01-01 EasyOperation Edition

S1720GFR, S2700, S5700, and S6720 Series Ethernet
Switches
Web-based Configuration Guide 1 EasyOperation Edition
1 EasyOperation Edition
About This Chapter
The web system of the EasyOperation edition allows for common operations
related to the monitor, configuration, diagnosis, maintenance, and network
functions.
Context
NOTE
The web system is applicable to wireless service deployment on small- and middle-sized
networks. For large-sized networks, use other network management systems, such as eSight.
EasyOperation supports login through iPad and supports only Safari. If you log in through iPad,
the following functions are unavailable:
● Upload, download, import, and export
● Spectrum analysis
● CLI switching area
● Dragging the pop-up dialog box
1.1 Logging In to the Switch Through the Web System

1.2 Client Configuration
This section describes the window layout of and basic operations on the web
system of the EasyOperation edition to facilitate user usage.
1.3 Monitor
You can monitor device status information in the web system.
1.4 Configuration
The configuration tasks include basic service management and security service
management.
1.5 Diagnosis
This section describes the maintenance and diagnostic commands.
1.6 Maintenance
This section describes common device maintenance.
1.7 Network
Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 1

Switches
The EasyDeploy function simplifies network configuration and implements remote

deployment and centralized management of network devices.
1.8 Profile (S5720HI)
1.9 Configuration Examples
The following sections illustrate service configurations using several examples.
1.1 Logging In to the Switch Through the Web System

NOTE
The S5720-50X-EI-AC, S5720-50X-EI-DC, S5720-50X-EI-46S-AC, and S5720-50X-EI-46S-DC do not

have the MODE button. If you log in to these models for the first time, do not use the web
system.
There are multiple methods to log in to the switch through web. For details, see
Table 1-1. Select a proper login method.
Table 1-1 Logging in to the switch through the web system
Device Model Scenario Login Method
S1720GFR The switch is powered on See 1.1.1 Logging In to

for the first time and you the Device Through the
log in to the switch Web System for the
through the web system First Time (S1720GFR).
for the first time.
You have logged in to See 1.1.4 Web System

the switch through Login Configuration.
command line, and
expect to log in to the
switch through the web
system this time.
S5720SI, S5720S-SI The switch is powered on See 1.1.3 Logging In to

for the first time and the Device for the First
registered with the DHCP Time Through the Web
server or registration System (Switches
query center. After the Changed to the Cloud-
switch mode is changed based Management
to cloud management, Mode).
you log in to the switch
for the first time through
the web system.
The switch is powered on See 1.1.2 Logging In to

for the first time, and is the Device Through the
not in cloud Web System for the
management mode. You First Time (Switches
log in to the switch Not in Cloud-based
through the web system Management Mode
for the first time. Excluding S1720GFR).

Switches
Device Model Scenario Login Method

command line, and
system this time.
S5720-50X-EI-AC, You have logged in to See 1.1.4 Web System

S5720-50X-EI-DC, the switch through Login Configuration.
S5720-50X-EI-46S-AC, command line, and
S5720-50X-EI-46S-DC expect to log in to the
system this time.
Other models of X7 The switch is powered on See 1.1.2 Logging In to

series switches for the first time and you the Device Through the
log in to the switch Web System for the
through the web system First Time (Switches
for the first time. Not in Cloud-based
Management Mode
Excluding S1720GFR).

command line, and
system this time.
1.1.1 Logging In to the Device Through the Web System for

the First Time (S1720GFR)
When logging in to the S1720GFR with the factory settings for the first time, users
can log in only through the Web system on the PC.
Context
To facilitate device maintenance and use, S1720GFR switches allow for the first
login using the Web system.
Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following
tasks:
● Power on the device.

● Ensure that the device has only the factory settings.

Switches
Default Configuration
Table 1-2 Default configuration of the device

Parameter Default Setting
User name and Password The default username and password

are available in S Series Switches
Default Usernames and Passwords
(Enterprise Network or Carrier). If
you have not obtained the access
permission of the document, see Help
on the website to find out how to
obtain it.
User level 15
Login IP address 192.168.1.253

NOTE
With the factory settings on an S1720GFR,
the default IP address of VLANIF 1 is
192.168.1.253. To prevent IP address
conflict on the local network, users are
advised to change the IP address of
VLANIF 1 on the S1720GFR before
constructing the network.
Procedure
Step 1 Connect the PC to the device.
Connect the PC to any Ethernet interface on the device.
Step 2 Configure an IP address for the PC.
To ensure that the PC and device have reachable routes to each other, configure
an IP address on the same network segment with the device IP address for the PC.
Step 3 Log in to the device through Web system.
Open the browser on the PC and access https://192.168.1.253. On the displayed
Web system login page shown in Figure 1-1, enter the default user name and
default password.

Switches
Figure 1-1 First login page in the Web system
NOTE
To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet Explorer
11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the Classic Web
system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the browser version
or browser patch version is not within the preceding ranges, the web page may not be
properly displayed. Upgrade the browser and browser patch. In addition, the browser must
support JavaScript.
Step 4 Access the password change page of the web system.

On the web system login page, click GO or press Enter to access the password
change page, as shown in Figure 1-2. Change the password and re-log in to the
web system as prompted. You can manage and maintain the device after logging
in to the web system.

Switches
Figure 1-2 Password change page of the web system
NOTE
● The password change page is displayed during the login process only the first time you
log in to the web system.
● The password change page is also displayed if your password will expire or has expired.
To access the web system main page, you must change the password.
● To improve security, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In
addition, the password cannot contain spaces or single quotation marks (').
Step 5 (Optional) Changing the Web login password.

If the default password is used to log in to the device, a message is displayed
prompting users to change the password, as shown in Figure 1-3. Click Confirm.
Change the login password on the User Management page. To ensure security,
users are advised to change the Web login password upon the first login to the
device.

Switches
Figure 1-3 Page prompting users to change the login password
NOTE
A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password
cannot contain spaces or single quotation marks (').
After accessing the user management page, you can change the default user level. Only
level 3 users and higher are administrators with management rights. Level 2 users and
below are monitoring users. Administrator users have all operation rights of a web page,
and monitoring users can only perform ping and tracert operations.
----End
1.1.2 Logging In to the Device Through the Web System for

the First Time (Switches Not in Cloud-based Management
Mode Excluding S1720GFR)
When logging in to the device with the factory settings for the first time, users can
log in only through the Web system on the PC and then configure the login mode
(Web system, Telnet, or STelnet).
Context
When a PC has no available serial interface or does not carry any console cable,
users can log in to the device with the factory settings using the Web system for
the first time. After the login, users can conveniently configure the login mode
(Web system, Telnet, or STelnet). After the login mode is configured, users can log
in to the device using the Web system, Telnet, or STelnet for device maintenance.
NOTE
Devices without the MODE button do not support first login through the Web system.
First login through the Web system, SVF, USB-based deployment, and EasyDeploy cannot be
used together.
Before logging in to a device through the Web system, complete the following
tasks:

Switches
● Powering on the device

● Ensuring that the device has only the factory settings

User name and Password The default username and password

obtain it.
User level 15
Procedure
For a device that provides only optical interfaces, connect the PC to the
management interface on the device. For a device that supports first login through
the Web system, connect the PC to any Ethernet interface (except the
management interface) on the device.
NOTE
Users can log in to a device for the first time using the Web system only when the device is
in factory default state. In this case, do not log in to the device through the console
interface, because any operation on the console interface leads to the failure of the first
login using the Web system.
Step 2 Enter the initial configuration state.

Before performing this step, ensure that the device uses factory settings and the
console interface is not connected.
Press and hold down the MODE button for 6 seconds or longer. When all
indicators are steady green, the device enters the initial configuration state.
The system sets the switch IP address to 192.168.1.253/24 and the user level to 15
by default.

Switches
NOTE
If the device has been configured when users press and hold down the MODE button for 6
seconds or longer, all indicators blink green fast. In this case, the device is restored to the
normal state after 10 seconds, without impact on existing configuration.
If the device in the factory settings has just started or has been configured through the
console interface when users press and hold down the MODE button for 6 seconds, the
device may fail to enter the initial configuration state. When all indicators blink fast for 10s,
the device restores to the factory default state.
The device automatically exits the initial configuration state and restores the factory
settings if users have not saved the settings after 10 minutes.
Step 4 Log in to the device through Web system.

Web system login page shown in Figure 1-4, enter the default user name and
default password, and select the system language. Click GO or press Enter. The
Web system configuration page is displayed.
Figure 1-4 First login page in the Web system
NOTE
The login to the device through the Web system requires that the browser on the PC must
be Microsoft Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to
54.0. If the browser version or browser patch version is not within the preceding ranges, the
web page may not be properly displayed. Upgrade the browser and browser patch.
Step 5 Configure the device.
As shown in Figure 1-5, the Web system configuration page allows users to
perform the basic and optional configurations. Table 1-4 describes parameters for
the basic configuration. After the basic configuration is complete, users can log in
to the device through the Web system. Table 1-5 describes parameters for the

Switches
optional configuration. After the optional configuration is complete, users can log
in to the device through Telnet or STelnet.
A login user can create users for logging in to the device through Telnet or
STelnet. The parameter Create User is valid only when Telnet Server or Stelnet
Server is On.
Figure 1-5 Web system configuration page
Table 1-4 Basic configuration

Item Description
Management IP Address Indicates the management IP address

of the device. The value is in dotted
decimal notation.
Mask Indicates the mask of the IP address.

Select a subnet mask from the drop-
down list box.
Old Password Indicates the default Web login

password. This parameter is
mandatory.

Switches
Item Description
WEB User Password Indicates the new Web login password.

This parameter is mandatory.
A secure password should contain at
least two types of the following:
lowercase letters, uppercase letters,
numerals, special characters (such as !
$ # %). In addition, the password
cannot contain spaces or single
quotation marks (').
Confirm Password Confirms the new Web login password.

This parameter is mandatory.
The format is the same as that of WEB
User Password.
WEB User Level Indicates the Web user level. Select a

user level from the drop-down list box.
This parameter is optional.
Only level 3 users and higher are
administrators with management
rights. Level 2 users and below are
monitoring users. Administrator users
have all operation rights of a web
page, and monitoring users can only
perform ping and tracert operations.
Table 1-5 Optional configuration

Item Description
Device Name Specifies the device name.

The device name cannot contain
question marks (?) and cannot start
with spaces.
Telnet Server Configures the Telnet function.

● On: enables Telnet.
● Off: disables Telnet.
Stelnet Server Configures the STelnet function.

● On: enables STelnet.
● Off: disables STelnet.
User Name Specifies the Telnet or STelnet login

user name.
The user name cannot contain / : * ? "
< > | ' or %, and cannot start with @.

Switches
Item Description
Password Specifies the password.

A secure password should contain at
least two types of the following:
lowercase letters, uppercase letters,
numerals, special characters (such as !
$ # %). In addition, the password
cannot contain spaces or single
quotation marks (').
Confirm Password Confirms the password.

The format is the same as that of
Password.
User Level Indicates the Telnet or STelnet user

level. Select a user level from the
drop-down list box.
Only level 3 users and higher are
administrators with management
rights. Level 2 users and below are
monitoring users. Administrator users
have all operation rights of a web
page, and monitoring users can only
perform ping and tracert operations.
Step 6 Save configuration.

Click Apply. The configuration is saved. When logging out of the Web system for
the first time, the following situations may occur based on the configured
management IP address:
● When the management IP address is on the same network segment as
192.168.1.253/24, the Web system login page is displayed.
● When the management IP address is not on the same network segment as
192.168.1.253/24, users cannot log in to device through the Web system. In
this case, configure an IP address on the same network segment as the
management IP address for the PC so that the PC and device have reachable
routes to each other.
Users can log in to the device through the Web system, Telnet, or STelnet for
device maintenance.
----End
1.1.3 Logging In to the Device for the First Time Through the
Web System (Switches Changed to the Cloud-based
Management Mode)
After a switch that supports cloud-based management is changed to the cloud-
based management mode, you can log in to the switch only through the web
system on the PC.

Switches
Context
After a device is changed to the cloud-based management mode, you can log in
to the device through the web system for the first time. After logging in to the
device, you can easily configure the web login function on the device and then
maintain the device in cloud-based management mode on the web page.
Before logging in to a device through the web system, complete the following
tasks:
● Power on the device.

● Ensure that the device has been changed to the cloud-based management
mode.
User name The default username and password

obtain it.
Password The default username and password

obtain it.
User level 15
Procedure
If the device works in cloud-based management mode, you need to connect the
PC to the management interface of the device.
Step 2 Enter the initial configuration state.

Switches
Press and hold down the MODE button for 6 seconds or longer. When all
indicators are steady green, the device enters the initial configuration state.
The system sets the user level to 15 by default.
Step 4 Log in to the device through the web system.

web system login page shown in Figure 1-6, enter the default user name and
default password, and select the system language. Click GO or press Enter. The
web system configuration page is displayed.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
Figure 1-6 First login page in the web system
NOTE
To log in to the device through the web system, the browser on the PC must be Microsoft
Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. If the
browser version or browser patch version is not within the preceding ranges, the web page
may be unable to be displayed normally. You need to upgrade the browser and browser
patch.
----End
1.1.4 Web System Login Configuration

Switches
1.1.4.1 Overview
Definition
The web system can be used to manage devices. The device has an internal web
server which provides a GUI for users. Before using the web system to manage
and maintain a device, you need to log in to the device through HTTPS from a
terminal.
Purpose
You can manage a device using a web system or a command line interface (CLI).
On a CLI, you must use commands to manage and maintain the device. The CLI
method allows you to implement fine-grained device management, but you have
to be familiar with required commands. In comparison, the web system is easier to
operate and allows you to manage and maintain the device on a GUI. However,
the web system provides only basic routine maintenance and management
functions. You can select a proper management method based on actual needs.
To use the CLI, you must log in to the device through a console port or a mini USB
port, or using Telnet or STelnet. To use the web system, you must log in to the
device through HTTPS.
For details on how to log in to a device through the console port or a mini USB
port, or using Telnet or STelnet, see CLI Login Configuration.
Concepts
Before configuring web system login, familiarize yourself with the following
concepts:
● HTTP
Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the
Internet. It runs at the application layer of the TCP/IP protocol stack. The
transport layer uses the connection-oriented TCP protocol. HTTP has security
vulnerabilities. To avoid potential security risks, the device allows you to log in
to the web system only through the more secure Hypertext Transfer Protocol
Secure (HTTPS).
● HTTPS
HTTPS uses secure sockets layer (SSL) to encrypt data exchanged between
the client and device and defines access control policies based on certificate
attributes. HTTPS enhances data integrity and transmission security, ensuring
that only authorized clients can log in to the device.
● SSL policy
An SSL policy defines parameters that the device uses during startup, and is
implemented during configuration of HTTPS. During configuration, the
corresponding digital certificate on the device is loaded. The SSL policy takes
effect only after it is applied to application layer protocols, such as HTTP.
● Digital certificate
A digital certificate is issued by a certificate authority (CA) and uses a digital
signature to bind a public key with an identity (applicant who possesses the
certificate). The digital certificate includes information such as the applicant

Switches
name, public key, digital signature of the CA, and validity period of the digital
certificate. A digital certificate validates the identities of two communicating
parties to improve communication reliability.
● Certificate Authority (CA)
A CA issues, manages, and revokes digital certificates by checking the validity
of digital certificate owners, issuing digital certificates to prevent
eavesdropping and tampering, and managing certificates and keys. A globally
trusted CA is called a root CA. The root CA can authorize other CAs as
subordinate. A CA's identity needs to be verified and is described in a trusted-
CA file.
For example, CA1 is the root CA and issues a certificate for CA2, and CA2 then
issues a certificate for CA3. This process proceeds until the final server
certificate is issued.
Assume that CA3 issues the server certificate. A certificate authentication
process on the client starts from server certificate authentication:
– The client first verifies validity of the server certificate based on the CA3
certificate.
– The client then checks CA2 certificate to verify validity of the CA3
certificate.
– The client then checks CA1 certificate to verify validity of the CA2
certificate.
– The server certificate passes the authentication only when the CA2
certificate is verified valid by the CA1 certificate.
Figure 1-7 shows the certificate issuing and authentication processes.
Figure 1-7 Certificate issuing and authentication

Certificate issuing
Server’s
CA1 CA2 CAn
certificate
Certificate authentication
● Certificate Revocation List (CRL)

A CRL is issued by a CA and specifies a list of certificates that have been
revoked. Therefore, it should not be relied upon.
Each digital certificate has a limited lifetime and a CA can revoke a digital
certificate to shorten its lifetime. The validity period of a certificate specified
in the CRL is shorter than the original validity period of the certificate. If a CA
revokes a digital certificate, the key pair defined in the certificate can no
longer be used even if the digital certificate does not expire. When a
certificate in a CRL expires, the certificate is deleted from the CRL to shorten
the CRL.
You can load the CRL and a certificate (trust certificate) with a higher level than
the digital certificate on your PC. If they are not loaded, you are prompted to
determine whether to trust the server when you attempt to establish a connection
with a web server. If you choose to not trust the server, the connection cannot be
established. If you choose to trust the server, the connection is established

Switches
successfully, and the PC cannot verify the digital certificate on the server. However,
the confidentiality of data transmitted between the PC and server is ensured. To
ensure that you are connecting to a valid web server, you can load a trust
certificate and CRL on the PC. For details on how to load trust certificates, refer to
the help information in the operating system.
1.1.4.2 Web System Login Configuration Tasks

You can configure login through the web system in simple mode or secure mode.
Table 1-7 describes configuration tasks of web system login.
Table 1-7 Configuration tasks of web system login

Scenario Description Section
Simple Mode The device provides a 1.1.4.4 Configuring

Configure device login default SSL policy, and Device Login Through
through the web system the web page file the Web System
contains a self-signed (Simple Mode)
certificate that is
randomly generated. If
the default SSL policy
and self-signed
certificate meet security
requirements, you do not
need to upload a digital
certificate or configure
an SSL policy. The
configuration of this
mode is simple but poses
security risks. It applies
to scenarios that do not
have high security
requirements.
Secure Mode To avoid potential 1.1.4.5 Configuring

Configure device login security risks, you can Device Login Through
through the web system acquire a trust digital the Web System
certificate and private (Secure Mode)
key file from the CA and
manually configure an
SSL policy. This mode
requires more complex
configuration but
provides high security.
You are recommended to
use this mode to
configure device login
through the web system.

Switches
Scenario Description Section
Configure access control To enhance security, you 1.1.4.6 Configuring

on web users can configure access Access Control on Web
control on web users to Users
specify clients that can
log in to the device
through the web system.
NOTE
The device does not provide lifetime management for the self-signed digital certificate,
such as update and revocation. To ensure device and certificate security, you are
recommended to replace the self-signed certificate with a certificate authority (CA)
certificate.
1.1.4.3 Web System Login Default Configuration

Table 1-8 lists the default configuration of web system login.
Table 1-8 Default configuration of web system login

Web page file integrated into system Supported

software
Default SSL policy Supported
HTTPS service HTTPS IPv4: enabled

HTTPS IPv6: disabled
Port number of the HTTPS server 443
Timeout period of an HTTPS 20 minutes

connection
Web user The default username and password

obtain it.
The default user level is 15 and the
default service type is http.
Access control on web users None

Switches
1.1.4.4 Configuring Device Login Through the Web System (Simple Mode)
NOTE
When a device starts without any configuration, HTTP uses the randomly generated self-
signed certificate to support HTTPs. The self-signed certificate may bring risks. Therefore,
you are advised to replace it with the officially authorized digital certificate. For details
about how to replace the certificate, see 1.1.4.5 Configuring Device Login Through the
Web System (Secure Mode).
Before configuring login through the web system (simple mode), configure a
reachable route between a terminal and the device.
Configuration Process
The following configuration tasks must be performed in sequence.
1.1.4.4.1 Uploading and Loading a Web Page File
Context
The system software of the device contains a web page file, and the web page file
is pre-loaded to the device before delivery. If you use this web page file, you do
not need to perform the following configuration. To upgrade the web page file on
the device, log in to Huawei official website to download an independent web
page file, upload and load the file to the device.
NOTE
To obtain a web page file, log in to the Huawei enterprise support website (http://
support.huawei.com/enterprise), choose the product model and version, and select a
patch version under Public Patch in V and R Version to download the required web page
file. The file name is in the format of product name-software version number.web page
file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on the
website to check whether their sizes are the same. If not, an error may occur during file
download. Download the file again.
Each web page file corresponds to a signature file. The method of downloading the
signature file is the same as that of downloading the web page file.
Procedure
Step 1 Upload the web page file.
You can upload the web page file using SFTP or other modes. For details, see
Local File Management.
NOTE
After the file is uploaded to the device, run the dir command in the user view to check
whether the uploaded file has the same size as that on the file server. If not, an error may
have occurred during file upload. Upload the file again.
Step 2 (Optional) Run:

check file-integrity filename signature-filename

Switches
The web page file validity is checked.

Step 3 Load the web page file.
1. Run:
system-view
The system view is displayed.

2. Run:
http server load { file-name | default }
The web page file is loaded.

By default, the web page file in system software is pre-loaded on the device.
If default is specified, the web page file in the system software is loaded. If
file-name is specified, an independent web page file is loaded.
NOTE
If the system software is upgraded from V200R006 or an earlier version to V200R007

or a later version, but the target software version conflicts with the configuration file
for next startup, the device will cancel the configuration of loading the web page file
in the original system software after the upgrade, and load the web page file
integrated in the new system software by default.
----End
1.1.4.4.2 Enabling the HTTPS Service
Context
You can log in to the web system only after the HTTPS service is enabled. To
enhance device security, you can change the port number of the HTTPS server to
prevent attackers from accessing the server using the default port number. In
addition, you can set a timeout period for an HTTPS connection to prevent waste
of web channel resources when no operation is performed in a long time.
By default, the HTTPS IPv4 service is enabled on a device but the HTTPS IPv6
service is disabled, the port number of the HTTPS server is 443, the timeout period
of an HTTPS connection is 20 minutes, and login requests from all interfaces are
accepted. If you use the HTTPS IPv4 service, default port number and timeout
period, and accept login requests from all interfaces, do not perform the following
configuration. To use the HTTPS IPv6 service, you need to enable it first.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http [ ipv6 ] secure-server enable
The HTTPS service is enabled.

By default, the HTTPS IPv4 service is enabled on a device while the HTTPS IPv6
service is disabled.

Switches
Step 3 Run:
http [ ipv6 ] secure-server port port-number
The port number of the HTTPS server is specified.

The default port number of the HTTPS server is 443.
Step 4 Run:
http server-source -i loopback interface-number
A loopback interface is specified as the source interface of the HTTPS server.

Before specifying a source interface for an HTTPS server, ensure that the loopback
interface to be specified as the source interface has been created. If the loopback
interface is not created, the http server-source command cannot be executed.
Step 5 Run:
http timeout timeout
A timeout period is set for HTTPS connections.

The default timeout period is 20 minutes.
----End
1.1.4.4.3 Configuring a Web User and Logging In to the Web System
Context
A web user account can be configured based on the user name, password, level,
and access type. After configuration, you can log in to the web system. Enter the
user name and password to log in to a web system.
NOTE
The default upload/download directory is the root directory. You can modify the upload/
download directory by running the corresponding command in the AAA view.
Procedure
Step 1 Configure a web user.
1. Run:
system-view

2. Run:
aaa
The AAA view is displayed.

3. Run:
local-user user-name password irreversible-cipher password
A local user name and a password are configured.

obtained the access permission of the document, see Help on the website to
find out how to obtain it.

Switches
4. Run:
local-user user-name service-type http
The access type of the local user is set to HTTP
By default, no access type is configured for a local user.

5. Run:
local-user user-name privilege level level
The local user level is set.
By default, the level of the local user is 15 and the user is an administrator.
Only level 3 users and higher are administrators with management rights.
Level 2 users and below are monitoring users. Administrator users have all
operation rights of a web page, and monitoring users can only perform ping
and tracert operations.
After logging in to the web system, monitoring users receive a message,

showing their current level and prompts them to raise their user level. Figure
1-8 and Figure 1-9 show the message displayed on the Classics and
EasyOperation versions.
Figure 1-8 Message received by a monitoring user logging in to the Classics

web system
Figure 1-9 Message received by a monitoring user logging in to the

EasyOperation web system

Switches
Step 2 Log in to the web system.

1. Open the web browser on a PC, enter https:// IP address in the address box,
and press Enter. The web system login page is displayed. Enter the web user
name and password and select a language for the web system, as shown in
Figure 1-10.
IP address specifies the device's management IP address, which can be an
IPv4 or IPv6 address, depending on the HTTPS service type.
To ensure compatibility, a user logging in through HTTP is redirected to
https:// IP address if the user enters http:// IP address in the address box.
Figure 1-10 Web system login page

Switches
NOTE
– The operating system required for web system login must be the Windows 7.0,
Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating
system supports only login to the EasyOperation web system, but does not support file
uploading and downloading.
– To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet
Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the
Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the
browser version or browser patch version is not within the preceding ranges, the web
page may not be properly displayed. Upgrade the browser and browser patch. In
addition, the browser must support JavaScript.
– When logging in to the web system using the Internet Explorer, ensure that active
scripting in the Security tab page is enabled; otherwise, an exception may occur during
web system login.
– The best resolution of the display for web system login is 1316px. If the resolution is
less than 1280px, the system displays a prompt message.
– By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When
logging in to the device through the web system, ensure that the SSL version supported
by the browser is the same as that supported by the device; otherwise, an exception
may occur during web system login. It is recommended that you upgrade the browser
based on the displayed page or modify the SSL configuration. Take the Internet
Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab
to view and select the SSL version.
– If you use Internet Explorer 8.0 running on Windows XP to log in to the web system,
you must configure the RC4 algorithm for the customized SSL cipher suite policy.
Otherwise, you will be unable to log in to the web system. To perform this
configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha |
tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha |
tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha |
tls12_ck_rsa_aes_256_cbc_sha256 } command.
– The web system identifies device information based on the Item value in the device's
electronic label, but the device hardware driver determines whether to start the device
based on the BarCode value. Since the values of BarCode and Item may not be the
same, the web system may not read or display the card information.
– The web system does not support back, forward, and refresh buttons of the browser.
You may return to the login page when you use the buttons.
– If you log in to the Web systems with the same IP address through multiple windows
on a browser, only the latest login is saved. If the Web systems have the same IP
address and the same port number, the latest login account is displayed on earlier web
pages after all the windows are refreshed. If the Web systems have the same IP address
but different port numbers, timeout messages are displayed on earlier web pages after
all the windows are refreshed.
– If the software version of the device changes (for example, the device software is
upgraded or rolled back), clear the browser cache before using the web system.
Otherwise, the web page may be displayed incorrectly.
– You can click Open Source software Notice to view details of the open source
software notice.
2. Select the layout of the web system.
The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations. The Classics version inherits the web page style of
Huawei switches and provides comprehensive configuration and management
functions.
The EasyOperation version is used by default.

Switches
3. Access the password change page of the web system.

On the web system login page, click GO or press Enter to access the
password change page, as shown in Figure 1-11. Change the password and
re-log in to the web system as prompted. You can manage and maintain the
device after logging in to the web system.
NOTE
– The password change page is displayed during the login process only the first time
you log in to the web system.
– The password change page is also displayed if your password will expire or has
expired. To access the web system main page, you must change the password.
– For security purposes, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %).
In addition, the password cannot contain spaces or single quotation marks (').
4. (Optional) Change the default user password.
If you are logged in as an administrator, the system prompts you to change
this password. Figure 1-12 shows the prompt. Click Confirm to display the
User Management page on which you can change the password of the
default user. The default username and password are available in S Series
Switches Default Usernames and Passwords (Enterprise Network or Carrier).
If you have not obtained the access permission of the document, see Help on
the website to find out how to obtain it. Changing this password is
recommended to improve security.

Switches
Figure 1-12 Changing the default user
NOTE
– Only when you log in to the web system as an administrator user (level 3 or
higher), the dialog box is displayed.
– A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the
password cannot contain spaces or single quotation marks (').
----End
1.1.4.4.4 Checking the Configuration of Configuring Device Login Through the Web
System
Context
After completing the configuration, run the following commands in any view on
the CLI to check information about online web users and the HTTPS server.
Procedure
● Run the display http user [ username username ] command to check online
web user information.
● Run the display http server command to check current HTTPS server
information.
----End
1.1.4.5 Configuring Device Login Through the Web System (Secure Mode)
Before configuring login through the web system (secure mode), complete the
following tasks:
● Configure a reachable route between a terminal and the device.

● Obtain a digital certificate and private key file from the CA.

Switches
Configuration Process
The following configuration tasks must be performed in sequence.
1.1.4.5.1 Uploading and Loading a Web Page File
Context
The system software of the device contains a web page file, and the web page file
is pre-loaded to the device before delivery. If you use this web page file, you do
not need to perform the following configuration. To upgrade the web page file on
the device, log in to Huawei official website to download an independent web
page file, upload and load the file to the device.
NOTE
support.huawei.com/enterprise), choose the product model and version, and select a
patch version under Public Patch in V and R Version to download the required web page
file. The file name is in the format of product name-software version number.web page
file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on the
website to check whether their sizes are the same. If not, an error may occur during file
download. Download the file again.
Each web page file corresponds to a signature file. The method of downloading the
signature file is the same as that of downloading the web page file.
Procedure
Step 1 Upload the web page file.
You can upload the web page file using SFTP or other modes. For details, see
NOTE
After the file is uploaded to the device, run the dir command in the user view to check
whether the uploaded file has the same size as that on the file server. If not, an error may
have occurred during file upload. Upload the file again.
Step 2 (Optional) Run:

check file-integrity filename signature-filename
The web page file validity is checked.
Step 3 Load the web page file.

1. Run:
system-view

2. Run:
http server load { file-name | default }
The web page file is loaded.
By default, the web page file in system software is pre-loaded on the device.

Switches
If default is specified, the web page file in the system software is loaded. If
file-name is specified, an independent web page file is loaded.
NOTE
If the system software is upgraded from V200R006 or an earlier version to V200R007

or a later version, but the target software version conflicts with the configuration file
for next startup, the device will cancel the configuration of loading the web page file
in the original system software after the upgrade, and load the web page file
integrated in the new system software by default.
----End
1.1.4.5.2 Configuring an SSL Policy and Loading a Digital Certificate
Context
To avoid potential security risks, you can acquire a trust digital certificate and a
private key file from the CA and manually configure an SSL policy.
The device supports certificates in PEM, ASN1, and PFX formats. Certificates have
the same content regardless of format.
● The PEM (.pem) digital certificate is most commonly used. It applies to text
transmission between systems.
● The ASN1 (.der) format is a universal digital certificate format and the default
format for most browsers.
● The PFX (.pfx) format is a universal digital certificate format and a binary
format that can be converted into PEM or ASN1 format.
Procedure
Step 1 Upload the digital certificate and private key file.
You can upload the digital certificate and private key file using SFTP or other
modes and save them to the security directory. If this directory does not exist, run
the mkdir security command to create it. For procedure on uploading files, see
NOTE
After the files are uploaded to the device, run the dir command in the user view to check if
the uploaded files are the same size as those on the file server. If not, an error may have
occurred. Upload the files again.
Step 2 Configure an SSL policy and load the digital certificate.

1. Run:
system-view

2. (Optional) Customize SSL cipher suite.
a. Run:
ssl cipher-suite-list customization-policy-name
An SSL cipher suite policy is customized and the view of the cipher suite
policy is displayed. If the SSL cipher suite policy already exists, the
command directly displays its view.

Switches
By default, no customized SSL cipher suite policy is configured.

To improve system security, the device only supports secure algorithms.
To improve compatibility, the device also allows you to customize cipher
suite policies. To customize a cipher suite policy, run the ssl cipher-suite
command.
b. Run:
set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha |
tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha |
tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha |
tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }
The cipher suite for a customized SSL cipher suite policy is configured.
By default, no customized SSL cipher suite policy is configured.
To configure cipher suites for a customized SSL cipher suite policy, run the
ssl cipher-suite-list command.
If a customized SSL cipher suite policy is being referenced by an SSL
policy, the cipher suites in the customized cipher suite policy can be
added, modified, or partially deleted. Deleting all of the cipher suites is
not allowed.
c. Run:
quit
Return to the system view.

3. Run:
ssl policy policy-name
An SSL policy is created and the SSL policy view is displayed.

4. (Optional) Run:
ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
The minimum version of an SSL policy is set.
By default, the minimum version of an SSL policy is TLS1.1.

5. (Optional) Run:
binding cipher-suite-customization customization-policy-name
A customized SSL cipher suite policy is bound to an SSL policy.
By default, no customized cipher suite policy is bound to an SSL policy. Each

SSL policy uses a default cipher suite.
After a customized cipher suite policy is unbound from an SSL policy, the SSL
policy uses one of the following default cipher suites:
– tls1_ck_rsa_with_aes_256_sha
– tls1_ck_rsa_with_aes_128_sha
– tls1_ck_dhe_rsa_with_aes_256_sha
– tls1_ck_dhe_dss_with_aes_256_sha
– tls1_ck_dhe_rsa_with_aes_128_sha
– tls1_ck_dhe_dss_with_aes_128_sha
– tls12_ck_rsa_aes_256_cbc_sha256

Switches
After a customized SSL cipher suite policy is bound to an SSL policy, the
device uses an algorithm in the specified cipher suite to perform SSL
negotiation.
The customized cipher suite policy to be bound to an SSL policy contains

cipher suites.
If the cipher suite contains only one type of algorithm (RSA or DSS), the
corresponding certificate must be loaded for the SSL policy. This facilitates SSL
negotiation.
6. Load the digital certificate and specify the private key file.
Only one certificate or certificate chain can be loaded to an SSL policy. (A

certificate chain is a list of trust certificates, starting from end entity's
certificate and ending at the root CA certificate.) If a certificate or certificate
chain has been loaded, run the undo certificate load command to unload
the old certificate or certificate chain before loading a new one. Select the
corresponding configuration based on the certificate type.
NOTE
When loading a certificate or certificate chain to an SSL policy, ensure that the length
of the key pair in the certificate or certificate chain does not exceed 2048 bits. If the
key pair length exceeds 2048 bits, the certificate or certificate chain cannot be
uploaded to the device.
– Load a PEM certificate or certificate chain. Run either of the following
commands based on whether a user obtains a digital certificate or
certificate chain from the CA.
▪ Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-
code cipher auth-code
A PEM digital certificate is loaded and the private key file is specified.
▪ Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename
auth-code cipher auth-code
A PEM certificate chain is loaded and the private key file is specified.
– Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
An ASN1 digital certificate is loaded and the private key file is specified.
– Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file
key-filename } auth-code cipher auth-code
A PFX digital certificate is loaded and the private key file is specified.
NOTE
Before rolling V200R008 or a later version back to an earlier version, back up the SSL
private key file.
----End

Switches
1.1.4.5.3 Enabling the HTTPS Service
Context
Enabling HTTPS service enhances device security, and preserves resources during
timeout periods. To log in to the web system in secure mode, bind an SSL policy to
the device and enable the HTTPS service. You can change the port number of the
HTTPS server to prevent attackers from accessing the server using the default port
number. In addition, you can set a timeout period for an HTTPS connection to
prevent waste of web channel resources.
By default, only the HTTPS IPv4 service (not HTTPS IPv6) is enabled on a device.
On the HTTPS server, port 443 is used, the timeout period of an HTTPS connection
is 20 minutes, and login requests from all interfaces are accepted. If you use the
HTTPS IPv4 service, default port number, default timeout period, and accept login
requests from all interfaces, you only need to bind an SSL policy to the device. To
use the HTTPS IPv6 service, you need to enable it first.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http secure-server ssl-policy policy-name
An SSL policy is bound to the device.

policy-name specifies the SSL policy created in 1.1.4.5.2 Configuring an SSL
Policy and Loading a Digital Certificate.
Step 3 Run:
http [ ipv6 ] secure-server enable
The HTTPS service is enabled.

By default, the HTTPS IPv4 service is enabled on a device while the HTTPS IPv6
service is disabled.
Step 4 Run:
http [ ipv6 ] secure-server port port-number
The port number of the HTTPS server is specified.

The default port number of the HTTPS server is 443.
Step 5 Run:
http server-source -i loopback interface-number
A loopback interface is specified as the source interface of the HTTPS server.

Before specifying a source interface for an HTTPS server, ensure that the loopback
interface has been created. If the loopback interface is not created, the http
server-source command cannot be correctly executed.
Step 6 Run:

Switches
http timeout timeout
A timeout period is set for HTTPS connections.

The default timeout period is 20 minutes.
----End
1.1.4.5.4 Configuring a Web User and Logging In to the Web System
Context
A web user account can be configured based on the user name, password, level,
and access type. After configuration, you can log in to the web system. Enter the
user name and password to log in to a web system.
NOTE
The default upload/download directory is the root directory. You can modify the upload/
download directory by running the corresponding command in the AAA view.
Procedure
Step 1 Configure a web user.
1. Run:
system-view

2. Run:
aaa
The AAA view is displayed.

3. Run:
local-user user-name password irreversible-cipher password
A local user name and a password are configured.

obtained the access permission of the document, see Help on the website to
find out how to obtain it.
4. Run:
local-user user-name service-type http
The access type of the local user is set to HTTP

By default, no access type is configured for a local user.
5. Run:
local-user user-name privilege level level
The local user level is set.

By default, the level of the local user is 15 and the user is an administrator.
Only level 3 users and higher are administrators with management rights.
Level 2 users and below are monitoring users. Administrator users have all

Switches
operation rights of a web page, and monitoring users can only perform ping
and tracert operations.
After logging in to the web system, monitoring users receive a message,
showing their current level and prompts them to raise their user level. Figure
1-13 and Figure 1-14 show the message displayed on the Classics and
EasyOperation versions.
Figure 1-13 Message received by a monitoring user logging in to the Classics

web system
Figure 1-14 Message received by a monitoring user logging in to the

EasyOperation web system
Step 2 Log in to the web system.

1. Open the web browser on a PC, enter https:// IP address in the address box,
and press Enter. The web system login page is displayed. Enter the web user
name and password and select a language for the web system, as shown in
Figure 1-15.
IP address specifies the device's management IP address, which can be an
IPv4 or IPv6 address, depending on the HTTPS service type.
To ensure compatibility, a user logging in through HTTP is redirected to
https:// IP address if the user enters http:// IP address in the address box.

Switches

Switches
NOTE
– The operating system required for web system login must be the Windows 7.0,
Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating
system supports only login to the EasyOperation web system, but does not support file
uploading and downloading.
– To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet
Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the
Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the
browser version or browser patch version is not within the preceding ranges, the web
page may not be properly displayed. Upgrade the browser and browser patch. In
addition, the browser must support JavaScript.
– When logging in to the web system using the Internet Explorer, ensure that active
scripting in the Security tab page is enabled; otherwise, an exception may occur during
web system login.
– The best resolution of the display for web system login is 1316px. If the resolution is
less than 1280px, the system displays a prompt message.
– By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When
logging in to the device through the web system, ensure that the SSL version supported
by the browser is the same as that supported by the device; otherwise, an exception
may occur during web system login. It is recommended that you upgrade the browser
based on the displayed page or modify the SSL configuration. Take the Internet
Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab
to view and select the SSL version.
– If you use Internet Explorer 8.0 running on Windows XP to log in to the web system,
you must configure the RC4 algorithm for the customized SSL cipher suite policy.
Otherwise, you will be unable to log in to the web system. To perform this
configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha |
tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha |
tls12_ck_rsa_aes_256_cbc_sha256 } command.
– The web system identifies device information based on the Item value in the device's
electronic label, but the device hardware driver determines whether to start the device
based on the BarCode value. Since the values of BarCode and Item may not be the
same, the web system may not read or display the card information.
– The web system does not support back, forward, and refresh buttons of the browser.
You may return to the login page when you use the buttons.
– If you log in to the Web systems with the same IP address through multiple windows
on a browser, only the latest login is saved. If the Web systems have the same IP
address and the same port number, the latest login account is displayed on earlier web
pages after all the windows are refreshed. If the Web systems have the same IP address
but different port numbers, timeout messages are displayed on earlier web pages after
all the windows are refreshed.
– If the software version of the device changes (for example, the device software is
upgraded or rolled back), clear the browser cache before using the web system.
Otherwise, the web page may be displayed incorrectly.
– You can click Open Source software Notice to view details of the open source
software notice.
2. Select the layout of the web system.
The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations. The Classics version inherits the web page style of
Huawei switches and provides comprehensive configuration and management
functions.
The EasyOperation version is used by default.

Switches
3. Access the password change page of the web system.

On the web system login page, click GO or press Enter to access the
password change page, as shown in Figure 1-16. Change the password and
re-log in to the web system as prompted. You can manage and maintain the
device after logging in to the web system.
NOTE
– The password change page is displayed during the login process only the first time
you log in to the web system.
– The password change page is also displayed if your password will expire or has
expired. To access the web system main page, you must change the password.
– For security purposes, a password must contain at least two types of the following:
lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %).
In addition, the password cannot contain spaces or single quotation marks (').
4. (Optional) Change the default user password.
If you are logged in as an administrator, the system prompts you to change
this password. Figure 1-17 shows the prompt. Click Confirm to display the
User Management page on which you can change the password of the
default user. The default username and password are available in S Series
Switches Default Usernames and Passwords (Enterprise Network or Carrier).
If you have not obtained the access permission of the document, see Help on
the website to find out how to obtain it. Changing this password is
recommended to improve security.

Switches
Figure 1-17 Changing the default user
NOTE
– Only when you log in to the web system as an administrator user (level 3 or
higher), the dialog box is displayed.
– A secure password should contain at least two of the following: lowercase letters,
uppercase letters, numerals, special characters (such as ! $ # %). In addition, the
password cannot contain spaces or single quotation marks (').
----End
1.1.4.5.5 Checking the Configuration of Configuring Device Login Through the Web
System
Context
After completing the configuration, run the following commands in any view on
the CLI to check information about the SSL policy, loaded digital certificate, online
web users, and current HTTPS server.
Procedure
● Run the display ssl policy [ policy-name ] command to check the configured
SSL policy and loaded digital certificate.
● Run the display http user [ username username ] command to check online
web user information.
● Run the display http server command to check current HTTPS server
information.
----End
1.1.4.6 Configuring Access Control on Web Users
Context
To further enhance security, you can configure an HTTPS access control list to
allow only specified web users to log in to the device. Commands can also be run
to force idle users from occupying resources for too long.
ACL/ACL6 rules:

Switches
● If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set
up HTTPS connections with the local device.
● If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up
HTTPS connections with the local device.
● If an ACL/ACL6 rule is configured but packets from a client do not match the
rule, the client is not allowed to set up HTTPS connections with the local
device.
● If no ACL/ACL6 rule is configured, any clients are permitted to set up HTTPS
connections with the local device.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Configure an ACL/ACL6 on the HTTPS server.
● Configure an HTTPS IPv4 ACL as follows:
a. Run the acl [ number ] acl-number command to enter the ACL view.
HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is
configured, the value of acl-number ranges from 2000 to 2999. If an
advanced ACL is configured, the value of acl-number ranges from 3000 to
3999.
b. Configure an ACL.
The commands for configuring basic and advanced ACLs are different.
▪ Command for configuring a basic ACL:

rule [ rule-id ] { deny | permit } [ source { source-address source-
wildcard | any } | fragment | logging | time-range time-name | vpn-
instance vpn-instance-name ] *
▪ Command for configuring an advanced ACL:

rule [ rule-id ] { deny | permit } { protocol-number | tcp }
[ destination { destination-address destination-wildcard | any } |
destination-port { eq port | gt port | lt port | range port-start port-
end } | { { precedence precedence | tos tos } * | dscp dscp } |
fragment | logging | source { source-address source-wildcard | any }
| source-port { eq port | gt port | lt port | range port-start port-end }
| tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-
range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
c. Run the quit command to return to the system view.
d. Run the http acl acl-number command to configure an HTTPS IPv4 ACL.
By default, no ACL is configured on the HTTPS IPv4 server, that is, all web
clients can set up HTTPS IPv4 connections with the server.
● Configure an HTTPS IPv6 ACL6 as follows:
a. Run the acl ipv6 [ number ] acl6-number command to enter the ACL6
view.
HTTPS IPv6 supports basic and advanced ACL6s. If a basic ACL6 is
configured, the value of acl6-number ranges from 2000 to 2999. If an
advanced ACL6 is configured, the value of acl6-number ranges from 3000
to 3999.

Switches
b. Configure an ACL6.
The commands for configuring basic and advanced ACL6s are different.
▪ Command for configuring a basic ACL6:

rule [ rule-id ] { deny | permit } [ fragment | logging | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-
length | source-ipv6-address postfix postfix-length | any } | time-
range time-name | vpn-instance vpn-instance-name ] *
▪ Command for configuring an advanced ACL6:

rule [ rule-id ] { deny | permit } { tcp | protocol-number }
[ destination { destination-ipv6-address prefix-length | destination-
ipv6-address/prefix-length | destination-ipv6-address postfix postfix-
length | any } | destination-port { eq port | gt port | lt port | range
port-start port-end } | { { precedence precedence | tos tos } * | dscp
dscp } | fragment | logging | source { source-ipv6-address prefix-
length | source-ipv6-address/prefix-length | source-ipv6-address
postfix postfix-length | any } | source-port { eq port | gt port | lt
port | range port-start port-end } | tcp-flag { ack | established | fin |
psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-
instance-name ] *
c. Run the quit command to return to the system view.
d. Run the http ipv6 acl acl-number command to configure an HTTPS IPv6
ACL.
By default, no ACL6 is configured on the HTTPS IPv6 server, that is, all
web clients can set up HTTPS IPv6 connections with the server.
Step 3 (Optional) Run the free http user-id user-id command to force a web user offline.
Currently, the device supports a maximum of five concurrent online web users. The
value of user-id ranges from 89 to 93. If a user occupies the web channel
resources but performs no operation in a long time, other users may fail to log in.
To prevent this situation, run the command to force idle web users to go offline
and release the occupied channel resources.
----End
1.1.4.7 Web System Login Configuration Examples
1.1.4.7.1 Example for Configuring Device Login Through the Web System (Secure
Mode)
Networking Requirements
As shown in Figure 1-18, the device functions as an HTTPS server (an HTTPS IPv4
server is used as an example in this section) and is reachable to the PC. The
management IP address of the HTTPS server is 192.168.0.1/24.
Users want to manage and maintain the device through the web system and have
high security requirements. They have obtained the server digital certificate
1_servercert_pem_dsa.pem and private key file 1_serverkey_pem_dsa.pem from
the CA.

Switches
Figure 1-18 Networking diagram for configuring device login through the web
system (secure mode)
192.168.0.1/24
Network
PC HTTPS_Server
Configuration Roadmap
Loading an independent web page file is used as an example in this section. The
configuration roadmap is as follows:
1. Securely upload necessary files to the server through SFTP, including the web
page file, server digital certificate, and private key file.
2. Load the web page file and digital certificate.
3. Bind an SSL policy and enable the HTTPS service.
4. Configure a web user and enter the web login page.
Procedure
Step 1 Upload files to the device through SFTP.
# Generate a local key pair on the server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS-Server
[HTTPS-Server] dsa local-key-pair create
Info: The key name will be: HTTPS-Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:2048
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[HTTPS-Server] sftp server enable
# Configure the VTY user interface on the server.

[HTTPS-Server] user-interface vty 0 4
[HTTPS-Server-ui-vty0-4] authentication-mode aaa
[HTTPS-Server-ui-vty0-4] protocol inbound ssh
[HTTPS-Server-ui-vty0-4] quit
# Configure an SSH user, including its authentication mode, service type, service
authorized directory and password, user level, and access type.
[HTTPS-Server] ssh user client001 authentication-type password
[HTTPS-Server] ssh user client001 service-type sftp
[HTTPS-Server] ssh user client001 sftp-directory flash:
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user client001 privilege level 15
[HTTPS-Server-aaa] local-user client001 service-type ssh
[HTTPS-Server-aaa] quit
[HTTPS-Server] quit
# Log in to the HTTPS server through SFTP from the terminal and upload the
digital certificate and web page file to the server.

Switches
The SSH client software must be installed on the terminal before login. Third-
party software OpenSSH and Windows Command Prompt window are used as
examples in this section.
NOTE
● Ensure that the OpenSSH version you use is compatible with the terminal's operating
system; otherwise, you may fail to log in to the switch through SFTP.
● For details on how to install OpenSSH, see the instruction of the software.
● You need to use OpenSSH commands for login through OpenSSH. For details on how to
use the OpenSSH commands, see the help document of the software.
● OpenSSH commands can be used in the Windows Command Prompt window only after
the OpenSSH software is installed.
Open the Windows Command Prompt window and run the sftp
client001@192.168.0.1 command to enter the working directory of the SFTP
server. You can access the device through SFTP. (The following information is for
reference only.)
C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
Connecting to 192.168.0.1...
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (DSA) to the list of known hosts.
User Authentication
Password:
sftp>
Upload the digital certificate and web page file from the terminal to the server.
sftp> put web.7z
Uploading web.7z to /web.7z
web.7z 100% 1308478 4.6KB/s 00:11
sftp> put 1_servercert_pem_dsa.pem
Uploading 1_servercert_pem_dsa.pem to /1_servercert_pem_dsa.pem
1_servercert_pem_dsa.pem 100% 1302 4.6KB/s 00:02
sftp> put 1_serverkey_pem_dsa.pem
Uploading 1_serverkey_pem_dsa.pem to /1_serverkey_pem_dsa.pem
1_serverkey_pem_dsa.pem 100% 951 4.6KB/s 00:01
# Run the dir command on the device to check whether the digital certificate and
web page file exist in the current storage directory.
NOTE
If the sizes of the digital certificate and web page file in the current storage directory are
different from sizes of those on the server, an error may have occurred during file transfer.
Upload the files again.
# Create the subdirectory security on the server and copy the digital certificate
and private key file to the subdirectory.
<HTTPS-Server> mkdir security
<HTTPS-Server> copy 1_servercert_pem_dsa.pem security
<HTTPS-Server> copy 1_serverkey_pem_dsa.pem security
# Run the dir command in the security subdirectory to check the digital
certificate.
<HTTPS-Server> cd security
<HTTPS-Server> dir
Directory of flash:/security/

Switches
Idx Attr Size(Byte) Date Time FileName

0 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_dsa.pem
1 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_dsa.pem
65,233 KB total (7,287 KB free)
Step 2 Load the web page file and digital certificate.

# Load the web page file.
<HTTPS-Server> system-view
[HTTPS-Server] http server load web.7z
# Create an SSL policy and load the PEM digital certificate.

[HTTPS-Server] ssl policy http_server
[HTTPS-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa
key-file 1_serverkey_pem_dsa.pem auth-code cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit
# After the preceding configurations are complete, run the display ssl policy
command on the HTTPS server to check detailed information about the loaded
certificate.
[HTTPS-Server] display ssl policy
SSL Policy Name: http_server

Policy Applicants: Config-Webs
Key-pair Type: DSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_dsa.pem
Key-file Filename: 1_serverkey_pem_dsa.pem
Auth-code: ******
MAC:
CRL File:
Trusted-CA File:
Issuer Name:
Validity Not Before:
Validity Not After:
Step 3 Bind an SSL policy to the device and enable the HTTPS service.
# Bind an SSL policy to the device.
[HTTPS-Server] http secure-server ssl-policy http_server
# Enable the HTTPS service.

[HTTPS-Server] http secure-server enable
Step 4 Configure a web user and enter the web login page.
# Configure a web user.
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user admin privilege level 15
[HTTPS-Server-aaa] local-user admin service-type http
[HTTPS-Server-aaa] quit
NOTE
Before configuring a web user, you can run the display this command in the AAA view to
check user names of local users. Ensure that the user name of the configured web user
does not conflict with that of an existing local user. Otherwise, the new web user will
overwrite the existing local user.
# Enter the web login page.

Switches
Open the web browser on the PC, enter https://192.168.0.1 in the address box, and
press Enter to enter the web login page, as shown in Figure 1-19.
Enter the web user name and password and click GO or press Enter to enter the
web system home page.
Step 5 Verify the configuration.
After the configurations are complete, you can log in to the device through the
web system.
Run the display http server command on the device to check the SSL policy name
and the HTTPS server status.
[HTTPS-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :1
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled

Switches
HTTP IPv6 Secure-server Port : 443(443)

HTTP server source address : 0.0.0.0
----End
Configuration Files
HTTPS-Server configuration file
#
sysname HTTPS-Server
#
http server load web.7z
http secure-server ssl-policy http_server
#
aaa
local-user admin password irreversible-cipher $1a$#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP
+sf=70+%^E7,,SF7$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher $1a$L@[C7B11%"H&\fS;qETS`zGI#RyJ%
+A2KzP'.k[0tQ{=Cq5s43s&f^L\In6K$
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-
code cipher %^%#0|:yF=]P~Afis516)rO,3Yu<@/3e]
KFg.q@LG50%%^%#
#
return
Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.
1.1.4.8 Web System Login Common Misconfigurations
1.1.4.8.1 Web System Login Failure
Symptom
In a web system login failure, the device and client can ping each other, but the
device cannot be logged in through the web system.
Procedure
Step 1 Check whether the HTTPS service is enabled.

Switches
● HTTPS IPv4:
By default, the HTTPS IPv4 service is enabled. Run the display this command
in the system view to check whether the undo http secure-server enable
command configuration exists. If it does, the HTTPS IPv4 service is disabled.
You can run the http secure-server enable command in the system view to
enable the HTTPS IPv4 service.
● HTTPS IPv6:
By default, the HTTPS IPv6 service is disabled. You can run the http ipv6
secure-server enable command in the system view to enable the HTTPS IPv6
service.
Step 2 Check whether the number of online web users is at its maximum.
Run the display http user command on the device to check whether the number
of current online web users has reached 5.
Currently, the device supports a maximum of five concurrent online web users. If
an idle user occupies web channel resources, other users may fail to log in. You
can run the free http user-id user-id command to force the user offline.
Step 3 Check whether access control is configured for web users on the device.
● HTTPS IPv4:
Run the display this command in the system view to check whether the http
acl acl-number command configuration exists. If so, record the value of acl-
number.
Run the display acl acl-number command in any view to check whether the
IPv4 address of the web client is denied in the ACL. If so, run the undo rule
rule-id command in the ACL view to delete the deny rule. Then, modify the
ACL and permit the IPv4 address of the web client.
● HTTPS IPv6:
Run the display this command in the system view to check whether the http
ipv6 acl acl6-number command configuration exists. If so, record the value of
acl6-number.
Run the display acl ipv6 acl6-number command in any view to check
whether the IPv6 address of the web client is denied in the ACL. If so, run the
undo rule rule-id command in the ACL6 view to delete the deny rule. Then,
modify the ACL6 and permit the IPv6 address of the web client.
Step 4 Check whether web user access type is correct.
Run the display this command in the AAA view to check whether the access type
of the web user is HTTP. If local-user user-name service-type http exists in the
command output, the access type of user-name is HTTP. If local-user user-name
service-type http does not exist in the command output, run the local-user user-
name service-type http command in the AAA view to set the access type of the
web user to HTTP.
----End
1.1.4.9 FAQ

Switches
1.1.4.9.1 How Do I Obtain the Web Page File?
If the system software of the switch contains a web page file that is loaded, you
do not need to obtain a web page file again. If the system software does not
contain a web page file or you need to upgrade the web page file, log in to
Huawei official website to download a separate web page file and upload the web
page file to the switch.
support.huawei.com/enterprise), choose the product model and version, and
select a patch version under Public Patch in V and R Version to download the
required web page file. The file name is in the format of product name-software
version number.web page file version number.web.7z.
After downloading the file, compare the downloaded web page file with that on
the website to check whether their sizes are the same. If not, an error may occur
during file download. Download the file again.
1.1.4.9.2 Why Only a Few Options Are Available on the Web System?
The user level of the login web user is low.
Web users of level 2 or lower are monitoring users and can use only the ping and
tracert functions. Web users of level 3 or higher are administrator users and have
all operation rights of a web page.
You can run the local-user user-name privilege level level command in AAA view
to set the user level of the login user to level 3 or higher. The login user then has
all operation rights of a web page.
1.1.4.9.3 How Do I Change the Password for Web Login?
If you forget or want to change the web login password, log in to the switch
through the console port, Telnet, or STelnet and set a new password after login.
NOTICE
The Telnet protocol has security vulnerabilities. It is recommended that you log in
to the device through the console port or using STelnet V2.
# Set the user name and password to admin123 and Huawei@123, respectively.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save
1.1.4.9.4 What Is the Difference Between Web and HTTP?

Switches
Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the
Internet. It runs at the application layer of the TCP/IP protocol stack. The transport
layer uses the connection-oriented TCP protocol.
Conclusively, HTTP is a protocol while web is a device management method. Using

the web system to manage and maintain devices requires the HTTP protocol.
1.2 Client Configuration

system of the EasyOperation edition to facilitate user usage.
1.2.1 Understanding the Web System Client User Interface

The following sections help you understand the web system client user interface
and improve your operation efficiency.
1.2.1.1 Window Layout

system.
A typical operation user interface of the web system is shown in the following
figure. Figure 1-20 shows the operation user interface.
Figure 1-20 Operation user interface

Switches
Table 1-9 Window layout
Number Description
1 Function area. The web system of the EasyOperation

edition provides five functions: Monitoring, Configuration,
Diagnosis, Maintenance, and Network.
2 Navigation tree. The navigation tree lists available

configuration items.
3 Status display and operation area. The current status of

devices is displayed in this area, and you can perform the
operations such as creation, deletion, modification,
loading, and searching in this area.
4 CLI switching area. The CLI window can be invoked in this

area and users can manage and maintain devices by
running commands in the window.
If you are using Microsoft Internet Explorer, Initialize and
script ActiveX controls not marked as safe for scripting
must be set to Enable or Prompt. Choose Tools >
Internet Options > Security, click Custom level, and set
Initialize and script ActiveX controls not marked as
safe for scripting to Enable or Prompt. Internet Explorer
8.0 is used in this example.
1.2.1.2 Navigation Tree

This section describes submenus and their functions provided by the web system
of the EasyOperation edition.
The web system of the EasyOperation edition consists of five areas: Monitoring,
Configuration, Diagnosis, Maintenance, and Network, and provides the following
functions: device status overview, interface management, VLAN, DHCP, system
management, service management, diagnosis tool, and network deployment.
Table 1-10 lists submenus in the four areas and describes their functions.
NOTE
The menus and submenus described in this section are used for reference only because the
menus of different switch models have slight differences.
Table 1-10 Description of the web system menus
Menu Submenu Description
Monito Summary (Standalone) Display the device panel, system

ring description, switch status, top 5
bandwidth usage, logs, and alarms.
Summary (SVF) Display SVF brief information and

switch status.

Switches
User Display access user information.
Topology (SVF) Display level-1 AS topology.
Wired Service (SVF) Display information about AS and

user port group.
Wireless Radio Display radio distribution and

Service information.
AP Display AP distribution, AP statistics,

and wired port statistics.
SSID Display SSID and VAP.
Mesh&WDS Display mesh links and WDS bridge

information.
Potential Risk Display the STAs receiving poor

signals and related radio
information.
WIDS Display detection information about

wireless devices and attacked
devices.
Spectrum Provide spectrum analysis.

Analysis
Configu Quick Config Quickly configure switching and

ration routing modes.
SVF Quick SVF Enabling Configure a standalone switch as

Config (SVF) the parent.
AS Addition Add ASs to an SVF and configure

Fabric-Port.
AS User-Side Configure services on AS user port

Service group.
AP Addition Add APs to an SVF.
AP User-Side Configure AP services.

Service
Network-Side Allow users to access the external

Service network.
Advanced SVF AS Access Add AS blacklist and whitelist and

Config (SVF) Mgmt an AS group to an SVF system.
AS Port Group Add an AS port group to an SVF

system.

Switches
AS Profile Add AS profiles to an SVF system.

Mgmt
AS Direct Configure ASs on the parent directly.

Config
Basic Services Interface Interface configuration includes the

Settings following configuration pages: View
Configuration, Connect to PC,
Connect to IP Phone, Connect to
Switch, Connect to Router, Enable/
Disable Interface, Port Loopback
Test, and Detect Link.
PoE Provide PoE management.
VLAN Configure and query VLANs, Modify

VLANs, and Delete VLANs.
DHCP Configure and query DHCP address

pool on VLANIF interface, and DHCP
relay.
MAC Query MAC/IP address table,

Configure static MAC address
entries, Configure static secure MAC
address, Configure blackhole MAC
address entries, and Delete MAC
address entries function.
LBDT Configure the loopback detection

function.
ACL Configure interface ACLs and VLAN

ACLs to filter packets.
User Access Configure Authentication

Control Configuration, Portal Server, and
Access Configuration to provide
security management on the
network.
STP Configure the STP function.
LLDP Configure the LLDP function.
Security ACL Config Configure ACLs.

Services
ACL Reference Reference ACLs.
AAA Configure AAA.
AAA Service Apply AAA.

App

Switches
AAA Profile Provide AAA profile management.

Mgmt
Fast WLAN AC Configure network connections and

Config allow APs to go online.
(Standalone)
AP Configure WLAN service and allow
STAs to go online.
Mesh Configure the mesh network.
Wireless AC Config Set CAPWAP parameters and

Services configure radio calibration.
AP Group Configure AP groups and static load

balancing.
AP Config Add and manage APs.
Profile Configure the WLAN profiles.
Diagno Intelligent Diagnosis Enable intelligent diagnosis for

sis switches, APs, and STAs on WLAN.
Diagnostic Tools Provide switch maintenance and

diagnosis tools.
Mainte System License Load license files and display license

nance Maintenance status.
Restart Restart the switch.

(Standalone)/
Reboot (SVF)
Upgrade Upgrade the system software.
Patch Upload, install, and uninstall

patches.
Log Display the latest 300 logs.
Alarm Display the latest 300 alarms.
Administrator Manage web users.
System Manage the system, including files,

system time, system information,
and factory settings recovery.
SNMP Configure the SNMP agent function.
Electronic Display elabel information on the

Label switch.
AS Interface Display AS interface information.

(SVF)

Switches
AP AP Upgrade Upgrade APs.

Maintenance
AP Restart Restart APs.
Log Manage AP logs.
Account Manage AP accounts.
Networ Role Configuration Determine the role of a device

k before configuring EasyDeploy on
(Standa the device.
lone)
Summary Displays network topology
information and saves the network
topology on the device.
Deployment Deploy unconfigured devices,

replace faulty devices, and perform
batch upgrade based on the
network topology.
Batch Configuration Perform batch configuration on the

devices by delivering command line
scripts to the specified devices.
Power Consumption Displays power consumption of all

the devices on the entire network
and of each device.
1.2.1.3 Buttons
This section describes common buttons on the web system that can be used to
facilitate operations on the web.
Table 1-11 lists the buttons and describes their functions.
Table 1-11 Button description

Button Function
Save the configuration.
Delete a selected data record.
Indicates whether a function is enabled.

ON indicates enabled and OFF indicates
disabled. You can switch this button to
change the status.

Switches
Button Function
Submit the entered configurations and

confirm system display information.
NOTE
If you click Apply on a pop-up dialog box, the
dialog box is not closed.
Create an item on the current page.
Create items in a batch on the current

page.
Search for a value of the current item.
Refresh the current page.
Clear all records on the current page.
1.2.1.4 GUI Elements

This section describes the elements that you usually use on the web system GUI.
Table 1-12 lists the elements that you usually use on the web system GUI.
NOTE
The GUI elements described in this section are used for reference only because the GUI
elements of different switch models have slight differences.
Table 1-12 GUI elements
Name Element
Button
On/off
switch
Option
button
Check box
Tab
Text box
Browse box

Switches
Name Element
Group box
Drop-down
list box
Menu
Sort button Default:

Descending:
Ascending:
Time
setting
Mandatory
option
Interface
panel
CLI
switching
1.2.2 Web User Management

The switch provides a default user name and password for your first login. To
facilitate user management, the web system enables you to add user accounts,
change password, and delete user accounts.
The following sections describe user management operations. Choose
Maintenance > System Maintenance > Administrator to configure user
management.
1.2.2.1 Creating a User Account

You can add user accounts to a switch to allow it to authenticate and authorize
login users based on the local user information. You can also create multiple user
accounts and assign different user levels and passwords for them to refine user
management.
Context
Only administrative users can add user accounts.

Switches
NOTE
You can create a user account of the same or a lower level.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator.
Step 2 Click Create. The Create User dialog box is displayed.
Step 3 On the Create User page, enter values in User name, Password, and Confirm
password and select values for Access level and Access type, as shown in Figure
1-21.
Figure 1-21 Create User
Step 4 Click OK.
----End
1.2.2.2 Changing User Attribute

You can change the password and user level on the web system GUI.
Context
Only administrative users can change the password and user level.
Procedure
Step 2 Click a user name in the User Name column to open the Modify User page.
Step 3 On the Modify User page, enter values in Password and Confirm password, and
select values for Access level and Access type.

Switches
Step 4 Click OK.
----End
1.2.2.3 Deleting a User Account

You can delete user accounts from the web system.
Context
Only administrative users can delete user accounts.
NOTE
You can delete a user account of the same or a lower level, not including your own user
account.
Procedure
Step 2 Select a record that you want to delete and click Delete. The system asks you
whether to delete the record.
Step 3 Click OK.
----End
1.2.3 User Timeout

The web system assigns each user a timeout period to prevent idle users from
occupying system resources.
If you do not perform any operations on the web system GUI for a long time, you
are logged out and the login page is displayed. Figure 1-22 shows the login page.
If you need to continue operations, log in again.

Switches
Figure 1-22 Login page
By default, the timeout period for a login user is 20 minutes. You can change the
timeout period on the System Info page.
Changing the Timeout Period

Choose Maintenance > System Maintenance > System and enter the new
timeout period on the System info page, as shown in Figure 1-23. Click Apply.
Figure 1-23 Setting system information
1.2.4 Switching to the SVF Mode

This section describes how to switch to the SVF mode.

Switches
Context
The web system can change the switch mode between standalone and SVF. The
mode switching button is on the top left corner of the web page.
● is for standalone mode.
● is for SVF mode.
Only the S5720HI, S6720EI, and S6720S-EI support SVF mode.
Procedure
Step 1 Click to change the mode.
Step 2 In the dialog box that is displayed, click OK.
The SVF configuration page is displayed. Choose Configuration > SVF Quick
Config to configure the SVF mode.
----End
1.2.5 Switching to the Classic Edition

The web system of the EasyOperation edition provides only the frequently used
management functions. If you want to use more management functions, you need
to switch to the classic edition.
A button is available on the EasyOperation edition for you to switch to the classic
edition. Click Classic at the upper right corner of the page to switch to the classic
edition. Figure 1-24 shows the Classic button.
Figure 1-24 Switching to the classic edition
1.2.6 Saving Configuration

After performing configuration, you need to save the configuration data.
Otherwise, the configurations will be lost after the device restarts.
Click at the upper right corner to save all the configuration data to the
configuration file.
NOTICE
● Click at the upper right corner after the preceding configuration; otherwise,
the configuration that has not been saved will be lost upon reboot.
● After you click OK or Apply on the current configuration page, the device
continues the operation but does not save configuration.

Switches
1.2.7 Logging Out of the Web System

To protect security of your account and the switch, log out of the web system
immediately after you finish the configurations.
You can log out of the web system in either of the following ways:
● Click on the upper right corner of the page to close the browser.
● Click on any page of the browser.
NOTE
If you use the first method, save the configurations before you close the browser.
Otherwise, the configurations will be lost. If you use the second method, a message is
displayed on the web system, asking whether you want to save the current configuration.
1.3 Monitor
You can monitor device status information in the web system.
1.3.1 Summary (Standalone)

This chapter describes information about the components in standalone mode,
including device panel, system information, system status, bandwidth usage, and
system log.
1.3.1.1 Panel
The panel diagram displays the panel of a switch.
Context
The panel section displays information about interfaces on a switch panel,
including the number of interfaces and status of each interface. When you move
the mouse to an interface, the interface number and status are displayed.
Procedure
Step 1 Click Monitoring on the toolbar. The panel diagram is displayed, as shown in
Figure 1-25.
NOTE
For an S5720HI, choose Monitoring > Summary in the NAC unified mode.
Figure 1-25 Panel diagram

Switches
----End
1.3.1.2 System Description

The System Description page displays information about a switch, such as the
product model, device name, running time, and serial number of the switch.
Procedure
Step 1 Click Monitoring on the toolbar. The system description of the switch is displayed,
as shown in Figure 1-26.
NOTE
Figure 1-26 System Description section
NOTE
The product model, software version, and other product information provided here are only
for reference and may differ from actual device information.
----End
1.3.1.3 Switch Status

The Switch Status section displays status monitoring information of a switch.

Switches
Context
To view the real-time status of a switch, refresh the page.
Procedure
Step 1 Click Monitoring on the toolbar. The switch status is displayed, as shown in
Figure 1-27.
NOTE
Figure 1-27 Switch Status section
Step 2 Click the CPU Usage, Memory Usage, and Temperature tabs to view detailed
status information, as shown in Figure 1-28.

Switches
Figure 1-28 Detailed status information
You can click to switch between different status information.

Step 3 For a battery switch, the battery status is also displayed, as shown in Figure 1-29.
When you move the mouse to a battery status icon, the battery status represent
by the icon is displayed. Table 1-13 shows the status of different batteries and the
corresponding icons.
NOTE
● Battery switches include S5700-28P-LI-BAT and S5700-28P-LI-24S-BAT.

● The preceding product models support the following batteries: lead-acid battery (used
with the PBB-12AHA lead-acid battery charger module), 4AHA lithium battery, and
8AHA lithium battery.

Switches
Figure 1-29 Switch Status section
Table 1-13 Battery status and status icons

Battery Battery Status Icon
Type
Lead- Absent
acid
battery Charging
Full power
Discharging
Abnormal

Switches
Battery Battery Status Icon

Type
Lithium Absent
battery
Charging
Full power
Discharging
The remaining power is
normal (higher than or
equal to 20%).
Discharging
The remaining power is
too low (lower than
20%).
NOTE
Abnormal A lithium battery is discharging, and the
displayed status icon depends on the remaining
Upgrading power of the battery. If the remaining power is
less than 20% of the full power, the red
discharging icon is displayed, indicating that the
power is too low. If the remaining power is more
than 20% of the full power, the green
discharging icon is displayed.
When a lithium battery is charging or
discharging, the current power percentage is
displayed above the status icon. For example, if a
lithium battery is fully charged, "Lithium battery
100%" is displayed. If the remaining power of a
discharging lithium battery is too low, "Lithium
battery 18%" is displayed.
----End
1.3.1.4 TOP5 Bandwidth Utilization

This section describes operations you can perform on the TOP5 Bandwidth
Utilization.
Procedure
Step 1 Click Monitoring to open the Monitoring page, and click on the left of
Interface Bandwidth Utilization, Log, Alarm, etc. The top 5 interface bandwidth
utilization is displayed, as shown in Figure 1-30.
NOTE

Switches
Figure 1-30 Top 5 Bandwidth Utilization
Step 2 If you want to view the bandwidth utilization of a specific interface, click the
interface below Port Name. The Bandwidth Utilization is displayed. On the page,
you can view the real-time bandwidth utilization of this interface, as shown in
Figure 1-31.
Figure 1-31 Bandwidth Utilization
Step 3 If you want to view the bandwidth utilization of other interfaces, click More in the
lower right corner of the Top 5 Bandwidth Utilization. The Port List is displayed.
You can view detailed information about other interfaces on the Port List, as
shown in Figure 1-32.

Switches
Figure 1-32 Port List
You can use the following method to search and view detailed information about
a specific interface on the Port List.
1. Select an interface type from the drop-down list.
2. Enter the interface number in the second search box.
3. Click .
On the Port List, you can perform refresh, clear, and clear all operations.
● Click Refresh to obtain the latest bandwidth utilization.
● Click Clear to clear the bandwidth utilization of a specified interface and
refresh the page.
● Click Clear All to clear the bandwidth utilization of all interfaces and refresh
the page.
Table 1-14 describes the parameters on the Port List.
Table 1-14 Port List
Item Description
Interface Name Bandwidth utilization of an interface

with a specified type and number.
Inbound Bandwidth Usage Bandwidth utilization of the incoming

traffic.
Outbound Bandwidth Usage Bandwidth utilization of the outgoing

traffic.
Inbound Error Packets Number of error packets received by

an interface.
Outbound Error Packets Number of error packets sent by an

interface.

Switches
Item Description
Inbound Broadcast Packets Number of broadcast packets received

by an interface.
Outbound Broadcast Packets Number of broadcast packets sent by

an interface.
Operation Click Details to obtain the running

status of the interface and interface
statistics.
----End
1.3.1.5 Log
The Log section displays five latest logs with highest severities, providing the
generation time and contents of each log.
Context
You can click More to view more logs.
Procedure
Interface Bandwidth Utilization, Log, Alarm, etc. Logs are displayed in the Log
section, as shown in Figure 1-33.
NOTE
Figure 1-33 Log section

Switches
Step 2 Click More to display the Log page. You can view latest logs with highest
severities on this page.
----End
1.3.1.6 Alarm
The Alarm section displays five latest alarms, providing the generation time and
contents of each alarm.
Context
You can click More to view more alarms.
Procedure
Interface Bandwidth Utilization, Log, Alarm, etc. Alarms are displayed in the
Alarm section, as shown in Figure 1-34.
NOTE
Figure 1-34 Alarm section
Step 2 Click More to display the Alarm page. You can view latest alarms on this page.
----End
1.3.1.7 Power status

The Power status section displays power module presence information and
working status, total power of PoE powers, and available PoE power.

Switches
Context
For a non-PoE device that provides only internal power modules, the Power
status section is not displayed on the Monitor page. If the device does not
support PoE power supply, total available PoE power and total PoE output power
are not displayed in the Power status section.
Procedure
Interface Bandwidth Utilization, Log, Alarm, etc. The Power Status is displayed,
NOTE
Figure 1-35 Power Status section
----End
1.3.2 Summary (SVF)

This chapter describes the SVF information and system status.
Context
Procedure
Step 1 Choose Monitoring > Summary to view information such as SVF summary and
system status, as shown in Figure 1-36.

Switches
Figure 1-36 Summary
Step 2 Click Member Device Status in the lower left corner of the page to view SVF
member information, including member name, type, model, MAC address, and
status, as shown in Figure 1-37.
Figure 1-37 Member Device Status
----End
1.3.3 User
This chapter describes how to view user information.
NOTE
Only the S5720HI supports this function. The S6720EI and S6720S-EI support this function in
SVF mode.
This node is only available in the NAC unified mode.

Switches
1.3.3.1 User Distribution

This section provides the access user list.
Procedure
Step 1 Choose Monitoring > User and click the User Distribution tab. The access user
list is displayed, as shown in Figure 1-38.
Figure 1-38 User distribution list.
NOTE
The S6720EI (SVF mode) and S6720S-EI (SVF mode) do not display wireless user information.
----End
1.3.3.2 Wired User Statistics

This section provides the wired user list.
Procedure
Step 1 Choose Monitoring > User and click the Wired User Statistics tab. The wired
user list is displayed, as shown in Figure 1-39.
Figure 1-39 Wired user list
----End
1.3.3.3 Wireless User Statistics (S5720HI)
Context
You can view traffic statistics of each user through the user monitoring page so
that you can learn the wireless network status.

Switches
NOTE

Procedure
● View the user list.
a. Choose Monitoring > User > Wireless User Statistics. The Wireless
User List page is displayed.
b. Click the downward arrow next to Default to customize items to be
displayed. Click All to display all items.
Table 1-15 Statistics in the user list
Parameter Description
User Name Name of the user.
MAC Address MAC address of the STA.
AP ID ID of the AP that a STA associates with.
AP Name Name of the AP that a STA associates with.
AP Group AP group of the AP that a STA associates with.
IP Address IP address of the STA.
SSID SSID that the STA associates with.
Frequency Band Frequency band type used by the STA to access

the wireless network.
STA HT Mode Radio working mode.
Authentication Authentication mode used by the STA to go

Mode online.
VLAN VLAN for data services of the STA.

Switches
RSSI Strength of RF signals received by the STA.
Negotiation Rate Negotiated rate of the STA when it goes online on

an AP.
Throughput Valid downlink and uplink throughput of the STA.
SNR SNR of the STA.
Channel Channel used by the STA.
Channel Usage Channel usage of the STA.
Frame Quantity Number of uplink and downlink frames

transmitted by the STA.
Downlink Retransmission ratio of service data of the STA.

Retransmission
Ratio
Downlink Packet Packet loss ratio of service data of the STA.

Loss Ratio
c. Search for a user.

In Wireless User Performance Distribution, select specific users based
on the downlink negotiation rate, SNR, and packet loss ratio, (select an
area in the bar graph).
NOTE
● Move the cursor to Channel Usage to view details about channel usage of the user,
including the transmitting time ratio, receiving time ratio, interference ratio, and idle
rate of the channel.
● Click the rightward arrow on the left of the list to view the following recent information
about the user: SNR, downlink negotiation rate, channel usage, valid downlink and
uplink throughput, retransmission ratio, and packet loss ratio graph.
● Intelligently diagnose STA access faults.
Select a user in Wireless User List and click Intelligent Diagnosis to
diagnose login failures, disconnection, and slow service rate or unavailable
service transmission. The web platform will provide handling suggestions. For
details, see 1.5.1 Intelligent Diagnosis (S5720HI).
● Query the roaming track of a STA.
Select a STA in Wireless User List and click Roaming Track to query its
roaming track.
● Query login failure records.
Click Login Failure Record to view all login failure records on the AC and
identify fault causes.
● Query user logout records.
Click Logout Record to view all logout records on the AC and identify fault
causes.

Switches
● Force a STA to go offline.

Select a STA in Wireless User List and click Forcible Logout to force the STA
to go offline.
● Export user information.
Click Export Info in Wireless User List to export user information in .csv file.
----End
1.3.4 Topology (SVF)

This section shows AS topology, including the AS status.
Context
The topology is displayed only in SVF mode.
Procedure
Step 1 Choose Monitoring > Topology. The level-1 AS topology is displayed, as shown in
Figure 1-40.
Figure 1-40 Level-1 AS Topology
Step 2 Click the level-1 AS icon to display the level-2 AS topology, as shown in Figure
1-41.

Switches
Figure 1-41 Level-2 AS Topology
NOTE
To view the AS panel information and user information on interfaces, click the device name
beside the level-1 or level-2 AS.
----End
1.3.5 Wired Service (SVF)

This chapter describes how to view AS and user port group information.
Wired services are displayed only in SVF mode.
1.3.5.1 AS
This section shows the AS information in SVF mode, including AS name, device
model, and system status.
Procedure
Step 1 Choose Monitoring > Wired Service > AS. The AS list is displayed, as shown in
Figure 1-42.

Switches
Figure 1-42 AS List
----End
1.3.5.2 User Port Group

This section describes how to view the user group list, including port group name
and number of member ports.
Procedure
Step 1 Choose Monitoring > Wired Service > User Port Group. The user port group list
is displayed, as shown in Figure 1-43.
Figure 1-43 User Port Group List
----End
1.3.6 Wireless Service (S5720HI)

Context
NOTE

1.3.6.1 Radio
Context
You can view details about radios of APs through the radio monitoring page.
Procedure
● View the radio list.
a. Choose Monitoring > Wireless Service > Radio. The Radio List page is
displayed.

Switches

Table 1-16 Statistics in the radio list

AP ID ID of the AP.
AP Name Name of the AP.
Radio ID Radio ID of the AP.
Frequency Band Frequency band on which a radio works.
STA HT Mode Radio type.
Status Radio status.
Working Mode Radio working mode.
Channel Working channel of a radio.
Frequency Channel bandwidth of a radio.

Bandwidth
EIRP/Max EIRP Radio power configured/Maximum power in

compliance with local laws and regulations.
Access STA Number of STAs associated with a radio.
Noise Strength Radio noise level.
Channel Usage Channel usage of a radio.
Rate Radio rate.
Total Frame Total number of frames received and sent by a

Quantity radio.
Downlink Retransmission ratio on a radio.

Retransmission
Ratio

Switches
Downlink Packet Packet loss ratio on a radio.

Loss Ratio
c. Search for a radio.

In Radio Performance Distribution, select specific radios based on the
noise level, channel usage, and interference ratio (select an area in the
bar graph).
NOTE
● Move the cursor to Channel Usage to view details about channel usage, including the
transmitting time ratio, receiving time ratio, interference ratio, and idle rate of the
channel.
● Click the rightward arrow on the left of the list to view the following information of the
radio: number of recently accessed STAs, noise level, channel usage, rate, retransmission
ratio, and packet loss ratio.
● Implement spectrum analysis.
Select a radio from Radio List and click Spectrum Analysis. The spectrum
charts of the radio are displayed. For details, see 1.3.6.7 Spectrum Analysis.
● Intelligently diagnose radio faults.
Select a radio in Radio List and click Intelligent Diagnosis to diagnose Mesh
link faults, AP failures, and AP upgrade failures. The web platform will provide
handling suggestions. For details, see 1.5.1 Intelligent Diagnosis (S5720HI).
● Capture wireless packets.
Select a radio in Radio List and click Wireless Packet Obtaining to capture
wireless packets so that you can identify faults. For details, see 1.5.2.2
Wireless Packet Capturing (S5720HI).
● View field strength information.
Select a radio in Radio List and click Field Strength Collection to view field
strength information.
Table 1-17 Field strength information
Local AP ID ID of the local AP.
Local AP Name Name of the local AP.
Local AP MAC MAC address of the local AP.
Radio ID ID of a radio of which field strength information is

collected.
Local AP Position This parameter takes effect only when the location-
No. based handover algorithm is enabled.

Switches
Neighboring AP ID ID of the peer AP.
Neighboring AP Name of the peer AP.

Name
Neighboring AP MAC address of the peer AP.

MAC
Neighboring AP This parameter takes effect only when the location-

Position No. based handover algorithm is enabled.
Neighboring AP RSSI of the peer AP.

RSSI
Refresh Time Interval for updating field strength information.
● View radio calibration records.

Click Radio Calibration Record. Radio calibration records are displayed.
Table 1-18 Description of radio calibration records
Time Time when calibration is triggered.
AP ID ID of the AP.
Radio ID ID of the radio.
Channel Before/ Radio channel before/after radio calibration.

After Calibration
Bandwidth Before/ Radio bandwidth before/after radio calibration.

After Calibration
Eirp Before/After Transmit power of the radio before/after radio

Calibration calibration.
RSSI Before/After RSSI of an AP before/after radio calibration.

Calibration
Calibration Cause Cause of radio calibration.
● Export the radio list.
Click Export Info. The radio list is exported in a .csv file.
----End

Switches
1.3.6.2 AP
1.3.6.2.1 AP Statistics Collection
Context
You can view AP performance statistics on the AP Statistics Collection page.
Procedure
● View the AP list.
a. Choose Monitoring > Wireless Service > AP > AP Statistics Collection.
The AP List page is displayed.

Table 1-19 Statistics in the AP list
AP ID ID of the AP.
MAC Address MAC address of the AP.
AP Group AP group to which APs belong.
IP Address IP address of the AP.
AP Type Type of the AP.
Version Software version of the AP.
Serial Number SN of the AP.
Status Working status of the AP.
Central AP ID ID of the central AP.
Central AP Name Name of the central AP.

Switches
Central AP MAC MAC address of the central AP.

Address
STA Access Failure Failure ratio of STAs connect to a WLAN.

Ratio
Logout Ratio User logout ratio.
STA Quantity Number of STAs associated with the AP.
CPU Usage Current CPU usage of the AP.
Memory Usage Current memory usage of the AP.
Wired-side Throughput on the wired side.

Throughput
Login Period Time when the AP went online.
Total Restart Total number of times the AP restarts.

Count
Poweroff Restart Number of times the AP restarts due to power

Count failures.
● Intelligently diagnose AP faults.
Select an AP in AP List and click Intelligent Diagnosis to diagnose Mesh link

faults, AP failures, and AP upgrade failures. The web platform will provide
● View login failure records.
Click Login Failure Record in AP List. The Login Failure Record page is
displayed, on which you can view all records about the STA login failure on
the AP to locate the related fault causes.
● View user logout records.
Click Logout Record in AP List. The Logout Record page is displayed, on

which you can view all STA offline records on the AP to locate the related
fault causes.
● Export the AP list.
Click Export Info to export the AP list a .csv file.
----End
1.3.6.2.2 AP Wired Interface Statistics Collection
Context
You can view statistics about the AP's wired interfaces on the AP Wired Interface
Statistics Collection page.

Switches
Procedure
● View the AP wired interface statistics list.
a. Choose Monitoring > Wireless Service > AP > AP Wired Interface
Statistics Collection. The AP Wired Interface Statistics List page is
displayed.
b. View statistics about the AP's wired interfaces in AP Wired Interface

Statistics List. See Table 1-20 for descriptions of related parameters.
Table 1-20 Parameters in the AP Wired Interface Statistics List page
AP ID AP ID.
AP Name AP name.
MAC Address AP's MAC address.
Interface Name Name of the AP's wired interface.
Connection Status Connection status of the AP's wired interface.
Negotiated Rate Negotiated rate of the AP's wired interface.
----End
1.3.6.3 SSID
1.3.6.3.1 SSID
Context
You can view transmission statistics about a network identified by a service set
identifier (SSID).
Procedure
● View the SSID list.
Choose Monitoring > Wireless Service > SSID > SSID. The SSID List page is
displayed.

Switches
Table 1-21 Statistics in the SSID list

SSID SSID of the network that STAs access.
User Quantity Number of STAs that access the network identified by

a specific SSID.
AP Quantity Number of APs using a specific SSID.
Valid Throughput Valid throughput of the SSID.
Frame Quantity Number of frames

Retransmission
Ratio

Loss Ratio
● View the status graph.

Select an SSID in SSID List to view the user statistic graph and throughput
statistic graph matching the SSID.
----End
1.3.6.3.2 VAP
Context
You can view transmission statistics on each VAP through the VAP monitoring
page.
Procedure
● View the VAP list.
Choose Monitoring > Wireless Service > SSID > VAP. The VAP List page is
displayed.

Switches
Table 1-22 Statistics in the VAP list
AP ID ID of the AP on which the VAP is created.
AP Name Name of the AP on which the VAP is created.
Radio ID Radio ID of the AP on which the VAP is created.
WLAN ID VAP ID.
SSID SSID of the VAP
BSSID BSSID of the VAP.
Authentication Authentication mode of the VAP.

Mode
Access User Number of access users on the VAP.

Quantity
Status Working status of the VAP.
● View the status graph.
Select a VAP in VAP List to view graphs of top 10 applications of traffic within
the latest 60s and cumulative traffic at the lower part of the page.
Click ... next to Application name in Query by Application to view details

about traffic of other applications.
● Clear application statistics on a VAP.
Select the target VAP in VAP List and click Reset Application Statistics to
clear application statistics on the VAP.
----End
1.3.6.4 Mesh&WDS
1.3.6.4.1 Mesh Link Information
Context
You can view Mesh link information through the Mesh link information
monitoring page.

Switches
Procedure
● View the Mesh link list.
a. Choose Monitoring > Wireless Service > Mesh&WDS > Mesh Link
Information. You can view Mesh link list at the page that is displayed.
Table 1-23 Statistics in the Mesh link list

AP ID ID of the local AP.
AP Name Name of the local AP.
AP MAC MAC address of the local AP.
AP Group AP group to which the local AP belongs.
Radio ID Radio ID of a Mesh link.
Channel Channel of a Mesh link.
Coverage Distance Radio coverage distance of the local AP.

Different radio coverage distance parameters
correspond to different values of slottime (inter-
frame interval), acktimeout (ACK timeout period),
and ctstimeout (RTS/CTS timeout period). You must
configure a proper coverage distance parameter
based on AP distance; otherwise, WDS links cannot
be established due to a packet timeout.
Mesh Working Mesh mode of the local AP.

Mode
Peer AP ID ID of the peer AP.
Peer MAC MAC address of the peer AP.
Peer AP Name Name of the peer AP.
Peer AP Status Working status of the peer AP.
Current RSSI Current RSSI of a Mesh link.
Maximum RSSI Maximum RSSI that a Mesh link ever had.
----End

Switches
1.3.6.4.2 WDS Network Bridge Information
Context
You can view WDS link information through the WDS bridge information
monitoring page.
Procedure
● View WDS network bridge information.
a. Choose Monitoring > Wireless Service > Mesh&WDS > WDS Network
Bridge Information. The WDS Network Bridge List page is displayed.
Table 1-24 Statistics in the WDS bridge list
AP ID ID of the local AP.
AP Name Name of the local AP.
AP MAC MAC address of the local AP.
AP Group AP group to which the local AP belongs.
Radio ID Radio ID of a WDS link.
Channel Channel of a WDS link.
Coverage Distance Radio coverage distance of the local AP.

Different radio coverage distance parameters
correspond to different values of slottime (inter-
frame interval), acktimeout (ACK timeout period),
and ctstimeout (RTS/CTS timeout period). You must
configure a proper coverage distance parameter
based on AP distance; otherwise, WDS links cannot
be established due to a packet timeout.
Network Bridge Bridge mode of the local AP.

Working Mode
Peer AP ID ID of the peer AP.
Peer MAC MAC address of the peer AP.
Peer AP Name Name of the peer AP.
Peer AP Status Working status of the peer AP.
Current RSSI Current RSSI of a WDS link.

Switches
Maximum RSSI Maximum RSSI that a WDS link ever had.
----End
1.3.6.5 Potential Risk
Context
You can view and analyze statistics on exceptions of STAs and radios so that you
can identify potential risks.
Procedure
● View potential risks of STAs.
a. Choose Monitoring > Wireless Service > Potential Risk. The Potential
Risk page is displayed.
b. Click the number next to a condition in the User area. The details about
abnormal users are displayed in the Wireless User List at the lower part
of the page.
Table 1-25 Statistics on an abnormal user
User Name Name of the user.
MAC Address MAC address of the STA.
AP ID ID of the AP that the STA associates with.
AP Name Name of the AP that the STA associates with.
AP Group AP group to which the AP belongs.
IP Address IP address of the STA.

Switches
SSID SSID that the STA associates with.
Frequency Band Frequency band used by the STA to associate with

the AP.
STA HT Mode Current radio mode of the STA.
Authentication Authentication mode used by the STA to go online.

Mode
VLAN VLAN for data services of the STA.
RSSI Strength of RF signals received by the STA.
Negotiation Rate Negotiated rate of the STA.
Throughput Valid throughput of the STA.
SNR Uplink SNR of the STA.
Channel Channel used by the STA.
Channel Usage Channel usage for service data of the STA.
Frame Quantity Number of frames of service data of the STA.
Downlink Retransmission ratio of service data of the STA.

Retransmission
Ratio
Downlink Packet Packet loss ratio of service data of the STA.

Loss Ratio
● Intelligently diagnose STA access faults.

Select a user in Wireless User List at the lower part of the page and click
Intelligent Diagnosis to diagnose login failures, disconnection, and slow
service rate or unavailable service transmission. The web platform will provide
● View potential risks of radios.
a. Choose Monitoring > Wireless Service > Potential Risk. The Potential
Risk page is displayed.
b. Click the number next to a condition in the Radio area. The details about
abnormal radios are displayed in Radio List at the lower part of the
page.

Switches
Table 1-26 Statistics on an abnormal radio

AP ID ID of the AP.
Radio ID Radio ID of the AP.
Status Radio status.
Working Mode Radio working mode.

Bandwidth
EIRP/Max Radio power configured/Maximum power in

EIRP(dBm) compliance with local laws and regulations.
Access STA Number of STAs associated with a radio.
Noise Strength Radio noise level.
Channel Usage Channel usage of a radio.
Rate Radio rate.
Total Frame Total number of frames received and sent by a radio.

Quantity

Retransmission
Ratio

Loss Ratio
● Intelligently diagnose radio faults.

Select a user or radio to diagnose Mesh link faults, AP failures, and AP
upgrade failures. The web platform will provide handling suggestions. For
details, see 1.5.1 Intelligent Diagnosis (S5720HI).
● Implement spectrum analysis.
Select a radio from Radio List and click Spectrum Analysis. The spectrum
charts of the radio are displayed. For details, see 1.3.6.7 Spectrum Analysis.
----End

Switches
1.3.6.6 WIDS
Procedure
● View device detection results.
a. Choose Monitoring > Wireless Service > WIDS. The WIDS page is
displayed.
b. View device detection results in Device Detection. Table 1-27 describes
the device detection parameters.
Table 1-27 Device detection parameters
Unauthorized device Number of unauthorized devices.
Interference source Number of interference sources.
Authorized device Number of authorized devices.
Countermeasure list Number of countered devices.
c. Click a number in the detection result list.
The detected device information is displayed in Device Detection

Information. Table 1-28 describes the parameters.
Table 1-28 Device detection parameters
MAC Address MAC address of the device.

Switches
Device Model -
SSID SSID of the device.
Channel Channel used by the device.
Number of Detected APs Number of APs that detect the

device.
Discovered At Time when the device is detected.
d. Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed. Table 1-29
describes the parameters.
Table 1-29 Parameters of APs that detect the device

AP ID ID of the AP that detects the

device.
AP Name Name of the AP that detects the

device.
MAC Address MAC address of the AP that

detects the device.
AP Group AP group to which the AP that

detects the device belongs.
IP Address IP address of the AP that detects

the device.
RSSI of Detected Device RSSI of the detected device.
e. In the list of APs that detect the device, select an AP and click View
Whitelist to check the WIDS whitelist of the AP.
● Clear device detection statistics.
displayed.
b. Click Clear in Device Detection.
● View attack detection results.
displayed.
b. View attack detection results in Attack Detection. Table 1-30 describes
the attack detection parameters.

Switches
Table 1-30 Attack detection parameters

Flood attack Number of flood attacks,

including the following types of
attacks:
● Flood attack of probe request
frames
● Flood attack of authentication
request frames
● Flood attack of
deauthentication request
frames
● Flood attack of association
request frames
● Flood attack of disassociation
request frames
● Flood attack of reassociation
request frames
● Flood attack of action frames
● Flood attack of EAPOL
authentication request frames
● Flood attack of EAPOL offline
frames
Weak IV attack Number of weak IV attacks.

Switches
Spoofing attack Number of spoofing attacks,

including the following types of
attacks:
● Attack of spoofing
deauthentication frames
● Attack of spoofing
disassociation frames
● Other types of spoofing frames
Brute force cracking Number of brute force cracking

attacks, including the following
types of attacks:
● Brute force cracking attack in
WEP-SK authentication mode
WPA-PSK authentication mode
WPA2-PSK authentication
mode
WAPI authentication mode
c. Click a number in the attack detection result list to view details. Table
1-31 describes the parameters.
Table 1-31 Attack detection parameters
MAC Address MAC address of the attacking

device.
Channel Channel used by the attacking

device.

Switches
RSSI RSSI of the attacking device.
Monitor AP Name of the AP that detects

attacks.
First DetectionTime Time when attacks are detected.
NOTE
By default, information about the active attacks is displayed. You can click Historical
Attack to check historical attack detection records.
d. Click View Dynamic Blacklist. The View Dynamic Blacklist page is
displayed. Table 1-32 describes the dynamic blacklist parameters.
Table 1-32 Dynamic blacklist parameters

MAC Address MAC address of the attacking

device.
Attack Type Type of attacks detected.
Monitor AP Name of the AP that detects

attacks.
● Clear attack detection statistics.

displayed.
b. Click Clear in Attack Detection.
----End

Switches
1.3.6.7 Spectrum Analysis
Context
The AP3010DN-AGN and AP9330DN do not support this function.
On the Spectrum Analysis page, you can enable or disable the spectrum analysis
function on a radio and view spectrum charts. The Spectrum Analysis page can
display eight types of spectrum charts, including Swept Spectrogram, Active
Devices, Real-Time FFT, Channel Metrics, Channel Quality Trend, FFT Duty
Cycle, Interference Power, and Quality Spectrogram.
Table 1-33 Description of spectrum charts
Typ Icon Description

e
Sw Swept Spectrogram displays RSSI

ept distribution of one or all channels within
Spe valid collection intervals.
ctro It can reflect the spectrum characteristics of
gra a specific device. For example, frequency
m modulation (FM) devices feature
instantaneous frequency deviation, such as
cordless phones, Bluetooth devices, and
wireless game controllers.
On Swept Spectrogram, the horizontal
coordinate indicates the channel frequencies,
and the vertical coordinate indicates the time
(with the latest time displayed at the
bottom). The color brightness indicates the
RSSI strength. The colors blue, green, cyan,
yellow, and red indicate the RSSI strength in
ascending order.
Acti Active Devices displays non-Wi-Fi

ve interference devices identified by the AP.
Dev Currently, the AP can identify baby monitors,
ices Bluetooth devices, digital cordless phones (at
2.4 GHz frequency band only), wireless audio
transmitters, wireless game controllers, and
microwave ovens. Due to spectrum
differences of individual APs, some of these
non-Wi-Fi devices may not be identified.
Active Devices can be displayed as a pie
chart (default) or table. You can click
and to switch between the two display
modes.
Active Devices provides the following
information:

Switches

e
● Table: type of the detected non-Wi-Fi

device, RSSI, duty cycle, center frequency,
time at which the non-Wi-Fi device is
detected, frequency bandwidth, time at
which the non-Wi-Fi device is activated,
and channels affected by the non-Wi-Fi
device
● Pie chart: type of the detected non-Wi-Fi
device and the percentage
Rea Real-Time FFT displays the RSSI values of

l- one or all channels within valid collection
Tim intervals.
e On Real-Time FFT, the horizontal coordinate
FFT indicates the channel frequencies, and the
vertical coordinate indicates the RSSI values.
Cha Channel Metrics can be displayed as a bar

nne
l chart (default) or table. You can click and
Me to switch between the two display
tric modes.
s Channel Metrics provides the following
information:
● Table: channel at which the non-Wi-Fi
device is detected, number of authorized
APs, number of rogue APs, number of
non-Wi-Fi devices, center frequency,
channel usage, maximum AP power, and
maximum interference
● Bar chart: channel usage of Wi-Fi and
non-Wi-Fi devices (On the bar chart, the
horizontal coordinate indicates the
channels, and the vertical coordinate
indicates the channel usage.)
Cha Channel Quality Trend displays the quality

nne trends of channels. Channel quality = 1 -
l Sum of duty cycle of each interference source
Qu On Channel Quality Trend, the horizontal
alit coordinate indicates the time, and the
y vertical coordinate indicates the channel
Tre quality. Channels are distinguished by the
nd color.

Switches

e
FFT FFT Duty Cycle displays duty cycle

Dut information about each frequency within a
y valid collection interval (60s).
Cyc Duty cycle indicates the ratio of the time
le segment t during which the RSSI value is 20
dB higher than the predefined noise value to
the entire collection interval T.
On FFT Duty Cycle, the horizontal
coordinate indicates frequencies, and the
vertical coordinate indicates the duty cycle.
Inte Interference Power displays the real-time

rfer interference strength of channels.
enc On Interference Power, the horizontal
e coordinate indicates channels, and the
Po vertical coordinate indicates the interference
wer signal strength. Interference types are
distinguished by the color.
Qu Quality Spectrogram displays the quality of

alit one or all channels within valid collection
y intervals. Channel quality = 1 - Sum of duty
Spe cycle of each interference source
ctro On Quality Spectrogram, the horizontal
gra coordinate indicates the channel frequencies,
m and the vertical coordinate indicates the time
(with the latest time displayed at the
bottom). The color brightness indicates the
channel quality. The colors blue, green, cyan,
yellow, and red indicate the channel quality
in ascending order.
Procedure
● Enable spectrum analysis on a radio and view spectrum charts.
a. Choose Monitoring > Wireless Service > Spectrum Analysis. The Radio
List page is displayed.

Switches
Table 1-34 Parameters on the Radio List page
AP Name AP name.
AP ID AP ID.
Radio ID Radio ID of an AP.
Working Mode Working mode of a radio.

Bandwidth
EIRP/Max EIRP Radio power configured/Maximum power in

compliance with local laws and regulations.

Loss Ratio
Status Whether to enable the spectrum analysis function

on a radio.
Operation Radio spectrum chart display by clicking View

Drawing.
b. Select an AP and click Start.

c. In the AP radio list, click View Drawing in the Operation column. The
related spectrum charts are displayed. A maximum of four spectrum
charts can be displayed.
d. Select your desired spectrum chart from the drop-down list box in the
upper left corner. Particularly, you can select Lower or Upper on the

Switches
spectrum charts of a 5G radio to view spectrum charts of different

frequencies.
e. On the Swept Spectrogram chart, click Modify, set the signal strength
scope at both ends of the color bar, and click Apply.
f. On the Active Devices chart, click . The detected non-Wi-Fi devices

are displayed in a list. Click . The detected non-Wi-Fi devices are
displayed in a pie chart.
Table 1-35 Parameters in the non-Wi-Fi device list

Device Type Type of the detected non-Wi-Fi device.
Signal RSSI of the non-Wi-Fi device.
Duty Cycle Duty cycle of the non-Wi-Fi device.
First Time Time when the non-Wi-Fi device is detected.
Activity Duration Time when the non-Wi-Fi device is activated.
Channel Affected Channel interfered by the non-Wi-Fi device.
Center Frequency Center frequency of the non-Wi-Fi device.
Bandwidth Bandwidth of the non-Wi-Fi device.
● Disable spectrum analysis on a radio.

a. Choose Monitoring > Wireless Service > Spectrum Analysis. The Radio
b. Select an AP and click Stop.
----End

Switches
1.4 Configuration
The configuration tasks include basic service management and security service
management.
1.4.1 Quick Config
Procedure
● Configure the switching mode quickly.
a. Choose Configuration > Quick Config. Select Switching for Select a
mode to open the quick switching mode configuration page, as shown in
Figure 1-44.
Figure 1-44 Quick switching mode configuration
b. Click Add below Step 2: Configure the port connected to downlink

devices, set parameters, and click .
Table 1-36 describes parameters on the displayed page.
Table 1-36 Configure the port connected to downlink devices

Interface Name Indicates the interface connected

to downlink devices.
Port Status Indicates the status of the selected

interface.
● ON: indicates that the interface
is enabled.
● OFF: indicates that the
interface is disabled.

Switches
Allowed VLAN Indicates the ID of the default

VLAN that the interface belongs
to.
Device Type Sets the type of a device

connected to the downstream
port.
● PC: The link type is access, and
only one VLAN is allowed.
● Switch: The link type is trunk,
and only one VLAN is allowed.
NOTE
After the configuration is complete, click an interface to configure it. To delete an

interface, click Delete below Step 2: Configure the port connected to downlink
devices.
c. Select an interface below Step 3: Configure the port connected to the
upstream gateway.
You can choose the following operations:
▪ Click one or more port icons to select ports.
▪ Drag the mouse to select consecutive ports.
Table 1-37 Configuring the interface connected to upstream gateway

Port status Indicates the status of the selected

interface.
is enabled.
Link aggregation Indicates that link aggregation is

enabled.
● ON: indicates that link
aggregation is enabled.
● OFF: indicates that link
aggregation is disabled.

Switches
Link aggregation ID Indicates the link aggregation ID.

This parameter is valid when the
link aggregation status is ON.
Allowed VLAN Indicates the VLAN to which an

interface of the link aggregation
type is added.
d. After setting the parameters, click Apply.

● Configure the routing mode quickly.
a. Choose Configuration > Quick Config. Select Routing for Select a
mode to open the quick routing mode configuration page, as shown in
Figure 1-45.
Figure 1-45 Quick routing mode configuration
b. Click Add below Step 2: Configure the port connected to internal

network devices, set parameters, and click .
Table 1-38 Configuring the port connected to internal network devices

Interface Name Indicates the interface connected

to internal network devices.
Port Status Indicates the status of the selected

interface.
is enabled.

Switches
Allowed VLAN Indicates the ID of the default

VLAN that the interface belongs
to.
VLAN Gateway Address Indicates the IP address and

subnet mask of the interface.
Device Type Sets the type of a device

connected to the internal network.
● PC: The link type is access, and
only one VLAN is allowed.
● Switch: The link type is trunk,
and only one VLAN is allowed.
Address Allocation to Terminals Click Configuration to select an

address allocation mode for
terminals.
● Static
● DHCP (local server)
● DHCP (remote server)
NOTE
After the configuration is complete, click an interface to configure it. To delete an

interface, click Delete below Step 2: Configure the port connected to internal
network devices.
c. Select an interface below Step 3: Configure the port connected to the
switch on external network.
You can choose the following operations:
▪ Click one or more port icons to select ports.
▪ Drag the mouse to select consecutive ports.
Table 1-39 Configuring the port connected to switch on the external

network
Port status Indicates the status of the selected

interface.
is enabled.

Switches
Link aggregation Indicates that link aggregation is

enabled.
● ON: indicates that link
aggregation is enabled.
● OFF: indicates that link
aggregation is disabled.
Link aggregation ID Indicates the link aggregation ID.

This parameter is valid when the
link aggregation status is ON.
Allowed VLAN Indicates the VLAN to which an

interface of the link aggregation
type is added.
Connected IP address/mask Indicates the IP address and

subnet mask of the interface.
Next hop Indicates the next-hop address of

a route.

----End
1.4.2 SVF Quick Config (SVF)

This chapter describes how to configure SVF quickly.
SVF quick configuration is supported only in SVF mode.
The S6720EI and S6720S-EI do not support AP Addition and AP User-Side
Service.
1.4.2.1 SVF Enabling

This section describes how to configure a switch as the parent in an SVF system.
Procedure
Step 1 Choose Configuration > SVF Quick Config > SVF Enabling. The SVF Enabling
page is displayed.
Step 2 Set Enable SVF to ON. The SVF Enabling page is displayed, as shown in Figure
1-46.

Switches
Figure 1-46 SVF Enabling page
Table 1-40 describes the parameters on the page.
Table 1-40 Parameters on the SVF Enabling page

Item Description
Enable SVF Indicates whether to enable SVF on the

parent:
● ON: Enable SVF on the parent.
● OFF: Disable SVF on the parent.
Basic SVF Management Configures a management VLAN. The

Configuration VLAN ID value defaults to 4090 and cannot be
VLAN 1 or VLAN 4093.
Management Specifies the total number of ASs and

network scale APs. A value slightly larger than the
actual value is recommended for
capacity expansion.
Management IP Configures a management IP address.

address/mask
AS access Indicates whether to authenticate an AS

authentication when it attempts to connect to an SVF
system:
● ON: The AS needs to be
authenticated.
● OFF: The AS does not need to be
authenticated.

Switches
Item Description
AP access Configures the AP authentication mode:

authentication ● Non-authentication
● MAC address authentication
● SN authentication
Advance SVF AS forwarding Configures the forwarding mode:

Configuration mode ● Distributed: Local traffic of an AS is
directly forwarded from the AS, and
traffic between ASs is sent to the
parent for forwarding.
● Centralized: Both traffic forwarded by
the local AS and traffic forwarded
between ASs are sent to the parent
for forwarding.
Administrator in Creates the administrator and sets the

Independent password for AS login in independent
Configuration configuration mode.
Mode
Step 3 Configure the parameters.

Step 4 Click Apply.
----End
1.4.2.2 AS Addition
This section describes how to add ASs to an SVF system and configure fabric-ports.
Procedure
● Create AS fabric-ports.
a. Choose Configuration > SVF Quick Config > AS Addition and click the
Configure AS Fabric-Ports tab.
b. Click Create and set AS fabric-port parameters, as shown in Figure 1-47.
Figure 1-47 AS Fabric-Port tab
c. Select values for AS Fabric-Port Resides On, AS Fabric-Port ID and AS

Configuration Mode from the drop-down list. Click Manage to select
member ports of the fabric-port.

Switches
d. Click to complete the configuration.

● Create AS fabric-ports in a batch.
b. Click Batch Import to enter the page for batch import of fabric-ports, as
Figure 1-48 Page for batch import of fabric-ports
c. Click to download the fabric-port file profile locally and fill in the
profile.
d. Click to select the fabric-port file to be imported.

e. Click Import to import the selected fabric-port file.
f. Click Confirm to complete the configuration.
● Delete AS fabric-ports.
b. Click Delete in the line where the AS fabric-port resides.
c. In the dialog box that is displayed, click OK.
● Add ASs.
Name ASs tab.
b. Click Create and set AS parameters, as shown in Figure 1-49.
Figure 1-49 AS Addition page
c. Enter values for AS Name and AS Management MAC.

d. Click Manage below AS Model. The Manage AS Model dialog box is
displayed, as shown in Figure 1-50.

Switches
Figure 1-50 Manage AS Model
e. Select Product series and AS model.

f. Click ON for AS stacking to preconfigure the AS stack ID.
Select the slot ID and corresponding product model in the Slot ID-switch
drop-down list box, and click .
g. Click OK to complete the AS model configuration.
h. Click to complete the configuration.
● Add ASs in a batch.
Name ASs tab.
b. Click Batch Import to enter the page for batch import of ASs, as shown
in Figure 1-51.
Figure 1-51 Page for batch import of ASs

Switches
c. Click to download the AS file profile locally and fill in the profile.
d. Click to select the AS file to be imported.

e. Click Import to import the selected AS file.
f. Click Confirm to complete the configuration.
● Delete ASs.
Name ASs tab.
b. Select the AS to be deleted and click Delete.
----End
1.4.2.3 AS User-Side Service

This section describes how to configure services for an AS user port group.
Procedure
Step 1 Choose Configuration > SVF Quick Config > AS User-Side Service. The AS User-
Side Service page is displayed, as shown in Figure 1-52.
Figure 1-52 AS User-Side Service
Step 2 Click Create.

Step 3 In the displayed Add AS Port Group dialog box, set AS port group name, as
Figure 1-53 Add AS Port Group

Switches
Step 4 Click OK.

Step 5 Click the List of Member Ports tab to add member ports, as shown in Figure
1-54.
Figure 1-54 List of Member Ports
1. Click Add.
2. Select the AS name on the Add AS Port page, as shown in Figure 1-55.
Figure 1-55 Add AS Port page
3. Click Add All or Add Selected to add AS ports as required.

4. Click Back after completing the configuration.
Step 6 Click the Service Configuration tab to configure services.
Table 1-41 Icons on the Service Configuration tab

Icon Description
Select: allows you to select parameter.
Create: allows you to configure parameters.
Modify: allows you to modify parameters.
Delete: allows you to delete currently configured

parameters.
● Set Connection type to User-defined, as shown in Figure 1-56.

Switches
Figure 1-56 User-defined
a. Click next to Default VLAN. The Add VLAN and Gateway

Configuration dialog box is displayed, as shown in Figure 1-57.
Figure 1-57 Add VLAN and Gateway Configuration
Table 1-42 describes the parameters in the Add VLAN and Gateway
Configuration dialog box.
Table 1-42 Parameters in the Add VLAN and Gateway Configuration

dialog box
Item Description
VLAN ID Indicates a VLAN ID. The value

ranges from 1 to 4094.
Gateway location Sets Gateway location to Parent

or Other.
VLANIF (IP/mask) Specifies the IP address and mask

of the gateway.

Switches
Item Description
ARP proxy on default VLANIF Indicates whether to enable ARP

proxy on a VLANIF interface:
▪ ON: Enable ARP proxy.
▪ OFF: Disable ARP proxy.

NOTE
In centralized forwarding, ARP proxy
must be enabled on a VLANIF
interface.
User IP allocated by Specifies the user IP address

allocation mode:
▪ Parent
▪ Remote server
Remote server address Specifies the IP address of a

remote server. After setting an IP
address, click to add it to the
following list.
NOTE
This parameter is displayed when
User IP allocated by is set to Remote
server.
b. Configure the parameters and click OK.

c. Click next to Voice VLAN. The Add VLAN and Gateway
d. Configure the parameters and click OK.
e. Enter a VLAN ID for transparent transmission.
f. Click next to Network Enhanced Profile. The Add Network
Enhanced Profile dialog box is displayed, as shown in Figure 1-58.

Switches
Figure 1-58 Add Network Enhanced Profile
Table 1-43 describes the parameters in the Add Network Enhanced

Profile dialog box.
Table 1-43 Parameters in the Add Enhanced Service Profile dialog box
Item Description
Profile name Specifies the enhanced service

template name.
Port group authentication Specifies the port group

authentication status:
▪ Enabled
▪ Disabled
Unicast suppression (pps) Sets the maximum unknown

unicast traffic allowed on an
interface. The value ranges from 0
to 1488100.
Broadcast suppression (pps) Sets the maximum broadcast

traffic allowed on an interface.
The value ranges from 0 to
1488100.
Multicast suppression (pps) Sets the maximum multicast

traffic allowed on an interface.
The value ranges from 0 to
1488100.

Switches
Item Description
All traffic suppression (kbps) Sets the maximum traffic allowed

on an interface. The value ranges
from 64 to 10000000.
DHCP Snooping Indicates whether to enable DHCP

snooping:
▪ ON: Enable DHCP snooping.
▪ OFF: Disable DHCP snooping.
IPSG Indicates whether to enable IP

source guard:
▪ ON: Enable IP source guard.
▪ OFF: Disable IP source guard.
DAI Indicates whether to enable ARP

inspection:
▪ ON: Enable ARP inspection.
▪ OFF: Disable ARP inspection.
Edge Port Indicates whether to enable the

edge port function on an
interface:
▪ ON: Enable the edge port

function.
▪ OFF: Disable the edge port

function.
Priority Trust Indicates whether to configure the

priority trust function on an
interface:
▪ ON: Enable the priority trust

function.
▪ OFF: Disable the priority trust

function.
g. Configure the parameters and click OK.

h. Click next to User Access Profile. The Add User Access Profile dialog
box is displayed.
▪ Set User authentication to Non-authentication, as shown in Figure

1-59.

Switches
Figure 1-59 Creating a user access profile: non-authentication
Table 1-44 Creating a user access profile: non-authentication
Item Description
Profile name Specifies the name of a user

access control template.
Access user limit Sets the maximum number of

access users. The value ranges
from 0 to 4096.
ARP packet rate limit (kbps) Sets the rate limit of incoming
ARP packets on an interface.
The value ranges from 8 to 128.
DHCP packet rate limit (kbps) Sets the rate limit of incoming
DHCP packets on an interface.
▪ Set User authentication to Local authentication, as shown in

Figure 1-60.
Figure 1-60 Creating a user access profile: local authentication

Switches
Table 1-45 Creating a user access profile: local authentication

Item Description


from 1 to 512.
User Name Creates the local user name.
Password Creates the local password.
Confirm password Confirms the local password.
Access mode Sets the user access

authentication mode. You can
select one or multiple of the
following authentication modes:
○ MAC: MAC address
authentication
○ 802.1X: 802.1x authentication
○ Portal: Portal authentication
Portal Server
When Access mode includes Portal, the following parameters are
valid:
Portal server name Specifies the name of a Portal

server template.
URL Sets a URL for a Portal server.

The URL identifies the Portal
server's website that can be
visited by Portal authentication
users.
Portal server IP Configures an IP address for the

Portal server.
Port number Configures a destination port

number for the device to send
packets to the Portal server.
The value is an integer that
Shared key Configures a shared key used by

the device to exchange
information with the Portal
server.
The value is a string of 1 to 16
characters.

Switches
Item Description
Confirm shared key Confirms the shared key used

by the device to exchange
server.
▪ Set User authentication to RADIUS authentication, as shown in

Figure 1-61.
Figure 1-61 Creating a user access profile: remote RADIUS

authentication
Table 1-46 Creating a user access profile: remote RADIUS

authentication
Item Description


from 1 to 512.
Server IP Specifies the IP address of a

RADIUS authentication server.
Port number Specifies the port number of the

RADIUS authentication server.
Shared key Specifies the RADIUS shared

key.
characters.
Confirm shared key Configures the RADIUS shared

key.

Switches
Item Description
Access mode Sets the user access

authentication mode. You can
select one or multiple of the
following authentication modes:
○ MAC: MAC address
authentication
○ 802.1X: 802.1x authentication
○ Portal: Portal authentication
Portal Server
When Access mode includes Portal, the following parameters are
valid:
Portal server name Specifies the name of a Portal

server template.
URL Sets a URL for a Portal server.

The URL identifies the Portal
server's website that can be
visited by Portal authentication
users.
Portal server IP Configures an IP address for the

Portal server.
NOTE
When an S5720HI functions as
parent, you can specify multiple IP
addresses for the portal server. For
the operation method, see1.4.5.3.4
External Portal Server.
Port number Configures a destination port

number for the device to send
packets to the Portal server.
Shared key Configures a shared key used by

the device to exchange
server.
characters.
Confirm shared key Confirms the shared key used

by the device to exchange
server.
i. Configure the parameters and click OK.

Switches
j. Click Apply to complete the configuration.

● Set Connection type to Connect to PC, as shown in Figure 1-62.
Figure 1-62 Connect to PC

c. Click next to Network Enhanced Profile. The Add Network
Profile dialog box.
e. Click next to User Access Profile. The Add User Access Profile dialog
box is displayed, as shown in Figure 1-59, Figure 1-60, or Figure 1-61.
Table 1-44, Table 1-45, or Table 1-46 describes the parameters on the
page.
f. Configure the parameters and click OK.
g. Click Apply to complete the configuration.
● Set Connection type to Connect to IP Phone, as shown in Figure 1-63.
Figure 1-63 Connect to IP Phone

Switches

c. Click next to Voice VLAN. The Add VLAN and Gateway
e. Click next to Network Enhanced Profile. The Add Network
Profile dialog box.
f. Configure the parameters and click OK.
g. Click next to User Access Profile. The Add User Access Profile dialog
box is displayed, as shown in Figure 1-59, Figure 1-60, or Figure 1-61.
Table 1-44, Table 1-45, or Table 1-46 describes the parameters on the
page.
h. Configure the parameters and click OK.
i. Click Apply to complete the configuration.
----End
Follow-up Procedure
Delete an AS user port group.
1. Choose Configuration > SVF Quick Config > AS User-Side Service. The AS
User-Side Service page is displayed.
2. Select the AS user port group name to be deleted.
3. Click Delete.
4. In the dialog box that is displayed, click OK.
1.4.2.4 AP Addition
Procedure
● Configure ports that connect ASs to APs.
a. Choose Configuration > SVF Quick Config > AP Addition. Click the
Configure Ports Connected to APs tab.

Switches
Figure 1-64 Configuring ports that connect ASs to an AP
b. Set AS Name to the added ASs and click Add All or Add Selected. All
ports connecting the ASs to the AP are added in the list.
c. Expand Pass VLAN. Set VLAN ID for the ports and click Apply. VLANs are
configured for the ports.
● Configure APs.
a. Choose Configuration > SVF Quick Config > AP Addition. Click the
Configure APs tab.
Figure 1-65 Configuring APs
b. Click Create to manually add APs one by one or batch import APs offline.
For details, see 1.4.7.3.1 AP Info.
c. Select APs in the list and click Delete. The APs are deleted.
----End
1.4.2.5 AP User-Side Service
Procedure
Step 1 Choose Configuration > SVF Quick Config > AP User-Side Service. The Service
Settings tab is displayed, as shown in Figure 1-66.

Switches
Figure 1-66 Service Settings tab
Step 2 Click Create in the AP Group List pane. In the Create AP Group dialog box that is
displayed, set AP group name and click OK.
Step 3 Create an SSID in an AP group.

1. Click the Service Settings tab and set service parameters.
2. Click Create. Set SSID parameters on the page that is displayed. For
description of the parameters, see Table 1-47, Table 1-48, Table 1-49, and
Table 1-50.
Table 1-47 Basic SSID parameters
SSID SSID name.
Forwarding mode Data forwarding mode of the corresponding AP.
Radio Radio to which a VAP is applied.
WLAN ID VAP corresponding to the SSID.

Switches
Table 1-48 VLAN and gateway parameters

Service VLAN ID Service VLAN bound to the VAP mapping the SSID.
– Click and select a service VLAN in the displayed
Select window.
– Click and create a service VLAN in the displayed
Add VLAN and Gateway Configuration window.
– Click and modify the existing service VLAN in
the displayed Update VLAN And Gateway
Configuration window.
Gateway location Whether the Parent functions as the gateway.
VLANIF (IP/mask) IP address of the VLANIF interface on the Parent,

serving as the user gateway IP address.
User IP allocated by Whether the IP addresses of STAs are obtained from

the Parent or the server when the Parent functions as
the gateway.
Remote server IP address of the remote server when it allocates IP

address addresses to STAs.
This parameter is displayed when User IP allocated
by is set to Remote server.
Table 1-49 SSID security parameters

Security Settings Security policy used on a wireless network.

– High: WPA-WPA2 802.1X
– Medium: WPA-WPA2 PSK
– Low: OPEN
Encryption mode Encryption mode of a security policy,

which is valid only when Security Settings is set to
High or Medium.
Key type Key format of a security policy,

Medium.
Key/Confirm key Encryption key of a security policy,

Medium.

Switches
Table 1-50 SSID authentication parameters
Authentication Authentication mode used by an STA that accesses a

mode wireless network using the SSID.
Server IP IP address of an external RADIUS server,

which is valid only when Authentication mode is set
to External RADIUS.
Port number Port number of an external RADIUS server,

to External RADIUS.
Shared key/Confirm Shared key of an external RADIUS server,

shared key which is valid only when Authentication mode is set
to External RADIUS.
Access mode Access mode of an external RADIUS server,

to Local authentication or External RADIUS.
External Portal External Portal server, which is valid only when

Server Access mode is set to External Portal Server.
– Server name: name of an external Portal server
– URL: interface URL of an external Portal server
– Server IP: IP address of an external Portal server
– Port number: port number of an external Portal
server
– Shared key/Confirm shared key: shared key of
an external Portal server
Built-in Portal Built-in Portal server, which is valid only when Access
Server mode is set to Built-in Portal Server.
– Server IP: IP address of a built-in Portal server
– Port number: port number of a built-in Portal
server
– SSL policy: SSL policy used by a built-in Portal
server
Click to select the required SSL policy.
MAC-prioritized If this option is selected, a MAC access profile is

bound.
This option is valid only when Access mode is set to
External Portal Server or Built-in Portal Server.
3. Click OK.
Step 4 Add an SSID to an AP group.

Switches

2. Click Add. Set SSID parameters on the page that is displayed. For description
of the parameters, see Table 1-51.
Table 1-51 SSID parameters

Select SSID SSID that has been created in another AP group.
Radio Radio associated with the SSID.
WLAN ID VAP associated with the SSID.
3. Click OK to complete the configuration.

Step 5 Remove an SSID from an AP group.
2. Select the SSID that you want to remove and click Remove.
3. Click OK in the displayed window.
Step 6 Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an AP
group.
1. Click the AP List tab and configure APs.
2. Click Add. On the page that is displayed, set Mode to Select existing APs.
3. Select APs from the list below, and click OK.

Step 7 Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to an AP
group.
2. Click Add. On the page that is displayed, set Mode to Manually add.

Switches
3. Configure AP parameters. For description of the parameters, see Table 1-52.
Table 1-52 Parameters for manually adding an AP

Keyword AP authentication mode:

– AP MAC: The AP authentication mode is MAC
address authentication.
– AP SN: The AP authentication mode is SN
authentication.
AP MAC MAC address of the new AP. This parameter is

mandatory.
AP ID ID of the new AP.

This parameter is mandatory when Keyword is set to
AP SN.
AP type Type of the new AP.
AP SN Serial number of the AP.

This parameter is mandatory when Keyword is set to
AP SN.
NOTE
You can click to add a maximum of 10 APs manually.

4. Click OK.
Step 8 Import APs using a template.
This operation allows you to manually add multiple APs offline to an AP group.
NOTE
If AP authentication mode is set to SN authentication, ensure that the AP SNs have been
configured when importing APs offline.
2. Click Add. On the page that is displayed, set Mode to Batch import.

Switches
3. Click to download the batch import template to your local computer.

4. Use the network planning and optimization tool to plan the network
parameters and export the planned parameters to the AP information
template. Table 1-53 describes the parameters of the AP information
template.
NOTE
If you download an AP information template of the Chinese web system under an English
Windows operating system (OS), the Chinese characters in the AP information template
cannot be displayed. You can choose Start > All Programs > Microsoft Office > Microsoft
Office Tools > Microsoft Office 2003 Language Settings in the Windows OS (take
Microsoft Office 2003 as an example) and set Primary Editing Language to
Chinese(PRC) on the Editing Language tab. After completing the setting, restart the
Microsoft Office Excel and open the AP information template. The Chinese characters in
the template will be displayed normally.
Table 1-53 Parameters of the AP information template

AP ID AP ID. If an AP is imported not for the first time and

the MAC address of the AP is not specified, the AP ID
is mandatory; otherwise, the AP ID is optional.
AP Name AP name. This parameter is optional.
AP Type AP type. This parameter is optional.
AP MAC MAC address of an AP. If the AP authentication mode

is MAC address authentication, AP MAC must be set
when the AP is imported for the first time or the AP
ID is not specified.
AP SN AP SN. If the AP authentication mode is SN

authentication, AP SN must be set when the AP is
imported for the first time.
AP Group AP group. This parameter is optional.
Radio ID Radio ID of the AP. This parameter is optional. If you

set Channel, Band Width, or Power, Radio ID must
be set.
Channel Radio channel of the AP. This parameter is optional.

If you set this parameter, Band Width and Radio ID
must be set.

Switches
Band Width Radio bandwidth of the AP. This parameter is

optional. If you set this parameter, Channel and
Radio ID must be set.
Power Radio power of the AP. This parameter is optional. If

you set this parameter, Radio ID must be set.
5. Click to select the batch import template, then click Import.

6. Click OK.
----End
1.4.2.6 Network-Side Service

This section describes how to configure services to allow users to access external
networks.
Procedure
● Create network side VLANs and IP addresses.
a. Choose Configuration > SVF Quick Config > Network-Side Service and
click the Network-Side VLAN and IP tab.
b. Click Create and set parameters, as shown in Figure 1-67.
Figure 1-67 Network-Side VLAN and IP tab
c. Set VLAN ID and VLANIF IP Address/Mask, select OSPF Status, and

click Manage to select Member Interfaces and set Function
Description.
● Delete network-side VLANs and IP addresses.
click the Network-Side VLAN and IP tab.
b. Select the network-side VLAN and IP address to be deleted and click
Delete.
● Create routes.
click the Route tab, as shown in Figure 1-68.

Switches
Figure 1-68 Route
b. Click Create. The Create Static Route page is displayed, as shown in

Figure 1-69.
Figure 1-69 Create Static Route
Table 1-54 Parameters on the Create Static Route

Item Description
Destination IP Identifies the destination IP

address or destination network of
IP packets, for example,
10.10.10.1.

Switches
Item Description
Subnet mask Used with a destination IP address

to identify the address of the
network segment where the
destination host or device resides.
The address of the network
segment where the destination
host or device resides can be
calculated according to the AND
operation on the destination
address and network mask, for
example, 255.255.0.0.
Next hop address Indicates the next-hop destination

address or destination network of
IP packets, for example,
10.10.10.2.
NOTE
Either the next hop or outbound
interface must be specified.
Outbound interface Indicates through which interface

IP packets will be forwarded.
Priority Indicates the route priority. There

may be multiple routes to the
same destination. These routes
may be dynamic routes discovered
by different routing protocols or
static routes manually configured.
A route with the highest priority
(the smallest value) becomes the
optimal route.
Description Indicates the description of a

created route.
c. Configure the parameters.

d. Click OK to complete the configuration.
● Delete routes.
click the Route tab.
b. Select the route to be deleted and click Delete.
----End
1.4.3 Advanced SVF Config(SVF)

This section describes how to perform advanced SVF configuration.
Advanced SVF configuration is supported only in SVF mode.

Switches
1.4.3.1 AS Access Mgmt

This section describes how to add AS blacklist and whitelist and an AS group to an
SVF system.
Procedure
● Create AS blacklist and whitelist.
a. Choose Configuration > Advanced SVF Config > AS Access Mgmt and
click the AS Blacklist And Whitelist tab.
b. Click Create, as shown in Figure 1-70.
Figure 1-70 Creating AS blacklist and whitelist
c. Set a value for AS MAC Address and select blacklist or whitelist from
the Manage drop-down list box.
● Delete AS blacklist and whitelist.
click the AS Blacklist And Whitelist tab.
b. Select the required blacklist and whitelist and click Delete.
● Create an AS group.
click the AS Group tab.
b. Click Create and set AS group parameters, as shown in Figure 1-71.
Figure 1-71 Creating an AS group
Table 1-55 describes parameters on the page.

Switches
Table 1-55 Parameters for creating an AS group
AS Group Name Specifies the name of an AS

group.
AS Name Specifies the name of an AS. Click

Manage and add the specified AS
in the Available AS list to an AS
group.
NOTE
This parameter is valid only when
there is an AS list after you choose
SVF Quick Config > AS Addition >
Name ASs.
Administrator Profile Allows selecting the corresponding

administrator profile.
NOTE
there is an AS administrator profile
list after you choose Advanced SVF
Config > AS Profile Mgmt > AS
Administrator Profile.
c. Configure the parameters and click to complete the configuration.

● Delete an AS group.
click the AS Group tab.
b. Select the AS group to be deleted and click Delete.
----End
1.4.3.2 AS Port Group

This section describes how to add an AS port group to an SVF system.
Procedure
● Create an AS port group.
a. Choose Configuration > Advanced SVF Config > AS Port Group.
Figure 1-72 Creating an AS port group

Switches
Table 1-56 Parameters for creating an AS port group
Port Group Name Specifies the name of a port

group.
Whether Connected to AP Specifies a port type:

● Yes: indicates a port connected
to an AP.
● No: indicates a port connected
to a user.
Network Basic Profile Specifies the name of a network

basic profile to be bound to the
port group. Click Manage to
select the name of the network
basic profile to be bound.
NOTE
there is a network basic profile list
after you choose Advanced SVF
Config > AS Profile Mgmt >
Network Basic Profile.
Network Enhanced Profile Specifies the name of a network

enhanced profile to be bound to
the port group.
NOTE
Whether Connected to AP is set to
No and there is a network enhanced
profile list after you choose Advanced
SVF Config > AS Profile Mgmt >
Network Enhanced Profile.
User Access Profile Specifies the name of a user

access profile to be bound to the
port group.
NOTE
Whether Connected to AP is set to
No and there is a user access profile
list after you choose Advanced SVF
Config > AS Profile Mgmt > User
Access Profile.

● Delete an AS port group.
a. Choose Configuration > Advanced SVF Config > AS Port Group.

Switches
b. Select the required AS port group and click Delete.

----End
1.4.3.3 AS Profile Mgmt

This section describes how to add AS profiles to an SVF system.
Procedure
● Create a network basic profile.
a. Choose Configuration > Advanced SVF Config > AS Profile Mgmt and
click the Network Basic Profile tab.
Figure 1-73 Creating a network basic profile
Table 1-57 Parameters for creating a network basic profile
Profile Name Specifies a profile name.
Default VLAN Configures a default VLAN.
Allowed VLAN Configures an allowed VLAN.
Voice VLAN Configures a voice VLAN.

● Delete a network basic profile.
click the Network Basic Profile tab.
b. Select the required network basic profile and click Delete.
● Create a network enhanced profile.
click the Network Enhanced Profile tab.

Switches
Figure 1-74 Creating a network enhanced profile
Table 1-58 Parameters for creating a network enhanced profile

Unknown Unicast Traffic Sets the maximum rate of

Suppression (pps) unknown unicast traffic.
Broadcast Traffic Suppression Sets the maximum rate of

(pps) broadcast traffic.
Multicast Traffic Suppression (pps) Sets the maximum rate of

multicast traffic.
DHCP Snooping Indicates whether to enable DHCP

snooping:
● ON: Enable DHCP snooping.
● OFF: Disable DHCP snooping.
IPSG Indicates whether to enable IP

packet check:
● ON: Enable IP packet check.
● OFF: Disable IP packet check.
NOTE
DHCP Snooping is set to ON.
DAI Indicates whether to enable

dynamic ARP inspection.
● ON: Enable dynamic ARP
inspection.
● OFF: Disable dynamic ARP
inspection.
NOTE
DHCP Snooping is set to ON.

Switches
Priority Trust Indicates whether to enable the

priority trust function.
● ON: Enable priority trust.
● OFF: Disable priority trust.
All Traffic Suppression (kbps) Sets the traffic rate limit.
Edge Port Indicates whether to enable the

edge port function:
● ON: Enables the edge port
function.
● OFF: Disable the edge port
function.

● Delete a network enhanced profile.
click the Network Enhanced Profile tab.
b. Select the required network enhanced profile and click Delete.
● Create a user access profile.
click the User Access Profile tab.
Figure 1-75 Creating a user access profile
Table 1-59 Parameters for creating a user access profile


Switches
Bound Authentication Profile Specifies the name of an

Name authentication profile to be bound
to the user access profile.
NOTE
Choose Security Services > AAA >
Authentication Profile to learn how
to create an authentication profile.
Number of Access Users Sets the maximum number of

access users.
ARP Packet Rate Limit (kbps) Sets the rate limit of incoming
ARP packets on an AS port.
NOTE
This parameter is valid when no value
is set for Bound Authentication
Profile Name.
DHCP Packet Rate Limit (kbps) Sets the rate limit of incoming
DHCP packets on an AS port.
NOTE
This parameter is valid when no value
is set for Bound Authentication
Profile Name.

● Delete a user access profile.
click the User Access Profile tab.
b. Select the required user access profile and click Delete.
● Create an AS administrator profile.
click the AS Administrator Profile tab.
Figure 1-76 Creating an AS administrator profile

Switches
Table 1-60 Parameters for creating an AS administrator profile

User Name Configures an AS administrator

user name.
Password Configures an AS administrator

password.
ARP Rate Limit (kbps) Sets the rate limit of outgoing

ARP packets on an AS uplink
fabric-port.
DHCP Rate Limit (kbps) Sets the rate limit of outgoing

DHCP packets on an AS uplink
fabric-port.

● Delete an AS administrator profile.
click the AS Administrator Profile tab.
b. Select the required AS administrator profile and click Delete.
----End
1.4.3.4 AS Direct Config

This section describes how to directly configure ASs on the parent.
Context
Choose Monitoring > Summary to check Member Device Status. Only normal
ASs working in centralized configuration mode can be directly configured on the
parent.
Procedure
● Global AS configuration
a. Choose Configuration > Advanced SVF Config > AS Direct Config to
enter the AS Direct Config page.
b. Click behind AS Name to select the AS to be configured and click

OK to enter the configuration page. Click the Global Configuration tab,

Switches
Figure 1-77 Global configuration page
Table 1-61 Global configuration parameters

Packet Rate Limit
Source IP-based ARP rate limit Configures ARP rate limiting based
(pps) on source IP addresses.
Source MAC-based ARP rate Configures ARP rate limiting based

limit (pps) on source MAC addresses.
NOTE
This function is supported only when
ASs are S6720S-EIs or S6720EIs.
PoE
NOTE
You can click PoE parameters to edit these parameters and click to complete
the configuration. This information is displayed only on the PoE-supporting
switches.
Slot ID Specifies the slot ID of a PoE power

module.
IEEE 802.3af-compliant Power Indicates whether IEEE 802.3af-

Supply compliant power supply is enabled:
● ON: Enable IEEE 802.3af-
compliant power supply.
● OFF: Disable IEEE 802.3af-
compliant power supply.

Switches
Allow High Inrush Current Indicates whether to enable a

During Power-on switch to allow high inrush current
during power-on:
● ON: Enable a switch to allow
high inrush current during
power-on.
● OFF: Disable a switch from
allowing high inrush current
during power-on.
c. Configure the parameters and click Apply to complete the configuration.

● AS interface configuration
a. Choose Configuration > Advanced SVF Config > AS Direct Config to
enter the AS Direct Config page.
b. Click behind AS Name to select the AS to be configured and click

OK to enter the configuration page. Click the Interface Configuration
tab and select the interface to be configured, as shown in Figure 1-78.
Figure 1-78 Interface configuration page
When Configured as a Stack Port is selected, Table 1-62 describes

parameters on the page.

Switches
Table 1-62 Interface configuration parameters

Logical stack port ID Specifies the logical stack port to

which physical member ports are
added.
When Configured as a Stack Port is not selected, Table 1-63 describes

parameters on the page.
Table 1-63 Interface configuration parameters

Ethernet Port
Auto-Negotiation Indicates whether the auto-

negotiation function is enabled:
● ON: Enable the auto-negotiation
function.
● OFF: Disable the auto-
negotiation function.
Interface rate Sets the rate in non-auto-

negotiation mode.
NOTE
This parameter is valid only when Auto-
Negotiation is set to OFF.
Duplex mode Sets the duplex mode for an in non-

auto-negotiation mode.
NOTE
This parameter is valid only when Auto-
Negotiation is set to OFF.
Loop detection Indicates whether to enable

loopback detection:
● ON: Enable loopback detection.
● OFF: Disable loopback detection.
PoE
Forcible power supply on ports Indicates whether forcible power

supply is enabled on ports:

Switches
PD compatibility detection Indicates whether PD compatibility

detection is enabled:
● ON: Enable PD compatibility
detection.
● OFF: Disable PD compatibility
detection.
Power supply priority Sets the power supply priority of a

PoE interface.
Advanced
Port bridge Indicates whether the port bridge

function is enabled:
● ON: Enable the port bridge
function.
● OFF: Disable the port bridge
function.
Electrical port sleeping Indicates whether to enable

electrical port sleeping:
● ON: Enable electrical port
sleeping.
● OFF: Disable electrical port
sleeping.
Loopback detection Indicates whether to enable

loopback detection:
Loopback detection in a Performs loopback detection in a

specified VLAN specified VLAN.
c. Configure the parameters and click Apply to complete the configuration.

----End
1.4.4 Basic Services

Basic services include interface, VLAN, DHCP, MAC, and STP settings.
1.4.4.1 Interface Settings

This chapter describes common interface configurations.

Switches
NOTE
● A combo interface is a logical interface, which corresponds to a GE electrical interface and a

GE optical interface on the device panel. The electrical interface is used with the optical
interface as a combo interface. When the device supports electrical interfaces, you do not
need to use the GE copper module to convert an optical interface to an electrical interface.
● Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support connecting the router. If the
device cannot be connected to a router, the page is hidden.
1.4.4.1.1 View Configuration
Context
You can view interface related functions on this page.
Figure 1-79 shows interface status and optical/electrical interfaces.
Figure 1-79 Interface status and optical/electrical interfaces
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click View
Configuration, as shown in Figure 1-80.
Figure 1-80 View Configuration
Step 2 Click an interface icon to select an interface. You can select only one interface at
one time.
Step 3 Check the interface functions in step 3, as shown in Figure 1-81.
Figure 1-81 View Interface Attribute

Switches
Table 1-64 describes the parameters on the View Interface Attribute.
Table 1-64 Interface status list

Item Description
Interface Indicates the type and number of the

selected interface.
Interface Status ● Up: The interface is enabled.

● Down: The interface is disabled.
● Shutdown: The shutdown
command has been run on the
interface.
Auto-Negotiation Indicates the auto-negotiation status

of the interface.
● Enable: Auto-negotiation is
enabled.
● Disable: Auto-negotiation is
disabled.
Duplex Mode Indicates the duplex mode of the

interface.
● Full-duplex
● Half-duplex
Interface Rate Indicates the interface rate.
Jumbo Indicates the number of Ethernet

frames with length ranging from 1518
bytes to the maximum jumbo frame
length and correct FCS values received
by the interface, or number of VLAN
frames with length ranging from 1522
bytes to the maximum jumbo frame
length and correct FCS values received
by the interface.
Indicates the number of frames with
length exceeding 1518 bytes and
correct FCS values sent by the
interface, or number of sent VLAN
frames with length exceeding 1522
bytes and correct FCS values sent by
the interface.

Switches
Item Description
Combo Indicates the working mode of a

combo interface.
● auto: The combo interface
automatically selects the working
mode.
● copper: The combo interface works
as an electrical interface and uses a
network cable to transmit and
receive data.
● fiber: The combo interface works as
an optical interface and uses an
optical fiber to transmit and receive
data.
● --: The combo interface is not
supported.
Flow Control Indicates the flow control status.

● Enable: Flow control is enabled on
the interface.
● Disable: Flow control is disabled on
the interface.
EEE Indicates energy efficient Ethernet

(EEE) that dynamically adjusts the
electrical interface power according to
network traffic volume.
● Enable: The EEE function is enabled
on the interface.
● Disable: The EEE function is
disabled on the interface.
Power Saving Mode Indicates whether the power saving

mode is enabled.
● Enable: The power saving mode is
enabled on the interface.
● Disable: The power saving mode is
disabled on the interface.
Step 4 If you want to delete all configurations on the interface to restore the default
settings, click Clear Configuration. After configurations are deleted, the interface
is disabled.
----End

Switches
1.4.4.1.2 Connect to PC
Context
After a switch is connected to a PC, you can configure functions such as the
default VLAN, port security, and port isolation based on service requirements.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to PC,
Figure 1-82 Configuring the port connected to a PC
Step 2 Select a port to be configured. Perform the following operations as required in the
port area:
● Click a port icon. To deselect the port, click the port icon again.
● Drag the cursor to select consecutive ports in a batch.
● Click multiple port icons to select these ports, and click a port icon again to
deselect the port.
● Select a slot where a panel is located. All ports on the panel are selected.
Step 3 Configure the port.
Table 1-65 describes parameters and their values.

Switches
Table 1-65 Parameters and their values

Interface Status Enables or disables the interface:

● ON: The interface is enabled.
● OFF: The interface is disabled.
Default VLAN Adds the interface to the default VLAN. The VLAN ID ranges
from 1 to 4094.
Port Isolation Enables or disables port isolation:

● ON: Port isolation is enabled.
● OFF: Port isolation is disabled.
Port Security Enables or disables port security:

● ON: Port security is enabled.
● OFF: Port security is disabled.
MAC Address Is valid when Port Security is set to ON.

Limit Sets the maximum number of secure MAC addresses. The
value ranges from 1 to 1024.
Loopback Enables or disables loopback detection:

Detection ● ON: Loopback detection is enabled.
● OFF: Loopback detection is disabled.
Trust Priority Configures trust priority on the interface.

NOTE
The values vary depending on the switch model. The values on your
switch may be different from those provided in this example.
Operation
If you click More Configurations, the following parameters are valid.
Auto- Enables or disables auto-negotiation on the interface:

Negotiation ● ON: Auto-negotiation is enabled.
● OFF: Auto-negotiation is disabled.
Duplex Mode Is valid when Auto-Negotiation is set to OFF.

Configures the duplex mode on the interface.
● Full-duplex
● Half-duplex
Interface Rate Is valid when Auto-Negotiation is set to OFF.

Configures the interface rate.
● 10 Mbit/s
● 100 Mbit/s
● 1000 Mbit/s

Switches
Jumbo Sets the jumbo frame length. The value ranges from 1536 to
10240.
Combo Configures the working mode of a combo interface.

● auto: The combo interface automatically selects the
working mode.
● copper: The combo interface works as an electrical
interface and uses a network cable to transmit and
receive data.
● fiber: The combo interface works as an optical interface
and uses an optical fiber to transmit and receive data.
Flow Control Enables or disables flow control:

● ON: Flow control is enabled.
● OFF: Flow control is disabled.
EEE Is valid when Auto-Negotiation is set to ON.

Enables or disables the EEE function:
● ON: The EEE function is enabled.
● OFF: The EEE function is disabled.
Power Saving Enables or disables the power saving mode:

Mode ● ON: The power saving mode is enabled.
● OFF: The power saving mode is disabled.
Step 4 Click Apply to make the configuration take effect.
----End
1.4.4.1.3 Connect to IP Phone
Context
After a switch is connected to an IP phone, you can configure functions such as
the default VLAN, voice VLAN, port security, and port isolation based on service
requirements.
Procedure
● Based On Phone Model (Auto)
a. Choose Configuration > Basic Services > Interface Settings.Click
Connect to IP Phone to open the Connect to IP Phone page.
b. Select a port to be configured. Perform the following operations as
required in the port area:
▪ Click a port icon. To deselect the port, click the port icon again.
▪ Drag the cursor to select consecutive ports in a batch.

Switches
▪ Click multiple port icons to select these ports, and click a port icon
again to deselect the port.
▪ Select a slot where a panel is located. All ports on the panel are
selected.
c. Click the Based On Phone Model (Auto) tab, and click Auto Phone
Scan. Check whether the interface is connected to an IP phone. Figure
1-83 indicates that the interface is not connected to an IP phone, and
Figure 1-84 indicates that the interface is connected to an IP phone.
Figure 1-83 Auto phone scan result - no IP phone connected
Figure 1-84 Auto phone scan result - IP phone connected
Table 1-66 describes the configuration options on Figure 1-84.
Table 1-66 Auto phone scan parameters
Interface Interface where IP phones are scanned.
Phone Type Type of IP phone connected to the scanned interface.
Interface Enables or disables the interface:

Status ● ON: The interface is enabled.
Default VLAN Adds the interface to the default VLAN. The VLAN ID

Switches
Voice VLAN Enables the voice VLAN function and specifies the
VLAN ID.
Add Voice Enables or disables the function of adding the voice

VLAN to Untag VLAN ID to untagged packets.
VoIP ● ON: The function is enabled.
● OFF: The function is disabled.
LLDP LLDP status:

● ON: enabled
● OFF: disabled

Operation


Limit Sets the maximum number of secure MAC addresses.



● Full-duplex
● Half-duplex

● 10 Mbit/s
● 100 Mbit/s
● 1000 Mbit/s
Jumbo Sets the jumbo frame length.

Switches

● auto: The combo interface automatically selects
the working mode.
receive data.
● fiber: The combo interface works as an optical
interface and uses an optical fiber to transmit and
receive data.



QoS Configuration
802.1p priority Specify the 802.1p priority.
DSCP priority Specify the DSCP priority.

e. Click on the left of More voice VLAN settings to expand voice VLAN
configurations. Click Create to display the configuration options of voice
VLAN, as shown in Figure 1-85.
Figure 1-85 Voice VLAN configuration

Switches
Table 1-67 Voice VLAN creation parameters

OUI This parameter is mandatory. It

specifies the MAC address of voice
packets, for example, 0812-
f231-05e1.
Mask This parameter is mandatory.

Enter the mask, for example, ffff-
ffff-ffff.
Description Enter the description of the OUI.
After setting the parameters, click .

● Based On Phone Model (Manual)
b. Select an interface from Select Interface and click the Based On Phone
Model (Manual) tab, as shown in Figure 1-86.
Figure 1-86 Based on phone type (manual)
Table 1-68 describes the configuration options in Figure 1-86.
Table 1-68 Based on phone type (manual) parameters

Phone Type Type of connected phone.

VLAN ID.

Switches

VLAN to Untag VLAN ID to untagged packets:
LLDP LLDP status:

● ON: enabled
● OFF: disabled

Operation





● Full-duplex
● Half-duplex

● 10 Mbit/s
● 100 Mbit/s
● 1000 Mbit/s

Switches

the working mode.
receive data.
receive data.



QoS Configuration
802.1p priority Specify the 802.1p priority.
DSCP priority Specify the DSCP priority.
c. After setting the parameters, click Apply.

d. Click on the left of More voice VLAN settings to expand voice VLAN
configurations. Click Create to display the configuration options of voice
VLAN, as shown in Figure 1-87.
Figure 1-87 Voice VLAN configuration

Switches
Table 1-69 Voice VLAN creation parameters

OUI This parameter is mandatory. It

specifies the MAC address of voice
packets, for example, 0812-
f231-05e1.
Mask This parameter is mandatory.

Enter the mask, for example, ffff-
ffff-ffff.
Description Enter the description of the OUI.
After setting the parameters, click .

● Customized configuration
b. Select an interface from Select Interface and click the Customized tab,
Figure 1-88 Customized configuration
Table 1-70 describes the configuration options on Figure 1-88.
Table 1-70 Customized configuration options and meanings


VLAN ID.

Switches

VLAN to Untag VLAN ID to untagged packets:




Operation


● Full-duplex
● Half-duplex

● 10 Mbit/s
● 100 Mbit/s
● 1000 Mbit/s

Switches

the working mode.
receive data.
receive data.




----End
1.4.4.1.4 Connect to Switch
Context
After a switch is connected to another switch, you can configure the switch port to
allow packets from a specified VLAN based on service requirements.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to
Switch, as shown in Figure 1-89.

Switches
Figure 1-89 Configuring the port connected to a switch
port area:
deselect the port.
Step 3 Configure the port.
Table 1-71 describes parameters and their values.

Switches
Table 1-71 Parameters of a port and their values

Load balancing Sets the Eth-Trunk load balancing mode. This parameter is
mode valid only after Enable link aggregation is selected.
● dst-ip: Load balancing is performed based on the
destination IP address.
● dst-mac: Load balancing is performed based on the
destination MAC address.
● src-ip: Load balancing is performed based on the source
IP address.
● src-mac: Load balancing is performed based on the
source MAC address.
● src-dst-ip: Load balancing is performed based on the
Exclusive-OR calculation result of the source and
destination IP addresses.
● src-dst-mac: Load balancing is performed based on the
Exclusive-OR calculation result of the source and
destination MAC addresses.
Interface Status Enables or disables the interface:

● ON: The interface is enabled.
Eth-Trunk Adds the interface to an Eth-Trunk. This parameter can be

set only after Enable link aggregation is selected.
Eth-Trunk Mode Sets the Eth-Trunk working mode. This parameter can be set
only after Enable link aggregation is selected.
● Manual load balancing (default): The Eth-Trunk working
mode is set to manual.
● Static LACP: The Eth-Trunk working mode is set to LACP.
Allowed VLANs Configures VLANs allowed by the interface. The VLAN ID

Auto VLAN Configures whether the system automatically creates

Creation allowed VLANs:
● Yes
● No
Operation


Switches

● Full-duplex
● Half-duplex

● 10 Mbit/s
● 100 Mbit/s
● 1000 Mbit/s

● auto: The combo interface automatically selects the
working mode.
receive data.
● fiber: The combo interface works as an optical interface
and uses an optical fiber to transmit and receive data.



----End
1.4.4.1.5 Connect to Router
Context
You can configure functions of interfaces on switches that are connected to
routers on the GUI. Figure 1-90 shows interface status and optical/electrical
interfaces.

Switches
NOTE
Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support connecting the router.
If the device cannot be connected to a router, this page is hidden.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Connect to
Router, as shown in Figure 1-91.
Figure 1-91 Connect Router
Step 2 Click an interface icon to select an interface. You can select only one interface at
one time.
Step 3 Set parameters on the Configure Interface. Figure 1-92 shows the Configure
Interface.
Figure 1-92 Configure Interface
Table 1-72 describes the parameters on the Configure Interface.

Switches
Table 1-72 Parameters on the Configure Interface

Item Description
Interface Status Set the interface status.

● ON: The current interface is
enabled.
● OFF: The current interface is
disabled.
IP Address Configure an IP address for the current

interface.
Mask Select a subnet mask from the drop-

down list box, for example, 24
(255.255.255.0).
Step 4 Click Apply to complete the configuration.

----End
1.4.4.1.6 Enable/Disable Interface
Context
You can disable an idle interface that is not connected to a cable or an optical
fiber on the GUI to prevent the idle interface from interfering other interfaces in
working state.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Enable/
Disable Interface, as shown in Figure 1-94.
Figure 1-94 Enable/Disable Interface

Switches
Step 2 Select the interface that you want to configure. Perform either of the following
operations as required.
● Click an interface icon to select an interface.
● Drag the mouse to select multiple consecutive interfaces in a batch.
deselect the port.
● Click the check box before a front panel name to select all the interfaces on
the front panel.
Step 3 Set parameters on the Configure Interface. Figure 1-95 shows the Configure
Interface.
Item Description
Interface Status Set interface status.

● ON: The current interface is not
shut down.
● OFF: The current interface is shut
down.
----End
1.4.4.1.7 Detect Link
Context
Virtual cable test (VCT) technology uses time domain reflectometry (TDR) to
detect the cable status. When a pulse is transmitted to the end of a cable or a

Switches
failure point in the cable, some pulse energies are reflected to the transmitting
end. The VCT algorithm measures the time spent on transmitting pulses over a
cable, reaching a failure point, and returning the pulses. The measured time is
converted to the distance.
VCT can detect the fault type of a network cable and identify failure points to help
locate network cable faults.
The VCT test result is only for reference and may be inaccurate for cables of some
vendors.
VCT takes effect only on optical interfaces that have GE copper modules installed
or GE electrical interfaces on the device.
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings. Click Detect Link, as
Figure 1-97 Detect Link
deselect the port.
the front panel.
Step 3 Click Apply. In the dialog box that is displayed, click OK.

Switches
Step 4 You can view check results on the Configure Interface. Figure 1-98 shows the
Configure Interface.

Item Description
Interface Type and number of the interface on

which link detection is performed.
Management Status Management status of the interface.

● Down: The interface is disabled.
● Up: The interface is enabled.
● Shutdown: indicates that the
administrator has run the
shutdown command on the
interface.

Switches
Item Description
Detection Result Link detection result, which can be

either The network cable is faulty or
The interface works normally.
NOTE
If network cable faults occur, click Details
to view the detailed detection result. The
displayed page contains the following
fields:
● Pair A/B/C/D: indicates the 4 pairs of
circuits in a network cable.
● Pair A length: indicates the length of a
network cable. If a fault occurs, this
field indicates the distance between the
interface and the location of the fault;
when the network cable works properly,
this field indicates the actual length of
the cable; If the interface is not
connected to any network cable, the
default length is 0 meters.
● Pair A state: indicates the status of a
network cable. (OK: normal; Open:
open-circuited; Short: short-circuited;
Crosstalk: incorrect cable sequence;
Unknown: unknown fault)
----End
1.4.4.1.8 Port Loopback Test
Context
A port loopback test is used to check whether the internal forwarding chip
controls forwarding on the interface properly.
Figure 1-99 shows the interface status and symbols of optical and electrical
interfaces.
Figure 1-99 Interface status and symbols of optical and electrical ports
Procedure
Step 1 Choose Configuration > Basic Services > Interface Settings.Select Port
Loopback Test, as shown in Figure 1-100.

Switches
Figure 1-100 Port Loopback Test
deselect the port.
the front panel.
Step 4 The returned information is displayed in Configure Interface, as shown in Figure

1-101.
Table 1-75 Interface parameter list
Interface Indicates the type and number of the

interface where a loopback test is
performed.

Switches
Management Status Indicates the management status.

● Down: indicates that the interface is
disabled.
● Up: indicates that the interface is
enabled.
● Shutdown: indicates that the
shutdown command has been run
on the interface.
Detection Result Indicates the loopback test result.
----End
1.4.4.2 PoE
This chapter describes how to configure PoE. PDs, such as wireless telephones and
APs, are provided with power when the devices are configured with PoE.
Context
NOTE
Only the product models with PWR or PWH in the product names support PoE.
Procedure
Step 1 Choose Configuration > Basic Services > PoE.
Step 2 Perform global settings and click Apply, as shown in Figure 1-102.
Figure 1-102 Global Settings
Table 1-76 describes the parameters in Global Settings.

Switches
Table 1-76 Parameters in Global Settings
Item Description
Power supply Configures the switch's power supply management mode:

management ● Auto
mode
● Manual
Max output Sets the maximum output power of the switch, in mW.
power (mW)
Reserved PoE Sets the percentage of the reserved PoE power against the
power (%) total PoE power.
port area:
deselect the port.
Step 4 Configure interfaces.
Figure 1-103 Interface Setting
Table 1-77 describes the parameters in Interface Setting.

Switches
Table 1-77 Parameters in Interface Setting
Item Description
Interface name Indicates the currently configured interface name. This

parameter cannot be modified.
Enable PoE on Indicates whether to enable the PoE function:

interface ● ON: Enable the PoE function.
● OFF: Disable the PoE function.
Max output Sets the maximum output power of the interface, in mW.
power (mW)
PoE priority Configures the power supply priority for an interface:

● Low: the lowest priority
● High: the second highest priority
● Critical: the highest priority
Manual power Configures the manual power supply mode:

supply ● Power on: Interfaces will be manually powered on.
● Power off: Interfaces will be manually powered off.
PD compatibility Indicates whether to enable non-standard PD compatibility

check check on an interface:
● ON: Enable non-standard PD compatibility check.
● OFF: Disable non-standard PD compatibility check.
----End
1.4.4.3 VLAN
You can create, query, modify, or delete a single VLAN or create VLANs in a batch.
Context
● A switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
● VLANs can isolate the hosts that require no communication with each other,
reducing broadcast traffic and improving network security.
Procedure
● Creating a VLAN
a. Choose Configuration > Basic Services > VLAN.
b. Click Create. The Create VLAN dialog box is displayed, as shown in
Figure 1-104.

Switches
Figure 1-104 Creating a VLAN
Table 1-78 describes parameters in the Create VLAN dialog box.
Table 1-78 Parameters for creating a VLAN

VLAN ID ID of the VLAN. This parameter is

mandatory, and its value ranges
from 1 to 4094. VLAN 1 is the
default VLAN, and the system will
not re-create it.
Description Description of the VLAN. This

parameter is optional.
VLAN attribute Attribute of the VLAN. This

parameter is mandatory. Set VLAN
attribute to Common VLAN or
SVF multicast VLAN.
NOTE
This parameter is available only when
the device is enabled with SVF.
IPv4 address IPv4 address of a VLANIF

interface, such as 10.10.10.1. This
parameter is optional and can be
configured only for a VLANIF
interface.
Mask Subnet mask of the IP address.

This parameter is optional.

Switches
IPv6 address IPv6 address, such as FC00:0:130F:

0:0:9C0:876A:130B. This parameter
is optional and can be configured
only for a VLANIF interface.
Prefix length Length of an address prefix. This

parameter is optional and the
value ranges from 1 to 128.
c. Set parameters.
d. Click Add Interface. The Add Interface area is unfolded, as shown in
Figure 1-105.
Figure 1-105 Adding ports to the VLAN
e. Click Select Interface. The Add Interface page is displayed, as shown in

Figure 1-106.

Switches
Figure 1-106 Selecting ports to be added to the VLAN
f. Click OK. The Create VLAN dialog box is displayed.

g. Click OK.
● Creating VLANs in a batch
b. Click Batch Create. The Batch Create VLAN dialog box is displayed, as
shown in Figure 1-107. Set parameters.
Figure 1-107 Creating VLANs in a batch
c. Click OK.
● Querying a VLAN
b. Enter the VLAN ID in the search box. If you do not enter any VLAN ID, all
created VLANs are displayed.
c. Click . The VLAN is displayed, as shown in Figure 1-108.

Switches
Figure 1-108 VLAN list
d. Click View Interface. The interfaces added to VLANs are displayed, as

Figure 1-109 View Interface
● Modifying a VLAN
b. Click a VLAN ID. The Modify VLAN dialog box is displayed, as shown in
Figure 1-110. Table 1-78 describes parameters in the Modify VLAN
dialog box.
Figure 1-110 Modifying a VLAN

Switches
c. Change the values of parameters as required.

d. Click OK.
● Deleting a VLAN
b. Select a VLAN to be deleted and click Delete. The system asks you
whether to delete the VLAN.
NOTE
VLAN 1 is the default VLAN and cannot be deleted.

c. Click OK.
----End
1.4.4.4 DHCP
Context
Dynamic Host Configuration Protocol (DHCP) is used to dynamically manage and
configure the IP addresses for users in a centralized manner. DHCP adopts the
client/server mode for communication. The client applies to the server for
configurations (including IP address, subnet mask, and default gateway), and the
server replies with corresponding configuration information based on policies.
Procedure
● Global configuration
a. Choose Configuration > Basic Services > DHCP.
b. Set DHCP status to ON in the Global Settings area to enable the DHCP
function globally.
● Address pool list
b. Click Create in the Address Pool List area. The Create IP Pool page is
Figure 1-111 Description of the parameters for creating a DHCP entry

Switches
Table 1-79 describes the parameters on the Create IP Pool page.
Table 1-79 Create IP Pool

VLANIF interface Indicates the VLANIF interface

name. Select a name from the
drop-down list box.
IP/Mask Indicates the IP address and mask

of the VLANIF interface.
DHCP mode Indicates the DHCP mode. You can

select the local allocation or
external server allocation mode. In
local allocation mode, the device
functions as a DHCP server to
assign IP addresses to clients. In
external server allocation mode,
the device functions as a DHCP
relay to assign IP addresses to
clients through a DHCP server
whose address is specified.
Primary DNS server Indicates the primary DNS server

address assigned to a client. This
parameter is configured when the
DHCP mode is local allocation.
Secondary DNS server Indicates the secondary DNS

server address assigned to a client.
This parameter is configured when
the DHCP mode is local allocation.
Server IP Indicates the DHCP server IP

address. This parameter is
configured when the DHCP mode
is external server allocation.
c. Set the parameters.

d. Click OK.
● Address pool information
By clicking an interface address pool (the DHCP mode of the mapping
interface is local allocation) in Address Pool Information, you can check
the detailed address pool information, as shown in Figure 1-112.

Switches
Figure 1-112 Address Pool Information
Table 1-80 describes the parameters on the Address Pool Information

page.
Table 1-80 Parameters in address pool information
Sum of Addresses Indicates the total number of IP

addresses in the address pool.
Allocated Indicates the number of IP

addresses assigned to clients.
Bind IP Indicates that an IP address in the

address pool is bound to a fixed
MAC address.
Fix IP Indicates that an IP address being

used or an expired in the address
pool is bound to the
corresponding MAC address and
will be assigned directly to the
client when it goes online next
time.
Unbind IP Indicates that a bound IP address

is unbound.
Reserve IP Indicates that an IP address in the

address pool is reserved and not
assigned.
Release IP Indicates that a reserved IP

address is released and can be
assigned.
Reclaim IP Indicates that an IP address being

used or an expired or conflicted IP
address in the address pool is
reclaimed. The reclaimed IP
address becomes idle again and
can be re-assigned to clients.

Switches
Refresh Refreshes the page.
b. Configure IP addresses in the address pool.

i. Select the IP addresses to be configured on the Address Pool
Information page.
ii. Click Bind IP, Fix IP, Unbind IP, Reserve IP, Release IP, or Reclaim
IP.
If you click Bind IP, enter the bound MAC address and click OK.
----End
1.4.4.5 MAC
Context
Each switch maintains a MAC address table. A MAC table records learned MAC
addresses, VLAN IDs, and outbound interfaces. To forward data, the switch
searches the MAC table based on destination MAC addresses and VLAN IDs
carried in packets to determine the outbound interfaces for the packets. Therefore,
broadcast traffic is reduced. Configure the following MAC address types and
functions:
● The interface obtains dynamic entries based on the learning of source MAC
addresses. The dynamic entries can be aged.
● Static MAC entries are manually configured and never age. For details, see
Configuring a static user.
● Blackhole MAC entries are used to discard data frames with the specified
source or destination MAC addresses. Blackhole MAC entries are manually
configured and never age. For details, see Configuring a blackhole MAC
address entry.
● ARP entry fixing can be configured to defend against ARP address spoofing
attacks. For details, see Configuring ARP entry fixing.
● Port security makes MAC addresses learned on an interface become secure
MAC addresses to allow only hosts with secure MAC addresses and static
MAC addresses to communicate with the switch through the interface,
improving switch security. For details, see Configuring port security.
Procedure
● Configuring MAC/IP address security and the aging time of dynamic MAC
addresses
a. Choose Configuration > Basic Services > MAC.
b. Click the icon next to MAC/IP address security to enable or disable
MAC/IP address security.
c. Set the aging time of dynamic MAC addresses in the Dynamic MAC
aging time text box and click Apply.

Switches
NOTE
The aging time of dynamic MAC addresses is 0 or in the range of 10 to 1000000, in

seconds. The default value is 300s.
● Querying MAC/IP address entries
b. Click the MAC/IP Address tab and select the interfaces. The MAC/IP
Address tab page is displayed, as shown in Figure 1-113.
Figure 1-113 Querying MAC/IP address entries
c. Click Refresh to refresh entries in the MAC/IP address list.

d. Set search item for querying MAC/IP address entries based on the MAC
Address, IP Address, Type, Outbound Interface and VLAN ID.
e. Click . The search result is displayed.
● Configuring a static user
c. Click Create Static MAC. The Create Static MAC page is displayed, as

Switches
Figure 1-114 Creating a static mac
d. Set parameters.
e. Click OK.
● Creating a static secure MAC address
NOTE
Before creating a static secure MAC address, enable port security by referring to
Configuring port security.
After port security is enabled, a yellow shield identifier next to the interface is
displayed.
c. Click Create Secure MAC. The Create Secure MAC page is displayed, as
Figure 1-115 Creating a secure MAC address

Switches
d. Set parameters.
e. Click OK.
● Deleting MAC address entries
c. Select an entry and click Delete MAC. The system asks you whether to
delete the entry.
d. Click OK.
● Configuring a blackhole MAC address entry
c. Select an entry and click Convert to Blackhole MAC. The system asks
you whether to configure the entry as a blackhole MAC address entry.
NOTE
Only dynamic MAC address entries can be configured as blackhole MAC address
entries.
After dynamic MAC address entries are configured as blackhole MAC address entries,
select Select all interfaces so that they can be displayed in the MAC/IP address list.
d. Click OK.
● Configure fixing of ARP entries
c. Select an entry and click Fix MAC. The system asks you whether to fix the
MAC address entry.
NOTE
Only dynamic MAC address entries can be fixed.

d. Click OK.
● Configuring port security
b. Click the MAC Security tab. The MAC Security tab page is displayed.
c. Select a port, as shown in Figure 1-116.
Figure 1-116 Configuring port security

Switches
Table 1-81 describes parameters on the MAC Security tab page.
Table 1-81 Configuring port security
Parameter Description Value
Interface Name - -
Interface Security If a network requires The value can be

high access security, Enable or Disable.
you can configure
port security on
specified ports. MAC
addresses learned by
these ports are
changed to dynamic
secure MAC addresses
or sticky MAC
addresses. When the
number of learned
MAC addresses
reaches the limit, the
ports do not learn
new MAC addresses.
This prevents devices
with untrusted MAC
addresses from
connecting to these
ports, improving
security of the devices
and the network.
MAC Address Limit Maximum number of The value ranges from

(1-1024) MAC addresses that 1 to 1024.
can be learned by a
port.
Sticky MAC Sticky MAC addresses The value can be

will not be aged out Enable or Disable.
and will exist after the
device restarts.
d. Set parameters.
e. Click Apply.
----End
1.4.4.6 LBDT
This section describes how to configure LBDT.

Switches
Context
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
or even causes service interruption on the entire network. To allow the device to
detect loops on a Layer 2 network in a timely manner and prevent the network
from being severely affected by loops, configure loopback detection. Loopback
detection enables the device to periodically send loopback detection packets to
detect loops. When a loop is detected on an interface, the device shuts down or
blocks the interface to eliminate the loop. The interface can be restored when the
device detects that the loop on the interface is eliminated.
Procedure
Step 1 Click Configuration in the function area and choose Basic Services > LBDT from
the navigation tree in the left. The LBDT page is displayed, as shown in Figure
1-117.
Figure 1-117 Loopback detection configuration page
Table 1-82 describes parameters on the loopback detection configuration page.
Table 1-82 Parameters on the loopback detection configuration page
Enable (Block Interface) Enable loopback detection on an interface

and set the action to block.
When a loop is detected, the device blocks
the interface and forwards only BPDUs.
Enable (Shut Down Interface) Enable loopback detection on an interface

and set the action to shutdown.
When a loop is detected, the device shuts
down the interface.

Switches
Disable Disable loopback detection on the

interface.
Step 2 Select an interface that you want to configure.
Perform either of the following operations:
● Click the interface icon to select one or more interfaces.

● Drag the mouse to select consecutive interfaces in a batch.
● Select a device panel and all interfaces.
Step 3 Click Enable (Block Interface) or Enable (Shut Down Interface) to enable
loopback detection on an interface and set the action taken when a loop is
detected.
By default, loopback detection is disabled on an interface.
NOTE
If Enable (Shut Down Interface) is selected, the interface is shut down when a loop is
detected. The shutdown interface can be restarted in Interface Settings > Enable/Disable
Interface. For details, see Enable/Disable Interface.
Step 4 Check the configuration.
The loopback detection status is displayed on all interfaces that need to be

enabled with loopback detection, as shown in Figure 1-118, the configuration is
successful. Otherwise, the configuration fails.
NOTE
After line loopback detection is enabled, the system detects loops after about 5s. After 5s,
click to view the interface status.
Figure 1-118 Loopback detection configuration result

Switches
----End
1.4.4.7 ACL
Access control lists (ACLs) are used to identify flows. A network device filters
packets according to certain rules. It must identify packets first, and then permits
or denies the packets according to the configured policy.
Context
NOTE
For S5720HI, this node is only available in the NAC common mode.
1.4.4.7.1 Interface ACL

You can apply an ACL to an interface to filter the packets received by the
interface.
Context
You can configure ACL rules and apply the ACL to an interface to filter the packets
received by the interface. The ACL rule configuration includes source and
destination IP addresses, protocol type, source and destination port numbers.
Procedure
● Query the ACL rules applied to interfaces.
a. Click Configuration to display the Configuration page.
b. Choose Basic Services > ACL in the navigation tree to display the ACL
page.
c. Click the Interface ACL tab to display the Interface ACL page, as shown
in Figure 1-119.
Figure 1-119 Interface ACL

Switches
d. Click the icon of the interface to which the ACL rules are applied. The ACL
rule record is displayed in the ACL Rule List area, as shown in Figure
1-120.
Figure 1-120 Querying ACL rules
● Copy the ACL rules that have been applied to an interface to another
interface.
page.
c. Click the Interface ACL tab to display the Interface ACL page.
d. Click the icon of the interface to which the ACL rules have been applied.
Click Copy To to display the Copy To page, as shown in Figure 1-121.
Figure 1-121 Copying ACL rules
e. Select the target interface to which the ACL rules are copied. You can
perform the following operations as required:
▪ Click the icon of a single interface. Re-click the icon to deselect the
interface.

Switches
▪ Click the icons of multiple interfaces.
▪ Drag the mouse to select multiple neighboring interfaces.
▪ Click a device panel name and select all interfaces.

f. Click OK.
● Create ACL rules.
page.
d. Click the icon of the interface to which the ACL rules need to be applied
and create ACL rules.
▪ If no record is displayed in the ACL Rule List area, click on the

right of Operation or Add on the left of Ascend. A record of ACL
Rule List is displayed in the ACL Rule List area. Set the ACL rule
parameters.
▪ If the existing ACL rule records are displayed in the ACL Rule List
area, click on the right of Operation or Add on the left of Ascend
or on the right of Delete. A new record of ACL Rule List is displayed
in the ACL Rule List area. Set the ACL rule parameters, as shown in
Figure 1-122.
NOTE
If you click on the right of Operation or Add on the left of Ascend, a new
record of ACL Rule List is inserted to the first line in the ACL Rule List area. If
you click Add on the right of Delete, a new record of ACL Rule List is inserted
below the current line in the ACL Rule List area.
Figure 1-122 Creating ACL rules
Table 1-83 describes the parameters for creating ACL rules.
Table 1-83 Parameters for creating ACL rules
Source IP address Indicates the source IP address.

The default value is any,
indicating that any source IP
address can be specified.

Switches
Mask of Source IP Indicates the mask of the source

IP address. The default value is
0 (0.0.0.0).
Destination IP address Indicates the destination IP

address. The default value is
any, indicating that any
destination IP address can be
specified.
Mask of Destination IP Indicates the mask of the

destination IP address. The
default value is 0 (0.0.0.0).
Protocol type Indicates the protocol type,

including:
● ip
● tcp
● udp
● icmp
The default protocol type is IP.
Source Port Num Indicates the source port

number.
This parameter is valid only
when the protocol type is TCP
or UDP. If this parameter is not
specified, TCP or UDP packets
with any source port are
matched.
Dest Port Num Indicates the destination port

number.
with any destination port are
matched.
Action Indicating the action matching

a packet, including:
● permit
● deny
The default action is permit.
Operation ● Delete
● Add

Switches
e. Click Apply.
● Edit ACL rules.
b. Choose Basic Settings > ACL in the navigation tree to display the ACL
page.
d. Click the icon of the interface to which the ACL rules have been applied
and edit ACL rules.
▪ Edit ACL rule entries.

Modify the ACL rule parameters in the ACL Rule List area.
▪ Adjust the ACL rule entry sequence.

Select a record of ACL Rule List in the ACL Rule List area. Click
Ascend or Descend to adjust the ACL rule entry sequence.
e. Click Apply.
● Delete ACL rules.
page.
d. Click the icon of the interface to which the ACL rules have been applied.
In the ACL Rule List area, click Delete next to the record to be deleted or
select records and click Delete next to Descend to delete the ACL rules in
batches.
e. Click Apply.
----End
1.4.4.7.2 VLAN ACL

You can apply an ACL to a VLAN to filter the VLAN packets.
Context
You can configure ACL rules and apply the ACL to a VLAN to filter the VLAN
packets. The ACL rule configuration includes source and destination IP addresses,
protocol type, and source and destination port numbers.
Procedure
● Query the ACL rules applied to VLANs.
page.
c. Click the VLAN ACL tab to display the VLAN ACL page, as shown in
Figure 1-123.

Switches
Figure 1-123 VLAN ACL
d. Select the ID of the VLAN to which the ACL rules are applied. The record
is displayed in the ACL Rule List area, as shown in Figure 1-124.
Figure 1-124 Querying ACL rules
● Copy the ACL rules that have been applied to a VLAN to another VLAN.
page.
c. Click the VLAN ACL tab to display the VLAN ACL page.
d. Select the ID of the VLAN to which the ACL rules have been applied. Click
Copy To to display the Copy To page, as shown in Figure 1-125.
Figure 1-125 Copying ACL rules
e. Enter the ID of the destination VLAN to which the ACL rules are applied,
and click OK.
● Create ACL rules.

Switches
page.
d. Select the ID of the VLAN to which ACL rules need to be applied, and
create the ACL rules.
▪ If no record is displayed in the ACL Rule List area, click on the

right of Operation or Add on the left of Ascend. A record of ACL
Rule List is displayed in the ACL Rule List area. Set the ACL rule
parameters.
▪ If the existing ACL rule records are displayed in the ACL Rule List
area, click on the right of Operation or Add on the left of Ascend
or on the right of Delete. A new record of ACL Rule List is displayed
in the ACL Rule List area. Set the ACL rule parameters, as shown in
Figure 1-126.
NOTE
If you click on the right of Operation or Add on the left of Ascend, a new
record of ACL Rule List is inserted to the first line in the ACL Rule List area. If
you click Add on the right of Delete, a new record of ACL Rule List is inserted
below the current line in the ACL Rule List area.
Figure 1-126 Creating ACL rules
Table 1-84 describes the parameters for creating ACL rules.
Table 1-84 Parameters for creating ACL rules

Source IP address Indicates the source IP address.

The default value is any,
indicating that any source IP
address can be specified.
Mask of Source IP Indicates the mask of the source

IP address. The default value is
0 (0.0.0.0).

Switches
Destination IP address Indicates the destination IP

address. The default value is
any, indicating that any
destination IP address can be
specified.
Mask of Destination IP Indicates the mask of the

destination IP address. The
default value is 0 (0.0.0.0).
Protocol type Indicates the protocol type,

including:
● ip
● tcp
● udp
● icmp
The default protocol type is IP.
Source Port Num Indicates the source port

number.
with any source port are
matched.
Dest Port Num Indicates the destination port

number.
with any destination port are
matched.
Action Indicating the action matching

a packet, including:
● permit
● deny
The default action is permit.
Operation ● Delete
● Add
e. Click Apply.
● Edit ACL rules.

Switches

page.
d. Select the ID of the VLAN to which ACL rules have been applied, and edit
the ACL rules.
▪ Edit ACL rule entries.

Modify the ACL rule parameters in the ACL Rule List area.
▪ Adjust the ACL rule entry sequence.

Select a record of ACL Rule List in the ACL Rule List area. Click
Ascend or Descend to adjust the ACL rule entry sequence.
e. Click Apply.
● Delete ACL rules.
page.
d. Select the ID of the VLAN to which the ACL rules have been applied. In
the ACL Rule List area, click Delete next to the record to be deleted or
select records and click Delete next to Descend to delete the ACL rules in
batches.
e. Click Apply.
----End
1.4.4.8 User Access Control

You can control user access to implement network security management.
Context
NOTE
For S5720HI, this node is only available in the NAC common mode.
1.4.4.8.1 Authentication Configuration

This section provides configuration steps and instructions on user authentication.
Context
Authentication configuration includes configurations of the local and RADIUS
authentication modes. If the local authentication mode is used, you must create a
user account on the switch and set a password. If the RADIUS authentication
mode is used, you must configure the IP address, port number, and shared key of
the RADIUS server. If the password configured in local user creation or
modification is the same as the default password, security risk exists.

Switches
NOTE
Account management information includes information about the users whose user types are
802.1x, Bind, PPP, or Web or who do not have access types. The access type of a created user
can be 802.1x, Bind, PPP, or Web.
Procedure
● Configuring local authentication
b. Choose Basic Services > User Access Control in the navigation tree to
display the User Access Control page.
c. Click the Authentication Configuration tab to display the
Authentication Configuration page.
d. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.
e. Select Local authentication for Authentication mode, as shown in
Figure 1-127.
Figure 1-127 Configuring local authentication
f. Click Apply.
g. Configure the user account information for local authentication in the
Account Management area.
▪ Create a user account.

1) Click Create to display the Create User page, as shown in
Figure 1-128.

Switches
Table 1-85 describes the parameters for creating a user.
Table 1-85 Create User/Modify User

User name Indicates the new user name.

The user name cannot
contain \ / : * ? " < > | ' or %,
and cannot start with @.
Password Indicates the user password.

A secure password should
contain at least two types of
the following: lowercase
letters, uppercase letters,
numerals, special characters
(such as ! $ # %). In addition,
the password cannot contain
spaces or single quotation
marks (').
Confirm password Indicates the confirm

password. The format is the
same as that of Password.

Switches
Status Sets the user status.

User status includes active
and block. If the status is set
to block, the device rejects
the user's authentication
requests, and the user cannot
change the password.
NOTE
This parameter is only displayed
on the user modification page.
Access type Sets the user access type.
Forced offline Indicates whether a user is

forcibly disconnected from the
network.
NOTE
This parameter is only displayed
on the user modification page.
2) Set the parameters.

3) Click OK.
▪ Modify a user account.

1) Click Modify next to the AAA account to be modified to display
the Modify User page, as shown in Figure 1-129.
Figure 1-129 Modify User

Switches
NOTE
● For parameter description, see Table 1-85.

● The user name is fixed and cannot be changed.
2) Set the parameters.
3) Click OK.
▪ Delete a user account.

1) You can delete a user account using either of the following
methods:
○ Click Delete next to the AAA account to be deleted.
○ Select the records of the AAA accounts to be deleted, and
click Delete next to Create to delete the AAA accounts in
batches.
After you click Delete, the system prompts you to confirm the
deletion operation.
2) Click OK.
● Configuring RADIUS authentication
c. Click the Authentication Configuration tab to display the
Authentication Configuration page.
d. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.
e. Select RADIUS authentication for Authentication mode, as shown in
Figure 1-130.
Figure 1-130 Configuring RADIUS authentication

Switches
Table 1-86 describes the parameters for RADIUS authentication.
Table 1-86 Parameters for configuring RADIUS authentication

Server IP address Indicates the IP address of the

RADIUS server, for example,
10.10.10.1.
The server IP address must have
reachable routes to the switch.
Port number Indicates the UDP port number of

the RADIUS server.
Shared key Indicates the shared key used for

communication between the
switch and RADIUS server.
When communicating with the
RADIUS server, the switch uses the
shared key to encrypt the user
password to ensure password
security during data transmission.
case-sensitive characters without
spaces, single quotes ('), and
question mask (?).
Confirm shared key Indicates the confirm shared key.

the shared key.
f. Set the parameters.

g. Click Apply.
----End
1.4.4.8.2 Portal Server

In Portal authentication, you can directly perform access authentication without
using the specified client software. The Portal server provides free portal services
and Portal authentication-based pages.
Context
To ensure the communication between the switch and Portal server, you must
configure the Portal server IP address and parameters (including the port number
and shared key of the Portal server) about information exchange between the
switch and Portal server, and bind interfaces to the Portal server.
The device supports two configuration modes. By default, the unified mode is
used. You can run the undo authentication unified-mode command to switch
the configuration mode to traditional mode.

Switches
NOTE
After configuring Portal authentication, perform the Authentication Configuration. The two
functions implement user authentication together.
The web system supports only one Portal server, and this Portal server can only be modified but
cannot be deleted through the web system. To delete the Portal server, run the undo web-auth-
server command in the system view.
Procedure
● The traditional mode.
c. Click the Portal Server tab to display the Portal Server page, as shown
in Figure 1-131.
Figure 1-131 Portal Server Configuration
Table 1-87 describes the parameters for Portal authentication

configuration.
Table 1-87 Parameters for Portal Server configuration

Portal server.

Switches
Port number Indicates the port number of the

Portal server.

switch and Portal server.
The switch and Portal server use
the shared key to encrypt packets.
The value is a string of characters.

the shared key.
VLANIF interface Select an interface and click to

bind the interface to the Portal
server.
You can select multiple interfaces
to bind them to the Portal server.
To unbind an interface from the
Portal server, select the interface
and click .
d. Set the parameters.

e. Click Apply.
● The unified mode.
c. Click the Portal Server tab to display the Portal Server page, as shown
in Figure 1-132.

Switches
Figure 1-132 Portal Server Configuration
Table 1-88 describes the parameters for Portal authentication

configuration.
Table 1-88 Parameters for Portal Server configuration


Portal server.
Port number Indicates the port number of the

Portal server.

switch and Portal server.
The switch and Portal server use
the shared key to encrypt packets.
The value is a string of characters.

the shared key.
d. Set the parameters.

e. Click Apply.
----End
1.4.4.8.3 Access Configuration

Through access configuration, the switch can authenticate users and control user
access through interfaces to ensure enterprise network security.

Switches
Context
The device supports two configuration modes. By default, the unified mode is
used. You can run the undo authentication unified-mode command to switch
the configuration mode to traditional mode.
● In the traditional mode, access configuration includes No-authentication,
802.1x authentication, MAC address authentication, MAC address bypass
authentication. The last authentication mode is combinations of 802.1X
authentication and MAC address authentication.
– No-authentication: Users are allowed to access the network without
authentication.
– 802.1x authentication: a Layer 2 authentication mode based on the
802.1x protocol. In this mode, the 802.1x client software must be installed
on user terminals, and user identity authentication is performed between
clients and servers using the Extensible Authentication Protocol (EAP).
– MAC address authentication: uses MAC addresses of users as identity
information. In this mode, the 802.1x client software does not need to be
installed on user terminals.
– MAC address bypass authentication: In this mode, 802.1x authentication
is performed first and the delay timer for MAC address bypass
authentication is enabled at the same time. If the 802.1x authentication
still fails when the delay time expires, MAC address authentication is
triggered.
When performing access configuration, you must enable the authentication
function first, and then select the interface to which the access configuration
applies and select an authentication mode.
● In the unified mode, access configuration includes No-authentication, 802.1x
authentication, MAC address authentication, and Portal authentication.
NOTE
After performing access configuration, perform the Authentication Configuration. The two
functions implement user authentication together.
If non-authentication is configured, a user passes the authentication using any user name or
password. Therefore, to protect the device or network security, you are advised to enable
authentication, allowing only the authenticated users to access the device or network.
Procedure
● The traditional mode.
c. Click the Access Configuration tab to display the Access Configuration
page, as shown in Figure 1-133.

Switches
Figure 1-133 Access configuration
d. Set Authentication function to ON and click OK.

e. Select interfaces for which the authentication function needs to be
enabled. You can perform the following operations as required:
▪ Click the icon of a single interface or icons of multiple interfaces.

f. Select an interface authentication method, as shown in Figure 1-134.
Figure 1-134 Interface authentication mode
g. Click Apply.
If authentication on any interface fails, an error page is displayed, as

Switches
Figure 1-135 Interface authentication enabling result
In the dialog box, Execution succeeded indicates the number of

interfaces for which the interface authentication function is successfully
applied; Execution failed indicates the number of interfaces for which
the interface authentication function fails to be applied.
● The unified mode.
c. Click the Access Configuration tab to display the Access Configuration
Figure 1-136 Access configuration
d. Select interfaces for which the authentication function needs to be

enabled. You can perform the following operations as required:

Switches
▪ Click the icon of a single interface or icons of multiple interfaces.

e. Select an interface authentication method, as shown in Figure 1-137.
Figure 1-137 Interface authentication mode
NOTE
If 802.1X authentication is configured as authentication mode 1 and MAC address

authentication as authentication mode 2, the MAC address bypass authentication
function is enabled.
If MAC address authentication is configured as authentication mode 1 and 802.1X
authentication as authentication mode 2, the MAC address authentication is
performed first during MAC address bypass authentication.
f. Click Apply.
----End
1.4.4.9 STP
A spanning tree protocol can trim a network with loops into a loop-free tree
network. It prevents infinite looping of packets to ensure packet processing
capabilities of the switch.
1.4.4.9.1 STP Summary
Procedure
● Enable STP globally.
a. Configuration > Basic Services > STP > STP Summary to access the STP
Summary page.
b. Set Global STP status to ON to enable STP globally.
NOTE
The STP Global Setting and Interface Status parameters are available only when the
STP is enabled globally.

Switches
● Configure Global STP.

a. Choose Configuration > Basic Services > STP > STP Summary to access
the STP Summary page, as shown in Figure 1-138.
Figure 1-138 STP configuration
Table 1-89 describes the parameters on the STP Summary page.
Table 1-89 Description of parameters on the STP Summary page
STP working mode Working mode of STP:

● MSTP: The switch sends MSTP
BPDUs.
● RSTP: The switch sends RSTP
BPDUs.
● STP: The switch sends STP
BPDUs.
● VBST: The switch sends VBST
BPDUs.
NOTE
In an SVF, the value is RSTP by default
and cannot be changed.
BPDU protection Whether BPDU protection is

enabled:
● ON: BPDU protection is
enabled.
● OFF: BPDU protection is
disabled.

Switches
b. Set parameters and click Apply.

● Configure the port status.
a. Choose Configuration > Basic Services > STP > STP Summary to access
the STP Summary page, as shown in Figure 1-138.
b. Enter the instance ID in the Instance text box.
c. Select a port to be configured.
Perform either of the following operations.
▪ Click the port icon to select one or more ports.
▪ Drag the mouse to select consecutive ports in a batch.
▪ Select the device panel to select all ports.

d. Click Enable STP, Disable STP, Enable Edge Port, or Disable Edge Port
to configure selected ports.
----End
1.4.4.9.2 MST Region Configuration
Context
NOTE
This function is not supported when a switch is working in super virtual fabric (SVF) mode.
This function is supported only when STP working mode is set to MSTP.
Procedure
● Configure an MST region.
a. Choose Configuration > Basic Services > STP > MST Region
Configuration to access the MST Region Configuration page, as shown
in Figure 1-139.
Figure 1-139 MST Region Configuration page
Table 1-90 describes the parameters on the MST Region Configuration

page.

Switches
Table 1-90 Description of parameters on the MSTP Region

Configuration page
Name Enter the name of an MST region.
Revision level Enter the MSTP revision level.

The MST region name, VLAN
mapping table, and MSTP revision
level identify the MST region that
the switch belongs to.
b. Set parameters and click Apply.

● Create an MSTI list.
Configuration to access the MST Region Configuration page.
b. Click Create to access the Create MSTI page, as shown in Figure 1-140.
Figure 1-140 Create MSTI page
Table 1-91 describes the parameters on the Create MSTI page.
Table 1-91 Description of parameters on the Create MSTI page
MSTI ID Enter the ID of the MSTI.
Mapped VLAN Enter the range of VLAN IDs

mapping to a specified MSTI.
MSTI priority Select the priority of the device in

the specified MSTI.
c. Set parameters and click OK.

● Delete an MSTI.

Switches
b. Select an MSTI to be deleted and click Delete. In the dialog box that is
displayed, click OK.
● Refresh an MSTI list.
b. Click Refresh to refresh the MSTI list.
----End
1.4.4.9.3 VBST Configuration
Context
NOTE
This function is not supported when a switch is working in super virtual fabric (SVF) mode.
This function is supported only when STP working mode is set to VBST.
Procedure
● Enable VLAN-based Spanning Tree (VBST) in a VLAN.
a. Choose Configuration > Basic Services > STP > VBST Configuration to
display the VBST Configuration page.
b. Click Enable to display the Enable VBST in VLANs page, as shown in
Figure 1-141.
Figure 1-141 Enabling VBST in a VLAN
Table 1-92 Parameters for enabling VBST in a VLAN

VLAN Indicates the ID of the VLAN in

which VBST needs to be enabled.

Switches
c. Set the parameters, and click OK.

● Change the VLAN priority.
b. In the VBST list, click the ID of the VLAN whose priority needs to be
changed. The Modify VLAN priority page is displayed, as shown in
Figure 1-142.
Figure 1-142 Changing VLAN priority
Table 1-93 Parameters for changing VLAN priority

VLAN Indicates the ID of the VLAN whose

priority needs to be changed. The
value cannot be modified.
VLAN priority Indicates the priority of the VLAN.

A smaller value indicates a higher
priority.
c. Set the parameters, and click OK.

● Disable VBST in VLANs.
b. Select the VLANs for which VBST needs to be disabled, and click Disable.
In the dialog box that is displayed, click OK.
● Update the VBST list.
b. Click Refresh to update the VBST list.
----End

Switches
1.4.4.9.4 Multi-instance
Procedure
● Check global information about CIST.
a. Choose Configuration > Basic Services > STP > Multi-instance to access
the Multi-instance page, as shown in Figure 1-143.
Figure 1-143 Multi-instance page
b. Click Refresh above Current root bridge to refresh CIST information.

● Check the current root bridge.
a. Choose Configuration > Basic Services > STP > Multi-instance to access
the Multi-instance page.
b. Click Refresh under Current root bridge to refresh information about
the current root bridge.
NOTE
Enter the MSTI ID next to MSTI ID and click to query MSTI information.
----End
1.4.4.10 LLDP
Context
To view the Layer 2 link status between network devices and analyze the network
topology, enable Link Layer Discovery Protocol (LLDP).
Procedure
Step 1 Choose Configuration > Basic Services > LLDP to display the LLDP configuration

Switches
Figure 1-144 LLDP configuration page
Step 2 Set Global LLDP status to ON so that LLDP is enabled on all interfaces.
Step 3 Select the interfaces that you want to configure.
Use any of the following methods to select interfaces:
● Click interface icons to select one or multiple interfaces.

● Drag the mouse to select multiple adjacent interfaces.
● Select the check box of the panel to select all interfaces on the panel.
Step 4 Click Enable LLDP On Port or Disable LLDP On Port to enable or disable LLDP
on the selected interfaces. Click Refresh to refresh information about neighbors of
the selected interfaces.
----End
1.4.5 Security Services

Security services include ACL Config, ACL Reference, AAA, AAA Service App, and
AAA Profile Manage.
NOTE
Only the S5720HI supports security service management.

1.4.5.1 ACL Config

This section describes ACL configurations.
1.4.5.1.1 ACL Config

An ACL defines rules based on source IPv4 addresses, destination IPv4 addresses,
IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP
source/destination port numbers, and time ranges.

Switches
Procedure
● Query an ACL.
a. Click Configuration in the function area. Choose Security Services > ACL
Config > ACL Config to open the ACL Config page.
b. Set the search criteria.
c. Click to display all matching records.

● Create an ACL.
b. Click Create to open the Create ACL page, as shown in Figure 1-145.
Figure 1-145 Create ACL
Table 1-94 Create ACL
ACL name Indicates the name of an ACL. The

ACL name must be unique.
NOTE
● The value is a string starting with a
letter, without spaces.
● Either an ACL number or an ACL name
is required to identify an ACL.
● When you modify an ACL, the ACL
name cannot be changed.

Switches
ACL number Indicates the number of an ACL. It

identifies an ACL. The value is an
integer that ranges from 3000 to
3999.
NOTE
number cannot be changed.
ACL description Indicates the description of an ACL. It

is optional.
c. Click OK.
● Modify an ACL.
b. Select an ACL and click Modify.
NOTE
● Table 1-94 describes the parameters on the page.

● The ACL name and number cannot be changed.
● Delete an ACL.
b. Select an ACL and click Delete. If the ACL contains rules, the system
prompts you that the rules in the ACL will be deleted and asks you
whether to delete the ACL.
c. Click OK. If the operation succeeds, the system returns to the ACL Config
page; otherwise, an error message is displayed.
● Add rules.
b. Select an ACL and click Add Rule.
Figure 1-146 shows the Add Rule page.

Switches
Figure 1-146 Add Rule
Table 1-95 describes the parameters for adding rules.
Table 1-95 Add Rule

Action Indicates whether to permit or deny

packets. The default action is permit.
Protocol type Indicates the type of the protocol. It is

mandatory. The protocol types include:
● GRE(47)
● ICMP(1)
● IGMP(2)
● IP
● IPINIP(4)
● OSPF(89)
● TCP(6)
● UDP(17)
● Customized type
NOTE
The text box is valid only when the
protocol type is customized.

Switches
Match IP Source IP/ Indicates the IP address and wildcard. By

Wildcard default, all source IP addresses are
specified.
Destination Indicates the IP address and wildcard. By

IP/Wildcard default, all destination IP addresses are
specified.
Match IP Indicates that the packets are filtered

Packet precedence according to the precedence field.
Priority
TOS Indicates that packets are filtered
according to the Type of Service (ToS).
DSCP Specifies the Differentiated Services

Code Point (DSCP).
NOTE
● If you set the IP precedence or TOS, the
DSCP priority cannot be set.
● If you set the DSCP priority, the IP
precedence or TOS cannot be set.
Matching Source port This parameter is valid only when the

Interface number protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP
packets with any source port are
matched.
Dest port This parameter is valid only when the

number protocol type is TCP or UDP. If this
packets with any destination port are
matched.
Set Time Time range Indicates the time range when the ACL
takes effect.
NOTE
The time range name is displayed on the
configuration result page.
c. Click OK.
● Modify a rule.
b. Select an ACL and click to expand the ACL rules.
c. Click of a rule to modify the rule. Table 1-95 describes the parameters
on the page.
NOTE
Click and to change the order of the rule, and click Apply to make the new
order take effect.

Switches
● Delete a rule.
c. Click of a rule to delete the rule. In the dialog box that is displayed,
click OK.
----End
1.4.5.1.2 UCL Config

A UCL matches packets based on source IP addresses or source UCL groups,
destination IP addresses or destination UCL groups, IP protocol type, ICMP type,
TCP source/destination ports, and UDP source/destination ports.
Procedure
● Query ACLs.
Config > UCL Config to open the UCL Config page.
b. Set the search criteria.
c. Click to display all matching records.
● Create an ACL.
b. Click Create to open the Create ACL page, as shown in Figure 1-147.
Figure 1-147 Create ACL

Switches
Table 1-96 Create ACL
ACL name Indicates the name of an ACL. The

ACL name must be unique.
NOTE
● The value is a string starting with a
letter, without spaces.
name cannot be changed.
ACL number Indicates the number of an ACL. It

identifies an ACL. The value is an
integer that ranges from 6000 to
9999.
NOTE
number cannot be changed.
ACL description Indicates the description of an ACL. It

is optional.
c. Click OK.
● Modify an ACL.
b. Select an ACL and click Modify.
NOTE

● The ACL name and number cannot be changed.
● Delete an ACL.
b. Select an ACL and click Delete. If the ACL contains rules, the system
prompts you that the rules in the ACL will be deleted and asks you
whether to delete the ACL.
c. Click OK. If the operation succeeds, the system returns to the UCL Config
page; otherwise, an error message is displayed.
● Add a rule.
b. Click Add Rule of an ACL.
If the ACL is a UCL, the rule page is displayed as shown in Figure 1-148.

Switches
Figure 1-148 Add Rule
Table 1-97 describes the parameters for adding rules.
Table 1-97 Add Rule

Action Indicates whether to permit or deny

packets. The default action is permit.
Protocol type Indicates the type of the protocol. It is

mandatory. The ACL types include:
● GRE(47)
● ICMP(1)
● IGMP(2)
● IP
● IPINIP(4)
● OSPF(89)
● TCP(6)
● UDP(17)
● Customized type
NOTE
The text box is valid only when the UCL
type is customized.

Switches
Source Source IP/ Indicates the IP address and wildcard.

Wildcard The source IP address and wildcard
are in dotted decimal format.
NOTE
If the source IP address and wildcard are
not specified, any source IP address is
matched.
Source user Indicates the source user group of

group packets. Select the following
operations:
● To specify the source UCL group,
click .
● To create a source UCL group, click
.
● To modify the source UCL group,
click .
● To delete the source UCL group,
click .
Destination Destination IP/ Indicates the destination IP address

Wildcard and wildcard in packets.
The destination IP address and
wildcard are in dotted decimal format.
NOTE
If the destination IP address and wildcard
are not specified, any destination IP
address is matched.
Dest user group Indicates the destination user group of

packets. Select the following
operations:
● To specify the destination UCL
group, click .
● To create a destination UCL group,
click .
● To modify the destination UCL
group, click .
● To delete the destination UCL
group, click .
Matching Source port This parameter is valid only when the

Interface number protocol type is TCP or UDP. If this
packets with any source port are
matched.

Switches
Destination This parameter is valid only when the

port number protocol type is TCP or UDP. If this
packets with any destination port are
matched.
Set Time Time range Indicates the time range when the
ACL takes effect.
NOTE
The time range name is displayed on the
configuration result page.
c. Click OK.
● Modify a rule.
c. Click of a rule to modify the rule. Table 1-97 describes the parameters
on the page.
NOTE
Click and to change the order of the rule, and click Apply to make the new
order take effect.
● Delete a rule.
c. Click of a rule to delete the rule. In the dialog box that is displayed,
click OK.
----End
1.4.5.1.3 Validity Time Range

By configuring the effective period, you can apply an ACL in a certain period of
time.
Context
● A time range specifies a period of time. In practice, users may want certain
ACL rules to be valid during a certain period but be invalid out of the period.
That is, the ACL rules are used to filter packets based on the time range. In
this case, you can set one or multiple time ranges, and apply the time ranges
to a created ACL. Then, packets can be filtered based on the set time ranges.
● An effective period can contain periodic time ranges and valid period. A
periodic time range takes effect on a certain day in a week. A validity period
contains the start time and the end time.

Switches
Procedure
● Create a time range.
Config > Validity Time Range to open the Validity Time Range page.
b. Click Create to open the Create Time Range page, as shown in Figure
1-149.
Figure 1-149 Create Time Range
Table 1-98 Create Time Range

Time range name Indicates the name of the created

time range. It is mandatory.

Switches
Time Range Indicates a validity period.

A validity period contains the start
time and the end time. You can
configure multiple validity periods
by clicking . To delete validity
periods, select the records you
want to delete and click .
NOTE
If only one validity period is created,
the validity period takes effect when
the current time is within it.
Validity Time Indicates the periodic time range.

A periodic time range takes effect
on a certain day in a week. You
can configure multiple periodic
time ranges by clicking . To
delete time ranges, select the
records you want to delete and
click .
NOTE
If only one periodic time range is
created, the time range takes effect
when the current time is within the
periodic time range.
c. Set the required parameters.

NOTE
● If an effective period contains both time range and validity time, the effective
period takes effect only when the current time is within the time range and
validity time.
● The start time and end time of the time range can be earlier than the current
time.
● Either the time range or validity time must be set.
d. Click OK.
● Modify a time range.
b. Click a time range name to open the Modify Time Range page, as

Switches
Figure 1-150 Modify Time Range
NOTE

● The time range name cannot be modified.
● The time range and validity time can only be deleted, but cannot be modified.
c. Set the required parameters.
d. Click OK.
● Delete a time range.
b. Select a record that you want to delete and click Delete. The system asks
you whether to delete the record.
NOTE
● To select a record, click the checkbox of the record.

● To delete records in batches, click the checkboxes of records.
c. Click OK.
----End
1.4.5.2 ACL Reference

This section describes how to reference ACLs.

Switches
1.4.5.2.1 Interface ACL
Context
After creating an ACL, apply it to an interface to filter packets based on interfaces.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference and click the
Interface ACL tab, as shown in Figure 1-151.
Figure 1-151 Interface ACL
port area:
deselect the port.
Step 3 Configure the inbound and outbound ACL numbers.

1. Click New.
2. In the dialog box that is displayed, select an ACL number and click OK, as

Switches
Figure 1-152 Select ACL
Step 4 After setting the parameters, click Apply.
----End
1.4.5.2.2 VLAN ACL
Context
After creating an ACL, apply it to a VLAN to filter packets based on VLANs.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference and click the VLAN
ACL tab, as shown in Figure 1-153.

Switches
Figure 1-153 VLAN ACL
Step 2 Select a VLAN ID.
Step 3 Configure the inbound and outbound VLAN ACL numbers.
1. Click .
2. In the dialog box that is displayed, select an ACL number and click OK, as
Figure 1-154 Select ACL

Switches
3. Click to apply the ACL to a VLAN.
Step 4 After setting the parameters, click Apply.
----End
1.4.5.2.3 WLAN ACL
Context
An ACL applied on a traffic profile allows you to control packets from STAs
associated with an AP. An ACL applied on a wired port profile allows you to
control packets from wired users associated with an AP.
Procedure
Step 1 Choose Configuration > Security Services > ACL Reference > WLAN ACL. The
WLAN ACL page is displayed.
Step 2 Set Profile type.
Step 3 Set Profile name.
Step 4 Click below IPv4 Packet Filtering to select an egress or ingress ACL.
Step 5 Click Apply.
----End
1.4.5.3 AAA
This section describes the AAA configurations.
1.4.5.3.1 Authentication Profile
Procedure
● Create an authentication profile.
a. Choose Configuration > Security Services > AAA and click the
Authentication Profile tab, as shown in Figure 1-155.

Switches
Figure 1-155 Authentication Profile
b. Click Create. The Create Authentication Profile page is displayed, as

Figure 1-156 Create Authentication Profile
c. Fill in the profile name.

d. Click OK. The parameter setting page of the new authentication profile is
Figure 1-157 Authentication Profile

Switches
Table 1-99 Parameters for creating an authentication profile
Prevent new auth info from Whether the newly delivered

overwriting previous one authentication information
overwrites all the original
authentication information.
Security string delimiter Security character string separator.
e. Set parameters for authentication profile.

f. Click Apply. In the dialog box that is displayed, click OK.
● Modify an authentication profile.
Authentication Profile tab.
b. Click the name of the authentication profile you want to modify on the
Authentication Profile List page to open the authentication profile
configuration page.
c. Set parameters for modifying the authentication profile. Table 1-99
describes the parameters for modifying an authentication profile.
d. Click Apply. In the dialog box that is displayed, click OK.
● Delete an authentication profile.
b. Select the name of the profile you want to delete on the Authentication
Profile List page and click Delete. The system asks you whether to
delete the record.
NOTE

c. Click OK.
● Display the profile reference relationship.
b. Select the profile of which you want to display the reference relationship
and click Display Reference Relationship. The system displays the types
and names of the objects that reference the profile.
NOTE
Click Hide Reference Relationship. The system hides the displayed results.
● Configure a profile referenced in the authentication profile.
The following profiles can be referenced in the authentication profile: 802.1X

profile, Portal profile, MAC access profile, authentication-free rule profile, and
domain profile.

Switches
b. Click on the left of Authentication Profile List. The system displays
the authentication profile names. Click on the left of an authentication
profile name. The profiles referenced by this profile are displayed in the
navigation area.
c. Click any profile referenced by the authentication profile. The
configuration page of the referenced profile is displayed on the right. You
can select another profile from the drop-down list or click Create to
create a profile, and set the profile parameters. For descriptions of the
profile parameters, see its configuration page.
d. Click Apply. In the dialog box that is displayed, click OK.
----End
1.4.5.3.2 Authentication/Authorization/Accounting Scheme
Procedure
● Configure an authentication scheme.
– Create an authentication scheme.
i. Choose Configuration > Security Services > AAA and click the
Authentication/Authorization/Accounting Scheme tab, as shown
in Figure 1-158.
Figure 1-158 Authentication/Authorization/Accounting scheme
ii. Click Create in Authentication Scheme List to open the Create

Authentication Scheme page, as shown in Figure 1-159.

Switches
Figure 1-159 Create Authentication Scheme
Table 1-100 Parameters on the Create Authentication Scheme

page
Item Description
Authentication scheme name Specifies the name of an

authentication scheme.
First authentication The value can be RADIUS,

HWTACACS, Local, or Non-
authentication.
Second authentication The value can be a mode except

the first authentication mode.
When the authentication server
of the first authentication mode
does not respond, the second
authentication mode is
triggered.
When the first authentication
mode is no authentication, the
second authentication mode
cannot be configured.
Third authentication The value can be a mode except

the first and second
authentication modes. When
the authentication servers of
authentication modes do not
respond, the third
triggered.
When the second authentication
mode is no authentication or
not configured, the third
authentication mode cannot be
configured.

Switches
Item Description
Fourth authentication The value can be no

authentication or not
configured. When the
authentication servers of the
first, second, and third
authentication modes do not
respond, the fourth
triggered.
When the third authentication
mode is no authentication or
not configured, the fourth
authentication mode cannot be
configured.
NOTE
If non-authentication is configured, a user passes the authentication using any

user name or password. Therefore, to protect the device or network security, you
are advised to enable authentication, allowing only the authenticated users to
access the device or network.
iii. Set parameters for the authentication scheme.
iv. Click OK.
– Modify the authentication scheme.
Authentication/Authorization/Accounting Scheme tab.
ii. Click the authentication scheme that you want to modify in
Authentication Scheme List.
iii. Set parameters for the authentication scheme. Table 1-100 describes
the parameters on the page.
iv. Click OK.
● Configure an authorization scheme.
– Create an authorization scheme.
ii. Click Create in Authorization Scheme List to open the Create
Authorization Scheme page, as shown in Figure 1-160.
Figure 1-160 Create Authorization Scheme

Switches
Table 1-101 Parameters on the Create Authorization Scheme page
Item Description
Authorization scheme name Specifies the name of an

authorization scheme.
First authorization The value can be HWTACACS,

If-authenticated, Local, or Non-
authorization.
Second authorization The value can be a mode except

the first authorization mode.
When the authorization server
of the first authorization mode
does not respond, the second
authorization mode is triggered.
When the first authorization
mode is no authorization, the
second authorization mode
cannot be configured.
Third authorization The value can be a mode except

authorization modes. When the
authorization servers of the first
and second authorization
modes do not respond, the third
When the second authorization
mode is no authorization or not
configured, the third
authorization mode cannot be
configured.
Fourth authorization The value can be no

authorization or not configured.
When the authorization servers
of the first, second, and third
authorization modes do not
respond, the fourth
When the third authorization
mode is no authorization or not
configured, the fourth
authorization mode cannot be
configured.
iii. Set parameters for the authorization scheme.

Switches
iv. Click OK.

– Modify the authorization scheme.
ii. Click the authorization scheme that you want to modify in
Authorization Scheme List.
iii. Modify parameters for the authorization scheme. Table 1-101
describes the parameters on the page.
iv. Click OK.
● Configure the accounting scheme.
– Create an accounting scheme.
ii. Click Create in Accounting Scheme List to open the Create
Accounting Scheme page, as shown in Figure 1-161.
Figure 1-161 Create Accounting Scheme
Table 1-102 Parameters on the Create Accounting Scheme page

Item Description
Accounting scheme name Specifies the name of an

accounting scheme.
Accounting mode Indicates the accounting mode.

● Non-accounting
● RADIUS accounting
● HWTACACS accounting
iii. Set parameters for the accounting scheme.

iv. Click OK.
– Modify the accounting scheme.

Switches
ii. Click the accounting scheme that you want to modify in Accounting
Scheme List.
iii. Modify parameters for the accounting scheme. Table 1-102 describes
the parameters on the page.
iv. Click OK.
----End
1.4.5.3.3 Service Scheme
Context
Access users must obtain authorization information before they can go online.
Authorization information about users can be managed by configuring a service
scheme.
Procedure
● Create a service scheme profile.
a. Choose Configuration > Security Services > AAA and click the Service
Scheme tab, as shown in Figure 1-162.
Figure 1-162 Service Scheme
b. Click Create to open the Create Service Scheme page, as shown in

Figure 1-163.
Figure 1-163 Create Service Scheme

Switches
Table 1-103 Service Scheme Creation

Server scheme name Indicates the name of the service

scheme.
Administrator priority Indicates the administrator level.
Primary DNS server Indicates the IP address of the

primary DNS server.
Secondary DNS server Indicates the IP address of the

secondary DNS server.
User VLAN Specifies the user VLAN.
UCL group Select a UCL group to be bound.
QoS profile Indicates the QoS profile. Select

the following operations:
● To select a QoS profile, click .
● To set parameters for the QoS
profile, click . After the
configuration is complete, click
OK.
● To modify a QoS profile, click
.
● To delete a QoS profile, click .
Idle user disconnection Specifies the action taken on a

user when the user does not
perform any operation within a
period of time.
● Based on uplink traffic:
indicates that the action takes
effect for only upstream traffic
of the user.
● Based on downlink traffic:
indicates that the action takes
effect for only downstream
traffic of the user.
● Based on uplink and downlink
traffic: indicates that the action
takes effect for both upstream
and downstream traffic of the
user.
● Close: indicates that the idle-
cut function is disabled.
c. Set parameters for the service scheme profile.

Switches
d. Click OK.
● Modify a service scheme profile.
Scheme tab.
b. Click the service scheme profile that you want to modify. The settings of
the service scheme profile are displayed.
c. Set parameters for the service scheme profile. Table 1-103 describes the
parameters for modifying a service scheme profile.
d. Click OK.
● Delete a service scheme profile.
Scheme tab.
b. Select the profile that you want to delete and click Delete. The system
asks you whether to delete the record.
NOTE

c. Click OK.
----End
1.4.5.3.4 External Portal Server
Procedure
● Set the maximum number of Portal authentication users.
a. Choose Configuration > Security Services > AAA and click the External
Portal Server tab, as shown in Figure 1-164.
Figure 1-164 External Portal Server
b. Set the maximum number of concurrent Portal authentication users in

Maximum number of STAs.
c. Click Apply. In the dialog box that is displayed, click OK.
● Create a Portal authentication server.
Portal Server tab.
b. Click Create. The Create Authentication Server page is displayed, as

Switches
Figure 1-165 Create Authentication Server
Table 1-104 Parameters for creating a Portal authentication server
Server name Indicates the name of a Portal

authentication server.
Server IP Indicates the IP address of the

Portal server.
Shared key Indicates the shared key that the

device uses to exchange
information with the Portal server.
Confirm shared key Enter the shared key again.
Packet port number Indicates the port number that the

device uses to listen on Portal
protocol packets.
URL Indicates the URL of the Portal

server.
URL profile
The following parameters are valid when URL profile is selected.
URL Indicates the redirection URL or

pushed URL
LSW-IP Indicates the IP address of the

switch carried in the URL.
LSW-MAC Indicates the MAC address of the

switch carried in the URL.

Switches
User access URL Indicates the original URL that a

user accesses carried in the URL.
User MAC Indicates the user MAC address

carried in the URL.
User IP Indicates the user IP address

carried in the URL.
System name Indicates the device system name

carried in the URL.
AP-IP Indicates the AP IP address carried

in the URL.
AP-MAC Indicates the AP MAC address

carried in the URL.
SSID Indicates the SSID that users

associate with.
MAC address format ● No separator

● normal: sets the MAC address
format to XXXX-XXXX-XXXX.
You can specify a character as
the delimiter.
● compact: sets the MAC address
format to XX-XX-XX-XX-XX-XX.
You can specify a character as
the delimiter.
Separator Indicates the separator, which

contains one character.
c. Set parameters for authentication server.

d. Click OK.
● Modify a Portal authentication server.
Portal Server tab.
b. Click the name of the authentication server that you want to modify. The
authentication server modification page is displayed.
c. Modify parameters for authentication server. Table 1-104 describes the
parameters for modifying an authentication server.
d. Click OK.
● Delete an authentication server.
Portal Server tab.
b. Select the authentication server name and click Delete. The system asks

Switches
NOTE

c. Click OK.
----End
1.4.5.3.5 Built-In Portal Server
Procedure
● Create a built-in Portal server.
a. Choose Configuration > Security Services > AAA and click the Built-In
Portal Server tab, as shown in Figure 1-166.
Figure 1-166 Built-In Portal Server

Switches
Table 1-105 Built-in Portal server

Server IP Indicates the IP address of the

Portal server. Users are then
redirected to the Portal server if
they enter URLs that are not
located in the free IP subnet.
NOTE
● The IP address assigned to the
built-in Portal server must have a
reachable route to the user.
● The built-in Portal server cannot
use the gateway IP address of the
device interface connected to
clients.
● It is recommended that a
loopback interface address be
assigned to the built-in Portal
server because the loopback
interface is stable. Additionally,
packets destined for loopback
interfaces are not sent to other
interfaces on the network;
therefore, system performance is
not deteriorated even if many
users request to go online.
SSL policy SSL policy used by a built-in Portal
server. Click and select an

SSL policy, Click to delete the
selected SSL policy.
Port number Indicates the port that provides

the authentication service on the
Portal server.
Authentication mode Indicates the authentication mode

including PAP and CHAP. You are
advised to use the CHAP with high
security.
Page file package Indicates the file in .zip format.

The file contains web pages that
users access during
authentication.
b. Set parameters for authentication server.

c. Click Apply.
d. Click OK in the displayed dialog box.
----End

Switches
1.4.5.3.6 RADIUS
Context
RADIUS protects a network from unauthorized access. It is often used on the
networks that require high security and remote user access control.
Procedure
● Configure a RADIUS server profile.
– Create a RADIUS server profile.
RADIUS tab, as shown in Figure 1-167.
Figure 1-167 RADIUS configuration
ii. Click Create in RADIUS Server Profile to open the Create RADIUS
Server Profile page, as shown in Figure 1-168.
Figure 1-168 Create RADIUS Server Profile
Table 1-106 Create RADIUS server profile
Profile name Indicates the name of a RADIUS

server profile.

Switches
Key Indicates the shared key for the

RADIUS server.
Confirm key Indicates the confirmed shared

key of the RADIUS server.
User name Indicates whether the device

encapsulates the domain name
in the user name when sending
RADIUS packets to a RADIUS
server.
Original user name configures
the device not to modify the
user name entered by the user
in the packets sent to the
RADIUS server.
Mode ● Active/Standby mode: The

server with the largest
weight value functions as the
active server, other servers
function as standby servers.
A standby server with a
larger weight value has a
higher priority.
● Load balancing mode: When
configuring authentication or
accounting servers, distribute
authentication or accounting
requests to servers according
to weights of the servers.
iii. Set parameters for the RADIUS server.

iv. Click OK.
– Modify a RADIUS server profile.
RADIUS tab.
ii. Select a RADIUS server profile in RADIUS Server Profile to open the
RADIUS server profile modification page.
iii. Modify the parameters of the RADIUS server profile. Table 1-106
describes the parameters for modifying a spectrum profile.
iv. Click OK.
● Configure an authentication/accounting server.
– Create an authentication/accounting server.
RADIUS tab.

Switches
ii. Click Create in Authentication/Accounting Server to open the

Create Authentication/Accounting Server page, as shown in Figure
1-169.
Figure 1-169 Create Authentication/Accounting Server
Table 1-107 Create Authentication/Accounting Server
Profile name Indicates the name of the

created RADIUS server profile.
Server type Indicates the RADIUS server

type: Authentication Server or
Accounting Server.
IP address/port number Indicates the IP address and

port number of the
server.
Source IP address Indicates the source IP address

of the authentication/
accounting server.
Weight Indicates the weight of the

server.
iii. Set parameters for the authentication/accounting server.

iv. Click OK.
– Modify an authentication/accounting server.
RADIUS tab.
ii. Select the authentication/accounting server in Authentication/
Accounting Server.
iii. Modify parameters for the authentication/accounting server. Table
1-107 describes the parameters for modifying a spectrum profile.
iv. Click OK.

Switches
● Configure an authorization server.

– Create an authorization server.
RADIUS tab.
ii. Click Create in Authorization Server to open the Create
Authorization Server page, as shown in Figure 1-170.
Figure 1-170 Create Authorization Server
Table 1-108 Create authorization server

Authorization server IP address Indicates the IP address of an

authorization server.

created RADIUS server profile.
key Indicates the shared key of the

RADIUS authorization server.

key of the RADIUS authorization
server.
iii. Set parameters for authorization server.

iv. Click OK.
– Modify an authorization server.
RADIUS tab.
ii. Select the authentication server in Authorization Server.
iii. Modify parameters for authorization server. Table 1-108 describes
the parameters for modifying an authorization server.
iv. Click OK.
----End

Switches
1.4.5.3.7 HWTACACS
Context
HWTACACS prevents unauthorized users from attacking a network and supports
command-line authorization. Compared with RADIUS, HWTACACS is more reliable
in transmission and encryption, and is more suitable for security control.
Procedure
● Enable or disable HWTACACS.
HWTACACS tab, as shown in Figure 1-171.
Figure 1-171 HWTACACS configuration
b. Set the HWTACACS function status of ON or OFF.

c. Click Apply. In the dialog box that is displayed, click OK.
● Configure an HWTACACS server profile.
– Create an HWTACACS server profile.
HWTACACS tab.
ii. Click Create in HWTACACS Server Profile to open the Create
HWTACACS server profile page, as shown in Figure 1-172.
Figure 1-172 Create HWTACACS server profile

Switches
Table 1-109 Create HWTACACS server profile

Profile name Indicates the name of an

HWTACACS server profile.
key Indicates the shared key for the

HWTACACS server.

key of the HWTACACS server.
User name Indicates whether the device

encapsulates the domain name
in the user name when sending
HWTACACS packets to an
HWTACACS server.
Original user name configures
the device not to modify the
user name entered by the user
in the packets sent to the
HWTACACS server.
iii. Set parameters for the HWTACACS server.

iv. Click OK.
– Modify an HWTACACS server profile.
HWTACACS tab.
ii. Select an HWTACACS server profile in HWTACACS Server Profile to
open the HWTACACS server profile modification page.
iii. Modify parameters for the HWTACACS server. Table 1-109 describes
the parameters for modifying an HWTACACS server profile.
iv. Click OK.
● Configure an authentication/authorization/accounting server.
– Create an authentication/authorization/accounting server.
HWTACACS tab.
ii. Click Create in Authentication/Authorization/Accounting Server
to open the Create Authentication/Authorization/Accounting
Server page, as shown in Figure 1-173.

Switches
Figure 1-173 Create Authentication/Authorization/Accounting Server
Table 1-110 Parameters for creating an authentication/

authorization/accounting server

created HWTACACS server
profile.
Server type Indicates the HWTACACS server

type: Authentication/
Authorization/Accounting
server.
Primary server IP address Indicates the IP address of the

primary authentication/
authorization/accounting server.
Primary server port number Indicates the port number of

the primary authentication/
Secondary server IP address Indicates the IP address of the

secondary authentication/
Secondary server port number Indicates the port number of

the secondary authentication/
iii. Set parameters for the authentication/authorization/accounting

server.
iv. Click OK.
– Modify an authentication/authorization/accounting server.
HWTACACS tab.
ii. Select the authentication/authorization/accounting server in
Authentication/Authorization/Accounting Server.
iii. Modify parameters for the authentication/authorization/accounting
server. Table 1-110 describes the parameters for modifying an
authentication/authorization/accounting server.

Switches
iv. Click OK.
----End
1.4.5.3.8 Local User
Procedure
● Create a local user.
a. Choose Configuration > Security Services > AAA and click the Local
User tab, as shown in Figure 1-174.
Figure 1-174 Local user
b. Click Create to open the Create User page, as shown in Figure 1-175.
Table 1-111 Create user
User name Indicates a new user name.
Password Indicates a new password.
Confirm password Confirms the password. The

format of this parameter is the
same as that of Password.

Switches
User type Indicates the user level. Users at

different levels have different
access rights.
User status Indicates the state of a local user.

● Activate: the device accepts
and processes the
authentication request from
the user.
● Block: the device rejects the
authentication request from
the user.
NOTE
If a user has established a connection
with the device, when the user is set
in blocking state, the connection still
takes effect but the device rejects
subsequent authentication requests
from the user.
Forcible logout Indicates whether to forcibly

disconnect users.
NOTE
This option is available when you
modify a user.
Access mode Indicates the access type. After

you specify the access type of a
user, only the users of the
specified access type can log in.
c. Set parameters for the local user.

d. Click OK.
● Modify a local user.
User tab.
b. Click the name of the user that you want to modify.
c. Set parameters for modifying the user. Table 1-111 describes the
parameters for modifying a local user.
d. Click OK.
● Delete a local user.
User tab.
b. Select a record that you want to delete and click Delete. The system asks

Switches
NOTE

c. Click OK.
----End
1.4.5.3.9 Advanced Settings
Procedure
● Configure 802.1X authentication globally.
Advanced Settings tab, as shown in Figure 1-176.
Figure 1-176 Advanced Settings
b. Set parameters in 802.1X Authentication Global Settings. Table 1-112

describes the parameters on this page.
Table 1-112 Parameters for configuring 802.1X authentication globally

Quiet timer Indicates whether to start the

quiet timer.

Switches
Maximum authentication failures Indicates the maximum number of

before the switch quiets a user times that a user fails
authentication before the quiet
function is enabled. When the
number of times that a user fails
802.1X authentication within 60s
reaches the value set in
Maximum authentication
failures before the switch quiets
a user, the device keeps the user
quiet for a period of time.
Quiet timer value (s) Indicates the quiet period. During

the quiet period of an 802.1X
authentication user, the device
discards the 802.1X authentication
request packets from the user.
c. Click Apply.
d. In the dialog box that is displayed, click OK.
● Configure Portal authentication globally.
b. Set parameters in Portal Authentication Global Settings. Table 1-113
describes the parameters on this page.
Table 1-113 Parameters for configuring Portal authentication globally

Quiet timer Indicates whether to start the

quiet timer.

Portal authentication within 60s
reaches the value set in

Switches
Quiet timer value (s) Indicates the quiet period. During

the quiet period of a Portal
authentication user, the device
discards the Portal authentication
request packets from the user.
Port number in Portal packets Indicates the port number used by

the device to listen on Portal
protocol packets.
Transparent transmission of Indicates whether to enable

authentication information transparent transmission of
authentication information.
Portal version Indicates the version of the Portal

protocol.
Upper alarm threshold percentage Indicates the upper alarm

(%) threshold percentage of Portal
authentication user quantity,
which must be greater than or
equal to Lower alarm threshold
percentage.
Lower alarm threshold percentage Indicates the lower alarm

(%) threshold percentage of Portal
authentication user quantity.
c. Click Apply.
● Configure MAC address authentication globally.
b. Set parameters in MAC Address Authentication Global Settings. Table
1-114 describes the parameters on this page.

Switches
Table 1-114 Parameters for configuring MAC address authentication

globally

MAC address authentication
within 60s reaches the value set in
Quiet timer value (s) Indicates the value of the quiet

timer. When a user fails
authentication, the device keeps
the user quiet for a period before
processing the authentication
request from the user. During the
quiet period, the device does not
process authentication requests
from the user.
c. Click Apply.
● Enable the CNA bypass function for iOS terminals.
b. Set Enable the CNA bypass function for iOS terminals in Others to
ON.
c. Click Apply.
----End
1.4.5.3.10 Free Mobility
Procedure
Step 1 Choose Configuration > Security Services > AAA and click the Free Mobility tab.
Step 2 Set Free mobility status to ON to open the Free Mobility page, as shown in
Figure 1-177.

Switches
Figure 1-177 Enable Free Mobility
Table 1-115 Parameters for enabling Free Mobility
Item Description
Free mobility status Enables Free mobility:

● ON
● OFF
Controller server IP Configures an IP address for the primary controller.
Backup controller Configures an IP address for the backup controller.

server IP
Connection password Configures the password used by the device to set up a

connection with the controller.
The value is a string of 8 to 32 characters.
Confirm connection Confirms the password used by the device to set up a

password connection with the controller.
Source IP address Specifies the source IP address for the communication

between switch and controller.
Step 3 Configure the parameters.
Step 4 Click Apply.
----End
1.4.5.4 AAA Service App

This section describes the AAA configurations.
1.4.5.4.1 Wired Interface Authentication

This section describes how to apply an authentication profile to interfaces.

Switches
Procedure
● Physical Interface Authentication
a. Choose Configuration > Security Services > AAA Service App and click
the Wired Interface Authentication tab, as shown in Figure 1-178.
Figure 1-178 Wired Interface Authentication
b. Select an interface.
c. Select an authentication profile from Authentication profile to bind to
an interface.
d. Click Apply.
● VLAN Authentication
a. Choose Configuration > Security Services > AAA Service App and click
the Wired Interface Authentication tab, as shown in Figure 1-178.
b. Click to select VLAN ID.

c. Select an authentication profile from Authentication profile to bind to a
vlan.
d. Click Apply.
----End
1.4.5.4.2 Wireless Interface Authentication
Procedure
Step 1 Choose Configuration > Security Services > AAA Service App. Click the Wireless
Interface Authentication tab, as shown in Figure 1-179.

Switches
Figure 1-179 Wireless Interface Authentication tab
Step 2 Select an AP group.

Step 3 Select a VAP.
Step 4 Select an authentication profile.
Step 5 Click Apply.
----End
1.4.5.5 AAA Profile Mgmt
1.4.5.5.1 802.1X Profile
Context
You can configure 802.1X authentication to implement interface-based network
access control, that is, to authenticate and control users connected to an interface
of an access control device.
Procedure
● Create an 802.1X profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt >
802.1X Profile. The 802.1X Profile List page is displayed.
b. Click Create. The Create 802.1X Profile page is displayed.
c. Enter the name of the new 802.1X profile in Profile name.
d. Click OK. The parameter setting page for creating an 802.1X profile is

Switches
Figure 1-180 The parameter setting page for creating an 802.1X profile
e. Set parameters for creating an 802.1X profile. Table 1-116 describes the
parameters for creating an 802.1X profile.
Table 1-116 802.1X profile parameters

802.1X Profile Name of the new 802.1X profile,

which cannot be modified.
User authentication mode User authentication mode. The

options are as follows:
● CHAP: Challenge Handshake
Authentication Protocol
● PAP: Password Authentication
Protocol
● EAP: Extensible Authentication
Protocol
Reauthentication Whether to enable the periodical

re-authentication function.
Reauthentication interval (s) 802.1X re-authentication interval.

This option is available when
Reauthentication is enabled.
Maximum authentication requests Maximum number of 802.1X

authentication requests. The
default value is recommended.
Authentication timeout interval 802.1X authentication timeout

(s) interval.
Authentication request interval (s) Interval for sending 802.1X

authentication requests.
EAP packet code number Code number in EAP packets sent

in response to user requests.

Switches
EAP packet data type Data type in EAP packets sent in

response to user requests.
f. Click Apply. In the Info dialog box that is displayed, click OK.
● Modify an 802.X profile.
b. Click the 802.1X profile to modify. The 802.1X profile configuration page
is displayed.
c. Set parameters for modifying an 802.1X profile. Table 1-116 describes
the parameters for modifying an 802.1X profile.
d. Click Apply. In the Info dialog box that is displayed, click OK.
● Delete an 802.1 X profile.
b. Select the profile that you want to delete and click Delete. In the
Confirm dialog box that is displayed, click OK.
NOTE
----End
1.4.5.5.2 Portal Profile
Context
In Portal authentication, users do not need a specific client. The Portal server
provides users with free Portal services and a Portal authentication page.
Procedure
● Create a Portal profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > Portal
Profile. The Portal Profile List page is displayed.
b. Click Create. The Create Portal Profile page is displayed.
c. Enter the name of the new Portal profile in Profile name.
d. Click OK. The parameter setting page for creating a Portal profile is

Switches
Figure 1-181 The parameter setting page for creating a Portal profile
e. Set parameters for creating a Portal profile. Table 1-117 describes the
parameters for creating a Portal profile.
Table 1-117 Portal profile parameters

Portal Profile Name of the Portal profile, which

cannot be modified.
Portal authentication Portal authentication mode.
Built-in portal server anonymous Whether to enable the

login anonymous login function for
users authenticated through the
built-in Portal server.
Built-in portal server Whether to enable the built-in

Portal server.
Active server External active Portal server.
Standby server External standby Portal server.
Authentication mode Authentication mode of the

external Portal server.

Switches
Source authentication network Enter the source authentication

segment/mask network segment and mask of the
external Portal server and click
. To delete the source
authentication network segment
and mask, select the source
authentication network segment
and mask that you want to delete
and click .
This parameter is available when
Authentication mode is set to
Layer 3 authentication.
User reauth when Portal server Whether to reauthenticate users

goes Up going online when the external
Portal server is Down after the
Portal server recovers. After the
reauthentication function is
enabled, the device assigns
normal network access rights to
the users passing the
reauthentication.
● Modify a Portal profile.
b. Click the Portal profile to modify. The Portal profile configuration page is
displayed.
c. Set parameters for modifying a Portal profile. Table 1-117 describes the
parameters for modifying a Portal profile.
● Delete a Portal profile.

Switches
NOTE
----End
1.4.5.5.3 MAC Authentication Profile
Context
MAC address authentication controls network access permissions of a user based
on the access interface and MAC address of the user. The user does not need to
install any client software. The user name and password are the MAC address of
the user device. After detecting the MAC address of a user for the first time, a
network device starts authenticating the user.
Procedure
● Create a MAC authentication profile.
a. Choose Configuration > Security Services > AAA Profile Mgmt > MAC
Authentication Profile. The MAC Authentication Profile List page is
displayed.
b. Click Create. The Create MAC Authentication Profile page is displayed.
c. Enter the name of the new MAC authentication profile in Profile name.
d. Click OK. The parameter setting page for creating a MAC authentication
profile is displayed, as shown in Figure 1-182.
Figure 1-182 The parameter setting page for creating a MAC

authentication profile
e. Set parameters for creating a MAC authentication profile. Table 1-118

describes the parameters for creating a MAC authentication profile.
Table 1-118 MAC authentication profile parameters
MAC Authentication Profile Name of the MAC authentication

profile, which cannot be modified.
Reauthentication Whether to enable

reauthentication.

Switches
Reauthentication interval (s) Interval of MAC address

reauthentication.
This option is available when
Reauthentication is enabled.
User name mode The MAC address or fixed user

name is used for authentication.
MAC address Whether the MAC address

contains the hyphen (-).
This option is available when User
name mode is set to MAC
address.
User name User name for MAC address

authentication.
This option is available when User
name mode is set to Fixed user
name.
Configure password Password in MAC address

authentication.
Confirm password Confirm password in MAC address

authentication.
● Modify a MAC authentication profile.
displayed.
b. Click the MAC authentication profile to modify. The MAC authentication
profile page is displayed.
c. Set parameters for modifying a MAC authentication profile. Table 1-118
describes the parameters for modifying a MAC authentication profile.
● Delete a MAC authentication profile.
displayed.
displayed.

Switches
NOTE
----End
1.4.5.5.4 Authentication-free Rule Profile
Procedure
● Create an authentication-free rule profile.
Authentication-free Rule Profile. The Authentication-free Rule Profile
b. Click the authentication-free rule profile default_free_rule. The
Authentication-free Rule page is displayed.
c. Click Create. The Create Authentication-free Rule page is displayed, as
Figure 1-183 The Create Authentication-free Rule page

Switches
d. Set parameters for creating an authentication-free rule profile. Table

1-119 describes the parameters for creating an authentication-free rule
profile.
Table 1-119 Authentication-free rule profile parameters
Rule ID ID of the authentication-free rule.
Source IP
If packets from Portal authentication users match the following
parameters under Source IP, Portal authentication users do not need
to pass authentication, and can access network resources configured
under Destination IP.
Authentication-free Whether authentication-free is

performed for the source IP
address. If this parameter is
selected, any condition is
matched.
IP address Source IP address in the

authentication-free rule. If
Specified is specified, the IP
address and mask need to be
configured.
Mask The mask and IP address specify a

network segment.
Destination IP
Network resource range that authentication-free users can access.
Authentication-free Whether authentication-free is

performed for the destination IP
address. If this parameter is
selected, any condition is
matched.
IP address Destination IP address in the

authentication-free rule. If
Specified is specified, the IP
address and mask need to be
configured.
Mask The mask and IP address specify a

network segment.
Protocol type Type of the protocol that users are

allowed to access.
Destination port number Destination port number that

users are allowed to access.

Switches
e. Click OK.
● Delete an authentication-free rule profile.
Authentication-free Rule Profile > default_free_rule. The
Authentication-free Rule List page is displayed.
Authentication-free Rule Profile. The Authentication-free Rule Profile
NOTE
----End
1.4.5.5.5 Domain Profile
Context
The created authentication and authorization schemes take effect only after being
applied to a domain.
Procedure
● Create a domain profile.
Domain Profile. The Domain Profile List page is displayed.
b. Click Create. The Create Domain Profile page is displayed.
c. Enter the name of the new domain profile in Profile name.
d. Click OK. The parameter setting page for creating a domain profile is
Figure 1-184 The parameter setting page for creating a domain profile

Switches
e. Set parameters for creating a domain profile. Table 1-120 describes the
parameters for creating a domain profile.
Table 1-120 Domain profile parameters

Authentication scheme Selects a created authentication

scheme.
Authorization scheme Selects a created authorization

scheme.
Accounting scheme Selects a created accounting

scheme.
Service scheme Selects a created service scheme.
RADIUS server profile Selects a created RADIUS profile.
HWTACACS server profile Selects a created HWTACACS

profile.
● Modify a domain profile.
b. Click the domain profile to modify. The domain profile page is displayed.
c. Set parameters for modifying a domain profile. Table 1-120 describes the
parameters for modifying a domain profile.
● Delete a domain profile.
NOTE
----End

Switches
1.4.6 Fast WLAN Config (S5720HI in Standalone Mode)

NOTE

1.4.6.1 AC
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the basic AC attributes are configured.
Procedure
Step 1 Choose Configuration > Fast WLAN Config > AC. The AC quick configuration
page is displayed.
Step 2 Configure a network interface.

1. Click the name of the target network interface on the 1. Configure Ethernet
Interface page.
2. Configure the parameters in the displayed window. For description of the

parameters, see Table 1-121.

Switches
Table 1-121 Network interface parameters
Interface name Interface name.
Default VLAN Default VLAN of the interface.
Link type Link type of the interface.
Added VLAN ID ID of the VLAN to which the interface belongs.
NOTE
Enter the VLAN ID, click , and specify a mode (Tagged or Untagged) in the displayed
window.
3. Click OK.
4. Click Next.
Step 3 Configure a virtual interface.
1. Click Create on the 2. Configure Virtual Interface page.

Table 1-122 Virtual interface parameters
Interface type Virtual interface type (VLANIF/Loopback).
VLAN ID ID of the VLAN to be created, which is valid only

when the interface type is VLANIF.
Interface number Number of the interface through which traffic in the

VLAN passes, which is valid only when the interface
type is Loopback.
Primary IP address/ Primary IP address and subnet mask of the VLANIF

mask interface.

Switches
3. Click OK.
4. Click Next.
Step 4 Configure a DHCP address pool.
1. Click Create on the 3.Configure DHCP page.

parameters, see Table 1-123 and Table 1-124.
Table 1-123 Parameters for configuring a DHCP global address pool

DHCP status Whether to enable the DHCP function globally.
Address pool type DHCP address pool type (global address pool/
interface address pool)
Address pool name Name of the global address pool. The name is a
string of 1 to 64 characters, including only numbers,
letters, dots (.), hyphens (-), and underscores (_). A
single hyphen (-) or multiple hyphens (--) alone
cannot be used as an address pool name.
Subnet address Available network segment addresses in a global

address pool.
Subnet mask Subnet mask of the IP address assigned to the DHCP

client; namely, the subnet mask of the current
interface. The gateway IP address and subnet mask
together identify the range of an interface address
pool.

Switches
Vendor-defined User-defined option for the global IP pool. The

– none: The user-defined option is not configured
for the interface IP pool.
– hex: Specifies the user-defined option code as a
hexadecimal number.
– sub-option: Specifies the value of the user-defined
sub-options and configures the parameter of the
sub-options.
▪ ascii: Specifies the user-defined option code as

an ASCII character string.
▪ hex: Specifies the user-defined option code as a

hexadecimal number.
▪ ip-address: Specifies the user-defined option

code as an IP address. One to eight IP
addresses can be specified.
Gateway IP Egress gateway IP address in a global address pool.

– To add a gateway IP address, enter a gateway IP
address and click . You can repeat this operation
to add a maximum of eight gateway IP addresses.
– To delete a gateway IP address, select a gateway
IP address and click .
Address pool Interface that can use addresses in the address pool.
interface Users going online through this interface can obtain
configuration information, such as IP addresses, from
the global address pool.
– To add an interface, select an interface and click
. To add multiple interfaces, repeat this
operation.
– To delete an interface, select an interface and click
.

Switches
Not allocated IP IP address that will not be dynamically allocated to

clients. When IP addresses are assigned to other
servers such as DNS servers, the IP addresses cannot
be assigned to DHCP clients. Specify these IP
addresses as forbidden IP addresses. This operation
avoids IP address conflicts and shortens the IP
address detection time during IP address assignment,
which improves DHCP efficiency. Perform the
following operations to add or delete forbidden IP
addresses:
– Adding forbidden IP addresses: Set the start and
end IP addresses and click . To add multiple
forbidden IP addresses or IP address segments,
repeat this operation.
– Deleting forbidden IP addresses: Select the check
boxes of forbidden IP addresses or select the check
box next to Forbidden IP, and click .
Table 1-124 Parameters for Configuring a DHCP interface address pool

DHCP status Whether to enable the DHCP function globally.
Address pool type DHCP address pool type (global address pool/
interface address pool)
Select Interface Interface of the DHCP server on which the address

pool is configured. The IP addresses in the network
segment to which the interface IP address belongs
can be allocated.
Interface IP address IP address of the current interface; namely, the

gateway address of the DHCP client.
Mask Subnet mask of the IP address assigned to the DHCP

client; namely, the subnet mask of the current
interface. The gateway IP address and subnet mask
together identify the range of an interface address
pool.

Switches
Vendor-defined User-defined option for the global IP pool. The

– none: The user-defined option is not configured
for the interface IP pool.
– hex: Specifies the user-defined option code as a
hexadecimal number.
– sub-option: Specifies the value of the user-defined
sub-options and configures the parameter of the
sub-options.
▪ ascii: Specifies the user-defined option code as

an ASCII character string.
▪ hex: Specifies the user-defined option code as a

hexadecimal number.
▪ ip-address: Specifies the user-defined option

code as an IP address. One to eight IP
addresses can be specified.
Not allocated IP IP address that will not be dynamically allocated to

clients. When IP addresses are assigned to other
servers such as DNS servers, the IP addresses cannot
be assigned to DHCP clients. Specify these IP
addresses as forbidden IP addresses. This operation
avoids IP address conflicts and shortens the IP
address detection time during IP address assignment,
which improves DHCP efficiency. Perform the
following operations to add or delete forbidden IP
addresses:
– Adding forbidden IP addresses: Set the start and
end IP addresses and click . To add multiple
forbidden IP addresses or IP address segments,
repeat this operation.
– Deleting forbidden IP addresses: Select the check
boxes of forbidden IP addresses or select the check
box next to Forbidden IP, and click .
NOTE
Gateway IP and Not allocated IP must be in the address pool. To ensure correct
configuration, the Subnet address and Subnet mask parameters of the global address
pool and the Select Interface parameter of the interface address pool can be modified or
selected only when Gateway IP and Not allocated IP are not configured.
3. Click OK.
4. Click Next.
Step 5 Configure an AC.

Switches
1. Configure the parameters on the 4. Configure AC page. For description of the

Table 1-125 AC parameters

AC source address Source interface of an AC.

NOTE
The selected source interface must have an IP address.
AP authentication Mode in which the AC authenticates APs.

mode
2. Click Next.
Step 6 Check and confirm the settings on the 5. Confirm Settings page and click Finish.
----End
1.4.6.2 AP
● Create an AP group.
a. Choose Configuration > Fast WLAN Config > AP.
b. Click Create in AP Group List.

Switches
c. Enter the name of the AP group in the displayed window, then click OK.
● Delete an AP group.
b. Select the AP group that you want to delete in AP Group List, and click
Delete.
c. Click OK in the displayed window.
● View AP configuration in an AP group.
b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.
1.4.6.2.1 Service Settings
Context
This section describes how to create an SSID as well as how to add a VAP to and
delete a VAP from an AP group.
Procedure
● Set the country code for an AP group.
a. Choose Configuration > Fast WLAN Config > AP. Select a desired AP
group in AP Group List and click the Service Settings tab.
b. Select the target country or area in the Country code drop-down list box,
and click Apply.
● Create an SSID in an AP group.

Switches
b. Click Create and configure SSID parameters in the displayed window. For
description of the parameters, see Table 1-126, Table 1-127, and Table
1-128.
Table 1-126 Basic SSID parameters

SSID SSID name.
Forwarding mode Data forwarding mode of the corresponding AP.
Service VLAN ID ID of a service VLAN.
Radio Radio to which a VAP is applied.
WLAN ID VAP corresponding to the SSID.
Table 1-127 SSID security parameters

Security Settings Security policy used on a wireless network.

● High: WPA-WPA2 802.1X
● Medium: WPA-WPA2 PSK
● Low: OPEN
Encryption mode Encryption mode of a security policy.

This parameter is valid only when Security
Settings is set to High or Medium.
Password type Password format of a security policy.

This parameter is valid only when Security
Settings is set to Medium.

Switches
Password/Confirm Encryption password of a security policy.

password This parameter is valid only when Security
Settings is set to Medium.
Table 1-128 SSID authentication parameters

Authentication Authentication mode used by an STA that

mode accesses a wireless network using the SSID.
Server IP IP address of an external RADIUS server.

This parameter is valid only when Authentication
mode is set to External RADIUS.
Port number Port number of an external RADIUS server.

mode is set to External RADIUS.
Shared key/ Shared key of an external RADIUS server.

Confirm shared This parameter is valid only when Authentication
key mode is set to External RADIUS.
Access mode Access mode of an external RADIUS server.

mode is set to Local authentication or External
RADIUS.
External Portal External Portal server, which is valid only when

Server Access mode is set to External Portal Server.
● Server name: name of an external Portal
server
● URL: interface URL of an external Portal server
● Server IP: IP address of an external Portal
server
● Port number: port number of an external
Portal server
● Shared key/Confirm shared key: shared key
of an external Portal server

Switches
Built-in Portal Built-in Portal server, which is valid only when

Server Access mode is set to Built-in Portal Server.
● Server IP: IP address of a built-in Portal server
● Port number: port number of a built-in Portal
server
● SSL policy: SSL policy used by the built-in
Portal server. To specify an SSL policy, click
MAC-prioritized If this option is selected, a MAC access profile is

bound.
This option is valid only when Access mode is set
to External Portal Server or Built-in Portal
Server.
c. Click OK.
● Add an SSID to an AP group.
b. Click Add. Configure SSID parameters in the displayed window. For
description of the parameters, see Table 1-129.
Table 1-129 SSID parameters

Select SSID SSID that has been created in another AP group.
Radio Radio associated with the SSID.
WLAN ID VAP associated with the SSID.
● Remove an SSID from an AP group.

b. Select the SSID that you want to remove and click Remove.
----End

Switches
1.4.6.2.2 AP List
Context
In the AP list, you can add APs to or delete APs from AP groups.
Procedure
● Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an
AP group.
a. Choose Configuration > Fast WLAN Config > AP. In AP Group List,
select the AP group to which you want to add APs, then click the AP List
tab.
b. Click Add. On the page that is displayed, set Mode to Select existing
APs.
c. Select APs from the list below, and click OK.

● Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to
an AP group.
tab.
b. Click Add. On the page that is displayed, set Mode to Manually add.
c. Configure AP parameters. For description of the parameters, see Table

1-130.

Switches
Keyword AP authentication mode:

● AP MAC: The AP authentication mode is MAC
address authentication.
● AP SN: The AP authentication mode is SN
authentication.
AP MAC MAC address of the new AP. This parameter is

mandatory.

This parameter is mandatory when Keyword is set
to AP SN.

This parameter is mandatory when Keyword is set
to AP SN.
NOTE

d. Click OK.
● Import APs using a template.
This operation allows you to manually add multiple APs offline to an AP

group.
NOTE
If AP authentication mode is set to SN authentication, ensure that the AP SNs have

been configured when importing APs offline.
tab.
b. Click Add. On the page that is displayed, set Mode to Batch import.
c. Click to download the batch import template to your local computer.

d. Use the network planning and optimization tool to plan the network

Switches

template.
NOTE
If you download an AP information template of the Chinese web system under an

English Windows operating system (OS), the Chinese characters in the AP information
template cannot be displayed. You can choose Start > All Programs > Microsoft
Office > Microsoft Office Tools > Microsoft Office 2003 Language Settings in the
Windows OS (take Microsoft Office 2003 as an example) and set Primary Editing
Language to Chinese(PRC) on the Editing Language tab. After completing the
setting, restart the Microsoft Office Excel and open the AP information template. The
Chinese characters in the template will be displayed normally.

AP ID AP ID. If an AP is imported not for the first time

and the MAC address of the AP is not specified,
the AP ID is mandatory; otherwise, the AP ID is
optional.
AP MAC MAC address of an AP. If the AP authentication

mode is MAC address authentication, AP MAC
must be set when the AP is imported for the first
time or the AP ID is not specified.

Radio ID Radio ID of the AP. This parameter is optional. If

you set Channel, Band Width, or Power, Radio
ID must be set.
Channel Radio channel of the AP. This parameter is

optional. If you set this parameter, Band Width
and Radio ID must be set.

Power Radio power of the AP. This parameter is optional.

If you set this parameter, Radio ID must be set.
e. Click to select the batch import template, then click Import.

f. Click OK.
----End

Switches
1.4.6.3 Mesh
a. Choose Configuration > Fast WLAN Config > Mesh.
b. Click Create in AP Group List.
c. Enter the name of the AP group in the displayed window, then click OK.
b. Select the AP group that you want to delete in AP Group List, and click
Delete.
● View AP configuration in an AP group.
b. Select an AP group in AP Group List, and you can view and manage AP
configuration on the right of the page.
1.4.6.3.1 Service Settings
Context
This section allows you to configure Mesh parameters for all APs in an AP group.
Procedure
Step 1 Choose Configuration > Fast WLAN Config > Mesh. In AP Group List, select an
AP group, then click the Service Settings tab.

Switches
Step 2 Configure Mesh parameters for all APs in the AP group. For description of the
Table 1-132 Mesh parameters
Mesh role Role of a Mesh node.

● Mesh-Portal: MPP
● Mesh-node: MP
Radio Radio used by Mesh links.

● Radio 0: 2.4 GHz
● Radio 1: 5 GHz
● Radio 2: 5 GHz
Mesh ID Mesh ID in the Mesh profile.
Bandwidth Operating bandwidth of the radio.

Radios of different AP nodes on a Mesh link must be
configured with the same bandwidth.
Channel Radio channel.

Radios of different AP nodes on a Mesh link must be
configured with the same channel.
EIRP Transmit power of a radio.
Coverage distance Radio coverage distance parameter.
Antenna gain Antenna gain of a radio.
Security policy Security policy in the Mesh profile. Currently, the Mesh
profile supports only the security policy WPA2+PSK+AES.

Switches
Key type Shared key authentication.

● PASS-PHRASE: indicates a key phrase.
● HEX: indicates a hexadecimal number.
Key Authentication key.
Confirm key Indicates the confirm key. The format is the same as
that of key.
Step 3 Configure a Mesh whitelist.

After the Mesh whitelist is bound to an AP radio, only neighboring APs with MAC
addresses in the whitelist can connect to the AP.
1. Click Edit following Mesh Whitelist.
2. Configure the Mesh whitelist in the displayed window.

– To add MAC addresses to the Mesh whitelist, enter AP MAC addresses
and click .
– To delete MAC addresses from the Mesh whitelist, select AP MAC
addresses that you want to delete and click .

Switches
3. Click OK.
Step 4 Click Apply.
----End
1.4.6.3.2 AP List
Context
In the AP list, you can add APs to or delete APs from AP groups.
Procedure
● Add existing APs to an AP group.
You can manually set parameters on the web page to add existing APs to an
AP group.
a. Choose Configuration > Fast WLAN Config > Mesh. In AP Group List,
tab.
b. Click Add. On the page that is displayed, set Mode to Select existing
APs.
c. Select APs that you want to add to the AP group from the list below, and
click OK.
● Manually add APs to an AP group.
This operation allows you to manually add a maximum of 10 APs offline to
an AP group.
tab.
b. Click Add. On the page that is displayed, set Mode to Manually add.
c. Configure AP parameters. For description of the parameters, see Table

1-133.

Switches

Keyword Keyword specified when an AP is manually added,

which can be the AP's MAC address or SN.
AP MAC MAC address of the new AP.
NOTE

d. Click OK.
● Import APs using a template.
This operation allows you to manually add multiple APs offline to an AP
group.
NOTE
If AP authentication mode is set to SN authentication, ensure that the AP SNs have

been configured when importing APs offline.
tab.
b. Click Add. On the page that is displayed, set Mode to Batch import.
c. Click to download the batch import template to your local computer.

template.

Switches
NOTE


optional.



ID must be set.



e. Click to select the batch import template, then click Import.

f. Click OK.
----End

Switches
1.4.7 Wireless Services (S5720HI)

NOTE

1.4.7.1 AC Config
1.4.7.1.1 AC Configuration
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the AC basic parameters are configured.
Procedure
Step 1 Choose Configuration > Wireless Services > AC Config > AC Configuration. The
AC Configuration page is displayed.
Step 2 Configure AC basic parameters. The following table describes the AC basic
parameters.
Table 1-135 AC basic parameters
AC source address Source interface of the AC.

● VLANIF: A VLANIF interface is used as the source
interface.
● Loopback: A Loopback interface is used as the source
interface.
NOTE
The selected source interface must have an IP address.
To delete the AC's source interface, click .
AP data buffer Whether to enable the AC to buffer AP data.

Switches
Buffer duration Period during which an AC buffers AP data. The

parameter takes effect only when you set AP data
buffer to ON.
AP authentication Authentication mode used to authenticate APs. By

mode default, the AC authenticates APs using MAC address
authentication.
● MAC address authentication: The AP authentication
mode can be set to MAC address authentication.
● SN authentication: The AP authentication mode can
be set to SN authentication.
● Non-authentication: The AP authentication mode can
be set to non-authentication.
NOTE
When the parameter is set to MAC address authentication or
SN authentication, you can click Add AP to add APs manually
or import APs in batches. For details, see 1.4.7.3.1 AP Info.
Table 1-136 AC advanced parameters

Priority of CAPWAP Priority of CAPWAP management packets sent from an

management AC to AP.
packets from AC to
AP
Priority of CAPWAP Priority of CAPWAP management packets sent from an

management AP to AC.
packets from AP to
AC
Allow AP to establish Whether to allow an AP to establish a DTLS session with

DTLS session with AC an AC using the default pre-shared key.
using default pre-
shared key
Pre-shared key Pre-shared key used for DTLS encryption.
Confirm pre-shared Confirmation of the pre-shared key used for DTLS

key encryption.
CAPWAP heartbeat CAPWAP heartbeat detection interval.

detection interval
CAPWAP heartbeat Number of CAPWAP heartbeat detections.

detection count
Step 3 Click Apply. The info dialog box is displayed. Click OK.
----End

Switches
1.4.7.1.2 Radio Calibration
Procedure
● Configure manual calibration.
a. Choose Configuration > Wireless Services > AC Config > Radio
Calibration. The Radio Calibration page is displayed.
b. Set Calibration mode to Manual.
c. Set calibration parameters. Table 1-137 describes the calibration

parameters.
Table 1-137 Calibration parameters

Calibration policy Calibration policy.

● Rogue AP
When rogue APs (rogue APs
cannot be controlled by an AC)
exist on a network, set the
radio calibration policy to
Rogue-ap. The device then
implements radio calibration to
minimize the rogue AP
interference on the entire
network.
● Load
When an AP is heavily loaded,
set the radio calibration policy
to Load. The device then
preferentially allocates
channels with a little
interference to the heavily
loaded APs.
● Non-Wi-Fi
When non-Wi-Fi devices exist
on a network, set the radio
calibration policy to Non-wifi.
The device then implements
radio calibration to reduce
interference of non-Wi-Fi
devices on the network.

Switches
Calibration sensitivity Configure radio calibration

sensitivity.
There are three levels of radio
calibration sensitivity:
● Low
● Medium
● High
Start time Specifies the start time for radio

calibration in automatic mode.
Calibration interval(min) Specifies the radio calibration

interval in auto mode.
e. Click Start to trigger the calibration.
● Configure automatic calibration.
b. Set Calibrate mode to Auto and specify Calibration interval(min) and
Start time. You can also click Start to trigger the calibration.

parameters.
● Configure scheduled calibration.
b. Set Calibrate mode to Scheduled and specify Start time. You can also
click Start to trigger the calibration.

parameters.
----End

Switches
1.4.7.2 AP Group
1.4.7.2.1 AP Group
Context
The AP group function is used to configure multiple APs in batches. When multiple
APs managed by an AC require the same configurations, you can add these APs to
one AP group and configure the AP group to complete AP configuration.
NOTE
For details about configurations of each profile bound to an AP group, see 1.8 Profile
(S5720HI).
Procedure
a. Choose Configuration > Wireless Services > AP Group > AP Group. The
AP Group page is displayed.
b. Click Create. Set the parameters in Table 1-138.
Table 1-138 Parameters for creating an AP group
AP group name Name of the AP group
Copy parameters Copy configuration parameters from other AP

from other groups groups to the current AP group.
c. Click OK.
b. Select the AP group that you want to delete and click Delete.
c. Click OK.
● Bind profiles to the AP group.
b. Click an AP group name. On the AP group configuration page that is
displayed, you can see the configurations of the AP group. See 1.8 Profile
(S5720HI) for descriptions of the configuration profiles and Table 1-139
for details about the configuration parameters.

Switches
Table 1-139 Configuration parameters of an AP group

VAP Configuration Configures VAPs for AP groups:

adds or removes VAP profiles for
AP groups. After a VAP profile is
added, the AP generates a VAP to
implement basic WLAN services.
For detailed parameters, see 1.8.1
Wireless Service.
Radio Management Configures radio parameters for

AP groups, enabling the radios to
work at the optimal performance.
● Regulatory Domain Profile:
configures the country code
and DCA parameters for radios.
● Radio 0/Radio 1/Radio 2:
configures parameters for
radios.
Radio Management. Configure
radios describes parameters on
the Radio 0, Radio 1, and Radio 2
pages.
AP Configures system and interface

parameters for AP groups.
● AP System Profile: configures
system parameters for AP
groups.
● AP Wired Port Settings:
configures interface parameters
for AP groups.
● ETH-TRUNK Profile: configures
interface parameters for AP
groups.
For detailed profile parameters,
see 1.8.3 AP. See 1.8.3.3 AP
Wired Port Profile for parameters
of the ETH, GE, ETH-TRUNK and
MultiGE profiles.

Switches
Mesh Configures the Mesh function for

AP groups.
● Mesh Profile: adds or removes
Mesh profiles for radios in AP
groups.
● Mesh Whitelist Profile: adds or
removes Mesh whitelist profiles
for radios in AP groups.
Mesh.
WDS Configures the WDS function for

AP groups.
● WDS Profile: adds or removes
WDS profiles for radios in AP
groups.
● WDS Whitelist Profile: adds or
removes WDS whitelist profiles
for radios in AP groups.
WDS.
WIDS Configures the WIDS function for

AP groups.
WIDS.
WLAN Location Configures the location function

for AP groups.
WLAN Location.
c. Click Apply.
● Configure radios.
b. Click an AP group name. The AP group configuration page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click
Radio 0, Radio 1, or Radio 2. The radio configuration page is displayed.
For detailed parameters, see Table 1-140.

Switches
Table 1-140 Radio parameters

Radio 0 Settings (2.4G)/Radio 1 Settings (5G)/Radio 2 Settings (5G)
Working status Whether the radio is enabled or

disabled.
Working mode Working mode of APs, which can

be:
● normal
● monitor
Channel Working bandwidth and working

channel of the radio.
Antenna gain Antenna gain of the radio.
Coverage distance Radio coverage distance.
Spectrum analysis Whether spectrum analysis is

enabled on the radio.
Switch to 5G Whether the working frequency of

a radio is switched to the 5 GHz
frequency band. Only radio 0
supports this parameter.
WIDS Control
Device detection Whether the device detection

function is enabled on the radio.
Countermeasure of Unauthorized Whether rogue device

Devices containment is enabled.

Switches
Attack detection type Attack detection type. Multiple

options can be selected.
d. Click Apply.
----End
1.4.7.2.2 Static Load Balancing Group
Context
The load balancing function applies to scenarios where there is a high degree of
overlap between APs' coverage ranges. If APs engaged in load balancing are far
from each other, a STA may connect to a distant AP, which affects wireless
experience of users.
When the load difference between APs reaches the load difference threshold,
some STAs may access the network slowly because the APs will reject access
requests of STAs according to the load balancing algorithm. If a STA continues
sending association requests to an AP, the AP allows the STA to associate when
the number of consecutive association attempts of the STA exceeds the maximum
number of rejection times.
In static load balancing mode, APs providing the same services are manually
added to a load balancing group. When a STA needs to access a WLAN, it sends
an Association Request packet to an AC through an AP. The AC determines
whether to permit access from the STA according to a load balancing algorithm.
The implementation of static load balancing must meet the following conditions.
● If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band.
● Each load balancing group supports a maximum of 16 AP radios.
● Under the agile distributed network architecture composed of the central AP
and RUs, you only need to add radios of the RUs to a static load balancing
group.
Procedure
● Create a static load balancing group.
a. Choose Configuration > Wireless Services > AP Group > Static Load
Balancing Group. The Static Load Balancing Group page is displayed.
b. Click Create. Set the parameters in Table 1-141.

Switches
Table 1-141 Parameters for creating a static load balancing group
Static load Name of the static load balancing group.

balancing group
name
Maximum number Maximum number of associations for the load

of rejections balancing group
When the load in a load balancing group is
unbalanced, the AC rejects a STA's request for
associating with an AP with heavy load, but does
not keep rejecting. When the number of
consecutive association requests of the STA
exceeds the maximum value, the AP allows the
STA to associate with the AP.
Start threshold for Start threshold for load balancing.

load balancing
(STA count)
Load difference Load difference threshold for load balancing.

threshold for load
balancing
Optional Radio Radio of AP that can be added to the load

balancing group.
Selected Radio Radio of AP to be added to the load balancing

group.
c. Click OK.
● Modify a static load balancing group.
b. Click the static load balancing group name, find the desired static load
balancing group on the displayed page, and modify parameters.
c. Click OK.
● Delete a static load balancing group.
b. Select the static load balancing group and click Delete.
c. Click OK.
NOTE
Click Refresh to refresh the displayed static load balancing group information.
----End
1.4.7.3 AP Config

Switches
1.4.7.3.1 AP Info
Context
You can view AP information and configure APs on the AP Info page.
Procedure
● Manually add an AP.
a. Choose Configuration > Wireless Services > AP Config > AP Info. The
AP Info page is displayed.
b. Click Create. Set Creation mode to Manually add on the page that is
displayed.
c. Set parameters for the AP. Table 1-142 describes the parameters for
manually adding an AP.
Keyword Keyword specified when an AP is manually added,

which can be the AP's MAC address or SN.
AP MAC MAC address of the new AP.
NOTE
You can click to add a maximum of 10 APs.

Switches
d. Click OK.
● Import AP information from a template.
Edit an AP information template on your local host and import AP

information to the AC from the template.
Fill in the template with AP information by referring content in the template.
Click to select the template and click Import to import AP information.
b. Click Create. Set Creation mode to Batch import on the page that is
displayed.
c. Click to download the AP template to your local host.

template.
NOTE


optional.


Switches


ID must be set.



e. Click to select the template and click Import to import AP

information.
f. Click OK.
● Deploy APs.
b. Select multiple APs and click Deploy.
c. Set the parameters on the page that is displayed. Table 1-144 describes
the parameters for deploying an AP.
Table 1-144 Parameters for deploying an AP
AP group AP group to which the AP belongs.
AP ID AP ID.
AP MAC MAC address of the AP, which is the unique

identifier of the AP.

Switches
AP Group AP Group.
IP Obtaining Mode How the AP obtains an IP address. Options are

DHCP/Static.
IP Address IP address assigned to the AP. This parameter is

valid only when IP Obtaining Mode is set to
Static.
IP Address Mask Subnet mask for the AP. This parameter is valid
only when IP Obtaining Mode is set to Static.
Gateway Default gateway address for the AP. This

parameter is valid only when IP Obtaining Mode
is set to Static.
Status AP status.
d. Click OK.
e. In the Warning dialog box that is displayed, click OK.
● Modify AP deployment parameters.

b. Click an AP ID in the AP list, and modify AP deployment parameters on
the page that is displayed.
● Replace APs.
b. Select an AP and click Replace.
c. Enter the MAC address of the replacement AP in New AP MAC or click
and select an AP on the displayed page.

d. Click OK. On the displayed page, click OK.

Switches
● Delete an AP.
b. Select an AP and click Delete.
c. Click OK in the confirm dialog box that is displayed.
● Add an AP to the blacklist.
b. Select an AP and click Add to Blacklist.
● Manage unauthorized APs.
If AP authentication mode is set to MAC address authentication or SN
authentication (configured in 1.4.7.1.1 AC Configuration) for an AC, the APs
out of the whitelist and blacklist of the AC are added to Non-authorized AP
List. You can add these APs to the whitelist or blacklist.
b. Click before Non-authorized AP List to expand the unauthorized AP

list.
c. Select unauthorized APs in the list and click Add to MAC Whitelist, Add
to SN Whitelist, Add to Blacklist or Refresh.
● Configure AP specific parameters.
b. Click an AP ID. On the AP Customized Settings page that is displayed,
you can see AP configurations. The digit next to AP customized settings
is the AP ID. See 1.8 Profile (S5720HI) for descriptions of the
configuration profiles and Table 1-145 for details about the configuration
parameters.
Table 1-145 AP configuration parameters

VAP Configuration Configures VAPs for APs: adds or

removes VAP profiles for APs.
After a VAP profile is added for an
AP, the AP generates a VAP to
implement basic WLAN services.
Wireless Service.

Switches
Radio Management Configures radio parameters for

APs, enabling the radios to work
at the optimal performance.
● Regulatory domain profile:
configures the country code
and DCA parameters for radios.
● Radio 0/Radio 1/Radio 2:
configures parameters for
radios.
Radio Management. Configure
radios describes parameters on
the Radio 0, Radio 1, and Radio 2
pages.
AP Configures system and interface

parameters for APs.
● AP system profile: configures
system parameters for APs.
● ETH profile/GE profile/ETH-
TRUNK profile: configures
interface parameters for APs.
For detailed profile parameters,
see 1.8.3 AP. See 1.8.3.3 AP
Wired Port Profile for parameters
of the ETH, GE, and ETH-TRUNK
profiles.
Mesh Configures the Mesh function for

APs.
● Mesh profile: adds or removes
Mesh profiles for AP radios.
● Mesh whitelist profile: adds or
removes Mesh whitelist profiles
for AP radios.
Mesh.
WDS Configures the WDS function for

APs.
● WDS profile: adds or removes
WDS profiles for AP radios.
● WDS whitelist profile: adds or
removes WDS whitelist profiles
for AP radios.
WDS.

Switches
WIDS Configures the WIDS function for

APs.
WIDS.
WLAN Location Configures the location function

for APs.
WLAN Location.
c. Click Apply.
● Configure radios.
b. Click an AP ID. The AP Customized Settings page is displayed.
c. Click ahead of Radio Management. Among the displayed items, click
Radio 0, Radio 1, or Radio 2. The radio configuration page is displayed.
For detailed parameters, see Table 1-146.
Table 1-146 Radio parameters

Radio 0 Settings (2.4G)/Radio 1 Settings (5G)/Radio 2 Settings (5G)
Working status Whether the radio is enabled or

disabled.

Switches
Working mode Working mode of APs, which can

be:
● normal
● monitor
Channel Working bandwidth and working

channel of the radio.
NOTE
You must configure both the
frequency bandwidth and channel to
make the configured bandwidth take
effect.
Antenna gain Antenna gain of the radio.
Coverage distance Radio coverage distance.
Spectrum analysis Whether spectrum analysis is

enabled on the radio.
WIDS Control
Device detection Whether the device detection

function is enabled on the radio.
Countermeasure of Unauthorized Whether rogue device

Devices containment is enabled.
Attack detection type Attack detection type. Multiple

options can be selected.
d. Click Apply.
----End
1.4.7.3.2 AP Whitelist
Context
If AP authentication mode is set to MAC address authentication or SN
authentication (configured in 1.4.7.1.1 AC Configuration) for an AC, the APs out
of the whitelist and blacklist of the AC are added to Non-authorized AP List. You
can add the MAC addresses or SNs of these APs to the whitelist.
Procedure
● Add AP MAC addresses to the AP whitelist.
a. Choose Configuration > Wireless Services > AP Config > AP Whitelist.
The AP Whitelist page is displayed.
b. In the MAC Whitelist area, click Create to add AP MAC addresses to the
whitelist.

Switches
Manually adding AP MAC addresses
i. Set Creation mode to Manually add.
ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.
Batch importing AP MAC addresses
i. Set Creation mode to Batch import.
ii. Click to download the AP template to your local host. Edit the
template and save it.
iii. Click select the AP template and click Import.

iv. Click OK.
● Delete an AP from the MAC address whitelist.
a. Choose Configuration > Wireless Services > AP Config > AP Whitelist.
The AP Whitelist page is displayed.
b. Select an AP in the MAC Whitelist area and click Delete.
● The operations for the SN whitelist are similar to the preceding operations.
----End
1.4.7.3.3 AP Blacklist
Context
If AP authentication is set to MAC address authentication (configured in
1.4.7.1.1 AC Configuration) for an AC, the APs out of the whitelist and blacklist
of the AC are added to Non-authorized AP List. You can add the MAC addresses
of these APs to the blacklist.

Switches
Procedure
● Add AP MAC addresses to the AP blacklist.
a. Choose Configuration > Wireless Services > AP Config > AP Blacklist.
The AP Blacklist page is displayed.
b. Click Create to add AP MAC addresses to the blacklist.
Manually adding AP MAC addresses
i. Set Creation mode to Manually add.
ii. Set MAC address. You can click to add a maximum of 10 AP MAC
addresses.
iii. Click OK.
Batch importing AP MAC addresses
i. Set Creation mode to Batch import.
ii. Click to download the AP template to your local host. Edit the
template and save it.
iii. Click select the AP template and click Import.

iv. Click OK.
● Delete an AP MAC address from the blacklist.
a. Choose Configuration > Wireless Services > AP Config > AP Blacklist.
The AP Blacklist page is displayed.
b. Select an AP MAC address and click Delete.
----End
1.4.7.4 Profile
For details, see 1.8 Profile (S5720HI).

Switches
1.5 Diagnosis
This section describes the maintenance and diagnostic commands.
1.5.1 Intelligent Diagnosis (S5720HI)
Context
When a fault occurs on a WLAN, you can use the Intelligent Diagnosis function to
diagnose WLAN devices and the network and rectify the fault accordingly. For
faults that you cannot rectify by yourself, export the diagnosis information and
logs, then contact technical support personnel.
NOTE

Procedure
● Configure diagnosis parameters for WLAN users.
a. Choose Diagnosis > Intelligent Diagnosis. The Intelligent Diagnosis
page is displayed.
b. Click the Wireless user, AP, or LSW icon, choose the object to diagnose,
and configure diagnosis parameters on the page that is displayed. For
Diagnosis objects can be wireless users, APs, and LSW.

Switches
Table 1-147 Diagnosis parameters
LSW
Diagnosis mode Mode in which intelligent

diagnosis is performed.
Start time Start time of a fault.
End time End time of a fault.
Start diagnosis time Start time of the diagnosis when

Diagnosis mode is set to
Scheduled.
AP
Input type Mode in which APs to diagnose

are selected.
● MAC address: APs are selected
based on MAC addresses.
● IP address: APs are selected
based on IP addresses.
● AP name: APs are selected
based on AP names.
NOTE
You are advised to select APs to be
diagnosed based on MAC addresses.
Wireless User
STA MAC address MAC address of a user. Enter the

MAC address directly, or click
and then find the user in

the displayed user list.
c. Click Start Diagnosis or OK.
▪ If Diagnosis mode is set to Real-time, the system will start

diagnosing the object after you click Start Diagnosis.
▪ If Diagnosis mode is set to Scheduled, the system creates a

scheduled diagnosis task after you click OK.
After the diagnosis is complete, the system displays the result at the
bottom left of the page and real-time connection information of the
diagnosed object at the bottom right of the page.
d. Click Suggestion to view the suggestions on how to rectify the fault.
● View scheduled diagnosis tasks.
a. Click . The Diagnosis list page is displayed.

Switches
b. Click Non-diagnosed to view scheduled diagnosis tasks that have not

started.
c. Click Diagnosed to view scheduled diagnosis tasks that are complete.
● Delete a scheduled diagnosis task.
a. Click . The Diagnosis list page is displayed.

b. To delete a scheduled diagnosis task that has not started, click Non-
diagnosed and then .
c. To delete a scheduled diagnosis task that is complete, click Diagnosed
and then .
● Export diagnosis information.
a. Click Export Diagnosis Info.
b. In the dialog box that is displayed, click OK.

The system saves the diagnosis information to the device as txt files
(overall_diaginfo_xxx.txt and autodiagnose-detail.txt), and prompts
you to save the file to a local computer.
▪ overall_diaginfo_xxx.txt: contains all diagnosis information on the

device.
▪ autodiagnose-detail.txt: contains the result of the current

intelligent diagnosis.
c. Save diagnosis information to your local computer.
● Export logs.
a. Click Export Logs.
b. On the Export Logs page that is displayed, select the log files to export,
and click OK.
----End
1.5.2 Diagnostic Tools

This section describes the maintenance and diagnostic tools.
1.5.2.1 One-Click Information Collection

The one-click information collection function enables you to collect information
on a device, including the configuration, logs, and errors.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > One-Click Information Collection to
access the One-Click Information Collection page, as shown in Figure 1-185.

Switches
Figure 1-185 One-Click Information Collection
Step 2 Click One-Click Collection. The system displays a message, asking you whether to
continue, as shown in Figure 1-186. Click OK.
Figure 1-186 Confirm
Step 3 After information collection is complete, the system displays a message, indicating
that the operation is successful. Click OK and click the icon to download the
file.
----End
1.5.2.2 Wireless Packet Capturing (S5720HI)
Context
Packets on air ports can be obtained through the Wireless Packet Capturing
function, but packets on the wired side cannot. Analysis of the obtained packets
can help locate and troubleshoot faults. Packets to be obtained include:
● All packets sent from the local AP and packets with the destination (BSSID) as
the local AP
● All 802.11 protocol packets sent from other APs/STAs or with the destination
(BSSID) as other APs/STAs, except the ARP, DHCP, and EAPOL packets
NOTE


Switches
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Wireless Packet Capturing. The Wireless
Packet Capturing page is displayed.
Step 2 Set global parameters.

1. In Global Settings, set parameters related to the Wireless Packet Capturing
function. For description of the parameters, see Table 1-148.
2. Click Apply. In the Info dialog box that is displayed, click OK.
Table 1-148 Global parameters

Maximum data packet length Maximum length of packets to be

obtained through the Wireless
Packet Capturing function.
After you enable the Wireless Packet
Capturing function on an AP radio,
the AP starts collecting packet
headers. The AP collects only data
packets with lengths smaller than
the configured maximum length.
Saving mode Mode used to save the obtained

packets. Two modes are available:
– Save locally: The obtained
packets are saved locally.
– Send in real time: The obtained
packets are forwarded to the
server in real time.
Destination IP address IP address of the server in real-time

transmission mode.

Switches
Maximum size of storage file Maximum size of the storage file

when the obtained packets are
saved locally.
Upload mode Mode used to upload the local file

to the server when the obtained
packets are saved locally.
Server IP address IP address of the Server.
User name User name of the Server.
Password Password of the Server.
Step 3 Configure the rule for filtering packets.

● Creating a filtering rule profile
a. In Filter Rule Profile Management, click Create.
b. Set the parameters on the Create Filter Rule page that is displayed. For
c. Click OK.
Table 1-149 Parameters for creating a filtering rule profile

Profile name Name of the filtering rule profile.

After the Wireless Packet
Capturing function starts, the AP
filters packets based on filtering
rules contained in the filtering
rule profile and collects only
packets that match the rules.

Switches
Filtering protocol Protocol type of packets to be

obtained through the Wireless
Packet Capturing function.
▪ Beacon: The device collects

only Beacon packets.
▪ Probe: The device collects only

Probe packets.
▪ EAP: The device collects only

EAP packets.
▪ DHCP: The device collects only

DHCP packets.
▪ Other-mgnt: The device

collects 802.11 management
packets except the Beacon and
Probe packets.
▪ Data: The device collects only

data packets.
Rule ID ID of the filtering rule.
Source MAC address Specifies the source MAC address

of packets to be obtained.
Destination MAC address Specifies the destination MAC

address of packets to be obtained.
BSSID Specifies the BSSID of packets to

be obtained.
● Modifying a filtering rule profile

a. In the list of filtering rule profiles, click the filtering rule profile to modify.
b. Modify the parameters on the Modify Filter Rule page that is displayed.
For description of the parameters, see Table 1-149. (The Profile name
parameter cannot be modified.)
c. Click OK.
● Deleting a filtering rule profile
In the list of filtering rule profiles, choose the filtering rule profile to delete
and click Delete. In the Confirm dialog box that is displayed, click OK.
Step 4 Enable the Wireless Packet Capturing function.
1. Click Start.
2. In the Wireless Packet Capturing dialog box that is displayed, set AP name,
Radio ID, Filter rule profile, and Channel, then click OK.

Switches
----End
Follow-up Procedure
● To stop a packet capturing task, select a record in the packet capturing task
list, then click Stop.
● If Saving mode is set to Save locally, you can select a record in the packet
capturing task list and click Upload File to upload the saved file to the server.
1.5.2.3 Ping
The ping command is used to check network connectivity and host reachability.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Ping to access the Ping page, as shown in
Figure 1-187.
Figure 1-187 Ping

Switches
Step 2 Enter the IP address in the Ping text box and click Start. The network connection
information is displayed.
NOTE
If no response packets are received within the timeout interval, the following information is
displayed: Request time out. The preceding information shows that a link is faulty.
----End
1.5.2.4 Trace Route

You can use the tracert command to test the gateways that packets pass through
from the source host to the destination host. The tracert command is used to
check network connectivity and locate network faults.
Context
The Tracert command, also called Trace Route, helps you check the IP addresses
and the number of gateways between the source and the destination. Tracert is
used to check network connectivity and locate network faults.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > Trace Route to access the Trace Route
Figure 1-188 Trace Route
Step 2 Enter the IP address in the Trace Route text box and click Start. The Layer 3
devices where packets pass through between the source host and the destination
host are displayed.

Switches
NOTE
● The output of the tracert command includes IP addresses of all the gateways through
which the packet reaches the destination. If one gateway sends back a packet indicating
TTL timeout, * is displayed.
● The tracert test may take a long time.
----End
1.5.2.5 AAA Test

The AAA test tool is used to check whether the user can pass the RADIUS
authentication.
Context
The AAA test tool checks whether a specified user can pass the RADIUS
authentication.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > AAA Test to access the AAA Test page, as
Figure 1-189 AAA Test
Step 2 Enter parameters such as the RADIUS server profile, authentication mode, user
name, and password. For parameter information, see Table 1-150.
Table 1-150 AAA test parameters
RADIUS server profile RADIUS server template used in the

authentication.

Switches
Authentication mode Authentication mode used in the

authentication.
● - None -
● CHAP
● PAP
User name User name of the user to be tested.
Password Password of the user to be tested.
Step 3 Click Start.
After the AAA test is performed, the test result is displayed.
----End
1.5.2.6 RF-Ping (S5720HI)
Context
The RF-Ping tool checks the quality of the link between the AP and STA.
After the RF-Ping test is performed, the test result is displayed.
NOTE

Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > RF-Ping. The RF-Ping page is displayed.
Step 2 In MAC address, enter the MAC address of the STA.
Step 3 Click Start.
----End

Switches
1.5.2.7 AP-Ping (S5720HI)
Context
Using the AP-Ping tool, you can check connectivity between an AP and network
device.
After an AP-Ping operation is complete, the AP-Ping result is displayed on the AP-
Ping page.
NOTE
Before you use the AP-Ping tool, ensure that the AP is properly online and has an IP address
configured.
Procedure
Step 1 Choose Diagnosis > Diagnostic Tools > AP-Ping. The AP-Ping page is displayed.
Step 2 Set AP-Ping parameters. For description of the parameters, see Table 1-151.
Table 1-151 AP-Ping parameters
AP name AP name used in an AP-Ping

operation.
IP address/host name Domain name or IP address of the

destination host.
Packet transmission times Number of times ICMP Echo Request

packets are sent.
Packet length Length of an ICMP Echo Request

packet excluding the IP header and
ICMP header.

Switches
Waiting time Time to wait before sending the next

ICMP Echo Request packet.
Timeout period Timeout period for an ICMP Echo

Response packet.
Step 3 Click Start.
----End
1.6 Maintenance
This section describes common device maintenance.
1.6.1 System Maintenance

This chapter describes how to maintain the switch system, including system
restart, upgrade, patch management, log, and alarm.
1.6.1.1 License
This section describes the functions of loading license files and displaying license
status.
Context
You need to activate licenses in either of the following situations:
● Purchasing a license to obtain permissions on related functions after you
purchase a new device.
● Applying for a new license file, and upgrading and loading the license file
when the license file is loaded on the device and a new feature is required.
NOTE

This node is only supported by the S5720HI, S6720EI, and S6720S-EI.
Procedure
Step 1 Choose Maintenance > System Maintenance > License to access the License

Switches
Figure 1-190 License
Table 1-152 Parameters on the License page
Item Description
License status ● not loaded: default status. By default, a

license is not loaded after the system starts
or when it is invalid.
● Normal: A commercial license enters the
Normal state after it is loaded.
● Trial: A license enters the Trial state when
the loaded ESN does not match the license
or after the license expires.
● Demo: A temporary license enters the
Demo state after it is loaded.
● Emergency: When a license enters the
Emergency state, dynamic resources on the
device are free from the license controls.
That is, the device runs with the maximum
configurations of dynamic resources. A
license can remain in Emergency state for
at most seven days. After seven days, the
license enters the original state.
License revocation code This item is displayed only when an invalid

license file exists in the system.

Switches
Item Description
Function Control Items Displays the names of function control items.
Current Status Displays the control item status.
Resource Control Items Displays the names of resource control items.
Current Device Quantity/ Displays resource usage ratio.

Specifications
Revoke Revokes the current license file.
License file Allows you to select the license file to be

uploaded.
Step 2 Click in Load License and select the license file to be uploaded.
Step 3 Click Activate to activate the license file.
----End
1.6.1.2 Restart (Standalone)

This section describes how to restart the device and perform related operations
during system restart.
Context
After you specify the system software, configuration file, and patch file for next
startup, you must restart the device to make the files take effect. The web system
provides two restart modes: immediate restart and timed restart. After you restart
a device, services will be interrupted; therefore, you need to restart the device
when the device is idle. If the device is idle currently, restart the device
immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.
NOTICE
You are advised to save the current configuration before you restart a device.
Otherwise, the configuration may be lost.
The system software and configuration file are for reference only. The actual
output information may differ from the preceding information.
Procedure
Step 1 Choose Maintenance > System Maintenance > Restart to access the Restart

Switches
Figure 1-191 Restart
Table 1-153 Parameters on the Restart page
Item Description
Current System Info Displays the system software,

configuration file, patch file, plug-in
file, and web file used by the device
currently.
Reboot Settings Allows selecting the system software,

configuration file, plug-in file, and
patch file to be used at the next
startup from the drop-down list boxes.
Reboot Mode Indicates a restart mode. The device

supports immediate restart and
scheduled restart.
NOTE
The time cannot be longer than 720 hours
since the current time.
Step 2 In the Current System Info section, click Export Configuration File to save the
current configuration file locally and prevent configuration loss resulted from the
restart.
NOTE
The configuration file cannot be exported in the cloud management mode.

Switches
Step 3 In the Reboot Settings section, select the file to be used for the next startup from
the drop-down list box and click Apply to save the configuration.
Step 4 In the Reboot Mode section, select a restart mode and click Apply. If you select
Immediate, a message is displayed, asking whether you want to save the
configuration. After you click Yes, the device restarts immediately and terminates
the web connection. If you select Scheduled, enter a specific restart time. The
device will restart at the specified time.
----End
1.6.1.3 Reboot (SVF)

This section describes how to restart the parent and ASs.
Context
After you specify the system software, configuration file, and patch file for next
startup, you must restart the device to make the files take effect. The web system
provides two restart modes: immediate restart and scheduled restart. After you
restart a device, services will be interrupted; therefore, you need to restart the
device when the device is idle. If the device is idle currently, restart the device
immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.
NOTICE
You are advised to save the current configuration before you restart a device.
Otherwise, the configuration may be lost.
The system software and configuration file are for reference only. The actual
Procedure
● Restart the parent.
a. Choose Maintenance > System Maintenance > Reboot and click the
Parent Reboot tab, as shown in Figure 1-192.

Switches
Figure 1-192 Parent Reboot
Table 1-154 Parameters on the Parent Reboot
Item Description
Current System Info Displays the system software,

configuration file, patch file, plug-
in file, and web file used by the
device currently.
Reboot Settings Allows selecting the system

software, configuration file, plug-
in file, and patch file to be used at
the next startup from the drop-
down list boxes.
Reboot Mode Allows you to select a restart

mode. The device supports
immediate restart and scheduled
restart.
NOTE
The time cannot be longer than 720
hours since the current time.
b. In the Current System Info section, click Export Configuration File to

save the current configuration file locally and prevent configuration loss
resulted from the restart.
c. In the Reboot Settings section, select the file to be used for the next
startup from the drop-down list box and click Apply to save the
configuration.

Switches
d. In the Reboot Mode section, select a restart mode and click Apply. If you
select Immediate, a message is displayed, asking whether you want to
save the configuration. After you click Yes, the device restarts
immediately and terminates the web connection. If you select Scheduled,
enter a specific restart time. The device will restart at the specified time.
● Restart an AS.
a. Choose Maintenance > System Maintenance > Reboot and click the AS
Reboot tab, as shown in Figure 1-193.
Figure 1-193 AS Reboot
b. Select the AS to be restarted and click Reboot.

NOTE
To restart all ASs, click Reboot All.

c. In the displayed dialog box, click OK.
----End
1.6.1.4 Upgrade (Standalone)

This section describes how to upgrade the system software through the web
system.
Context
To upgrade the system software of a device, you need to upload upgrade files to
the device, specify files for next startup, and restart the device to make the
upgrade files take effect. The web system allows you to upgrade the system
software on the GUI, simplifying the upgrade operations and improving efficiency.
NOTICE
● Ensure that the configurations are saved before you upgrade the system
software.
● Do not power off the device during the upgrade.
● It takes a long time to upload system software to the device; therefore, before
upgrading the system software, choose Maintenance > System Maintenance
> System > System Info and set HTTP timeout interval (min) to 60 minutes.
● The system software and configuration file are for reference only. The actual

Switches
Procedure
Step 1 Choose Maintenance > System Maintenance > Upgrade to access the Upgrade
Figure 1-194 Upgrade
Table 1-155 describes the configuration items on the displayed page.
Table 1-155 Upgrade Page
Item Description
Upload File
File name Selects the file to be uploaded.
Upgrade File
System File Selects the system file to be loaded.
Patch File Selects the patch file to be loaded.
Version Information about system file is

displayed on the page, including:
● Current system file
● Next startup software
● Current patch file
● Version

Switches
Step 2 Click and select the required upgrade file.

Step 3 Click Upload to upload the upgrade file.
Step 4 Click Upgrade to upgrade the selected device.
The system displays a dialog box indicating that the device will restart and asking
whether you want to save the configuration.
Step 5 Click Yes. The device will restart automatically. The web system cannot be used
during the restart. After the device restarts, re-log in to the web system.
----End
1.6.1.5 Upgrade (SVF)

This section describes how to upgrade the system software through the web
system.
Context
To upgrade the system software of a device, you need to upload upgrade files to
the device, specify files for next startup, and restart the device to make the
upgrade files take effect. The web system allows you to upgrade the system
software on the GUI, simplifying the upgrade operations and improving efficiency.
NOTICE
● Ensure that the configurations are saved before you upgrade the system
software.
● Do not power off the device during the upgrade.
● It takes a long time to upload system software to the device; therefore, before
upgrading the system software, choose Maintenance > System Maintenance
> System > System Info and set HTTP timeout interval (min) to 60 minutes.
● The system software and configuration file are for reference only. The actual
Procedure
● Prepare for a parent upgrade.
a. Choose Maintenance > System Maintenance > Upgrade and click the
Parent Upgrade Preparations tab, as shown in Figure 1-195.

Switches
Figure 1-195 Parent Upgrade Preparations
Table 1-156 describes the configuration items on the displayed page.
Table 1-156 Parent Upgrade Page
Item Description
Upload File
File name Selects the file to be uploaded.
Upgrade File
System File Selects the system file to be

loaded.
Patch File Selects the patch file to be loaded.
Version Information about parent system

file is displayed on the page,
including:
● Current system file
● Next startup software
● Version
b. Click and select the required upgrade file.

c. Click Upload to upload the upgrade file.
d. Click Load to finish the parent system file configuration.

Switches
● Prepare for an AS upgrade.

AS Upgrade Preparations tab, as shown in Figure 1-196.
Figure 1-196 AS Upgrade Preparations
Table 1-157 AS Upgrade Preparations
Item Description
Upload the Upgrade File to the Allows you to select the upgrade
Parent file to be uploaded. You can
upload the locally stored upgrade
file to the parent.
Configure the FTP Account Used Configures the FTP account and
to Load the Upgrade File on the password.
AS
Load the Parent's Upgrade File to Allows you to select the required
the AS upgrade file and patch file based
on the AS type. To load files of the
parent to the AS or unload files
from the AS, click Load or
Uninstall.
b. Click and select the required upgrade file.

c. Click Upload to upload the upgrade file.
d. Configure the FTP account and password used to upload the upgrade file
of an AS and click Apply.
e. Select the required upgrade file and patch file based on the AS type and
click Load.
f. In the dialog box that is displayed, click OK.

Switches
● Perform the upgrade.

Upgrade Execution tab, as shown in Figure 1-197.
Figure 1-197 Upgrade Execution
b. Select the device to be upgraded and click Upgrade. Click Save and
Restart in the displayed dialog box.
The device will restart automatically for the upgrade.
NOTE
To upgrade all devices, click Upgrade All.
----End
1.6.1.6 Patch (Standalone)

This section describes how to upload, install, and uninstall patches.
Context
There are two types of patches: cold patch and hot patch. A cold patch takes
effect only after the switch restarts and a hot patch takes effect immediately after
it is loaded to the switch.
● A patch is a kind of software compatible with the system software. It is used
to remove critical bugs of the system software. The extension name of the
patch file is .pat.
● Before loading patches, you need to save patch files to the storage device of
the switch. Patch files are uploaded to the switch using HTTP.
● After a patch is uninstalled, delete the patch from the memory.
Procedure
Step 1 Choose Maintenance > System Maintenance > Patch to access the Patch page,

Switches
Figure 1-198 Patch
Table 1-158 Parameters on the Patch page
Item Description
Upload Patch Allows you to select the patch file to

be uploaded.
Load Patch Allows you to select the patch file to

be loaded.
Patch Info Indicates patch information:

● Version number
● Status
NOTE
Click Uninstall to delete the installed
patches.
Step 2 Click to select the patch file to be uploaded and click Upload.
Step 3 Select the patch file to be loaded and click Load. The system will display the
currently loaded patch file in Patch Info.
----End
1.6.1.7 Patch (SVF)

This section describes how to upload, install, and uninstall patches.

Switches
Context
There are two types of patches: cold patch and hot patch. A cold patch takes
effect only after the switch restarts and a hot patch takes effect immediately after
it is loaded to the switch.
● A patch is a kind of software compatible with the system software. It is used

to remove critical bugs of the system software. The extension name of the
patch file is .pat.
● Before loading patches, you need to save patch files to the storage device of
the switch. Patch files are uploaded to the switch using HTTP.
● After a patch is uninstalled, delete the patch from the memory.
Procedure
● Manage patches of the parent.
a. Choose Maintenance > System Maintenance > Patch and click the
Parent Patch Management tab, as shown in Figure 1-199.
Figure 1-199 Parent Patch Management
Table 1-159 Parent Patch Management
Item Description
Upload the Parent Patch Allows you to select the patch file
to be uploaded.
Load a Patch to Parent Allows you to select the patch file

to be loaded.

Switches
Item Description
Parent Patch Status Indicates patch information:

● Version number
● Status
b. Click to select the patch file to be uploaded and click Upload.

c. Select the patch file to be loaded and click Load. The system will display
the currently loaded patch file in Parent Patch Status.
● Manage patches of ASs.
a. Choose Maintenance > System Maintenance > Patch and click the AS
Patch Management tab, as shown in Figure 1-200.
Figure 1-200 AS Patch Management
Table 1-160 AS Patch Management
Item Description
Upload the Patch File to the Allows you to select the patch file
Parent to be uploaded. You can upload
the locally stored patch file to the
parent.
Configure the FTP Account Used Configures the FTP account and
to Load the Patch File on the AS password.

Switches
Item Description
Load the Parent's Patch File to the Allows you to select the required
AS patch file based on the AS type.
To load files of the parent to the
AS or unload files from the AS,
click Load or Uninstall.
AS Patch Status Displays patch status information.
b. Click and select the required patch file.

c. Click Upload to upload the patch file.
d. Configure the FTP account and password used to upload the patch file of
an AS and click Apply.
e. Select the required patch file based on the AS type and click Load.
f. In the dialog box that is displayed, click OK.
View patch status information in AS Patch Status.
----End
1.6.1.8 Plug-in Management
Context
Software upgrades can add new functions and services. However, software
upgrades are complex and may affect services. To address these problems, you can
use the plug-in management function to load the specified modules. This
implements online service or function loading.
NOTE
Only S5720S-SI , S5720SI, S5720EI, and S5720HI support plug-in management.
Procedure
Step 1 Choose Maintenance > System Maintenance > Plug-in Management to access
the Plug-in Management page, as shown in Figure 1-201.
Figure 1-201 Plug-in Management

Switches
Table 1-161 Parameters on the plug-in management page
Item Description
Upload Plug-in Allows you to select the plug-in to be

uploaded.
Load Plug-in Allows you to select the plug-in to be

loaded.
Plug-in Status Indicates plug-in information:

● Current Plug-in File
● Version
● Plug-in Status
● Action
Step 2 Click and select the plug-in to be uploaded.

NOTE
● The uploaded plug-in file name extension must be .MOD.

● The loaded plug-in file version must be the same as the running system software version;
otherwise, loading fails.
Step 3 Select the plug-in to be loaded and click Load.
Step 4 After the plug-in file is loaded, view the status of loaded plug-in file in the Plug-in
Status list.
To uninstall the plug-in file, click Unload of the corresponding plug-in file or click
Unload All to uninstall all plug-in files.
----End
1.6.1.9 Log (Cloud management mode)
Context
The log management function records user actions, helps monitor system security,
and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log to access the Log page, as

Switches
Figure 1-202 Log
Step 2 Set Level and Time to search for specified logs.

Step 3 Click Clear to clear all log information.
----End
1.6.1.10 Log (Traditional management mode)

This section describes how to manage logs.
1.6.1.10.1 View Log
Context
The log management function records user actions, helps monitor system security,
and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log and click the View Log tab,

Switches
Figure 1-203 View Log
Step 2 Set Level and Time to search for specified logs.
Step 3 Click Clear to clear all log information.
----End
1.6.1.10.2 Set Parameters

You can export logs to a log host.
Context
After configuring the device to output logs to a log host, you can view logs saved
on the log host to monitor device running status.
Procedure
Step 1 Choose Maintenance > System Maintenance > Log and click the Set Parameters
tab, as shown in Figure 1-204.
Figure 1-204 Set Parameters

Switches
Step 2 Turn on Enable system log to enable information center.
Step 3 Click New and enter the log host IP address in the displayed dialog box.
Step 4 Click OK.
----End
1.6.1.11 Alarm
Context
The alarm management function records user actions, helps monitor system
security, and provides information for system diagnosis and maintenance.
Procedure
Step 1 Choose Maintenance > System Maintenance > Alarm to access the Alarm page,
Figure 1-205 Alarm
Step 2 Set Severity and Time to search for specified alarms.
Step 3 Click Clear to clear all alarm information.
Step 4 Click How to Obtain the Alarm Reference to check how to obtain the Alarm
Reference.
----End
1.6.1.12 Administrator
This chapter describes how to manage web users and password policies.

Switches
1.6.1.12.1 Administrator
You can create and maintain a database on the switch to manage web platform
users.
Context
User management includes creating a local user account (web platform user with
the access type HTTP) and modifying or deleting existing user accounts.
By default, a local user named admin exists in the system. The user access type is
HTTP.
obtained the access permission of the document, see Help on the website to find
out how to obtain it.
NOTE
Security risks exist if the user access type is set to Telnet, FTP or HTTP. You are advised to
configure the required access modes only.
A simple password brings security risks. It is recommended that you change the password to a
complicated one after logging in to the web network management system using the default
account. A password should consist of at least 8 characters, and contain at least two types of
the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ #
%). The password cannot contain spaces and single quotation marks ('). In addition, the
password cannot be the same as the user name or the mirror user name.
If the password configured in local user creation or modification is the same as the default
password, security risk exists. To ensure device security, change the password periodically.
The user list includes information about the users whose user types are FTP, HTTP, SSH, Telnet,
Terminal, or x25-pad. The access type of a created user can be FTP, HTTP, SSH, Telnet, Terminal,
or x25-pad.
Procedure
● Create a user account.
a. Choose Maintenance > System Maintenance > Administrator and click
the Administrator tab, as shown in Figure 1-206.
Figure 1-206 Administrator
b. Click Create to display the Create User page, as shown in Figure 1-207.

Switches
Table 1-162 describes the parameters for creating a user.
Table 1-162 Create User/Modify User
User name Indicates the new user name.

The user name cannot contain
question marks (?) or spaces.
Old password Indicates the current web system

login password.
NOTE
This option is available only on the
modification page of the current login
user.
Password Indicates the user password.
Confirm password Indicates the confirm password.

Password.
User directory Indicates the directory that HTTP

users can access.
Access level Indicates the user level.

There are two user levels in
ascending order: monitoring user
and management user.
Access type Configure the user access type.
Forced offline Indicates whether a user is forcibly

disconnected from the network.
NOTE
This parameter is only displayed on
the user modification page.

Switches

d. Click OK.
● Modify user information.
the Administrator tab.
b. Click the user account to be modified to access the Modify User page, as
Figure 1-208 Modify User
NOTE
● Table 1-162 describes the parameters for modifying user information. After the
user attribute is changed, the user level is 3 for a management-level user and 1
for a monitoring-level user.
● After you modify the user attribute, you need to log out and then log in again to
make the modification take effect.
● The user name is fixed and cannot be changed.
d. Click OK.
● Delete a user account.
the Administrator tab.
b. Select the user account to be deleted and click Delete.
c. Click OK in the dialog box that is displayed.
----End
1.6.1.12.2 Password Policy

A password policy protects local user security.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator and click the
Password Policy tab, as shown in Figure 1-209.

Switches
Figure 1-209 Password Policy
Table 1-163 Password Policy

Item Description
Set Password Policy for Administrator
Password policy Indicates whether the password policy is

enabled for local administrator.
● ON
● OFF
History password records Indicates the maximum number of

historical passwords recorded for the
local administrator. The value is an
integer ranging from 0 to 12. The
default value is 5.

Switches
Item Description
Validity period (days) Indicates the password validity period in

number of days. The value is an integer
ranging from 0 to 999. The default value
is 90.
Remaining days Indicates how long the system displays a

prompt before the password expires. The
value is an integer ranging from 0 to
999. The default value is 30.
Set Password Policy for Common User
Password policy Indicates whether the password policy is

enabled for local user.
● ON
● OFF
History password records Indicates the maximum number of

historical passwords recorded for the
local administrator. The value is an
integer ranging from 0 to 12. The
default value is 5.
Step 2 Set the parameters.

Step 3 Click Apply.
----End
1.6.1.12.3 Online Administrator Management

This section describes how to view and manage online users on each user
interface.
Procedure
Step 1 Choose Maintenance > System Maintenance > Administrator and click the
Online Administrator Management tab, as shown in Figure 1-210.
Figure 1-210 Online User List
Step 2 Select one or multiple users and click Forcible Logout to force the user or users to
go offline.
----End

Switches
1.6.1.13 System
This chapter describes switch system management, including file management,
system time, system information, and restoring factory settings.
1.6.1.13.1 File Management

This section describes how to upload, download, and delete files.
Context
The web system provides file management functions to facilitate user operations.
Figure 1-211 shows the File Management page.
NOTE
When a switch is in SVF mode, it cannot manage files on the AS in independent mode.
Figure 1-211 File Management page
Procedure
● Upload files.
You can upload local files to a switch.
a. Choose Maintenance > System Maintenance > System and click the
File Management tab.
b. Click Upload.
c. Select local files to be uploaded and click OK. After the files are
uploaded, the system displays a message indicating the successful
upload.

Switches
NOTE
● You cannot upload a file with the same name as files in File Management.
● You can only upload files with the following file name
extensions: .cc, .pat, .zip, .
7z, .txt, .log, .dblg, .cfg, .dat, .bat, .jpg, .jpeg, .png, .pem, .p12, .cer, .bin, .mod
and .xml.
● If the security level of the EasyOperation web browser is too high, the
message "The security level of the browser is too high" may be displayed
when you attempt to upload a file, as shown in Figure 1-212. In this case,
choose Internet Options > Security, and click Custom level. In the displayed
dialog box, set Initialize and script ActiveX controls not marked as safe for
scripting and Include local directory path when uploading files to a server
to Enable, as shown in Figure 1-213 and Figure 1-214.
Figure 1-212 Exception message displayed on the web

Switches
Figure 1-213 Enabling "Initialize and script ActiveX controls not marked
as safe for scripting"

Switches
Figure 1-214 Enabling "Include local directory path when uploading files
to a server"
● Download files.
You can download files from the switch to a local device.
b. Click next to a file and select the path for saving the file to download
the file.
NOTE
You can only download files with the following file name
extensions: .cc, .pat, .zip, .
7z, .txt, .log, .dblg, .cfg, .dat, .bat, .jpg, .jpeg, .png, .pem, .p12, .cer, .bin, .mod
and .xml.
● Move files to the recycle bin.
After files are moved to the recycle bin, they still exist on the switch. You can
restore the files in the recycle bin.
b. Select the file to be deleted.

Switches
c. Click Delete.
d. Click OK in the dialog box that is displayed.
● Delete files permanently.
You can permanently delete files from the switch.
NOTICE
The files deleted permanently cannot be restored.
b. Select the file to be deleted.
c. Click Delete Permanently.
● Restore files.
You can restore the files in the recycle bin to the storage device.
b. Select the file to be restored.
c. Click Restore File to restore the file. The file will be removed from the
recycle bin.
● Delete files from the recycle bin.
The files in the recycle bin still occupy storage space. You can delete useless
files permanently from the recycle bin to save the storage space.
b. Select the file to be deleted permanently.
c. Click Delete Permanently.
----End
1.6.1.13.2 System Time (Cloud management mode)

This section describes how to view the system time.
Procedure
Step 1 Choose Maintenance > System Maintenance > System and click the System
Time tab to display the current system time, as shown in Figure 1-215.
Figure 1-215 System Time

Switches
----End
1.6.1.13.3 System Time (Traditional management mode)

The system time can be automatically synchronized or manually set.
Context
Generally, the daylight saving time (DST) is configured in the summer, and the
DST ranges from one day to one year. Therefore, the end time of daylight saving
time must be more than one day but less than one year later than the start time.
To ensure effective communication between the switch and other devices, set the
system time correctly.
Procedure
● Time Zone Settings
System Time tab, as shown in Figure 1-216.
Figure 1-216 System Time
b. Select a time zone from Select time zone and set DST to ON, as shown
in Figure 1-217.

Switches
Figure 1-217 DST Setting
Table 1-164 DST parameters
The following parameters are valid only when DST Type is set to
Absolute.
Effective time Specifies the start and end time of the

absolute DST.
DST difference Specifies the DTS difference.
The following parameters are valid only when DST Type is set to
Timely.
Start time Select By week or By date to set the

start time of DST.
End time Select By week or By date to set the end

time of DST.
DST difference Specifies the DTS difference.
Start and end years Specifies the start and end years of a
periodic DST.

● Date and Time Settings
Choose Maintenance > System Maintenance > System and click the System
Time tab, as shown in Figure 1-216.
Current system time displays the current date and time.
– Automatic synchronization

Switches
i. Click Auto.
ii. Set NTP server IP address and click Add to specify a remote NTP
server.
iii. Click Apply to complete the configuration.
– Manual setting
i. Click Manual.
ii. Set Date and Time.
iii. Click Apply to complete the configuration.
The new date and time is displayed.
▪ If the new time is 10 minutes later or 720 hours earlier than the
scheduled reboot time, the system will display a message as shown
in Figure 1-218, asking whether you want to disable the scheduled
restart function.
Figure 1-218 Information page
▪ If the system time is changed to no more than 10 minutes later than

the scheduled restart time, the system will display a message as
shown in Figure 1-219, asking whether you want to restart the
device immediately.
Figure 1-219 Warning page

Switches
----End
1.6.1.13.4 System Info

This section describes how to set the basic system information, such as device
name and HTTP timeout interval.
Context
NOTE
This function is not supported in the cloud management mode.
Procedure
Step 1 Choose Maintenance > System Maintenance > System and click the System
Info tab, as shown in Figure 1-220.
Figure 1-220 System Info
Table 1-165 describes the parameters on the System Info page.
Table 1-165 Parameters on the System Info page
Item Description
Device name Indicates the device name. This is a

mandatory parameter. You can click
Restore Default Name to restore the
default device name.
HTTP timeout interval (min) Specifies the timeout interval of the

HTTP connection.
Step 2 Set the parameters.
----End

Switches
1.6.1.13.5 Initialization
You can restore the factory settings of a switch on this page.
Context
If improper configurations have been performed on the switch, you can restore the
factory settings of the switch.
NOTICE
After you restore the factory settings of the switch, all the configurations that you
have made on the switch will be deleted and cannot be restored. The original
management IP address becomes invalid and the web system is unavailable. Use a
serial cable to connect to console interface of the switch and your PC to
reconfigure the switch.
Procedure
● Restore the factory settings.
Initialization tab, as shown in Figure 1-221.
Figure 1-221 Initialization
b. Click Initialization.
● Reset the Boot password.
Initialization tab, as shown in Figure 1-221.
b. Click Reset Root Password to restore the BootLoad password or
BootROM password to default values.
----End
1.6.1.14 SNMP
Simple Network Management Protocol (SNMP) is a standard network
management protocol widely used on TCP/IP networks. SNMP uses a central
computer (a network management station) that runs network management
software to manage network elements.

Switches
1.6.1.14.1 SNMP Setting
Context
SNMP agent is an agent program on the managed device. The SNMP agent
maintains information for the managed device, responds to the requests from the
NMS, and sends management data to the NMS. Before the NMS manages a
device through SNMP, the SNMP agent must be enabled on the device and a
proper SNMP version needs to be selected.
A web system supports SNMPv1, SNMPv2c and SNMPv3. The device and NMS
must use the same SNMP version.
NOTE
If a device is managed by multiple NMSs running different SNMP versions, all the SNMP
versions need to be set on the device so that the device can communicate with these NMSs.
Table 1-166 Usage scenarios of SNMP

Version Usage Scenario
SNMPv1 Applicable to small networks with

simple networking and low security
requirements or small networks with
good security and stability, such as
campus networks and small enterprise
networks.
SNMPv2c Applicable to medium and large

networks with low security
requirements or with good security but
on which services are so busy that
traffic congestion may occur.
SNMPv3 Applicable to networks of various

scales, especially networks that have
strict security requirements and can be
managed only by authorized network
administrators. For example, SNMPv3
can be used if data between the NMS
and managed device needs to be
transmitted over a public network.
The community/group management configurations vary with SNMP versions. After

global SNMP settings are complete, configure the communities/groups. Table
1-167 lists the mappings between SNMP versions and configurations.

Switches
Table 1-167 Mappings between SNMP versions and community/group

configurations
Version Configuration
SNMPv1 Community management
SNMPv2c Community management
SNMPv1 and SNMPv2c Community management
SNMPv3 Group management and user

management
SNMPv1 and SNMPv3 Community management, group

management and user management
SNMPv2c and SNMPv3 Community management, group

SNMPv1, SNMPv2c, and SNMPv3 Community management, group

Procedure
Step 1 Choose Maintenance > System Maintenance > SNMP and click the SNMP
Setting tab, as shown in Figure 1-222.
Figure 1-222 SNMP Setting
Step 2 For SNMP parameters, see Table 1-168.

Switches
Table 1-168 SNMP configuration items

SNMP Indicates the SNMP Agent status:

● ON: SNMP Agent is enabled.
● OFF: SNMP Agent is disabled.
To manage devices using the NMS,
enable the SNMP Agent function.
Version number Indicates the SNMP version on the

device.
SNMPv1, SNMPv2c and SNMPv3 are
supported. Choose one or multiple
versions. Ensure that the SNMP
versions on the device and on the
NMS are the same.
NOTE
SNMPv1 and SNMPv2c are not secure.
SNMPv3 is recommended.
Community name Indicates the read/write community

name of SNMPv1, SNMPv2c and
SNMPv3.
This is the password that the NMS
uses to perform the read and write
operations on the SNMP agent. The
password configured on the SNMP
agent must be the same as that
configured on the NMS.
Confirm community name Confirms the community name. It

must be the same as the community
name.
Clear Community Deletes all community names.
Step 3 If SNMPv3 is used, you need to configure groups and users.

1. Click Create in Group to open the Create Group page, as shown in Figure
1-223.

Switches
Figure 1-223 Create Group
Table 1-169 Create Group

Group Name Indicates the SNMPv3 user group.
Security Level Indicates the security level of the

SNMPv3 user group:
– No-auth&no-encrypt
– Auth&no-encrypt
– Auth&encrypt
NOTE
When No-auth&no-encrypt is selected,
there is a security risk. The
Auth&encrypt mode is recommended.
ACL Indicates the access control list for

group management by the NMS on
the device.
Click and select an ACL in the

dialog box.
2. Set the required parameters.

3. Click OK to complete the configuration.
4. Click Create in User to open the Create User page. The configuration items
vary according to the security level.
– Set the security level to No-auth&no-encrypt, as shown in Figure 1-224.

Switches
Figure 1-224 Create a user - No-auth&no-encrypt
Table 1-170 Create a user - No-auth&no-encrypt

User Name Indicates the SNMPv3 user name.

group management by the NMS
on the device.
Click and select an ACL in

the dialog box.
Group Name Indicates the user group to which

users are added.
– Set the security level to Auth&no-encrypt, as shown in Figure 1-225.

Switches
Figure 1-225 Create a user - Auth&no-encrypt
Table 1-171 Create a user - Auth&no-encrypt

Authentication protocol Indicates the authentication

protocol:
▪ MD5: HMAC-MD5-96
▪ SHA: HMAC-SHA-96
Authentication password Indicates the authentication

password.
Confirm authentication password Confirms the authentication

password. It is the same as the
authentication password.

Switches

on the device.

the dialog box.

users are added.
– Set the security level to Auth&encrypt, as shown in Figure 1-226.
Figure 1-226 Create a user - Auth&encrypt

Switches
Table 1-172 Create a user - Auth&encrypt

Authentication protocol Indicates the authentication

protocol:
▪ MD5: HMAC-MD5-96
▪ SHA: HMAC-SHA-96
Authentication password Indicates the authentication

password.
Confirm authentication password Confirms the authentication

password. It is the same as the
authentication password.
Encryption protocol Indicates the encryption protocol:
▪ 3DES
▪ AES128
▪ AES192
▪ AES256
▪ DES56
Encryption password Indicates the encryption password.
Confirm encryption password Confirms the encryption password.

It is the same as the encryption
password.

on the device.

the dialog box.

users are added.
5. Set the required parameters.

6. Click OK.
----End

Switches
1.6.1.14.2 Trap Setting

You can configure the trap function on the device.
Context
NOTE
This page is displayed only when the SNMP agent status in SNMP Setting is set to OFF.
A trap is an alarm message sent from the managed device to the NMS to notify
administrators of the network faults. After receiving a trap from a managed
device, the NMS does not need to reply.
Procedure
● Configure trap.
a. Choose Maintenance > System Maintenance > SNMP and click the Trap
Setting tab, as shown in Figure 1-227.
Figure 1-227 Trap Setting
Table 1-173 Trap Setting
SNMP Trap Indicates whether the SNMP trap

function is enabled.
Trap Source Interface Indicates the source interface for

sending traps. The value depends
on the device configuration.
b. Set parameters.
c. Click Apply to complete the configuration.
● Configure the trap target host.
Create a trap target host.
Setting tab.

Switches
b. Click Create in Destination host receiving traps to open the Create

Trap Host page, as shown in Figure 1-228.
Figure 1-228 Create Trap Host
Table 1-174 describes parameters on the Create Trap Host page.
Table 1-174 Create Trap Host

Destination host IP address Specifies the IP address of the

target host.
UDP port number of destination Specifies the port receiving trap

host messages on the target host. The
default port number is 162.
Trap version Specifies the SNMP version

matching the trap messages,
including:
● v1
● v2c
● v3

Switches
User name Specifies the user name displayed

on the NMS.
● When the trap version is v1 or
v2c, the user name is a string
of 1 to 32 characters without
spaces.
● When the trap version is v3,
the user name must be the
same as the user name
configured in Group
Management.
Security level This parameter is mandatory

when the trap version is v3.
Security levels include:
● No-auth&no-encrypt
● Auth&no-encrypt
● Auth&encrypt
c. Set parameters.
d. Click OK. The configuration is complete.
Delete the trap target host.
Setting tab.
b. Select the items that you want to delete in Destination host receiving
traps, or select all items.
c. Click Delete. The system asks you whether to delete the items.
d. Click OK. The configuration is complete.
----End
1.6.1.15 Electronic Label

You can view electronic label information of a switch on this page.
Procedure
Step 1 Choose Maintenance > System Maintenance > Electronic Label to access the
Electronic Label page, as shown in Figure 1-229.

Switches
Figure 1-229 Electronic Label
Table 1-175 Parameters on the Electronic Label page

Item Description
Slot ID The slot where the switch is located.
BoardType Board model of the specified

component.
BarCode Bar code of the specified component.
Item BOM code of the specified

component.
Description English description of the specified

component.
Manufactured Production date of the specified

component.
VendorName Vendor name of the specified

component.
IssueNumber Issuing number of the specified

component.
CLEICode CLEI code of the specified component.
BOM Sales BOM code of the specified

component.
----End

Switches
1.6.1.16 AS Interface (SVF)
Context
AS interface information is displayed only in SVF mode.
Procedure
Step 1 Choose Maintenance > System Maintenance > AS Interface.
Step 2 Select the AS name and click Search to view AS interface information, as shown in
Figure 1-230.
Figure 1-230 AS Interface
Step 3 Select one or more interfaces as required and click Enable to enable these
interfaces or click Disable to disable these interfaces.
----End
1.6.1.17 Certificate Mgmt (Cloud Management Mode)
Context
In cloud management mode, you can manage local certificates and CA certificates.
Procedure
Step 1 Choose Maintenance > System Maintenance > Certificate Mgmt to open the
Certificate Mgmt page, as shown in Figure 1-231.

Switches
Figure 1-231 Certificate Mgmt
Table 1-176 describes parameters on the Certificate Mgmt page.
Table 1-176 Certificate Mgmt
Upload and Load CA Certificate
Load a CA certificate file Specifies a CA certificate to be

imported. For example, when the
switch functions as an SSL agent, it
can have an SSL agent CA certificate
imported and use the private key of
this certificate to sign the SSL client
certificate again.
Upload and Load Local Certificate
Set an encryption key Specifies an encryption password for

an RSA key pair file.
Confirm an encryption key Confirms an encryption password for

an RSA key pair file.
Load a local certificate file Specifies a local certificate to be

imported.
Current Certificate Information Displays Certificate Status,

Certificate Version, and Certificate
Serial Number of the CA certificate
and local certificate.
Step 2 Click in Load a CA certificate file and select a CA certificate file to be

loaded.
Step 3 Click Load to upload the CA certificate file.

Switches
Step 4 Configure an encryption password, and click in Load a local certificate file
to select a local certificate file to be loaded.
Step 5 Check the CA certificate and local certificate in Current Certificate Information.
----End
1.6.1.18 Controller Mgmt (Cloud Management Mode)
Context
After the switch changes to the cloud management mode, it needs to register with
the cloud management platform for authentication. Before registration
authentication, the switch needs to obtain IP address or URL information of the
cloud management platform to communicate with the platform.
Procedure
● Configure the Controller's IP address.
a. Choose Maintenance > System Maintenance > Controller Mgmt to
open the Controller Management page.
b. Set Controller address format to IP, as shown in Figure 1-232.
Figure 1-232 Configuring the Controller's IP address
c. Configure an IP address and a port number for the Controller.

d. Click Apply to complete the configuration.
● Configure the Controller's URL information.
a. Choose Maintenance > System Maintenance > Controller Mgmt to
open the Controller Management page.
b. Set Controller address format to URL, as shown in Figure 1-233.

Switches
Figure 1-233 Configuring the Controller's URL information
c. Configure a URL and a port number for the Controller.

d. Click Apply to complete the configuration.
----End
1.6.1.19 Device Working Mode
Context
NOTE
Cloud-based management can be configured only on the S5720SI and S5720S-SI.
Switches can switch between Traditional management mode and Cloud

management mode. Compared with the traditional management mode, the
cloud management mode supports only the EasyOperation web system. In cloud
management mode, the EasyOperation web system supports the functions listed
in Table 1-177.
Table 1-177 Description of web system navigation tree (cloud management

mode)
Menu Submenu
Monitoring Displays the device panel, device information, device

status, top 5 bandwidth usages, logs, alarms, and
power supply information.
Diagnosis Diagnostic Tools Includes one-click

information collection, ping
and trace route.
Maintenance System Maintenance Restart
Upgrade

Switches
Menu Submenu
Patch
Log
Alarm
System
Electronic Label
Certificate Mgmt
Controller Mgmt
Device Working Mode
Procedure
Step 1 Choose Maintenance > System Maintenance > Device Working Mode to open
the Device Working Mode page, as shown in Figure 1-234.
Figure 1-234 Device Working Mode
Step 2 Set the working mode of a switch.

● Traditional management mode: You can configure and manage the switch
using SNMP or commands.
● Cloud management mode: You can configure and manage the switch using
the Controller.
----End
1.6.2 AP Maintenance (S5720HI)

NOTE


Switches
1.6.2.1 AP Upgrade
1.6.2.1.1 Upgrade Configuration
Context
You can upgrade a large number of APs on your network in batches on the
Upgrade Configuration page.
Before starting a batch AP upgrade, upgrade an AP to check whether the target

version is normal, ensuring success of the subsequent batch upgrade.
NOTE
The batch AP upgrade and single AP upgrade functions on the web system apply only to
online APs.
Procedure
● Set the upgrade mode.
a. Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade
Configuration. The Upgrade Configuration page is displayed.
b. Set parameters on the Upgrade Configuration page. The AP upgrade

mode can be AC, FTP, or SFTP. Table 1-178 describes the parameters
you need to set in the three upgrade modes.
c. Click Apply. In the Info dialog box that is displayed, click OK.

Switches
NOTE
The parameter settings in Upgrade Mode take effect for both batch AP upgrade and
single AP upgrade.
Table 1-178 Parameters for upgrade mode
Upgrade mode AP upgrade mode.

● AC: The upgrade system
software must be uploaded to
the AC in advance. Upgrading
APs in batches takes a long
time. To shorten the service
interruption time, you are
advised to upgrade APs in FTP
or SFTP mode.
● FTP: The upgrade system
the FTP server in advance, and
APs can communicate with the
FTP server.
● SFTP: The upgrade system
the SFTP server in advance, and
APs can communicate with the
SFTP server.
NOTE
If a large number of APs need to be
upgraded, FTP or SFTP is
recommended.
Upload upgrade file AP upgrade file to be uploaded.
Server IP IP address of the FTP server or

SFTP server for storing the
upgrade system software.
FTP user name User name for logging in to the

FTP server.
FTP password Password for logging in to the FTP

server.
SFTP user name User name for logging in to the

SFTP server.
SFTP password Password for logging in to the

SFTP server.
● Upgrade APs in batches.


Switches
b. In AP Upgrade Configuration List, click Create to set parameters for

upgrading APs in batches. Table 1-179 describes the parameters for
upgrading APs in batches.
Table 1-179 Parameters for upgrading APs in batches
AP type Type of APs to be upgraded.
Upgrade file AP upgrade file.
AP group AP group to which the APs to be

upgraded belong.
c. Click OK.
d. Select AP type, AP group, and Upgrade mode, and click Apply. In the
Confirm dialog box that is displayed, click OK. The upgrade starts.
● Delete batch AP upgrade configurations.
b. Under AP Upgrade Configuration List, select a batch AP upgrade
configuration item and click Delete. In the Confirm dialog box that is
displayed, click OK. The batch AP upgrade configuration is deleted.
● Upgrade a single AP.
b. In Select AP of AP Upgrade, select the AP to be upgraded. Select the
upgrade file in Upgrade file and click Upgrade. In the Info dialog box
that is displayed, click OK.
----End
1.6.2.1.2 Upgrade Status
Context
By checking AP upgrade status, you can know the AP upgrade progress.
Procedure
Step 1 Choose Maintenance > AP Maintenance > AP Upgrade > Upgrade Status. The
Upgrade Status page is displayed.

Switches
Step 2 Check AP upgrade status on the Upgrade Status page. Table 1-180 describes the
AP upgrade status parameters.
Table 1-180 Upgrade status parameters
AP ID AP ID.
AP Name AP name.
AP MAC MAC address of an AP.
Group Name AP group to which an AP belongs.
Type AP type.
Upgrade Status Upgrade status of an AP.
Step 3 Select the AP to be restarted and click Restart. In the Confirm dialog box that is
displayed, click OK.
----End
1.6.2.2 AP Restart
Procedure
● Restart an AP.
a. Choose Maintenance > AP Maintenance > AP Restart. The AP Restart
page is displayed.
b. Select the AP that you want to restart from the AP list and click Restart.
In the Confirm dialog box that is displayed, click OK to restart the AP.
To restart all the APs in the AP list, click Restart All. For descriptions
about the AP parameters, see Table 1-181.
Table 1-181 Descriptions about the AP parameters
Par Description
am
eter
AP ID of the AP.
ID
AP Name of the AP.

Na
me

Switches
Par Description
am
eter
MA MAC address of the AP.

C
Add
ress
Gro Name of the group that the AP belongs to.

up
Na
me
IP IP address of the AP.

Add
ress
Typ Type of the AP.

e
STA Number of STAs connected to the AP.

Qua
ntit
y
Logi Online duration of the AP.

n
Peri
od
Stat Status of the AP.

us
Vers Version of the AP.

ion
Seri Sequence number (SN) of the AP.

al
Nu
mbe
r
----End
1.6.2.3 Log
Procedure
● View logs.
a. Choose Maintenance > AP Maintenance > Log. The Log page is
displayed.

Switches
b. View logs in the list.

The logs containing the keyword are displayed. Table 1-182 describes the
log parameters.
Table 1-182 Log parameters

Par Description
am
eter
AP ID of the AP.
ID
AP Name of the AP.

Na
me
AP MAC address of the AP.

MA
C
Gro Name of the group that the AP belongs to.

up
Na
me
IP IP address of the AP.

Add
ress
Typ Type of the AP.

e
Ope Operation that can be performed.

rati
on
● Export logs.
a. Choose Maintenance > AP Maintenance > Log. The Log page is
displayed.
b. Click Export Logs.
c. In the View Log File dialog box that is displayed, select the logs that you
want to export and click OK.

Switches
If the operation is successful, the logs in the log buffer are saved to the
log file.
----End
1.6.2.4 Account
Context
Unauthorized users may use the default user name and password to log in to APs,
causing security risks. To prevent this problem, use Account menu to change the
user name and password used to log in to APs.
The default username and password are available in WLAN Default Usernames
and Passwords (Enterprise Network or Carrier). If you have not obtained the
access permission of the document, see Help on the website to find out how to
obtain it.
Procedure
● Modify AP account information.
a. Choose Maintenance > AP Maintenance > Account. The Account page
is displayed.
b. Enter the new user name and password in Modify AP Account. Table
1-183 describes the parameters for modifying AP account information.

Switches
Table 1-183 Parameters for modifying AP account information

New user name The value is a string of 4 to 31

characters. It can contain letters,
underscores, and digits, and must
start with a letter.
New password The value is a string of 8 to 32

case-sensitive characters. It must
contain at least one uppercase
letter, one lowercase letter, and
one digit, and cannot contain any
question mark (?).
c. Click Apply.
The AP user name field then displays the new user name.
● Restore the default AP account settings.
a. Choose Maintenance > AP Maintenance > Account. The Account page
is displayed.
b. Click Restore Default Settings.
----End
1.7 Network
The EasyDeploy function simplifies network configuration and implements remote
deployment and centralized management of network devices.
To configure the EasyDeploy function, determine roles of devices first. After a
device is configured as the Commander, you can view client information, configure
and upgrade clients, and view power consumption of the device and the entire
network on the Commander.
NOTE
The network area is available only in the stand-alone mode.

The device that cannot work as the Commander can only be configured as the client, and the
Summary, Deployment, Batch Configuration, and Power Consumption menus are not
available.
If the topology function is not enabled on the Commander, the Summary, Deployment, and
Batch Configuration menus are not available.
Table 1-184 lists the device models and versions that support the EasyDeploy
function.

Switches
Table 1-184 Supports for the EasyDeploy function

Role Product Version Maximum Description
Model Number of
Managed
Clients
Commander S5700HI, V200R003C00 128 The S2720EI,

S5710HI, and to S2750EI,
S6700EI V200R005C00 S5700S-LI,
S5720S-LI,
S5700EI, 64 S5710-X-LI,
S5710EI, and S5700LI,
S5700SI S5720LI,
S5720HI V200R006C00 128 S5720SI, and
and later S5720S-SI can
only work as
S5720EI V200R007C00 128 a client and
and later cannot work
as a
S6720EI V200R008C00 128 Commander.
and later
S6720S-EI V200R009C00 128

and later

Switches
Role Product Version Maximum Description

Model Number of
Managed
Clients
Client ● All fixed V200R003C00 - ● If the

switch and later clients are
models chassis
except the switches,
S1720GFR EasyDeploy
● All can only
modular be applied
switch to the
models batch
upgrade
and batch
configurati
on
scenarios.
● If the
clients are
fixed-
configurati
on
switches,
EasyDeploy
applies to
the batch
upgrade,
batch
configurati
on,
unconfigur
ed device
deploymen
t, and
faulty
device
replaceme
nt
scenarios.
1.7.1 Role Configuration

Before configuring EasyDeploy on a device, determine the role of the device.
1.7.1.1 Commander
You can configure global parameters for the Commander, including the role,
Commander IP address and port, file server, and default files to be downloaded.

Switches
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Role Configuration in the navigation tree to display the Role Configuration
page.
Step 3 Click the Commander option button, as shown in Figure 1-235.
Figure 1-235 Role Configuration
Step 4 To perform advanced configurations, click , as shown in Figure 1-236.

Switches
Figure 1-236 Role configuration (advanced)
Table 1-185 describes the parameters for a Commander.

Switches
Table 1-185 Role parameters

IP address This parameter is mandatory. Select an existing

IP address from the drop-down list box.
Port If you keep this field blank, the default UDP port
is used.
Topology function If you select ON, the Commander is enabled to

collect topology information so that you can
deploy and maintain the network based on the
topology.
Automatic client discovery If you select ON, the Commander automatically

learns client information, including each client's
MAC address, ESN, IP address, device type,
device model, system software name,
configuration file name, and patch file name.
This function enables the Commander to
monitor and manage basic information and
version files for clients on the network.
Aging time of offline clients If you select ON, set an aging time.
If the Commander does not receive status
information from a client in 2 minutes, the
Commanders considers the client offline. When
the number of clients managed by a
Commander reaches the upper limit, new client
information cannot be added to the
Commander. To release the space occupied by
offline clients in the client database, configure
an aging time for offline clients. When the aging
time expires, the Commander deletes the offline
client.
File Server Server type Options are FTP, SFTP, and TFTP.
Configuratio NOTE
n FTP and TFTP cannot ensure secure file transfer. SFTP
is recommended on networks that require high
security.
IP address Enter the IP address of the file server.
User name Set the user name used to log in to the file
server.
Password Set the password used to log in to the file server.

Switches
Download File Options are Default mode and Reset mode.

File activation By default, if downloaded files include a
Configuratio mode software package (*.cc), clients activate all the
n downloaded files by resetting. In a batch
upgrade, if downloaded files include a
configuration file, clients activate all the
downloaded files by resetting.
File Options are Immediate, Delayed, and

activation Scheduled. If you select Delayed or Scheduled,
time specify a time.
Automaticall If you select yes, clients will delete non-startup

y clear system software packages if they do not have
storage sufficient space for downloaded files.
space NOTE
This function is invalid for some types of file servers. If
the file server is a TFTP server, this function does not
take effect because the TFTP server does not return
file size to clients. If an FTP or SFTP server cannot
return the file size, this function does not take effect
yet.
Automatic File backup Options are Non-backup, Save backup file as

Backup mode new file, and Overwrite original file.
Configuratio
n
Default File System file If you do not specify any file information, the
Settings name default file information is used.
System You can specify a maximum of three self-defined

version files.
Configuratio
n file name
Patch file
name
Web file
name
License file
name
User-defined
file name
Step 5 Set parameters on the Role page.

Step 6 Click Apply.
----End

Switches
1.7.1.2 Client
To enable the Commander to manage clients, specify the Commander IP address
and port number on the clients.
Procedure
Step 2 Click Role Configuration in the navigation tree to display the Role Configuration
page.
Step 3 Click the Client option button, as shown in Figure 1-237.
Step 4 Enter the Commander IP address and UDP port and select whether to enable the
network topology collection function. The Commander IP address you enter here
must be the same as that configured on the Commander. If you keep the UDP
port blank, the default UDP port is used.
Step 5 Click Apply.
After you click Apply, the Summary, Deployment, Batch Configuration, and
Power Consumption nodes disappear from the navigation tree. These functions
are supported only on the Commander and are hidden for clients.
NOTE
After completing the client configuration, you can click Go to commander web NMS to view
Commander information or configure the Commander.
----End
1.7.2 Summary
On the Summary page, you can view the network topology and device
information, and save topology information on the device.
Context
To view network topology information, you must enable topology discovery on the
Commander.

Switches
Procedure
● View the network topology.
a. Click Network in the function area to display the Network page.
b. Click Summary in the navigation tree to display the Summary page. The
network topology is displayed, as shown in Figure 1-238.
Figure 1-238 Topology
● Save the topology information.

b. Click Summary in the navigation tree to display the Summary page.
c. Click Save Topology. When the message "Are you sure you want to
overwrite and save the existing topology?" is displayed, determine
whether to save the configuration according to your needs. (The topology
information is saved in the ezop-topo.xml file on the Commander. You
can compare this with the historical topology file to check the changes in
the network topology.)
● View device information.
b. Click Summary in the navigation tree to display the Summary page.
c. Click to view device information.

Switches
Figure 1-239 Device information
Click Log In to display the web page of the device.
----End
1.7.3 Deployment
On the Commander, you can perform unconfigured client deployment, faulty
client replacement, and batch client configuration based on topology information.
1.7.3.1 Unconfigured Device Deployment

An unconfigured client can automatically load the configuration file and other
files after it is powered on.
Procedure
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select an unconfigured device. The device information is displayed, as shown in

Figure 1-240.

Switches
Step 4 Click Set Running File to display the Set Running File page, as shown in Figure
1-241.

Switches
Figure 1-241 Set Running File
Step 5 Set file information and click OK.
----End
1.7.3.2 Faulty Device Replacement

When a client fails and needs to be replaced, specify file information of this client
on the web page. Then the new device can use the specified files to start.
Procedure
Step 3 Select the faulty device to be replaced. The device information is displayed, as

Switches
Step 4 Click Replace Running File and enter the file information in the displayed page.
----End
1.7.3.3 Batch Upgrade

During routine network maintenance, you can update the software version and
patch files of specified clients.
Procedure
Step 3 Select the device to be upgraded and click Upgrade. Enter information about the
upgrade system software and patch file on the displayed page.
----End
1.7.4 Batch Configuration

On the Commander, you can issue a command script to specified clients to
complete batch configuration of the clients.

Switches
Procedure
● Configure clients in a batch.
b. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.
c. Select the device to be configured and click Batch Configuration, as
shown in Figure 1-243. Import the script file.
Figure 1-243 Batch Configuration
● Check the configuration.

b. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.
c. Click Query Configuration Result. The configuration is displayed in the
list.
----End
1.7.5 Power Consumption

On the Commanders, you can view the power consumption trend on the network
and power consumption of a specific device.
Procedure
● View the power consumption trend on the network.
b. Click Power Consumption in the function area to display the Power
Consumption page.
c. Select a time period from the drop-down list box to view the power
consumption trend of the network in one day, three days, or a week. By
default, the system displays the power consumption trend in one day, as

Switches
Figure 1-244 Power consumption trend on the network
● View the power consumption of a device.

b. Click Power Consumption in the function area to display the Power
Consumption page.
c. Select a device from the device list to view its power consumption, as
Figure 1-245 Power consumption of a device
----End
1.8 Profile (S5720HI)

Context
You can configure and manage WLAN profiles in unified and centralized manners
through the profile management page.
Choose Configuration > Wireless Services > Profile. The Profile Management
page is displayed.
NOTE

1.8.1 Wireless Service
1.8.1.1 VAP Profile

Switches
Context
The administrator needs to deliver service parameters to an AP so that the AP can
provide network access services for wireless users. A VAP profile is a set of service
parameters. You can configure different VAP profiles and deliver configurations in
the profiles to APs to provide differentiated WLAN services.
Procedure
● Create a VAP profile.
a. Choose Configuration > Wireless Services > Profile > Wireless Service
> VAP Profile. The VAP Profile List page is displayed.
b. Click Create. The Create VAP Profile page is displayed.
c. Enter the name of the new VAP profile in Profile name.
To copy all parameters from another profile to the new profile, select the
name of the profile in Copy parameters from other profiles. If None is
selected, parameters are not copied from another profile.
d. Click OK. The parameter setting page of the new VAP profile is displayed.
e. Set parameters for creating a VAP profile. Table 1-186 describes the
parameters for creating a VAP profile.
Table 1-186 Parameters for creating a VAP profile

VAP Profile Name of the VAP profile, which

cannot be modified.
Status Whether to enable the service

mode of a VAP.

Switches
VAP type VAP type.

● If the type of a VAP is set to
service, STAs connected to the
VAP can only access network
resources but not APs. Service
VAPs are used in regular WLAN
deployment scenarios.
● If the type of a VAP is set to
ap-management, STAs
connected to the VAP can only
access APs but not network
resources. AP management
VAPs are used in STA access
and AP management scenarios.
Service VLAN Service VLAN of a VAP.

● When a specific VLAN is
configured as the service VLAN
of a VAP, STAs connected to the
VAP join the same VLAN.
● When VLANs in a VLAN pool
are configured as service
VLANs of a VAP, STAs
connected to the VAP join
different VLANs.
Service VLAN ID ID of the service VLAN.
VLAN Pool VLAN pool used for service VLANs.

To configure a VLAN pool,
perform as follows:
● Click to create a VLAN

pool. For parameters for
creating a VLAN pool, see
Table 1-187.
● Click to modify the

selected VLAN pool.
● Click to delete the selected

VLAN pool.
Forwarding mode Service forwarding mode.
Band steering Whether to enable band steering.
ARP probe Whether to enable dynamic ARP

probing.

Switches
IP binding check Whether to enable IP source

guard on an AP.
IP learning Whether to enable STA address

learning.
Strict IP learning Whether to enable strict STA IP

address learning through DHCP.
Dynamic blacklist of strict IP Whether to add STAs with bogus

learning IP addresses to a dynamic
blacklist.
DHCP trusted interface Whether to enable the DHCP

trusted port function on an AP.
Appending Option 82 Whether to enable an AP to insert

the Option 82 field in DHCP
packets sent from a STA.
RID format Format of the remote-ID in the

Option 82 field inserted in DHCP
CID format Format of the circuit-ID in the

Option 82 field inserted in DHCP
Delimiter Format of the AP's MAC address

in the Option 82 field.
User-defined User-defined format in the Option

82 field.
Effective after logout Whether to enable offline

management VAP and antenna
alignment VAP functions.
Disable VAP periodically Whether to enable the scheduled

VAP auto-off function.
Disable VAP time setting at Scheduled time during which a

intervals VAP is disabled.
Table 1-187 Parameters for creating a VLAN pool

Item Description
VLAN pool name Name of a VLAN pool.

Switches
Item Description
VLAN assignment mode Assignment mode of VLANs in a

VLAN pool.
● When the VLAN assignment
algorithm is set to even,
service VLANs are assigned to
STAs from the VLAN pool
based on the order in which
STAs go online. Address pools
mapping the service VLANs
evenly assign IP addresses to
STAs. If a STA goes online
many times, it obtains different
IP addresses.
● When the VLAN assignment
algorithm is set to hash, VLANs
are assigned to STAs from the
VLAN pool based on the harsh
result of their MAC addresses.
As long as the VLANs in the
VLAN pool do not change, the
STAs obtain fixed service
VLANs. A STA is preferentially
assigned the same IP address
when going online at different
times.
VLAN ID ID of a VLAN to be added to or

deleted from a VLAN pool.
● Modify a VAP profile.
b. Click the name of the VAP profile that you want to modify. The VAP
Profile page is displayed.
c. Set parameters for modifying the VAP profile. Table 1-186 describes the
parameters for modifying a VAP profile.
● Delete a VAP profile.

Switches
and click Display Reference. The system displays the types and names of
the objects that reference the profile.
NOTE
● Configure profiles referenced by a VAP profile.
> VAP. The VAP Profile List page is displayed. Click next to VAP
Profile. The system displays names of the VAP profiles. Click next to a
VAP profile name. The profiles referenced by the VAP profile are
displayed in the menu navigation area.
b. Click any profile referenced by the VAP profile. The configuration page of
the referenced profile is displayed on the right. You can select another
profile from the drop-down list and set the profile parameters. For
descriptions of the profile parameters, see its configuration page.
----End
1.8.1.2 SSID Profile
Context
An SSID profile is mainly used to configure STA association and access parameters
based on SSIDs, including the SSID name, STA association timeout period, legacy
terminal access, and QoS CAR.
Procedure
● Create an SSID profile.
> SSID Profile. The SSID Profile List page is displayed.
b. Click Create. The Create SSID Profile page is displayed.
c. Enter the name of the new SSID profile in Profile name.
d. Click OK. The parameter setting page of the new SSID profile is displayed.

Switches
e. Set parameters for creating an SSID profile. Table 1-188 describes the
parameters for creating an SSID profile.
Table 1-188 Parameters for creating an SSID profile

SSID Profile Name of the SSID profile, which

cannot be modified.
SSID Name of the SSID.

NOTE
When command lines are used to
configure an SSID name containing
non-English characters, the non-
English characters can only be edited
using the command editor of the
UTF-8 encoding format.

Switches
Association timeout STA association timeout period. If

an AP receives no data packet
from an STA in a continuous
period of time, the STA goes
offline after the association
timeout period is reached.
Maximum number of STAs Maximum number of access STAs

on a single VAP.
Hide SSID after the maximum Whether to hide SSIDs when the
number of STAs is reached number of users on a VAP reaches
the maximum.
Disable non-HT terminal access Whether to disable non-HT

terminal access.
EDCA Parameters
Area Preset EDCA parameters for

different scenarios. Users can
select the corresponding scenarios
or adjust the preset EDCA
parameters.
● Default: EDCA parameters use
default settings.
● Voice: Voice packets
preferentially use a channel.
● Voice and video: Voice and
video packets preferentially use
a channel.
Packet Type Packet type.

● AC_VO: Voice
● AC_VI: Video
● AC_BE: Best Effort
● AC_BK: Background
AIFSN Arbitration inter frame spacing

number (AIFSN), which
determines the channel idle time.
A larger AIFSN value indicates
that the STA must wait for a
longer time and has a lower
priority.
ECWmin Exponent form of the minimum

contention window (ECWmin) and
exponent form of the maximum
contention window (ECWmax)
together determine the average

Switches
ECWmax backoff time. Larger ECWmin and

ECWmax values indicate that the
average backoff time for the STA
is longer and the STA priority is
lower.
TXOPLimit Transmission opportunity limit

(TXOPLimit), which determines
the maximum duration in which
an STA can occupy the channel. A
larger TXOPLimit value indicates
that the STA can occupy the
channel for a longer time.
Inbound CAR Parameters
CIR Average rate of traffic that can

pass through in the inbound
direction.
PIR Maximum rate of traffic that can

pass through in the inbound
direction.
CBS Average volume of committed

burst traffic that can pass through
in the inbound direction.
PBS Maximum volume of burst traffic

that can pass through in the
inbound direction.
Admin Frame Expense Optimization
Beacon frame rate on 2.4G radio Rate at which 2.4 GHz Beacon
frames are sent.
Beacon frame rate on 5G radio Rate at which 5 GHz Beacon

frames are sent.
Deny broadcast probe Whether to disable an AP from

responding to broadcast Probe
Request frames.
Probe response retry Number of times Probe Response

packets ate retransmitted.
Others
DTIM interval Number of Beacon frames sent

before the Beacon frame that
contains the DTIM.
Hide SSID Whether to enable SSID hiding in

Beacon frames.

Switches
U-APSD power saving mode Whether to enable U-APSD.
● Modify an SSID profile.
b. Click the name of the SSID profile that you want to modify. The SSID
profile configuration page is displayed.
c. Set parameters for modifying an SSID profile. Table 1-188 describes the
parameters for modifying an SSID profile.
● Delete an SSID profile.
NOTE
----End
1.8.1.3 Security Profile
Procedure
● Create a security profile.
> Security Profile. The Security Profile List page is displayed.
b. Click Create. The Create Security Profile page is displayed.
c. Enter the name of the new security profile in Profile name.
d. Click OK. The parameter setting page of the new security profile is
displayed.

Switches
e. Set parameters for creating a security profile. Table 1-189 describes the
parameters for creating a security profile.
Table 1-189 Parameters for creating a security profile

Security Profile Name of the security profile,

Security policy Security policy of the security

profile.
SHARE-KEY Whether to use the pre-shared

key.
Authentication policy Authentication mode of the

security policy.
Encryption mode Encryption mode of the security

policy.
Key type Key type, which is a hexadecimal

number or a passphrase.
Key No. Key number, which you can select

from the drop-down list box.
Key Key of the security profile.
Confirm key Confirmation of the key.
PTK update interval Whether to enable periodic PTK

update during WPA/WPA2/WPA-
WPA2 encryption.

Switches
PTK update interval PTK update interval during WPA/

WPA2/WPA-WPA2 encryption. A
smaller update interval indicates
more frequent PTK updates and
more secure data encryption.
However, if the PTK update
interval is set too small, the STA
and AP implement more PTK
negotiations, affecting the
throughput.
Management frame protection Whether to enable management

frame protection.
Forcibly enable management Whether to forcibly enable

frame protection management frame protection.
Specify AC private key file/key Private key file and key of the AC
certificate specified for the
security profile when the security
policy is set to WAPI.
Specify AC certificate/key AC certificate and key specified for

the security profile when the
security policy is set to WAPI.
NOTE
The certificates must be valid and
correct.
Specify issuer's certificate/key Issuer certificate and key specified

for the security profile when the
security policy is set to WAPI. The
issuer certificate helps to check
whether the AC certificate is
modified.
Specify ASU certificate/key ASU certificate and key specified

for the security profile when the
security policy is set to WAPI.
NOTE
If the authentication system uses only
two certificates, the issuer certificate
is the same as the ASU certificate,
with the same file name. If the
authentication system uses three
certificates, the issuer certificate and
ASU certificate are different from
each other and both must be
imported.
The certificates must be valid and
correct.

Switches
ASU IP IP address of the ASU server when

the security policy is set to WAPI.
NOTE
The parameter determines to which
ASU server WAPI packets are sent.
Users must ensure the correctness of
both ASU certificates and ASU
servers; otherwise, users may fail the
authentication.
Retransmission count of certificate Number of certificate

authentication packets authentication packet
retransmissions specified for the
security profile when the security
policy is set to WAPI.
Association timeout interval Timeout period of a security

association (SA).
BK lifetime percentage BK lifetime percentage.
BK update interval BK update interval.
Key update Key update function. You can

select Unicast Key Update,
Multicast Key Update, or both.
Unicast Key Update/Multicast Key Update
Update interval Key update interval. When the key

update mode is set to time-based
key update, the key update
interval needs to be configured.
Retransmission count of Number of key negotiation packet

negotiation packets retransmissions.
● Modify a security profile.
b. Click the name of the security profile that you want to modify. The
security profile configuration page is displayed.
c. Set parameters for modifying a security profile. Table 1-189 describes the
parameters for modifying a security profile.
● Delete a security profile.

Switches

NOTE
----End
1.8.1.4 Traffic Profile
Procedure
● Create a traffic profile.
> Traffic Profile. The Traffic Profile List page is displayed.
b. Click Create. The Create Traffic Profile page is displayed.
c. Enter the name of the new traffic profile in Profile name.
d. Click OK. The parameter setting page of the new traffic profile is
displayed.
e. Set parameters for creating a traffic profile. Table 1-190 describes the
parameters for creating a traffic profile.
Table 1-190 Parameters for creating a traffic profile
Traffic Profile Name of the traffic profile, which

cannot be modified.

Switches
User isolation mode User isolation mode.
Multicast-to-unicast Whether to enable the function of

converting multicast packets to
unicast packets.
You can enable the function of
converting multicast packets to
unicast packets in scenarios that
have high requirements on
multicast stream transmission,
such as a high-definition video on-
demand scenario. After the
function is enabled, an AP listens
on Report and Leave packets to
maintain multicast-to-unicast
entries. When sending multicast
packets to the client, the AP
converts the multicast packets to
unicast packets based on the
multicast-to-unicast entries to
improve multicast stream
transmission efficiency.
IGMP-Snooping Whether to enable IGMP

snooping.
Multicast Report/Leave Whether to enable suppression of

Suppression multicast Report/Leave packets.
Broadcast packet rate limit Rate limit for broadcast packets.

Broadcast packets are discarded if
their rates exceed the rate limit.
Multicast packet rate limit Rate limit for multicast packets.

Multicast packets are discarded if
their rates exceed the rate limit.
Unknown unicast packet rate limit Rate limit for unknown unicast
packets. Unknown unicast packets
are discarded if their rates exceed
the rate limit.
Packet filtering
The following parameters are available only after IPv4 packet filtering
is selected.
Inbound ACL ACL used to filter incoming

packets.
Outbound ACL ACL used to filter outgoing

packets.

Switches
Uplink Priority Mapping on Air Interface

Mapping from the 802.11e user priority to DSCP priority in the
CAPWAP header when packets are sent from an AP to an AC.
Trust mode Trusted priority on the air

interface, which is the 802.11e or
DSCP priority.
802.11e 802.11e user priority.
DSCP DSCP priority of 802.11 packets.
Tunnel DSCP DSCP priority in the CAPWAP

header.
Downlink Priority Mapping on Air Interface

Mapping from the 802.1p or DSCP priority of 802.3 packets to the
802.11e user priority when packets are sent to an AP from upper-layer
devices.
Trust mode Trusted priority on the air

interface, which is the 802.1p or
DSCP priority.
802.1p 802.1p priority of 802.3 packets.
Tunnel DSCP DSCP priority in the CAPWAP

header.
802.11e 802.11e user priority.
Rate Limit
STA uplink rate limit Uplink rate limit for a STA.
STA downlink rate limit Downlink rate limit for a STA.
VAP uplink rate limit Uplink rate limit for all STAs on a
VAP. The value of this parameter
must be greater than the uplink
rate limit set for a STA.
VAP downlink rate limit Downlink rate limit for all STAs on
a VAP. The value of this parameter
must be greater than the
downlink rate limit set for a STA.
● Modify a traffic profile.
b. Click the name of the traffic profile that you want to modify. The traffic

Switches
c. Set parameters for modifying a traffic profile. Table 1-190 describes the
parameters for modifying a traffic profile.
● Delete a traffic profile.
NOTE
----End
1.8.1.5 STA Blacklist Profile
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the
WLAN and reject access from unauthorized STAs.
● A whitelist contains MAC addresses of STAs that are allowed to connect to a
WLAN. After the whitelist function is enabled, only the STAs in the whitelist
can connect to the WLAN, and access from other STAs is rejected.
● A blacklist contains MAC addresses of STAs that are not allowed to connect to
a WLAN. After the blacklist function is enabled, STAs in the blacklist cannot
connect to the WLAN, and other STAs can connect to the WLAN.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
Procedure
● Create a STA blacklist profile.
> STA Blacklist Profile. The STA Blacklist Profile List page is displayed.
b. Click Create. The Create STA Blacklist Profile page is displayed.
c. Enter the name of the new STA blacklist profile in Profile name.
d. Click OK. The parameter setting page of the new STA blacklist profile is
displayed.

Switches
e. Maintain MAC addresses in the STA blacklist.
▪ Adding MAC addresses one by one

# Click Add. The Add MAC Address page is displayed.
# Enter a MAC address and click . Multiple MAC addresses can be
added. Click to delete the selected MAC address.
# Click OK
▪ Adding MAC addresses in batches

# Click Batch Import. The Import MAC Address page is displayed.
# Click and select the MAC file containing MAC addresses that
you want to import, and click Import.
NOTE
You can click to download the MAC template.

# Click Apply. In the Info dialog box that is displayed, click OK.
▪ Deleting MAC addresses

# Select the MAC address that you want to delete and click Delete.
In the Confirm dialog box that is displayed, click OK.

Switches
● Modify a STA blacklist profile.

b. Click the name of the STA blacklist profile that you want to modify. The
STA blacklist profile configuration page is displayed.
c. Set parameters for modifying a STA blacklist profile. For details, see e.
● Delete a STA blacklist profile.
NOTE
----End
1.8.1.6 STA Whitelist Profile
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the
WLAN and reject access from unauthorized STAs.
● A whitelist contains MAC addresses of STAs that are allowed to connect to a
WLAN. After the whitelist function is enabled, only the STAs in the whitelist
can connect to the WLAN, and access from other STAs is rejected.
● A blacklist contains MAC addresses of STAs that are not allowed to connect to
a WLAN. After the blacklist function is enabled, STAs in the blacklist cannot
connect to the WLAN, and other STAs can connect to the WLAN.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
Procedure
● Create a STA whitelist profile.
> STA Whitelist Profile. The STA Whitelist Profile List page is displayed.
b. Click Create. The Create STA Whitelist Profile page is displayed.
c. Enter the name of the new STA whitelist profile in Profile name.

Switches
d. Click OK. The parameter setting page of the new STA whitelist profile is
displayed.
e. Maintain MAC addresses in the STA whitelist.

# Click OK

NOTE
You can click to download the MAC file profile.


Switches

● Modify a STA whitelist profile.
b. Click the name of the STA whitelist profile that you want to modify. The
STA whitelist profile configuration page is displayed.
c. Set parameters for modifying a STA whitelist profile. For details, see e.
● Delete a STA whitelist profile.
NOTE
----End
1.8.2 Radio Management
1.8.2.1 Regulatory Domain Profile
Context
A regulatory domain profile is used to configure the country code, and calibration
channel and bandwidth. The configuration in the regulatory domain profile takes
effect on APs using the profile.
Procedure
● Create a regulatory domain profile.
a. Choose Configuration > Wireless Services > Profile > Radio
Management > Regulatory Domain Profile. The Regulatory Domain
Profile List page is displayed.
b. Click Create. The Create Regulatory Domain Profile page is displayed.
c. Enter the name of the new regulatory domain profile in Profile name.

Switches
d. Click OK. The parameter setting page of the new regulatory domain
profile is displayed.
e. Set parameters for creating a regulatory domain profile. Table 1-191
describes the parameters for creating a regulatory domain profile.
Table 1-191 Parameters for creating a regulatory domain profile
Regulatory Domain Profile Name of the regulatory domain

Country code AC's country code.
2.4GHz DCA Channel Set 2.4 GHz channel set.
5GHz DCA Channel Set 5 GHz channel set.
Frequency bandwidth Channel bandwidth.
● Modify a regulatory domain profile.
b. Click the name of the regulatory domain profile that you want to modify.
The Regulatory Domain Profile page is displayed.
c. Set parameters for modifying a regulatory domain profile. Table 1-191
describes the parameters for modifying a regulatory domain profile.
● Delete a regulatory domain profile.

Switches

NOTE
----End
1.8.2.2 RRM Profile
Context
WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as
transmission medium. Radio waves will attenuate when they are transmitted over
air, degrading service quality for wireless users. Radio resource management
enables a WLAN to adapt to changes in the radio environment by dynamically
adjusting radio resources. This improves service quality for wireless users.
Procedure
● Create an RRM profile.
Management > RRM Profile. The RRM Profile List page is displayed.
b. Click Create. The Create RRM Profile page is displayed.
c. Enter the name of the new RRM profile in Profile name.
d. Click OK. The parameter setting page of the new RRM profile is
displayed.
e. Set parameters for creating an RRM profile. Table 1-192 describes the
parameters for creating an RRM profile.

Switches
Table 1-192 Parameters for creating an RRM profile
RRM Profile Name of the RRM profile, which

cannot be modified.
Automatic channel optimization Whether to enable automatic

channel selection.
Automatic power optimization Whether to enable automatic

transmit power selection.
Packet loss ratio threshold Packet loss ratio threshold for

triggering partial calibration triggering channel or power
adjustment.
Airtime fair scheduling Whether to enable airtime fair

scheduling.

Switches
Dynamic EDCA Whether to enable dynamic EDCA.
UAC
UAC policy User CAC policy.
New user count threshold CAC threshold for new users

based on the user quantity.
Roaming user count threshold CAC threshold for roaming users

based on the user quantity.
New user channel usage threshold CAC threshold for new users
based on the channel usage.
Roaming user channel usage CAC threshold for roaming users

threshold based on the channel usage.
Hide SSID when user count Whether to enable an AP to

threshold is exceeded automatically hide its SSID when
the number of new users reaches
the CAC threshold.
Restrict access of weak-signal Whether to restrict access from

STAs weak-signal STAs.
Threshold for rejecting access of Threshold for rejecting access

weak-signal STAs from weak-signal STAs.
Band Steering
Start threshold for load balancing Start threshold for load balancing
between frequencies between two frequencies on the
AP that has band steering
enabled.
Load difference threshold for load Load difference threshold for load
balancing between frequencies balancing between two
frequencies on the AP that has
band steering enabled.
Maximum number of rejections Maximum number of times an AP

rejects association requests of a
STA through band steering.
Probe count for aging STA Number of times an AP

frequency band continuously receives probe
frames from the same frequency
band.
Dynamic Load Balancing
Load balancing Whether to enable load balancing.

Switches
Maximum number of rejections Maximum number of times an AP

rejects association requests of a
STA for dynamic load balancing.
Start threshold for load Start threshold for dynamic load

balancing(STA count) balancing.
Load difference threshold for load Load difference threshold for

balancing dynamic load balancing.
Smart Roaming
Smart roaming Whether to enable smart roaming.
Check roaming threshold type Trigger mode of smart roaming,

which can be check SNR or check
rate.
SNR threshold SNR-based roaming threshold.
Rate percentage threshold Rate-based roaming threshold.
Upper threshold of roaming SNR Upper threshold for triggering STA

difference roaming.
Lower threshold of roaming SNR Lower threshold for triggering STA

difference roaming.
SNR detection interval SNR detection interval of smart

roaming STAs.
Aging time of "unable to roam" Aging time of "unable to roam"

record record of smart roaming STAs.
● Modify an RRM profile.
b. Click the name of the RRM profile that you want to modify. The RRM
Profile page is displayed.
c. Modify parameters in the RRM profile. Table 1-192 describes the
parameters for modifying an RRM profile.
● Delete an RRM profile.

Switches
NOTE
----End
1.8.2.3 Air Scan Profile
Context
After an air scan profile is created and bound to a radio profile of an AP, the AP
periodically scans surrounding radio signals and reports the collected information
to an AC or server. The information is used for radio calibration, spectrum analysis,
WLAN location, or WIDS data analysis.
Procedure
● Create an air scan profile.
Management > Air Scan Profile. The Air Scan Profile List page is
displayed.
b. Click Create. The Create Air Scan Profile page is displayed.
c. Enter the name of the new air scan profile in Profile name.
d. Click OK. The parameter setting page of the new air scan profile is
displayed.
e. Set parameters for creating an air scan profile. Table 1-193 describes the
parameters for creating an air scan profile.
Table 1-193 Parameters for creating an air scan profile
Air Scan Profile Name of the air scan profile,


Switches
Scanning Whether scanning is enabled:

● ON: enabled
● OFF: disabled
Channel scanning interval Channel scanning interval.
Channel scanning duration Channel scanning duration.
Probe channel set Air scan channel set.
● Modify an air scan profile.
displayed.
b. Click the name of the air scan profile that you want to modify. The Air
Scan Profile page is displayed.
c. Set parameters for modifying an air scan profile. Table 1-193 describes
the parameters for modifying an air scan profile.
● Delete an air scan profile.
displayed.
displayed.
NOTE
----End
1.8.2.4 2G Radio Profile
Context
A 2G radio profile is used to configure and optimize the 2G radio of an AP, but
does not take effect on the 5G radio. Create a proper radio profile and bind it to
an AP specific profile or AP group. In this way, the AP provides better radio signal
transmit and receive capabilities.

Switches
Procedure
● Create a 2G radio profile.
Management > 2G Radio Profile. The 2G Radio Profile List page is
displayed.
b. Click Create. The Create 2G Radio Profile page is displayed.
c. Enter the name of the new 2G radio profile in Profile name.
d. Click OK. The parameter setting page of the new 2G radio profile is
displayed.
e. Set parameters for the 2G radio profile. Table 1-194 describes the
parameters for creating a 2G radio profile.
Figure 1-246 2G Radio Profile
Figure 1-247 802.11n

Switches
Figure 1-248 802.11bg Rate Set
Figure 1-249 Interference Detection
Figure 1-250 WMM
Table 1-194 Parameters for creating a 2G radio profile
2G Radio Profile Name of the 2G radio profile,

Radio type Radio type.

Switches
Automatically disable radio Whether to enable the automatic

shutdown function of a radio.
Automatic disabling time Start time and end time during

which a VAP is disabled.
Meanings of Wi-Fi indicator status Parameter reflected by the

blinking frequency of the Wireless
indicator.
● Signal strength: The blinking
frequency of the Wireless
indicator on an AP indicates
the signal strength. When the
Wireless indicator blinks fast,
the signal strength is strong.
● Service traffic: The blinking
the service traffic volume.
When the Wireless indicator
blinks fast, the service traffic
volume is high.
Channel switching announcement Whether channel switching

announcement is enabled.
Channel switching announcement Channel switching announcement

mode mode, which can be:
● Stop traffic transmission: stops
data transmission from STAs on
the current channel during
channel switching.
● Proceed traffic transmission:
continues data transmission on
channel switching.
Packet-based power control Whether per-packet power control

is enabled.
Packet fragmentation threshold Package length threshold for

fragmentation.

Switches
RTS-CTS mode RTS/CTS operation mode, which

can be:
● Cts-to-self: When an AP needs
to send data to STAs, it sends a
CTS packet with its IP address
as the source and destination
addresses. Then none of the
devices within the AP's
coverage area sends data
within a specified period. In
cts-to-self mode, an AP only
needs to send a CTS packet to
avoid channel conflicts in most
scenarios. However, if there is a
device within the STA's
coverage area but not within
the AP's coverage area, a
channel conflict may still occur.
● Rts-cts: When an AP needs to
send data to a STA, the AP
sends an RTS packet to all STAs
associated with it. After
receiving the RTS packet, none
of the devices within the AP's
within a specified period. After
the destination STA receives
the RTS packet, it sends a CTS
packet. After receiving the CTS
packet, none of the devices
within the STA's coverage area
sends data within a specified
period. Using the rts-cts mode
to avoid conflicts requires two
packets (RTS and CTS packets),
increasing packet overhead.
● Disable: disables RTS-CTS.
RTS-CTS threshold RTS/CTS threshold.
Support short preamble Whether short preamble is

supported.
Beacon interval Interval at which an AP sends

Beacon frames.

Switches
Utmost power Whether a radio sends packets at

the maximum power.
Only radios of the AD9430DN-24
(including the mapping RUs),
AD9430DN-12 (including the
mapping RUs), AP2030DN,
AP4030DN, AP4130DN,
AP5030DN, AP5130DN,
AP7030DE, AP8030DN,
AP8130DN, AP9131DN,
AP9132DN and AP9330DN can
send packets at maximum power.
802.11n
GI mode Guard interval mode.

● Short: short guard interval
● Normal: normal guard interval
Beamforming Whether beamforming is enabled.
HT AMPDU Whether MPDU aggregation is

enabled.
Index of maximum length of HT Maximum length of an A-MPDU.

AMPDUs The value ranges from 0 to 3.
● 0: indicates that the maximum
length of the A-MPDU is 8191
bytes.
bytes.
bytes.
bytes.
802.11bg Rate Set
Basic rate (Mbps) Basic rate set of 802.11bg.
Supported rate (Mbps) Supported rate set of 802.11bg.
Multicast rate (Mbps) Multicast rate of wireless packets

on the 2.4 GHz radio.
Interference Detection
Interference detection Whether interference detection is

enabled.

Switches
AP co-channel interference alarm Alarm threshold for co-channel

threshold (%) interference.
AP adjacent-channel interference Alarm threshold for adjacent-

alarm threshold (%) channel interference.
STA interference alarm threshold Alarm threshold for STA

interference.
WMM
WMM Whether WMM is enabled.
Restrict access of non-WMM Whether to allow WMM-incapable

terminals STAs to connect to a WMM-
enabled AP.
Area Provides different preset values for

the EDCA parameters in different
scenarios. You can directly select a
specific scenario or make an
adjustment to the preset values.
● Default: specifies the default of
an EDCA parameter.
● Voice: indicates that voice
packets preempt a channel.
● Voice and video: indicates that
voice and video packets
preempt a channel.
Packet Type Type of packets.

In the distributed coordination
function (DCF) protocol, the DCF
inter frame space (DIFS) has a
fixed value. WMM provides
different DIFS values for different
ACs. A larger AIFSN value
indicates that the STA must wait
for a longer time and has a lower
priority.

contention window. ECWmin and
ECWmax determine the average
backoff time. A larger value
indicates a longer average backoff
time and a lower priority.

Switches
ECWmax Exponent form of the maximum

contention window. ECWmax and
ECWmin determine the average

(TXOPLimit). It determines the
maximum duration in which an
STA can occupy a channel. A
larger value indicates a longer
duration. If the TXOPLimit value is
0, the STA can send only one data
frame every time it preempts a
channel.
ACK Policy ACK policy, which includes:

● Reply: During 802.11 packet
exchange, the receiver sends an
ACK packet to confirm the
receiving of a packet from the
sender.
● No reply: The receiver sends no
sender. It applies to scenarios
where communication quality
is good and interference is low.
● Modify a 2G radio profile.
displayed.
b. Click the name of the 2G radio profile that you want to modify. The 2G
Radio Profile page is displayed.
c. Modify parameters for the 2G radio profile. For the parameter
description, see Table 1-194.
● Delete a 2G radio profile.
displayed.

Switches

displayed.
NOTE
● Configure a profile referenced in the 2G radio profile.
displayed. Click to the left of the 2G Radio Profile in the navigation
tree to expand the 2G radio profile list. Click to the left of the 2G
radio profile name to view the names of the profiles referenced in the 2G
radio profile.
b. Click any profile referenced by the 2G radio profile. The configuration
page of the referenced profile is displayed on the right. You can select
another profile from the drop-down list and set the profile parameters.
For descriptions of the profile parameters, see its configuration page.
----End
1.8.2.5 5G Radio Profile
Context
A 5G radio profile is used to configure and optimize the 5G radio of an AP, but
does not take effect on the 2G radio. Create a proper radio profile and bind it to
an AP specific profile or AP group. In this way, the AP provides better radio signal
transmit and receive capabilities.
Procedure
● Create a 5G radio profile.
displayed.
b. Click Create. The Create 5G Radio Profile page is displayed.
c. Enter the name of the new 5G radio profile in Profile name.
d. Click OK. The parameter setting page of the new 5G radio profile is
displayed.
e. Set parameters for the 5G radio profile. Table 1-195 describes the
parameters for creating a 5G radio profile.

Switches
Figure 1-251 5G Radio Profile
Figure 1-252 802.11a Rate Set

Switches
Figure 1-253 802.11ac
Figure 1-254 Interference Detection
Figure 1-255 WMM
Table 1-195 Parameters for creating a 5G radio profile

5G Radio Profile Name of the 5G radio profile,

Radio type Radio type.
Automatically disable radio Whether to enable the automatic

shutdown function of a radio.
Automatic disabling time Start time and end time during

which a VAP is disabled.

Switches
Meanings of Wi-Fi indicator status Parameter reflected by the

blinking frequency of the Wireless
indicator.
● Signal strength: The blinking
the signal strength. When the
Wireless indicator blinks fast,
the signal strength is strong.
● Service traffic: The blinking
the service traffic volume.
When the Wireless indicator
blinks fast, the service traffic
volume is high.
Channel switching announcement Whether channel switching

announcement is enabled.
Channel switching announcement Channel switching announcement

mode mode.
● Stop traffic transmission: stops
data transmission from STAs on
channel switching.
● Proceed traffic transmission:
continues data transmission on
channel switching.
Packet-based power control Whether per-packet power control

is enabled.
Packet fragmentation threshold Package length threshold for

fragmentation.

Switches
RTS-CTS mode RTS/CTS operation mode, which

can be:
● Cts-to-self: When an AP needs
to send data to STAs, it sends a
CTS packet with its IP address
as the source and destination
addresses. Then none of the
devices within the AP's
within a specified period. In
cts-to-self mode, an AP only
needs to send a CTS packet to
avoid channel conflicts in most
scenarios. However, if there is a
device within the STA's
coverage area but not within
the AP's coverage area, a
channel conflict may still occur.
● Rts-cts: When an AP needs to
send data to a STA, the AP
sends an RTS packet to all STAs
associated with it. After
receiving the RTS packet, none
of the devices within the AP's
within a specified period. After
the destination STA receives
the RTS packet, it sends a CTS
packet. After receiving the CTS
packet, none of the devices
within the STA's coverage area
sends data within a specified
period. Using the rts-cts mode
to avoid conflicts requires two
packets (RTS and CTS packets),
increasing packet overhead.
● Disable: disables RTS-CTS.
RTS-CTS threshold RTS/CTS threshold.
Beacon interval Interval at which an AP sends

Beacon frames.
GI mode Guard interval mode.

● Short: short guard interval
● Normal: normal guard interval
Beamforming Whether beamforming is enabled.

Switches
HT AMPDU Whether MPDU aggregation is

enabled.
Index of maximum length of HT Maximum length of an A-MPDU.

bytes.
bytes.
bytes.
bytes.

Switches
Index of maximum length of VHT Maximum length of an A-MPDU.

bytes.
bytes.
bytes.
bytes.
length of the A-MPDU is
131071 bytes.
262143 bytes.
524287 bytes.
1048575 bytes.
Only the AD9430DN-24 (including
the mapping RUs), AD9430DN-12
AP2030DN, AP4030DN,
AP4130DN, AP5030DN,
AP5130DN, AP7030DE,
AP8030DN, AP8130DN,
AP9131DN, AP9132DN and
AP9330DN supports this
parameter.

Switches
VHT AMSDU Indicates that 802.11 packets are

sent in A-MSDU aggregation
mode.
AP2030DN, AP4030DN,
AP4130DN, AP5030DN,
AP5130DN, AP7030DE,
AP8030DN, AP8130DN,
parameter.
Length of VHT AMSDUs Maximum number of subframes

that can be aggregated once in A-
MSDU aggregation mode.
AP2030DN, AP4030DN,
AP4130DN, AP5030DN,
AP5130DN, AP7030DE,
AP8030DN, AP8130DN,
parameter.
Utmost power Whether a radio sends packets at

the maximum power.
Only radios of the AD9430DN-24
AD9430DN-12 (including the
mapping RUs), AP2030DN,
AP4030DN, AP4130DN,
AP5030DN, AP5130DN,
AP7030DE, AP8030DN,
AP8130DN, AP9131DN,
AP9132DN and AP9330DN can
send packets at maximum power.
802.11a Rate Set
Basic rate (Mbps) Basic rate set of 802.11a.
Supported rate (Mbps) Supported rate set of 802.11a.
Multicast rate (Mbps) Multicast rate of wireless packets

on the 5 GHz radio.

Switches
802.11ac
Only the AD9430DN-24 (including the mapping RUs), AD9430DN-12
(including the mapping RUs), AP2030DN, AP4030DN, AP4130DN,
AP5030DN, AP5130DN, AP7030DE, AP8030DN, AP8130DN, AP9131DN,
AP9132DN and AP9330DN supports this parameter.
Spatial stream quantity Whether the spatial streams

support configuration of the
maximum Modulation and Coding
Scheme (MCS) value.
Maximum MCS value Maximum MCS value supported

by the spatial streams.
Interference Detection
Interference detection Whether interference detection is

enabled.
AP co-channel interference alarm Alarm threshold for co-channel

threshold (%) interference.
AP adjacent-channel interference Alarm threshold for adjacent-

alarm threshold (%) channel interference.
STA interference alarm threshold Alarm threshold for STA

interference.
WMM
WMM Whether WMM is enabled.
Restrict access of non-WMM Whether to allow WMM-incapable

terminals STAs to connect to a WMM-
enabled AP.
Area Provides different preset values for

the EDCA parameters in different
scenarios. You can directly select a
specific scenario or make an
adjustment to the preset values.
● Default: specifies the default of
an EDCA parameter.
● Voice: indicates that voice
packets preempt a channel.
● Voice and video: indicates that
voice and video packets
preempt a channel.
Packet Type Type of packets.

Switches

In the distributed coordination
function (DCF) protocol, the DCF
inter frame space (DIFS) has a
fixed value. WMM provides
different DIFS values for different
ACs. A larger AIFSN value
indicates that the STA must wait
for a longer time and has a lower
priority.

contention window. ECWmin and
ECWmax determine the average
ECWmax Exponent form of the maximum

contention window. ECWmax and
ECWmin determine the average

(TXOPLimit). It determines the
maximum duration in which an
STA can occupy a channel. A
larger value indicates a longer
duration. If the TXOPLimit value is
0, the STA can send only one data
frame every time it preempts a
channel.
ACK Policy ACK policy, which includes:

● Reply: During 802.11 packet
exchange, the receiver sends an
sender.
● No reply: The receiver sends no
sender. It applies to scenarios
where communication quality
is good and interference is low.

Switches
● Modify a 5G radio profile.
displayed.
b. Click the name of the 5G radio profile that you want to modify. The 5G
Radio Profile page is displayed.
c. Modify parameters for the 5G radio profile. For the parameter
● Delete a 5G radio profile.
displayed.
displayed.
NOTE
● Configure a profile referenced in the 5G radio profile.
displayed. Click to the left of the 5G Radio Profile in the navigation
tree to expand the 5G radio profile list. Click to the left of the 5G
radio profile name to view the names of the profiles referenced in the 5G
radio profile.
b. Click any profile referenced by the 5G radio profile. The configuration
----End
1.8.3 AP
1.8.3.1 AP Wired Port Link Profile

Switches
Context
An AP wired port link profile allows you to perform link-layer management and
configuration of AP wired interfaces.
Procedure
● Create an AP wired port link profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP Wired
Port Link Profile. The AP Wired Port Link Profile List page is displayed.
b. Click Create. The Create AP Wired Port Link Profile page is displayed.
c. Enter the name of the new AP wired port link profile in Profile name.
d. Click OK. The parameter setting page of the new AP wired port link
profile is displayed.
e. Set parameters for creating an AP wired port link profile. Table 1-196
describes the parameters for creating an AP wired port link profile.
Table 1-196 Parameters for creating an AP wired port link profile
AP Wired Port Link Profile Name of the AP wired port link

Port Whether to enable the AP wired

interface.
LLDP Whether to enable LLDP on the

AP wired interface.

Switches
Advertise basic TLV type Basic TLV that an AP is allowed to

advertise in LLDPDUs.
● All: An AP is allowed to
advertise all basic TLVs in
LLDPDUs.
● Management-address: An AP is
allowed to advertise
Management address TLVs in
LLDPDUs.
● Port-description: An AP is
allowed to advertise Port
description TLVs in LLDPDUs.
● System-capability: An AP is
allowed to advertise System
capability TLVs in LLDPDUs.
● System-description: An AP is
allowed to advertise System
description TLVs in LLDPDUs.
● System-name: An AP is allowed
to advertise System name TLVs
in LLDPDUs.
CRC error alarm Whether to enable the alarm

function for CRC errors on the AP
wired interface.
CRC error alarm threshold Alarm threshold for CRC errors on

the AP wired interface.
CRC error clear alarm threshold Clear alarm threshold for CRC
errors on the AP wired interface.
PoE Settings
PoE Whether to enable the PoE

function on the central AP.
Power supply priority Power priority of PoE interfaces on

the central AP.
Forcible PoE power supply Whether to enable forcible PoE

power supply on the central AP's
interfaces.
PD compatibility check Whether to enable PD

compatibility check on the central
AP.
PoE power-off time range Effective PoE power-off time

range on an interface.

Switches
● Modify an AP wired port link profile.
b. Click the name of the AP wired port link profile that you want to modify.
The AP Wired Port Link Profile page is displayed.
c. Modify parameters in the AP wired port link profile. Table 1-196
describes the parameters for modifying an AP wired port link profile.
● Delete an AP wired port link profile.
NOTE
----End
1.8.3.2 AP System Profile
Context
To centrally manage and maintain multiple APs, add these APs to a group, set
parameters in an AP system profile, and then reference the AP system profile in
the AP group view.
Procedure
● Create an AP system profile.
a. Choose Configuration > Wireless Services > Profile > AP > AP System
Profile. The AP System Profile List page is displayed.
b. Click Create. The Create AP System Profile page is displayed.
c. Enter the name of the new AP system profile in Profile name.
d. Click OK. The parameter setting page of the new AP system profile is
displayed.

Switches
e. Set parameters for the AP system profile. Table 1-197 describes the
parameters for creating an AP system profile.
Figure 1-256 AP System Profile
Figure 1-257 Dual-link Configuration
Figure 1-258 LLDP

Switches
Figure 1-259 Eapol
Figure 1-260 AP Alarm
Figure 1-261 Log Backup
Figure 1-262 Spectrum Analysis
Figure 1-263 PoE settings

Switches
Figure 1-264 Others
Table 1-197 Parameters for creating an AP system profile

AP System Profile Name of the new AP system

Service holding upon link Whether to enable or disable

disconnection service holding upon link
disconnection.
Offline AP permit access of new Whether to enable or disable the

STAs APs in fault state to allow access
of new STAs.
Role in mesh networking Role of an AP on the Mesh

network.
MPP active reselection Whether to enable or disable

active MPP reselection.
MTU Maximum transmission unit

(MTU) on an Ethernet interface.
Dual-link Configuration
AC priority AC priority.
IP address of the backup AC IP address of the standby AC.
LLDP
Delay of enabling LLDP Delay in re-enabling LLDP on APs.
Working mode LLDP working mode on APs.
Packet transmission delay Delay after which an AP sends

LLDP packets to neighboring
devices.

Switches
Packet transmission interval Interval at which an AP sends

LLDP packets to neighboring
devices.
TTL of packets Number of hold time intervals

during which AP information can
be saved on a neighboring device.
Neighbor information report Interval at which an AP reports

interval LLDP neighbor information to an
AC.
Eapol
Eapol-response packet conversion EAPoL-response packet conversion

method.
Eapol-response packet EAPoL-response packet

encapsulation encapsulation method.
Eapol-response MAC address Unicast MAC address of EAPoL-

response packets.
This parameter must be set when
Eapol-response packet
encapsulation is set to Unicast
packets with specific MAC
addresses.
Eapol-start packet conversion EAPoL-start packet conversion

method.
Eapol-start packet encapsulation EAPoL-start packet encapsulation

method.
Eapol-start MAC address Unicast MAC address of EAPoL-

start packets.
This parameter must be set when
Eapol-start packet
encapsulation is set to Unicast
packets with specific MAC
addresses.
AP Alarm
Alarm suppression Whether to enable the alarm

suppression function for APs.
Alarm suppression interval Interval during which alarms are

suppressed on APs.
High temperature alarm threshold High temperature alarm threshold

for APs.

Switches
Low temperature alarm threshold Low temperature alarm threshold

for APs.
CPU usage alarm threshold CPU usage alarm threshold for

APs.
Memory usage alarm threshold Memory usage alarm threshold

for APs.
Log Backup
IP address of the log backup IP address of the log server.

server
Log backup level Severity of AP logs to be backed

up.
Spectrum Analysis
Server IP/port number IP address and port number of a

spectrum server.
Use AC for transparent data Whether an AC is used for

transmission transparent data transmission:
● OFF: Data is transmitted
directly to the spectrum server
● ON: Data is transmitted to the
spectrum server through an AC.
AC port number Port number used by an AC to

receive the spectrum information
(UDP packets) sent by an AP
when the AC is used for
transparent data transmission.
Aging time of non-Wi-Fi devices Aging time of non-Wi-Fi devices

on an AC during spectrum
analysis.
PoE Settings
Maximum output power Maximum output power of the

central AP.
PoE reserved power percentage Percentage of reserved PoE power

to the available PoE power on the
central AP.
Alarm threshold of PoE power Alarm threshold of PoE power

consumption percentage consumption percentage.
IEEE802.3af switching Whether to enable a central AP to

provide PoE power in compliance
with IEEE 802.3af.

Switches
Allow high inrush current during Whether to enable the central AP

power-on to allow high inrush current
during power-on.
Others
Manage VLAN Management VLAN for APs.
Dynamic blacklist aging time Aging time of a dynamic blacklist

entry.
STelnet Whether to allow or forbid STelnet

login.
Telnet Whether to allow or forbid Telnet

login.
Console Whether to allow or forbid

console port login.
SFTP Whether to allow or forbid SFTP

login.
Indicator Whether to turn on or off AP

indicators.
Offline VAP management Whether to enable or disable the

offline VAP management function.
Antenna combined output Whether to enable or disable

combined output of antenna
signals.
Only the AP9132DN supports this
function.
● Modify an AP system profile.
b. Click the name of the AP system profile that you want to modify. The AP
System Profile page is displayed.
c. Modify parameters for the AP system profile. For the parameter
● Delete an AP system profile.

Switches
NOTE
● Configure a profile referenced in an AP system profile.
b. In the navigation tree, click to the left of AP System Profile to
expand the AP system profile list. Click to the left of an AP system
profile name to view the names of the profiles referenced in the AP
system profile.
c. Click any profile referenced by the AP system profile. The configuration
----End
1.8.3.3 AP Wired Port Profile
Context
An AP wired port profile allows you to manage and configure wired interfaces of
APs. You can configure wired port parameters in the AP wired port profile to
facilitate AP management.
Procedure
● Create an AP wired port profile.
Port Profile. The AP Wired Port Profile List page is displayed.
b. Click Create. The Create AP Wired Port Profile page is displayed.
c. Enter the name of the new AP wired port profile in Profile name.
d. Click OK. The parameter setting page of the new AP wired port profile is
displayed.
e. Set parameters for creating an AP wired port profile. Table 1-198
describes the parameters for creating an AP wired port profile.

Switches
Table 1-198 Parameters for creating an AP wired port profile

AP Wired Port Profile Name of the AP wired port profile,

Enable Eth-trunk Whether to enable Eth-Trunk.

Switches
Port mode Operating mode of a wired

interface.
● None: default mode
● root: root mode
● endpoint: endpoint mode
● middle: middle mode
NOTE
By default,
● On a common AP: Its GE
interfaces work in root mode,
Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in
root mode.
● On a central AP: Its uplink GE
interfaces in root mode and
downlink GE interfaces work in
middle mode.
● On an R230D: Its Ethernet
interface works in root mode.
● On an R240D: Its Ethernet
interface works in endpoint mode
and GE interface in root mode.
● On an R250D, R250D-E,
AP2050DN, and AP2050DN-E:
Their uplink GE interfaces work in
root mode and downlink GE
interfaces in endpoint mode.
Port description Port description.
User isolation mode User isolation mode on a wired

interface.
If Port mode is set to endpoint,
you need to set this parameter.
STP Whether to enable STP on the

wired interface.
STP-triggered port shutdown Whether STP-triggered port

shutdown is enabled on the AP's
wired interface.
Port recovery time Auto-recovery interval for an AP's

wired interface on which the STP-
triggered port shutdown function
is enabled.
DHCP trusted port Whether to enable the DHCP

trusted port function.

Switches
Address learning Whether terminal address

learning is enabled on the AP's
wired interface.
IP packet binding check Whether IP packet binding check

is enabled on the AP's wired
interface.
ARP packet binding check Whether dynamic ARP inspection

(DAI) is enabled on the AP's wired
interface.
ACL for inbound packet filtering ACL for filtering incoming packets.
Click . Search for and select

an ACL in ACL for inbound
packet filtering.
ACL for outbound packet filtering ACL for filtering outgoing packets.

an ACL in ACL for outbound
packet filtering.
Port PVID PVID of the wired interface.
Added VLAN ID ID of the VLAN to which the wired

interface is added.
Mode Mode used to add the wired

interface to a VLAN. Tagged and
untagged modes are supported.
Packet filtering
The following parameters are available only after IPv4 packet filtering
is selected.
Inbound ACL ACL for filtering incoming packets.

an ACL in ACL for inbound
packet filtering.
Outbound ACL ACL for filtering outgoing packets.

an ACL in ACL for outbound
packet filtering.
Storm Control
Broadcast packet rate limit Maximum broadcast traffic

volume allowed on the AP's wired
interface.

Switches
Unicast packet rate limit Maximum unknown unicast traffic

volume allowed the AP's wired
interface.
Multicast packet rate limit Maximum multicast traffic volume

allowed on the AP's wired
interface.
● Modify an AP wired port profile.
b. Click the name of the AP wired port profile that you want to modify. The
AP Wired Port Profile page is displayed.
c. Modify parameters of the AP wired port profile. Table 1-198 describes
the parameters for modifying an AP wired port profile.
● Delete an AP wired port profile.
NOTE
● Configure the profiles that are referenced by the AP wired port profile.
Port Profile. The AP Wired Port Profile List page is displayed. Click
next to AP Wired Port Profile. The AP wired port profile name is
displayed. Click next to the specified AP wired port profile to view the
profiles that are referenced by the AP wired port profile.
b. Click any profile referenced by the AP wired port profile. The
configuration page of the referenced profile is displayed on the right. You
can select another profile from the drop-down list and set the profile
parameters. For descriptions of the profile parameters, see its
configuration page.
----End

Switches
1.8.4 Mesh
1.8.4.1 Mesh Whitelist Profile
Context
After a Mesh whitelist profile is applied to an AP radio, the AP radio can only set
up Mesh links with neighboring APs whose MAC addresses are in the Mesh
whitelist profile.
Procedure
● Create a Mesh whitelist profile.
a. Choose Configuration > Wireless Services > Profile > Mesh > Mesh
Whitelist Profile. The Mesh Whitelist Profile List page is displayed.
b. Click Create. The Create Mesh Whitelist Profile page is displayed.
c. Enter the name of the new Mesh whitelist profile in Profile name.
d. Click OK. The parameter setting page of the new Mesh whitelist profile is
displayed.
e. Maintain MAC addresses in the Mesh whitelist profile.

# Click OK

Switches

NOTE


● Modify a Mesh whitelist profile.
b. Click the name of the Mesh whitelist profile that you want to modify. The
Mesh whitelist profile configuration page is displayed.
c. Modify parameters in the Mesh whitelist profile. For details, see e.
● Delete a Mesh whitelist profile.
NOTE
----End
1.8.4.2 Mesh Profile

Switches
Context
Common Mesh Network Application
On a traditional WLAN, APs exchange data with STAs using wireless channels and
connect to a wired network through uplinks. If no wired network is available for
WLAN construction, a wired network must be constructed first, which is both
time- and money- consuming. If the positions of some APs on a WLAN need to be
adjusted, the wired network must be adjusted accordingly, increasing the difficulty
in network adjustment. With Mesh technology, APs can connect each other
wirelessly, which allows flexible networking and quick network deployment and
facilitates dynamic expansion of network coverage.
As shown in Figure 1-266, APs on a Mesh network can be sorted into the
following types based on functions:
● Mesh Point (MP): a Mesh-capable node that uses IEEE 802.11 MAC and
physical layer protocols for wireless communication. This node supports
automatic topology discovery, automatic route discovery, and data packet
forwarding. MPs can provide both Mesh service and user access service.
● Mesh Portal Point (MPP): a Mesh point that connects the Mesh network to
other types of networks. This node provides the portal function to allow Mesh
nodes to communicate with external networks.
Figure 1-265 Mesh networking
MPP MP1 MP2
LAN
AC
MP4 MP3
STA3
STA1 STA2
Mesh link
User access
As shown in Figure 1-266, an access terminal (AT) connects to the remote AP

through a Mesh link to provide Internet access services for downstream devices
connected to the AT. The Mesh service needs to be configured on the remote AP
connected to the AT and the Fix-Wireless-Access (FWA) mode needs to be enabled
in the Mesh profile so that the AT can connect to the AP.

Switches
Figure 1-266 AT application

AC Switch AP AT Home gateway
Internet
STA PC
Mesh link
Procedure
● Create a Mesh profile.
Profile. The Mesh Profile List page is displayed.
b. Click Create. The Create Mesh Profile page is displayed.
c. Enter the name of the new Mesh profile in Profile name.
d. Click OK. The parameter setting page of the new Mesh profile is
displayed.
e. Set parameters for creating a Mesh profile. Table 1-199 describes the
parameters for creating a Mesh profile.

Switches
Table 1-199 Parameters for creating a Mesh profile

Mesh Profile Name of the Mesh profile, which

cannot be modified.
Mesh ID Mesh ID of a Mesh profile.
FWA mode Whether the FWA mode is used.

An access terminal (AT) connects
to the remote AP through a Mesh
link to provide Internet access
services for downstream devices
connected to the AT. The Mesh
service needs to be configured on
the remote AP connected to the
AT and the FWA mode needs to
be enabled in the Mesh profile so
that the AT can connect to the AP.
FWA EDCA mode The Enhanced Distributed Channel

Access (EDCA) mode is Auto or
Manual. When Auto is specified,
the remote AP adjusts EDCA
parameters based on the number
of ATs.
Link information report interval Interval at which an MP reports

mesh link information to the AC.
Maximum number of links Maximum number of Mesh links

allowed on an AP.
RSSI threshold RSSI threshold of a Mesh link.

The RSSI threshold of a Mesh link
depends on the distance between
two MPs that establish the Mesh
link. If the two MPs are far from
each other, a smaller RSSI
threshold is recommended. If the
two MPs are close to each other, a
larger RSSI threshold is
recommended.
Link aging timeout Aging time of a Mesh link.

If a Mesh node cannot receive
keepalive packets from a
neighboring node for a period of
time greater than or equal to the
aging time of a Mesh link, the
Mesh node considers the Mesh
link disconnected and will reselect
a link.

Switches

trusted interface in the Mesh
profile.
After the DHCP trusted interface is
configured on an AP, the AP
receives the DHCP OFFER, ACK,
and NAK packets sent by
authorized DHCP servers and
forwards the packets to STAs so
that the STAs can obtain valid IP
addresses and go online.
Area Preset EDCA parameters for

different scenarios. Users can
select the corresponding scenarios
or adjust the preset EDCA
parameters.
● Default: EDCA parameters use
default settings.
● Voice: Voice packets
preferentially use a channel.
● Voice and video: Voice and
video packets preferentially use
a channel.
Packet Type Packet type.

● AC_VO: Voice
● AC_VI: Video
● AC_BE: Best Effort
● AC_BK: Background

A larger AIFSN value indicates
that the STA must wait for a
longer time and has a lower
priority.

contention window (ECWmin) and
ECWmax exponent form of the maximum
contention window (ECWmax)
together determine the average
backoff time. Larger ECWmin and
ECWmax values indicate that the
average backoff time for the STA
is longer and the STA priority is
lower.

Switches

(TXOPLimit), which determines
the maximum duration in which
an STA can occupy the channel. A
larger TXOPLimit value indicates
that the STA can occupy the
channel for a longer time.
● Modify a Mesh profile.
b. Click the name of the Mesh profile that you want to modify. The Mesh
c. Modify parameters in the Mesh profile. Table 1-199 describes the
parameters for modifying a Mesh profile.
● Delete a Mesh profile.
NOTE
● Configure the profiles that are referenced by the Mesh profile.
A Mesh profile can reference the security profile, Mesh whitelist profile, and
Mesh handover profile.
Profile. The Mesh Profile List page is displayed. Click next to Mesh
Profile. The Mesh profile name is displayed. Click next to the
specified Mesh profile to view the profiles that are referenced by the
Mesh profile.
b. Click any profile referenced by the Mesh profile. The configuration page
of the referenced profile is displayed on the right. You can select another

Switches
----End
1.8.5 WDS
1.8.5.1 WDS Whitelist Profile
Context
After a WDS whitelist profile is applied to an AP radio, the AP radio can only set
up WDS links with neighboring APs whose MAC addresses are in the WDS
whitelist profile. If no WDS whitelist profile is applied to an AP radio, the AP radio
can establish WDS links with any neighboring APs.
Procedure
● Create a WDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WDS > WDS
Whitelist Profile. The WDS Whitelist Profile List page is displayed.
b. Click Create. The Create WDS Whitelist Profile page is displayed.
c. Enter the name of the new WDS whitelist profile in Profile name.
d. Click OK. The parameter setting page of the new WDS whitelist profile is
displayed.
e. Maintain MAC addresses in the WDS whitelist profile.


Switches
# Click OK

NOTE


● Modify a WDS whitelist profile.
b. Click the name of the WDS whitelist profile that you want to modify. The
WDS whitelist profile configuration page is displayed.
c. Set parameters for modifying a WDS whitelist profile. For details, see e.
● Delete a WDS whitelist profile.

Switches

NOTE
----End
1.8.5.2 WDS Profile
Procedure
● Create a WDS profile.
Profile. The WDS Profile List page is displayed.
b. Click Create. The Create WDS Profile page is displayed.
c. Enter the name of the new WDS profile in Profile name.
d. Click OK. The parameter setting page of the new WDS profile is
displayed.
e. Set parameters for creating a WDS profile. Table 1-200 describes the
parameters for creating a WDS profile.
Table 1-200 Parameters for creating a WDS profile
WDS Profile Name of the WDS profile, which

cannot be modified.
WDS network bridge name WDS name, specified using a

character string.

Switches
WDS working mode WDS working mode, which can be

the root mode, middle mode, or
leaf mode.
NOTE
After changing the WDS working
mode in a WDS profile, reset the APs
using the profile to make the changed
WDS mode take effect.

trusted interface function.
After the DHCP trusted interface
function is enabled in a WDS
profile, the AP receives the DHCP
OFFER, ACK, and NAK packets
sent by authorized DHCP servers
and forwards the packets to STAs
so that the STAs can obtain valid
IP addresses and go online.
Tagged VLAN Tagged VLAN. To add a tagged

VLAN, enter the tagged VLAN and
click . A maximum of 256
VLANs can be added to a WDS
profile. To delete a tagged VLAN,
enter the tagged VLAN and click
.
After one or a group of VLANs is
added to a WDS profile in tagged
mode, the WDS link forwards only
the packets with these VLAN IDs
from STAs and peer APs.
● Modify a WDS profile.
b. Click the name of the WDS profile that you want to modify. The WDS
c. Modify parameters in the WDS profile. Table 1-200 describes the
parameters for modifying a WDS profile.
● Delete a WDS profile.

Switches

NOTE
● Configure the profiles that are referenced by the WDS profile.
A WDS profile can reference the security profile and WDS whitelist profile.
Profile. The WDS Profile List page is displayed. Click next to WDS
Profile. The WDS profile name is displayed. Click next to the specified
WDS profile to view the profiles that are referenced by the WDS profile.
b. Click any profile referenced by the WDS profile. The configuration page of
the referenced profile is displayed on the right. You can select another
----End
1.8.6 WIDS
1.8.6.1 WIDS Whitelist Profile
Context
There are security risks from unauthorized devices on WLAN networks, so
administrators deploy monitoring APs to monitor the WLAN networks. After the
AP working mode is set to monitoring, the AP monitors wireless devices and
reports wireless device information to an AC. The AC can identify unauthorized
devices.
However, there may be APs of other vendors or other networks working in the
existing signal coverage areas. If these APs are countered, their services will be
affected. To prevent this situation, configure an authorized AP list, including an
authorized MAC address list, OUI list, and SSID list. When an unauthorized AP is
detected but the AP's MAC address is in the authorized MAC address list, the AP is
an authorized AP. However, if the AP's MAC address is not in the authorized MAC
address list, the AP's OUI and SSID must be both in the authorized OUI and SSID
lists; otherwise, the AP is a rogue AP.
Procedure
● Create a WIDS whitelist profile.
a. Choose Configuration > Wireless Services > Profile > WIDS > WIDS
Whitelist Profile. The WIDS Whitelist Profile List page is displayed.

Switches
b. Click Create. The Create WIDS Whitelist Profile page is displayed.

c. Enter the name of the new WIDS whitelist profile in Profile name.
d. Click OK. The parameter setting page of the new WIDS whitelist profile is
displayed.
e. Set parameters for creating a WIDS whitelist profile. Table 1-201

describes the parameters for creating a WIDS whitelist profile.
Table 1-201 Parameters for creating a WIDS whitelist profile

WIDS Whitelist Profile Name of the WIDS whitelist


Switches
MAC Whitelist Maintain MAC addresses in the

whitelist.
● Adding MAC addresses one by
one
# Click Add. The Add MAC
Address page is displayed.
# Enter a MAC address and
click . Multiple MAC
addresses can be added. Click
to delete the selected MAC
address.
# Click OK
● Adding MAC addresses in
batches
# Click Batch Import. The
Import MAC Address page is
displayed.
# Click and select the

MAC file containing MAC
addresses that you want to
import, and click Import.
NOTE
You can click to download the

MAC template.
# Click Apply. In the Info
dialog box that is displayed,
click OK.
● Deleting MAC addresses
# Select the MAC address that
you want to delete and click
Delete. In the Confirm dialog
box that is displayed, click OK.
OUI Whitelist OUI to be added to the OUI

whitelist. To add an OUI, enter an
OUI and click . You can repeat
the operation to add multiple
OUIs. Click to delete the
selected OUI.

Switches
SSID Whitelist SSID to be added to the SSID

whitelist. To add an SSID, enter an
SSID and click . You can repeat
the operation to add multiple
SSIDs. Click to delete the
selected SSID.
● Modify a WIDS whitelist profile.
b. Click the name of the WIDS whitelist profile that you want to modify. The
WIDS whitelist profile configuration page is displayed.
c. Set parameters for modifying a WIDS whitelist profile. Table 1-201
describes the parameters for modifying a WIDS whitelist profile.
● Delete a WIDS whitelist profile.
NOTE
----End
1.8.6.2 WIDS Spoof SSID Profile
Context
WLAN services are available in public places, such as banks and airports. Users can
connect to the WLANs after associating with corresponding SSIDs. If a rogue AP is
deployed and provides spoofing SSIDs similar to authorized SSIDs, the users may
be misled and connect to the rogue AP, which brings security risks. To address this
problem, configure a fuzzy matching rule to identify spoofing SSIDs. The device
compares a detected SSID with the matching rule. If the SSID matches the rule,
the SSID is considered a spoofing SSID. The AP using the spoofing SSID is a rogue
AP. The device then take countermeasures against the rogue AP, forcing users to
disconnect from the AP.

Switches
Procedure
● Create an SSID profile.
Spoof SSID Profile. The WIDS Spoof SSID Profile List page is displayed.
b. Click Create. The Create WIDS Spoof SSID Profile page is displayed.
c. Enter the name of the new WIDS spoof SSID profile in Profile name.
d. Click OK. The parameter setting page of the new WIDS spoof SSID profile
is displayed.
e. Set parameters for creating a WIDS spoof SSID profile. Table 1-202
describes the parameters for modifying an SSID profile.
Table 1-202 Parameters for creating a WIDS spoof SSID profile
WIDS Spoof SSID Profile Name of the WIDS spoof SSID

Rule for identifying spoofing SSIDs Regular expression of an SSID.

After this parameter is set, click
. If a detected SSID matches the
regular expression, the SSID is
considered a spoofing SSID.
Repeat the preceding steps to add
multiple rules for identifying
spoofing SSIDs. Click to delete
the selected rule for identifying
spoofing SSIDs.

Switches
● Modify an SSID profile.
b. Click the name of the WIDS spoof SSID profile that you want to modify.
The WIDS spoof SSID profile configuration page is displayed.
c. Set parameters for modifying a WIDS spoof SSID profile. Table 1-202
describes the parameters for modifying an SSID profile.
● Delete an SSID profile.
NOTE
----End
1.8.6.3 WIDS Profile
Context
A WIDS profile can be used to configure parameters for the wireless device
detection, rogue device containment, and attack detection functions.
Procedure
● Create a WIDS profile.
Profile. The WIDS Profile List page is displayed.
b. Click Create. The Create WIDS Profile page is displayed.
c. Enter the name of the new WIDS profile in Profile name.
d. Click OK. The parameter setting page of the new WIDS profile is
displayed.

Switches
e. Set parameters for creating a WIDS profile. Table 1-203 describes the
parameters for creating a WIDS profile.
Table 1-203 Parameters for creating a WIDS profile

WIDS Profile Name of the WIDS profile, which

cannot be modified.
Interval for reporting detected Interval for reporting the detected

WLAN device information WLAN device information.
Interval for reporting all WLAN Interval at which an AP reports all

device information the detected WLAN device
information.
Dynamic blacklist Whether to enable the dynamic

blacklist function. An AP can use
the dynamic blacklist to filter out
the blacklisted wireless devices to
avoid malicious attacks.
Detection interval Attack detection interval.
Threshold for the number of Possible attack count threshold in

possible attacks a detection interval. The device
reports the detected attacks when
the count threshold is exceeded.

Switches
Quiet period Quiet period for attack detection.

The device does not report the
detected attacks in the quiet
period.
Countermeasure mode Countering mode set against

rogue devices. After the
countering mode is set, rogue
devices cannot connect to the
WLAN.
STA protection whitelist STA protection whitelist, which is

valid only when Countermeasure
mode is set to STA protection.
Select a STA whitelist as the STA
protection whitelist. Only the STAs
in the whitelist can access the
WLAN.
● Modify a WIDS profile.
b. Click the name of the WIDS profile that you want to modify. The WIDS
c. Set parameters for modifying a WIDS profile. Table 1-203 describes the
parameters for modifying a WIDS profile.
● Delete a WIDS profile.
NOTE
● Configure and modify the profiles referenced by a WIDS profile.
A WIDS profile can reference WIDS whitelist and WIDS spoof SSID profiles.
Profile. The WIDS Profile List page is displayed. Click next to WIDS

Switches
Profile. The system displays names of the WIDS profiles. Click next to
a WIDS profile name. The profiles referenced by the WIDS profile are
displayed in the menu navigation area.
b. Click any profile referenced by the WIDS profile. The configuration page
of the referenced profile is displayed on the right. You can select another
----End
1.8.7 WLAN Location

1.8.7.1 WLAN Location Profile
● Create a location profile.

a. Choose Configuration > Wireless Services > Profile > WLAN Location >
WLAN Location Profile. The WLAN Location Profile List page is
displayed.
b. Click Create. The Create WLAN Location Profile page is displayed.
c. Enter the name of the new location profile in Profile name.
d. Click OK. The parameter setting page of the new location profile is
displayed.

Switches
e. Set parameters for creating a location profile. Table 1-204 describes the
parameters for creating a location profile.
Table 1-204 Parameters for creating a location profile
WLAN Location Profile Name of the location profile,

Source IP address of outgoing Source IP address in location

packets packets reported to the AC. This
parameter takes effect only in
AeroScout and Ekahau
positioning.
AeroScout Location
Tag location Whether to enable WLAN location

of AeroScout tags.
STA location Whether to enable WLAN location

of AeroScout MUs.
Packet aggregation interval Interval of AeroScout tag location

packet aggregation and MU
packet aggregation.

Switches
Data report mode Mode in which AeroScout location

packets are reported.
● Through AC: An AP reports
AeroScout location packets to
an AC, and the AC forwards
them to the AeroScout location
server.
● AP: An AP directly reports
AeroScout location packets to
the AeroScout location server
without sending them to the
AC.
NOTE
Each location profile defines three
location methods: AeroScout location,
Ekahau location, and private location.
If multiple location profiles are used
and the same location method is
used, Through AC can be only
specified in one profile.
Server port number Port number of the AeroScout

location server.
AC port number AC port number used to

communicate with the AeroScout
location server.
Ekahau Location
Tag location Whether to enable WLAN location

of Ekahau tags.
Data report mode Mode in which Ekahau location

● Through AC: An AP reports
Ekahau location packets to an
AC, and the AC forwards them
to the Ekahau location server.
● AP: An AP directly reports
Ekahau location packets to the
Ekahau location server without
sending them to the AC.
NOTE

Switches
Server IP/port number IP address and port number of the

Ekahau location server.

communicate with the Ekahau
location server.
Private Location
STA location Whether to enable STA location.
Data report interval Interval for reporting STA location

packets.
Data report mode Mode in which STA location

● Through AC: An AP reports STA
location packets to an AC, and
the AC forwards them to the
STA location server.
● AP: An AP directly reports STA
location packets to the STA
location server without sending
them to the AC.
NOTE
Server IP/port number IP address and port number of the

STA location server.

communicate with the STA
location server.
● Modify a location profile.
displayed.
b. Click the name of the location profile that you want to modify. The
location profile configuration page is displayed.
c. Modify parameters in the location profile. Table 1-204 describes the
parameters for modifying a location profile.

Switches
● Delete a location profile.

displayed.
displayed.
NOTE
----End
1.9 Configuration Examples

The following sections illustrate service configurations using several examples.
1.9.1 Example for Backing Up the Configuration File
In Figure 1-267, back up the configuration file of the switch to a file server, so
that the configuration file can be restored if the switch is damaged unexpectedly.
Additionally, the configuration file can be downloaded from the file server to the
switch if incorrect configurations cause abnormal functions.
Figure 1-267 Networking diagram of backing up the configuration file

Switch File Server
Network
The configuration roadmap is as follows:
1. Save the configuration file.

2. Back up the configuration file.

Switches
Procedure
Step 1 Click at the upper right corner after the preceding configuration; otherwise, the
configuration that has not been saved will be lost upon reboot.
Step 2 Choose Maintenance > System Maintenance > System > File Management. The
File Management page is displayed, as shown in Figure 1-268.
Figure 1-268 File Management page
Step 3 Click in the line of the vrpcfg.zip configuration file, and specify the directory to
which the configuration file is to be backed up.
----End
Result
After the configuration file is backed up, query the backup file on the file server.
Follow-up Procedure
To restore the backup configuration file on the switch, upload the file on the File
Management page. Then on the Upgrade page, specify the backup configuration
file as the configuration file for the next startup and click Apply.
1.9.2 Example for Configuring Interface-based VLANs

As shown in Figure 1-269, the switch of an enterprise connects to many users,
and users accessing the same service connect to the enterprise network through
different devices. To ensure communication security and prevent broadcast storms,

Switches
the enterprise allows only the users accessing the same service to communicate
with each other. You can assign and configure VLANs on the switch based on
interfaces so that the switch adds interfaces connected to users using the same
service to the same VLAN. Users in different VLANs cannot communicate at Layer
2. Users in the same VLAN can directly communicate with each other. That is:
● User 1 and user 2 in VLAN 2 are isolated from user 3 in VLAN 3.
● User 1 and user 2 in VLAN 2 can communicate with each other.
Figure 1-269 Networking for configuring interface-based VLANs
SwitchB
GE0/0/5
SwitchA
GE0/0/2 GE0/0/4
GE0/0/3
User1 User2 User3
VLAN2 VLAN2 VLAN3
1. Select the switching mode.
2. Configure the port connected to terminals.
3. Configure the port connected to the upstream gateway.
Procedure
Step 1 Choose Configuration > Quick Config. Select Switching for Select a mode to
open the quick switching mode configuration page, as shown in Figure 1-270.

Switches
Figure 1-270 Configuring quick switching mode
Step 2 Click Add below Step 2: Configure the port connected to downlink devices, as
Figure 1-271 Configuring the port connected to downlink devices
Set all configuration items as follows. Then click to finish the configuration.
Figure 1-272 displays the configuration result.
Configure GE0/0/2 and GE0/0/3:
● Interface name: GigabitEthernet0/0/2, GigabitEthernet0/0/3

● Port status: ON
● Allowed VLAN: 2
● Device Type: PC
Configure GE0/0/4:
● Interface name: GigabitEthernet0/0/4

● Port status: ON
● Allowed VLAN: 3
● Device Type: PC
Figure 1-272 Configuration result for the port connected to downlink devices
Step 3 Click GE0/0/5 below Step 3: Configure the port connected to the upstream
gateway, and set all configuration items, as shown in Figure 1-273.
● Port status: ON
● Link aggregation: OFF

Switches
● Allowed VLAN: 2, 3
Figure 1-273 Configuring the port connected to the upstream gateway
----End
Result
Choose Configuration > Basic Services > VLAN to check the VLAN information,
Figure 1-274 Checking VLAN information
Click View Interface next to VLAN ID 2 and 3 to view the interfaces added to
each VLAN and their status, as shown in Figure 1-275 and Figure 1-276.
Figure 1-275 Checking the interfaces in VLAN 2

Switches
1.9.3 Example for Configuring VLANIF Interfaces to

Implement Inter-VLAN Communication
User hosts of an enterprise use the same services, and are located on different
network segments. These user hosts belong to different VLANs and need to
communicate with each other.
As shown in Figure 1-277, user 1 and user 2 using the same service belong to
different VLANs and different network segments. User 1 and user 2 can
communicate through a VLANIF interface.
Figure 1-277 Configuring VLANIF interfaces to implement inter-VLAN

communication
SwitchB
GE0/0/4.1
192.168.40.4/24
GE0/0/4
VLANIF4
SwitchA 192.168.40.1/24
GE0/0/2 GE0/0/3
VLANIF2 VLANIF3
192.168.20.1/24 192.168.30.1/24
VLAN2 VLAN3
User1 User2
The following configurations are performed on SwitchA. The configuration
roadmap is as follows:

Switches
1. Select the routing mode.

2. Configure the port connected to terminals on internal network.
3. Configure the port connected to the switch on external network.
Procedure
Step 1 Choose Configuration > Quick Config. Select Routing for Step 1: Select a mode
to open the quick switching mode configuration page, as shown in Figure 1-278.
Figure 1-278 Configuring quick routing mode
Step 2 Click Add below Step 2: Configure the port connected to internal network
devices, as shown in Figure 1-279.
Figure 1-279 Configuring the port connected to internal network devices
Set all configuration items as follows. Then click to finish the configuration.
Figure 1-280 displays the configuration result.
Configure GE0/0/2:
● Interface Name: GigabitEthernet0/0/2

● Port Status: ON
● Allowed VLAN: 2
● VLAN Gateway Address: 192.168.20.1/255.255.255.0
● Device Type: PC
● Address Allocation to Terminals: Click Configuration to choose static
allocation.
Configure GE0/0/3:
● Interface Name: GigabitEthernet0/0/3

● Port Status: ON
● Allowed VLAN: 3
● VLAN Gateway Address: 192.168.30.1/255.255.255.0
● Device Type: PC

Switches
● Address Allocation to Terminals: Click Configuration to choose static

allocation.
Figure 1-280 Configuration result for the port connected to internal network
devices
Step 3 Choose GE0/0/4 below Step 3: Configure the port connected to the switch on
external network. Set all configuration items, as shown in Figure 1-281.
● Port Status: ON
● Link aggregation: OFF
● Allowed VLAN: 4
● Connected IP address/mask: 192.168.40.1/255.255.255.0
● Next hop: 192.168.40.4
Figure 1-281 Configuring the port connected to the switch on external network
Step 4 Click Apply. In the dialog box that is displayed, click OK to finish configuration.
NOTE
If router A is connected to public networks, you need to configure a NAT policy on router A to
implement translation between public and private IP addresses.
You also need to configure a subinterface for the inbound interface of router A to remove tags
from VLAN packets.
----End
Result
Choose Configuration > Basic Services > VLAN to check the VLAN information,

Switches
Figure 1-282 Checking VLAN information
● Click View Interface next to VLAN ID 2, 3 and 4 to view the interfaces added
to each VLAN and their status, as shown in Figure 1-283, Figure 1-284, and
Figure 1-285.

Switches
1.9.4 Example for Configuring the Commander and Client

Roles
On an enterprise network shown in Figure 1-286, EasyDeploy is deployed to
implement automatic configuration, unified deployment, and unified maintenance
of devices. The user requires that SwitchA serve as the Commander and SwitchC,
SwitchD, and SwitchE serve as clients to form an EasyDeploy network.
Figure 1-286 EasyDeploy networking

SwitchB(DHCP Server)
SFTP Server
IP Network
SwitchA(Commander)
SwitchC(Client) SwitchD(Client)
SwitchE(Client)
1. Log in to SwitchA through the web system and configure SwitchA as the
Commander.
2. Log in to SwitchC, SwitchD, and SwitchE through the web system and
configure them as clients.
Procedure
Step 1 Log in to SwitchA through the web system and configure SwitchA as the
Commander.
1. Click Network in the function area. The Network page is displayed.
2. In the navigation tree, click Role Configuration. The Role Configuration
page is displayed.
3. Click the Commander option button, as shown in Figure 1-287.

Switches
4. Select an existing IP address from the IP address drop-down list box. Use the
default UDP port.
5. Click Apply. The configuration is complete.
Step 2 Log in to SwitchC, SwitchD, and SwitchE through the web system and configure
them as clients.
1. Click Network in the function area. The Network page is displayed.
2. In the navigation tree, click Role Configuration. The Role Configuration
page is displayed.
3. Click the Client option button, as shown in Figure 1-288.
4. Enter the Commander IP address, which must be the same as that configured
on the Commander. Use the default UDP port.
5. Click Apply. The configuration is complete.
----End

Switches
1.9.5 Example for Configuring SNMP

An enterprise has purchased a new switch. To manage the switch using the NMS
on the live network, the administrator needs to configure the SNMP service on the
switch. The network shown in Figure 1-289 is secure but has heavy service traffic,
so the administrator configures SNMPv2c to implement communication between
the NMS and managed devices.
Figure 1-289 Configuring SNMPv2c to implement communication between the

NMS and switch
GE0/0/1
10.1.1.1/24 VLAN10
10.1.1.2/24
NMS Switch
Configuration Description
Before configuring SNMP, complete the following tasks:
● Ensure that a reachable route exists between the switch and NMS. The
configuration procedure is not provided.
● Configure SNMPv2c on the switch to be managed by the NMS running
SNMPv2c.
● Configure a community name based on which the switch authenticates the
NMS.
● Configure the NMS according to the NMS manual so that the NMS can
manage SNMP-enabled switch. The configuration procedure is not provided.
Procedure
Step 1 Click Maintenance to open the maintenance page.
Step 2 Click System Maintenance > SNMP in the navigation tree to open the SNMP
configuration page, as shown in Figure 1-290.
Set the parameters as follows:
● Select ON for SNMP.
● Set Version number to v2c.
● Fill adminnms01 into Community name.
● Fill adminnms01 into Confirm community name.
Figure 1-290 SNMP configuration

Switches
Step 3 Click Apply
Step 4 Click in the function area and click OK in the displayed dialog box to save the
SNMP configuration.
----End
Result
Perform the following operations on the NMS according to the NMS manual: set
the SNMP version to SNMPv2c, set the read/write community name to
adminnms01, and set the SNMP connection port number to 161 (default port
used by the switch).
After the preceding configurations are complete, the NMS can manage the switch.
1.9.6 Example for Configuring SVF Through the Web System

A new campus network has a large number of wired and wireless access devices.
The widely distributed access devices complicate management and configuration
of the access layer. Unified management and configuration of wired and wireless
access devices are required to reduce the management cost.
In Figure 1-291, the parent is directly connected to a level-1 AS, and the level-1
AS is directly connected to an AP. The PC's network port is directly connected to
the parent's Ethernet management port for a login to the web system to configure
SVF.
This configuration example uses the S5720HI as the parent, an S5700-10P-PWR-

LI-AC as the level-1 AS, and an AP4030DN as the AP. Both the parent and level-1
AS use the software version V200R010C00, and the AP uses the software version
V200R007C10.
Figure 1-291 SVF networking

S5700-10P-PWR-LI-AC
Network port GE0/0/1 GE0/0/8
Management port GE0/0/9
PC Parent as1 ap1

S5720HI AP4030DN
1. Log in to the web system of the parent through the PC and ensure that the
PC and parent reside on the same network segment.
2. Change to the SVF mode.
3. Configure the SVF system capability.

Switches
– Enable SVF and configure the management VLAN ID and management IP

address.
– Add the level-AS.
– Add the AP.
4. Clear the AS configuration and restart it to ensure that this unconfigured AS
can be connected to the SVF system. Connect the level-1 AS to the parent and
connect the AP to the level-1 AS using cables.
5. Check whether the SVF configuration is correct.
Data Plan
Item Data
MAC addresses of the parent, AS1 and Parent: 0500-0000-XXXX

AP1 AS1: 88cf-98ba-XXXX
AP1: fcb6-98d6-XXXX
SVF management VLAN VLAN 4090
IP address of the management VLANIF 192.168.2.1
Port that connects the parent to AS1 GE0/0/1
Port that connects the AS1 to parent GE0/0/9

NOTE
If the AS needs to use downlink service
ports as member ports of the connected
uplink fabric port, you need to run the
command to specify these downlink service
ports as member ports of the connected
uplink fabric port. For details, see
Configuring an AS in "SVF Configuration"
in the S1720, S2700, S5700, and S6720
V200R010C00 Configuration Guide - Device
Management.
Port that connects AS1 to AP1 GE0/0/8
AP SN 21500826412SF690XXXX
Procedure
Step 1 Log in to the web system of the parent through the PC.
1. Open the web browser on the PC, enter https://management address of the
parent in the address box, and press Enter. The web system login page is

Switches
2. Select a language English for the web system and choose EasyOperation.
3. Enter the configured web user name and password, and click GO or press
Enter. The web system page is displayed.
Step 2 Change to the SVF mode.
1. Click in the upper left corner of the web system page, as shown in
Figure 1-293.
Figure 1-293 Changing to the SVF Mode
2. In the dialog box that is displayed, click OK, as shown in Figure 1-294.
The system automatically redirects you to the SVF Enabling page.
Figure 1-294 Confirming the switchover to the SVF mode
Step 3 Enable the SVF function on the parent.

1. Set Enable SVF to ON. The SVF Enabling page is displayed, as shown in
Figure 1-295.

Switches
Perform the following configurations:

– Set Management VLAN ID to 4090.
– Set Management network scale to 512.
– Set Management IP address/mask to 192.168.2.1/255.255.254.0.
– Set AS access authentication to OFF.
– Set AP access authentication to Non-authentication.
Figure 1-295 Enabling SVF
2. Click Apply. In the dialog box that is displayed, click OK, as shown in Figure
1-296.
Figure 1-296 Confirming the enabling of the SVF function

Switches
When an operation success message is displayed, click OK.

Step 4 Add AS1.
1. Choose Configuration > SVF Quick Config > AS Addition and click the
2. Click Create and set AS Fabric-Port Resides On to Parent and AS Fabric-
Port ID to 0, as shown in Figure 1-297.
Figure 1-297 Configuring AS fabric-ports (AS1)
3. Click Manage in Fabric-Port Member Ports. In the displayed Add Port dialog
box, select GE0/0/1 (the port connected to AS1) as the fabric-port, and click
OK, as shown in Figure 1-298.
Figure 1-298 Adding ports (AS1)
4. Choose Centralized mode for AS Configuration Mode. After the

configurations are complete, click .
5. Click the Name ASs tab.
6. Click Create, as shown in Figure 1-299.
Figure 1-299 Naming ASs (AS1)
7. Set AS Name to as1 and AS Management MAC to 88cf-98ba-XXXX.

8. Click Manage below AS Model. The Manage AS Model dialog box is
displayed, as shown in Figure 1-300. Set Product series to S5700-10P-LI, AS
model to S5700-10P-PWR-LI-AC, and AS stacking to OFF, and click OK.

Switches
Figure 1-300 Managing the AS model
9. After the configurations are complete, click .
Step 5 Add AP1.

1. Choose Configuration > SVF Quick Config > AP Addition and click the
Configure Ports Connected to APs tab. Select as1 from AS Name, as shown
in Figure 1-301.
Figure 1-301 Configuring the port connected to the AP
2. Click Add Selected and select GE0/0/8 from the displayed Manage as1
Member User Ports dialog box, as shown in Figure 1-302.
Figure 1-302 Managing member ports of AS1

Switches
3. Click OK to finish configuring the port connecting AS1 to AP1.

4. Click the Configure APs tab, click Create to set AP parameters, and click OK
after setting these parameters, as shown in Figure 1-303.
Perform the following configurations:
– Set Creation mode to Manually add.
– Set Keyword to AP MAC.
– Set AP MAC to fcb6-98d6-XXXX.
– Set AP ID to 1.
– Set AP type to AP4030DN.
– Set AP SN to 21500826412SF690XXXX.
Figure 1-303 Creating an AP
Step 6 Log in to the AS using a command, run the reset saved-configuration command
to clear the AS configuration, and reboot the AS. If the system asks you whether
to save the current configuration during the reboot, enter N. Connect the level-1
AS to the parent and connect the AP to the level-1 AS using cables.
----End
Result
After configuring SVF, perform the following operations to verify the
configurations:
● Choose Monitoring > Summary. In the displayed page, you can view SVF
overview and device status information. Click on the left side of Member
Device Status, and you can view that both the AS and AP are online, as
shown in Figure 1-304. This indicates that an SVF system has been set up.

Switches
Figure 1-304 SVF overview
● Check the SVF topology.

a. Choose Monitoring > Topology. The SVF topology page is displayed. You
can view the level-1 AS topology, as shown in Figure 1-305.
Figure 1-305 Level-1 AS topology
b. Click the AS1 and AP1 icons. You can view detailed information about
AS1 and AP1, as shown in Figure 1-306 and Figure 1-307.

Switches
Figure 1-306 AS1 detailed information
Figure 1-307 AP1 detailed information
1.9.7 Example for Configuring a Device as a DHCP Server

(Based on an Interface Address Pool)
In Figure 1-308, an enterprise divides two network segments for office terminals:
10.1.1.0/24 for employees with fixed office terminals and 10.1.2.0/24 for
employees on business trips to temporarily access the network. The enterprise
requires that DHCP be used to assign IP addresses to employees with fixed office
terminals and employees on business trips. A PC (DHCP Client_1) requires fixed IP
address 10.1.1.100/24 to meet service requirements.

Switches
Figure 1-308 Networking diagram for configuring the device as a DHCP server
Internet
GE0/0/1 GE0/0/2
VLANIF 10 VLANIF 11
10.1.1.1/24 10.1.2.1/24
Switch
DHCP Server
LSW_1 LSW_2
DHCP Client_1 DHCP DHCP DHCP

... ...
MAC:286e-d488-xxxx Client_n Client_s Client_t
IP:10.1.1.100/24
Employees with Employees on
fixed office business trips
Configure the DHCP server function on the gateway device Switch to dynamically
allocate IP addresses to terminals on the two network segments. PCs on the
network segment 10.1.1.0/24 are employees' fixed office terminals, and the
network segment 10.1.2.0/24 is used by travelling employees to access the
network temporarily.
NOTE
Configure interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.
Procedure
Step 1 Configure the VLANs to which interfaces belong.
1. Choose Configuration > Basic Services > Interface Settings. Click Connect
to PC.
2. Select GE0/0/1 under Step 2: Select Interface, and set Interface Status and
Default VLAN under Step 3: Configure Interface to ON and 10, as shown in
Figure 1-309. You do not need to configure other parameters under Step 3:
Configure Interface.

Switches
Figure 1-309 Connecting an interface to a PC
3. Click Apply. In the dialog box that is displayed, click OK.

4. Configure GE0/0/2 using the same method.
Step 2 Configure an IP address for each VLANIF interface.
1. Choose Configuration > Basic Services > VLAN in the navigation tree to
open the VLAN configuration page.
2. Click the VLAN data under VLAN ID to open the Modify VLAN page, select
Create VLANIF, and set an appropriate address for IPv4 address, as shown in
Figure 1-310.

Switches
Figure 1-310 Configuring a VLANIF interface

Switches
3. Set the parameters and click OK.

Step 3 Configure interface address pools.
1. Choose Configuration > Basic Services > DHCP in the navigation tree to
open the DHCP configuration page.
2. Set DHCP status to ON to enable the DHCP function.
3. Click Create to open the Create IP Pool page. Set VLANIF interface to
Vlanif10 and DHCP mode to Local allocation, and click OK. Similarly,
configure an interface address pool Vlanif11, as shown in Figure 1-311.

Switches
Figure 1-311 Configuring interface address pools
4. Click the data line of Vlanif10 in Address Pool List to view Vlanif10 Address
Pool Information. Select 10.1.1.100 and click Bind IP to open the Statically
Bound page. Set MAC address to 286e-d488-b684 as shown in Figure 1-312
and click OK.
Figure 1-312 Static IP binding
----End

Switches
Operation Result
Choose Configuration > Basic Services > DHCP and click the data lines of
Vlanif10 and Vlanif11 in Address Pool List to view address allocation of interface
address pools, as shown in Figure 1-313.
Figure 1-313 Displaying address pool information
1.9.8 Example for Configuring 802.1x Authentication

(Authentication Point on the Access Switch)
In Figure 1-314, terminals in a company's offices are connected to the company's
intranet through the switch. GE0/0/2 to GE0/0/n on the switch are directly
connected to terminals in offices. GE0/0/1 on the switch is connected to the
RADIUS server through the intranet.
To meet the company's high security requirements, configure 802.1x
authentication, use the RADIUS server to authenticate terminals in offices, and
deploy authentication points on GE0/0/2 to GE0/0/n of the switch.

Switches
Figure 1-314 Networking diagram for configuring 802.1x authentication

RADIUS Server
192.168.1.30
Intranet
VLANIF10 GE0/0/1
192.168.1.10/24 VLAN 10
Switch
VLANIF20
192.168.2.10/24
GE0/0/2
~GE0/0/n
VLAN 20
Employee …… Employee
Office area
1. Specify the VLANs to which interfaces belong.

2. Configure an IP address for each VLANIF interface.
3. Configure AAA on the switch to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
4. Configure 802.1x authentication to control network access rights of the
employees in offices, including the 802.1x profile, authentication profile, and
802.1x authentication on interfaces.
NOTE
Before performing the following operations, ensure that there are reachable routes between
user terminals and the server.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
1. Choose Configuration > Basic Services > Interface Settings. Click Connect
to PC.
2. Select GE0/0/2 from Step 2: Select Interface, set Interface Status below
Step 3: Configure Interface to ON, and enter 20 for Default VLAN. The
other parameters do not need to be set. Configure GE0/0/1 in the same way,
as shown in Figure 1-315 and Figure 1-316.

Switches
Figure 1-315 Configure GE0/0/2
Figure 1-316 Configure GE0/0/1
3. Click Apply. In the dialog box that is displayed, click OK.

4. The configurations of GE0/0/3 to GE0/0/n are the same as the configuration
of GE0/0/2.
Step 2 Configure an IP address for each VLANIF interface.
1. Choose Configuration > Basic Services > VLAN to access the VLAN
configuration page.
2. Click a record below VLAN ID to open the Modify VLAN page. Select Create
VLANIF and set IPv4 address and Mask, as shown in Figure 1-317 and
Figure 1-318.

Switches
Figure 1-317 Configure VLANIF 10

Switches
Figure 1-318 Configure VLANIF 20
3. After setting the parameters, click OK.

Step 3 Configure AAA.
1. Run the authentication unified-mode command in the system view to set
the NAC mode to unified.
NOTE
By default, the unified mode is used. The switch restarts after the NAC mode is changed
between the common mode and unified mode.
2. Choose Configuration > Security Services > AAA, click the RADIUS tab, click
the RADIUS Server Profile tab, and click Create to create and configure the
RADIUS server template rd1. Set parameters according to Figure 1-319 and
click OK.

Switches
Figure 1-319 Configure a RADIUS server template
3. Choose Configuration > Security Services > AAA, click the RADIUS tab, click
the Authentication/Accounting Server tab, and click Create to create and
configure an authentication server rd1. Set parameters according to Figure
1-320 and click OK.
Figure 1-320 Configure an authentication server
4. Click the Authentication/Authorization/Accounting Scheme tab, and click

Create to create the AAA authentication scheme abc and set the
authentication mode to RADIUS. Set parameters according to Figure 1-321
and click OK.
Figure 1-321 Configure an AAA authentication scheme
5. Choose Configuration > Security Services > AAA Profile Mgmt >
Authentication Profile > Domain Profile to open the Domain Profile List
page. Click Create to access the Create Domain Profile page. Enter
huawei.com for Profile name and click OK. The authentication domain
huawei.com is created and the AAA authentication scheme abc and RADIUS
server template rd1 are bound to the authentication domain. Set parameters
according to Figure 1-322 and click Apply.

Switches
Figure 1-322 Configure an authentication domain
Step 4 Configure 802.1x authentication.

Authentication Profile > 802.1X Profile to access the 802.1X Profile List
page. Click Create. The Create 802.1X Profile page is displayed. Enter d1 for
Profile name and click OK to create an 802.1x profile. Set parameters
according to Figure 1-323 and click Apply to complete the configuration of
the 802.1x profile d1.
Figure 1-323 Configure the 802.1x profile
Authentication Profile to access the Authentication Profile List page. Click
Create and enter p1 for Profile name, as shown in Figure 1-324. Click OK to
create the authentication profile p1.

Switches
Figure 1-324 Create an Authentication Profile
Authentication Profile > p1 > 802.1X Profile. Select d1 from the 802.1X
Profile drop-down list, as shown in Figure 1-325, and click Apply to bind the
802.1x profile d1 to the authentication profile p1.
Figure 1-325 Bind the authentication profile to 802.1x profile
Authentication Profile > p1 > Domain Profile. Select huawei.com from the
Domain Profile drop-down list, as shown in Figure 1-326, and click Apply to
apply the authentication domain huawei.com to the authentication profile
p1.

Switches
Figure 1-326 Bind authentication profile to authentication domain
5. Choose Configuration > Security Services > AAA Service App > Wired
Interface Authentication. Select GE0/0/2 on the front panel. Select p1 from
Authentication Profile, as shown in Figure 1-327, and click Apply. Configure
GE0/0/3 to GE0/0/n in the same way.
Figure 1-327 Bind authentication profile to interface
----End
Operation Result
● Start the 802.1x client on a terminal, and enter the user name and password
for authentication.
● If the user name and password are correct, a client page displays an
authentication success information and you can access the Internet.
● After going online, log in to the web system. Choose Monitoring > User >
Wired User Statistics. The 802.1x user information is displayed.

01-01 EasyOperation Edition

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-01 EasyOperation Edition

Uploaded by

Copyright:

Available Formats

S1720GFR, S2700, S5700, and S6720 Series Ethernet

About This Chapter

1.1 Logging In to the Switch Through the Web System

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 1

The EasyDeploy function simplifies network configuration and implements remote

1.1 Logging In to the Switch Through the Web System

The S5720-50X-EI-AC, S5720-50X-EI-DC, S5720-50X-EI-46S-AC, and S5720-50X-EI-46S-DC do not

Table 1-1 Logging in to the switch through the web system

Device Model Scenario Login Method

S1720GFR The switch is powered on See 1.1.1 Logging In to

You have logged in to See 1.1.4 Web System

S5720SI, S5720S-SI The switch is powered on See 1.1.3 Logging In to

The switch is powered on See 1.1.2 Logging In to

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 2

Device Model Scenario Login Method

You have logged in to See 1.1.4 Web System

S5720-50X-EI-AC, You have logged in to See 1.1.4 Web System

Other models of X7 The switch is powered on See 1.1.2 Logging In to

You have logged in to See 1.1.4 Web System

1.1.1 Logging In to the Device Through the Web System for

● Power on the device.

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 3

Table 1-2 Default configuration of the device

User name and Password The default username and password

Login IP address 192.168.1.253

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 4

Figure 1-1 First login page in the Web system

Step 4 Access the password change page of the web system.

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 5

Figure 1-2 Password change page of the web system

Step 5 (Optional) Changing the Web login password.

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 6

Figure 1-3 Page prompting users to change the login password

1.1.2 Logging In to the Device Through the Web System for

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 7

● Powering on the device

Table 1-3 Default configuration of the device

User name and Password The default username and password

Login IP address 192.168.1.253

Step 2 Enter the initial configuration state.

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 8

Step 3 Configure an IP address for the PC.

Step 4 Log in to the device through Web system.

Open the browser on the PC and access https://192.168.1.253. On the displayed

Figure 1-4 First login page in the Web system

Step 5 Configure the device.

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 9

Figure 1-5 Web system configuration page

Table 1-4 Basic configuration

Management IP Address Indicates the management IP address

Mask Indicates the mask of the IP address.

Old Password Indicates the default Web login

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 10

WEB User Password Indicates the new Web login password.

Confirm Password Confirms the new Web login password.

WEB User Level Indicates the Web user level. Select a

Table 1-5 Optional configuration

Device Name Specifies the device name.

Telnet Server Configures the Telnet function.

Stelnet Server Configures the STelnet function.

User Name Specifies the Telnet or STelnet login

Issue 15 (2021-02-07) Copyright © Huawei Technologies Co., Ltd. 11

Password Specifies the password.

Confirm Password Confirms the password.