayed.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a WIDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Whitelist Profile. The WIDS Whitelist Profile List page is displayed.
b. Click the name of the WIDS whitelist profile that you want to modify. The
WIDS whitelist profile configuration page is displayed.
c. Set parameters for modifying a WIDS whitelist profile. Table 1-201
describes the parameters for modifying a WIDS whitelist profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a WIDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Whitelist Profile. The WIDS Whitelist Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Whitelist Profile. The WIDS Whitelist Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
WLAN services are available in public places, such as banks and airports. Users can
connect to the WLANs after associating with corresponding SSIDs. If a rogue AP is
deployed and provides spoofing SSIDs similar to authorized SSIDs, the users may
be misled and connect to the rogue AP, which brings security risks. To address this
problem, configure a fuzzy matching rule to identify spoofing SSIDs. The device
compares a detected SSID with the matching rule. If the SSID matches the rule,
the SSID is considered a spoofing SSID. The AP using the spoofing SSID is a rogue
AP. The device then takes countermeasures against the rogue AP, forcing users to
disconnect from the AP.
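Because a matching SSID leads to countermeasures, a candidate rule is worth dry-running before it is applied. The following is an added Python example, not code from the device or from this guide; Python regular expressions with full-string matching stand in for the device's rule syntax, which this page does not give, and every SSID is constructed.

```python
import re


def check_rule(rule, authorized, neighbours, lookalikes):
    """Dry-run a candidate spoof-SSID rule against three SSID sets.

    authorized: SSIDs the network really serves (must NOT match)
    neighbours: SSIDs of unrelated nearby networks (must NOT match)
    lookalikes: imitations the rule is meant to catch (must match)
    """
    pattern = re.compile(rule)

    def hit(ssid):
        # Assumption: the rule has to match the whole SSID.
        return pattern.fullmatch(ssid) is not None

    return {
        "missed_lookalikes": [s for s in lookalikes if not hit(s)],
        "hits_authorized": [s for s in authorized if hit(s)],
        "hits_neighbours": [s for s in neighbours if hit(s)],
    }


def safe_to_deploy(report):
    """A rule is acceptable only if all three problem lists are empty."""
    return not any(report.values())


# Constructed SSIDs.
AUTHORIZED = ["Corp-WiFi"]
NEIGHBOURS = ["CoffeeShop-Guest", "Corporate-Hotel"]
LOOKALIKES = ["Corp_WiFi", "C0rp-WiFi", "Corp-WiFi-Free", "corp-wifi"]

# Too broad: matches the real SSID and a neighbour, yet misses "C0rp-WiFi".
BROAD_RULE = r"(?i).*corp.*"

# Tighter: case-insensitive body with o/0 and separator variants, plus a
# case-sensitive lookahead that excludes the exact authorized SSID.
TIGHT_RULE = r"(?!Corp-WiFi$)(?i:c[o0]rp[-_ ]?wi-?fi.*)"

if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("tight", TIGHT_RULE)):
        report = check_rule(rule, AUTHORIZED, NEIGHBOURS, LOOKALIKES)
        print(name, "safe" if safe_to_deploy(report) else "unsafe", report)
```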
Procedure
● Create an SSID profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Spoof SSID Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Click Create. The Create WIDS Spoof SSID Profile page is displayed.
c. Enter the name of the new WIDS spoof SSID profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new WIDS spoof SSID profile
is displayed.
e. Set parameters for creating a WIDS spoof SSID profile. Table 1-202
describes the parameters for modifying an SSID profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an SSID profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Spoof SSID Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Click the name of the WIDS spoof SSID profile that you want to modify.
The WIDS spoof SSID profile configuration page is displayed.
c. Set parameters for modifying a WIDS spoof SSID profile. Table 1-202
describes the parameters for modifying an SSID profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an SSID profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Spoof SSID Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Spoof SSID Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
----End
Context
A WIDS profile can be used to configure parameters for the wireless device
detection, rogue device containment, and attack detection functions.
Procedure
● Create a WIDS profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Profile. The WIDS Profile List page is displayed.
b. Click Create. The Create WIDS Profile page is displayed.
c. Enter the name of the new WIDS profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new WIDS profile is
displayed.
e. Set parameters for creating a WIDS profile. Table 1-203 describes the
parameters for creating a WIDS profile.
Parameter Description
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a WIDS profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Profile. The WIDS Profile List page is displayed.
b. Click the name of the WIDS profile that you want to modify. The WIDS
profile configuration page is displayed.
c. Set parameters for modifying a WIDS profile. Table 1-203 describes the
parameters for modifying a WIDS profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete a WIDS profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Profile. The WIDS Profile List page is displayed.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
● Display the profile reference relationship.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Profile. The WIDS Profile List page is displayed.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure and modify the profiles referenced by a WIDS profile.
A WIDS profile can reference WIDS whitelist and WIDS spoof SSID profiles.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Profile. The WIDS Profile List page is displayed. Click next to WIDS
Profile. The system displays names of the WIDS profiles. Click next to
a WIDS profile name. The profiles referenced by the WIDS profile are
displayed in the menu navigation area.
b. Click any profile referenced by the WIDS profile. The configuration page
of the referenced profile is displayed on the right. You can select another
profile from the drop-down list and set the profile parameters. For
descriptions of the profile parameters, see its configuration page.
c. Click Apply. In the Info dialog box that is displayed, click OK.
----End
e. Set parameters for creating a location profile. Table 1-204 describes the
parameters for creating a location profile.
Parameter Description
AeroScout Location
Parameter Description
Ekahau Location
Parameter Description
Private Location
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify a location profile.
a. Choose Configuration > Wireless Services > Profile > WLAN Location >
WLAN Location Profile. The WLAN Location Profile List page is
displayed.
b. Click the name of the location profile that you want to modify. The
location profile configuration page is displayed.
c. Modify parameters in the location profile. Table 1-204 describes the
parameters for modifying a location profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
Click Hide Reference Relationship. The system hides the displayed results.
----End
Networking Requirements
In Figure 1-267, back up the configuration file of the switch to a file server, so
that the configuration file can be restored if the switch is damaged unexpectedly.
Additionally, the configuration file can be downloaded from the file server to the
switch if incorrect configurations cause abnormal functions.
Network
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Click at the upper right corner after the preceding configuration; otherwise, the
configuration that has not been saved will be lost upon reboot.
Step 2 Choose Maintenance > System Maintenance > System > File Management. The
File Management page is displayed, as shown in Figure 1-268.
Step 3 Click in the line of the vrpcfg.zip configuration file, and specify the directory to
which the configuration file is to be backed up.
----End
Result
After the configuration file is backed up, query the backup file on the file server.
Follow-up Procedure
To restore the backup configuration file on the switch, upload the file on the File
Management page. Then on the Upgrade page, specify the backup configuration
file as the configuration file for the next startup and click Apply.
the enterprise allows only the users accessing the same service to communicate
with each other. You can assign and configure VLANs on the switch based on
interfaces so that the switch adds interfaces connected to users using the same
service to the same VLAN. Users in different VLANs cannot communicate at Layer
2. Users in the same VLAN can directly communicate with each other. That is:
● User 1 and user 2 in VLAN 2 are isolated from user 3 in VLAN 3.
● User 1 and user 2 in VLAN 2 can communicate with each other.
[Networking diagram: SwitchA and SwitchB; interfaces GE0/0/2, GE0/0/3, GE0/0/4, and GE0/0/5]
Configuration Roadmap
The configuration roadmap is as follows:
1. Select the switching mode.
2. Configure the port connected to terminals.
3. Configure the port connected to the upstream gateway.
Procedure
Step 1 Choose Configuration > Quick Config. Select Switching for Select a mode to
open the quick switching mode configuration page, as shown in Figure 1-270.
Step 2 Click Add below Step 2: Configure the port connected to downlink devices, as
shown in Figure 1-271.
Set all configuration items as follows. Then click to finish the configuration.
Figure 1-272 displays the configuration result.
Configure GE0/0/4:
Figure 1-272 Configuration result for the port connected to downlink devices
Step 3 Click GE0/0/5 below Step 3: Configure the port connected to the upstream
gateway, and set all configuration items, as shown in Figure 1-273.
● Port status: ON
● Link aggregation: OFF
● Allowed VLAN: 2, 3
Step 4 Click Apply. In the dialog box that is displayed, click OK.
----End
Result
Choose Configuration > Basic Services > VLAN to check the VLAN information,
as shown in Figure 1-274.
Click View Interface next to VLAN ID 2 and 3 to view the interfaces added to
each VLAN and their status, as shown in Figure 1-275 and Figure 1-276.
[Networking diagram: SwitchB GE0/0/4.1 (192.168.40.4/24) connects to SwitchA GE0/0/4 (VLANIF4, 192.168.40.1/24); SwitchA GE0/0/2 (VLANIF2, 192.168.20.1/24) serves User1 in VLAN2; SwitchA GE0/0/3 (VLANIF3, 192.168.30.1/24) serves User2 in VLAN3]
Configuration Roadmap
The following configurations are performed on SwitchA. The configuration
roadmap is as follows:
Procedure
Step 1 Choose Configuration > Quick Config. Select Routing for Step 1: Select a mode
to open the quick switching mode configuration page, as shown in Figure 1-278.
Step 2 Click Add below Step 2: Configure the port connected to internal network
devices, as shown in Figure 1-279.
Set all configuration items as follows. Then click to finish the configuration.
Figure 1-280 displays the configuration result.
Configure GE0/0/2:
Configure GE0/0/3:
Figure 1-280 Configuration result for the port connected to internal network
devices
Step 3 Choose GE0/0/4 below Step 3: Configure the port connected to the switch on
external network. Set all configuration items, as shown in Figure 1-281.
● Port Status: ON
● Link aggregation: OFF
● Allowed VLAN: 4
● Connected IP address/mask: 192.168.40.1/255.255.255.0
● Next hop: 192.168.40.4
Figure 1-281 Configuring the port connected to the switch on external network
Step 4 Click Apply. In the dialog box that is displayed, click OK to finish configuration.
NOTE
If router A is connected to public networks, you need to configure a NAT policy on router A to
implement translation between public and private IP addresses.
You also need to configure a subinterface for the inbound interface of router A to remove tags
from VLAN packets.
----End
Result
Choose Configuration > Basic Services > VLAN to check the VLAN information,
as shown in Figure 1-282.
● Click View Interface next to VLAN ID 2, 3 and 4 to view the interfaces added
to each VLAN and their status, as shown in Figure 1-283, Figure 1-284, and
Figure 1-285.
[Networking diagram: SwitchA (Commander); SwitchC, SwitchD, and SwitchE (Clients)]
Configuration Roadmap
1. Log in to SwitchA through the web system and configure SwitchA as the
Commander.
2. Log in to SwitchC, SwitchD, and SwitchE through the web system and
configure them as clients.
Procedure
Step 1 Log in to SwitchA through the web system and configure SwitchA as the
Commander.
1. Click Network in the function area. The Network page is displayed.
2. In the navigation tree, click Role Configuration. The Role Configuration
page is displayed.
3. Click the Commander option button, as shown in Figure 1-287.
4. Select an existing IP address from the IP address drop-down list box. Use the
default UDP port.
5. Click Apply. The configuration is complete.
Step 2 Log in to SwitchC, SwitchD, and SwitchE through the web system and configure
them as clients.
1. Click Network in the function area. The Network page is displayed.
2. In the navigation tree, click Role Configuration. The Role Configuration
page is displayed.
3. Click the Client option button, as shown in Figure 1-288.
4. Enter the Commander IP address, which must be the same as that configured
on the Commander. Use the default UDP port.
5. Click Apply. The configuration is complete.
----End
[Networking diagram: NMS and Switch]
Configuration Description
Before configuring SNMP, complete the following tasks:
● Ensure that a reachable route exists between the switch and NMS. The
configuration procedure is not provided.
● Configure SNMPv2c on the switch to be managed by the NMS running
SNMPv2c.
● Configure a community name based on which the switch authenticates the
NMS.
● Configure the NMS according to the NMS manual so that the NMS can
manage the SNMP-enabled switch. The configuration procedure is not provided.
Procedure
Step 1 Click Maintenance to open the maintenance page.
Step 2 Click System Maintenance > SNMP in the navigation tree to open the SNMP
configuration page, as shown in Figure 1-290.
Set the parameters as follows:
● Select ON for SNMP.
● Set Version number to v2c.
● Enter adminnms01 in Community name.
● Enter adminnms01 in Confirm community name.
Step 4 Click in the function area and click OK in the displayed dialog box to save the
SNMP configuration.
----End
Result
Perform the following operations on the NMS according to the NMS manual: set
the SNMP version to SNMPv2c, set the read/write community name to
adminnms01, and set the SNMP connection port number to 161 (default port
used by the switch).
After the preceding configurations are complete, the NMS can manage the switch.
In Figure 1-291, the parent is directly connected to a level-1 AS, and the level-1
AS is directly connected to an AP. The PC's network port is directly connected to
the parent's Ethernet management port for a login to the web system to configure
SVF.
Configuration Roadmap
The configuration roadmap is as follows:
1. Log in to the web system of the parent through the PC and ensure that the
PC and parent reside on the same network segment.
2. Change to the SVF mode.
3. Configure the SVF system capability.
Data Plan
Item Data
AP SN 21500826412SF690XXXX
Procedure
Step 1 Log in to the web system of the parent through the PC.
1. Open the web browser on the PC, enter https://management address of the
parent in the address box, and press Enter. The web system login page is
displayed, as shown in Figure 1-292.
2. Select English as the language for the web system and choose EasyOperation.
3. Enter the configured web user name and password, and click GO or press
Enter. The web system page is displayed.
1. Click in the upper left corner of the web system page, as shown in
Figure 1-293.
2. In the dialog box that is displayed, click OK, as shown in Figure 1-294.
2. Click Apply. In the dialog box that is displayed, click OK, as shown in Figure
1-296.
3. Click Manage in Fabric-Port Member Ports. In the displayed Add Port dialog
box, select GE0/0/1 (the port connected to AS1) as the fabric-port, and click
OK, as shown in Figure 1-298.
2. Click Add Selected and select GE0/0/8 from the displayed Manage as1
Member User Ports dialog box, as shown in Figure 1-302.
Step 6 Log in to the AS using a command, run the reset saved-configuration command
to clear the AS configuration, and reboot the AS. If the system asks you whether
to save the current configuration during the reboot, enter N. Connect the level-1
AS to the parent and connect the AP to the level-1 AS using cables.
----End
Result
After configuring SVF, perform the following operations to verify the
configurations:
● Choose Monitoring > Summary. In the displayed page, you can view SVF
overview and device status information. Click on the left side of Member
Device Status, and you can view that both the AS and AP are online, as
shown in Figure 1-304. This indicates that an SVF system has been set up.
b. Click the AS1 and AP1 icons. You can view detailed information about
AS1 and AP1, as shown in Figure 1-306 and Figure 1-307.
Figure 1-308 Networking diagram for configuring the device as a DHCP server
[Diagram: Switch (DHCP server) with an uplink to the Internet; GE0/0/1 (VLANIF 10, 10.1.1.1/24) and GE0/0/2 (VLANIF 11, 10.1.2.1/24); downstream switches LSW_1 and LSW_2]
Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the gateway device Switch to dynamically
allocate IP addresses to terminals on the two network segments. PCs on the
network segment 10.1.1.0/24 are employees' fixed office terminals, and the
network segment 10.1.2.0/24 is used by travelling employees to access the
network temporarily.
NOTE
Configure interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.
Procedure
Step 1 Configure the VLANs to which interfaces belong.
1. Choose Configuration > Basic Services > Interface Settings. Click Connect
to PC.
2. Select GE0/0/1 under Step 2: Select Interface, and set Interface Status and
Default VLAN under Step 3: Configure Interface to ON and 10, as shown in
Figure 1-309. You do not need to configure other parameters under Step 3:
Configure Interface.
4. Click the data line of Vlanif10 in Address Pool List to view Vlanif10 Address
Pool Information. Select 10.1.1.100 and click Bind IP to open the Statically
Bound page. Set MAC address to 286e-d488-b684 as shown in Figure 1-312
and click OK.
----End
Operation Result
Choose Configuration > Basic Services > DHCP and click the data lines of
Vlanif10 and Vlanif11 in Address Pool List to view address allocation of interface
address pools, as shown in Figure 1-313.
[Networking diagram: Switch with GE0/0/1 in VLAN 10 (VLANIF10, 192.168.1.10/24) and GE0/0/2 to GE0/0/n in VLAN 20 (VLANIF20, 192.168.2.10/24); employees in the office area]
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Before performing the following operations, ensure that there are reachable routes between
user terminals and the server.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
1. Choose Configuration > Basic Services > Interface Settings. Click Connect
to PC.
2. Select GE0/0/2 from Step 2: Select Interface, set Interface Status below
Step 3: Configure Interface to ON, and enter 20 for Default VLAN. The
other parameters do not need to be set. Configure GE0/0/1 in the same way,
as shown in Figure 1-315 and Figure 1-316.
By default, the unified mode is used. The switch restarts after the NAC mode is changed
between the common mode and unified mode.
2. Choose Configuration > Security Services > AAA, click the RADIUS tab, click
the RADIUS Server Profile tab, and click Create to create and configure the
RADIUS server template rd1. Set parameters according to Figure 1-319 and
click OK.
3. Choose Configuration > Security Services > AAA, click the RADIUS tab, click
the Authentication/Accounting Server tab, and click Create to create and
configure an authentication server rd1. Set parameters according to Figure
1-320 and click OK.
5. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication Profile > Domain Profile to open the Domain Profile List
page. Click Create to access the Create Domain Profile page. Enter
huawei.com for Profile name and click OK. The authentication domain
huawei.com is created and the AAA authentication scheme abc and RADIUS
server template rd1 are bound to the authentication domain. Set parameters
according to Figure 1-322 and click Apply.
2. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication Profile to access the Authentication Profile List page. Click
Create and enter p1 for Profile name, as shown in Figure 1-324. Click OK to
create the authentication profile p1.
3. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication Profile > p1 > 802.1X Profile. Select d1 from the 802.1X
Profile drop-down list, as shown in Figure 1-325, and click Apply to bind the
802.1x profile d1 to the authentication profile p1.
4. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication Profile > p1 > Domain Profile. Select huawei.com from the
Domain Profile drop-down list, as shown in Figure 1-326, and click Apply to
apply the authentication domain huawei.com to the authentication profile
p1.
5. Choose Configuration > Security Services > AAA Service App > Wired
Interface Authentication. Select GE0/0/2 on the front panel. Select p1 from
Authentication Profile, as shown in Figure 1-327, and click Apply. Configure
GE0/0/3 to GE0/0/n in the same way.
----End
Operation Result
● Start the 802.1x client on a terminal, and enter the user name and password
for authentication.
● If the user name and password are correct, the client displays an
authentication success message and you can access the Internet.
● After going online, log in to the web system. Choose Monitoring > User >
Wired User Statistics. The 802.1x user information is displayed.